soffensive blog
Another blog about software security issues
After the seminal blog post by James Jardine in 2016 on XXE exploitation in .NET applications, Microsoft seems to have implemented some additional changes regarding the default behavior of XML parsers.
We work through the different XML methods provided and their corresponding vulnerable configurations. For all experiments, .NET framework 4.6 was chosen.
TL;DR: In order to create an XXE vulnerability in applications using .NET Framework 4.6+, you have to instantiate a vulnerable XmlResolver beforehand.
In a recent engagement I was confronted with a blind path traversal vulnerability on a server running the Microsoft Windows operating system. That is, it was not possible to display folder contents, but the complete file name and path had to be guessed. Due to the lack of a comprehensive website I was forced to gather information from various different sources.
In this blog post, I want to summarize my findings and focus on the exploitation of this kind of vulnerability.
Almost two years ago, in October 2016, James Kettle published an excellent blog post about the various types of Cross-Origin Resource Sharing (CORS) misconfigurations and how they can be exploited.
Recently, I encountered a web application that allowed for two-way interaction with the so-called null origin. More precisely, when sending an HTTP request specifying the header:
Origin: null
the server would respond with the following two HTTP headers:
This blog post will highlight how you can utilize the angr dynamic binary analysis framework and symbolic execution for reverse engineering tasks.
More precisely, we will look at the first two tasks in the lab1 of the RPISEC MBE labs.
While angr's internals are quite complex and require substantial effort to master, getting started with our simple examples does not require much prior knowledge.
lab1C
The first example we will look at is lab1C from lab01, which requires the user to enter a certain password:
In the pwnable.kr challenge crypto1 in the rookies section, we are given the following two files client.py and server.py:
client.py
#!
Exercise 11 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called mystery11, the last exercise of the ARM chapter:
01: 010185B0 mystery11
02: 010185B0 2D E9 F8 4F PUSH.
Exercise 10 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called mystery10:
01: mystery10
02: 2D E9 70 48 PUSH.
Exercise 9 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called mystery9:
01: mystery9
02: 2D E9 30 48 PUSH.W {R4,R5,R11,LR}
03: 0D F2 08 0B ADDW R11, SP, #8
04: 09 4D LDR R5, =byteArray
05: 06 E0 B loc_100E312
06: loc_100E304
07: 0B 78 LDRB R3, [R1]
08: 5A 5D LDRB R2, [R3,R5]
09: 63 5D LDRB R3, [R4,R5]
10: 93 42 CMP R3, R2
11: 04 D1 BNE loc_100E318
12: 01 30 ADDS R0, #1
13: 01 31 ADDS R1, #1
14: loc_100E312
15: 04 78 LDRB R4, [R0]
16: 00 2C CMP R4, #0
17: F5 D1 BNE loc_100E304
18: loc_100E318
19: 0B 78 LDRB R3, [R1]
20: 5A 5D LDRB R2, [R3,R5]
21: 03 78 LDRB R3, [R0]
22: 5B 5D LDRB R3, [R3,R5]
23: 98 1A SUBS R0, R3, R2
24: BD E8 30 88 POP.
Exercise 8 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called mystery8:
01: mystery8
02: 2D E9 78 48 PUSH.W {R3-R6,R11,LR}
03: 0D F2 10 0B ADDW R11, SP, #0x10
04: 0C 4E LDR R6, =byteArray
05: 09 E0 B loc_100E34C
06: loc_100E338
07: 05 78 LDRB R5, [R0]
08: 01 3A SUBS R2, #1
09: 4D B1 CBZ R5, loc_100E352
10: 0B 78 LDRB R3, [R1]
11: 9C 5D LDRB R4, [R3,R6]
12: AB 5D LDRB R3, [R5,R6]
13: A3 42 CMP R3, R4
14: 04 D1 BNE loc_100E352
15: 01 30 ADDS R0, #1
16: 01 31 ADDS R1, #1
17: loc_100E34C
18: 00 2A CMP R2, #0
19: F3 DC BGT loc_100E338
20: 01 3A SUBS R2, #1
21: loc_100E352
22: 00 2A CMP R2, #0
23: 01 DA BGE loc_100E35A
24: 00 20 MOVS R0, #0
25: 04 E0 B locret_100E364
26: loc_100E35A
27: 0B 78 LDRB R3, [R1]
28: 9A 5D LDRB R2, [R3,R6]
29: 03 78 LDRB R3, [R0]
30: 9B 5D LDRB R3, [R3,R6]
31: 98 1A SUBS R0, R3, R2
32: locret_100E364
33: BD E8 78 88 POP.
Exercise 7 on page 79 of the book Practical Reverse Engineering specifies the following ARM disassembly of a function called mystery7:
01: mystery7
02: 02 46 MOV R2, R0
03: 08 B9 CBNZ R0, loc_100E1D8
04: 00 20 MOVS R0, #0
05: 70 47 BX LR
06: loc_100E1D8
07: 90 F9 00 30 LDRSB.