desock assistance #35
Description
Hey Zardus.
I'm working on ftp from csaw2015: https://github.com/ctfs/write-ups-2015/tree/master/csaw-ctf-2015/reverse/ftp-300
Uploading ftp.zip…
When I run: LD_PRELOAD=./desock.so:./defork.so ./ftp
I can manually enter USER blankwall then PASS cookie to get the expected functionality.
Quite awesome!
% LD_PRELOAD=./desock.so:./defork.so ./ftp
[+] Creating Socket
[+] Binding
[+] Listening
[+] accept loop
[+] socket fd: 4
Welcome to FTP server
USER blankwall
Please send password for user blankwall
PASS cookie
logged in
^C
Unfortunately, if I make a file to emulate the way fuzzers interact with the binary and run the program that way, I do not get the expected functionality:
% cat ftp_in
USER blankwall
PASS cookie
% LD_PRELOAD=./desock.so:./defork.so ./ftp < ftp_in
[+] Creating Socket
[+] Binding
[+] Listening
[+] accept loop
[+] socket fd: 4
Welcome to FTP server
Please send password for user blankwall
PASS cookie
^C
I investigated a little and believe the first read(preeny_fd,65536) collects all of ftp_in and writes it to the socket.
FTP only accepts the first line; this leaves PASS cookie on the dup socket.
FTP then writes to STDOUT Please send password for user blankwall\nPASS cookie\n.
Nothing remains for the next FTP read (that expects the password).
How can I mitigate this issue?
Thank you so much for your outstanding tool!
I'm working on a universal way to communicate with ELF binaries through a single file (for fuzzing).
The things I've done and will hopefully push to your project are: injecting argv/argc, redirecting file reads (simple to just LD_PRELOAD a custom read function).