Writing a Wireshark dissector to parse data embedded in ICMP headers

I recently spent some time repurposing fields in ICMP headers in order to do a basic file transfer. I decided to use the code, ID, and sequence fields to achieve this, which meant I could fit 5 bytes of data into each header. The PoC implementation was very straightforward to create using scapy: read in the file, create an ICMP packet for every 5 bytes, append that packet to a list, and send out the list of packets once complete.

Crashing munpack for BGGP3

BGGP3

The goal of this year’s BGGP is to ‘find the smallest file which will crash a specific program’. I liked the idea of this challenge as it seemed both interesting and approachable. After reading through the challenge rules and examples (https://tmpout.sh/bggp/3/), I decided to look for a good target to start fuzzing.

Target

My first target was tshark. I figured this would be a good target as I had recently done some work modifying the Wireshark source code and had some idea of how it worked.

Reverse Engineering Binary Protocols to Create IPS Signatures

The purpose of this article is to demonstrate some tools and techniques used in reverse engineering binary protocols from packet captures, and in using the discovered fields and commonalities to create IPS signatures. I decided to write this article as there seemed to be limited information regarding protocol reverse engineering from network traffic, and I figured this could be a good resource for people looking to learn more about the process.

CVE-2018-1160 Writeup

CVE-2018-1160 is an out-of-bounds write in Netatalk versions prior to 3.1.12. It was disclosed by Jacob Baines of Tenable, who also did a great writeup on this vulnerability that really helped in my investigation into how it works and how to exploit it. Netatalk is an open source implementation of AFP, a file control protocol specifically designed for Mac-based systems. AFP uses DSI as a session layer protocol to establish new sessions between the client and server.

QEMU Escape CTF Writeup

This writeup will demonstrate my analysis and solution of the X-NUCA 2019 qemu escape CTF challenge. For those interested in following along or attempting the challenge themselves, the archive can be found at vexx.zip

Initial Analysis

After extracting the archive, we are presented with the following files. launch.sh is of interest here as it includes specific arguments for running this version of qemu, including a reference to a custom device named vexx.

CVE-2021-33913 Analysis

CVE-2021-33913 is a heap-based buffer overflow that takes place in the SPF macro expansion process of the open source SPF library libspf2. According to the project website, libspf2 is used by systems such as Sendmail, Postfix, Exim, Zmailer, and MS Exchange. This vulnerability was discovered along with CVE-2021-33912 by security researcher Nathaniel Bennett, who provided some details in a blog post: https://nathanielbennett.com/blog/libspf2-cve-jan-2022-disclosure along with a patch to fix both issues: https://github.