kaist-is521 / 2017-spring
2017s-IS521
I'm confused about the exact definition of a benign program....
In the activity instructions there is this definition of a benign program:
By benign, we mean that your program should not leak any information from the vulnerable server other than the fact that the server is running a vulnerable vulnet server
If there is a program that connects to the server with the backdoor id "superuser" and sends only the command "ls", is it malicious or benign?
Two worm files are compiled as 64-bit and thus do not run on the provided vagrant VM.
Those files can easily be found with the following command:
$ file * | grep 64-bit
Regarding the criterion for when the backdoor is triggered:
I assumed a strong backdoor and implemented it as 3)...
I'm asking because I'm worried that I might lose points due to a difference in interpretation.
When I connect with vagrant ssh to the VM built from the box given in class, in my case deb32-jessie-base-vb5.1.12.box is in /vagrant, so I tried scanning it with yr_rules_scan_file, and the scanner exits with the message "killed".
I tried several tests but could not find a definite cause. One scenario I suspected is that the file is about 870MB and the VM's memory is small, so the process gets killed; but yr_rules_scan_file works on a VM running a different OS (512MB of memory), so I'm asking here.
Since it works normally in other environments, I'm guessing the cause is something other than a coding mistake.
I looked for the cause but really couldn't figure it out, so I'm asking. If you have an opinion on what might be suspicious, I'll check it.
Also, if anyone else is using the vagrant box settings given in class as-is, could you put the box file on your VM and run a scan test?
If there is a 'myworm' malware with slightly different semantics (such as not scanning the given IP range),
should our scanners filter it or not?
The ite and jump opcodes have immediate value(s) as operands.
I guess the size of ite's operand (immediate value) is 1 byte.
Is the size of jump's operand also 1 byte?
If so, is it okay to assume that the code size does not exceed 1024 bytes (at most 256 instructions, each being 4 bytes)?
While looking for where the public key is...
I wandered around by myself for too long.. ㅠㅠ so I'm posting this just in case.
On pgp.mit.edu, if you search for [email protected] [the professor's] email address,
you can download it by public key ID!!
gpg --keyserver [keyserver] --recv-key [pub id]
The signatures of the myworm-* binaries in the zip file seem to vary.
For example, the default output file should be slaves.csv according to the specification.
However, some worms use different file names (e.g., slave.csv, juicy.csv).
Should the YARA rule include all these variations to detect whether a provided myworm-* binary is one or not?
Can I assume that netcat has already been installed on the victim's machine?
Hello,
The last item in Activity 1 asks the student to create a pull request. Unfortunately I am not sure exactly what is expected:
Thank you very much,
Markus
I just noticed that I don't have any repository for the proposal at the moment.
Please make it for me :)
After reading Part 1 of the activity description I am not sure whether I should delete the binary or just unlink it.
Having the following files:
/tmp/myworm
/proc/self/exe [ -> /tmp/myworm]
Should I delete the actual binary worm file (rm /tmp/myworm), delete the link (unlink /proc/self/exe), or both?
I'm using TeXworks installed on Windows.
But the '0313-backdoor.tex' file does not compile.
The 'console output' shows the following:
The log file says the following:
2017-02-27 16:31:23,437+0900 INFO texify - running 'initexmf --quiet --update-fndb' to refresh the file name database
So I tried entering that command, but it still does not compile.
Additionally, if I comment out the '\bibliography{references}' line in the tex file, it compiles normally.
I'm confused about the meaning of this:
"If there exist a file in /tmp/myworm, ... it stores the binary of itself to /tmp/myworm"
I think the meaning is that my worm stores itself to /tmp/myworm.
Its path is /tmp/myworm; /tmp/myworm is not a directory.
Is that correct?
The recvSock of vulnet has been modified.
Commit: 0bdfcf5a45b496e35e5be554410480bea96adabc
When I tested it during the homework, it worked correctly in the version before the modification.
When creating a variant worm, which version should I test against?
Also, do I need to modify myworm to match the current version for Activity 4?
In item 4 of Assignment 3.1 there is this part:
For the purpose of this exercise, we just close
the connection at this point without running the worm binary, but in reality, you
would run the binary. N.B., we will deduct points if you execute the worm after
propagation.
Does this mean that, unlike reality, in the assignment propagation occurs only from the host that starts the worm, and the infected hosts must not propagate on their own?
Is it correct to push the Activity-1 work to the KAIST-IS521/grades-[user id] private repository?
This may be a strange(?) question, but can the IP address argument to myworm come in a form like 192.168.023.048?
I looked into it and found that certain functions interpret 023 and 048 as octal when computing the address...
I'd like to know whether such odd input should be treated as invalid, or handled as if the leading zeros weren't there (the example above handled as 192.168.23.48).
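The ambiguity asked about above, shown concretely as an added example (not from the original issue and not the course's myworm code): how inet_pton and the legacy inet_aton treat leading zeros, next to a strict dotted-quad parser that rejects them. The function names strict_ipv4, pton_ipv4 and aton_ipv4 are this example's own; the inputs are constructed. It targets glibc/musl on Linux.

```c
/* Added example (not part of the original issue or the course code): how the
 * common IPv4 parsers treat "192.168.023.048", and a strict parser that rejects
 * leading zeros instead of guessing. Targets glibc/musl on Linux. */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Strict dotted-quad parser: exactly four decimal octets in 0..255, no leading
 * zeros, no hex/octal, no shorthand such as "127.1". Returns the address in
 * host byte order, or -1 when the string is rejected. */
long long strict_ipv4(const char *s)
{
    uint32_t addr = 0;
    for (int octet = 0; octet < 4; octet++) {
        unsigned val = 0;
        int ndigits = 0;
        while (*s >= '0' && *s <= '9') {
            if (ndigits == 1 && val == 0)      /* "023", "00": a leading zero */
                return -1;
            val = val * 10 + (unsigned)(*s - '0');
            if (val > 255)
                return -1;
            ndigits++;
            s++;
        }
        if (ndigits == 0)
            return -1;
        addr = (addr << 8) | val;
        if (octet < 3) {
            if (*s != '.')
                return -1;
            s++;
        }
    }
    if (*s != '\0')                              /* trailing garbage */
        return -1;
    return (long long)addr;
}

/* inet_pton(): rejects leading zeros, hex and shorthand forms.
 * Returns host-order address or -1. */
long long pton_ipv4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return -1;
    return (long long)ntohl(a.s_addr);
}

/* inet_aton(): BSD legacy parser. A leading 0 selects octal and 0x selects hex,
 * and fewer than four parts are accepted, so "192.168.023.040" silently becomes
 * 192.168.19.32. Returns host-order address or -1. */
long long aton_ipv4(const char *s)
{
    struct in_addr a;
    if (inet_aton(s, &a) == 0)
        return -1;
    return (long long)ntohl(a.s_addr);
}

static void show(const char *s)
{
    printf("%-18s strict=%lld inet_pton=%lld inet_aton=%lld\n",
           s, strict_ipv4(s), pton_ipv4(s), aton_ipv4(s));
}

int main(void)
{
    /* Constructed inputs: the case from the question plus the usual ambiguous forms. */
    show("192.168.23.48");
    show("192.168.023.048");   /* strict and inet_pton reject it; 8 is not an octal digit, so inet_aton fails too */
    show("192.168.023.040");   /* inet_aton quietly reinterprets it as 192.168.19.32 */
    show("0x7f.1");
    show("127.1");
    return 0;
}
```

The practical point: if the worm (or any scanner) ever hands a string to inet_aton, gethostbyname or a shell command, the same text can name two different hosts depending on the parser, so validate with inet_pton or a strict parser first and reject anything that does not round-trip.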
Is the interpreter code working?
Maybe there is a link error in the Makefile.
.../interpreter/interpreter.c:76: undefined reference to `initVMContext'
.../interpreter/interpreter.c:87: undefined reference to `stepVMContext'
collect2: error: ld returned 1 exit status
Makefile:17: recipe for target 'build/interpreter' failed
make: *** [build/interpreter] Error 1
I searched Google... but I can't find anything because link errors are case by case...
If this error occurs only in my environment, I will close this issue.
Thanks.
When I scan files recursively with 'scanDir', the 'opendir' function fails after scanning thousands of files.
The error message says "Too many open files".
If our mission only considers a limited number of files (90), my scanner looks fine.
Does my scanner need to handle thousands of files?
I am doing the homework about PGP, but on the last step I cannot find the professor's key.
Where could I get the professor's (public) key?
Thanks.
About yara's functions:
When I call x = yr_rules_scan_file(rules, dir, SCAN_FLAGS_FAST_MODE, callback_function, NULL, 0); in order to scan my file, the value x that I get is always
CALLBACK_MSG_SCAN_FINISHED. Isn't it supposed to give the two messages CALLBACK_MSG_RULE_MATCHING or CALLBACK_MSG_RULE_NOT_MATCHING?
I made a pull request from the 2nd-activity branch to master. Do I have to merge the pull request if there is no conflict, or just leave it as a pull request? I am a little bit confused.
There is a specification for printing the scan result in the document (2.3).
I think the meaning of 'File Name' is not the full path (only the file name).
But some people said that it is not intuitive.
Is it right to print out only the file name?
At this line: 0x1000,0x4000. This line means that your value tracer needs to print out the 4-byte value.
Should we consider this 4-byte value as an integer value, or just a 4-byte dump?
And what should the output format of registers and the 4-byte memory value be?
During the PGP activity, I updated the mail address of my PGP key after it was signed by 4 classmates
(there was a typo in my email address; I noticed it after it was signed).
I have not checked my activity score, so I wonder whether there is any penalty in my case.
There are some useful modules in yara.
Some modules are installed by default and the rest are not.
Has anyone used the "hash" module?
I get an error message: unknown module "hash".
This is the documentation for installing it: http://yara.readthedocs.io/en/v3.5.0/modules/hash.html
I followed the instructions above, but I still cannot use it.
I use the vagrant box given in the class and yara v3.5.
I fixed a bug in my interpreter code after copying my previous code to the backdoor folder.
Is there a good way to apply both?
diff is not helpful to me.
I turned on the GUI setting in the Vagrantfile by uncommenting it.
config.vm.provider "virtualbox" do |vb|
  # Display the VirtualBox GUI when booting the machine
  vb.gui = true
end
So I logged in to the VM with the ID: vagrant, PW: vagrant.
But if I execute 'vagrant ssh', the error message is as follows.
$ vagrant ssh
ssh_exchange_identification: read: Connection reset by peer
Is it OK for the future activities?
Hello.
During the last Key-Signing Party, some settings on my laptop were wrong, so I had to go back early.
As a result, I was not able to exchange keys with anyone.
That's all.
Am I allowed to print information (such as which IP is being scanned) to stdout, other than the error messages stated in the spec?
After debugging for a while, I realized that /proc/ does not exist on macOS.
Is there another way for Mac users..?
thanks
In the AV assignment description, item
5. ./benign/Makefile file should produce your benign sample in ./build/benign.bin.
I'm asking because I'm not sure whether the ./build/ mentioned here means ./benign/build/ or the ./build/ where the scanner is produced.
To students:
I can't compile the puts and gets functions since they collide with <stdio.h>'s puts and gets.
I don't know how to override or overload in C. Does anyone know about it?
To the professor:
May I change them to other names in interpreter.c? (Is it allowed?)
In the document, the behavior of puts is described as the libc puts function.
But I think it is impossible to implement the pseudocode listed in "Listing 1" that way.
In detail, printf("User: ");
doesn't print any newline character, but the libc puts function always prints a newline character at the end of its output.
So I suggest a new spec that is the same as libc puts except for the newline character.
In our grades-* repository, only the grading criteria and score are uploaded.
But sometimes I'm confused about which one I missed, since there are several subjective criteria such as 'If the code is difficult to read and understand'.
So if I'd like to check the exact criterion that caused my points to be deducted, I have to ask the TA, but I think that is inconvenient for both sides.
So my suggestion is uploading an O/X table for each criterion.
It would also give students enough time to think about what was wrong in previous activities and check whether it is wrong or not.
From #55, I see that it's better to put the entire email body into a file with an .asc extension.
I wonder if there is any naming convention for the file, like body.asc or such.
I noticed that my worm (mickan921) is not present among the worms given.
Were the worms randomly selected, or should I be worried?
thanks
This might be a dumb question, but is it allowed to use a .gitignore file instead of just not committing the build/myworm binary?
The reason I'm asking is that the activities are always very precise on final deliverables and usually deduct points if the delivery deviates from the specification. Activity 4 lists three files, README.md, src/ and Makefile, and specifically states that the binary should not be committed. The usual way is using a .gitignore file, but this would add a fourth file.
Whenever I send any command to the new vulnet, it first gives me an error message saying that the command is not found, but then it gives me what I want on the next line. For instance:
ls
/bin/bash: line 1: checkin: command not found
Makefile
README.md
build
vulnet.c
However, the original vulnet does not print that "/bin/bash: line 1: checkin: command not found".
Am I the only one having this problem..?
Through this assignment activity I learned that there are two approaches for sending the encrypted message content.
Inline PGP: the encrypted message itself is included in the mail body. HTML formatting can become an issue during sending.
In my case, the alert dialog "Message contains HTML formatting information that will be lost when converting to plain text for signing/encryption. Do you wish to proceed?" appeared.
PGP/MIME: the encrypted mail content is converted to an .asc file and attached.
For submitting the deliverable of this assignment, would adopting the PGP/MIME approach be more appropriate than Inline PGP?
As for getting all running processes, the activity hints at the ps source code. May we use libproc, as ps does, or should we include the necessary code with the scanner binary?
The provided vagrant box includes libprocps.so.3.0.0, though I am unable to find the header files.
If the user runs the scanner with user permissions, should the scanner check root-permission processes?
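For the two questions above (libprocps versus own code, and what an unprivileged scanner can see), here is an added example that is not the activity's scanner and not libprocps: it enumerates processes by reading /proc directly, which is what ps and libprocps do underneath. It is Linux-only, and the struct and function names (proc_info, read_proc, for_each_process, process_listed, exe_resolvable) are this example's own.

```c
/* Added example (not the course scanner, not libprocps): enumerate running
 * processes by walking /proc. Linux only. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct proc_info {
    pid_t pid;
    uid_t uid;        /* owner of /proc/<pid>, i.e. whose process it is */
    char comm[64];    /* /proc/<pid>/comm, readable for every process */
    char exe[256];    /* /proc/<pid>/exe target; "" when readlink() is denied */
};

static int all_digits(const char *s)
{
    if (!*s) return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Read one process. Returns 0 on success, -1 if it no longer exists.
 * An unprivileged scanner can list every pid and its comm, but readlink() on
 * /proc/<pid>/exe fails with EACCES for processes owned by other users (root's
 * included), so exe is left empty instead of being treated as an error. */
int read_proc(pid_t pid, struct proc_info *out)
{
    char path[64];
    struct stat st;
    memset(out, 0, sizeof *out);
    out->pid = pid;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    if (stat(path, &st) != 0) return -1;
    out->uid = st.st_uid;
    snprintf(path, sizeof path, "/proc/%d/comm", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(out->comm, sizeof out->comm, f)) { fclose(f); return -1; }
    fclose(f);
    out->comm[strcspn(out->comm, "\n")] = '\0';
    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    ssize_t n = readlink(path, out->exe, sizeof out->exe - 1);
    if (n >= 0) out->exe[n] = '\0';
    return 0;
}

/* Walk /proc and hand every live process to cb; cb returning nonzero stops the
 * walk. Returns the number of processes handed to cb, or -1 if /proc is missing. */
long for_each_process(int (*cb)(const struct proc_info *, void *), void *ctx)
{
    DIR *d = opendir("/proc");
    if (!d) return -1;
    long n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        struct proc_info pi;
        if (!all_digits(e->d_name)) continue;                       /* not a pid entry */
        if (read_proc((pid_t)atol(e->d_name), &pi) != 0) continue;  /* exited meanwhile */
        n++;
        if (cb && cb(&pi, ctx) != 0) break;
    }
    closedir(d);
    return n;
}

struct lookup { pid_t pid; int found; };
static int lookup_cb(const struct proc_info *pi, void *ctx)
{
    struct lookup *l = ctx;
    if (pi->pid == l->pid) { l->found = 1; return 1; }
    return 0;
}

/* 1 if pid shows up in the enumeration, 0 otherwise (our own pid always must). */
int process_listed(pid_t pid)
{
    struct lookup l = { pid, 0 };
    for_each_process(lookup_cb, &l);
    return l.found;
}

/* 1 if /proc/<pid>/exe resolves for pid; true for our own process, often false
 * for other users' processes when not running as root. */
int exe_resolvable(pid_t pid)
{
    struct proc_info pi;
    return read_proc(pid, &pi) == 0 && pi.exe[0] != '\0';
}

static int print_cb(const struct proc_info *pi, void *ctx)
{
    (void)ctx;
    printf("%6d %5d %-16s %s\n", (int)pi->pid, (int)pi->uid, pi->comm, pi->exe);
    return 0;
}

int main(void)
{
    printf("%6s %5s %-16s %s\n", "PID", "UID", "COMM", "EXE");
    return for_each_process(print_cb, NULL) < 0;
}
```

Run it once as a normal user and once with sudo: the pid and comm columns are the same, but the exe column is empty for other users' processes only in the unprivileged run, which is the concrete answer to "should the scanner check root-permission processes": it can list them, but it cannot open their executables or memory without root.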
The value tracer receives the executable binary as the first argument and the csv file as the second argument.
Don't we need to consider programs that need arguments?
My worm works fine on my system, except in two cases:
specifically, when removing the binary itself.
When I check using perror,
it prints out
Text File Busy
But except for those 2 cases it works fine (it means the program executes the self-remove function successfully). I guess in that case reading the pathname of the binary gets some kind of encoding problem. Does anyone have an idea regarding this?
Thank you.
I'm just confused about this description:
Second, when a user specifies at least one directory to scan, then you simply recursively enumerate and scan all the files in the directory.
When I specify the directories after specifying the rule file, is it right to specify a "directory name" only?
If so, how is the path set?
Do I need to specify the directory that contains the path?
It is a very simple question. If there is a directory inside the specified directory, can I just ignore it when scanning?
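The recursive enumeration asked about here, and the "Too many open files" failure reported further up for 'scanDir', both come down to the same routine, so here is one added example (not the course's scanner.c) of a directory walker that recurses into subdirectories, skips symlinks, and closes every DIR handle it opens. Forgetting closedir() is the usual cause of opendir() failing with EMFILE after roughly a thousand directories, since the default per-process limit is 1024 descriptors. The names scan_dir, open_fd_count, scan_fixture and scan_leaks_fds are this example's own, and the fixture tree it builds under /tmp is constructed.

```c
/* Added example (not the course scanner): recursive directory walk that releases
 * every DIR handle. Linux/POSIX. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef int (*file_cb)(const char *path, void *ctx);

/* Visit every regular file below dir, recursing into subdirectories and not
 * following symlinks. Returns the number of files visited, or -1 with errno set. */
long scan_dir(const char *dir, file_cb cb, void *ctx)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    long count = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        char path[PATH_MAX];
        struct stat st;
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name) >= (int)sizeof path) {
            errno = ENAMETOOLONG; count = -1; break;
        }
        if (lstat(path, &st) != 0) { count = -1; break; }   /* vanished or unreadable */
        if (S_ISDIR(st.st_mode)) {
            long sub = scan_dir(path, cb, ctx);
            if (sub < 0) { count = -1; break; }
            count += sub;
        } else if (S_ISREG(st.st_mode)) {
            if (cb(path, ctx) != 0) { count = -1; break; }
            count++;
        }
        /* symlinks, devices, sockets, fifos: skipped on purpose */
    }
    closedir(d);   /* one closedir() per opendir(): open handles are bounded by depth, not tree size */
    return count;
}

/* Descriptors this process currently holds (Linux /proc), or -1 if unavailable. */
long open_fd_count(void)
{
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    long n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (e->d_name[0] != '.') n++;
    closedir(d);
    return n - 1;   /* minus the descriptor opendir() itself held */
}

static int count_cb(const char *path, void *ctx) { (void)path; (void)ctx; return 0; }

/* Constructed fixture: ndirs subdirectories holding nfiles files each under a
 * fresh mkdtemp() root. Returns the count scan_dir() reports (ndirs*nfiles) and,
 * through *fd_growth, how many descriptors the scan leaked (0 for this code). */
long scan_fixture(int ndirs, int nfiles, long *fd_growth)
{
    char root[] = "/tmp/scandemo-XXXXXX";
    char p[PATH_MAX];
    if (!mkdtemp(root)) return -1;
    for (int i = 0; i < ndirs; i++) {
        snprintf(p, sizeof p, "%s/d%d", root, i);
        if (mkdir(p, 0700) != 0) return -1;
        for (int j = 0; j < nfiles; j++) {
            snprintf(p, sizeof p, "%s/d%d/f%d", root, i, j);
            FILE *f = fopen(p, "w");
            if (!f) return -1;
            fputs("constructed sample\n", f);
            fclose(f);
        }
    }
    long before = open_fd_count();
    long n = scan_dir(root, count_cb, NULL);
    long after = open_fd_count();
    if (fd_growth) *fd_growth = (before < 0 || after < 0) ? 0 : after - before;
    for (int i = 0; i < ndirs; i++) {                       /* cleanup */
        for (int j = 0; j < nfiles; j++) {
            snprintf(p, sizeof p, "%s/d%d/f%d", root, i, j);
            unlink(p);
        }
        snprintf(p, sizeof p, "%s/d%d", root, i);
        rmdir(p);
    }
    rmdir(root);
    return n;
}

/* 0 when scanning ndirs directories leaks no descriptors, 1 when it does, -1 on error. */
int scan_leaks_fds(int ndirs)
{
    long growth = 0;
    if (scan_fixture(ndirs, 1, &growth) < 0) return -1;
    return growth > 0;
}
```

Passing a bare directory name to scan_dir works because the paths it builds are relative to the working directory; the scanner only needs the full path if the spec wants it printed, in which case resolve the argument with realpath() once before walking. Removing the closedir() line and calling scan_fixture(1100, 1, NULL) reproduces the EMFILE failure from the earlier report.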
At step 5 in 3.1:
It re-connects to the server with the obtained user name and the password from Step 3. If the login works, it records the IP address of the vulnerable host along with a user name and a password. Otherwise, it simply records the IP address with a user name “superuser”.
I cannot understand the meaning of "Otherwise".
As I see it, if I can log in with 'superuser', I can always get a correct id/pw pair.
So I guess there is no possibility for "Otherwise".
Am I misunderstanding?
I would like to know the more precise condition for recording "superuser" for a certain IP address.
I installed libyara-dev on the VM provided in class, and when I checked the version it is 3.1.0.
Looking at the given scanner.c code, there is
yr_compiler_set_callback( compiler, cbCompile, NULL );
but in the libyara 3.1.0 docs yr_compiler_set_callback takes only two arguments (void *user_data is missing).
In this case it probably doesn't matter much, but I'm asking because I expect there are differences between versions.
Is there a reference yara version?
myworm-seongil-wi in the given worm-bins.zip file is not working correctly.
It is also different from the binary compiled from the source code that I submitted to my private repository.
(I used the most recent version of vulnet.)
Please confirm.
Thank you.
I'm wondering whether, after making the message into a file,
I sign it with my own public key and encrypt it with the professor's public key,
and then send it by mail.
Or do I sign and encrypt the mail itself and send that?