
Security Challenge V

  • 25-08-2011 7:12pm
    #1
    Closed Accounts Posts: 2,267 ✭✭✭


    Ok this is the fifth Security Challenge. It's an exploit-me this time.

    The server is running Security Challenge V v1.0 on Windows XP SP3 (incl. latest updates) and you can find a local copy of the server for analysis attached in this post.
    (For the nervous http://www.virustotal.com/file-scan/report.html?id=2fe6f51e35c2f4d97b2dc2067debc7eab71fd1603ffd6eb5f8b775f7e39856ac-1314294638 [ByteHero] is a false positive. Also http://anubis.iseclab.org/?action=result&task_id=14781ea2369f26a94716a162df92ecee0&format=html. Someone else already submitted here: http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=84747569&cs=69F7D6EBF25A701A3D22969F290F98F7. I can give source code to those still in doubt :-P )

    The exploitable server address is: damo2k.dyndns.org

    There are a few different parts I have suggested for this challenge (although I'm sure you can do other fun stuff if you use your imagination, once you don't wreck the server for everyone else)
      Part 1 : Create a text file with your name in it on Challenge 5's Desktop e.g. "Damo" in damo2k.txt
      Part 2 : Retrieve Challenge 5's log in details. Send PM when done
      Part 3 : Take a screen shot of Challenge 5's Desktop. Send PM when done. Upload to tinypix or similar.
      Bonus : Enter your name to hall of fame (read below first!!)

    For fun, a hall of fame will be maintained on free web-hosting here: http://damo.clanteam.com/sch5.php
    NOTE: this hall of fame is separated from the exploitable server and NOT part of the challenge itself. This is on free web-hosting and its only purpose is to manage a hall of fame. You do NOT hammer/scan this page. It's NOT crack-able anyway and messing around with it will most likely make the owners delete my account.
    You need an "unlock-code" to submit your name to the hall of fame. You will get this when you complete the challenge, specifically completing Part 3.

    Usual rules apply:
      No DoS
      No deliberate malicious
      No spoiling challenge for others, that involves changing the challenge configurations
      Use SPOILER tags when posting hints here.
      Clean up after yourselves on the server, so other people's experience isn't ruined.


    Good luck :)


    http://dl.dropbox.com/u/14338572/SecurityChallenge5.zip



Comments

  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Sound Damo :) Gunna give it a crack now.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Left peann.txt on the desktop :D


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Password sent :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    dlofnep wrote: »
    Password sent :)

    Well done, you're doing good.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Are people stuck?

    Need hints?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Hmm someone did something which caused the app to hang, it still allowed incoming connections but did nothing. Normally the service crashes when an exploit attempt fails, when that happens, firedaemon will restart it. It also restarts if it simply exits, but that shouldn't ever happen. So I dunno what would cause it to hang but still accept connections. Either way, I have firedaemon restart the service every hour. So if you get disconnected, just reconnect/exploit again.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Completed :)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Anybody else giving this a crack?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Seems very dead.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    If anyone needs tips - just ask.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Worst case scenario, if people are having problems finding an XP VM to test it on - Perhaps if you provided a valid RET address for them? I had problems with a few.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q




  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep




  • Registered Users Posts: 60 ✭✭obviousTroll


    I didn't realise that it would take this angle of exploiting. Going to study up on this over the next day or so, and try to hack my VM with it. Great project Damo.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    obviousTroll wrote: »
    I didn't realise that it would take this angle of exploiting. Going to study up on this over the next day or so, and try to hack my VM with it. Great project Damo.

    No problem, it should be good fun.

    There is a hint above if you get stuck.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Anyone still trying this? If not, then I'll take it down this evening.


  • Registered Users Posts: 1,204 ✭✭✭woodyg


    Any chance you could leave it up for another day or so, going to do some reading on it and give it a bash!
    Cracking idea for a project.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    It's still up.


  • Registered Users Posts: 60 ✭✭obviousTroll


    Still learning about the topic at hand, and trying to feck with my VM.


  • Registered Users Posts: 60 ✭✭obviousTroll


    Right, I managed to exploit it on my VM, and knocked up a basic perl script to do so. Can't seem to get it to work on your server however.

    I even used a value that you posted in the spoiler section, and still it does not work. Care to take a look at my code? I'm almost there!


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    You cannot open ports for incoming connections, as I'm behind a router and that would have to be defined in my NAT table.

    But the machine is able to make outgoing connections.. does that give you any hints?


  • Registered Users Posts: 60 ✭✭obviousTroll


    It gives me plenty. Thanks!


  • Closed Accounts Posts: 4,584 ✭✭✭digme


    meow :)
    cool challenge damo.
    I've no time to do it but it looks like a real world hack.
    niceeee


  • Registered Users Posts: 60 ✭✭obviousTroll


    If I'm the only one at the minute trying to connect, then you can power it down.

    I'm having multiple problems with hacking my VM. I know that I'm close, but I can't get the exploit to work. Creating a meterpreter exe works fine, but implementing it into shellcode doesn't yield the same results, i.e. it doesn't spawn a shell.

    I'll figure it out on my side, and see what's the matter. For now, if you wish to discontinue it, fair enough. I'll be awaiting the next challenge.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    digme wrote: »
    I've no time to do it but it looks like a real world hack.

    It absolutely was :) Best challenge so far, and easily the most difficult.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    obviousTroll wrote: »
    If I'm the only one at the minute trying to connect, then you can power it down.

    I'm having multiple problems with hacking my VM. I know that I'm close, but I can't get the exploit to work. Creating a meterpreter exe works fine, but implementing it into shellcode doesn't yield the same results, i.e. it doesn't spawn a shell.

    I'll figure it out on my side, and see what's the matter. For now, if you wish to discontinue it, fair enough. I'll be awaiting the next challenge.

    If you follow this, it will help lots: http://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/ - Check out the 'Converting the exploit to metasploit' section.

    I had problems with shellcode also, so I just used metasploit as a platform to launch the payload.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    obviousTroll wrote: »
    If I'm the only one at the minute trying to connect, then you can power it down.

    I'm having multiple problems with hacking my VM. I know that I'm close, but I can't get the exploit to work. Creating a meterpreter exe works fine, but implementing it into shellcode doesn't yield the same results, i.e. it doesn't spawn a shell.

    I'll figure it out on my side, and see what's the matter. For now, if you wish to discontinue it, fair enough. I'll be awaiting the next challenge.

    I will leave it up for a couple of days.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Are you's using WinDbg, OllyDbg or Immunity Debugger?


  • Registered Users Posts: 60 ✭✭obviousTroll


    Just sent you a PM. ;)

    I was using Immunity. Got what I came for!

    Going to submit my score.


  • Registered Users Posts: 60 ✭✭obviousTroll


    Thanks to dlofnep and Damo2k for pointing me in the right direction. I knew next to nothing about buffer overflows in general, but once meterpreter came into use, it was easy.

