One Article Review

Home - The article:
Source SkullSecurity (blog)
Identifier 8330462
Publication date 2023-04-24 00:08:44 (viewed: 2023-04-24 01:08:26)
Title BSidesSF 2023 Writeups: Get Out (difficult reverse engineering + exploitation)
Text This is a write-up for three challenges:

- getout1-warmup
- getout2-gettoken
- getout3-apply

They are somewhat difficult challenges where the player reverses a network protocol, finds an authentication bypass, and performs a stack overflow to ultimately get code execution. It also has a bit of thematic / story to it!

Writeup

Getout is based on a research project I did over the winter on Rocket Software's UniData application. UniData (and other software they make) comes with a server called UniRPC, which functions very similarly to getoutrpc. My intentions for the three parts of getout are:

- Solving getout1-warmup requires understanding how the RPC protocol works, which, as I said, is very similar to UniRPC
- In getout2-gettoken, I emulated CVE-2023-28503 as best I could
- In getout3-apply, I emulated CVE-2023-28502 but made it much, much harder to exploit

Let's take a look at each!

getout1-warmup

The warmup is largely about reverse engineering enough of the protocol to implement it. You can find libgetout.rb in my solution, but the summary is that:

- You connect to the RPC service
- You send messages to the server, which are basically just a header, then a body comprised of a series of packed fields (integers, strings, etc)
- The first message starts with an integer opcode:
  - Opcode 0 = "list services"
  - Opcode 1 = "execute a service"
- Once a service is executed, a different binary takes over, which implements its own sub-protocol (though the packet formats are the same)

For getout1-warmup, you just have to connect to the service and it immediately sends you the flag. On the server, it looks like:

int main(int argc, char *argv[]) { int s = atoi(argv[1]); packet_body_t *response = packet_body_create_empty(); packet_body_add_int(
Sent Yes
Tags Vulnerability Prediction


The article does not seem to have been picked up after its publication.


The article does not seem to have picked up on a previous one.