Header

Fri, 23 Jan 2009

QoW: Software Reversing and Exploitation
Tags: public, qo[w|m|?], research, reversingbehrang @ 16:23

I've developed a FTP like multi-threaded server application as a target for this challenge of the month. It has been coded in c and compiled by VC++ 2008. This is a three step challenge:

Step 1- Find the correct "passphrase" format to logon to the server and get the "Access Granted" message. (You may use a debugger like Ollydbg to do Live RE for this step).

Step 2- Do vulnerability research on the server software. There is at least one exploitable bug but there could be more bugs or error conditions. Try to spot a memory corruption bug and write a denial of service exploit for it.

Step3- Convert your DoS exploit to a code execution exploit to get a connect-back shell.

If you have questions on the challenge, post them here (or to behrang AT sensepost.com)

[you should be able to run the server on just about anything - bug will be exploitable even under XP-SP*]

/behrang

4 comments

SynNopSys on 2009/1/30
Is this available to outsiders as well???
behrang on 2009/4/8
Yes, you can download the program from: http://www.sensepost.com/blogstatic/2009/01/vulnserver.rar
Saurabh on 2009/4/14
Hey Behrang,

This is Saurabh. Firstly, thank you for proving me something to reverse engineer. It has been a while since I last fired up a debugger so I was excited to read your post this morning.

As per my analysis, the password should be of 8 characters and fourth character should match the eighth character. For eg "sensepos". I could see buffer overflow vulnerability. When READ command is fed with a filename longer than 1999 characters, it causes the server to crash thus causing Denial of service attack. This is due to lack of boundary checks on that buffer. For example a string of 2004 characters will crash the server and the last 4 bytes will overwrite the EIP register. This can be exploited to
get a reverse shell. I will work on exploit when time permits... :-).

I enjoyed working on it. Thank you.

~Saurabh
Julius R. Friedman on 2010/2/11
Saurabh I hope you have found the confidence in your skills that you were seeking from a challenge like this. Maybe you should think of that feeling next time before posting a solutin to a problem.

@Behrang I had forgot that this is the type of thing people like us should be doing in our spare time.

I share the same feelings as Saurabh "It has been a while since I last fired up a debugger so I was excited to read your post this morning." And I would like to thank you for waking my mind up from a what seems like a long tantelizing sleep.

Sincerely,

Julius R. Friedman

Leave a comment

Name*:
Email*:(Won't be displayed)
URL:
Comment*:
*required
Blog
Video
Research
QotW
Categories
about:us (31)
blackhat (5)
blog (10)
broadview (2)
build-it (1)
cloud (12)
community (15)
conferences (60)
crypto (3)
fail (3)
foos (1)
fun (51)
goodbye (1)
hackrack (2)
Hope? (2)
howto (8)
imsojaded (2)
infosec-soapies (25)
infrastructure (3)
local (5)
mac (15)
management (7)
materials (3)
memcached (2)
mindless-politics (4)
mindmaps (1)
PCI (2)
post-it (1)
privacy (6)
product (2)
programming (5)
public (275)
qo[w|m|?] (5)
README (1)
real-world (14)
research (37)
reversing (4)
security-fyi (8)
security-news (6)
silly-yammerings (19)
tech-toys (3)
time-waster (6)
tin-foil-hat (6)
tools (46)
training (18)
travel (1)
tricks (1)
Uncategorized (3)
vendors (6)
videos (6)
vulnerability (7)
wasc (1)
webapps (6)
web_x.0 (2)
writing-advice (1)
zen-hacking (6)
Archives
August 2010 (4)
July 2010 (1)
June 2010 (4)
May 2010 (3)
April 2010 (3)
March 2010 (7)
Feburary 2010 (2)
January 2010 (3)
December 2009 (4)
November 2009 (4)
October 2009 (3)
September 2009 (5)
August 2009 (9)
July 2009 (1)
June 2009 (5)
May 2009 (4)
April 2009 (10)
March 2009 (13)
Feburary 2009 (12)
January 2009 (11)
December 2008 (9)
November 2008 (8)
October 2008 (5)
September 2008 (5)
August 2008 (6)
July 2008 (6)
June 2008 (6)
May 2008 (2)
April 2008 (3)
March 2008 (7)
Feburary 2008 (12)
January 2008 (9)
December 2007 (8)
November 2007 (4)
October 2007 (9)
September 2007 (14)
August 2007 (18)
July 2007 (13)
June 2007 (17)
May 2007 (2)
July 2006 (1)
April 2006 (1)
August 2005 (1)
June 2005 (1)
May 2005 (2)
Archives
Conditions of use Privacy statement
Top of Page Legal stuff