Private Shizo
It's almost free! Author: @ShizoPrivacy
💥 The exploit works on 13.1-48.47, tested both the cmd/unix/reverse_bash and cmd/unix/python/meterpreter/reverse_tcp payloads. The nsppe process does not crash, so the target can be exploited repeatedly. It's highly unlikely that the addresses and offsets will work on other Citrix targets.
Attachment: citrix_formssso_target_rce.rb (0.03 KB)
💥 Technical analysis of CVE-2023-3519 (stack-based BoF in Citrix ADC)
🔖 Rapid7 is currently working on a Metasploit module, which will be released in the near future!
📕 AFLSmart++: Smarter Greybox Fuzzing
Attachment: AFLSmart_plusplus_SBFT23.pdf (1.70 KB)
💥 Merge branch 'net-sched-bind-logic-fixes-for-cls_fw-cls_u32-and-cls_route'
Three classifiers (cls_fw, cls_u32 and cls_route) always copy the tcf_result struct into the new instance of the filter on update. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.
🔥 [Issue 1459254] Debug check failed: !object->IsUninitialized(isolate) (Turbofan & Maglev)
There is a legitimate race condition here (both in Maglev and Turbofan) between the main thread adding a property to an object (which is a prototype of another object), and the compiler thread looking up the prototype chain.
The main thread first transitions the object's map to have the extra property, and only then sets the value of that property, so the race is:
1️⃣Main: Extend object (i.e. assign uninitialized to field), set object map to new map with 1 more property
2️⃣Compiler: Read map
3️⃣Compiler: Read constant field value (reads uninitialized)
4️⃣Main: Write new field value (overwrites uninitialized)
Usually a main thread write after a compiler read would invalidate a constness dependency, but in this case this is an initialising write, so the field is still constant after being "overwritten".
⚠️This is hard to repro because the timing between the main thread operations (1 and 4 above) is very tight.
PoC (arguments: --maglev --jit-fuzzing --expose-gc):

function foo() {
  const o100 = { "foo": 1, };
  const obj1 = Object.create(o100);
  obj1.a = obj1;
  const obj2 = Object.create(obj1);
  obj2.a;
  function f112() {
    const v113 = obj2.foo;
    v113 & v113;
    return v113;
  }
  for (let j = 0; j < 10; j === j, j++) {
    f112();
  }
  obj1.foo = null;
  gc();
  //obj1.foo;
}
for (let i = 0; i < 15; i++) foo();

🛡 Fixed in commit: a6dd6c9 "[heaprefs] Handle uninitialized value race"
Handle a race of the compiler reading an object which is undergoing a transitioning store on the main thread.
Attachment: 0x41con-2023-GetToKnowYourDecompiler.PUBLIC.pdf (1.98 MB)