What is an exploit?
An exploit is a computer programm, which circumvent computer security. There are many ways to exploit security holes. If a computer programmer make a programming mistake in a computer program, it is sometimes possible to circumvent security. The coding of such programs, which attack (hack) the programming mistakes or security holes is the art of exploitation or exploit coding. Some common exploiting technics are stack exploits, heap exploits, format string exploits, ...
An exploit is a computer programm, which circumvent computer security. There are many ways to exploit security holes. If a computer programmer make a programming mistake in a computer program, it is sometimes possible to circumvent security. The coding of such programs, which attack (hack) the programming mistakes or security holes is the art of exploitation or exploit coding. Some common exploiting technics are stack exploits, heap exploits, format string exploits, ...
What is an stack exploit?
A stack exploit occurs, if you can write more than the size of a buffer located on the stack into this buffer. If you can write more data, as the size of the buffer (more than 1024 bytes in this example) a stack overflow occurs. For example:
main(int argc, char **argv)
{
// This buffer is located at the stack
char buf[1024];
// i is located on the stack
int i;
// A 6 byte stack buffer overflow
for(i=0;i<1030;i++) buf[i] = 'A' // Another example // if argv larger than 1024 a overflow occur strcpy(buf, argv[1]); } Why a stack overflow is a security threat ? The assembler instruction 'call' push the return address on the stack. 'call' jump into a function in our example the function is main. If the function returns with the assembler instruction 'ret', it returns to the function pointer at the stack. If you can overflow the stack you can overwrite the return address located at stack. You can return to another location. The location should a pointer to a shellcode address. Read alephonestack.txt for more information. You can download it at my papers section. What is a shellcode
{
// This buffer is located at the stack
char buf[1024];
// i is located on the stack
int i;
// A 6 byte stack buffer overflow
for(i=0;i<1030;i++) buf[i] = 'A' // Another example // if argv larger than 1024 a overflow occur strcpy(buf, argv[1]); } Why a stack overflow is a security threat ? The assembler instruction 'call' push the return address on the stack. 'call' jump into a function in our example the function is main. If the function returns with the assembler instruction 'ret', it returns to the function pointer at the stack. If you can overflow the stack you can overwrite the return address located at stack. You can return to another location. The location should a pointer to a shellcode address. Read alephonestack.txt for more information. You can download it at my papers section. What is a shellcode
Shellcode are machine instructions, which launch a shell for example. A shellcode looks like this:
char shellcode[]="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62 \x69\x89"
"\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\ xcd\x80";
Every char is a machine instruction. \xcd\x80 is 'int 80' for example. After an overflow occur we need a address to return. This shellcode launch a shell. If you point to the shellcode (after a stack overflow for example), the machine instructions are launched and spawns a shell. Compile this program. It tests the shellcode and spawns a shell:
// Compile this program with gcc sctest.c -o sctest and start it: ./sctest
// now you have someting like
// sh-2.03$
#include
char shellcode[]=
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\ x69\x89"
"\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\ xcd\x80";
int
main()
{
void (*dsr) ();
(long) dsr = &shellcode;
printf("Size: %d bytes.\n", sizeof(shellcode));
dsr();
}
char shellcode[]="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62 \x69\x89"
"\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\ xcd\x80";
Every char is a machine instruction. \xcd\x80 is 'int 80' for example. After an overflow occur we need a address to return. This shellcode launch a shell. If you point to the shellcode (after a stack overflow for example), the machine instructions are launched and spawns a shell. Compile this program. It tests the shellcode and spawns a shell:
// Compile this program with gcc sctest.c -o sctest and start it: ./sctest
// now you have someting like
// sh-2.03$
#include
char shellcode[]=
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\ x69\x89"
"\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\ xcd\x80";
int
main()
{
void (*dsr) ();
(long) dsr = &shellcode;
printf("Size: %d bytes.\n", sizeof(shellcode));
dsr();
}
read alephonestack.txt for basic shellcode coding
What are heap overflows
If the heap is overflowed a heap buffer overflow occurs.
A heap overflow looks like that:
// It dynamically create a 1000 byte buffer on the heap.
main(int argc, char **argv)
{
// pointer points to a heap address
char *pointer = malloc(1000);
char *pointer2 = malloc(200);
// Overflowed, if argv[1] is larger than 1000 bytes.
// The buffer pointer 2 is overflowed if pointer
// contains more than 1000 bytes.
strcpy(pointer, argv[1]);
// Free dynamically allocated data
free(pointer)
free(pointer2);
}
Format String exploit's ?
If you control the format string in one of the printf, syslog or setproctitle function, a exploitation is possible. Format strings are something like "%s", "%x", "%d", ... For example:
main(int argc, char **argv)
{
char *buf = "TEST";
// The wrong way
// The user can control the format string
printf(argv[1]);
// You should code:
printf("%x", argv[1]);
}
If the heap is overflowed a heap buffer overflow occurs.
A heap overflow looks like that:
// It dynamically create a 1000 byte buffer on the heap.
main(int argc, char **argv)
{
// pointer points to a heap address
char *pointer = malloc(1000);
char *pointer2 = malloc(200);
// Overflowed, if argv[1] is larger than 1000 bytes.
// The buffer pointer 2 is overflowed if pointer
// contains more than 1000 bytes.
strcpy(pointer, argv[1]);
// Free dynamically allocated data
free(pointer)
free(pointer2);
}
Format String exploit's ?
If you control the format string in one of the printf, syslog or setproctitle function, a exploitation is possible. Format strings are something like "%s", "%x", "%d", ... For example:
main(int argc, char **argv)
{
char *buf = "TEST";
// The wrong way
// The user can control the format string
printf(argv[1]);
// You should code:
printf("%x", argv[1]);
}