SecuInside 2012 – Dethstarr

Dethstarr is a remote exploitation level where you first have to reverse engineer a protocol to get to the good parts.

The server program is an inetd-style program which has a socket as stdin/stdout. The main() calls a bunch of different functions which receive a blob of data from the socket and perform a *lot* of checks on it. If any of these checks fails exit() is called.

The bug is that a user-supplied array offset is not checked for negative values before writing a user-controlled value. This yields a nearly-arbitrary write primitive which can be called four times.
{Read More}


Secuinside 2011 CTF – Challenge 11

Challenge #11 consists of two binaries, chal1 and chal2. As if exploiting one binary
wasn’t worth any points!


The vulnerability

Chal1 is an NX-protected x86-64 binary with fixed addresses for libc and ASLR for the stack.
It suffers from a strcpy() vulnerability. A string is copied from argv[3] to a fixed size buffer.
But not before we overcome the fact that the binary exits when there are *any* arguments
at all. Luckily, when there are 0 elements in argv, argv[3] points to envp[2].

While the convention for environment variables is “VARNAME=value”, the kernel does not
enforce it, it just copies NULL-terminated strings. This means we can put any binary data
on the top of the process’ stack, encoding the NULL-bytes by just starting another string.
{Read More}