Chat with
Hackers

How to Defend
Your Computer 

The Heretic! 
A Hacker Thriller

The Guides
to (mostly) 
Harmless Hacking

Happy Hacker 
Digests 

Hacker Links 

Hacker
Wargames 

Meet the 
Happy Hacksters 

Help for 
Beginners 

Hacker 
Bookstore 

Humor 

It Sucks 
to Be Me!

How to Commit
Computer Crime! 

What Is a 
Hacker, Anyhow? 

Have a 
Great Life! 

News from the 
Hacker War Front

GUIDE to (mostly) Harmless Hacking

More on Shortcuts to Discovering New Ways to Break into Computers

___________________________________________________________

*** Memory Exploits
___________________________________________________________

Stack and heap buffer overflows are special cases of fault injection. The problem is that computer programs set up temporary locations in the RAM (random access memory) known as buffers to store things. The idea is to keep these memory locations from becoming unnecessarily large, or else all the RAM can get used up. Basically, a buffer overflow is a condition in which too much data is placed into too little allocated space in a computer's memory. The extra data, if properly crafted, can end up in another part of memory that will enable a break-in. Buffer overflows are the most common of all computer security flaws known today.
___________________________________________________________
Newbie note: Heap memory is used for arbitrarily large buffers. Stack memory is a buffer used for storing requests that need to be handled.
___________________________________________________________

When some sorts of error condition results from an attempt at a buffer overflow, these may indicate that the attack was successful. An example would be to get the error message on a Unix-type system of "segmentation fault." In a Windows program, you might see it crash.

So, whoopie, let's say you just accomplished a buffer overflow! Is it time to get excited? Maybe not. It's always a good idea to remove buffer overflows from any program because they can cause it to do unexpected things. However, there is a big difference between a buffer overflow that is merely bug in a program, and one so serious that it could crash the victim program, reboot the computer, or enable someone to break in. The main point of buffer overflow exploits is to stick something into a portion of memory that does something dastardly, for example setting up a back door that enables the bad guys to remotely control the victim computer. In order to do something dastardly, the program (or thread or process created by the program) in which the overflow occurs has to have enough power to do these bad things.
___________________________________________________________
Newbie note: A process is a program that is running. A thread is a part of a program that can run independently of other parts. In most operating systems a thread is very similar to a new process except that it shares memory space and
other resources with other threads in the same process. Some programs might have many threads running at once. For example, a webserver might run a separate thread to serve each browser currently connected to it. A program might only be able to run with only one process, or it might be designed to run many processes. In Windows XP, you can see most of the processes currently running with Control-Alt-Delete, click the processes tab and the "Show processes from all users." In Unix, OSX and Linux operating systems, bring up a shell and at the prompt type ps aux. (For other options for the ps command, type "man ps".)
___________________________________________________________

For example, buffer overflows in webservers are typically a big deal because this might enable an attacker to deface a website. If you can exploit a server on the Everquest game, you might be able to move up many levels in the game by cheating. On the other hand, a buffer overflow in the Everquest client that runs on your home computer isn't likely to be able bestow god-like powers upon your character.
___________________________________________________________
You can get punched in the nose warning: Hacking to cheat at commercial online games is a good way to get kicked off for life.

You can go to jail warning: If you break into an online game server, you can wind up playing games at "Club Fed" that are involuntary and much less fun
___________________________________________________________

In the case of Unix, OSX and Linux operating systems, a process that runs as root can do anything, and therefore has the potential to be exploited to take total control of the victim computer. In the case of Windows NT/XP/2K/2003 operating systems, the ideal exploitable process or thread runs with administrator powers.

OK, so you found a buffer overflow that occurs in a thread or process that runs as root or administrator. Your next step is to see if you can find a way to insert "shellcode" into the buffer overflow you have just found. Note that you can't just place assembly code or any other form of source code directly into the buffer overflow payload. It must be compiled. Shellcode is a compiled program that actually performs the break-in (or whatever else you want the victim computer to do). This is called the "payload" of the exploit. Fortunately for the wannabe writer of buffer overflow exploits, a web search will turn up lots of shellcode free for the download.

If you want to do more than just reuse somebody else's shellcode, if you want to write your own, there are some excellent tutorials on the topic:
· Writing buffer overflow exploits - a tutorial for beginners http://mixter.void.ru/exploit.html
· Shellcoding for Linux and Windows Tutorial http://www.vividmachines.com/shellcode/shellcode.html
· Links to many shellcode tutorials: http://shellcode.org/shellcode/tutorial/

The next trick is to use the buffer overflow to place your shellcode payload into the right place in memory. A common way to do this is to place many "NOP" commands in front of the payload. This is known as a "NOP sled." NOP is a Pentium-compatible CPU assembly language command that means "no operation," that is to say, the program should do nothing. The advantage of using NOP commands is that it doesn't matter as much where the payload is inserted into the buffer overflow, because any commands cut off at the beginning of the payload are merely NOPs.

In shellcode, a series of NOPs might appear in a buffer overflow as "AAAAAAAAAAA… etc." The victim process or thread will translate these characters into a series of NOP commands.

You can more easily find buffer overflow exploits by automating tests for them. However, this can't be done blindly by just running a program; it takes a bit of creativity. The book Exploiting Software: How to break Code by Greg Hoagland and Gary McGraw (that Ph.D guy again!) has a chapter on how to find buffer overflows using IDA-Pro.

Buffer overflow exploit finder programs:
· IDA-Pro: http://www.datarescue.com/
· Buffer Overflow Utility, used to find them on webservers: http://www.imperva.com/application_defense_center/tools.asp
· Flaw Seeker: http://www.securiteam.com/tools/5QP040KEUA.html

Finally, for yet more help to find new ways to break into computers, the Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. http://www.metasploit.com/projects/Framework/. Warning: McAfee antivirus will try to delete this program as a virus. This does not mean that Metasploit is a danger to your computer, but rather that McAfee fears that you may use it to create a program that will attack other computers.

More --->>

Back to the Guides to (mostly) Harmless Hacking --->>   
Carolyn's most
popular book,
in 4th edition now!

For advanced
hacker studies,
read Carolyn's

© 2005 Happy Hacker All rights reserved.