Saturday, January 01, 2022
In the last two blog posts, I described a challenge and exploits to get code execution from arbitrary Go code only allowing the fmt package, at fixed Go version 1.13.3 and without PIE.
These factors made the challenge easier for a CTF: the fmt package gives a nice leak with %p, and no PIE plus a fixed Go version 1.13.3 allow hardcoding addresses and deterministic behaviour of code layout, heap, compiler optimizations and calling convention.
Is it possible to achieve arbitrary code execution on any Go version, even with PIE, and with no package import at all, just builtins? Yes! It's been sitting in my exploits folder for long enough that it's time to write about it.
Saturday, December 07, 2019
The Gomium Browser - Exploits
In my last blog post, I described The Gomium Browser, a pwn challenge of the Google CTF 2019 finals that 4 teams (pasten, 5BC, p4, A*0*E) solved.
The challenge was framed as a command-line browser, but basically boiled down to answering this question: if you control Go source code but can only import the fmt package, can you get enough code execution to execute xcalc?
In this blog post let's look at some of the exploits that teams came up with, either during the CTF or after.
Thursday, November 07, 2019
The Gomium Browser - Google CTF 2019 finals challenge
Last weekend was the Google CTF 2019 finals in London with 10 invited teams, part of a larger event named ESCAL8 with VRP researchers (BugSWAT), students (init.g), etc.
I wrote a CTF challenge for the event: The Gomium Browser. Out of 10 teams, 4 teams solved it (pasten, 5BC, p4, A*0*E) and a 5th team (Balsn) was really close; unfortunately their exploit was unreliable.
In this blog post I won't spoil too much and just introduce the challenge, if you'd like to try it yourself. Then in another post, I'll explain what it was all about, present my exploit and links to some of the other teams' write-ups. There were some really interesting ones.
Thursday, December 03, 2015
From remote shell to remote terminal
If you like exploitation surely you've had your own reverse or connect-back shells. Set up a listening netcat, run the payload and boom: you get a shell back! Then you explore the box, start a program, want to stop it, and do Ctrl-C... no!!! You just lost your shell, because that interrupted netcat, not the remote process.
In this post we'll look at shells and terminals, from the most simple like this netcat with /bin/sh over the network, to a remote terminal emulator supporting terminal window size changes out of band. Think all the goodness SSH is doing for you, could we attempt something like it?
Wednesday, April 22, 2015
Creating Burp extensions in Python, the "editor" case
Surely you've heard of the Burp Suite, quite useful software to perform security testing of web applications and in general to play with anything that talks HTTP(S). There's even a free edition which is often more than enough since I mostly use just Proxy and Repeater.
You can even write extensions to automate things or support some weird things you might see on top of HTTP. Burp being written in Java, you can write your extensions in Java. They also allow you to write them in Python or Ruby, using Jython or JRuby.
I needed to write an extension recently, in Python since I don't particularly like Java. This post shares my experience and resulting code.
Wednesday, April 15, 2015
Golang data races to break memory safety
Go is becoming more and more popular as a programming language and getting more scrutiny from a security point of view. You might remember my heap corruption during garbage collection post. A few days ago Scott Piper wrote Looking for security trouble spots in Go code, an interesting read.
I'd like to expand on a topic I researched a few months ago after discussing with Dmitry Vyukov (ASAN, TSAN, core Go contributor). He mentioned once on the public Go mailing list that you can break the memory safety of Go with data races, and it piqued my interest, so we'll explore that in this post with some exploits.
Before I start, it's important to realize that the Go team knows about this: see Russ Cox's detailed blog post Off to the Races.
Sunday, January 25, 2015
DNS reverse proxy
I have a server with a single IPv4 and I want to run two DNS servers:
- one to serve zones like stalkr.net - if you recall, I like PowerDNS;
- another one for tunneling - I like dns2tcp (TCP level), another good one is iodine (IP level).
Host field to proxy the request to another server. I tried to hack with resolvers and stub/forward zones but it didn't work.
So I made my own dns-reverse-proxy in just a few lines of Go, using a fully featured DNS library. It's running smoothly, if you have the same need feel free to use it!
Monday, October 13, 2014
Tiny ELF 32/64 with nasm
Sometimes I need to create a tiny ELF with some assembly code, because I'm restricted in size or just don't like the bloated binary produced by gcc and the linker. The classic reference about this is A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux. I often use their nasm listing as a template.
I was working with 64bit code the other day and realized there's no 64bit version of it, so here's one.
Saturday, January 04, 2014
IDA on Debian amd64 with python
Are you the lucky owner of an IDA Pro linux license? Since I had errors last time I set it up, here is a quick brain dump on setting up IDA Pro 6.5 on Debian sid with IDA python 2.7. It may even work for Ubuntu.
Wednesday, June 19, 2013
Defcon 21 quals - blackbox write-up
It was DEFCON 21 quals last weekend, with new organizers. It went well, good organization and good challenges. If you're curious about the results, here is a fancy top15 graph. Apparently it was too easy for PPP who finished all of the challenges... insane! :)
There were 5 categories:
- 3dub: web-based challenges
- 0x41414141: exploitation
- \xff\xe4\xcc: shellcode
- OMGACM: guerilla programming
- gnireenigne: reverse engineering
If you want to have a look, @JonathanSalwan saved some of the binaries on his repo.