Matt Ehrnschwender

459 posts

Matt Ehrnschwender

@M_alphaaa

Security person who likes writing code

Katılım Ağustos 2020

208 Takip Edilen924 Takipçiler

Sabitlenmiş Tweet

Matt Ehrnschwender@M_alphaaa·30 May

I'm finally releasing a project that I've been working on for a little while now. Here's Boflink, a linker for Beacon Object Files. github.com/MEhrn00/boflink Supporting blog post about it. blog.cybershenanigans.space/posts/boflink-…

English

206

19.1K

Matt Ehrnschwender@M_alphaaa·9 Mar

@0xTriboulet ifconfig works by parsing /proc and using socket ioctl calls but parsing /proc is slow and there was no way to extend the ioctl structs without breaking ABI. Linux 2.2 released netlink which is a dedicated replacement for the ioctl issues and what the new net tools use

English

296

Steve S.@0xTriboulet·9 Mar

Anyone know why ifconfig is no longer the default? Bout to vibe code some PRs to make it right 😤

stacksmashing@ghidraninja

Simple age check for Linux: Just have the shell ask the user to check the host IP on first boot. If they type ifconfig they are old enough, if they type ip addr they deserve to be restricted from their computer 😇

English

3.5K

Matt Ehrnschwender@M_alphaaa·19 Şub

@NotNordgaren @0xrepnz @0xTriboulet Yeah that is typically the better option. Using globals in a plugin system is way more limiting than allowing the plugin to allocate a user data struct which gets passed in to an unload function at the end

English

The Bingus Man@NotNordgaren·19 Şub

@M_alphaaa @0xrepnz @0xTriboulet Like so they can unload the plugin and then rebuild and reload. Every plugin system I have ever used has just had an unload function for this. IDK why they want to rely on global static destructors. Sounds like a nightmare.

English

Ori Damari@0xrepnz·18 Şub

You thought rust avoids memory leaks? Think again - In rust, global variables are leaked by design. This means that practically there is no 'safe' way to use Rust in a dynamic library that can unload - if some third party crate decides to use a global variable it won't be freed. Maybe someone here has experience dealing with it?

English

1.7K

Matt Ehrnschwender@M_alphaaa·19 Şub

@NotNordgaren @0xTriboulet @0xrepnz So basically, "MFW when... Windows"

English

The Bingus Man@NotNordgaren·19 Şub

@0xTriboulet @0xrepnz @M_alphaaa MFW you use C++ and end up leaking shit anyways because you're using a library that leaks shit:

GIF

English

Matt Ehrnschwender@M_alphaaa·19 Şub

@0xrepnz @0xTriboulet @NotNordgaren If the library is absolutely needed then I would open up an issue about it. Depending on what is easiest, I would either ask about adding an API which allows freeing up global state or creating an API that does not rely on it

English

Matt Ehrnschwender@M_alphaaa·19 Şub

@0xrepnz @0xTriboulet @NotNordgaren Yes I have experienced this. The ways I have dealt with it are by not using parts of the crate which rely on global state or finding a way to free it from the public API. If that is not possible, I will just not use the library but reimplement the functionality I need

English

Matt Ehrnschwender@M_alphaaa·19 Şub

@0xTriboulet @0xrepnz @NotNordgaren Yes this is true. Static variables do not get deallocated. Dropping static variables cannot work due to how lifetimes are handled

English

Steve S.@0xTriboulet·18 Şub

@0xrepnz @NotNordgaren is this true? 😱

English

655

Matt Ehrnschwender@M_alphaaa·14 Şub

s/through/though

English

Matt Ehrnschwender@M_alphaaa·14 Şub

The notepad vulnerability reminds me of this post on how you can embed file:// URIs in OSC8 escape sequences x.com/taviso/status/…. Attempting to use procmon from sysinternals does not work through

Adam Chester 🏴‍☠️@_xpn_

Anyone else seeing that this hasn't been patched yet? Same for [clickme](file://live.sysinternals.com\tools\procmon.exe). Notepad.exe still at version 11.2510.14.0 for me.

English

261

Matt Ehrnschwender@M_alphaaa·14 Şub

@vaxryy @kqx_io Pointer tagging. It is a niche optimization which stores additional metadata with pointers instead of needing to store it inline with an object in memory. V8 uses it heavily v8.dev/blog/pointer-c…

English

vaxry@vaxryy·14 Şub

@kqx_io this absolutely falls into the "what the hell even led to this code being needed" territory to me, doing bit operations on pointers, man I'm sure there was some reason but dang this is really "this shit's gonna explode" territory

English

178

11.7K

kqx@kqx_io·13 Şub

How a single typo led to RCE in Firefox Can you spot the bug? Read now at: kqx.io/post/firefox0d…

English

637

147.2K

Matt Ehrnschwender@M_alphaaa·12 Şub

Still have a lot of things to clean up and many other features to add but the core parts of it are there

English

Matt Ehrnschwender@M_alphaaa·12 Şub

This is one of the nice things I am aiming for with boflink. Removing the BOF specifics from the source code (DFR, restricted to a single TU) makes the code cleaner and allows access to higher level features like alloc::Vec and external libraries

Steve S.@0xTriboulet

Yet another sick contribution from one of the most cracked devs I have the privilege of knowing github.com/joaoviictorti/…

English

304

Matt Ehrnschwender retweetledi

Max Harley@0xdab0·11 Şub

I'm really proud of what Shane and I did here. I'm biased, but from the results I've seen, this is a hugely scalable way to improve offsec models. It took a ton of engineering work to get it working, but the results speak for itself.

dreadnode@dreadnode

We fine-tuned an 8B model to pop a GOAD domain…using only synthetic training data. No real networks. No frontier model distillation. Just a world model that simulates AD environments and generates realistic pentesting trajectories. See how @shncldwll and @0xdab0 did it: dreadnode.io/blog/worlds-a-…

English

Matt Ehrnschwender@M_alphaaa·10 Şub

@0xTriboulet Based on this "The loop to check the character exits early when the character is correct..." I assume the original implementation wasn't even constant-time at all 💀

English

Steve S.@0xTriboulet·10 Şub

You could pull out the comparison into a function, slap this on, and #ifdef the MSVC equivalent. That’s more readable and makes it portable across all major compilers learn.microsoft.com/en-us/cpp/prep… Volatiles seems like a good idea too, wonder if they tried that instead. Wasn’t clear from the article

English

Steve S.@0xTriboulet·9 Şub

Could you not just disable optimizations in the function with something like this? // Compile the rest of the file with the default/global options void __attribute__((optimize("O0"))) const_time_function(void) { // This function is compiled with -O0 }

The Register@TheRegister

How the GNU C Compiler became the Clippy of cryptography dlvr.it/TQrlq8

English

1.2K

Matt Ehrnschwender retweetledi

Zig@ziglang·4 Şub

Bypassing Kernel32.dll for Fun and Nonprofit #2026-02-03" target="_blank" rel="nofollow noopener">ziglang.org/devlog/2026/#2…

English

865

335.4K

Matt Ehrnschwender retweetledi

Rick de Jager@rdjgr·26 Oca

May I present to you; a full copy of doom, running inside of a Rollercoaster Tycoon 1 save game exploit ✨ Thanks for everyone that came to check out our @DistrictCon Junkyard talk! We had a lot of fun putting it together. (check the thread for slides / exploit)

English

753

8.8K

300.1K

Matt Ehrnschwender retweetledi

wallfacer@simplylurking2·24 Oca

AI-slopped a functional C2 for an app's Lua plugin (no stdlib Lua) in about 24hrs~ had to use the app-specific network libs provided to accomplish a transport. Functions: change sleep, run more Lua in mem, module output, exit/uninstall - most of what u need on a longhaul persist

English

1.2K

Matt Ehrnschwender@M_alphaaa·22 Oca

Pushed up a few small fixes for boflink. Currently working on some other improvements which should make writing BOFs in higher level languages like C++/Rust/Zig a lot more feasible without needing to add various different compiler/source code tricks github.com/MEhrn00/boflin…

English

233

Matt Ehrnschwender@M_alphaaa·6 Oca

@codex_tf2 Btw, you can use `boflink --mingw64 ...` to query MinGW GCC for the list of library search paths instead of hard coding `-L/usr/x86_64-w64-mingw32/lib`. MinGW GCC may install libraries in a different location depending on the platform

English

CodeX@codex_tf2·25 Ara

if anyone is too lazy to learn to use @M_alphaaa 's boflink and doesnt want to fight MSVC to stop using funny sections in your bofs, heres a drop in replacement for the TrustedSec BOF template that uses boflink (standalone) in the makefile github.com/CodeXTF2/bof_t…

English

Matt Ehrnschwender@M_alphaaa·29 Ara

@NotNordgaren Typcial annoying C things. The initialization here would normally set all of the elements to 0 but since this is a VLA, it does other things. I'm not familiar with them so I'm not sure what the rules are with initialization

English

118

The Bingus Man@NotNordgaren·29 Ara

@M_alphaaa Neat. Yea, I didn't know in C const declared variables with constant numbers aren't const.

English

126

The Bingus Man@NotNordgaren·29 Ara

This is probably one of the biggest misunderstood features and source of confirmation bias in the C language. Who can tell my why this does not do what most people think it does?

English

147

647

207.7K

Keşfet

@0xTriboulet @NotNordgaren @0xrepnz @vaxryy @kqx_io @elonmusk @BarackObama @taylorswift13