How is it done?

No explicit questions like "how do I hack xxx.com" please!
Post Reply
User avatar
Nerdz
The Architect
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
19
Location: #db_error in: select usr.location from sucko_member where usr.id=63;
Contact:

How is it done?

Post by Nerdz »

I don't want a step by step... just theorically, how is getting into a system is done?

I mean, OK you got an ip adress and then the guys has some open port. Then someone google some exploit on these port and then what? I read books and they all skip this part.

I'm not really clear, why when you run an exploit it give you control of the box? As an exemple, how an exploit could give you right to do arbitrary code? How you do arbitrary code?

Is it like:
#include <iostream>
using namespace std;

int main()
{
int pwd;

if ( pwd ==2)
{
cout<< "YAY";
}
return 0;
}


and then the user would type somthing like: ==2)//

// as comment

and then he can do whatever like: ==2){ cout << "I OWN YOU";} return 0;} /*

/* all comments

If you don't get what I mean just tell me and I'll try to be more specific.

User avatar
bad_brain
Site Owner
Site Owner
Posts: 11638
Joined: 06 Apr 2005, 16:00
19
Location: In your eye floaters.
Contact:

Post by bad_brain »

Well, I can´t tell you details about the code, most exploits are written in C which is not my language. But I can tell you how it works in theory:
It not works with passwords, the exploit (in most cases) causes a buffer overflow in the attacked application.
What is a buffer overflow?
Imagine you´re using an application, and when you´re "telling" the program to do anything it "jumps" to a sub-routine. When the sub-routine is finished the program have to continue from the point where it has been before. So the program needs to know from which point of it´s code it has jumped to the sub-routine before, this information is stored in a buffer. This buffer is is designed for a specific information with a specific size, here´s a simple example:

The buffer has the size for 5 numbers
1 2 3 4 5

and awaits the specific information which is 5 numbers too:
2 2 2 2 2

but when you send 10 numbers it can lead to an overflow:
2 2 2 2 2 3 3 3 3 3

because the buffer is just designed for 5 numbers the extra 5 numbers overwrite the buffer, so the content isn´t
2 2 2 2 2 any more,
it´s 3 3 3 3 3 now.

2 2 2 2 2 was the original point to where the program has to return to, but by overwriting the buffer with 3 3 3 3 3 the program can be manipulated to return to any other position outside of the program, for example to the command shell. The 3 3 3 3 3 is the arbitrary code in this case.

It depends on the exploit what happens then, by spawning a shell you don´t have automatically full control over the system, but you have access to other applications, lets say sendmail for example. So maybe you have to use another exploit now on sendmail to gain higher rights on the system.
Hope it helped a bit... :wink:

User avatar
Nerdz
The Architect
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
19
Location: #db_error in: select usr.location from sucko_member where usr.id=63;
Contact:

Post by Nerdz »

yay thx:)
Give a man a fish, you feed him for one day.
Learn a man to fish, you feed him for life.

Post Reply