Hacking Competition Past Problem Walkthroughs (CODEGATE 2012/2013, DEFCON 20). KAIST GoN: 김은수 (hahah), 이유진 (soma), 김동관 (Dkay)
THIS TALK IS ABOUT... CTF tips =) Problems from CODEGATE 2012/2013 and DEFCON 20. CODEGATE: pwnable and binary, in particular the fun ones that were relatively close to the real world! DEFCON: pwnable, binary, grab bag. Domestic CTFs and overseas CTFs.
WE ARE! KAIST's slacker hacking and security club. We take part in various CTFs: DEFCON, CODEGATE, SECUINSIDE, HDCON. A participating club of the university hacking conference INCOGNITO; we also run club seminars and CTFs. 2012 INCOGNITO, 2012 DEFCON finals, 2011 CODEGATE finals.
REAL WORLD VS CTF APT? Breakthrough?
WHY CTF? A chance to encounter problems from many different fields. They reflect current security issues. A free training zone. Just for fun!
HOW TO SOLVE? Figuring out the problem setter's intent is what matters. There is a way through, but most of the paths are dead ends.
TIPS FOR PWNABLES: the usual bug sources: strcpy, memcpy, gets, printf, integer overflow, uninitialized values.
TIPS FOR PWNABLES: the many ways to take control of code flow: return address + ROP, fake SFP (saved frame pointer), function pointers (GOT, structures)... Make the exploit!
TIPS FOR PWNABLES: shellcode: Metasploit or handmade shellcode, chosen to fit the situation: reverse telnet, read a file, encoded.
TIPS FOR BINARIES: reverse engineering: focus on the parts related to the key: message boxes, file I/O, network connections.
TIPS FOR BINARIES: set up systems for many environments ahead of time: Windows XP, Linux x86 / x64, ARM (Android), iOS (iPhone), SPARC.
TIPS FOR WEB: SQL injection is more than half of the web problems. Filter bypass: cheat sheets; admin can be written as char(97,100,109,105,110) or 0x61646D696E. Blind SQL injection with sleep(), which works inside INSERT statements too!
TIPS FOR WEB: web programming languages: php, jsp, asp. File upload: webshell. File download: source code leakage.
START FROM THE PREQUALIFICATION FOR CODEGATE!
CODEGATE 2012/2013: problems from the CODEGATE 2012/2013 prequalifiers: 2012 binary300, 2013 vulnerability400, 2013 binary300. CTF problems, but ones built around realistic vulnerabilities.
CODEGATE 2012 BINARY300: attacks using botnets, such as the 7.7 DDoS, were a hot issue. zombie.exe, ominous from the name alone. drcw.ziq, an encrypted file presumed to hold the targets zombie.exe will attack. The binary is also packed, so unpacking is needed: run it in OllyDbg, dump it, and open the dump in IDA. Find a routine that looks like it opens a file and examine that function (401DE0). Use the import table information that remains in OllyDbg after the process has exited to identify the functions that routine loads.
CODEGATE 2012 BINARY300 (CONT'D): the file-opening part: presumably drcw.ziq. The dump taken from OllyDbg can be opened in IDA. Since the dump has no import table, reading the function names off OllyDbg and annotating them makes the reversing much easier.
CODEGATE 2012 BINARY300 (CONT'D): it compares the first byte with 0x01, then the next 4 bytes (dword) and the next 2 bytes (word) against specific values. It loops as many times as the value located at offset 9. It decrypts the file contents it read using the function at 0x4022b0.
CODEGATE 2012 BINARY300 (CONT'D): that function decrypts by xoring the data arg1 points to with arg3, repeated arg2 times. The information recovered by reversing the encrypted drcw.ziq attached to the problem contains the attack targets, port numbers, number of attacks and so on. A problem adapted from a binary actually used in botnets!
CODEGATE 2012 BINARY300: a problem much like analyzing the binaries used in cyber-terror attacks that mobilize real botnets, such as DDoS. Packing makes the reversing hard, and the file holding the commands is encrypted so it is not easy to analyze either. (Not directly relevant to solving the problem, but) the binary actually contained a command that wipes the hard disk. Similar to the malware used in the 7.7 DDoS. Wow, it looks real!
CODEGATE 2013 VULN400: connecting to the daemon shows that you can register book information, read it, and add replies. Looking through the functions, add_reply has something odd: it never initializes the constructor and destructor pointers, so when malloc carves out space for the struct on the heap, whatever garbage was already in that heap memory stays in those fields.
CODEGATE 2013 VULN400 (CONT'D): it is not that initialization never happens: on deletion, if the book information has not been modified, the ctor and dtor are fixed up. Why?! But what if the book information gets registered while content the attacker chose is sitting in the heap?
CODEGATE 2013 VULN400 (CONT'D): if the attacker registers a book whose content is stuffed with the desired function addresses and then deletes it, that data stays on the heap. When a book is registered again, every reply mallocs a chunk, and a function address left behind on the heap can end up as that reply's ctor or dtor. On the re-registered book, add a reply and then edit the post once -> the dtor is not set correctly when the book is deleted. Delete the book -> the replies under it are deleted, and when their dtor is called, the function planted at malloc time runs instead. Wait, keep this in mind!
CODEGATE 2013 VULN400 (CONT'D): let's make an exploit ;-). Needed: the address of system() in the .plt and the address of the reply dtor. Write one post: fill its content with those addresses (the normal dtor + system()), add enough replies that deletion is possible, then delete it. Write a new post: this time, when adding a reply, put the string that will become system()'s argument in the comment, edit the post, then delete it.
CODEGATE 2013 VULN400: book and reply are structs, so the crux of analyzing the binary is recognizing the struct layouts. An uninitialized function pointer gives arbitrary control over code flow and lets the attacker run whatever function they want. Very similar to real vulnerabilities that come from small coding mistakes.
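The bug class behind VULN400, as an added example that is not the challenge binary's code: a reply struct whose ctor/dtor pointers are never written, allocated from a chunk that a deleted book's content previously occupied. The field layout, the tiny first-fit arena (which stands in for the real allocator's habit of handing back a freed chunk without clearing it, so the reuse is deterministic here), and the planted() stand-in for system() are all assumptions made for the example; the "edit the post once so the cleanup path skips the fix-up" detail from the talk is folded into delete_reply simply calling whatever dtor the struct holds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef void (*fn_t)(void);

/* Reply record as the talk describes it: a constructor and destructor pointer
   followed by the comment text. Field order and sizes are assumptions. */
struct reply {
    fn_t ctor;
    fn_t dtor;
    char comment[32];
};

/* One chunk can be viewed either as a reply or as the raw pointer array a
   book's content was written into; the union makes the overlay explicit. */
union chunk {
    struct reply r;
    fn_t slots[sizeof(struct reply) / sizeof(fn_t)];
};

/* Minimal first-fit arena that, like the real allocator, does not clear a
   freed chunk before handing it out again. It replaces malloc/free so the
   reuse is deterministic in this example. */
static union chunk arena[4];
static int in_use[4];

static union chunk *chunk_alloc(void) {
    for (int i = 0; i < 4; i++)
        if (!in_use[i]) { in_use[i] = 1; return &arena[i]; }
    return NULL;
}
static void chunk_free(union chunk *c) {
    in_use[c - arena] = 0;            /* contents deliberately left in place */
}

/* Stand-ins for system() and for the legitimate reply dtor. */
static int planted_calls;
static void planted(void) { planted_calls++; }
static void reply_dtor(void) {}

/* Vulnerable add_reply: ctor/dtor are never written, so whatever the chunk
   held before becomes the function pointers. */
static struct reply *add_reply_vuln(const char *comment) {
    union chunk *c = chunk_alloc();
    if (!c) return NULL;
    strncpy(c->r.comment, comment, sizeof c->r.comment - 1);
    c->r.comment[sizeof c->r.comment - 1] = '\0';
    return &c->r;
}

/* Fixed add_reply: every field is set before the object is ever used. */
static struct reply *add_reply_fixed(const char *comment) {
    union chunk *c = chunk_alloc();
    if (!c) return NULL;
    memset(&c->r, 0, sizeof c->r);
    c->r.ctor = NULL;
    c->r.dtor = reply_dtor;
    strncpy(c->r.comment, comment, sizeof c->r.comment - 1);
    return &c->r;
}

static void delete_reply(struct reply *r) {
    if (r->dtor) r->dtor();           /* the planted pointer fires here */
    chunk_free((union chunk *)r);
}

/* The two-step sequence from the talk: (1) register a book whose content is a
   run of function addresses and delete it, (2) create a reply, which lands on
   the stale chunk, and delete it so its dtor runs. Returns how many times the
   planted function ran. */
static int run_scenario(int fixed) {
    planted_calls = 0;
    memset(in_use, 0, sizeof in_use);

    union chunk *content = chunk_alloc();          /* the book's content block */
    for (size_t i = 0; i < sizeof content->slots / sizeof content->slots[0]; i++)
        content->slots[i] = planted;               /* "lots of function addresses" */
    chunk_free(content);                           /* book deleted, bytes remain */

    struct reply *r = fixed ? add_reply_fixed("arg") : add_reply_vuln("arg");
    delete_reply(r);
    return planted_calls;
}

int main(void) {
    printf("vulnerable add_reply: planted function called %d time(s)\n", run_scenario(0));
    printf("fixed add_reply:      planted function called %d time(s)\n", run_scenario(1));
    return 0;
}
```

The fix is not a clever allocator trick; it is writing every field of a freshly allocated object before it can be used, which is exactly what the challenge's add_reply skipped. calloc() or a memset() right after malloc() gives the same guarantee against stale heap data, but setting the dtor explicitly also documents what the correct value is.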
CODEGATE 2013 BINARY300 STEP 1: on launch it suddenly asks for a password, spits out an error message and exits. Reversing it, DialogFunc checks the password and then calls 0x402770, a routine that opens its own executable and xors everything from a certain offset with 0xCA. Let's do the same! There's an .exe inside, so pull it out.
CODEGATE 2013 BINARY300 STEP 2: it didn't run, so after checking, fix the PE header and run it. LOL, it's EZ2DJ! The problem author is awesome.
CODEGATE 2013 BINARY300 STEP 2: enough playing, let's reverse. 0x402D10 reads 5 input keys and a difficulty of 1~3. There was a decoy archive embedded in the middle, but that wasn't the answer either. Look at the notes! The function that generates the notes is 0x401B80 (renamed makeNotes).
CODEGATE 2013 BINARY300 STEP 2: a switch runs on the input difficulty. Besides 1, 2 and 3 there is a case 4. Unlike 1, 2 and 3, which scatter notes randomly, 4 reads fixed values from 0x416E30 and lays those out. main rejects difficulty 4 as invalid input and exits. Code it up to save and lay out only that part.
CODEGATE 2013 BINARY300: brought along because it's a fun binary ;-) Rhythm games are great. No sound, obviously, but kudos to the author for implementing a rhythm game on the console.
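Both the 2012 binary300 (header check, then the xor loop at 0x4022b0 over drcw.ziq) and step 1 of the 2013 binary300 (xor with 0xCA from an offset in its own image, then carve the executable) come down to the same byte loop. The example below is added here and is not the challenge code: the header constants, the one-byte width of the counter at offset 9, the body starting at offset 10, the 2012 key, and the sample inputs are all assumptions or constructed data, since the real values are not on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shape of the routine at 0x4022b0 in zombie.exe: xor `count` bytes at `buf`
   with a one-byte key. The same loop with key 0xCA is what the 2013 binary
   runs over its own image. */
static void xor_bytes(uint8_t *buf, size_t count, uint8_t key) {
    for (size_t i = 0; i < count; i++)
        buf[i] ^= key;
}

/* drcw.ziq layout as the talk describes it: byte 0x01, a dword and a word that
   must equal fixed values, and a loop counter at offset 9. The constants, the
   one-byte counter, the body offset and the key are assumptions for this
   example. Bytes 7 and 8 are not checked. */
#define ZIQ_TAG          0x01
#define ZIQ_MAGIC_DWORD  0x57434452u  /* assumption */
#define ZIQ_MAGIC_WORD   0x5149u      /* assumption */
#define ZIQ_COUNT_OFF    9
#define ZIQ_BODY_OFF     10

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16le(const uint8_t *p) {
    return (uint16_t)(p[0] | p[1] << 8);
}

/* Validate the header and decrypt the body in place. Returns the number of
   decrypted bytes, or -1 on a malformed file. Every read is bounded by `len`,
   so a short file or an oversized counter cannot walk off the buffer. */
static long ziq_decrypt(uint8_t *file, size_t len, uint8_t key) {
    if (len < ZIQ_BODY_OFF) return -1;
    if (file[0] != ZIQ_TAG) return -1;
    if (rd32le(file + 1) != ZIQ_MAGIC_DWORD) return -1;
    if (rd16le(file + 5) != ZIQ_MAGIC_WORD) return -1;
    size_t count = file[ZIQ_COUNT_OFF];
    if (count > len - ZIQ_BODY_OFF) return -1;
    xor_bytes(file + ZIQ_BODY_OFF, count, key);
    return (long)count;
}

/* 2013 binary300, step 1: copy everything from `offset`, xor it with 0xCA and
   accept the result only if it begins with the "MZ" signature. The caller
   owns the returned buffer. */
static uint8_t *carve_xor_pe(const uint8_t *image, size_t len, size_t offset,
                             size_t *out_len) {
    if (offset >= len) return NULL;
    size_t n = len - offset;
    uint8_t *out = malloc(n);
    if (!out) return NULL;
    memcpy(out, image + offset, n);
    xor_bytes(out, n, 0xCA);
    if (n < 2 || out[0] != 'M' || out[1] != 'Z') { free(out); return NULL; }
    *out_len = n;
    return out;
}

/* Constructed samples (not real challenge data) so the file runs offline. */
static int demo_ziq(void) {
    /* header, two unchecked bytes, count = 5, then "hello" xored with 0x33 */
    uint8_t f[] = { 0x01, 0x52, 0x44, 0x43, 0x57, 0x49, 0x51, 0x00, 0x00, 0x05,
                    'h' ^ 0x33, 'e' ^ 0x33, 'l' ^ 0x33, 'l' ^ 0x33, 'o' ^ 0x33 };
    return ziq_decrypt(f, sizeof f, 0x33) == 5 && memcmp(f + ZIQ_BODY_OFF, "hello", 5) == 0;
}

static int demo_ziq_bad_count(void) {
    /* same header, but the counter claims more bytes than the file holds */
    uint8_t f[] = { 0x01, 0x52, 0x44, 0x43, 0x57, 0x49, 0x51, 0x00, 0x00, 0x09,
                    'h' ^ 0x33, 'e' ^ 0x33 };
    return ziq_decrypt(f, sizeof f, 0x33) == -1;
}

static int demo_carve(void) {
    /* 4 bytes of host-program junk, then "MZ\x90\x00PE" xored with 0xCA */
    uint8_t img[] = { 0xAA, 0xBB, 0xCC, 0xDD,
                      'M' ^ 0xCA, 'Z' ^ 0xCA, 0x90 ^ 0xCA, 0x00 ^ 0xCA, 'P' ^ 0xCA, 'E' ^ 0xCA };
    size_t n = 0;
    uint8_t *pe = carve_xor_pe(img, sizeof img, 4, &n);
    int ok = pe && n == 6 && memcmp(pe, "MZ\x90\x00PE", 6) == 0
             && carve_xor_pe(img, sizeof img, 0, &n) == NULL;
    free(pe);
    return ok;
}

int main(void) {
    printf("ziq decrypt: %s, oversized counter rejected: %s, PE carve: %s\n",
           demo_ziq() ? "ok" : "FAIL", demo_ziq_bad_count() ? "ok" : "FAIL",
           demo_carve() ? "ok" : "FAIL");
    return 0;
}
```

The bound check on the counter is the part a CTF-speed reimplementation usually drops; for a file format taken from real malware it is worth keeping, because a crafted drcw.ziq with a large counter would otherwise read past the buffer in your own tooling.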
START FROM THE DEFCON 20 PREQUALIFICATION!
GRAB BAG 100
START PREQUAL! Q: _!
HACK THE PLANET!
HISTORY 2006: Trivia 100: Hack the 2007: 100: the planet 2008: defcon ctf quals 100: Hack planet 2011: Q:.
URANDOM 100
!? Q: How many developers are there in Microsoft?
DEVELOPERS! 40+12+16+4+80 = 152 Developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers developers
GRAB BAG 400 SQL INJECTION
FAKE BANK SITE Q: What is Jeff Moss's checking account balance?
SIMPLE SQL INJECTION: 1 and 1=2 union select ... BOOM!
GET DATA! Get firstname, lastname, username, password, account from the table. username: dtangent password: erl)<qzsxz
URANDOM 400 KINECT
SHIT! 64-BIT, and IDA does not decompile 64-bit binaries into beautiful C code. An open-source SDK for 3D sensing, with several APIs to draw and capture motion.
AXIOM STRINGS FIRST
ROUTINES..Phi, Chi,, Omega you got it, that s all folks
FOLLOW IT Follow the up root for you got it, that s all folks
GET REFERENCE
FOLLOW AGAIN No Reference
SUB_4044F0 MOTION CAPTURE
INSIDE IT M_HANDLER
SUB_4043C0 CHECK HAND-SHOULDER ANGLE: 0xffffffd3 = -45, 0xffffffa6 = -90 (signed 32-bit). Right side angle! Left side.
INSIDE IT M_HANDLER
SUB_4044A0 PERCENT DATA WRITE
THEREFORE M_HANDLER Check motion value Write to Percent data
GET REFERENCE
MOTION VALUE TO CHAR
END OF URANDOM 400
BINARY 400 HAMILTONIAN PATH
WHAT IS IT? The binary seems to be a server.
INPUT MAGIC KEY: first, the server expects several magic keys; the user has to type them before anything else.
INITIALIZATION: the server stores the 5th value in the buffer and uses it as the loop counter. The server initializes registers: r13d = -1, r14 = 0, r15 = 0.
MATH PROBLEM
JUMP TABLE
CHECK VALUE & BIT COUNTER
TODO: to satisfy the bit counter, every number 0 ~ 63 has to be used. Constraint: each of our inputs must be a valid index into the jump table of the previous one.
HAMILTONIAN PATH A path in an undirected graph that visits each vertex exactly once
END OF BINARY 400: the path found: 63 48 54 64 47 62 56 39 24 7 13 3 9 26 41 58 52 42 57 51 61 55 40 46 36 30 15 32 38 53 59 49 34 17 2 19 25 10 4 21 6 16 31 14 8 23 29 44 50 60 45 35 20 5 11 1 18 33 27 12 22 28 43 37
Payload as sent (16 magic-key bytes, then 0x40 = 64 and each vertex of the path minus one, 4 bytes per value):
(perl -e 'print "\x53\x79\x45\x50\x4a\x75\x40\x2c\x03\x81\x8a\x37\xac\xf7\xbc\x51\x00\x00\x00\x40\x00\x00\x00\x3e\x00\x00\x00\x2f\x00\x00\x00\x35\x00\x00\x00\x3f\x00\x00\x00\x2e\x00\x00\x00\x3d\x00\x00\x00\x37\x00\x00\x00\x26\x00\x00\x00\x17\x00\x00\x00\x06\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x08\x00\x00\x00\x19\x00\x00\x00\x28\x00\x00\x00\x39\x00\x00\x00\x33\x00\x00\x00\x29\x00\x00\x00\x38\x00\x00\x00\x32\x00\x00\x00\x3c\x00\x00\x00\x36\x00\x00\x00\x27\x00\x00\x00\x2d\x00\x00\x00\x23\x00\x00\x00\x1d\x00\x00\x00\x0e\x00\x00\x00\x1f\x00\x00\x00\x25\x00\x00\x00\x34\x00\x00\x00\x3a\x00\x00\x00\x30\x00\x00\x00\x21\x00\x00\x00\x10\x00\x00\x00\x01\x00\x00\x00\x12\x00\x00\x00\x18\x00\x00\x00\x09\x00\x00\x00\x03\x00\x00\x00\x14\x00\x00\x00\x05\x00\x00\x00\x0f\x00\x00\x00\x1e\x00\x00\x00\x0d\x00\x00\x00\x07\x00\x00\x00\x16\x00\x00\x00\x1c\x00\x00\x00\x2b\x00\x00\x00\x31\x00\x00\x00\x3b\x00\x00\x00\x2c\x00\x00\x00\x22\x00\x00\x00\x13\x00\x00\x00\x04\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x20\x00\x00\x00\x1a\x00\x00\x00\x0b\x00\x00\x00\x15\x00\x00\x00\x1b\x00\x00\x00\x2a\x00\x00\x00\x24"'; cat) | nc 140.197.217.239 11553
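The search the binary 400 answer requires, as an added example that is not the challenge's server or the team's solver: a backtracking Hamiltonian path search where the visited set is a 64-bit mask, mirroring the server's bit counter, and the allowed steps are the indices a vertex's jump-table row accepts. The 8-vertex graph is constructed for the example; the real instance had 64 vertices whose adjacency you would fill in from the jump table.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAXV 64

/* adj[v] has bit u set when the step v -> u is allowed, i.e. u is a valid
   index in v's row of the jump table. Edges are added in both directions
   because the path is over an undirected graph. */
static void add_edge(uint64_t *adj, int v, int u) {
    adj[v] |= 1ULL << u;
    adj[u] |= 1ULL << v;
}

/* Depth-first search with the visited set kept as a 64-bit mask, the same
   "bit counter" the server checks: success means bits 0..n-1 have each been
   set exactly once along the path. */
static bool dfs(const uint64_t *adj, int n, int v, uint64_t visited,
                int *path, int depth) {
    path[depth] = v;
    visited |= 1ULL << v;
    if (depth + 1 == n) return true;
    uint64_t cand = adj[v] & ~visited;            /* unvisited neighbours only */
    while (cand) {
        int u = __builtin_ctzll(cand);            /* lowest set bit */
        cand &= cand - 1;
        if (dfs(adj, n, u, visited, path, depth + 1)) return true;
    }
    return false;                                 /* dead end: backtrack */
}

/* Try every start vertex. On success path[0..n-1] is the visiting order. */
static bool hamiltonian_path(const uint64_t *adj, int n, int *path) {
    for (int s = 0; s < n; s++)
        if (dfs(adj, n, s, 0, path, 0)) return true;
    return false;
}

/* Independent check of a candidate answer: every vertex used once (mask
   full) and every consecutive pair is an edge. */
static bool verify_path(const uint64_t *adj, int n, const int *path) {
    uint64_t seen = 0;
    for (int i = 0; i < n; i++) {
        if (path[i] < 0 || path[i] >= n) return false;
        if (seen & (1ULL << path[i])) return false;
        seen |= 1ULL << path[i];
        if (i > 0 && !(adj[path[i - 1]] & (1ULL << path[i]))) return false;
    }
    uint64_t full = (n == MAXV) ? UINT64_MAX : (1ULL << n) - 1;
    return seen == full;
}

/* Constructed graph: two 4-cycles (0-1-3-2, 4-5-7-6) joined by the edge 3-4.
   No Hamiltonian path can start at 0, so the search has to fail there and
   backtrack to another start; 1-0-2-3-4-5-7-6 is one valid answer. */
static int demo_solve(void) {
    uint64_t adj[MAXV] = {0};
    int n = 8, path[MAXV];
    add_edge(adj, 0, 1); add_edge(adj, 0, 2); add_edge(adj, 1, 3);
    add_edge(adj, 2, 3); add_edge(adj, 3, 4); add_edge(adj, 4, 5);
    add_edge(adj, 4, 6); add_edge(adj, 5, 7); add_edge(adj, 6, 7);
    if (!hamiltonian_path(adj, n, path)) return 0;
    return verify_path(adj, n, path);
}

/* A star with three leaves has no Hamiltonian path at all. */
static int demo_star(void) {
    uint64_t adj[MAXV] = {0};
    int path[MAXV];
    add_edge(adj, 0, 1); add_edge(adj, 0, 2); add_edge(adj, 0, 3);
    return hamiltonian_path(adj, 4, path);
}

int main(void) {
    printf("constructed graph: %s\n", demo_solve() ? "path found and verified" : "no path");
    printf("star graph: %s\n", demo_star() ? "path found" : "no path (expected)");
    return 0;
}
```

verify_path is the piece worth keeping around: it reproduces the server's two checks (full bit counter, every step a legal jump-table index) locally, so a wrong answer is caught before it is packed into the payload and sent over nc.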
PWNABLE 400
32BIT! +_+
MAIN ROUTINE
GET_DATA FUNCTION BOOM!
SUB_8048C70 - ENCRYPTION
KEY SCHEDULING
RECONSTRUCTION: calculate the key table and simulate it with the shellcode as input. The shellcode must be written as floats!
END OF PREQUAL Some problems are fun. Some probs.
NEW ORGANIZER
DEFCON FINAL ROUND?
CODEGATE AND OTHER CTF GAMES: these are personal impressions from a participant's point of view! ;-) Codegate, SECUINSIDE, ISEC CTF, HDCON: lots of interest and generous support from government agencies; as interest in security grows, the conferences and competitions get bigger and more diverse; serious atmosphere. DEFCON, plaidctf, Ghost in the Shellcode: government interest and sponsorship << a playground for all kinds of geeks; relaxed atmosphere, noisy.
Q&A =)