Archive for June, 2013

Radamsa Fuzzer Extension for Burp Suite

Radamsa is a cool tool that combines a set of fuzzers which generate data based on input string. You can feed it a PDF file for example and Radamsa will produce a bunch of PDF-alike documents that are fuzzed in all imaginable forms. Just see this:

$ echo "test123" | radamsa -n 10
ttestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestestest1
tes.--1
--test170141183460469231731687303715884105728
test4294129
test1
test65660
340282366920938463463374607431768211443t0
-0
test1710618
test-6

Perfect for looking for all kinds of buffer overflows. And this tool can be especially useful combined with Burp Suite, that is why here is quick and dirty extension that enables you to use Radamsa to generate Burp Suite’s Intruder payloads:
Снимок экрана от 2013-06-24 21:25:01
Grab the code here: https://github.com/Raz0r/burp-radamsa

DEFCON CTF 2013 Quals “grandprix” Writeup

This time at DEFCON CTF quals there was a special task category, namely OMGACM or competitive programming. Here is a solution to OMGACM 3 task. We have a remote host that offers to play a race game:

Connected to grandprix.shallweplayaga.me.
Escape character is '^]'.
Use 'l' and 'r' to move. Don't crash.
Press return to start

OK, we send ‘\n’ to start and see a 5×8 track with different obstacles: Read more »