.

Challenge

<<

SRVblackhat

Newbie
Newbie

Posts: 3

Joined: Sun Aug 01, 2010 4:09 pm

Post Sun Aug 01, 2010 5:07 pm

Challenge

I'm working on a challenge that involves analyzing a binary and writing an exploit against the binary. Do you know anything about how to do that?
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Aug 01, 2010 6:15 pm

Re: Challenge

What sort of binary are we referring to?  Something that accepts user input?  Can you fuzz the input fields?

Simply 'writing an exploit against a binary' is too vague to give you specific help...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Mon Aug 02, 2010 1:53 am

Re: Challenge

As already stated by hayabusa, supplying more infos would increase you chances of getting a more concrete answer.

Do you have any experience towards reverse engineering?
<<

SRVblackhat

Newbie
Newbie

Posts: 3

Joined: Sun Aug 01, 2010 4:09 pm

Post Mon Aug 02, 2010 9:42 pm

Re: Challenge

The problem statement is, "Create a program that will open a socket (in the binary .exe) and send data to the service so that through the service you gain access to the secret answer"..
Using IDA Pro I have identified the socket as Port 23 (Telnet). I'm new to this so I dont really have any experience with reverse engineering or fuzzing, but I do have some tools available. I have some tools available and the suggested tools are Python, Perl, IDA Pro, OllyDbg, Hex editor
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Aug 04, 2010 7:51 am

Re: Challenge

UNGH!  I had a fairly long response typed in, and when I hit POST, my connection was timed out, and got lost.

In a nutshell, per your PM request to me, for further info, I'll respond here, so as to benefit any others who might learn from this.

Based on the tools list you provided, and the challenge you described, I'm assuming you're in some class (school, online, or other) where you're learning about process execution and / or reverse-engineering / assembly code programming, etc.  You may not have prior experience fuzzing, but you're likely going to have to gain some, here, or sit with OllyDebug, IDA and your hex editor, and slowly go through the source code for the 'vulnerable' exe in question, looking for exploitable / overflowable buffer space from input variables.  In a nutshell, you need to either analyze the code, or fuzz, to find input commands which allow more than the 'normal' length to be submitted to the process (you say telnet on port 23), so as to inject shellcode, direct process execution TO that shellcode, and then safely return from it, so as not to crash the target system, and force or instantiate a reboot, in the process, and waste all of your efforts.

Are you given a copy of said target exe to test with?  If not, you might need to do some reconnaissance, such as banner grabbing, etc, to get exact version, etc, and see if you can obtain a copy from the net, somewhere, as having a local copy to test against is often easier and helpful.  If you ARE given a copy (or you obtain one,) well, then at least you have better opportunity to learn, as crashing your own system or the running exe process and restarting the process or rebooting is easy for you to do.

Either way, you've pretty much got to examine the possible inputs and values for the service, to see if one or more will crash the service, if you enter an excessive amount of data (typically, send the expected command and an inordinate amount of 0x42 (hex for A) or other characters, to try to crash the running process.  You'd then shorten this amount of data down, until you reach a point where you DON'T crash the service anymore, see if that amount of data is enough to allow you to upload shellcode and pass execution to it, etc.

I'm not going to give you a full tutorial on fuzzing and buffer overflows here, as a bit of research on Google (or insert your favorite search engine here) will yield plenty of them.  Assumably the idea of your course / challenge is to teach you, and to show you how to learn about these things on your own, so I'm not going to spend a ton of time pointing you in that direction.  (The fact that you found EH-net and posted here, is a good beginning, and shows your desire to try to learn...)  One of the best / most well-known tutorials / examples can be found all over the net, but here's one location for it:

http://www.amsta.leeds.ac.uk/~read/bofs.html

I wish you luck, and if you hit a point where you can't seem to progress, feel free to ask further questions, etc., and I'm sure that I, or another member, will try to give you some subtle hints and such to get you past your roadblock, and moving forward, again  But you'll need to spend some time learning, and trying things out, first, as we're not here to simply hand you the answers to your homework assignments.  :-)

If time / money permit, and what you're working on is self-paced, you might consider, anyway, looking at OSCP or eLearnSecurity's training, as both cover fuzzing and buffer overflows, in more detail, and might help.  But regardless, you'll need to spend some more time coming up to speed on these, to get past this exercise / challenge you're working on.

Good luck, SRVblackhat, and keep us posted on your progress!
Last edited by hayabusa on Wed Aug 04, 2010 7:53 am, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Aug 04, 2010 8:25 am

Re: Challenge

@hayabusa ... vi/ed/nano/pico/wordpad/notepad is your friend. This has happened to me plenty of times. I'll begin to answer a post here, but immediately copy it over to a text file, answer it there, then post it back here. I'm tempted to answer this, but it would be booklong, therefore I stood away. I may re-visit this when I have some more time
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Aug 04, 2010 8:56 am

Re: Challenge

@sil - exactly...  I've decided, anytime I have something long, I'll be copy / pasting it in, from here on.  (This was the first time EH-Net had timed out on me, during a long post...  surprising, I guess... so it caught me offguard)  And I agree, on the 'booklong' thread, thus, my pointing him in a general direction, and giving him a place to start.  If he gives more detail, after showing he's working on it, I'm happy to keep assisting, but I don't want to 'hand him the keys to the ferrari'

;)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Aug 04, 2010 9:42 am

Re: Challenge

Hayabusa-san, you mean you're not capturing all your network traffic out of impulse? You could have just retrieved it from the trace file ;)
The day you stop learning is the day you start becoming obsolete.
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Aug 04, 2010 11:32 am

Re: Challenge

R-O-F-L!!!  That's pretty good.  No, right now I'm not, however, since sneaky folks like you think that way, maybe I should, to make sure you're not 'a-snoopin' on me!

That was pretty funny, dynamik!  :D  Thanks!  Needed a chuckle right then!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

Return to News Items and General Discussion About EH-Net

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software