Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

From Terminal Output to Arbitrary Remote Code Execution - 1237

solid-snail, posted 2 years ago
  • Terminals are the most common way for developers to interact with computers. Control information is conveyed in-band, in the same byte stream as the text the user sees; escape sequences like \x1b[32m (set the foreground colour to green) are a familiar example. The author chose the iTerm2 emulator to look into.
  • Much like phone phreaking back in the day, the goal of the attack is to use arbitrary characters printed to the terminal to change the behaviour of the terminal itself.
  • The core idea is to get characters into the program's stdin via terminal escape codes, i.e. sequences that make the emulator answer a query by writing its reply to the tty input as if the user had typed it. Chain enough of those and you can force a command to be executed. The payload is a complete mess to look at, but the concept is simply this, with various twists.
  • For instance, \x1b[5n is a Device Status Report (DSR) query. The terminal replies with \x1b[0n, and that reply is delivered through stdin, which is how the character n ends up on the input line. Combining this with various other tricks, arbitrary commands can be assembled.
  • Then the command arg1|m4 is pushed using various shenanigans for getting data into stdin. m4 is a general-purpose macro processor (the one behind autoconf), and its syscmd builtin runs a shell command, so the earlier input syscmd(open -a Calculator) gives code execution.
  • The line \x1bP1000p%session-changed $9 s\n is handled by iTerm2's tmux (terminal multiplexer) integration: \x1bP1000p is the DCS prefix tmux uses to announce control mode, and the fake %session-changed notification ends up pressing Enter for us, executing the command now sitting in stdin.
  • I don't fully understand the payload. There's a lot of juggling between things, and the actual reason for searching through history isn't very well explained. Regardless, I loved the attack method and hope to see many more of these in the future.
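To make the in-band mechanism above concrete, here is an added example of my own (not code from solid-snail's write-up or from iTerm2). It is a toy emulator model that implements only the sequence shapes mentioned in the summary, SGR, DSR (\x1b[5n and \x1b[6n) and a DCS string, so you can watch bytes that a program prints come back as bytes it reads, plus a sanitize() routine for neutralising untrusted output before echoing it. The class and function names, the regexes and the sample "hostile" output are all my assumptions for the demo; the DCS string is given an ST terminator (ESC \) that the quoted snippet omits.

```python
"""Toy model of the in-band query/response channel the write-up abuses.

Added example, not code from solid-snail's post. The emulator model is
deliberately tiny: it implements only the sequences the summary above
mentions (SGR, DSR 5n/6n, and a DCS string), enough to show why bytes a
program *prints* can come back as bytes it *reads*, and how to neutralise
untrusted output before echoing it.
"""
from __future__ import annotations

import re

ESC = "\x1b"

# Grammar subset assumed for the demo (ECMA-48 shapes, not a full parser):
#   CSI = ESC [ params intermediates final    e.g. ESC[5n, ESC[32m
#   DCS = ESC P payload ST, where ST = ESC \  e.g. ESC P 1000p ... ESC \
CSI_RE = re.compile(r"\x1b\[([0-?]*)([ -/]*)([@-~])")
DCS_RE = re.compile(r"\x1bP(.*?)\x1b\\", re.S)


class ToyTerminal:
    """Program output goes in; screen text, injected input and DCS payloads come out."""

    def __init__(self, row: int = 24, col: int = 1) -> None:
        self.screen: list[str] = []  # printable text that reached the display
        self.stdin: list[str] = []   # replies the emulator typed into the tty input
        self.dcs: list[str] = []     # DCS payloads handed to an integration (tmux -CC style)
        self.row, self.col = row, col

    def write(self, data: str) -> None:
        i = 0
        while i < len(data):
            if data[i] != ESC:
                self.screen.append(data[i])
                i += 1
                continue
            m = CSI_RE.match(data, i)
            if m:
                params, _intermediates, final = m.groups()
                if final == "n":  # DSR: the answer is written to stdin, not the screen
                    if params == "5":
                        self.stdin.append(f"{ESC}[0n")  # "terminal OK"
                    elif params == "6":
                        self.stdin.append(f"{ESC}[{self.row};{self.col}R")  # cursor position
                # SGR (final 'm') and the rest are purely visual here: no reply
                i = m.end()
                continue
            m = DCS_RE.match(data, i)
            if m:
                self.dcs.append(m.group(1))  # real iTerm2 would parse this, e.g. as tmux control mode
                i = m.end()
                continue
            i += 1  # unknown or truncated sequence: drop the ESC and carry on


def replay(output: str) -> ToyTerminal:
    """Feed a chunk of program output to a fresh toy terminal and return its state."""
    term = ToyTerminal()
    term.write(output)
    return term


def sanitize(untrusted: str) -> str:
    """Neutralise control bytes before echoing untrusted data (filenames, log lines,
    commit messages, remote output) to a real terminal.

    ESC and the other C0 controls, except newline and tab, become caret notation.
    The C1 range 0x80-0x9f is escaped too: 0x9b and 0x90 are the 8-bit forms of
    CSI and DCS on emulators that honour them, so stripping ESC alone is not enough.
    """
    out = []
    for ch in untrusted:
        code = ord(ch)
        if ch in "\n\t":
            out.append(ch)
        elif code < 0x20 or code == 0x7F:
            out.append("^" + chr(code ^ 0x40))  # ESC -> ^[, BEL -> ^G, DEL -> ^?
        elif 0x80 <= code <= 0x9F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample in the spirit of the write-up: harmless text, then a DSR
    # query and a DCS string. The ST terminator is appended here; the snippet quoted
    # above omits it.
    hostile = "total 0\n" + f"{ESC}[5n" + f"{ESC}P1000p%session-changed $9 s\n{ESC}\\"
    raw = replay(hostile)
    print("raw  -> stdin:", raw.stdin, "dcs:", raw.dcs)
    safe = replay(sanitize(hostile))
    print("safe -> stdin:", safe.stdin, "dcs:", safe.dcs, "screen:", "".join(safe.screen))
```

The point of the model is the asymmetry the write-up relies on: a DSR query costs the attacker nothing but a few printed bytes, yet its answer arrives on the same channel as keystrokes. The practical check is on the output side. Anything you print that came from an untrusted source should go through something like sanitize() (or a library equivalent), and remember that ESC is not the only entry point: 8-bit C1 bytes and BEL-terminated strings are parsed by some emulators too.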