

> BGGP #3 (2022), Find loophole in any software

TSFlierMate1
post Jun 18 2022, 04:56 AM, updated 2 months ago

Getting Started
**
Junior Member
102 posts

Joined: Jun 2022
Here comes the third year of the small file competition organized by a group of security researchers and reverse engineers:

tmpout.sh/bggp/3/

Unlike the prior contests in 2020 and 2021, this year's contest will involve a lot of creative thinking.

QUOTE
The goal of the 3rd Annual Binary Golf Grand Prix (BGGP3) is to find the smallest file which will crash a specific program.



Now I will become more like an ethical hacker...

QUOTE
What's the smallest ROM that crashes your favorite emulator?
What's the smallest document that crashes Word?
What's the smallest video that crashes VLC?
What's the smallest plugin that crashes Ableton?
What's the smallest file that crashes your browser?
What's the smallest WAV that crashes Audacity?
What's the smallest ELF that crashes Linux?
What's the smallest EXE that crashes Windows?



I don't dare to try the last two scenarios. If I were able to create an EXE that crashes Windows, I would be in the tech news headlines tomorrow.

This contest runs from June 17th 2022 to August 19th 2022 (New York time).

@angch, I see you followed @binarygolf on Twitter. Nice to see you there! This year's contest is more challenging, isn't it?
angch
post Jun 18 2022, 01:34 PM

On my way
****
Junior Member
514 posts

Joined: Jul 2006
QUOTE(FlierMate1 @ Jun 18 2022, 04:56 AM)
Here comes the third year of the small file competition organized by a group of security researchers and reverse engineers:

tmpout.sh/bggp/3/

Unlike the prior contests in 2020 and 2021, this year's contest will involve a lot of creative thinking.
Now I will become more like an ethical hacker...
I don't dare to try the last two scenarios. If I were able to create an EXE that crashes Windows, I would be in the tech news headlines tomorrow.

This contest runs from June 17th 2022 to August 19th 2022 (New York time).

@angch, I see you followed @binarygolf on Twitter. Nice to see you there! This year's contest is more challenging, isn't it?
*
Meh. It's just a fuzzing challenge. Boring.

Start here: Divide by zero.

Edit: Wait. Re-reading instructions.

This post has been edited by angch: Jun 18 2022, 01:39 PM
TSFlierMate1
post Jun 18 2022, 01:45 PM

Getting Started
**
Junior Member
102 posts

Joined: Jun 2022
QUOTE(angch @ Jun 18 2022, 01:34 PM)
Meh. It's just a fuzzing challenge. Boring.

Start here: Divide by zero.

Edit: Wait. Re-reading instructions.
*
Find a bug, become a white hat hacker, haha.

Just now I almost crashed Dependency Walker 2.20 using a special EXE, but after 40 seconds of not responding it came alive again. So sad, I did not succeed in making it crash.
[screenshot]
junyian
post Jun 19 2022, 08:44 AM

Casual
***
Junior Member
361 posts

Joined: Jan 2003


Interesting challenge. I joined their Discord out of curiosity and there are some really interesting conversations.

Someone managed to crash something and ended up with EIP and EDX set to 33333333.
TSFlierMate1
post Jun 19 2022, 12:25 PM

Getting Started
**
Junior Member
102 posts

Joined: Jun 2022
QUOTE(junyian @ Jun 19 2022, 08:44 AM)
Interesting challenge. I joined their Discord out of curiosity and there are some really interesting conversations.

Someone managed to crash something and ended up with EIP and EDX set to 33333333.
*
Hope to see your name in the final result of BGGP #3.

I guess Windows 11 is too strong to break; it is not easy to find a way to crash their apps.

As @netspooky said, someone managed to crash a media player with a 1-byte file, but I already tried that before with 0-byte and 1-byte DOCX, WAV and MP3 files; Microsoft's apps handle them very steadily and properly.

Looks like I must find a not-so-well-known app to crash. What do you think, @junyian and @angch?
junyian
post Jun 19 2022, 03:37 PM

Casual
***
Junior Member
361 posts

Joined: Jan 2003


QUOTE(FlierMate1 @ Jun 19 2022, 12:25 PM)
Hope to see your name in the final result of BGGP #3.

I guess Windows 11 is too strong to break; it is not easy to find a way to crash their apps.

As @netspooky said, someone managed to crash a media player with a 1-byte file, but I already tried that before with 0-byte and 1-byte DOCX, WAV and MP3 files; Microsoft's apps handle them very steadily and properly.

Looks like I must find a not-so-well-known app to crash. What do you think, @junyian and @angch?
*
I’m equally clueless. Haha. It’s not as if I purposely find apps to crash every now and then. When I first read the intro to the competition, my first thought was to browse CVEs. But man, even that is so tedious.
TSFlierMate1
post Jun 22 2022, 07:39 PM

Getting Started
**
Junior Member
102 posts

Joined: Jun 2022
Looks like I have no luck in crashing a random media player.

[screenshot]

Me trying to fool "aplay" into playing 0-byte and 1-byte MP3/WAV.

[screenshot]
angch
post Jun 23 2022, 02:37 PM

On my way
****
Junior Member
514 posts

Joined: Jul 2006
QUOTE(FlierMate1 @ Jun 22 2022, 07:39 PM)
Looks like I have no luck in crashing a random media player.

[screenshot]

Me trying to fool "aplay" into playing 0-byte and 1-byte MP3/WAV.

[screenshot]
*
Why aren't you using honggfuzz, like mentioned in the challenge? Much easier.
angch
post Jun 24 2022, 10:19 AM

On my way
****
Junior Member
514 posts

Joined: Jul 2006
aplay is gonna be tough. Unless it detects the input as a .wav file, it just memcpys it to the kernel, and for WAV it just uses the length to chunk the read/write of the file.

https://github.com/bear24rw/alsa-utils/blob...r/aplay/aplay.c
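The length-driven reading described above is what a "smallest WAV" attempt has to play with: the reader trusts the sizes in the RIFF header and chunks its reads by them. The following is an added example (my own code, not from this thread, from alsa-utils or from aplay) that builds a minimal PCM WAV with a 44-byte header, can deliberately lie about the declared RIFF and data sizes, and then walks the chunk list the way a length-trusting reader would, reporting every place the header disagrees with the bytes actually present. The function names, the mono/8 kHz/8-bit parameters and the 16 bytes of "silence" are constructed for the example.

```python
"""Added example (not from the thread, alsa-utils or aplay): build minimal
RIFF/WAVE files and check their declared lengths the way a length-driven
reader would, so deliberately inconsistent inputs can be constructed."""
import struct
from pathlib import Path
from typing import Dict, List, Optional


def build_wav(pcm: bytes, *, channels: int = 1, rate: int = 8000, bits: int = 8,
              riff_size: Optional[int] = None,
              data_size: Optional[int] = None) -> bytes:
    """Return a canonical PCM WAV (44-byte header followed by `pcm`).

    riff_size / data_size override the sizes written into the header, which
    is how a size-lying file is made. Assumed parameters: mono, 8 kHz, 8-bit."""
    block_align = channels * bits // 8
    fmt = struct.pack("<HHIIHH", 1, channels, rate, rate * block_align,
                      block_align, bits)                 # 16-byte PCM fmt body
    if data_size is None:
        data_size = len(pcm)
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", data_size) + pcm)
    if riff_size is None:
        riff_size = len(body)                            # bytes after "RIFF"+size
    return b"RIFF" + struct.pack("<I", riff_size) + body


def check_wav(blob: bytes) -> List[str]:
    """Walk the chunk list and return one finding per inconsistency.

    An empty list means every declared length matches the bytes present, i.e.
    a reader that trusts the header never reads past the end of the file."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return ["not a RIFF/WAVE file (would be treated as raw PCM, not parsed)"]
    findings: List[str] = []
    riff_size = struct.unpack_from("<I", blob, 4)[0]
    if riff_size != len(blob) - 8:
        findings.append(f"RIFF size {riff_size} != actual {len(blob) - 8}")
    off = 12
    while off + 8 <= len(blob):
        cid = blob[off:off + 4]
        size = struct.unpack_from("<I", blob, off + 4)[0]
        avail = len(blob) - (off + 8)
        if size > avail:
            findings.append(f"chunk {cid!r} declares {size} bytes, only {avail} present")
        if cid == b"fmt " and size < 16:
            findings.append(f"fmt chunk too short: {size} bytes")
        off += 8 + size + (size & 1)                     # RIFF chunks are word-aligned
    return findings


SILENCE = b"\x80" * 16   # constructed sample: 16 frames of 8-bit unsigned silence


def write_samples(out_dir: str = ".") -> Dict[str, bytes]:
    """Write one consistent file and two size-lying variants; return name -> bytes."""
    samples = {
        "minimal.wav":   build_wav(SILENCE),
        "data_lies.wav": build_wav(SILENCE, data_size=0x7FFFFFFF),
        "riff_lies.wav": build_wav(SILENCE, riff_size=0xFFFFFFFF),
    }
    for name, blob in samples.items():
        Path(out_dir, name).write_bytes(blob)
    return samples


if __name__ == "__main__":
    for name, blob in write_samples().items():
        print(name, len(blob), "bytes:", check_wav(blob) or "consistent")
```

Running it drops the three files in the current directory; `minimal.wav` is 60 bytes and checks clean, while the other two are the kind of input to hand to aplay (or to seed a honggfuzz corpus) to see whether the reader honours the declared length or the real one. Note that anything without a RIFF/WAVE magic is reported as raw data, matching the point above that such a file is just copied through rather than parsed.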
TSFlierMate1
post Jun 24 2022, 05:09 PM

Getting Started
**
Junior Member
102 posts

Joined: Jun 2022
QUOTE(angch @ Jun 24 2022, 10:19 AM)
aplay is gonna be tough. Unless it detects the input as a .wav file, it just memcpys it to the kernel, and for WAV it just uses the length to chunk the read/write of the file.

https://github.com/bear24rw/alsa-utils/blob...r/aplay/aplay.c
*
Nice that you found the source code online. I didn't read the entire source file of "aplay", though I see it handles things quite well. I think the key method to make them crash is an "unhandled exception" (as pointed out by the challenge intro).

Umm.... what about you, any progress so far?

QUOTE(angch @ Jun 23 2022, 02:37 PM)
Why aren't you using honggfuzz like mentioned in the challenge? Much easier.
*
(Chuckle) At first I thought it was a Chinese brand (because of "hong"), so I didn't bother to look further.

This post has been edited by FlierMate1: Jun 24 2022, 05:18 PM
TSFlierMate1
post Jun 24 2022, 06:46 PM

Getting Started
**
Junior Member
102 posts

Joined: Jun 2022
Look! My second attempt. This time with a DOS emulator (DOSBox).

I downloaded Enhanced DEBUG from the Internet (since DOSBox does not include DEBUG.COM/EXE) and assembled a small COM program.

CODE
JMP FFFF:FFFE


It is a 5-byte executable. Upon running BOOT.COM, this is the result in DOSBox! (Sadly, not considered a "crash".)

[screenshot]
angch
post Jun 25 2022, 01:37 PM

On my way
****
Junior Member
514 posts

Joined: Jul 2006
QUOTE(FlierMate1 @ Jun 24 2022, 06:46 PM)
Look! My second attempt. This time with a DOS emulator (DOSBox).

I downloaded Enhanced DEBUG from the Internet (since DOSBox does not include DEBUG.COM/EXE) and assembled a small COM program.

CODE
JMP FFFF:FFFE


It is a 5-byte executable. Upon running BOOT.COM, this is the result in DOSBox! (Sadly, not considered a "crash".)

[screenshot]
*
Crashing DOS is like shooting fish in a barrel. C'mon lar. One 0xCC should be enough to trigger the non-existent debugger.

Edit. I was bored. 5-minute hack, fully recorded. Who needs DOSBox.

https://www.youtube.com/watch?v=rD17005enXM

This post has been edited by angch: Jun 25 2022, 01:48 PM
TSFlierMate1
post Jun 25 2022, 02:24 PM

Getting Started
**
Junior Member
102 posts

Joined: Jun 2022
QUOTE(angch @ Jun 25 2022, 01:37 PM)
Crashing DOS is like shooting fish in a barrel. C'mon lar. One 0xCC should be enough to trigger the non-existent debugger.

Edit. I was bored. 5-minute hack, fully recorded. Who needs DOSBox.

https://www.youtube.com/watch?v=rD17005enXM
*
Woohoo! Great findings, angch!

Yours is PCE; my DOSBox also hangs, but with no crash message.
[screenshot]

I like your discovery. From my understanding, "int 3" is for setting a breakpoint in a debugger.
TSFlierMate1
post Jun 25 2022, 03:03 PM

Getting Started
**
Junior Member
102 posts

Joined: Jun 2022
QUOTE(angch @ Jun 25 2022, 01:37 PM)
Crashing DOS is like shooting fish in a barrel. C'mon lar. One 0xCC should be enough to trigger the non-existent debugger.

Edit. I was bored. 5-minute hack, fully recorded. Who needs DOSBox.

https://www.youtube.com/watch?v=rD17005enXM
*
But the result is not consistent: if you save the 1-byte "0xcc" as a COM executable, restart the emulator and run the COM program again, DOSBox won't hang anymore; instead, it shows the "list of mounted drives".


---

BUT... but, if I create two small programs and run the first and then the second:

CODE
JMP 0


CODE
INT 3

(In a separate program)

Then DOSBox will "exit to error":

[screenshot]

JMP 0 is equivalent to: JMP absolute address 0x0000ff00

This post has been edited by FlierMate1: Jun 25 2022, 07:29 PM
angch
post Jun 25 2022, 03:17 PM

On my way
****
Junior Member
514 posts

Joined: Jul 2006
Depends on where the address at int 3 is pointing to.

Or do a 0xEB 0xFE:
JMP 100

A 2-byte infinite loop.

Not quite crashing the *caller*, mind you, which I interpret as not a valid entry to the competition.

This post has been edited by angch: Jun 25 2022, 03:21 PM
TSFlierMate1
post Jun 25 2022, 05:18 PM

Getting Started
**
Junior Member
102 posts

Joined: Jun 2022
[ Entry Template ]

Please fill out this template for your submission.

---BEGIN BGGP3 ENTRY---
Name or handle:
Contact Info:
Website, twitter, other online presence:
Target Software and Version:
Description of Target Software's Environment (Platform/OS, Setup Instructions, etc.):
Target File Type:
SHA256 Hash:
Brief Description of Crash:
Was this a new crash, or a known bug?
Link to PoC video, screenshot, or console output, if any:
Link to writeup, if any:
CVE or other acknowledgement, if any:
File contents (base64 encoded please):
---END BGGP3 ENTRY---

Your entry's score will be associated with a specific software, and if necessary, software
version. Please only submit one entry per software.

We may contact you for questions on reproducibility, so please include your contact information
in your submission.

All entries should be sent via email to bggp [ AT ] tmpout.sh

More info at https://tmpout.sh/bggp/3/
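The thread so far has produced three tiny real-mode programs (the 5-byte `JMP FFFF:FFFE`, the 1-byte `INT 3`, and the 2-byte `EB FE` loop, plus `JMP 0` assembled at CS:0100), and the template above wants a SHA256 and a base64 dump of whatever is submitted. The script below is an added example, my own code and not from this thread, from DEBUG or from the BGGP organisers: it hand-encodes those jumps the way a 16-bit assembler does (short and near jumps are displacements counted from the end of the instruction, a far jump carries offset then segment), assembles each program as it would sit at CS:0100, and prints the size, SHA256 and base64 fields for each. The file names and the `entry_fields` helper are my own choices, not part of the template.

```python
"""Added example (not from the thread, DEBUG or the BGGP organisers): encode
the tiny real-mode .COM programs discussed above by hand and produce the
size, SHA256 and base64 fields that the BGGP3 entry template asks for."""
import base64
import hashlib
from pathlib import Path
from typing import Dict

COM_ORG = 0x0100          # DOS loads a .COM image at CS:0100 and starts there
INT3 = b"\xCC"            # the 1-byte "trigger the non-existent debugger" program


def jmp_short(at: int, target: int) -> bytes:
    """EB rel8 (2 bytes); rel8 is counted from the end of the instruction."""
    rel = target - (at + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target not reachable with a short jump")
    return b"\xEB" + bytes([rel & 0xFF])


def jmp_near(at: int, target: int) -> bytes:
    """E9 rel16 (3 bytes); 16-bit displacement from the end of the instruction,
    so the result wraps within the 64 KiB segment (DEBUG's 'JMP 0' at 0100)."""
    rel = (target - (at + 3)) & 0xFFFF
    return b"\xE9" + rel.to_bytes(2, "little")


def jmp_far(seg: int, off: int) -> bytes:
    """EA off16 seg16 (5 bytes): absolute far jump, offset first, then segment."""
    return b"\xEA" + off.to_bytes(2, "little") + seg.to_bytes(2, "little")


def entry_fields(blob: bytes) -> Dict[str, object]:
    """The template fields that are derived from the file itself."""
    return {
        "size":   len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "base64": base64.b64encode(blob).decode("ascii"),
    }


# The programs from the thread, assembled as they would sit at CS:0100.
PROGRAMS: Dict[str, bytes] = {
    "boot.com": jmp_far(0xFFFF, 0xFFFE),       # JMP FFFF:FFFE  -> EA FE FF FF FF
    "int3.com": INT3,                          # INT 3          -> CC
    "jmp0.com": jmp_near(COM_ORG, 0x0000),     # JMP 0          -> E9 FD FE
    "loop.com": jmp_short(COM_ORG, COM_ORG),   # JMP 100        -> EB FE
}


def write_programs(out_dir: str = ".") -> Dict[str, Dict[str, object]]:
    """Write each program to disk and return name -> template fields."""
    report = {}
    for name, blob in PROGRAMS.items():
        Path(out_dir, name).write_bytes(blob)
        report[name] = entry_fields(blob)
    return report


if __name__ == "__main__":
    for name, blob in PROGRAMS.items():
        f = entry_fields(blob)
        print(f"{name}: {blob.hex(' ')}  size={f['size']}  "
              f"sha256={f['sha256']}  base64={f['base64']}")
```

The encoders are deliberately minimal (no prefixes, no 32-bit forms) because that is all a .COM golf entry needs; the `ValueError` in `jmp_short` is the check that stops a target outside the -128..+127 window from silently producing a wrong displacement.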

junyian
post Jul 3 2022, 05:48 PM

Casual
***
Junior Member
361 posts

Joined: Jan 2003


I finally found a crash target after a lot of browsing CVEs. It comes with a PoC file too, so it saves me a lot of work. After a few nights of debugging and understanding the relevant code, I managed to reduce the file size a little bit. Now to try to control the crash and get PC 3333.
TSFlierMate1
post Jul 4 2022, 07:02 PM

Getting Started
**
Junior Member
102 posts

Joined: Jun 2022
QUOTE(junyian @ Jul 3 2022, 05:48 PM)
I finally found a crash target after a lot of browsing CVEs. It comes with a PoC file too, so it saves me a lot of work. After a few nights of debugging and understanding the relevant code, I managed to reduce the file size a little bit. Now to try to control the crash and get PC 3333.
*
All the best, hopefully you can make it crash at Program Counter 3 or 3333, which entitles you to bonus points.

I am not participating. I know practicing on a known bug is useful, but I want a new crash!

At least now I know what this group of security researchers is doing: tiny PE/ELF, polyglots, and white hat hacking.

junyian, make Malaysia proud. (BTW, they won't mention nationality.)
junyian
post Jul 6 2022, 06:22 PM

Casual
***
Junior Member
361 posts

Joined: Jan 2003


QUOTE(FlierMate1 @ Jul 4 2022, 07:02 PM)
All the best, hopefully you can make it crash at Program Counter 3 or 3333, which entitles you to bonus points.

I am not participating. I know practicing on a known bug is useful, but I want a new crash!

At least now I know what this group of security researchers is doing: tiny PE/ELF, polyglots, and white hat hacking.

junyian, make Malaysia proud. (BTW, they won't mention nationality.)
*
I’ve never written exploits before, and this seems like a pretty hard buffer overflow to exploit (at least to the complete newbie that I am). I don’t think I can finish learning this by the deadline. Haha.

 
