SecuInside 2012 – Dethstarr

Dethstarr is a remote exploitation level where you first have to reverse engineer a protocol to get to the good parts.

The server program is an inetd-style program which has a socket as stdin/stdout. The main() calls a bunch of different functions, each of which receives a blob of data from the socket and performs a *lot* of checks on it. If any of these checks fails, exit() is called.

The bug is that a user-supplied array offset is never checked for negative values before a user-controlled value is written at that offset. This yields a nearly arbitrary write primitive which can be invoked four times.
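The negative-offset bug described above, as an added illustration in constructed C (not Dethstarr's actual code): the unchecked setter only tests the upper bound, so a negative index lands below the array, while the hardened setter rejects it. The `struct table` layout, `NSLOTS` and the function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed layout: a small table of four slots with a guard word
   placed immediately before the array in memory. */
#define NSLOTS 4

struct table {
    uint32_t guard;          /* sits just below slots[] */
    uint32_t slots[NSLOTS];
};

/* Vulnerable pattern: only the upper bound is checked. A negative idx
   passes `idx >= NSLOTS` and the store lands before the array
   (slots[-1] is guard). This out-of-bounds store is undefined
   behaviour in C; it is shown only to illustrate the memory layout. */
int set_slot_unchecked(struct table *t, int idx, uint32_t val)
{
    if (idx >= NSLOTS)
        return -1;
    t->slots[idx] = val;
    return 0;
}

/* Hardened pattern: reject negatives explicitly, then compare the
   non-negative value against the array length. */
int set_slot_checked(struct table *t, int idx, uint32_t val)
{
    if (idx < 0 || (size_t)idx >= NSLOTS)
        return -1;
    t->slots[idx] = val;
    return 0;
}

/* Runs one setter against a fresh table with a sentinel guard and
   reports whether the guard word survived (1) or was overwritten (0). */
int guard_survives(int (*setter)(struct table *, int, uint32_t), int idx)
{
    struct table t = { .guard = 0xdeadbeefu, .slots = { 0 } };
    setter(&t, idx, 0x41414141u);
    return t.guard == 0xdeadbeefu;
}
```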