Tuesday, January 5, 2016

SANS Holiday Hack 2015-Part 4

Super Gnome 4

The hint to solve Super Gnome 4 was given by Tim Medin.
Tim: “LOL, fired from a volunteer position, Classic Dan. So yeah, SSJS injection attacks are pretty exciting. Like classic injection attacks, which allow you to run a local command on the target platform, SSJS injection attacks allow you to run arbitrary commands. Unlike XSS which allows you to run JavaScript on the victim’s browser, SSJS injection allows you to run arbitrary JavaScript on the server.
When a developer uses the JavaScript eval() method without validating the input, it is vulnerable to
SSJS injection. Anytime you see a parameter that can be manipulated on a site using Node.js, replace it with JavaScript that would produce a calculated value. Check out Bryan Sullivan’s paper Server-Side JavaScript Injection and SSJS Web Shell Injection by @signalcha0s.”
The vulnerable code in the index.js script in the www/routes directory was:
router.post('/files', upload.single('file'), function(req, res, next) {
if (sessions[sessionid].logged_in === true && sessions[sessionid].user_level > 99) { // NEDFORD:

this should be 99 not 100 so admins can upload var msgs = [];
file = req.file.buffer;
if (req.file.mimetype === 'image/png') {

msgs.push('Upload successful.');
var postproc_syntax = req.body.postproc;
console.log("File upload syntax:" + postproc_syntax);
if (postproc_syntax != 'none' && postproc_syntax !== undefined) {

msgs.push('Executing post process...'); var result;
d.run(function() {

result = eval('(' + postproc_syntax + ')');
});
// STUART: (WIP) working to improve image uploads to do some post processing. msgs.push('Post process result: ' + result);

}
msgs.push('File pending super-admin approval.'); res.msgs = msgs;

} else {
msgs.push('File not one of the approved formats: .png'); res.msgs = msgs;

}
} else

res.render('index', { title: 'GIYH::ADMIN PORT V.01', session: sessions[sessionid], res: res }); next();
});
All I had to do was to upload an image with file processing. It didn't matter which type. Then I just replaced what was in the postproc variable with the SSJS injection that I wanted to use. I was given this injection in the papers that were mentioned in the game.
I had trouble realizing that I wasn't requesting the correct directory. I checked the directory structure using:
res.end(require('fs').readdirSync('.').toString()) and res.end(require('fs').readdirSync('..').toString()) Once I corrected the directory, it worked as expected.
Here is the SSJS injection that I used to get the gnome.conf file.
res.end(require('fs').readFileSync('files/gnome.conf').toString())
Tim Medin gave an excellent paper on the SANS Pen Testing blog about how to make an asynchronous request. For the smaller files, a synchronous request is just fine, but for the larger files, the asynchronous request works better because it doesn't have the chance of causing the server to hang up. Unfortunately, I could not get his asynchronous method to work.
The second part was a bit more difficult. I couldn't send the zip files in the same way as before because they were too big. I tried the method that Tim Medin had mentioned in the Pen Testing Blog, however, the “Postproc Result” was undefined, and I kept getting a message that stated that the file had to be approved by “Nedford”. I would not have been able to solve this on my own with my current amount of knowledge. I e-mailed Counter Hack asking if I'm on the right track several times. I told them what I was doing, and they helped with methods and syntax that I didn't know. I was given this to try.
Buffer(fs.readFileSync('./files/factory_cam_4.zip').toString('base64'))


Gnome 4 E-Mail

To: <psychdoctor@whovillepsychiatrists.com>
Subject: Answer To Your Question
Date: Thu, 3 Dec 2015 13:38:15 -0500
Message-ID: <005a01d12df9$c5b00990$51101cb0$@atnascorp.com> MIME-Version: 1.0

Content-Type: multipart/alternative; .boundary="----=_NextPart_000_005B_01D12DCF.DCDA76C0" X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdEt+b3jejRUkW/FSByK/qhouKyIpQ== Content-Language: en-us

This is a multipart message in MIME format.
------=_NextPart_000_005B_01D12DCF.DCDA76C0 Content-Type: text/plain;
.charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dr. O' Malley,
In your recent email, you inquired:
> When did you first notice your anxiety about the holiday season? Anxiety is hardly the word for it. It's a deep-seated hatred, Doctor.

Before I get into details, please allow me to remind you that we operate under the strictest doctor-patient confidentiality agreement in the
business. I have some very powerful lawyers whom I'd hate to invoke in the event of some leak on your part. I seek your help because you are the best
psychiatrist in all of Who-ville.
To answer your question directly, as a young child (I must have been no more than two), I experienced a life-changing interaction. Very late on
Christmas Eve, I was awakened to find a grotesque green Who dressed in a tattered Santa Claus outfit, standing in my barren living room, attempting

to shove our holiday tree up the chimney. My senses heightened, I put on my best little-girl innocent voice and asked him what he was doing. He explained that he was "Santy Claus" and needed to send the tree for repair.
I instantly knew it was a lie, but I humored the old thief so I could escape

to the safety of my bed. That horrifying interaction ruined Christmas for me that year, and I was terrified of the whole holiday season throughout my teen years.
I later learned that the green Who was known as "the Grinch" and had lost his mind in the middle of a crime spree to steal Christmas presents. At the very moment of his criminal triumph, he had a pitiful change of heart and started playing all nicey-nice. What an amateur! When I became an adult, my fear of Christmas boiled into true hatred of the whole holiday season. I knew that I had to stop Christmas from coming. But how?
I vowed to finish what the Grinch had started, but to do it at a far larger scale. Using the latest technology and a distributed channel of burglars, we'd rob 2 million houses, grabbing their most precious gifts, and selling them on the open market. We'll destroy Christmas as two million homes full of people all cry "BOO-HOO", and we'll turn a handy profit on the whole deal.
Is this "wrong"? I simply don't care. I bear the bitter scars of the Grinch's malfeasance, and singing a little "Fahoo Fores" isn't gonna fix that!
What is your advice, doctor? Signed,
Cindy Lou Who



Super Gnome 5

I didn't solve this one. I do not know much about exploit writing, (or writing programs in general). I can read programs. It's strange that I can't write them. I read the articles that were given to me, but I didn't understand them. About the most that I'd understood was the Oxdusty paper about Address Space Layout Randomization. He wrote 112 characters in his example because he needed 100 to fill up the buffer, 4 bytes to overwrite the return address, 4 bytes to overwrite the eip, and 4 bytes to overwrite the esp. He put the address of the jmp instruction in the eip, and the shell code in the esp.
I found out how to get the program running on my local system to test it. I used Google to help me figure that out. It's “gcc -c snet.c”, “gcc -c sgstatd.c”, then “gcc snet.o sgstatd.o sgstatd”. I had to make a directory called, “/var/www/sgstatd”. I disassembled the program.
Josh Wright had told me in an e-mail that case 88 looked interesting. I tried typing hex numbers into the prompt to see if anything different happened. I figured out that it took one byte, so I was thinking about how I could make a one-byte character that would make hex 58. I was just thinking about numbers. I completely missed ascii. Then someone was kind and told me to type a letter “X”. I don't know why I didn't think of that because I've done hex to ascii conversions before. I guess that it was just lack of sleep. I found out that there was a hidden command prompt by typing the letter “X” into the selection screen instead of 1, 2, or 3.
I think that this is the vulnerable code. Odd that it's in the canary. *I meant the same method.  Now it makes perfect sense.  The canary job is to protect the return address.* Looks like there are 200 characters allowed to be stuffed in a 100 character buffer.
int sgstatd(sd) {
__asm__("movl $0xe4ffffe4, -4(%ebp)"); //Canary pushed
char bin[100];
//recv(sd, &bin, 200, 0);
sgnet_readn(sd, &bin, 200);

// Canary checked
write(sd, "\nThis function is protected!\n", 30); fflush(stdin);
__asm__("movl -4(%ebp), %edx\n\t" "xor $0xe4ffffe4, %edx\n\t" "jne sgnet_exit");
return 0; }


The Boss

I didn't capture enough gnomes to make a clear image, but I think that I know how to solve this particular part. You bitwise xor the pixels of the static images together to uncover a hidden image. I recently read an article about steganography detailing this technique. For example, “Image A XOR Image B = Image C; Image C XOR Image A = Image B; Image C XOR Image B = Image A”
I used ImageMagick to xor the images that I had together. Someone on stack overflow was kind enough to post this method.

convert factory_cam_1.png factory_cam_2.png -fx "(((255*u)&(255*(1-v)))|((255*(1- v))&(255*v)))/255" factorycam1and2.png
convert factorycam1and2.png factory_cam_3.png -fx "(((255*u)&(255*(1-v)))|((255*(1- v))&(255*v)))/255" factorycam12and3.png
convert factorycam12and3.png camera_feed_overlap_error.png -fx "(((255*u)&(255*(1-v)))|((255*(1- v))&(255*v)))/255" overlap12and3.png

convert overlap12and3.png factory_cam_4.png -fx "(((255*u)&(255*(1-v)))|((255*(1- v))&(255*v)))/255" overlap12and3.png 

No comments:

Post a Comment