

Egurra: A dumb file format fuzzer

Although this tool isn’t brand new and has been lurking in my archive for a couple of months now, I’ve finally found a time window to release it publicly. A couple of months ago, when I was taking a look at Gray Hat Python [1], I thought I would build my own dumb file format fuzzer as an exercise. The following shows and shares the results of my ramblings. The tool in question is called Egurra, which in Basque means “wood”, and comes from the (also Basque) expression “egurra eman”, which roughly translates into “give it the beans”, which in turn is the brute-forcish essence of fuzzing.

Continued…

Posted in Books, Fuzzing.



Quick & Dirty: MediaCoder .m3u stack overflow

Following this public exploit for MediaCoder Audio Edition, I decided to take a look at it and, if possible, try to exploit it under Windows 7. To my surprise, it still wasn’t fixed in the latest available version (MediaCoderAE-0.7.3.4610). Since the development team doesn’t seem to care much about getting it fixed anyway, I’ll make a quick write-up of what it’s about.

The bug in question is a fairly textbook example of a stack-based buffer overflow. The binary (and some of its libraries) support neither DEP nor ASLR, which puts a smile on our face (or not, considering we are in 2010) right away. If we supply a .m3u file with a large amount of data, we will end up writing past the boundaries of the buffer.

Quick & Dirty. M3U. 10K ‘A’s.

Continued…

Posted in Exploits.



Quickpost: Gipuzkoa Encounter 2010 Hack-It!

Last weekend a LAN party event named Gipuzkoa Encounter took place for the 4th year in a row in Tolosa, Basque Country. Along with several other activities typical of this kind of event, a CTF-like security challenge known as “Hack-It!” was held during the weekend. And how does this topic relate to myself? Well, just like I did last year, this year I contributed with a couple of binary challenges.

The following pack includes two executables: a Linux ELF and a Windows PE. The challenge in both of them is to find the password that passes the check. I hope all the participants had some great low-level digging time!

Links:

Posted in Community, Reversing.



Bypassing DEP: The Savant way

Those who follow my twitter account might have noticed in the last few weeks an increasing activity regarding writable addresses, 2k3 servers, and DEP bypasses. Well, today I can bring the concluding explanation about all this recent fuzz. For the last 3 or 4 weeks I’ve been trying to pick a bug in some code and dissect it to build my own exploit from it. Even though I came across several good choices, I got hooked on this one. To find out what the bug was all about, I also came across a couple of public releases that exploited the bug, which helped along the way. Unfortunately, or I should say fortunately, all the publicly available releases were meant to be used against XP SP2 or older versions of Windows. Since re-covering somebody else’s work seemed pretty boring to me, I decided to take the bug for a spin myself and take it a step further.

In essence, the bug is a classical example of a buffer overflow in the stack. The user performs some HTTP requests to the server and it answers with the content the user asked for… or does it? As it turns out, if we manage to craft a specially designed non-standard HTTP request, we can sneak in some juicy code. But as I said earlier, other publicly available exploits already do so, so why bother writing another one? The thing is, as far as I can tell, no one has yet developed an exploit for one of the most widespread server versions of Windows, that being 2003. I won’t delve into the details of what DEP is and how it works. Before getting any further, remember the conditions to which you agree by reading this content. The bug on which I elaborate in this post is yet to be fixed. The project seems to be abandoned at the time of this writing and, even though a bug tracking entry was opened for this very issue almost 3 months ago, there is no apparent activity in the matter. Also, I don’t find it ethical to provide a working exploit for the bug, for two reasons:

  • Anybody with the knowledge to understand this can build his own exploit from it.
  • The bug still isn’t fixed in the latest release version.

Continued…

Posted in Exploits, Reversing.
