Tag Archive for 'lectures'

Hacking: Lecture Two Follow-up

April 2nd, 2008 by peasleer

Yesterday I gave the second lecture in my “hacking” series. We’ve progressed beyond general descriptions and terminology and moved into the technical aspects of the stack, vulnerable code, and crafting exploits. The lecture ran about 45 minutes, and was accompanied by a live demonstration of exploiting vulnerable code.

For those that came late or missed it, the slides are available here (pdf format), although once again the real content was in the accompanying talk.

The demonstration used three source files. The shellcode was written by BreeZe of binbash.org, while the other two are my own. They are:

Running the Exploit

First, I only tested the exploit on Debian Linux, running a 2.6.23 kernel on a 32-bit x86 machine. It probably won’t work on Windows or a Mac, and it definitely won’t run on your SPARC.

Second, I used gcc version 3.3. Newer versions contain checks to make stack smashing harder, but 3.3 is free of any of these security features. You’ll have to use it when compiling these, which can be done by issuing gcc-3.3 -o <name> <name.c>, like:
gcc-3.3 -o exploit exploit.c

Third, Linux kernels after 2.6.12 randomize the virtual address space layout, which will prevent the exploit from running successfully even after it compiles. To disable this, issue (as root; note there must be no spaces around the equals sign, or sysctl treats the value as a separate argument):
sysctl -w kernel.randomize_va_space=0

Fourth and finally, if you want to trigger a core dump in the vuln program, you have to lift any restrictions on dumping core files. Something like the following should work:
ulimit -c 100000
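The three preconditions above (an old compiler, address space randomization off, core dumps allowed) are, read the other way round, the settings a hardened host should have. The following script is an added example and is not one of the post’s source files: it reads the live ASLR setting from /proc/sys/kernel/randomize_va_space (the file behind the sysctl key in the post), reads the core dump limit with ulimit -c, checks for the gcc-3.3 binary the post compiles with, and reports whether the machine looks like the lecture’s demo setup or like a hardened box where the exploit will not work. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: report the three knobs the
# lecture write-up says must be set for the demo, from the hardening side.
# The lab wants ASLR off and core dumps on; a production host wants the reverse.

# Map a kernel.randomize_va_space value to a description.
# 0 = off, 1 = stack/mmap/VDSO randomized, 2 = brk (heap) randomized as well.
describe_aslr() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "conservative: stack, mmap and VDSO randomized" ;;
        2) echo "full: stack, mmap, VDSO and brk randomized" ;;
        *) echo "unknown value: $1" ;;
    esac
}

# Read the live setting from procfs; "unavailable" on hosts without it.
current_aslr() {
    if [ -r /proc/sys/kernel/randomize_va_space ]; then
        cat /proc/sys/kernel/randomize_va_space
    else
        echo "unavailable"
    fi
}

# Succeed (exit 0) when the arguments describe the post's demo configuration:
# ASLR off and a non-zero core dump limit. Args: aslr value, core limit.
is_lab_config() {
    [ "$1" = "0" ] || return 1
    [ "$2" != "0" ] || return 1
    return 0
}

# Succeed when the arguments describe the hardened expectation:
# full ASLR and core dumps disabled. Args: aslr value, core limit.
is_hardened_config() {
    [ "$1" = "2" ] && [ "$2" = "0" ]
}

# Print the live state of the host and classify it.
report() {
    aslr=$(current_aslr)
    corelimit=$(ulimit -c)
    echo "kernel.randomize_va_space = $aslr ($(describe_aslr "$aslr"))"
    echo "core dump limit (ulimit -c) = $corelimit"
    if command -v gcc-3.3 >/dev/null 2>&1; then
        echo "gcc-3.3: found"
    else
        echo "gcc-3.3: not installed (newer gcc adds stack protection by default)"
    fi
    if is_lab_config "$aslr" "$corelimit"; then
        echo "verdict: host matches the lecture's demo setup"
    elif is_hardened_config "$aslr" "$corelimit"; then
        echo "verdict: hardened configuration; the demo exploit will not work here"
    else
        echo "verdict: mixed configuration"
    fi
}

report
```

Run it as an ordinary user before and after the sysctl and ulimit commands above to confirm the changes took effect, and again when the lecture machine goes back into normal use to confirm they were reverted.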

Note that the shellcode file is superfluous; I only included it as an example and guide.

Next Time

At this point, I’m not sure what I’ll be covering next week. There is a lot I could do: writing shellcode, showcasing more advanced shellcode, demonstrating how to gain a remote shell (remote exploitation is a whole other beast), secure coding, polymorphic and self-modifying shellcode… there are a lot of topics, and only one lecture left before the end of the series.

Regardless, it will be fun, and we’ll all learn a hell of a lot.

I’ll be at Barcamp Rochester 3 this Saturday in GCCIS, and more likely than not I’ll be talking about anything and everything computer security. If you have any questions about anything or find something I’ve said interesting, hit me up! I’m friendly, and always up for talking about computer security :)

An Introduction to Shellcode

March 24th, 2008 by peasleer

More updates for the Society of Lectors!

The next group of lectures is occurring tomorrow, Tuesday March 24th, 2008 in the first floor auditorium (room 1400) of GCCIS (building 70) at RIT. We are meeting at 8:00PM, and this new day and time has been settled on for the near future.

The reason I’m especially excited about tomorrow is that I am lecturing! I’ve been given the go-ahead to give a series of lectures on shellcode, a fairly heady computer security topic that is never taught in classes. Part one of the series is a very general, non-technical overview and topic introduction that is accessible to those of all backgrounds. After building a solid base of understanding, we’ll really dive into things with later lectures. Afterward, I’ll post the slides here and to the Society of Lectors group, as well as publish a corollary technical component for those that didn’t have their appetites whetted by the presentation. My blurb:

Computer hackers continue to be the bane of the networked computer - but have you ever wondered exactly how they strike? In part one of this series, we will dive into a very accessible view of how they gain control of computers they do not possess.

Heewa Barfchin is also presenting on neural networks from biological and computer model perspectives. Tomorrow should be great!