BarMuda, posted January 11, 2018: Is it possible to use the Bash Bunny to utilise the Meltdown and Spectre vulnerabilities on any machine that hasn't been patched? I think the vuln can be exploited if a user visits a website and a malicious JavaScript is run. As the Bunny is a Linux box, can it run a lightweight webserver and deliver the same JavaScript?
PoSHMagiC0de, posted January 11, 2018: From what I have read, they cannot be exploited reliably remotely. ASLR will still pose an issue, seeing they will need to find kernel.dll or whatever kernel for whatever OS to tap into the feature that is bugged. If they can, then they could gather information with the exploit. Someone can correct me if I am wrong; it is still pretty new. With the BB it could be exploited quite well since you will be on the local machine and can run whatever program you want (at the level of the user that is signed on, of course). In this case you can make your own program to access the kernel and do its thing, since it will be your program. So, yes, a BB can be used to exploit these vulnerabilities directly on the machine to get a dump of that private area. Some people I read said code execution was possible with it too, but I think what was meant was that this exploit could be stacked with others to make them more effective: use Meltdown or Spectre to get the ASLR data so you know where to map a particular exploit when fired. I think the underlying key here is getting access to the function in the kernel that is vulnerable, though; I think that place is the predictive algorithm it uses to determine which branch in program execution to pre-execute to try and save time.
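The thread keeps coming back to "any machine that hasn't been patched", so the practical first step is to check whether a host is actually still exposed. Since the 2018 mitigation patches, the Linux kernel exposes per-issue status strings under /sys/devices/system/cpu/vulnerabilities (files named meltdown, spectre_v1 and spectre_v2 among others). The script below is an added example, not code from the thread or from Hak5; it parses those status strings and lists which issues the kernel still reports as "Vulnerable". The sample dictionaries are constructed stand-ins for the sysfs contents so the logic runs offline; the read_sysfs helper reads the real files when they exist.

```python
"""Classify Linux speculative-execution mitigation status (added example).

Reads /sys/devices/system/cpu/vulnerabilities/* where available and reports
which Meltdown/Spectre-class issues the running kernel still lists as
"Vulnerable". The SAMPLE_* dictionaries below are constructed examples of the
strings the kernel exposes, used so the classification can be exercised on a
host that does not have the sysfs entries.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample: what an unpatched host typically reports.
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Vulnerable, IBPB: disabled, STIBP: disabled",
}

# Constructed sample: what a host with kernel mitigations enabled reports.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, STIBP: disabled, RSB filling",
}


def classify(status: str) -> str:
    """Map one kernel status string to a coarse category.

    The kernel prefixes each string with "Not affected", "Mitigation:" or
    "Vulnerable"; anything else (e.g. a new format) is reported as unknown.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(statuses: dict) -> dict:
    """Classify every issue in a {name: status_string} mapping."""
    return {name: classify(value) for name, value in statuses.items()}


def unpatched(statuses: dict) -> list:
    """Return the sorted names of issues still reported as vulnerable."""
    return sorted(name for name, cat in assess(statuses).items() if cat == "vulnerable")


def read_sysfs(path: Path = SYSFS_DIR) -> dict:
    """Read the live status files; returns {} if the kernel does not expose them."""
    if not path.is_dir():
        return {}
    return {p.name: p.read_text() for p in path.iterdir() if p.is_file()}


if __name__ == "__main__":
    live = read_sysfs()
    source = live if live else SAMPLE_UNPATCHED
    label = "live sysfs" if live else "constructed sample"
    for name, cat in sorted(assess(source).items()):
        print(f"[{label}] {name}: {cat}")
    still_open = unpatched(source)
    print("still vulnerable:", ", ".join(still_open) if still_open else "none")
```

On a real host, run it as any user (the sysfs files are world-readable) and compare the output against your patch baseline; a "vulnerable" result for meltdown or spectre_v2 on a machine you consider patched usually means the kernel was updated but booted with mitigations disabled, which is worth an alert in its own right.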
RazerBlade, posted January 12, 2018: The hardest part would be to exfiltrate the memory dump, as it can be quite large, 16 GB or more.
Sebkinne, posted January 12, 2018, quoting RazerBlade ("The hardest part would be to exfiltrate the memory dump, as it can be quite large, 16 GB or more."): Yeah, I'd have the payload on the victim PC upload the dump somewhere.
BarMuda (thread author), posted January 17, 2018: Thanks all for your feedback.