This post is directed to the people that share my interest in learning and understanding IT-security on a deeper level than most (vulnerability research, exploit development, reverse-engineering). The ones that are not interested in merely learning the tools of the trade, in order to do what any trained monkey would be able to do. Pointing and clicking, using scanners and tools made by other people, to detect and exploit vulnerabilities discovered by other people, without even necessarily having a basic understanding of the actual bugs that are being exploited. Those kinds of things have never had any appeal to me. I want to discover, I want to understand, and I never ever want to stop learning.

While the single best way to learn anything is by doing, having a knowledgeable mentor can speed up the process tremendously. He or she can guide you in the process, provide you with information and challenges chosen to take you from where you are now to where you want to be, and give you a helping hand if or when you get stuck. During my own journey, I have never had the luxury of having a mentor myself. I have, however, had the opportunity to teach and pass on some of my knowledge to willing students a few times. In those cases each student (or rather, the – usually government/defense related – clients that sent them to me) had to pay several thousands of dollars for my services. This time, I have something different in mind…

Perhaps you are currently a “web hacker”, knowing your way around things like XSS, XSRF, LFI/RFI, SQLi and command injection attacks, but want to delve into the realms of binary exploitation and reverse-engineering. Perhaps you are currently more into hardware hacking, and want to learn more about the software side of things, or perhaps you are well versed within the field of cryptography but want to have a better understanding of the software flaws that can often be used to circumvent it completely. Perhaps you are a beginner to the IT-security field, but with an ability to quickly learn and understand whatever you set your mind to.

I am searching for people with potential. Your current level of knowledge is not the most important part, rather, I want you to have the right kind of mindset to go a long way. I don’t care about whether you are a college dropout or a PhD, or if you are in fact still in school. Degrees, certifications and titles tell me absolutely nothing worth knowing. I do care about whether you have that same insatiable desire to learn and understand the world in general, and computers, networks and IT-security in particular, that has taken me to where I am today. You should have a genuine desire to learn, and a willingness to spend the time and energy it will require.

I will provide you with resources, I will give you challenges and hints about how to proceed to overcome them, adapted to your current level of knowledge. I will review your work, and give you information and suggestions on what you can do to improve even further. If or when you reach a certain level, I may even be able to provide you with some work for paying clients (if that’s of interest). If you really have potential, and live up to it, there will always be opportunities.

By now you might be wondering what the catch is, and you would be right to do so. I do not want your money, but I do want some of your time, and some of the talent you can provide. I am currently in the position of having a lot of ideas about things I would like to do, but far too little time to spend on them myself. A lot of these ideas revolve around the web, creating certain sites and services, or small applications (including mobile ones). Some of them are security related, and some of them are completely unrelated to security. Although none of them would be impossible for me to do on my own, I have slowly but surely come to the realization that it would take me a lot more time and effort to do these things than for someone that is already experienced within these fields, and time is something that I have far too little of already. In general, I have always avoided anything that has to do with developing user interfaces, so that is an area I am admittedly weak at. I do have strong opinions on how I would like them to look and work though. Although functionality always trumps beauty, aesthetics are important to me. In code, as well as in the visual side of things.

So, if you are experienced with rapid development and/or prototyping of web sites, including the backend, and/or mobile development, your chances of being chosen are definitely increased. The technologies I would prefer for these purposes are Node.js (perhaps in combination with the full “MEAN”-stack, Node, Angular, Express, MongoDB) in the backend, and probably Bootstrap in the frontend. Experience with building REST APIs, real-time web applications and customized widgets and components is a plus. I have spent some time researching various alternatives for developing the types of sites and services I would like to create, and those technology choices are what I am currently leaning towards, but feel free to make other suggestions if you feel you have something else to bring to the table. A smaller subset of my ideas also require hardware hacking experience, and/or low level driver development, so those kinds of skills may be interesting to me as well.

As part of your training, my plan is also to let you participate in CTF competitions. I am currently competing with HackingForSoju, although we (and me in particular) have not been as active this year as we would have liked to. Last year, when we tried to be a bit more active, our team ranked between #4 and #7 in the world at (out of 3529 teams in total, to give you some perspective). This year we are currently at a modest 28th place (out of 4382 teams), but that’s a direct result of being so inactive (even when we have participated in a CTF, usually only a few of us have been able to play, and often only for a small part of the CTF). Personally, I have not been able to participate since Codegate (where we got 2nd place in the quals, and 6th place in the finals). My plan is to try to be a bit more active again in the future, and participate in some competitions with HackingForSoju and some with the people I’m mentoring. If I find 10 people (which is probably very optimistic, but one can always dream) with real potential, my goal would be to get you in the top 10 within a year.

If you are interested, send me a comment through the Contact-page, or send me an e-mail at je [at] clevcode [dot] org.

Anyway, if you are not already acquainted with me and my work within the IT-security field, it’s quite natural for you to want to know a bit more before considering this opportunity. As for my professional background, you can take a look at my CV. In short, I have participated in a number of challenges and competitions over the years, I have led teams of talented IT-security researchers, I have been a speaker at conferences such as BlackHat, DefCon and the RSA conference and I have found vulnerabilities and created exploits for a number of targets (including smartphone and kernel vulnerabilities). Due to the sensitive nature of a lot of my clients, a lot of the research I have done remains confidential (including the most interesting), but there should be enough public information available to give you a pretty good idea of the kind of skills I provide. :) If you have not already done so, browsing the rest of this site is a good idea as well.

For the TL;DR generation: If you just want to know how to handle all the shells, search for “handling all the shells” and skip down to that. ;)

CVE-2014-6271, also known as “Shellshock”, is quite a neat little vulnerability in Bash. It relies on a feature in Bash that allows child processes to inherit shell functions that were defined in the parent. I have played around with this feature before, many years ago, since it could be abused in another way in cases where SUID-programs execute external shell scripts (or use system()/popen(), when /bin/bash is the default system shell) and with certain daemons that support environment variable passing. When a SUID-program is the target, the SUID-program must first do something like setuid(geteuid()) for this to be exploitable, since inherited shell functions are not accepted when the UID differs from the EUID. When SUID-programs call out to shellscript helpers (that need to be executed with elevated privileges) this is usually done, since most shells automatically drop privileges when starting up.

In those cases, it was possible to trick Bash into executing a malicious shell function even when PATH is set explicitly to a “safe” value, or even when the full path is used for all calls to external programs. This was possible due to Bash happily accepting slashes within shell function names. :) This example demonstrates this problem, as well as the new (and much more serious) CVE-2014-6271 vulnerability.

As you can see, the environment variable named “/usr/bin/id” is set to “() { cmd1; }; cmd2”. Due to the CVE-2014-6271 vulnerability, any command that is provided as “cmd2” will be immediately executed when Bash starts. Due to the peculiarity I was already familiar with, the “cmd1” part is executed when trying to run id in a “secure” manner by providing the full path. :)

One of the possibilities that crossed my mind when I got to know about this vulnerability was to exploit this over the web, due to CGI programs using environment variables to pass various information that can be arbitrarily controlled by an attacker. For instance, the user-agent string is normally passed in the HTTP_USER_AGENT environment variable. It turns out I was not alone in thinking about this though, and shortly after information about the “Shellshock” vulnerability was released, Robert Graham at Errata Security started scanning the entire internet for vulnerable web servers. Turns out there are quite a few of them. :) The scan is quite limited in the sense that it only discovers cases where the default page (GET /) of the default virtual host is vulnerable, and it only uses the Host-, Referer- and Cookie-headers. Another convenient header to use is User-Agent, which is normally passed in the HTTP_USER_AGENT variable. Another way to find lots and lots of potentially vulnerable targets is to do a simple Google search for “inurl:cgi-bin filetype:sh” (without the quotes). As you may have realized by now, the impact of this vulnerability is enormous.
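As an added example (this is not code from the original post), here is a small Python detector for the CGI path just described: it applies the CGI header-to-environment-variable mapping and flags any header value that starts with Bash's exported-function prefix, the shape of the “() { cmd1; }; cmd2” value discussed earlier, separating out the part after the closing brace that CVE-2014-6271 would execute. The two sample requests are constructed, the host name is a placeholder, and the probe uses the harmless echo form with a placeholder marker string.

```python
"""Added example, not from the original post: spot Bash function-import
payloads in HTTP headers before (or after) they reach a CGI script.
The sample requests below are constructed, not captured traffic."""
import re
from dataclasses import dataclass

# Bash only imports a function from an environment variable whose value
# starts with "() {" (whitespace around the braces is tolerated). That
# prefix is the one thing every Shellshock probe has in common.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")
# Anything after the closing brace is what CVE-2014-6271 runs at startup.
TRAILING_CMD = re.compile(r"\}\s*;\s*(\S.*)$")


@dataclass
class Finding:
    header: str     # HTTP header name as sent (lower-cased)
    env_name: str   # variable a CGI server would export it as
    value: str      # the offending header value
    trailing: str   # command text after "};", empty if none


def header_to_env(name: str) -> str:
    """CGI meta-variable rule (RFC 3875 s4.1.18): HTTP_ + upper case, '-' -> '_'."""
    return "HTTP_" + name.upper().replace("-", "_")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request head into (request line, {name: value}).
    Header names are lower-cased; any body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def scan_request(raw: str) -> list:
    """Return one Finding per header whose value looks like a function import."""
    _, headers = parse_request(raw)
    findings = []
    for name, value in headers.items():
        if not FUNC_DEF.search(value):
            continue
        m = TRAILING_CMD.search(value)
        findings.append(Finding(name, header_to_env(name), value,
                                m.group(1).strip() if m else ""))
    return findings


# Constructed samples. The probe uses the harmless "echo" form that was
# widely used to test for the bug; the marker string is a placeholder.
SAMPLE_BENIGN = ("GET /cgi-bin/status.sh HTTP/1.1\r\n"
                 "Host: www.example.test\r\n"
                 "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0\r\n"
                 "Cookie: session=abc123\r\n\r\n")
SAMPLE_PROBE = ("GET /cgi-bin/status.sh HTTP/1.1\r\n"
                "Host: www.example.test\r\n"
                "User-Agent: () { :; }; echo PLACEHOLDER-MARKER\r\n"
                "Cookie: session=abc123\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", SAMPLE_BENIGN), ("probe", SAMPLE_PROBE)):
        hits = scan_request(req)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  {f.header} -> {f.env_name}: trailing command {f.trailing!r}")
```

Feeding real access logs through scan_request() only works if the logging format preserves the raw header values; the default combined log format keeps User-Agent and Referer but drops Cookie and Host, so a WAF or a request-capturing proxy is the better place to hook this in.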

So, now to the part of handling all the shells. ;) Let’s say you are testing a large subnet (or the entire internet) for this vulnerability, and don’t want to settle for a ping -c N ADDR payload, like the one Robert Graham used in his PoC. A simple netcat listener is obviously no good, since that will only be useful to deal with a single reverse shell. My solution gives you as many shells as the number of windows tmux can handle (a lot). :)

Let’s assume you want a full reverse-shell payload, and let’s also assume that you want a full shell with job-control and a pty instead of the less convenient one you usually get under these circumstances. Assuming a Python interpreter is installed on the target, which is usually a pretty safe bet nowadays, I would suggest a payload such as this (with ADDR and PORT replaced with your IP and port number, of course):

To try this out, just run this in one shell to start a listener:

Then do this in another shell:

To deal with all the shells coming your way I would suggest using some tmux+socat magic I came up with when dealing with similar “problems” in the past. ;)

Place the code below in a file named “alltheshells-handler” and make it executable (chmod 700):

Execute this command to start the listener handling all your shells (replace PORT with the port number you want to listen to):

When the shells start popping you can do:

The tmux session will not be created until at least one reverse shell has arrived, so if you’re impatient just connect to the listener manually to get it going.

If you want to try this with my personal spiced-up tmux configuration, download this:

Switch between windows (shells) by simply using ALT-n / ALT-p for the next/previous one. Note that I use ALT-e as my meta-key instead of CTRL-B, since I use CTRL-B for other purposes. Feel free to change this to whatever you are comfortable with. :)


This awesome vulnerability, which affects pretty much all Linux kernels from the last five years, was found by Comex about a month ago. It is also the vulnerability that is used in TowelRoot by GeoHot, to root the Samsung S5 and a bunch of other Android based devices. TowelRoot is closed source and heavily obfuscated though, and there are still no public exploits available for this vulnerability for desktop/server systems. So, I decided to make one myself. ;)

One of the interesting things with this vulnerability is that it is triggered through the futex() syscall, which is usually allowed even within very limited sandboxes (such as the seccomp-based one used by Google Chrome). The reason this syscall is usually allowed is that it’s used to implement threading primitives, so unless the sandboxed application is single-threaded the futex() syscall is required.

This is not the first, and certainly not the last, time that I developed a kernel exploit. Some of you may remember the exploit I developed for a Windows GDI vulnerability back in 2006, for a vulnerability that Microsoft did not patch until two weeks after I demonstrated my exploit at BlackHat Europe in 2007. I must say though, this was definitely more challenging than most kernel vulnerabilities I have researched. Fortunately, challenging equals fun for me. ;)

My initial exploit patched the release() function pointer in the ptmx_fops structure, to achieve code execution in kernel context and call commit_creds(prepare_kernel_cred(0)). The problem with this approach, however, was that it is prevented by a protection mechanism known as SMEP, which is supported by Intel Haswell CPUs. Due to this, I changed my exploit to target the addr_limit value in the thread_info structure instead. This allows me to enable one of my threads to read/write arbitrary kernel memory, and provide root-access for me (and optionally disable other kernel-based protection mechanisms, such as SELinux) without having to execute any code in kernel context.

To Comex, great job in finding this vulnerability! I first realized what a talent you have after reverse-engineering your star-exploit back in 2010 (before realizing that you had released it as open source :D), that you used for the JailbreakMe 2.0 site. Judging from all the vulnerabilities you have found since then, you are no one-hit-wonder either. ;) Unlike a lot of the kids these days, you find a lot of vulnerabilities that require a deep understanding of the target code in question, rather than just throwing a fuzzer at it.

To GeoHot, really impressive work with developing the TowelRoot exploit in such a short amount of time! The breadth and depth of your work, ranging from PS3 jailbreaks, iPhone unlocks and jailbreaks, and now Android roots, not to mention your success in CTF competitions with PPP as well as with your one-man-team, is truly an inspiration. :)

As I mentioned on Twitter earlier (@OwariDa, @ClevCode), using the excellent Hex-Rays ARM decompiler turned out to be quite handy for verifying the payload I’m developing and injecting into the XMM6260-based baseband in my Samsung S3 (GT-i9300). Rebooting my phone due to baseband crashes can be a bit time consuming. :D

The specific research I’m doing at the moment will be kept private, but for those who find the subject interesting I can give you the following simple example. It decompiles, as expected, to v12345678(“Hello World\n”). v12345678 = function @ address 0x12345678. 0xbadc0ded and 0xdeadbeef are used as markers, to make it possible to easily extract the payload from the object file.

How to extract the payload and send it to your custom injector tool:
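As an added illustration of the marker technique described above (this is not the author's tooling, and the injector itself is not part of it), the following Python finds the 0xbadc0ded and 0xdeadbeef marker words in a file, checks that they are 4-byte aligned as ARM code would be, slices out the bytes between them, and renders the result as a C array an injector could compile in. The “object file” it operates on is a constructed byte string (a few ARM NOP encodings between the markers), not a real .o, and the little-endian default is an assumption about the target.

```python
"""Added example, not the author's tooling: pull a marker-delimited ARM
payload out of an object file so it can be handed to an injector.
The "object file" below is a constructed byte string, not a real .o."""
import struct
import sys

START_MARKER = 0xBADC0DED   # the two marker words named in the post
END_MARKER = 0xDEADBEEF


def find_marker(blob: bytes, marker: int, start: int = 0,
                little_endian: bool = True) -> int:
    """Offset of the first 4-byte-aligned occurrence of marker at or after
    start, or -1. Alignment matters: the same bytes straddling two words are
    not a marker, they are a coincidence."""
    pat = struct.pack("<I" if little_endian else ">I", marker)
    pos = blob.find(pat, start)
    while pos != -1 and pos % 4 != 0:
        pos = blob.find(pat, pos + 1)
    return pos


def extract_payload(blob: bytes, little_endian: bool = True) -> bytes:
    """Return the bytes strictly between the start and end marker words.
    Raises ValueError if either marker is missing or out of order."""
    start = find_marker(blob, START_MARKER, 0, little_endian)
    if start == -1:
        raise ValueError("start marker not found")
    end = find_marker(blob, END_MARKER, start + 4, little_endian)
    if end == -1:
        raise ValueError("end marker not found after start marker")
    return blob[start + 4:end]


def as_c_array(payload: bytes, name: str = "payload") -> str:
    """Render the payload as a C initializer, 8 bytes per line."""
    rows = [", ".join(f"0x{b:02x}" for b in payload[i:i + 8])
            for i in range(0, len(payload), 8)]
    return (f"static const unsigned char {name}[{len(payload)}] = {{\n    "
            + ",\n    ".join(rows) + "\n};\n")


# Constructed stand-in for an object file: an ELF-looking prefix, the start
# marker, four ARM NOPs (0xE1A00000 is "mov r0, r0") as a placeholder
# payload, the end marker, and some trailing junk.
FAKE_OBJECT = (
    b"\x7fELF" + b"\x00" * 12
    + struct.pack("<I", START_MARKER)
    + struct.pack("<4I", 0xE1A00000, 0xE1A00000, 0xE1A00000, 0xE1A00000)
    + struct.pack("<I", END_MARKER)
    + b"\x00" * 8
)

if __name__ == "__main__":
    # With a path argument, read a real object file; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else FAKE_OBJECT
    body = extract_payload(blob)
    print(f"payload: {len(body)} bytes at offset {find_marker(blob, START_MARKER) + 4}")
    print(as_c_array(body))
```

Scanning the whole file rather than only .text keeps the tool independent of the object format, which is why the alignment check and the “end marker after start marker” ordering are needed: without them a marker word that also appears in relocation or debug data would be picked up.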

PS. Just in case anyone accustomed to x86 assembly wonders; Yes, the code above is position independent on ARM. No need for jump/call/pop-techniques. ;)