desock assistance

Question

desock assistance

Tim-Nosco opened this issue 7 years ago · comments

Hey Zardus.
I'm working on ftp from csaw2015: https://github.com/ctfs/write-ups-2015/tree/master/csaw-ctf-2015/reverse/ftp-300
Uploading ftp.zip…

When I run: LD_PRELOAD=./desock.so:./defork.so ./ftp
I can manually enter USER blankwall then PASS cookie to get the expected functionality.
Quite awesome!

% LD_PRELOAD=./desock.so:./defork.so ./ftp         
[+] Creating Socket
[+] Binding
[+] Listening
[+] accept loop
[+] socket fd: 4
Welcome to FTP server
USER blankwall
Please send password for user blankwall
PASS cookie
logged in
^C

Unfortunately, if I make a file to emulate the way fuzzers interact with the binary and run the program that way, I do not get the expected functionality:

% cat ftp_in
USER blankwall
PASS cookie
% LD_PRELOAD=./desock.so:./defork.so ./ftp < ftp_in
[+] Creating Socket
[+] Binding
[+] Listening
[+] accept loop
[+] socket fd: 4
Welcome to FTP server
Please send password for user blankwall
PASS cookie
^C

I investigated a little and believe the first read(preeny_fd,65536) collects all of ftp_in and writes it to the socket.
FTP only accepts the first line; this leaves PASS cookie on the dup socket.
FTP then writes to STDOUT Please send password for user blankwall\nPASS cookie\n.
Nothing remains for the next FTP read (that expects the password).

How can I mitigate this issue?

Thank you so much for your outstanding tool!
I'm working on a universal way to communicate with ELF binaries through a single file (for fuzzing).
The things I've done and will hopefully push to your project are: injecting argv/argc, redirecting file reads (simple to just LD_PRELOAD a custom read function).

Yan Shoshitaishvili · Answer 1 · Tue Dec 05 2017 19:32:04 GMT+0800 (China Standard Time)

Sorry for the laggy response. Super busy times lately. The problem you’re describing is common with fuzzers (in fact, Driller suffers heavily from this, fully externally from preeny). Are you sure that the FTP server itself doesn’t suffer from this problem (i.e., reads as much as it can, instead of byte by byte)? In that case, there’s little that we can do. Of course, you can try reducing that read() to 1 byte. Most network applications should be able to adapt to that and keep reading until they’ve read whatever they’re supposed to. That might be an easy solution.

…

On Tue, Nov 14, 2017 at 10:51 AM Tim Nosco ***@***.***> wrote: Hey Zardus. I'm working on ftp from csaw2015: https://github.com/ctfs/write-ups-2015/tree/master/csaw-ctf-2015/reverse/ftp-300 When I run: LD_PRELOAD=./desock.so:./defork.so ./ftp I can manually enter USER blankwall then PASS cookie to get the expected functionality. Quite awesome! [+] Creating Socket [+] Binding [+] Listening [+] accept loop [+] socket fd: 4 Welcome to FTP server USER blankwall Please send password for user blankwall PASS cookie logged in ^C``` Unfortunately, if I make a file to emulate the way fuzzers interact with the binary and run the program that way, I do not get the expected functionality: ```% cat ftp_in USER blankwall PASS cookie % LD_PRELOAD=./desock.so:./defork.so ./ftp < ftp_in [+] Creating Socket [+] Binding [+] Listening [+] accept loop [+] socket fd: 4 Welcome to FTP server Please send password for user blankwall PASS cookie ^C``` I investigated a little and believe the first `read(preeny_fd,65536)` collects all of `ftp_in` and writes it to the socket. FTP only accepts the first line; this leaves `PASS cookie` on the dup socket. FTP then writes to STDOUT "Please send password for user blankwall\nPASS cookie". Nothing remains for the next FTP read (that expects the password). How can I mitigate this issue? Thank you so much for your outstanding tool! I'm working on a universal way to communicate with ELF binaries through a single file (for fuzzing). The things I've done and will hopefully push to your project are: injecting argv/argc, redirecting file reads (simple to just LD_PRELOAD a custom read function). — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#35>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADSzlwDPfi28EyFRrE1NgE9XngYqJ-vjks5s2dMogaJpZM4QdvXm> .

Krace · Answer 2 · Wed Sep 05 2018 13:42:01 GMT+0800 (China Standard Time)

I also meet this problems, any other ideas about how to solve it? :P

Yan Shoshitaishvili · Answer 3 · Wed Sep 05 2018 14:19:07 GMT+0800 (China Standard Time)

The only thing that pops into my mind is to change preeny in these cases to have recv always read a single byte. A well-written program should loop until it has the number of bytes it needs. This isn't a general solution, though, and will likely slow things down since the program will perform many more system calls than before.

Krace · Answer 4 · Wed Sep 05 2018 14:45:48 GMT+0800 (China Standard Time)

Wow,thanks for your quick reply.
Do you know the root cause of this problem?The souce code I need to patch is too complex,maybe we can find another way to solve it. :P

Krace · Answer 5 · Wed Sep 05 2018 15:36:42 GMT+0800 (China Standard Time)

PS:I've tried it with the singe byte every time patch,it seems to be run correctly!
But...why,I can't understand that.