------------------------ 1: Jipman. No exploit / arbitrary code execution, but managed to smash the stack and "make the server do something it's not supposed to", which counts
CONSOLE
C:\>date_server_win32 < hax
Welcome to DATE server 0.1
This server accepts the following commands [HELP, GET_DAYS, QUIT]
COMMAND> the command 'QUIT' closes the connection and exits
C:\>
--------------------------
Hey guys, in this challenge you run a pretend server which I have deliberately programmed with a common security hole (an unchecked buffer).
For the security of your home computer, this server does NOT really listen on the network for connections; it uses the stdin stream.
Run the pretend server program; the program will act like a server that you have just telnetted into, with the added advantage that the server reads the input as binary. (Normally you cannot send binary data (payloads) through telnet, and most Windows machines don't have netcat installed.)
The server is a date server. Here is an example session....
QUOTE
Welcome to DATE server 0.1
This server accepts the following commands [HELP, GET_DAYS, QUIT]
COMMAND> help
This server gives the number of days in any given month for the year 2005
give the command 'GET_DAYS june' to return the number of days in june
the command 'QUIT' closes the connection and exits
COMMAND> get_days january
31 days !!!
COMMAND> get_days foo
ERR> unknown month, did you spell it correctly ???
COMMAND> fooo
COMMAND> get_days febuary
ERR> unknown month, did you spell it correctly ???
COMMAND> get_days february
28 days !!!
COMMAND> quit
Thankyou for using this service, goodbye
Your mission is to hack this server and make it do something that it shouldn't (other than crash; crashing this server is waaay too easy).
For example, make the server spawn a DOS prompt.. but anything will do... if you can make it output "hello world", for example, that will count as a successful hack.
You will probably need a compiler/debugger and a hex editor.
Once you have generated your payload/viral code, you can send it to the server with a pipe... for example... echo $viral_code | date_server.exe, or cat payload.bin | date-server
This is a very difficult challenge, but you have the added advantage of being able to examine the server program and source code.
I will be VERY surprised if more than one or 2 people manage this.
To prove you succeeded with this challenge you must provide the payload file and specify which of the above 3 servers it works on... OR if you used the source code to compile your own server, you must provide that as well as the payload.
Just to make this completely clear, you cannot alter the source code! But you can re-compile it (with different flags if you wish; Linux versions have been compiled with the --debug option already (as well as -O2 optimisation)).
Ohh, and a hint.. you may want to google for things like "Smashing the stack for fun and profit". Knowledge of C++, gdb and maybe a little assembly may be useful.. but is not necessarily needed.
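The challenge describes its hole only as "an unchecked buffer" and does not reproduce main.cpp, so the following is an added illustration, not the challenge's own code: a GET_DAYS handler written the unsafe way (a fixed stack buffer filled with an unbounded copy) beside a bounds-checked version, wrapped in a small stdin-driven dispatcher that answers like the example session. The 20-byte buffer size, the month table, and every function name are assumptions; the month table is constructed for 2005 to match the replies shown above.

```cpp
#include <cctype>
#include <cstring>
#include <iostream>
#include <map>
#include <string>

// Constructed month table for 2005 (not a leap year), matching the replies
// shown in the example session.
static const std::map<std::string, int> kDays = {
    {"january", 31},   {"february", 28}, {"march", 31},    {"april", 30},
    {"may", 31},       {"june", 30},     {"july", 31},     {"august", 31},
    {"september", 30}, {"october", 31},  {"november", 30}, {"december", 31}};

// Assumed size of the month buffer; the thread only says the buffer is small
// (20 bytes is mentioned later). The real value is in the challenge's source.
static const size_t kMonthBuf = 20;

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// VULNERABLE handler (for comparison only): copies the argument into a fixed
// stack buffer without checking its length. Any argument of kMonthBuf bytes
// or more runs past the buffer into the saved frame pointer and return
// address, which is the "smashed stack" the thread is about. The over-long
// case is undefined behaviour and is never exercised here.
int get_days_unchecked(const char* arg) {
    char month[kMonthBuf];
    std::strcpy(month, arg);  // no bound on the copy
    auto it = kDays.find(lower(month));
    return it == kDays.end() ? -1 : it->second;
}

// HARDENED handler: the length is validated before anything is copied, so an
// over-long argument becomes an ordinary "unknown month" error instead of
// memory corruption. Using std::string also removes the fixed buffer.
int get_days_checked(const std::string& arg) {
    if (arg.empty() || arg.size() >= kMonthBuf) return -1;  // reject before any copy
    auto it = kDays.find(lower(arg));
    return it == kDays.end() ? -1 : it->second;
}

// Dispatches one command line (HELP, GET_DAYS <month>, QUIT) and returns the
// reply text. An unknown command yields an empty reply, as the session shows
// the server simply re-prompting. Returning the text keeps the logic testable.
std::string handle_command(const std::string& line) {
    std::string cmd = line, arg;
    const size_t sp = line.find(' ');
    if (sp != std::string::npos) {
        cmd = line.substr(0, sp);
        arg = line.substr(sp + 1);
    }
    cmd = lower(cmd);
    if (cmd == "quit") return "Thankyou for using this service, goodbye";
    if (cmd == "help")
        return "This server gives the number of days in any given month for the year 2005";
    if (cmd == "get_days") {
        const int days = get_days_checked(arg);
        if (days < 0) return "ERR> unknown month, did you spell it correctly ???";
        return std::to_string(days) + " days !!!";
    }
    return "";
}

// Stand-alone driver mimicking the stdin-based "pretend server".
int main() {
    std::cout << "Welcome to DATE server (hardened example)\n";
    std::string line;
    while (std::cout << "COMMAND> " && std::getline(std::cin, line)) {
        const std::string reply = handle_command(line);
        if (!reply.empty()) std::cout << reply << '\n';
        if (lower(line) == "quit") break;
    }
    return 0;
}
```

Build with `g++ -std=c++11 example.cpp -o example` and drive it the same way the challenge is driven, `./example < payload.bin`: the checked handler answers an over-long GET_DAYS argument with the normal error line, where the unchecked handler would instead overwrite the saved return address. The length test before the lookup is the whole fix; the std::map and std::string are there so nothing of fixed size ever receives caller-controlled bytes.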
I don't know HOW to do this. But by the Gods and Goddesses, I WILL FIND IT. But for myself I'll go use the 64 bit Linux LOL. I don't know why, but I always have issues in text based stuff in Windows, and in Linux it just is there in me LOL.
Oh, don't you use Gentoo LOL I downloaded it but still gotta install.
You don't need to install, just gunzip it and execute. It only uses the STD libraries cstdio, istream and string; it should work on any Linux distro.
(You may need to make the file executable first with chmod +x ./date_server*.bin)
Like I said, you can find a step by step guide on how to do this by reading the article "Smashing the stack for fun and profit".
The article even provides shellcode; the hard part is finding the address of the return pointer and overwriting it with the correct address, finding the correct offsets, etc etc.
If you think this is hard, imagine how hard it is to write buffer overflows for closed source applications like Microsoft Windows RPC (like MSBlaster uses).
Like I said, this is a very difficult challenge (unless you know the black art of assembly programming).
If you have trouble running the Linux binaries let me know and I will upload some statically linked ones (guaranteed to work on any Linux kernel, even if glibc is missing)
or just compile yourself...
g++ ./main.cpp -o ./date_server
Maybe this will be easier if you turn optimisation off with -O0 as a g++ option... lol.
Anyways, I only write hard hacking challenges. I was almost not going to provide the source code, but I like the way the first clue on how to do it is on line 5.
For you Linux users who want to make this even more realistic, and make this pretend server act *almost* like a real server, grab netcat http://netcat.sourceforge.net/
I just want to make sure I understand this right. We're supposed to type an input string at the COMMAND> prompt that makes the server do something cool? Right???
Anyway, I did find out that the program kills itself if you enter anything longer than 47 characters; that would mean that the return address is overwritten, causing the program to halt, doesn't it?
Could you give a hint though on what tools to use for finding return addresses? Do you think that OllyDbg does the job?
Google for "smashing the stack for fun and profit". All the info you need is there.
You need a dis-assembler / debugger (gdb for Linux or the Windows alternative) and a hex-editor to create the payload file.
You have already managed to successfully smash the stack with a random return address (thus the segfault crash).
I would recommend creating a payload file containing bytes starting from 0 and up to 255 with a hex editor.
Then use a debugger (gdb) to run through the program execution one step at a time; the step before it crashes, have a look in the CPU register holding the jump-to address. If for example the return address has been overwritten by 45464748 then you know that the return address has been overwritten by 4 bytes starting from the 46th byte of the payload file.
Then you would need to work out where you want the program to jump to (maybe the start of the buffer, maybe an address of an environment variable holding some executable code..), work out the offsets, and generate a real payload..
good luck.
[EDIT]
QUOTE
We're supposed to type an input string at the COMMAND> prompt that makes the server do something cool? Right???
Not exactly; since you can't TYPE machine code, I would recommend you use an assembler (or a C compiler) to make some binary code, save it to a file, and add it to your buffer overflow code with a hex-editor, then pipe the data to the server. It will be much easier than typing it all out.
After reading the article about "smashing the stack for fun and profit", I realized that you have to overflow the buffer and overwrite some sort of 'return address'; if I'm not wrong that address is where the program will go back to after executing a (certain?) function.
Anyway, I just kept trying entering long input strings to find out when the program crashed, which indicates that you overwrote the address. (The chances that you accidentally enter an existing address are almost equal to zero btw, since you can't enter the NULL character from the keyboard.)
You can enter anything you want, I just used x'es.
like
CODE
xx xxx xxxx and so on until the program crashes
After I found out about the number of x'es it takes to have the program crash I got myself a debugger -> OllyDbg.
This program allowed me to see which memory addresses the program tried to read, also when it crashes due to the overwritten address. It shows WHICH address it tried to find AND I used it to find a valid address I could use for the 'proof-of-concept'.
Since valid addresses usually contain NON printable characters, line-feeds etc etc., I got myself XVI32, a nice freeware hex editor, to create those characters with.
After creating a payload file (a file where you store the string you want to use for input) I used a pipe to have the program use the file for the input.
eg. date_server_win32.exe < input.txt
If you did it right, the server should now pop up and do something weird.
[offtopic] Thanks in advance for being willing to explain this to me; I couldn't find anything on Google about it. Anyway, I think I'm not going to think too much about this today since I am going on vacation tomorrow and I don't want to end up thinking this entire thing over when I'm supposed to give my head a rest. [/offtopic]
The reason I made the buffer so small was to add an extra hurdle to the challenge. I believe one way around it is to store the shellcode in an environment variable.
The original challenge here is to simply "Make the server do something it shouldn't".
So you don't necessarily need to spawn a prompt to succeed.
Jipman managed to overflow the EBP register, and jump execution to a different part of the main() function.
I believe 20 bytes is plenty of buffer to insert shellcode to cause the program to exit cleanly with EXIT_SUCCESS.
Although a shell exploit is possible, I will be very very very very impressed if you succeed. That is way beyond the scope of the challenge.
Since jipman asked about running a command line I'll explain it. It's good to have the Win32 Reference handy (I think the file is called win32.hlp, I'll confirm that when I'm back on Windows).
I'll start off with the program we would use to figure out what's needed to spawn a command line (under Win2K/XP)
CODE
/* C Programming */
/* func.c */
#include <windows.h>
#include <stdlib.h>   /* for exit() */

void winexec(void)
{
    WinExec("cmd", SW_SHOW); // SW_SHOW is constant for 0x5
}

void exitprocess(void)
{
    exit(1);
}

int main(void)
{
    return 0;
}
I would compile this as gcc -S -o func.s func.c
That way we get the output dumped in func.s as opcode; we can then use nasm to rewrite the functions if need be.
When we compile that program to an executable and run it, nothing happens (that's the point). Basically the key thing here is our functions: we use gdb to disassemble (disas winexec) to show us what's happening, and exitprocess to show how we can exit successfully from the program. I used exit(1) because we don't want to use NULL, and I'll explain why when shellcoding.
So that's a possible way of spawning a shell, just sending it cmd, but we could do more than send cmd; we could "cmd /c start some_malicious_program" or start mspaint (which could be seen as malicious).
We can use OllyDbg too; in fact I will recommend it over gdb for this, as OllyDbg can also tell us what's happening, and makes it far easier than converting AT&T syntax to Intel syntax. (OllyDbg is also great for making game trainers due to its ability to change memory addresses during runtime, but that's another tutorial.)
We refer to the Win32 reference book to discover what arguments need to be passed, and must remember that the stack works backwards, so our last argument must be pushed first and so on. We also need to know what to store in our registers for when we call WinExec or ExitProcess.
Now we don't even need to do this; if we knew what to pass and how the command is run we wouldn't need to write the program in C and then disassemble it. This is just the easier way to do it and also provides an insight into how the program works.
Another thing I will have to tell you is finding the memory address for WinExec and ExitProcess (they exist in memory because all programs require it, including the OS; it's also dynamic or shared, meaning multiple programs can use it at once).
If you have Win32Dasm then I suggest opening /system32/kernel32.dll and looking for the WinExec and ExitProcess addresses and writing them down for later use. Otherwise I will show you how to write a program yourself in C++ to show you how to grab the addresses. There are more DLLs/APIs that we could write shellcode for, but since we're using WinExec and ExitProcess they both are from kernel32.dll. If you know Win32 APIs then you might know of some other locations that are interesting to know.
The reason we need these addresses is that if you look at the call opcodes, they're not telling you much, but I can tell that the opcode when we write it will be call <memory_address> and it will be related to WinExec and ExitProcess. We ignore the calls for main and alloc, as that's part of our program; we aren't writing a runnable program (one that can be executed with no errors), just writing program code to load up in memory for the exploit to run.
Sorry that I ran on; there's a few vital things in here, but I'll write it properly when I'm on Windows. Hopefully I'll have the majority of it done for this weekend; it's quite hard shuffling work and shuffling hobbies.
Thanks for the insight on Knoppix, I have 3.3, 3.4 and recently got 3.9 so I will also write a Linux guide.
The thing with this program is, we do only have 20 bytes, which is not enough for our code.
What method I was going to suggest is known as egg/egghunt: we load the program in memory (our egg waiting to be hatched), our egghunt program finds this location (the memory address for it), and we use the overflow to point to our program, which will run the code inside our egg. Now whether we try and return back into the program or just exit successfully is up to you.
I've also discovered some countermeasures in Windows XP SP2, known as sandboxing, as well as other techniques that don't apply to my processor; newer CPUs than the P3 may have this protection, so you should probably know about that. I'm having a rough time overcoming this too, but I've asked a good mate of mine to help me with this now, since he's still doing exploit development (under Windows) and has methods to work around this. Apparently he's going to let me in on a few 0 (zero) day exploits, not that I'm interested or anything.
So give me time to write a guide; during this I may just write mini guides just to help you get ahead of my slow pace.
Write a C++ program that uses a system call to execute another program. This is very similar to the UNIX way, something like execve(NULL,"/bin/sh",NULL); and compile it statically.
Then compile it, and disassemble it with whatever the Windows version of objdump is.
Then you just need to tweak a few addresses, etc etc.
Load the modified binary code into the buffer (with as much NOP padding as possible), overflow the return address with an educated guess of what the address of the stack is + the address within the stack that the buffer lives in, and if you guess right, the code will run, and whatever program you put in the shellcode will run.
The theory behind this is quite simple, but doing it requires a good knowledge of ELF binaries (or win32 for Windows) and machine code.
ALSO, before I attempted this challenge, I never noticed how different Intel assembly was to AMD assembly.
I compiled 3 different binaries to start with, just to look at the difference..