I've developed a FTP like multi-threaded server application as a target for this challenge of the month. It has been coded in c and compiled by VC++ 2008. This is a three step challenge:
Step 1- Find the correct "passphrase" format to logon to the server and get the "Access Granted" message. (You may use a debugger like Ollydbg to do Live RE for this step).
Step 2- Do vulnerability research on the server software. There is at least one exploitable bug but there could be more bugs or error conditions. Try to spot a memory corruption bug and write a denial of service exploit for it.
Step3- Convert your DoS exploit to a code execution exploit to get a connect-back shell.
If you have questions on the challenge, post them here (or to behrang AT sensepost.com)
[you should be able to run the server on just about anything - bug will be exploitable even under XP-SP*]
Many people took a crack at "what tool will work to replace mangler, out of the box" and so we have a bunch of new tools to play with..
Steven's answer of MS-Word or PowerPoint left us scratching our heads a little, and rezn threw in the added complexity of the app requiring valid certs..
ah well.. another cheap, quick informal QoW follows intercrastically..
(my first X-Rated blog post.. i should hook up ad-words and watch the money roll in!)
Ok.. our Zimbabwean recruit was posed the following question by some international academics:
Q:"How would you sort your shoes?"
A: "I make the assumption that the shoes are positioned such that I can see their sizes, and that they are in a row of boxes. I would randomly pick a pair of shoes in a box and call them my 'pivot point'. I would then reorder the shoes such that all shoes with sizes less than my pivot are on the left of it, and all shoes with a greater size are on the right of the pivot (perhaps having 2 piles of shoes next to me as I work, one for size less than, one for size greater than). This pivot pair of shoes would now be in their correct sorted position. I would then apply this same process to the left and right sets of shoes, and then to their left(left,right) and right(left,right) sets, continuing this process until all shoes have been 'pivoted' or there is only one or zero pair of shoes between two pivots. (i.e a set of only one pair)."
Now.. this seems impressive.. but my response was (kinda) Thats a whoreish way to do it..
QoW-1: What possessed me to respond like this?
QoW-2: Do you have a better solution? and why?
I think the ian-mangler hack is awesome, and the fact that it got the results needed means it was a full-on victory.. its really interesting, because fairly recently i had a discussion with one of the XXXX guys on what makes rocking analysts rock, and amongst other things it became apparant (if it was not already obvious) that great analysts can smack together the tool chain they need to handle the edge cases.. i recall way back when "YYYYYY" said "im a leet hax0r except i dont know programming or networking".. sadly he wasnt joking...
its ok if you cant throw ians app together with a fancy gui, or if u take 3 times as long as he did.. but all of you should be looking at this and thinking - in a pinch, i could have made an ugly variation of that with [python|perl|java|bash+nc+sed|or heaven forbid even ruby]
Of course, one of the things we preach in in Hacking By Numbers is also about knowing available tools... so for an informal Friday Question of the "Some time Period"... What tool could have been used, fresh outa the box to achieve the same result ?
A little while back we published our first public QoW for your abuse and enjoyment, and the time to close it is .......... now. The new QoW is available here. Thanks for the efforts; we received a fair number of answers and are still figuring out how to go about recording your submissions. For now, we'll publish the first correct answer, and discuss the answer in brief. Over to Haroon:
An additional bonus for the attacker was that the form would accept as many name/value pairs submitted and returns them in the table allowing us to add variables forever..
original solution was therefore to submit:
Effectively we build our JS command so that it fits into the imposed char limits, and use eval() eventually to pull them all together..
In our example we use it for a simple document.location to move off the cookie, but at that point the world is your oyster..
Ah well.. on with the show.. :>