Quick TFTP Server Pro is a multi-threaded TFTP server and Telnet server for Microsoft Windows. It is designed to let network administrators and users save and write files from various network equipment, and to let users log in to the server to execute commands such as listing file and directory information and reverse-pinging network equipment.
The current version, 2.1, is vulnerable to a buffer overflow announced on March 26, 2008, and a directory traversal vulnerability announced on November 5, 2011.
I only focus on the buffer overflow vulnerability. The software has not fixed this problem since the vulnerability was discovered in 2008, and I wondered why.
So I made up my mind to investigate. After the enquiry, I confirmed that this software is only exploitable on Windows XP SP2 and below. Windows XP SP3 or later cannot be exploited even though the software is still vulnerable. Why?
I found that this software comes with no DLL file; it is a standalone executable. Since Windows XP SP3, Microsoft has enforced Data Execution Prevention (DEP), which makes the pages on the stack non-executable and prevents the execution of arbitrary shellcode.
In addition, this software has no other module (DLL) of its own that is compiled without SafeSEH, and all the system modules are SafeSEH-protected. You can find a pointer in unicode.nls, but because of a null byte there is no chance to make the shellcode work.
That is all I have found so far. If anyone finds a method to exploit this software on Windows XP SP3 or later, please let me know. By the way, I have not tried the ret2libc and ROP methods yet.
Therefore it only affects Windows XP SP2 and below. Since Windows XP SP2 is no longer supported by Microsoft, I think the developer of the software considers it unnecessary to fix the vulnerability.
That's all! See you.
Open Source is a great idea and it has changed the world!
Open Source forever ....
If you do not know attack, how can you know defense? (未知攻,焉知防?)
Do BAD things .... for the RIGHT reasons -- OWASP ZAP
It is easier to port a shell than a shell script. -- Larry Wall
Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris. -- Larry Wall
Establish a heart for heaven and earth, establish a destiny for the people, carry on the lost teachings of the past sages, and open up peace for all generations. -- 王炜
Wednesday, August 22, 2012
Thursday, August 16, 2012
HOWTO : Back|Track 5 r3 on Gigabyte TouchNote T1028X/M1028
The Gigabyte TouchNote T1028X/M1028 is equipped with an Intel Atom N280 and an eGalax touch screen. It runs Back|Track 5 r3 flawlessly except for the touchpad. This tutorial tells you how to overcome this problem.
The kernel version of Back|Track 5 r3 is 3.2.6 and the touch screen is functioning flawlessly.
Touchscreen Hardware
"lsusb" shows the following :
Bus 005 Device 002: ID 0eef:0001 D-WAV Scientific Co., Ltd eGalax TouchScreen
Step 1 :
Boot up the 32-bit version of Back|Track 5 r3 from a USB stick created by Unetbootin, or from DVD-ROM. On the menu screen, press "Tab" and append the following to the end of the line.
i8042.noloop=1 reboot=b
Then install as usual and reboot.
Step 2 :
After login, enter the following :
nano /etc/default/grub
Append "i8042.noloop=1 reboot=b" to "GRUB_CMDLINE_LINUX_DEFAULT". It will look like this :
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash i8042.noloop=1 reboot=b"
Save and exit.
Then execute the following commands :
update-grub
fix-splash
Then power off the computer and switch it on again.
That's all! See you.
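As an added example (this is not from the original post), here is the Step 2 edit done by a small shell function instead of by hand in nano. It appends the two kernel parameters to GRUB_CMDLINE_LINUX_DEFAULT only when they are not already present, so running it again after a reinstall does not stack duplicates, and it creates the line if a stripped-down grub file lacks it. The file path and the parameter string are arguments (assumptions of this example, not anything the post defines); the demo works on a constructed copy of a stock /etc/default/grub, and on the real machine update-grub still has to follow, exactly as in the post.

```shell
# Added example, not from the original post: add kernel parameters to
# GRUB_CMDLINE_LINUX_DEFAULT in a grub defaults file without duplicating
# parameters that are already there. On Back|Track you would run
#   grub_add_params /etc/default/grub "i8042.noloop=1 reboot=b" && update-grub
# (the file path and the parameter list are assumptions of this example).
grub_add_params() {
    file="$1"
    params="$2"
    # Current value without the surrounding quotes (empty if the key is absent).
    current=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$file" | tail -n 1)
    new="$current"
    for p in $params; do
        case " $new " in
            *" $p "*) ;;                    # already present: leave it alone
            *) new="${new:+$new }$p" ;;     # append, separated by one space
        esac
    done
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        # Rewrite the existing line in place ('|' as delimiter: values may contain '/').
        sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$new" >> "$file"
    fi
    # Print the resulting line so the caller can confirm the edit before update-grub.
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"
}

# Demonstration on a constructed copy of a stock /etc/default/grub (not a file
# from a real machine). The function runs twice to show the second run is a no-op.
demo_grub_add_params() {
    tmp=$(mktemp)
    printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\nGRUB_CMDLINE_LINUX=""\n' > "$tmp"
    grub_add_params "$tmp" "i8042.noloop=1 reboot=b" > /dev/null
    grub_add_params "$tmp" "i8042.noloop=1 reboot=b"
    rm -f "$tmp"
}
```

The parameter check is a whole-word match on the space-separated value, so "reboot=b" is not mistaken for an existing "reboot=bios"; the sed replacement assumes the parameters contain no '|' or '&', which holds for kernel options like these.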
Labels: Back|Track, eGalax, Gigabyte M1028, Gigabyte T1028X
Saturday, August 11, 2012
HOWTO : Encrypt the Home Directory in Ubuntu
You may want to encrypt your own home directory, or any other user's home directory, if you did not set it up during the installation of Ubuntu.
Step 1 :
sudo apt-get install ecryptfs-utils
Step 2 :
adduser tempuser admin
Logout and re-login as tempuser.
Step 3 :
sudo ecryptfs-migrate-home -u samiux
Logout and re-login as samiux. But DO NOT reboot your system.
If you are not asked for the "Passphrase", you should enter the following command :
sudo ecryptfs-add-passphrase
Step 4 (Optional) :
You can check the Passphrase at any time with the following command :
sudo ecryptfs-unwrap-passphrase
Save the "Passphrase" somewhere and keep it safe for manual recovery.
Step 5 (Optional) :
I suggest you encrypt the swap too.
sudo ecryptfs-setup-swap
Step 6 :
Then, if everything is working fine, you can delete the randomly named backup directory and delete the tempuser.
sudo rm -rf /home/samiux.*
sudo deluser --remove-home tempuser
That's all! See you.
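Step 6 is the irreversible part of this procedure: once /home/samiux.* is gone, the unencrypted copy is the only thing that could have saved you if the encrypted home or the passphrase were not in order. As an added example (not from the original post), here is a pre-deletion gate that checks the two things that must be true first: the home directory is mounted as ecryptfs, and the wrapped passphrase file that ecryptfs-migrate-home writes is on disk. The mounts file is taken as a parameter so the check can be exercised on a constructed snapshot; the assumed /proc/mounts layout (device, mountpoint, fstype, options, dump, pass) and the assumed location ~/.ecryptfs/wrapped-passphrase are assumptions of this example, and the snapshot and placeholder file in the demo are constructed, not captured from a real machine.

```shell
# Added example, not from the original post: a gate to run before Step 6 so
# the unencrypted backup (/home/samiux.*) is only removed once the encrypted
# home is really in use. On a live system pass /proc/mounts as the first
# argument; the demo below uses a constructed snapshot instead.

# Succeed (exit 0) when HOME_DIR is listed in MOUNTS_FILE as an ecryptfs mount.
# Assumed line layout: device mountpoint fstype options dump pass
home_is_ecryptfs() {
    mounts_file="$1"
    home_dir="$2"
    while read -r _dev mnt fstype _rest; do
        [ "$mnt" = "$home_dir" ] && [ "$fstype" = "ecryptfs" ] && return 0
    done < "$mounts_file"
    return 1
}

# Succeed when the user's wrapped passphrase file exists and is non-empty
# (assumed location: ~/.ecryptfs/wrapped-passphrase, written by ecryptfs-migrate-home).
wrapped_passphrase_present() {
    [ -s "$1/.ecryptfs/wrapped-passphrase" ]
}

# Both conditions must hold before "sudo rm -rf /home/<user>.*" is reasonable.
safe_to_remove_backup() {
    home_is_ecryptfs "$1" "$2" && wrapped_passphrase_present "$2"
}

# Demonstration on a constructed snapshot. Prints "safe" or "unsafe".
demo_backup_gate() {
    tmp=$(mktemp -d)
    home="$tmp/home/samiux"
    mkdir -p "$home/.ecryptfs"
    # Constructed /proc/mounts snapshot (not captured from a real machine).
    printf '%s\n' \
        "/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0" \
        "$tmp/home/.ecryptfs/samiux/.Private $home ecryptfs rw,nosuid,nodev,relatime,ecryptfs_cipher=aes,ecryptfs_key_bytes=16 0 0" \
        > "$tmp/mounts"
    # Constructed placeholder standing in for the real wrapped passphrase file.
    printf 'constructed placeholder, not a real wrapped passphrase\n' > "$home/.ecryptfs/wrapped-passphrase"
    if safe_to_remove_backup "$tmp/mounts" "$home"; then echo safe; else echo unsafe; fi
    rm -rf "$tmp"
}
```

On the real machine the call is safe_to_remove_backup /proc/mounts /home/samiux, run as samiux after the re-login in Step 3; if it fails, re-check Steps 3 and 4 before touching the backup.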