Archive for the 'Spot the Vuln' Category

Spot the Vuln: Bored Games

justin April 15th, 2007

Sorry about the recent lull in posts. John and I have had some major changes with our day jobs, and Mark is busy closing out his month-long "Dowd Live 2007 World Tour." We expect regular posting to begin again in the next week or two, though, so don't give up on us yet. Just to show we still care, here's a C++ vulnerability puzzle that should hold your attention for a minute or two.


Fun With Impersonation

justin December 19th, 2006

Here’s our first "Spot the Vuln" challenge. I originally put this together for a post to Matasano’s blog, but work got pretty hectic and I had to let it slip for a bit. Now I finally have a little breathing room, so I thought this would be a good place to post it.

The function below is the thread routine a named pipe server on Windows spawns for each client. The io parameter is an open named pipe handle returned from a call to ConnectNamedPipe(); data has already been read from the pipe, so impersonation shouldn't fail.

#include <windows.h>

/* SHELL is the command line of the program to launch; it is defined
 * elsewhere in the server and is not shown in the puzzle. */

int tclient(HANDLE io) {
    int hr = 0;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;

    HANDLE hProc = GetCurrentProcess();

    /* Take on the security context of the connected pipe client. */
    if (!ImpersonateNamedPipeClient(io))
        return GetLastError();

    /* Hand the child inheritable copies of the pipe as its standard handles. */
    ZeroMemory(&si, sizeof(si));
    si.dwFlags = STARTF_USESTDHANDLES;
    si.cb = sizeof(si);
    DuplicateHandle(hProc, io, hProc, &si.hStdInput,  GENERIC_READ,  TRUE, 0);
    DuplicateHandle(hProc, io, hProc, &si.hStdOutput, GENERIC_WRITE, TRUE, 0);
    DuplicateHandle(hProc, io, hProc, &si.hStdError,  GENERIC_WRITE, TRUE, 0);
    CloseHandle(io);

    /* Launch the shell with the pipe wired to its stdin/stdout/stderr. */
    CreateProcess(NULL, SHELL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);

    CloseHandle(si.hStdInput);
    CloseHandle(si.hStdOutput);
    CloseHandle(si.hStdError);

    /* Drop the client's context and wait for the child to finish. */
    hr = RevertToSelf();
    if (pi.hProcess != NULL)
        WaitForSingleObject(pi.hProcess, INFINITE);

    return hr;
}

This post is open for comments, but we will be moderating first because we don’t want to spoil the fun for everyone.