Skip to content

Category: debugging

NcN 2013 CTF canada write up

In this post I will cover the second binary challenge of the No Con Name 2013 CTF driven by the Facebook security team. The binary is available here

This binary challenge is based on a i386 stripped elf file which prompts for a flag:

$ file ./howtobasic
./howtobasic: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=4f288f1a66ad673dc50b51c7e85635358bb11da0, stripped
$ ./howtobasic
Facebook CTF
Enter flag: asdasdasdasd
Sorry, that is not correct.
$ 

NcN 2013 CTF australia bin write up

In this post I will cover the first binary challenge of the No Con Name 2013 CTF driven by the Facebook security team. The binary is available here

This binary challenge is based on a i386 elf file which prompts for a flag:

$ file ./derp 
./derp: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=b77361bfdab4b30a5ed258ee173fe306184a4438, not stripped
$ ./derp 
Facebook CTF
Enter flag: asdasdasdasd
Sorry, that is not correct.
$ 

bypassing devmem_is_allowed with kernel probes

In this article I’m going to illustrate how to read the full content of /dev/mem on linux 3.x machines. I will bypass the function devmem_is_allowed with a kernel return probe.

The kernel probes is a kernel component designed for kernel developers to debug the system internals.It can dynamically break into any kernel routine and modify the function’s behavour. This proves had been heavily since yeah by kernel developers. RedHat has build an user interface to kprobes called SystemTap
You can find kprobes’ documentation in Documentation/kprobes.txt. You should also download the article example files kprobe.tgz

NetBSD i386 shellcoding

This article shows basic shellcoding on NetBSD/i386. I hope this won’t be the last on exploitation BSD archs.
The playground is prepared with a fresh NetBSD 5.1.2 installation, virtualized with kvm.

net# uname -a
NetBSD net 5.1.2 NetBSD 5.1.2 (GENERIC) #0: Thu Feb  2 17:22:10 UTC 2012  
builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-2-RELEASE/i386/201202021012Z-obj/home/builds/ab/netbsd-5-1-2-RELEASE/src/sys/arch/i386/compile/GENERIC i386

php-fpm SEGFAULT debugging

This is a little logfile from a php-fm SIGSEV I found on a web server some months ago.
I will post more logfiles and tech descriptions as soon as I can continue with the debugging.

[bash]
root@localhost:/home/user# gdb /usr/sbin/php-fpm core-php-fpm.3915
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>…
Reading symbols from /usr/sbin/php-fpm…(no debugging symbols found)…done.

warning: Can’t read pathname for load map: Error de entrada/salida.

warning: .dynamic section for "/usr/lib/libkrb5.so.3" is not at the expected address (wrong library or version mismatch?)

warning: .dynamic section for "/usr/lib/libldap_r-2.4.so.2" is not at the expected address (wrong library or version mismatch?)
[/bash]