Summerschool Aachen 2005/Notes/Christians notes

From C4 Wiki

My Summerschool Projects

verBOTen.py

I've been running the following test for crawlers for about a year now: I added a "Disallow" entry to the robots.txt of my webserver and waited for crawlers to explicitly crawl that directory. It seems that there are no crawlers who are interested in files people don't want to be crawled. Together with Maximillian Dornseif, we wrote and set up verBOTen, a crawler that collects robots.txt files from 2.700.000 hostnames that we got from the Open Directory Project (http://www.dmoz.org/) and adds them to a database. The next step will be to crawl those files and ask in public to decide the level of interest of the files, similar to the EXIF thumbnail project.
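The "Disallow" test described above can be automated on the defender's side: parse the Disallow prefixes from robots.txt, then scan the webserver's access log for requests that hit those paths and record which user agents made them. The following is an added example (not verBOTen's code); the robots.txt content and the Apache combined-format log lines are constructed, and the IPs and user agents are placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample robots.txt (placeholder content, not from a real server)
ROBOTS_TXT = """User-agent: *
Disallow: /private/
Disallow: /tmp/
"""

# Constructed Apache combined-format log lines (IPs and user agents are placeholders)
ACCESS_LOG = """\
192.0.2.10 - - [10/Sep/2005:12:00:01 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Sep/2005:12:00:05 +0200] "GET /robots.txt HTTP/1.0" 200 40 "-" "ExampleBot/1.0"
192.0.2.20 - - [10/Sep/2005:12:00:09 +0200] "GET /private/secret.html HTTP/1.0" 404 210 "-" "ExampleBot/1.0"
192.0.2.30 - - [10/Sep/2005:12:01:00 +0200] "GET /tmp/x.txt?id=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0 (compatible; OtherBot/2.1)"
"""

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_disallow(robots_txt, agent="*"):
    """Return the Disallow prefixes listed for the given User-agent group."""
    prefixes, in_group = [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            in_group = (value == agent)
        elif field == "disallow" and in_group and value:  # empty Disallow allows everything
            prefixes.append(value)
    return prefixes


def find_disallow_hits(log_text, prefixes):
    """Return (ip, user_agent, path) for each request whose path matches a Disallow prefix."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-format line
        path = urlsplit(m.group("path")).path  # ignore query string when matching prefixes
        if any(path.startswith(p) for p in prefixes):
            hits.append((m.group("ip"), m.group("ua"), path))
    return hits


if __name__ == "__main__":
    for ip, ua, path in find_disallow_hits(ACCESS_LOG, parse_disallow(ROBOTS_TXT)):
        print(f"{ip} ({ua}) requested disallowed path {path}")
```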

TLS support for scapy

I started to have a look at the very ugly TLS packet format and hacked together a first version of TLS packet generation for scapy. Max improved and bug-fixed it; check his documentation for more ;-)

FakeIOI2CMotionSensor

Some time ago, I reverse engineered an application that uses the Apple Motion Sensor, a motion sensor that switches off the hard disk on fast acceleration to prevent damage. While my software runs well on Powerbooks, it refuses to work on the new AMS-enabled iBooks. To have a generic way to find out the called driver functions and the layout of the used structures, I want to create a replacement for the original driver to interact with the Apple software.

inspectf

Inspired by Max's idea, I started to write a library that replaces printf to inspect format strings in closed-source software in order to find possible format string vulnerabilities.

MacOS X reverse engineering

I had some information exchange with Frederic, and together we had a closer look at MacOS X binaries and the linker. More information will follow soon.

Gera's challenges

For relaxing, I did some of Gera's challenges, mainly the advanced buffer overflows (especially levels 1, 3 and 4).

breaking misc stuff

The Grandstream VoIP phone's webserver just broke; it seems that the password validation is done in the HTML form and the webserver itself is quite naive: curl -d "P2=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" http://172.30.20.71/dologin.htm