Difference between revisions of "CTF-practice-evening:2014-08-04"

From Technologia Incognita
Revision as of 19:09, 4 August 2014

CTF-practice-evening:2014-08-04
Date 2014/08/04
Time
Location ACTA
Type Workshop
Contact Melanie

Capture The Flag evening - Part 23

  • 4 August, 2014 - 7 PM
  • Please bring along a laptop with you!!!

General CTF Info

Binary Exploitation

  • Brainsmoke is talking about binary exploitation today

Examining the challenge

  • objdump -d: see the disassembly, sometimes you can see symbols
    • This example has mangled C++ symbols
  • From running it, the program appears to be a daemon of some kind - a Socks proxy
    • This is a proxy for TCP - we can look at the protocol details w/ Google
    • netstat -uplanet (we can see which ports are used)
  • What was added between Socks4 and Socks5? (there might be a bug)
    • Authentication and connecting directly to a domain
    • Most of the fields are fixed length
    • But the domain name is a string - it could have a buffer overflow
    • There's a 1-byte name length - if that byte is read into a signed type, it can come out negative
    • If you try to read a negative number of bytes, the count wraps to a huge value, so the program tries to read a lot of bytes
  • We want to find out what happens when you tell the program to read and send 255 bytes
    • We want to establish a connection
    • We need to specify Socks5
  • Use xxd to construct the command (converts hex code to binary, and vice-versa)
    • Example: xxd -r -p <<< 41414141410a = AAAAA followed by a newline
    • xxd -r -p <<< 050100 | nc localhost 1080 | dd bs=1 > file (authentication)
    • hexdump -C file
    • (xxd -r -p <<< 05010005010003ff; python <<< 'print "A"*2000') | nc localhost 1080 | dd bs=1 > file (connection request: the 050100 greeting, then 05 01 00 03 ff = version 5, CONNECT, reserved, domain-name address type, length byte 0xff, followed by 2000 A's)
    • We're following along w/ the protocol here
    • It crashed - a child exited with Signal 6 (SIGABRT)
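Added illustration, not code from the evening's notes or from the challenge binary: the SOCKS5 request layout from RFC 1928 parsed with the 1-byte domain length handled safely, beside a small function showing what that byte turns into when a parser keeps it in a signed type. The sample request (05 01 00 03 ff plus 2000 A's) is constructed to match the one sent above; the 050100 greeting is handled separately and is not part of the parsed bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SOCKS5 CONNECT request (RFC 1928): VER=05 CMD=01 RSV=00 ATYP DST.ADDR DST.PORT(2).
 * With ATYP=03, DST.ADDR is a 1-byte length followed by the domain name. */
/* Byte count a parser ends up with when it keeps the length byte in a signed
 * type: 0x80..0xff turn negative, then enormous once used as a size. */
size_t length_if_read_as_signed(uint8_t len_byte)
{
    signed char n = (signed char)len_byte;   /* 0xff -> -1 */
    return (size_t)n;                        /* -1 -> SIZE_MAX */
}

/* Hardened parser: unsigned length, checked against the output buffer and
 * against the bytes actually received. Returns the domain length or -1. */
int parse_socks5_domain(const uint8_t *req, size_t req_len, char *out, size_t out_size)
{
    if (req_len < 5 || req[0] != 0x05 || req[1] != 0x01 || req[3] != 0x03)
        return -1;                           /* not a SOCKS5 CONNECT to a domain name */
    uint8_t name_len = req[4];               /* unsigned: 0xff is 255, never negative */
    if (name_len == 0 || (size_t)name_len >= out_size)
        return -1;                           /* empty name, or no room for name + NUL */
    if (req_len - 5 < (size_t)name_len + 2)
        return -1;                           /* declared length exceeds the bytes received */
    memcpy(out, req + 5, name_len);
    out[name_len] = '\0';
    return name_len;
}

/* Build "05 01 00 03 <len_byte>" + payload_len 'A' bytes (the shape of the
 * request above, constructed here) and parse it. */
int parse_constructed_request(uint8_t len_byte, size_t payload_len)
{
    uint8_t req[5 + 2048];
    char name[256];
    if (payload_len > sizeof(req) - 5)
        return -1;
    const uint8_t hdr[5] = {0x05, 0x01, 0x00, 0x03, len_byte};
    memcpy(req, hdr, 5);
    memset(req + 5, 'A', payload_len);
    return parse_socks5_domain(req, 5 + payload_len, name, sizeof(name));
}

int main(void)
{
    printf("0xff read as signed -> %zu bytes\n", length_if_read_as_signed(0xff));
    printf("0xff+2000 'A' -> %d, 0xff+10 'A' -> %d\n", parse_constructed_request(0xff, 2000), parse_constructed_request(0xff, 10));
    return 0;
}
```

The 0xff request with 2000 A's parses as a legal 255-byte name with junk after it, while the same length byte with only 10 bytes behind it is rejected instead of over-reading.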