HackyEaster was awesome again. From a technical point of view there weren’t too many new things, but the creativity of the provided challenges made it really fun. Including the little teaser challenge there was a total of 37 challenges. These challenges were divided into different levels. You could only proceed to the next level if you had earned enough points in the current level. I really liked that new idea.
Continue reading “Hacky Easter 2021 writeup”
mpv media player – mf custom protocol vulnerability (CVE-2021-30145)
The mpv media player provides a custom protocol handler (mf://) in order to merge multiple images into a video. An undocumented feature within this protocol handler allows the use of a format specifier in the provided URL, which is evaluated using sprintf. This results in both a format string vulnerability and a heap overflow (CVE-2021-30145).
After disclosing the vulnerability to the mpv team on the 3rd April 2021 I got an immediate response. The mpv team took the issue very seriously and immediately started to work on a patch with me. This was the first time I disclosed a vulnerability to an open source project and I was really impressed by the professional reaction and the passionate commitment. The patch was released only two days after my report, on the 5th April 2021 (commit). Thanks a lot to avih, sfan5 and jeeb.
The impact of the format string vulnerability is limited on Linux, because the binary is compiled with FORTIFY_SOURCE by default. The heap overflow, however, can be used to gain arbitrary code execution by overflowing into an adjacent heap chunk and setting a function pointer to an attacker controlled value. Nevertheless I estimate the probability of exploitation in real life as quite low, because a victim has to be tricked into opening a malicious playlist (e.g. via a URL like http://10.0.0.1/evil.m3u) and the attacker has to have detailed information about the victim’s system to fine-tune the exploit.
Within this article I describe the vulnerability itself as well as the development of a proof of concept exploit for Ubuntu 20.04.2 LTS with ASLR disabled. At the end of the article I outline a few thoughts on how ASLR can be bypassed and what changes if we develop an exploit for Windows. The article is divided into the following sections:
– Introduction
– Format String Vulnerability
– Heap Overflow
– Exploitation
– Further Thoughts
– Conclusion
HACKvent20 writeup
This year’s HACKvent, hosted on competition.hacking-lab.com, has been as great as every year. There was a total of 28 awesome challenges with varying difficulties.
ALLES! CTF 2020 – Actual ASLR 1/2
The ALLES! CTF (ctftime.org) took place from 04/09/2020, 16:00 UTC to 06/09/2020, 19:00 UTC with a variety of interesting, creative challenges.
Within this article I want to share my writeup on the two challenges Actual ASLR 1 and 2, which were authored by LiveOverflow. What I especially liked about the challenge(s) is that you could make progress step by step, even getting a first flag on the way to a full shell, which grants access to the second flag.
The article is divided into the following sections:
→ Actual ASLR 1
– Binary
– Random Algorithm
– Reimplementation In Python
– First Flag
→ Actual ASLR 2
– Custom Heap
– Vulnerability
– Heap Leak
– Image Base Leak
– Overwriting Function Pointer
– Final Exploit
Continue reading “ALLES! CTF 2020 – Actual ASLR 1/2”
AnyDesk UDP Discovery Remote Code Execution (CVE-2020-13160)
One of my goals for this year is to spend a little bit more of my spare time on real world applications. Doing so, I took a look at the remote desktop application AnyDesk, which seems to be rising quickly in popularity, not only because of COVID-19. AnyDesk is available for a variety of operating systems including Windows, Linux, Android and iOS. By reversing and fuzzing the Linux version 5.5.2 of the application I was able to find a format string vulnerability, which can be used to gain Remote Code Execution (RCE) by sending a single UDP packet to the target machine. AnyDesk took the issue very seriously. They released a patch only three days after my notification (5.5.3) and paid me a bounty of 5.000 EUR. The vulnerability is tracked as CVE-2020-13160. Within this article I want to share all steps involved in finding the vulnerability, understanding the bug and developing the RCE exploit. The article is divided into the following sections:
→ Fuzzing
→ Bug
→ Exploit
– Strategy
– The v in vsnprintf
– Gaining arbitrary write
– Controlling the instruction pointer
– Hitting our shellcode: dynamic field width
– Final exploit
→ Conclusion
Continue reading “AnyDesk UDP Discovery Remote Code Execution (CVE-2020-13160)”
Hack The Box – Rope
This article contains my writeup on the machine Rope from Hack The Box. I really enjoyed the box, since it provides a total of three custom binaries, which are supposed to be exploited 🙂
The article is divided into the following parts:
→ User
– Initial Recon
– httpserver
– Leak Memory Address
– Exploit Format String Vulnerability
– Escalating from john to r4j (readlogs)
→ Root
– Local Recon
– contact
– Bruteforce
– Libc Leak
– Final Exploit