Revision as of 18:58, 4 August 2014

Capture The Flag evening - Part 23

Brainsmoke is talking about binary exploitation today
objdump -d: see the disassembly, sometimes you can see symbols
- This example has mangled C++ symbols
From running it, the program appears to be a daemon of some kind - a Socks proxy
- This is a proxy for TCP - we can look at the protocol details w/ Google
- netstat -uplanet (we can see which ports are used)
What was added between Socks4 and Socks5? (there might be a bug)
- Authentication and connecting directly to a domain
- Most of the fields are fixed length
- But the domain name is a string - it could have a buffer overflow
- There's a 1 byte name length - if you use a 1 byte length, you might end up w/ a negative number
- If you try to read a negative number, you will try to read a lot of bytes

We want to find out what happens when you tell the program to read and send 255 bytes
- We want to establish a connection
- We need to specify Socks5

@@ Line 22: / Line 22: @@
 * From running it, the program appears to be a daemon of some kind - a Socks proxy
 ** This is a proxy for TCP - we can look at the protocol details w/ Google
-** netstat -
+** netstat -uplanet  (we can see which ports are used)
 * What was added between Socks4 and Socks5?  (there might be a bug)
 ** Authentication and connecting directly to a domain
@@ Line 32: / Line 32: @@
 * We want to find out what happens when you tell the program to read and send 255 bytes
 ** We want to establish a connection
+** We need to specify Socks5