Aerosol

PoC || GTFO 0x05 & 0x06


Posted (edited)

So, plug everything in, attach an external power supply to the graphics card, power it up, and... nothing.

Or so it would seem. But, we've got a serial console on the Galileo, so we can check it out by running lspci.

And there we have it! An Nvidia 0x10de standing out in a sea of Intel 0x8086. Our graphics card is connected, enumerated, and waiting for drivers.

7.3 Solemnization through Software

On a normal desktop, the BIOS starts up, runs the video BIOS that initializes the display, and gets on with things. But this is supposed to be a tiny embedded system. While it does boot via EFI, it doesn't run video BIOS or any option ROMs. We'll have to do that by hand.

There are already great instructions by Sergey Kiselev on how to build your own Linux for Galileo available.11 I mostly followed those to get a standard install working, but I had to make two changes between steps 7 and 8 of Kiselev's tutorial. We need to add all the X11 related packages, and we need to enable nouveau, the open-source Nvidia drivers, in our kernel configuration.

    7.1. Add ``x11'' to the DISTRO_FEATURES line in
         meta-clanton_vxxxx/meta-clanton-distro/conf/distro/clanton-tiny.conf
    7.2. Configure the kernel by running ``bitbake linux-yocto-clanton -c
         menuconfig'' and enabling nouveau under drivers->graphics->nouveau

Copy the resulting files to a MicroSD card, pop it in your Galileo, and you are a modprobe nouveau && startx away from what might be the most inefficient way to drive a display ever devised. Of course, there's no window manager or input devices yet configured, so you can't do much, but that's just a software problem, right?

Read more: PoC || GTFO 0x05

1 Sacrament of Communion with the Weird Machines

Neighbors, please join me in reading this seventh release of the International Journal of Proof of Concept or Get the Fuck Out, a friendly little collection of articles for ladies and gentlemen of distinguished ability and taste in the field of software exploitation and the worship of weird machines. If you are missing the first six issues, we the editors suggest pirating them from the usual locations, or on paper from a neighbor who picked up a copy of the first in Vegas, the second in São Paulo, the third in Hamburg, the fourth in Heidelberg, or the fifth in Montréal, or the sixth in Las Vegas.

This release is dedicated to Jean Serrière, F8CW, who used his technical knowledge and an illegal shortwave transceiver to fight against the Nazi occupation of France. His wife Alice Serrière once, when asked "Where are the tubes?" showed occupying soldiers the leaky pipes in their basement.

In Section 2, the Pastor reminds us that there are things that we must be thankful for, with a parable freshly drawn from the Intertubes.

In Section 3, Fiora shares with us a collection of nifty tricks necessary to emulate modern Nintendo Gamecube and Wii hardware both quickly and correctly. Tricks involve fancy MMU emulation, ways to emulate PowerPC's bl/blr calling convention without confusing an X86 branch predictor, and subtle bugs that must be accounted for accurate floating point emulation.

Continuing the tradition of getting Adobe to blacklist our fine journal, pocorgtfo06.pdf is a TAR polyglot, which contains two valid PoC, as in both Pictures of Cats and Proofs of Concept. In Section 4, Ange Albertini explains how this sleight of hand is performed.

In Section 5, Micah Elizabeth Scott shares the story of the Pong Easter Egg that hides in VMWare and the Pride Easter Egg that hides inside that!

In Section 6, Craig Heffner shares two effective tricks for detecting that MIPS code is running inside of an emulator. From kernel mode, he identifies special function registers that have values distinct to Qemu. From user mode, he flushes cache just before overwriting and then executing shellcode. Only on a real machine, with unsynchronized I and D caches, does the older copy of the code execute.

In Section 7, Philippe Teuwen extends his coloring book scripts from PoC||GTFO 5:3 to exploit the AngeCryption trick that first appeared in PoC||GTFO 3:11.

In Section 8, Joe Grand presents some tricks for reverse engineering printed circuit boards with sand paper and a flatbed scanner.

Continuing this issue's theme of tricks that allow or frustrate debugging and emulation, Ryan O'Neill in Section 9 describes the internals of his Davinci self-extracting executables in Linux. Here you'll learn how to prevent your process from being easily debugged, sidestepping LD_PRELOAD and ptrace().

In Section 10, Don A. Bailey treats us to a fine bit of Vuln Fiction, describing a frightening Internet of All Things run by a company not so different from one that shipped a malicious driver last month.

Finally, in Section 11 we pass around the old collection plate, because, in the immortal words of St. Herbert, the PoC must flow!

Read more: PoC || GTFO 0x06

Edited by Aerosol