September 20th, 2004, 06:36 PM
A few questions about testing proof of concept exploits
So a while back I was chatting on yahoo in hackers' lounge, and this dude was telling people he could hack anyone's computer. Then he started pming them and asking for IP's. Well when he pm'd me I started talking to him, and I gave him my IP cause I wasn't too worried. Luckily it didn't work on me. He ended up giving me the code and saying it was all secret and not to show anybody else. So I take part of the comment and put it in google and there's a bunch of hits for it as a proof of concept for a flaw in windows. Here is one of many (This was a while back, I know this is old)
So I decided I wanted to fool around with this. I have never coded in C before, so I had a hard time compiling the exploit, but with the help of some in IRC I got it compiled.
Anyway, just to be sure I was vulnerable I reinstalled windows and waited to start patching till after I messed with this thing. So I ended up running it against myself and it worked, and I also ran it against my older bro's box on the network. (he needs to run windows update :P). I have a few questions about this.
1. Does anyone else do this type of thing?
2. Is it considered skiddieish to test like this?
3. How is this type of thing detected on the computer being exploited? *
4. Is there any more extensive testing I can be doing?
* As I was doing my testing, I started to think that this sort of thing is hard to detect. In terms of the box the exploit was run against, I really couldn't think of any way other than being at the computer and typing netstat to tell if this is happening to you. If you happened to have an IDS between the computer and the internet, I'm sure that would pick it up, and if you had a firewall you probably wouldn't have the problem to begin with. So can it be traced by the casual admin?
Thanks fellas. Peace.
September 20th, 2004, 06:51 PM
I am a newbie to computer security and don't understand much of what you just posted. I followed the link and that looked even more confusing. I was wondering if someone could explain it to a first timer. It all looks really interesting. Thank you.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
September 20th, 2004, 06:54 PM
It is a buffer overflow exploit. There are others here that can explain what a buffer overflow is better than i can. Not being a smart ass or anything like that, plug buffer overflow into the search bar in the upper right hand corner of the main screen. Basiclay what a buffer overflow does is makes a program or service use more resources than it has been allocated thereby causeing a crash. Somebody correct me if im wrong on this
September 20th, 2004, 06:59 PM
You're kind of right I think. I'm going to attempt to explain it but I may be way off. The way I see it is, you have a buffer, and whatever is put into that buffer is unchecked which is what allows you to do a buffer overflow to begin with. When you overflow the buffer, you're basically overwriting memory. What you try and do, I believe, is overwrite memory that you know will be executed later, and you overwrite it with code that you want executed. In this example it overwrites it with code that will bind a system shell to a port you specify. I could be way off but that's how I understand it. The down and dirty way is to just crash it like ZM77 said, but you can manipulate it to get it to do things you want it to.
September 20th, 2004, 07:03 PM
Cider, the link shows a classical buffer overflow attack. That long sequence of hexadecimal contains the binary code of an assembly program that will run when buffer overflow happens. That assembly program should contains the necessary code to open another "Hole" on target machine to allow the attacker to inject code on target machine, or do whatever he/she wants. It is not a easy (:P) task to perform.
heretic, buffer overflow is a caused by a bad programming technic. Since the attacker can inject an arbitrary code, how can we "detect" it?
I can see 2 ways:
a) detect the buffer overflow "hole" at first time - not an easy task even with the source code
b) detect the exploit - how? attacker can use it from "crash the target system" until "inject a code to control target machine". Its a very large spectrum of analysis.
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt.
If I die before I wake, I pray the Lord my soul to brake.
September 20th, 2004, 08:06 PM
This is similar to MS04-007 which was covered on AO some time ago.
1) I do it occasionally, except I don't hang out in "hacker" channels
2) Testing it on your own computers/network isn't skiddish to me - doing it to others, it is. If you know what it does and have permission to do it to your brother, go ahead I guess...it's a grey line...
3) It can't really be *detected*. It appears to be a regular NETBIOS request, except one of the flags is malformed so that the data is loaded by the target and executed. A firewall can prevent random Internet machines from sending this packet, but if it is from your LAN you're out of luck if you want Windows' P2P file-sharing. Just patch and pray.
4) You could learn TCP/IP and how NETBIOS works so you can analyze the HEX equivilent of the packets that is in the code. Then you could understand the program, and maybe change the code to do something else like alert the person to visit Windows Update?
Personally, I've played with MS04-007 a bit on my LAN, and with concent of other people. It is freaky to suddenly see your computer wanting to reboot. When that happens, I just lock down my firewall and wait out the storm...