BkPctf - Kendall

I was going to write up how to solve Kendall, a "pwn" challenge, but the author has already posted a nice write-up.

I probably spent a good hour and a half looking at the binary, trying to see whether anything was exploitable (good job!), before I managed to figure out the DNS request part. I only managed to find two bugs:

  • You could remove the null terminator on the IP address by writing an address of exactly 16 bytes (e.g. "1111111111111111"), which fills the field with no room left for the terminating NUL.
  • If you made the Source, Dest and netmask all 16 bytes and the Nameserver 3, renew_client would print an error. This was because the snprintf that builds the command string, just before the call to system, was being truncated.
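As an added example (not the challenge binary's code, which the post does not show), the following C program models the two findings above. The field size of 16, the 96-byte command buffer and the command template are assumptions; the point is the check a reviewer would apply: strncpy bounded by the field's own length stores no NUL for a full-length value, and snprintf reports truncation through its return value rather than failing, so `n >= CMD_LEN` is the condition to test before handing the buffer to system().

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the two findings (added example, not the challenge binary's code;
 * the real field, buffer and command layout are not on the page, so the sizes
 * and the command template below are assumptions). */
#define FIELD_LEN 16   /* each address field is exactly 16 bytes, as the post implies */
#define CMD_LEN   96   /* assumed size of the buffer handed to system() */

struct client {
    char source[FIELD_LEN];
    char dest[FIELD_LEN];
    char netmask[FIELD_LEN];
    char nameserver[FIELD_LEN];
};

/* Bug 1: a copy bounded by the field size itself. A 16-byte input fills the
 * field with no terminating NUL, so anything that later treats it as a C
 * string runs on into the next field. Returns whether a NUL was stored. */
bool set_field(char field[FIELD_LEN], const char *value)
{
    strncpy(field, value, FIELD_LEN);   /* pads with NUL only if value is shorter */
    return memchr(field, '\0', FIELD_LEN) != NULL;
}

/* Bug 2: the command for system() is assembled with snprintf into a fixed
 * buffer. snprintf cannot overflow, but it truncates silently; its return
 * value is the length the full string would have had, so n >= CMD_LEN means
 * the terminator did not fit. The %.*s precision keeps this model from
 * over-reading an unterminated field. */
int build_renew_command(const struct client *c, char cmd[CMD_LEN], bool *truncated)
{
    int n = snprintf(cmd, CMD_LEN,
                     "/sbin/renew-lease --src %.*s --dst %.*s --mask %.*s --ns %.*s",
                     FIELD_LEN, c->source, FIELD_LEN, c->dest,
                     FIELD_LEN, c->netmask, FIELD_LEN, c->nameserver);
    *truncated = (n < 0 || n >= CMD_LEN);
    return n;
}

/* Fill a client from four values and build the command; returns snprintf's
 * count and reports truncation, which the error message in the post hid. */
int renew_length(const char *src, const char *dst, const char *mask, const char *ns,
                 bool *truncated)
{
    struct client c;
    char cmd[CMD_LEN];
    set_field(c.source, src);
    set_field(c.dest, dst);
    set_field(c.netmask, mask);
    set_field(c.nameserver, ns);
    return build_renew_command(&c, cmd, truncated);
}

int main(void)
{
    bool truncated;
    int n = renew_length("10.0.0.2", "10.0.0.1", "255.255.255.0", "8.8.8.8", &truncated);
    printf("normal input: %d bytes, truncated=%d\n", n, truncated);
    n = renew_length("1111111111111111", "1111111111111111", "1111111111111111", "111",
                     &truncated);
    printf("16/16/16/3 input: %d bytes, truncated=%d\n", n, truncated);
    return 0;
}
```

With the assumed template, ordinary addresses produce an 81-byte command that fits, while the 16/16/16/3 input produces exactly 96 bytes, one more than the buffer can hold with its terminator, which is the boundary case the `>=` comparison exists for.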

I did learn an important lesson: if there's an opportunity to put a hostname or IP somewhere, PUT IN AN IP YOU CONTROL.

I ended up using dnsmasq for DNS, as I had a server that wasn't already running DNS. I'll have to take a look at minidns next time. For HTTP I used Python's SimpleHTTPServer:

python -m SimpleHTTPServer 80

And a really simple HTTPS server I found on the web:

import BaseHTTPServer, SimpleHTTPServer
import ssl

# Python 2: serve the current directory over HTTPS on port 443.
# server.pem must contain both the certificate and its private key, since no
# separate keyfile is given to wrap_socket.
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='./server.pem', server_side=True)
httpd.serve_forever()
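The post used dnsmasq for the DNS half of the setup. As an added example (not the author's setup and not minidns), here is the minimal catch-all responder that does the same job: it answers every A query with the address you give it and logs who asked for what, which is the whole point of handing the target a name you control. The packet layout follows RFC 1035; the port, buffer sizes and the 60-second TTL are choices made here, and the program assumes it may bind port 53.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define DNS_HDR 12   /* fixed header: ID, flags, QD/AN/NS/AR counts */

/* Read the question name at q[DNS_HDR..] into dotted form. Returns the offset
 * just past the terminating zero label, or 0 if the name is malformed. */
static size_t read_qname(const uint8_t *q, size_t qlen, char *name, size_t namecap)
{
    size_t off = DNS_HDR, pos = 0;
    while (off < qlen) {
        uint8_t len = q[off++];
        if (len == 0) { name[pos] = '\0'; return off; }
        /* no compression pointers in a question, and stay inside both buffers */
        if ((len & 0xC0) || off + len > qlen || pos + len + 2 > namecap) return 0;
        if (pos) name[pos++] = '.';
        memcpy(name + pos, q + off, len);
        pos += len;
        off += len;
    }
    return 0;
}

/* Answer any A query with `ip`; other types get an empty NOERROR reply so the
 * client does not keep retrying. Returns the reply length, or 0 if malformed. */
size_t build_catchall_reply(const uint8_t *q, size_t qlen, uint8_t *out, size_t outcap,
                            const uint8_t ip[4], char *name, size_t namecap)
{
    if (qlen < DNS_HDR + 5 || q[4] != 0 || q[5] != 1) return 0;  /* exactly one question */
    size_t off = read_qname(q, qlen, name, namecap);
    if (off == 0 || off + 4 > qlen) return 0;                    /* QTYPE and QCLASS must follow */
    uint16_t qtype = (uint16_t)(q[off] << 8 | q[off + 1]);
    size_t qend = off + 4;
    if (qend + 16 > outcap) return 0;

    memcpy(out, q, qend);               /* echo ID, flags and the question section */
    out[2] = 0x84 | (q[2] & 0x01);      /* QR=1, AA=1, copy RD */
    out[3] = 0x80;                      /* RA=1, RCODE=0 */
    memset(out + 6, 0, 6);              /* ANCOUNT, NSCOUNT, ARCOUNT = 0 */
    if (qtype != 1) return qend;        /* not an A query: no answer record */

    /* one A record: name is a pointer to offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4 */
    static const uint8_t rr[] = { 0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01,
                                  0x00, 0x00, 0x00, 0x3C, 0x00, 0x04 };
    out[7] = 1;
    memcpy(out + qend, rr, sizeof rr);
    memcpy(out + qend + sizeof rr, ip, 4);
    return qend + sizeof rr + 4;
}

int main(int argc, char **argv)
{
    uint8_t ip[4];
    if (argc != 2 || inet_pton(AF_INET, argv[1], ip) != 1) {
        fprintf(stderr, "usage: %s <address-to-answer-with>\n", argv[0]);
        return 1;
    }
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in me = { 0 };
    me.sin_family = AF_INET;
    me.sin_port = htons(53);            /* needs root or CAP_NET_BIND_SERVICE */
    me.sin_addr.s_addr = htonl(INADDR_ANY);
    if (s < 0 || bind(s, (struct sockaddr *)&me, sizeof me) < 0) {
        perror("bind");
        return 1;
    }
    for (;;) {
        uint8_t q[512], r[512];
        char name[256];
        struct sockaddr_in peer;
        socklen_t plen = sizeof peer;
        ssize_t n = recvfrom(s, q, sizeof q, 0, (struct sockaddr *)&peer, &plen);
        if (n <= 0) continue;
        size_t rl = build_catchall_reply(q, (size_t)n, r, sizeof r, ip, name, sizeof name);
        if (rl == 0) continue;
        printf("%s asked for %s\n", inet_ntoa(peer.sin_addr), name);   /* the callback you wanted */
        fflush(stdout);
        sendto(s, r, rl, 0, (struct sockaddr *)&peer, plen);
    }
}
```

Run it as `./catchall <your-ip>` on the host the target's nameserver field points at; the query line it prints is the evidence that the target resolved your name, even when nothing else follows. A handful of UDP packets is all the protocol needs here, which is why a tool like this is worth keeping around instead of standing up dnsmasq for one lookup.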