Summerschool Aachen 2005/Notes/Christians notes

From C4 Wiki
Revision as of 17:36, 24 November 2010 by Tobias (talk | contribs) (Reverted edits by Oxudocopaj (talk) to last revision by

My Summerschool Projects

I've been running the following test for crawlers for about a year now: I added a "Disallow" entry to the robots.txt of my webserver and waited for crawlers to explicitly crawl that directory. It seems that there are no crawlers who are interested in files people don't want to be crawled. Together with Maximillian Dornseif, we wrote and set up verBOTen, a crawler that collects robots.txt files from 2.700.000 hostnames that we got from Open Directory Project and adds them to a database. The next step will be to crawl those files and ask in public to decide the level of interest of the files, similar to the EXIF thumbnail project.

TLS support for scapy

I started to have a look at the very ugly TLS packet format and started to hack a first version of TLS packet generation for scapy. Max improved and bugfixed it, check his documentation for more ;-)


Some time ago, I reverse engineered an application that uses the Apple Motion Sensor, a motion sensor that switches off the hard disk on fast acceleration to prevent damage. While my software runs well on Powerbooks, it refuses to work on the new AMS enabled iBooks. To have a generic way to find out the called driver functions and layout of the used structures, I want to create a replacement for the original driver to interact with the Apple software.


Inspired by Max' idea, I started to write a library that replaces printf to inspect format strings in closed source software to find possible format string vulnerabilities. The library runs perfectly on Linux with the LD_PRELOAD environment variable, but it's a little bit bitchy on MacOS X. The linker DOES load the library (some debugging information can be turned on by setting DYLD_PRINT_LIBRARIES), but I couldn't convince the linker to overwrite the libc symbol, in spite of using the two variables DYLD_INSERT_LIBRARIES and DYLD_FORCE_FLAT_NAMESPACE.
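A sketch of such a printf interposer for Linux, added here as an example; it is not the library described above. It flags any format string that lives in writable memory (so it was built at run time rather than compiled in as a constant) or that contains %n. The names fmtaudit, addr_is_writable and count_conversions are hypothetical, and the /proc/self/maps lookup is an assumption about how to tell constant strings from run-time ones.

```c
/* fmtaudit.c: added example, not the library described on this page.
 * Build: gcc -shared -fPIC -o fmtaudit.so fmtaudit.c
 * Use:   LD_PRELOAD=./fmtaudit.so ./program-under-audit */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 if addr is in a writable mapping, 0 if read-only, -1 if unknown.
 * Assumes Linux: parses /proc/self/maps ("lo-hi perms ..."). */
int addr_is_writable(const void *addr) {
    char line[512], perms[5];
    unsigned long lo, hi;
    int result = -1;
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return -1;
    while (result < 0 && fgets(line, sizeof line, maps))
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3 &&
            (uintptr_t)addr >= lo && (uintptr_t)addr < hi)
            result = (perms[1] == 'w');
    fclose(maps);
    return result;
}

/* Count conversion specifiers ("%%" is a literal); flag any %n. */
int count_conversions(const char *fmt, int *has_n) {
    int count = 0;
    *has_n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;
        p += strspn(p, "-+ #'0123456789.*hlLqjzt"); /* flags, width, length */
        if (*p == '\0') break;                      /* truncated specifier */
        if (*p == 'n') *has_n = 1;
        count++;
    }
    return count;
}

/* Interposed printf: report suspicious formats on stderr, then print. */
int printf(const char *fmt, ...) {
    int has_n, n = count_conversions(fmt, &has_n);
    int writable = addr_is_writable(fmt);
    if (writable == 1 || has_n)
        fprintf(stderr, "[fmtaudit] %s format, %d conversion(s)%s: \"%s\"\n",
                writable == 1 ? "writable" : "constant", n,
                has_n ? ", uses %n" : "", fmt);
    va_list ap;
    va_start(ap, fmt);
    int ret = vfprintf(stdout, fmt, ap);
    va_end(ap);
    return ret;
}
```

Binaries built with _FORTIFY_SOURCE call __printf_chk instead of printf, and the compiler may turn simple printf calls into puts, so those calls do not pass through this hook.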

MacOS X reverse engineering

I had some information exchange with Frederic and together we had a closer look at MacOS X binaries and the linker. More information will follow soon.

Gera's challenges

To relax, I did some of Gera's challenges, mainly the advanced buffer overflows (especially levels 1, 3 and 4).


AppleScript is the highly integrated scripting language of the OSA (Open Scripting Architecture) of MacOS X. The syntax is quite awkward, because you use something like natural language. When writing little helpers for automated fuzzing of web browsers, I tried to get some inspiration from other AppleScripts. The problem is that most AppleScript applications are delivered as a program (the bytecode + an interpreter) AND with a flag "execute only". That means the source code is not readable. Some Python scripting and comparing binary files revealed that the copy protection and the script itself are placed in the so-called "Resource Fork" of the binary (the interpreter, as any "normal" file, is located in the "Data Fork"). The only resource that differs in the protected and unprotected version of the AppleScript is the "scpt" resource ("SCriPT" - obviously).

breaking misc stuff

The grandstream voip phone's webserver just broke, it seems that the password validation is done in the html form and the webserver itself is quite naive: curl -d "P2=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

POP3 fuzzing

I started a POP3 protocol fuzzer in Python. It turns out that a) the clients I tested do not accept random data which does not look like a POP3 conversation at all and b) the fuzzer also should generate data that looks like real emails. The fuzzer will be released soon.