Electric Angel http://picix.sourceforge.net/electricangel picix project Thu, 17 May 2007 04:27:19 +0000 http://wordpress.org/?v=2.1.3 en Laura & me http://picix.sourceforge.net/electricangel/?p=7 http://picix.sourceforge.net/electricangel/?p=7#comments Thu, 17 May 2007 04:27:19 +0000 admin http://picix.sourceforge.net/electricangel/?p=7 I meet Laura at work a few months ago, we got along pretty well, so she is my gf now! lol

dsc09724.JPG
Laura this is for you! *:-”*

(That is a ascii kiss)

]]> http://picix.sourceforge.net/electricangel/?feed=rss2&p=7 OpenBSD mbuf exploit http://picix.sourceforge.net/electricangel/?p=5 http://picix.sourceforge.net/electricangel/?p=5#comments Mon, 14 May 2007 06:52:26 +0000 admin http://picix.sourceforge.net/electricangel/?p=5 Some months ago, working for Core Security, I found a pretty severe bug on the IPV6 stack of the OpenBSD operative system.
I was investigating another bug, and because really didn’t have much info about it, I started to fuzz the IPv6 stack, and found this instead.

The history was something like this:

  • My boss assigned me the exploit, more like a curiosity to investigate. There were very few info about the bug, and no PoC.
  • A week later, testing a primitive ipv6 “fuzzer” on a OpenBSD 4.0 box, a managed to get a crash similar to this:

    Screenshot of the OpenBSD crash

  • In the next few days, I made a impact module with the then-i-believe-to-be DoS, and others projects got my atention.

  • Some days later, it occured to my to test the PoC with a OpenBSD 4.1 Box, supposedly patched, and oh surprise:The box also crashed! I was having a Zero-day on my hands.

  • The OpenBSD team was immediately advised about this. They beleived that it was only a crash, and no code execution could be attained from this. They pretty much dismissed the bug, and label the patch a “Reliability fix”. My name wasn’t even on the bug report, and I became a little bitter about the subjet, but soon forget about it.

  • A couple of weeks later, boring on a Saturday Night (I was such a looser, haha!), decided to give it a try and make the exploit for the bug. I was getting a pretty reliable crash on the m_freem() kernel function, so should be a way to exploit that.
  • That day, working non-stop like 10 hours or so, I managed to get code execution on that bug. Sleep a couple of hours (I was very impacient) and back to work: This time i managed to execute code and get the kernel to continue with normal execution. It was great!
  • The next morning on the office, i silently modified the advisory, changing the “DoS” title, with a “Remote Exploit”. Woot!

Then a bunch of very hilarious discussions were insued between Core and the OpenBSD team (Specially Theo), and is detailed on the advisory. Then the advisory was published, all went crazy for a couple of days. The manager of the Marketing team of Core was very thankfull of me and give me some words of support.

Thats all. I am not really a blog man, but is kind of required for blackhat, so here is. I will gladly respond any question, post a comment entering “comment”. bye!

]]> http://picix.sourceforge.net/electricangel/?feed=rss2&p=5 Pic30 OS project http://picix.sourceforge.net/electricangel/?p=4 http://picix.sourceforge.net/electricangel/?p=4#comments Sun, 25 Feb 2007 22:01:44 +0000 admin http://picix.sourceforge.net/electricangel/?p=4 This one is not yet finished (mmm nor started) should i give it a try? we will see.

]]> http://picix.sourceforge.net/electricangel/?feed=rss2&p=4 Pic18 OS project http://picix.sourceforge.net/electricangel/?p=3 http://picix.sourceforge.net/electricangel/?p=3#comments Sun, 25 Feb 2007 22:01:00 +0000 admin http://picix.sourceforge.net/electricangel/?p=3 All coments about this project are under this thread.

]]> http://picix.sourceforge.net/electricangel/?feed=rss2&p=3