qwijibow 0 Report post Posted July 19, 2005 Notice from qwijibow: People who have completed this challenge.....------------------------1: Jipman. no exploit / arbitary code execution, but managed to smash the stack, and "make the server do somthing its not supposed to" whiich counts CONSOLE C:\>date_server_win32 < haxWelcome to DATE server 0.1This server accepts the following commands [HELP, GET_DAYS, QUIT]COMMAND> the command 'QUIT' closes the connection and exitsC:\> -------------------------- Hey guys, in this challenge, you run a pretend server which i have delibratly programmed with a common securety hole. (an unchecked buffer)for securety of your home computer, this server does NOT really listen on the network for connections,it uses stdin stream.run the pretend server program, the porgram will act like a server that you have just telnetted into with the added advantage that the server reads the input as binary. (normally you cannot snd binary data (payloads) through telnet, and most windows machine dont have netcat installed).the server is a date server. here is an xample session....Welcome to DATE server 0.1This server accepts the following commands [HELP, GET_DAYS, QUIT]COMMAND> helpThis server gives the number of days in any given month for the year 2005give the command 'GET_DAYS june' to return the number of days in junethe command 'QUIT' closes the connection and exitsCOMMAND> get_days january31 days !!!COMMAND> get_days fooERR> unknown month, did you spell it correctly ???COMMAND> foooCOMMAND> get_days febuaryERR> unknown month, did you spell it correctly ???COMMAND> get_days february28 days !!!COMMAND> quitThankyou for using this service, goodbye Your mission, is to hack this server and make it do somthing that it shouldnt. (other than crash, crashing this server is waaay too easy)for example, make the server spawn a DOS prompt.. but anything will do... if you can make it output "hello world" for example, that will count as a sucessfull hack.you will probably need a compiler/debugger and a hexeditor.once you have generated your payload/viral code, you can send it to the server lwith a pipe...for example... echo $viral_code | date_server.exe, or cat payload.bin | date-serverthis is a very difficult challenge, but you have the added advantage of bein able to examine the server program and sorce code.downloads:Download source code... http://forums.xisto.com/no_longer_exists/Download server for windows... http://forums.xisto.com/no_longer_exists/Download server for Linux 32bit... (AMD / Intel) http://forums.xisto.com/no_longer_exists/Download server for Linux Athlon64... http://forums.xisto.com/no_longer_exists/GOOD luck.i will be VERY surprised if more than one or 2 people manage this.to prove you suceeded with this challenge you must provide the payload file and specift which of the above 3 servers it works on... OR if you used the source code to compile your own server, you must provide that aswell as the payload.just to make this completely clear,, you cannot alter the source code ! but you can re-compile it (with different flags if you wish, linux versions have been compiled with --debug option already (aswell as -O2 optimisation)ohh, and a hint.. you may want to google for things like "Smashing the stack for fun and profit"knoledge of c++ gdb and maybe a little assembly may be usefull.. but are not neccesserily needed. Share this post Link to post Share on other sites
jipman 0 Report post Posted July 19, 2005 This one is reaaaaally cool, im gonna get this one, even if this is the last thing I do :)edit: , gotta brush up my C++ skills and read some Smashing the stack literature ..... This is going to take a while Share this post Link to post Share on other sites
Cross Road Designs 0 Report post Posted July 19, 2005 this is harder than it seems Share this post Link to post Share on other sites
moonwitch1405241479 0 Report post Posted July 19, 2005 qwijibow,I don't know HOW to do this. But by the Gods and Godesses, I WILL FIND IT. But for myself I'll go use the 64 bit linux LOL. I don't know why, but I always have issues in text based stuff in windows, and in Linux it just is there in me LOL.Oh, don't you use Gentoo LOL I downloaded it but still gotta install. Share this post Link to post Share on other sites
qwijibow 0 Report post Posted July 19, 2005 you dont need to install, just gunzip it and execute.it only uses the STD libraries cstdio istream and string, it whould work on any linux distro.(you may need to make the file executable first with chmod +x ./date_sever*.bin)like i said, you can find a step by step guide on how to do this by reading the article "smashing the stack for fun and profit"the article even provides shellcode, the hard part is finding the address of the return pointer, and overwirting it with the correct address, finding the correct offsets, etc etc.If you think this is hard, imagine how hard it is to write buffer overflows for closed source applications like Microsoft windows RPC. (like MSblaster uses)Like i said, this is a very difficult challenge (unless you know the black art of assembly programming)If you have trouble running the linux binary's let me know and i will upload some statically linked ones (guaranteed to work on any linux kernel, even if glibc is missing)or just compile yourself...g++ ./main.cpp -o ./date_servermaybe this will be easyer if you turn optimisation off with -O0 as a g++ command... lol.anyways, i only rite hard hacking challenges, i was almost not going to provide the source code, but i like the way the first clue on how to do it is on line 5 #######################################################EDIT:For you linux users who want to make this even more realistic, and make this pretend server act *almost* like a real server, grab netcat http://netcat.sourceforge.net/the command... netcat --tcp --listen --local-port=6660 --exec=./date_server32.bin will make date server listen on port 6660 of your local computer, (make sure 6660 is firewalled, just in case)you can then connect to the date server with either ten#lnet or netcat..telnet 127.0.0.1 6660netcat --tcp 127.0.0.1 6660echo $PAYLOAD | netcat --tcp 127.0.0.1 6660netcat --tcp 127.0.0.1 6660 < payload_file.hex /EDIT ################################################## Share this post Link to post Share on other sites
jipman 0 Report post Posted July 21, 2005 I just want to make sure I understand this right. We're supposed to type input string at the COMMAND > prompt that makes the server does something cool? Right???Anyway, I did found out that the program kills itself if you enter anything longer than 47 characters, that would mean that the return adress is overwritten causing the program to halt doesn't it? Could you give a hint though on what tools to use for finding return adresses? do you think that ollydbg does the job? Share this post Link to post Share on other sites
qwijibow 0 Report post Posted July 23, 2005 google for smashing the stack for fun and profit.all the nfo you need is there.you need a dis-assembler / debugger (gdb for linux or the windows alternative)and a hex-editor to create the payload file.you have already managed to sucessfully smash the stack with a random return address (thus the segfault crash)I would recoment creating a payload file containing byts starting from 0, and up to 255 with a hex editor.then use a debugger (gdb) run through the program execution one step at a time, the step before it crashes, have a look in the cpu register holding the jump to address, if for example the return address has been over written by 45464748 then you know that the return adress (has ben over written by 4 bytes starting from the 46th byte of the payload file.then you would need to work out where you want the program to jump too (maybe the start of the buffer, maybe an address of an envoronment variable holding some executable code.. work out the offsets, and generate a rea payload..good luck.[EDIT] We're supposed to type input string at the COMMAND > prompt that makes the server does something cool? Right???not exactly, since you cant TYPE machine code, i would recomend you use an assembler (or a c compiler) to make some binary code, save it to a file, and add it to you buffer overflow code with a hex-editor, then pipe the data to the server, will be much easyer that yping it all out.date_server32 < my_payload_file.hex Share this post Link to post Share on other sites
jipman 0 Report post Posted July 23, 2005 [spam] I got it I got it[/spam]I think i got it, pm'ed you about the payload, it's for windows though, sorry that I made you boot it again. Share this post Link to post Share on other sites
jipman 0 Report post Posted July 23, 2005 Oh.. Here is some info on HOW i think I did it.after reading the article about "smashing the stack for fun and profit", I realized that you have to overflow the buffer and overwrite some sort of 'return adress', if i'm not wrong that adress is where the program will go back to after executing a (certain?) function. Anyway, I just kept trying entering long input strings to find out when the program crashed, which indicates that you overwrote the adress (The chances are that you accidently enter a existing adress are almost equal to zero btw. since you can't enter the NULL character from the keyboard).You can enter anything you want, i just used x'es.like xxxxxxxxxand so on untill the program crashes after I found out about the number of x'es it takes to have the program crash I got myself a debugger -> OllyDbgThis program allowed me to see which memory adresses the program tried to read, also when it crashes due to the overwritten adress. It showes WHICH adress it tried to find AND I used it to find a valid adress I could use for the 'proof-of-concept'. Since valid adresses usually contain NON printable characters, line-feeds etc etc. I got myself XVI32, a nice freeware hexeditor to create those characters with.After creating a payload file (file where you store the string you want to use for input) I used a pipe to have the program use the file for the input.eg. date_server_win32.exe < input.txtIf you did it right, the server should now popup and do something weird. Share this post Link to post Share on other sites
etan 0 Report post Posted July 26, 2005 Ok i got pretty far I just dont know how to load my file into the server. I tried something than windows said it needed to close does that count lol? Share this post Link to post Share on other sites
qwijibow 0 Report post Posted July 26, 2005 Ok i got pretty far I just dont know how to load my file into the server. I tried something than windows said it needed to close does that count lol?Nope.. crashing the server is waaay to easy.The first thing to do, is make sure you are sucessfully overflowing the return pointer.load the program into your debugger (i recomend gdb) and run the program with some test date, maybe 100 'A' characters.if you have sucessfully overwritten the return pointer, the return pointer will hold the hexidcimal number 0x45454545 (0x45 hex is 65 dec (the ascii code for A)you can get a print out of the cpu registers at crash time with the command "info registers" the return pointer is stored in the EBP register.next, when you know your sample stream is long enough to overwrite the return pointer, and is doing so sucessfuly, you should work out at exactly what address in your buffer is over wrting the return popinter..example program...for (unsigned char n=0; n < 10; n++) { Â Â cout << c;}// server takes char 10 as end of stream.. miss it out.for (unsigned char n=11; n< 256; n++) { Â Â cout << n;} compiled as "test_buffer" and run "test_buffer > payload"now pass the payload to the server, and have a look at what numbers have overflowed into the EBP register.you can use this to work out where you need to place the buffer's address (once you find it)REMEMBER... in the stream, the address is read backwards... so to overflow the address 0xdeadbeef you would need to enter 0xefbeaddeThat is the first third of this challenge....the second third is to generate some shellcode.. you can either download pre-compiled shellcode... or you can compile your own, and extract the nessesery parts with the dissasembles "objdump".. for exmaple, compile a function that simply runs the command "execve(command.com)" compile it, extract the shell code, and insert to the start of your buffer.the final part of the challenge, is to find the address of the buffer in the stack...then your final exploit payload will be......<--some nop's to increace chance of hitting correct address-> <-- shell code--> <-- padding --> <-- stack address of buffer -->The shellcode can be anything you like, most impressive would be shellcode that spawns a dos prompt.. but you may stuggle for space... maybe add "exit(0)" to make the program exit cleanly... maybe make it output "hello world"i found anouther guide if there are still people having trouble with this...http://forums.xisto.com/no_longer_exists/OHHHH..and, adfter trying to hack the linux versions myself and failing... i realised i compiled them with my hardened compiler, (that relocates the stack, making stack overflows MUCH more difficult)so use the windows version, this is still vunerable.i will try to re-compile the linux versions without the stack protection.OOPS.... as far as im aware, you have all been using the windows server right ??LOL.enjoy. Share this post Link to post Share on other sites
iGuest 3 Report post Posted July 30, 2005 Hey qwijibow,A's hexidecimal value is 41 rather than 45.I was thinking of compiling an unpatched kernel to do this under Linux, but wouldn't that destroy the purpose?What I notice on Fedora Core 4. I can't overwrite the return address (EIP), so I thought about return into libc exploit, but again, I'm faced with NULL being the most significant bit then the case of random localisation of the memory address which isn't hard since it's commonly only 3 characters out of the address that change which means brute forcing it will definitely get it correct one way or another, but I'm still left with NULL being the significant bit which stops me in my tracks and the fact I still can't overwrite the return address.Lets see if Windows XP Pro SP2 still fails against this.MC Share this post Link to post Share on other sites
qwijibow 0 Report post Posted July 30, 2005 I tried to upload the vunerable linux version of the server, but it seems that Xisto FTP server is down.i have attached it here.OR you can compile your own version provided you have an UN-hardened version of GCC.The version attached here is vunerable to buffer overflows, and i have tested it myself.Easy :)Although the type of attack you can sucessfully use is limited by the 20byte buffer.Maybe i should allow people to re-compile with a bgger MAX constant... Share this post Link to post Share on other sites
iGuest 3 Report post Posted August 3, 2005 After many miserable attempts on Linux, which is good news for my system but bad news for my results. I tested Windows XP Pro SP2 and shock horror, it "could be possible" to exploit. Quoting could be possible because I've only seen the result of the overflow, they may have some countermeasures in which case I have not attempted to check.I will try to write a complete beginners guide to exploit development, I prefer Linux, but in this case, I will have to settle with Windows due to the fact, I couldn't exploit my own system, even tested easier vulnerable programs than the one above and still failed.There's quite a few tools we will need for this, I may need to provide binary/source code for some of the tools I created to find specific addresses we needed, so I will provide that as well as my way for loading our shellcode. I will try to cover all areas needed, from the basics of understanding the program at a low level (assembly) language, some calculations that maybe needed to determine stack size (so you know the right amount of bytes to overflow by), I will even explain writing Windows Shellcode preferably XP (since that's what I run) but I will try to explain how you can write your own, since it's likely OS dependant. After writing the shellcode, if we don't have room on the stack, we will need another method of loading it, in which I will explain too, since that's what we got to do with the above. There will be things that I can't explain in which you will need to read more to it, but the things I want to explain are things that aren't well explained to people starting out in this, especially shellcode writing for your own system. So please do ask those questions, since it's the only way to provide better answers and the end result means everyone will have a better understanding (hopefully).It won't be long till I release it, since I'm writing the guide as well as doing the outlinedtask it'll take longer than expected, but at least you should be able to attempt it and have similar results. I will probably also explain theoritically how it use to work in Linux, since this was where I first learnt exploit development, yet Linux security just improved vastly, that you need more than one mind to overcome the obstacles, it's really needs various input for methods that may or may not work.If I do encounter problems exploiting it, then I may just write a guide not based on the above vulnerable program, just a general guide that will give people better understanding.Cheers,MCP.S.I should add what we need:If you don't have Visual C++ then get Dev-Cpp or if you're comfortable with gcc/gpp/g++ then that will do but you require the windows.h header file.gcc, perl, gdb, ld, objdump, nasm, vi (or any text editor you prefer)I use MinGW with MSYS which has a majority of these tools, cygwin however can get you all of these tools and would probably be better in this case but it's up to you, what you use.I hope I haven't missed anything out, but if I have I'll update the list. Share this post Link to post Share on other sites
qwijibow 0 Report post Posted August 3, 2005 Cool !!!If it helps, i had a little sucess exploiting the linux server i re-compiled and attached to post lucky 13 http://forums.xisto.com/topic/79638-topic/?findpost=in Knoppix 3.3.Knoppix 3.3 was compiled with a un-hardened GCC 3.2 (i used knoppix 3. to compile the above program)Assuming you are going to put the shellcode into the buffer, Part of the problem here is guessing the address of the stack.with such a tiny buffer (20 bytes) there is virtually no space for padding with NOP'sJust to test that the server linux server (on knoppix) IS infact hackable i re-compiled with a buffer of 2048 bytes, with shellcode borrowed from "smashing the stack for fun and proffit"With just under 2Killobytes of padding NOP's at the start of the buffer, it was pretty hard to miss, and a bash session was spawned.I would appreciate a tutorial though, i understand a little about assembly / shellcode / buffer overflows, but not quite enough to do this 100% on my own.for example, i can generate shellcode by compiling the exploit as c++, and extracting the correct compiled function with objdump, but the tequniquw of adding a jmp call the the start, and a back call the the end to switch to "relative addressing mode" just goes wwaaaay over my head.If i write anouther challenge, ill have to make it harder, your too good at this Share this post Link to post Share on other sites