Recently, I had the privilege to write a detailed analysis of
CVE-2023-34362,
which is series of several vulnerabilities in the MOVEit file transfer
application that lead to remote code execution. One of the several
vulnerabilities involved an ISAPI module - specifically, the MoveITISAPI.dll
ISAPI extension. One of the many vulnerabilities that comprised the MOVEit RCE
was a header-injection issue, where the ISAPI application parsed headers
differently than the .net application. This point is going to dig into how to
analyze and reverse engineer an ISAPI-based service!
This wasn’t the first time in the recent past I’d had to work on
something written as an ISAPI module, and each time I feel like I have to start
over and remember how it’s supposed to work. This time, I thought I’d combine
my hastily-scrawled notes with some Googling, and try to write something that I
(and others) can use in the future. As such, this will be a quick intro to
ISAPI applications from the angle that matters to me - how to reverse engineer
and debug them!
I want to preface this with: I’m not a Windows developer, and I’ve never run an
IIS server on purpose. That means that I am approaching this with brute-force
ignorance! I don’t have a lot of background context nor do I know the correct
terminology for a lot of this stuff. Instead, I’m going to treat these are
typical DLLs from typical applications, and approach them as such.
Continue reading →
Fork off: Three ways to deal with forking processes
Have you ever tested a Linux application that forks into multiple processes?
Isn’t it a pain? Whether you’re debugging, trying to see a process crash, or
trying to write an exploit, it can be super duper annoying!
In a few days, I’m giving a talk at NorthSec in Montreal. I asked some
co-workers to review my slides, and they commented that I have some neat
techniques to deal with forking, so I thought I’d share a couple!
Spoiler alert: The last one is the best, so you can just skip to that. :)
Continue reading →
Reverse engineering tricks: identifying opaque network protocols
Lately, I’ve been reverse engineering a reasonably complex network protocol, and I ran into a mystery - while the protocol is generally an unencrypted binary protocol, one of the messages was large and random. In an otherwise unencrypted protocol, why is one of the messages unreadable? It took me a few hours to accomplish what should have been a couple minutes of effort, and I wanted to share the trick I ultimately used!
I’m going to be intentionally vague on the software, and even modify a few things to make it harder to identify; I’ll probably publish a lot more on my work blog once I’m finished this project!
Continue reading →
BSidesSF 2023 Writeups: too-latte (medium-difficulty Java exploitation)
too-latte
is a challenge I wrote based on
CVE-2023-0669,
which is an unsafe deserialization vulnerability in Fortra’s GoAnywhere MFT
software. I modeled all the vulnerable code off, as much as I could, that
codebase. It’s obviously themed quite differently.
Continue reading →
BSidesSF 2023 Writeups: ROP Petting Zoo (educational challenge!)
ROP Petting Zoo is a challenge designed to teach the principles of
return-oriented programming. It’s mostly written in Javascript, with a backend
powered by a Ruby web server, along with a tool I wrote called
Mandrake. Source code is shared between
the three parts of the challenge, and is available
here.
Continue reading →
BSidesSF 2023 Writeups: overflow (simple stack-overflow challenge)
Overflow is a straight-forward buffer overflow challenge that I copied from
the Hacking: Art of Exploitation examples CD.
I just added a flag. Full source is here.
Continue reading →
BSidesSF 2023 Writeups: id-me (easy file identification challenge)
id-me
is a
challenge I wrote to teach people how to determine file types without extensions.
My intent was to use the file
command, but other solutions are absolutely
possible!
Continue reading →
BSidesSF 2023 Writeups: Get Out (difficult reverse engineering + exploitation)
This is a write-up for three challenges:
They are somewhat difficult challenges where the player reverses a network
protocol, finds an authentication bypass, and performs a stack overflow to
ultimately get code execution. It also has a bit of thematic / story to it!
Continue reading →
BSidesSF 2023 Writeups: Flat White (simpler Java reversing)
This is a write-up for flat-white
and flat-white-extra-shot
,
which are easier Java reverse engineering challenges.
Continue reading →
Blast from the Past: How Attackers Compromised Zimbra With a Patched Vulnerability
Last year, I worked on a vulnerability in Zimbra
(CVE-2022-41352 - my
AttackerKB analysis for Rapid7)
that turned out to be a new(-ish) exploit path for a really old bug in cpio
-
CVE-2015-1194. But that was patched in 2019, so what happened?
(I posted this as a tweet-thread awhile back, but I decided to flesh it out and
make it into a full blog post!)
Continue reading →
GDB Tricks: Tricking the Application into Generating Test Data
While reverse engineering a Linux binary, I ran into a fairly common situation:
I wanted to understand how a decompression function works, but I didn’t have
compressed data to test with. In this blog, I’ll look at how to we can
manipulate the instruction pointer in the GNU debugger (gdb
) to trick the
software into generating test data for us!
I posted this on Mastodon awhile back, but I cleaned it up and expanded it a bit
to make it a full blog post.
Continue reading →
BSidesSF 2022 Writeups: Miscellaneous Challenges (loca, reallyprettymundane)
Hey folks,
This is my (Ron's / iagox86's) author writeups for the BSides San Francisco 2022 CTF. You can get the full source code for everything on github. Most have either a Dockerfile or instructions on how to run locally. Enjoy!
Continue reading →
BSidesSF 2022 Writeups: Game-y Challenges (Turtle, Guessme)
Hey folks,
This is my (Ron's / iagox86's) author writeups for the BSides San Francisco 2022 CTF. You can get the full source code for everything on github. Most have either a Dockerfile or instructions on how to run locally. Enjoy!
Continue reading →
BSidesSF 2022 Writeups: Apache Challenges (mod_ctfauth, refresh)
Hey folks,
This is my (Ron's / iagox86's) author writeups for the BSides San Francisco 2022 CTF. You can get the full source code for everything on github. Most have either a Dockerfile or instructions on how to run locally. Enjoy!
Continue reading →
BSidesSF 2022 Writeups: Tutorial Challenges (Shurdles, Loadit, Polyglot, NFT)
Hey folks,
This is my (Ron's / iagox86's) author writeups for the BSides San Francisco 2022 CTF. You can get the full source code for everything on github. Most have either a Dockerfile or instructions on how to run locally. Enjoy!
Continue reading →
BSidesSF CTF 2021 Author writeup: log-em-all, a Pokemon-style collection game [video]
This is a video walkthrough of Log ‘em All, a difficult Hacking / Reverse Engineering challenge based on a classic bug in Pokemon Red. You can view the video below, or directly on Youtube.
I’ve never done a video-based writeup before, so I’d love feedback!
Continue reading →
BSidesSF CTF 2021 Author writeup: glitter-printer, a buffer underflow where you modify the actual code
Hi Everybody!
This is going to be a challenge-author writeup for the Glitter Printer challenge from BSides San Francisco 2021.
First, a bit of history: the original idea I had behind Glitter Printer was to make a video game challenge involving cartridge-swap, where I’d write a handful of simple video games in 100% x86 code with no imports or anything (like an old fashioned cartridge game), and the player could swap between them without memory being re-initialized. Folks used to do this sorta thing on NES, and maybe I’ll use it in a future challenge, but I decided to make this a bit simpler.
While experimenting with writing libraries without libc, I realized just how much work it was going to be to write a bunch of games, and decided to simplify. My next ide was to write a “driver” type thing, where a blob of code is loaded into +RWX memory and the player could go wild on it. The the name Glitter Printer came across my radar, I don’t even remember why, and that gave me the idea to do an LPR server.
That’s quite the background!
Continue reading →
BSidesSF CTF 2021 Author writeup: secure-asset-manager, a reversing challenge similar to Battle.net bot dev
Hi Everybody!
This is going to be a challenge-author writeup for the Secure Asset Manager challenge from BSides San Francisco 2021.
It’s designed to be a sort of “server management software”. I sort of chose that theme to play off the Solarwinds thing, the theme wasn’t super linked to the challenge.
The challenge was to analyze and reverse engineer a piece of client-side software that “checks in” with a server. For the check-in, the client is required to “validate” itself. The server sends a random “challenge” - which is actually a block of randomized x86 code - and that code used to checksum active memory to prevent tampering. If anybody reading this worked on bots for the original Starcraft (and other Battle.net games), this might seem familiar! It’s based on Battle.net’s CheckRevision code.
Continue reading →
BSidesSF CTF 2021 Author writeup: Hangman Battle Royale, where you defeat 1023 AI players!
Hi Everybody!
This is going to be a challenge-author writeup for the Hangman Battle Royale challenge from BSides San Francisco 2021.
This is actually a reasonable simple challenge, overall. I got the idea of using a bad mt19937 implementation (the Mersenne Twister PRNG used by Ruby and Python) from SANS Holiday Hack Challenge 2020 (which is still online if you want to play!), and wanted to build a challenge around it. I had the idea of Battleship originally, but ended up deciding on Hangman for reasons I no longer remember, but that I’m sure made sense at the time.
Continue reading →
BSidesSF CTF 2021 Author writeup: Reverseme and Reverseme2 – simpler reverse engineering challenges
This is going to be a writeup for the Reverseme challenges (reverseme and reverseme2 from BSides San Francisco 2021.
Both parts are reasonably simple reverse engineering challenges. I provide the compiled binaries to the player (you can find those in the respective distfiles/ folders), and you have to figure out what to do with them.
Both challenges use the same basic code as the runme challenges, where you send shellcode that is executed. Only in this case, the shellcode must be modified or “encoded” in some way first!
Continue reading →