UGN Security
Basic learning: Common techniques.
===============================================
Version: 1.2
Date: 2003-10-02
Written by: [email protected]
feedback: [email protected]
or http://www.warindustries.com/phpBB2
url: http://www.warindustries.com
===============================================
Welcome back, this document assumes you read Basic learning: Finding bugs(Part1), and Socketfunc(Part2). You can find them both here: http://www.warindustries.com/projects.htm

Document series
Part1 - Basic Learning: Finding bugs
Part2 - Basic Learning: Socketfunc
Part3 - Basic Learning: Common techniques

It's highly recommended that you start at Part1 and work your way up, this document series is aimed for people that are new to all this, and wish to build up a basic understanding/knowledge of computer security and hacking.

Introduction

In this document I will discuss some different types of vulnerabilites, and how they can benefit eachother. I will also talk a bit about general security. Additional ways of finding bugs, security risks, weak spots, in common systems. Also I will guide you through some packetsniffing, which can be very useful. Assuming most of you still work in a windows environment, I will equip you with some decent equipment, but really the only thing you will need in the future is Linux - so you should start looking into it, I will give some starting recommendations.
---------------------------------------------------------------------------------------------------
1:1 DoS attacks /overflow/buffer overflows, and how to benefit from them.
1:2 Shellcode
1:3 Packetsniffing
1:4 Vulnerability scanners.
1:5 End game.
---------------------------------------------------------------------------------------------------

1:1 DoS attacks /overflow/buffer overflows, and how to benefit from them.
One of the most common attacks on the net today are so called - D.o.S attacks, "Denial of Service". DoS attacks are usually used in order to prevent systems from doing their job, filling a network with "crap traffic" to hinder legitimate network traffic. Alot of people think that DoS attacks require high speed internet connections in order to perform them, not true. A person with a slow modem and outdated equipment could disable a modern day system with fast connection. The people that make use of "intelligent dos attacks", often use them to benefit somehow from the damage they cause.

DoS attacks are often used in order to find overflow vulnerabilites. Let me show to you a good example of why and how you can make use of overflow vulnerabilities. I will use a outdated bug found in GUILT Microsoft FTP Service (Version 4.0) part of IIS 4. We're doing this local, so it would equal trying to exploit your own system, just to try. Usually you use the character "A" when doing "overflows", I will explain why later. On to the example:

- We are now connected to a computer running Microsoft FTP Service (Version 4.0).
- We do some commands below

ftp: ls AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

ftp: Connection lost.

If you have no knowledge whatsoever about overflow/dos exploits, you're probably asking yourself, what the hell does that mean? In short, the command "ls", is used in command line ftp clients, and is short for "list", which is the same thing as "dir", or show files. We just sent the command ls followed by a large chunk of data, 316 chars to be precise, and after we done this we lost the connection, why? Simple, the ftp server got overflowed (crashed).

How can this be of any use to us? It's not fun just crashing a server, well it might be but we want to benefit from this and do something more! I am going to explain how in theory this works. Basically you can project 'code' into the memory, and this can be achieved by overflowing the application you're exploiting, by doing this you could put any code into the memory, and make the application execute the code. Imagine you send a chunk of code remotely to someone using icq for example, this code goes into the memory of the target computer and icq executes it. You trick icq into executing this code, you could say the code will work like a function of icq, only it does exactly what you tell it todo. Let's continue:

When the server crashed we got an error message like this on the same machine the server was running on:

"Application Error" pointing to inetinfo.exe , "The instruction at '0x00000000' referenced memory at '0x41414156'

More confusion I take it, 0x00000000 is a memory adress, I changed the original data, but it was a legit memory adress before I exchanged the original adress and replaced it with zeroes. So what can we do with this? A proper overflow bug could let us execute something called shellcode during runtime of the application we're exploiting, I will get to this later, read on. Let's look at the other memory string we got, "0x41414156", the number 41 is the same as the character "A", it's the hexcode that represents char "A", so we know that we have overwritten memory with our large chunk of data which we used to overflow the server, and that's why it's common to use the character "A" when performing this type of attack.

You have probably seen similar messages when some of your applications crashes. If you have Visual Studio or, visual c++, the error message will ask if you wish to debug the application that crashed. Note that you can debug any application if you have Borland C, visual c++ or another type of compiler that is capable of debugging, there are also single debuggers available. I choose to take a look at the debugger, it will spit out some memory registers like those below:

EAX = 0000005C EBX = 00000001
ECX = 00D3F978 EDX = 002582DD
ESI = 00D3F978 EDI = 00000000
EIP = 710F8AA2 ESP = 00D3F644
EBP = 00D3F9F0 EFL = 00000206

Don't panic, it's not as giberish as it might seem! You might wonder, where are we going with this? I will just explain the simple principles.

The 3 letter "words" above are assembler, but let's just focus on one of them right now. The one called "EIP". eip stands for "extended instruction pointer". If we could somehow overwrite the EIP with "A"-data, we could possibly use this to execute mean code in the memory. Please bare with me, I write this on a need to know basis, because this might be alot for you to grasp at once, so I will not go deeper into assembler or memory stuff at this time. Let's just focus on what you need to know. Logically if we want to overwrite "more" memory, like the EIP for example we would have to send a bigger amount of data. Let's try that:

ftp: ls AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

ftp: Connection lost.

Okay we lost the connection again, good...it means the server crashed again smile Keep in mind that 41 (hex) = "A", Let's now look at the registers:

EAX = 0000005C EBX = 41414141
ECX = 41414141 EDX = 002582DD
ESI = 41414141 EDI = 41414141
EIP = 710F8AA2 ESP = 00D3F644
EBP = 00D3F9F0 EFL = 00000206

Notice that we got more 41's in there now? Good, that means we have successfully overwritten more memory, now if you could manage to overwrite the EIP and get the (RET), "return adress" you could use that to inject code during runtime of an application into the memory and execute it, this code could do anything, execute any file, download a file...practically anything we want, given we got enough memory space to use a code large enough to perform many tasks. This is overcourse though, we need to take it slow, I can't teach you assembler in 2 minutes, nor C - you get the idea, but don't worry, we will get there eventually!

A short summary of this, by using overflow techniques you could find bugs that would let you do almost anything to the victim, by beeing able to inject code into the memory at runtime to execute any evil code you want. Only your skill limits you. Note that this is how alot if not the majority of exploits work. I could go on forever now and ramble about memory structure, the stack, how you're supposed to use the return adress which eip points at, but unfortunately this requires that you know some assembler/c, and this tutorial assumes you have no knowledge of these things yet, I am just preparing you for what's to come, for now smile , keep reading...

1:2 Shellcode
You've probably heard this word a couple of times. Shellcode is basically a list of instructions that can be inserted into an application during runtime. Inserting shellcode into an application can be done through many bugs, but amongst the common ones are what we just discussed, "buffer overflows". There are some great tutorials out there on this, but they're fairly advanced, and I can make it a bit easier for you.

We take a look at a piece of shellcode, that way you will be able to recognize shellcodes in the future, or when looking at sourcecode of exploits. Okay here is a piece of shellcode:
----------------------------------------------------------CODE_START----------------------------------------------------------------
\x55\x89\xe5\x57\x56\x53\xe8\x00\x00\x00\x00\x5b\x83\xc3\xf5\x8d\xb3\x50\x00\x00\x00\xfc\x8d\x7d\xd8\xb9\x03\x00\x00\x00\xf3\xa5\x66\xa5\x83\xe4\xf0\xbf\x01\x00\x00\x00\x8d\x4d\xd8 \xba\x0e\x00\x00\x00\xb8\x04\x00\x00\x00\x53\x89\xfb\xcd\x80\x5b\x89\xf8\x53\xbb\x00\x00\x00\x00\xcd\x80\x5b\x8d\x65\xf4\x5b\x5e\x5f\xc9\xc3\x48\x65\x6c\x6c\x6f\x20\x77\x6f\x72\x6c \x64\x21\x0a\x00
----------------------------------------------------------CODE_END-------------------------------------------------------------------
This code could be inserted into the memory, and executed. This code only does the "Hello world" message thing, but all shellcodes looks similar to this one, bigger or smaller.

You might also ask yourself how to write shellcode, there are a few ways. For example there are c>shellcode generators, also assembler>shellcode generators.


1:3 Packetsniffing
Remember in the last document I spoke about how to exploit a bug in a service by using the service against itself. Packetsniffing can be very useful when trying something like that, you can monitor TCP/IP or UDP sessions, and if they're not using encrypted communication you can have a peek at what they are saying to eachother smile . You could easily test this on your own machine, just install the server/service you want to exploit, use the client, load up a packetsniffer and look at the communication, see if you find anything useful in there. There are several good packetsniffers out there, both *nix / Win32, just use google, and you will come up with a bunch. One I have used occasionally is Iris by eEye Digital Security - http://www.eeye.com/html/Products/Iris/index.html

1:4 Vulnerability scanners.
There are several applications that will scan a <host> computer, and look for possible vulnerabilities in the system. This is very good if you want to check yourself for example. Personally I don't really bother to use those, because it's funnier to find new bugs, and exploit those than finding old ones. But like I said, it is very useful to have, and if you want to hack a specific computer this could be a step one to check it out, see what kind of security you're dealing with. A very good Win32 vuln scanner is Retina by eEye Digital Security - http://www.eeye.com/html/Products/Retina/index.html

1:5 End game.
And so you got some new knowledge to play with! In the next document I will start using examples based on C in *nix environment, so please look into trying out linux if you havent already. Alot of people recommend Redhat to start with, I just think it sucks, and I recommend Slackware for a start. It's fairly simple to handle, and it gives a good beginners view. You can config/play with it a whole lot. Remember, you don't have to sit in front of a console in linux, pitching commands to the shell, no you can make it look like windows using X windows, I might write a tutorial on that, the point is the c code I will use will not work in windows, that's why i encourage you to try out linux, it might seem hard in the beginning, but it's not that bad really, once you get a hang of it. There are several good starter books to read, anyway I will keep talking about Win32 stuff, also making "some" Win32 code just so all you guys out there that can't be arsed to learn linux will have some use of these tutorials smile - over & out!

Next part in a few days hopefully, hope I can find the time. I will introduce you to some basic socket coding in c. As always I will try to explain and make it as easy as possible for you to understand, if you have any questions/suggestions please send to: <[email protected]> , someone there will forward it to me, thanks.
© UGN Security Forum