Doubtfully Malignant

Darksonar1 · 05-13-2025, 07:45 AM

DoubtfullyMalignant - BenignCertain DoS PoC

his is a denial of service exploit that targets the NSA/TAO "BenignCertain" exploitation tool, the capabilities which are explained quite well over at Mustafa Al-Bassam's blog post on the topic.

I know, I know, "No More DoS PoC's", however, upon having a more skilled at reverse engineering colleague at Xiphos examine the binary in IDA, it was determined that this bug is probably not exploitable to gain RCE. Either that or we just don't know how to do it

Anyway, I drop this PoC here for you, so you, too, can crash silly NSA toys. And maybe one of you clever folks can figure out what we missed to gain RCE?

Anyhow, how this all works is. You set it up listening on a port.
When bc-id is ran against it, it responds with the crashing data.

For BenignCertain v1100:
BenignCertain v1100 has the parser built into the bc-id tool. If the -p, -c, -u or -P flag is set, which tells it to do parsing, it will crash on receiving the reply. It will also crash if told to read in such a file and analyse it.

For BenignCertain v1110:
This will NOT crash bc-id, however, bc-id will write the data out to a file (serversipaddress.raw and serversipaddress.hex). This is due to the parsing code being split off to bc-parser.
HOWEVER, when the parser (bc-parser) is ran on the created file, it will segfault because it is a hilariously badly coded piece of shit.

05-13-2025, 07:45 AM	#1
Darksonar1 Junior Member Join Date: Nov 2024 Posts: 9	Doubtfully Malignant DoubtfullyMalignant - BenignCertain DoS PoC his is a denial of service exploit that targets the NSA/TAO "BenignCertain" exploitation tool, the capabilities which are explained quite well over at Mustafa Al-Bassam's blog post on the topic. I know, I know, "No More DoS PoC's", however, upon having a more skilled at reverse engineering colleague at Xiphos examine the binary in IDA, it was determined that this bug is probably not exploitable to gain RCE. Either that or we just don't know how to do it Anyway, I drop this PoC here for you, so you, too, can crash silly NSA toys. And maybe one of you clever folks can figure out what we missed to gain RCE? Anyhow, how this all works is. You set it up listening on a port. When bc-id is ran against it, it responds with the crashing data. For BenignCertain v1100: BenignCertain v1100 has the parser built into the bc-id tool. If the -p, -c, -u or -P flag is set, which tells it to do parsing, it will crash on receiving the reply. It will also crash if told to read in such a file and analyse it. For BenignCertain v1110: This will NOT crash bc-id, however, bc-id will write the data out to a file (serversipaddress.raw and serversipaddress.hex). This is due to the parsing code being split off to bc-parser. HOWEVER, when the parser (bc-parser) is ran on the created file, it will segfault because it is a hilariously badly coded piece of shit.