GUIDE to (mostly)
More on Shortcuts to Discovering New Ways
to Break into Computers
*** Memory Exploits
Stack and heap buffer overflows are special cases of fault
injection. The problem is that computer programs set up temporary
locations in the RAM (random access memory) known as buffers
to store things. The idea is to keep these memory locations from
becoming unnecessarily large, or else all the RAM can get used
up. Basically, a buffer overflow is a condition in which too
much data is placed into too little allocated space in a computer's
memory. The extra data, if properly crafted, can end up in another
part of memory that will enable a break-in. Buffer overflows
are the most common of all computer security flaws known today.
Newbie note: Heap memory is used for
arbitrarily large buffers. Stack memory is a buffer used for
storing requests that need to be handled.
When some sorts of error condition results from an attempt
at a buffer overflow, these may indicate that the attack was
successful. An example would be to get the error message on a
Unix-type system of "segmentation fault." In a Windows
program, you might see it crash.
So, whoopie, let's say you just accomplished a buffer overflow!
Is it time to get excited? Maybe not. It's always a good idea
to remove buffer overflows from any program because they can
cause it to do unexpected things. However, there is a big difference
between a buffer overflow that is merely bug in a program, and
one so serious that it could crash the victim program, reboot
the computer, or enable someone to break in. The main point of
buffer overflow exploits is to stick something into a portion
of memory that does something dastardly, for example setting
up a back door that enables the bad guys to remotely control
the victim computer. In order to do something dastardly, the
program (or thread or process created by the program) in which
the overflow occurs has to have enough power to do these bad
Newbie note: A process is a program
that is running. A thread is a part of a program that can run
independently of other parts. In most operating systems a thread
is very similar to a new process except that it shares memory
other resources with other threads in the same process. Some
programs might have many threads running at once. For example,
a webserver might run a separate thread to serve each browser
currently connected to it. A program might only be able to run
with only one process, or it might be designed to run many processes.
In Windows XP, you can see most of the processes currently running
with Control-Alt-Delete, click the processes tab and the "Show
processes from all users." In Unix, OSX and Linux operating
systems, bring up a shell and at the prompt type ps aux. (For
other options for the ps command, type "man ps".)
For example, buffer overflows in webservers are typically
a big deal because this might enable an attacker to deface a
website. If you can exploit a server on the Everquest game, you
might be able to move up many levels in the game by cheating.
On the other hand, a buffer overflow in the Everquest client
that runs on your home computer isn't likely to be able bestow
god-like powers upon your character.
You can get punched in the nose warning:
Hacking to cheat at commercial online games is a good way to
get kicked off for life.
You can go to jail warning: If you
break into an online game server, you can wind up playing games
at "Club Fed" that are involuntary and much less fun
In the case of Unix, OSX and Linux operating systems, a process
that runs as root can do anything, and therefore has the potential
to be exploited to take total control of the victim computer.
In the case of Windows NT/XP/2K/2003 operating systems, the ideal
exploitable process or thread runs with administrator powers.
OK, so you found a buffer overflow that occurs in a thread
or process that runs as root or administrator. Your next step
is to see if you can find a way to insert "shellcode"
into the buffer overflow you have just found. Note that you can't
just place assembly code or any other form of source code directly
into the buffer overflow payload. It must be compiled. Shellcode
is a compiled program that actually performs the break-in (or
whatever else you want the victim computer to do). This is called
the "payload" of the exploit. Fortunately for the wannabe
writer of buffer overflow exploits, a web search will turn up
lots of shellcode free for the download.
If you want to do more than just reuse somebody else's shellcode,
if you want to write your own, there are some excellent tutorials
on the topic:
· Writing buffer overflow exploits - a tutorial for beginners
· Shellcoding for Linux and Windows Tutorial http://www.vividmachines.com/shellcode/shellcode.html
· Links to many shellcode tutorials: http://shellcode.org/shellcode/tutorial/
The next trick is to use the buffer overflow to place your
shellcode payload into the right place in memory. A common way
to do this is to place many "NOP" commands in front
of the payload. This is known as a "NOP sled." NOP
is a Pentium-compatible CPU assembly language command that means
"no operation," that is to say, the program should
do nothing. The advantage of using NOP commands is that it doesn't
matter as much where the payload is inserted into the buffer
overflow, because any commands cut off at the beginning of the
payload are merely NOPs.
In shellcode, a series of NOPs might appear in a buffer overflow
etc." The victim process or thread
will translate these characters into a series of NOP commands.
You can more easily find buffer overflow exploits by automating
tests for them. However, this can't be done blindly by just running
a program; it takes a bit of creativity. The book Exploiting Software: How to break Code
by Greg Hoagland and Gary McGraw (that Ph.D guy again!) has a
chapter on how to find buffer overflows using IDA-Pro.
Buffer overflow exploit finder programs:
· Buffer Overflow Utility, used to find them on webservers:
· Flaw Seeker: http://www.securiteam.com/tools/5QP040KEUA.html
Finally, for yet more help to find new ways to break into
computers, the Metasploit Framework is an advanced open-source
platform for developing, testing, and using exploit code. http://www.metasploit.com/projects/Framework/.
Warning: McAfee antivirus will try to delete this program as
a virus. This does not mean that Metasploit is a danger to your
computer, but rather that McAfee fears that you may use it to
create a program that will attack other computers.
Back to the Guides to
(mostly) Harmless Hacking --->>