va_start research

Tl;dr: I found a privilege escalation 0day (CVE-2019-12181) in the Serv-U FTP Server through command injection.

POC code available here
Target 🎯 I searched for a program that isn't too niche and market specific that it hasn't had time to develop its security. Yet, I didn't want to commit long months of research to find a vulnerability in an extremely popular program that has already been reviewed by many security researchers. I came across Serv-U FTP Server from shodan and decided to pursue this target after seeing the respectable number of over 168,000 instances running worldwide exposed to the Internet.

As its name suggests, Serv-U FTP Server is an FTP server; but it also has a web interface for easy file management and a web admin interface.
Serv-U is available both for Linux and Windows. On Linux, the ftp server is a SUID executable and runs as root. Therefore, even an attack that can only be executed locally is still a threat as it will give the attacker…

I often take breaks from vulnerability hunting, and occasionally I find myself doing some really random things.

For example, I stumbled across this poster and decided to make a version of my own. I wanted to make one that is slightly more offensive so that it can be gifted to a good friend. Here is the final result:

I used this image by PTNorbert with its free commercial license

In this post I compiled all the popular vulnerability research tools. In each category I first listed the tool(s) I personally use, and then followed with alternatives. I do not encourage pirating but all of the payed programs can be found on pirate websites.
Disassemblers and Reverse Engineering Tools Disassemblers decode machine instructions in binary into their readable assembly representation. The following programs have evolved beyond simple disassembly to become full platforms for reverse engineering with features such as custom symbol naming, graphically viewing code flow, and listing references in the assembly to functions and data. The more advanced tools also support decompilation which is the process of converting the assembly into higher level code such as C or C++.
IDA Pro Costs around $2000 for a license with multiple decompilers (free trial available)  A limited feature freeware version is available here.Supports decompiling~170 community sourced plugins hereMy persona…

The value in an uninitialized variable is one of: zero, a compiler dependent value (such as 0xCC's in visual studio), or data previously stored in that memory location (old data).
Types of Uninitialized Variables And Their Values Classic C/C++ Uninitialized Stack Variables The classic type of uninitialized variables are local function variables written in a low level language (such as C/C++). You would think when these variables are left uninitalized they would simply save the last value they were give. However, there is a catch: when code is compiled in debug mode, the compiler may inject its own code that initializes empty variables to a default value.
This is done to protect against vulnerabilities (more on this later), and to more easily detect bugs by giving the variable a bogus value that can be easily identified as uninitialized if it is for example printed to the screen.

Below, a  program compiled with Visual Studio in debug mode prints an uninitialized variable. Code c…

Refer to this page any time there's a vulnerability related term you want to better understand.
ASLR Address Space Layout Randomization. An exploit mitigation that randomizes the loading address of modules in memory to harden the system against exploits that depend on known memory addresses.
In Linux, the address of the heap, stack and external libraries is randomized.
In Windows the address of the code, heap, and stack is randomized. External libraries (DLLs) are randomized once when loaded, but their address is the same between separate processes.

Authentication Bypass A vulnerability that permits unauthorized users to bypass authentication and reach a protected resource or interface that would otherwise require authentication. Occasionally used as part of an exploit chain.

Brute-Force A methodology used to solve for an unknown value by exhausting all the possible options. Most commonly used as a password guessing technique, but can also be used to break ALSR by guessing the ra…

tl;dr In the broadest sense, a software vulnerability is a flaw that allows the vulnerable system to perform unplanned actions. Examples of the results of these unplanned actions include, sensitive information disclosure (example), denial of service (DOS) (example), authentication bypass (example), and most dangerously, full takeover of a system (aka RCE) (example) by a malicious attacker.
Formal Definitions According to ENISA (European Union Agency for Network and Information Security) a vulnerability is, "The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event" (reference).

According to  NICCS (National Initiative for Cybersecurity Careers & Studies) a vulnerability is, "Characteristic of location or security posture or of design, security procedures, internal controls, or the implementation of any of these that permit a threat or hazard to occur" (reference).

The definition I use defines a vulnerab…