staring into /dev/null

barrebas

Weekly Roundup 2015 #2

A bit later and shorter than planned due to the CTF, but here’s another weekly roundup!

I want to kick this one off with a beautiful writeup by drone on a local ntpdc overflow. drone really takes you down the rabbit hole in terms of exploit dev and even manages to find that Debian x86 does not ship with PAE enabled. This means that protections such as NX are not enabled on these systems! Very detailed writeup which discusses the buffer overflows and the use of ROP and I highly recommend it.

No less than three VMs were released on VulnHub this week! Pandora’s Box by c0ne and the Purge and theFrequency by strata. I highly recommend Pandora’s Box if you like exploit dev. I finished the Purge, which felt quite polished and is really left-field. Still working on the Frequency, which shows me a whole different world of audio stego!

Apparently, ASUS routers have a vulnerable service listening on UDP 9999 with runs with root privileges. This infosrv serivce contains a vulnerability that allows unauthenticated root command execution. There’s also a published exploit already. It’s a pretty interesting writeup, including technical details. It seems to boil down to a programmer mistakenly using memcpy where he or she meant to use memcmp. Ouch.

Finally, I came across this blog that describes SROP or Sigreturn Oriented Programming, a variation on ROP. According to the blog post, it’s a way to make stack overflows more reliable. The way I understand it, you need to overwrite a saved return address to execute a sigreturn syscall, which in turn allows one to call any syscall by forging the appropriate uc_mcontect struct in memory. This is convenient as one needs less gadgets to pull it off. Cool stuff! Hope to see this in one of the VulnHub VMs once :)

Comments