
Looking into the Looney Tunables Linux Privesc CVE-2023-4911



00:00 – Introduction explaining what the Looney Tunables exploit is and my thoughts on the severity of the vulnerability
02:30 – Start talking about how the vulnerability works
04:00 – The PoC string to identify whether a box is vulnerable; it doesn't actually exploit anything, but quickly identifies whether a vulnerable glibc is installed
05:45 – Important parts I wanted to point out in the technical writeup
09:00 – Downloading a good PoC written in Python, then glancing over the code to make sure there isn't anything malicious
13:37 – Analyzing the exit shellcode manually in Ghidra to see that it just exits with 0x66
18:50 – Analyzing the main shellcode in Ghidra, showing it does a lot more
21:50 – Putting the shellcode into an ELF binary so we can analyze it with gdb
29:50 – Logging into HTB's TwoMillion machine to run this exploit
31:45 – Showing how to get the magic numbers in case your target is not supported; disabling ASLR, then running the exploit
34:50 – Looking at how Elastic got lucky and detected this exploit with their default ruleset
36:00 – Looking at how CrowdSec detects it
36:55 – Looking at the more recent Elastic rules to see the more thorough check for this exploit
40:40 – Showing all the segfaults in /var/log/kern.log

Highlighted Links:
– Qualys Blog Post:
– Qualys Tech Details:
– Exploit POC Tweet:
– Elastic Initial Detection Tweet:
– Crowdsec Detection Tweet:
