Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
David Buchanan does not tweet anymore Profile picture
David Buchanan does not tweet anymore
@David3141593
add my blog to your RSS reader or something. also @retr0id@retr0.id, at://retr0.id
Mar 21, 2023 7 tweets 2 min read
🧵 How to mitigate Acropalypse, server-side:

If you run a CDN or similar, you there's a fairly cheap technique you could use to transparently mitigate Acropalypse without having to re-process any of your stored data. (and save some bandwidth too!) Write a filter (nginx plugin?) that strips any data found after the IEND of PNGs, in-flight. The logic required to do this is quite simple - my blog post about the structure of PNG files should cover everything you need to know: da.vidbuchanan.co.uk/blog/hello-png…
Mar 21, 2023 11 tweets 3 min read
holy FUCK.

Windows Snipping Tool is vulnerable to Acropalypse too.

An entirely unrelated codebase.

The same exploit script works with minor changes (the pixel format is RGBA not RGB)

Tested myself on Windows 11 Image - Take a screenshot.
- Press the save icon.
- Crop the screenshot.
- Press the save icon and save to the same file (the default!)
Nov 3, 2022 10 tweets 2 min read
Twitter supports 4k 60fps video uploads!

Here's how to do it 🧵 A screenshot of the DASH Reference Client (a web-based video Step 1:

Package your media file in the standard MPEG-DASH streaming format. You may need to tweak your encoder settings to make sure that the fragment size doesn't go above 5MB.

ffmpeg and Bento4 are the only tools you need. Use mp4dash's "-use-segment-list" option.
Sep 26, 2022 4 tweets 1 min read
Pack arbitrary shellcode into an executable that always has the same MD5 hash:

github.com/DavidBuchanan3… This tool makes hashquines trivial: C source code screenshot: static char message[] = "My
Sep 23, 2022 12 tweets 4 min read
The image in this tweet displays its own MD5 hash.

You can download and hash it yourself, and it should still match - 1337e2ef42b9bee8de06a4d223a51337

I think this is the first PNG/MD5 hashquine. Image This was particularly tricky to make work because the image data in a PNG needs to have a valid adler32 checksum, *and* a valid crc32 checksum.

Each hex digit "pixel" needed its own colliding block, generated with UniColl. There are 448 of them, taking over 24h to compute.
Aug 3, 2022 5 tweets 1 min read
My desktop has decided that today is the day to stop POSTing. I blame the motherboard, but it's particularly bad timing because I have a new GPU arriving today so I can't test it.
Aug 2, 2022 5 tweets 1 min read
is io_uring turing-complete yet? A screenshot of include/uap... Just need IORING_OP_IO_URING_ENTER to be added...
Jul 16, 2022 16 tweets 5 min read
I've always wanted to put a USB-C port in an iPhone, but didn't want to risk breaking a good phone. So here's the cheapest iPhone SE I could find on ebay - and cheapest type-C to lightning adapter A rose gold iphone SE 1st generation, with cracked screen an There's not a lot going on inside the adapter (I did test it first, and it does support both charging and data) The internals of the lightning to usb C adapter. There's not
Jun 10, 2022 9 tweets 2 min read
What if 6502 assembly was more pythonic? Code screenshot: UART_CTRL = Addr(0xa000) UART_DATA = Addr( This is working code - I might try writing something non-trivial later, to see if it's actually practical.

Not shown in the screenshot, but it supports symbolic expressions based on labels etc. (expression evaluation is deferred until the instruction layout is known)
May 11, 2022 6 tweets 2 min read
I came up with a new(?) compression-based steganography technique, which should work with most compressed file formats or protocols (e.g. PNG, or even HTTP).

It hides data as "mistakes" made by the compression algorithm. Each sub-optimal compression decison encodes ~1 bit. A photograph of a vibrant s... You can use this script to decode the hidden message in the above tweet: gist.github.com/DavidBuchanan3…

I might release a tool once I've polished it up a bit (I haven't implemented dynamic huffman codes yet, which limits my compression ratios)
Feb 3, 2022 6 tweets 3 min read
Successful electromagnetic fault injection on an Arduino running AES-128, using a bbq igniter.

I didn't have any ferrite, so I used a screwdriver bit - seems to work ok. I believe this fault pattern is indicative of a successful round 9 fault.
Dec 23, 2021 6 tweets 2 min read
I just wrote my first V8 exploit, targeting WebOS 😎

The unusual thing is, it's LPE not RCE, and it doesn't exploit any bugs in V8 itself. The issue is due to LG using it unsafely - I'll explain what I mean by this at some point in the future, once I figure out disclosure. sideloaded webapp -> local root Image
Mar 17, 2021 8 tweets 2 min read
I found a way to stuff up to ~3MB of data inside a PNG file on twitter. This is even better than my previous JPEG ICC technique, since the inserted data is contiguous.

The source code is available in the ZIP/PNG file attached: Image The source is also available on Github, for anyone who can't extract the above image:

github.com/DavidBuchanan3…