> BGGP #3 (2022), Find loophole in any software

angch
post Jun 18 2022, 01:34 PM

On my way
****
Junior Member
515 posts

Joined: Jul 2006
QUOTE(FlierMate1 @ Jun 18 2022, 04:56 AM)
Here comes the third year of the small file competition organized by a group of security researchers or reverse engineers:

tmpout.sh/bggp/3/

Unlike the prior contests in 2020 and 2021, this year's contest will involve a lot of creative thinking.
Now I will become more like ethical hacker...
I don't dare to try the last two scenarios. If I were able to create an EXE that crashes Windows, I would be in the tech news headlines tomorrow.

This contest runs from June 17th 2022 to August 19th 2022 (New York time)

@angch, I see you followed @binarygolf on Twitter. Nice to see you there! This year's contest is more challenging, isn't it?
*
Meh. It's just a fuzzing challenge. Boring.

Start here: Divide by zero.

Edit: Wait. Re-reading instructions.

This post has been edited by angch: Jun 18 2022, 01:39 PM
angch
post Jun 23 2022, 02:37 PM

On my way
****
Junior Member
515 posts

Joined: Jul 2006
QUOTE(FlierMate1 @ Jun 22 2022, 07:39 PM)
Looks like I have no luck in crashing a random media player.


Me trying to fool "aplay" to play 0-byte and 1-byte MP3/WAV.

*
Why aren't you using honggfuzz as mentioned in the challenge? Much easier.
angch
post Jun 24 2022, 10:19 AM

On my way
****
Junior Member
515 posts

Joined: Jul 2006
aplay is gonna be tough. Unless it detects it as a .wav file, it just memcpys to the kernel, and for wav, it just uses the length to chunk read/write the file.

https://github.com/bear24rw/alsa-utils/blob...r/aplay/aplay.c
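The point about aplay trusting the length fields is the general hazard with RIFF/WAVE readers: a chunk size is attacker-supplied data until it has been checked against the bytes actually present. The following is an added example written for this thread, not aplay's code, showing a header parser that bounds-checks every length before anything would read or copy it. The sample inputs (a well-formed file, the 0-byte and 1-byte files tried above, and a file whose data chunk overstates its length) are constructed inline.

```python
import struct

# Added example (not aplay's code): a defensive RIFF/WAVE header parser that
# bounds-checks every length field instead of trusting it, the way a player
# should before it reads or copies `size` bytes. Sample inputs are constructed
# inline below.

def parse_wav(data: bytes) -> dict:
    """Parse the RIFF/WAVE header in `data`.

    Returns the fmt fields plus the offset and size of the data chunk.
    Raises ValueError on any length that does not fit inside the buffer.
    """
    if len(data) < 12:
        raise ValueError(f"{len(data)} bytes is too short for a RIFF header")
    riff, riff_size, wave = struct.unpack_from("<4sI4s", data, 0)
    if riff != b"RIFF" or wave != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    # The RIFF size field counts every byte after the 8-byte RIFF header.
    if riff_size + 8 > len(data):
        raise ValueError(f"RIFF size {riff_size} exceeds file length {len(data)}")

    fmt = None
    pos = 12
    while pos + 8 <= len(data):
        cid, csize = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        # Core check: a chunk may never claim more bytes than remain in the file.
        if csize > len(data) - body:
            raise ValueError(
                f"chunk {cid!r} claims {csize} bytes, only {len(data) - body} remain")
        if cid == b"fmt ":
            if csize < 16:
                raise ValueError("fmt chunk shorter than the 16-byte PCM header")
            tag, channels, rate, byte_rate, align, bits = struct.unpack_from(
                "<HHIIHH", data, body)
            if channels == 0 or rate == 0 or bits == 0 or align == 0:
                raise ValueError("zero-valued fmt field would break frame arithmetic")
            fmt = {"format_tag": tag, "channels": channels, "sample_rate": rate,
                   "bits_per_sample": bits, "block_align": align}
        elif cid == b"data":
            if fmt is None:
                raise ValueError("data chunk appears before fmt chunk")
            return {**fmt, "data_offset": body, "data_size": csize}
        pos = body + csize + (csize & 1)  # RIFF chunks are padded to even sizes
    raise ValueError("no data chunk found")


def build_wav(rate=8000, channels=1, bits=8, payload=b"\x80" * 16) -> bytes:
    """Construct a minimal well-formed PCM WAV file for the demonstration."""
    align = channels * bits // 8
    fmt_body = struct.pack("<HHIIHH", 1, channels, rate, rate * align, align, bits)
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt_body)) + fmt_body
            + b"data" + struct.pack("<I", len(payload)) + payload)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def check(data: bytes) -> str:
    """Return 'ok' if the header parses, otherwise the rejection reason."""
    try:
        parse_wav(data)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed inputs: a good file, the 0-byte / 1-byte files from the thread,
# and a good file whose data chunk lies about its length.
GOOD = build_wav()
LYING = bytearray(GOOD)
struct.pack_into("<I", LYING, 40, 0xFFFFFFFF)  # data chunk size field sits at offset 40
LYING = bytes(LYING)

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("empty", b""),
                         ("one byte", b"\x00"), ("lying size", LYING)]:
        print(f"{name:10s} -> {check(sample)}")
```

The 0-byte and 1-byte files fail at the very first check, which is why they never reached anything interesting in aplay; the "lying size" case is the one a length-trusting reader gets wrong, since the RIFF header is consistent and only the data chunk overstates what is present.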
angch
post Jun 25 2022, 01:37 PM

On my way
****
Junior Member
515 posts

Joined: Jul 2006
QUOTE(FlierMate1 @ Jun 24 2022, 06:46 PM)
Look! My second attempt. This time with DOS emulator (DOSBox).

I downloaded Enhanced DEBUG from the Internet (since DOSBox does not include DEBUG.COM/EXE) and assembled a small COM program.

CODE
JMP FFFF:FFFE


It is a 5-byte executable. Upon running BOOT.COM, this is the result in DOSBox! (Sadly, not considered "crash")

*
Crashing DOS is like shooting fish in a barrel. C'mon lar. One 0xCC should be enough to trigger the non-existent debugger.

Edit. I was bored. 5 minute hack, fully recorded. Who needs DOSbox.

https://www.youtube.com/watch?v=rD17005enXM

This post has been edited by angch: Jun 25 2022, 01:48 PM
angch
post Jun 25 2022, 03:17 PM

On my way
****
Junior Member
515 posts

Joined: Jul 2006
Depends on where the address at int 3 is pointing to.

Or do a 0xeb 0xfe
JMP 100

2-byte infinite loop.

Not quite crashing the *caller*, mind you, which I interpret as not a valid entry to the competition.

This post has been edited by angch: Jun 25 2022, 03:21 PM
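For readers wondering why "JMP 100" at the start of a COM file is exactly the bytes EB FE: the short JMP opcode 0xEB takes a signed 8-bit displacement measured from the end of the 2-byte instruction, so a jump back onto itself is -2, which is 0xFE. The code below is an added example, not from anyone in the thread, that encodes and decodes that instruction form and flags a COM image whose first instruction loops on itself. It assumes only the standard DOS COM entry offset of 0x100; the sample byte strings are constructed.

```python
# Added example (not from the thread): encode and decode the 8086 short JMP
# (opcode 0xEB, signed 8-bit displacement) to show why "JMP 100" at a COM
# file's entry point assembles to EB FE. The only assumption is the DOS COM
# load offset 0x100; sample images below are constructed byte strings.

COM_ENTRY = 0x100  # DOS loads a .COM image at CS:0100 and starts executing there


def encode_short_jmp(origin: int, target: int) -> bytes:
    """Encode a JMP rel8 located at `origin` that jumps to `target`.

    The displacement is measured from the end of the 2-byte instruction,
    so a jump to itself is -2, i.e. 0xFE.
    """
    rel = target - (origin + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"target {target:#06x} is {rel} bytes away, outside rel8 range")
    return bytes([0xEB, rel & 0xFF])


def decode_short_jmp(code: bytes, origin: int) -> int:
    """Return the target of the short JMP at `origin`, or raise if it isn't one."""
    if len(code) < 2 or code[0] != 0xEB:
        raise ValueError("not a short JMP (expected opcode 0xEB)")
    rel = code[1] - 0x100 if code[1] & 0x80 else code[1]  # sign-extend rel8
    return origin + 2 + rel


def is_self_loop(com_image: bytes) -> bool:
    """True if the first instruction of a COM image jumps back onto itself."""
    try:
        return decode_short_jmp(com_image[:2], COM_ENTRY) == COM_ENTRY
    except ValueError:
        return False


if __name__ == "__main__":
    loop = encode_short_jmp(COM_ENTRY, COM_ENTRY)
    print(loop.hex(), is_self_loop(loop))        # eb fe True
    print(is_self_loop(b"\xcc"))                  # a lone INT 3 is not a loop: False
```

Because the displacement is relative to the next instruction rather than to the jump itself, the same two bytes form a self-loop wherever they are placed, which is what makes EB FE a position-independent hang rather than a crash.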