How is it done?

No explicit questions like "how do I hack xxx.com" please!
Nerdz
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
Location: #db_error in: select usr.location from sucko_member where usr.id=63;


Post by Nerdz »

I don't want a step by step... just theoretically, how is getting into a system done?

I mean, OK, you got an IP address and then the guy has some open port. Then someone googles some exploit for that port and then what? I read books and they all skip this part.

I'm not really clear on why, when you run an exploit, it gives you control of the box. As an example, how could an exploit give you the right to run arbitrary code? How do you run arbitrary code?

Is it like:
#include <iostream>
using namespace std;

int main()
{
    int pwd = 0;   // initialised so the comparison is well-defined

    if (pwd == 2)
    {
        cout << "YAY";
    }
    return 0;
}


and then the user would type something like: ==2)//

// as comment

and then he can do whatever like: ==2){ cout << "I OWN YOU";} return 0;} /*

/* all comments

If you don't get what I mean just tell me and I'll try to be more specific.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Well, I can't tell you details about the code, most exploits are written in C which is not my language. But I can tell you how it works in theory:
It doesn't work with passwords, the exploit (in most cases) causes a buffer overflow in the attacked application.
What is a buffer overflow?
Imagine you're using an application, and when you're "telling" the program to do anything it "jumps" to a sub-routine. When the sub-routine is finished the program has to continue from the point where it was before. So the program needs to know from which point of its code it jumped to the sub-routine, and this information is stored in a buffer. This buffer is designed for specific information with a specific size, here's a simple example:

The buffer has the size for 5 numbers
1 2 3 4 5

and awaits the specific information which is 5 numbers too:
2 2 2 2 2

but when you send 10 numbers it can lead to an overflow:
2 2 2 2 2 3 3 3 3 3

because the buffer is just designed for 5 numbers, the extra 5 numbers overwrite the buffer, so the content isn't
2 2 2 2 2 any more,
it's 3 3 3 3 3 now.

2 2 2 2 2 was the original point to where the program has to return to, but by overwriting the buffer with 3 3 3 3 3 the program can be manipulated to return to any other position outside of the program, for example to the command shell. The 3 3 3 3 3 is the arbitrary code in this case.

It depends on the exploit what happens then; by spawning a shell you don't automatically have full control over the system, but you have access to other applications, let's say sendmail for example. So maybe you have to use another exploit now on sendmail to gain higher rights on the system.
Hope it helped a bit... :wink:
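The five-number picture above, carried through as a small C model (an added example, not code from the thread): a frame whose first five slots are the buffer and whose next five hold the saved return point, a copy routine that trusts the sender's length, and the bounded version that refuses oversized input. The frame layout and the functions `fill_unsafe`, `fill_safe` and `return_point_intact` are hypothetical names chosen for this illustration.

```c
#include <stdio.h>

#define BUF_SLOTS 5     /* the buffer holds five numbers, as in the post */
#define RETURN_SLOTS 5  /* the saved return point stored right after it */
#define FRAME_SLOTS (BUF_SLOTS + RETURN_SLOTS)

/* Model of a stack frame (constructed for this example, not a real layout):
 * slots 0..4 are the buffer, slots 5..9 hold the saved return point. */
typedef struct {
    int slots[FRAME_SLOTS];
} frame_t;

static void frame_init(frame_t *f) {
    for (int i = 0; i < BUF_SLOTS; i++) f->slots[i] = 0;
    for (int i = 0; i < RETURN_SLOTS; i++) f->slots[BUF_SLOTS + i] = 2; /* 2 2 2 2 2 */
}

/* Vulnerable pattern: copies as many numbers as it is given, trusting the sender.
 * The FRAME_SLOTS bound only keeps the model itself in-bounds; it does nothing
 * to protect the saved return point that follows the buffer. */
static void fill_unsafe(frame_t *f, const int *data, int n) {
    for (int i = 0; i < n && i < FRAME_SLOTS; i++) f->slots[i] = data[i];
}

/* Hardened pattern: reject any input that does not fit the buffer.
 * Returns 0 on success, -1 if the input was rejected (nothing written). */
static int fill_safe(frame_t *f, const int *data, int n) {
    if (n < 0 || n > BUF_SLOTS) return -1;
    for (int i = 0; i < n; i++) f->slots[i] = data[i];
    return 0;
}

/* Check: is the saved return point still the original 2 2 2 2 2? 1 = intact. */
static int return_point_intact(const frame_t *f) {
    for (int i = 0; i < RETURN_SLOTS; i++)
        if (f->slots[BUF_SLOTS + i] != 2) return 0;
    return 1;
}

int main(void) {
    int ten_numbers[10] = {2, 2, 2, 2, 2, 3, 3, 3, 3, 3}; /* constructed input */
    frame_t f;
    frame_init(&f);
    fill_unsafe(&f, ten_numbers, 10);
    printf("unsafe copy: return point intact = %d\n", return_point_intact(&f));
    frame_init(&f);
    printf("safe copy: rejected = %d, return point intact = %d\n",
           fill_safe(&f, ten_numbers, 10) == -1, return_point_intact(&f));
    return 0;
}
```

The unsafe copy leaves the return slots reading 3 3 3 3 3, which is exactly the overwrite described in the post; the bounded copy rejects the input and the return point stays intact.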


Post by Nerdz »

yay thx:)
Give a man a fish, you feed him for one day.
Teach a man to fish, you feed him for life.
