An exploit is a computer programm, which circumvent computer security.
There are many ways to exploit security holes. If a computer programmer
make a programming mistake in a computer program, it is sometimes possible to
circumvent security. The coding of such programs, which attack (hack) the
programming mistakes or security holes is the art of exploitation or exploit
coding. Some common exploiting technics are stack exploits, heap exploits,
format string exploits, ...
*** What is an stack exploit ***
A stack exploit occurs, if you can write more than the size of a buffer
located on the stack into this buffer. If you can write more data,
as the size of the buffer (more than 1024 bytes in this example) a stack
overflow occurs. For example:
main(int argc, char **argv)
{
// This buffer is located at the stack
char buf[1024];
// i is located on the stack
int i;
// A 6 byte stack buffer overflow
for(i=0;i<1030;i++)
buf[i] = 'A'
// Another example
// if argv larger than 1024 a overflow occur
strcpy(buf, argv[1]);
}
Why a stack overflow is a security threat ? The assembler instruction 'call'
push the return address on the stack. 'call' jump into a function in our
example the function is main. If the function returns with the assembler
instruction 'ret', it returns to the function pointer at the stack.
If you can overflow the stack you can overwrite the return address located
at stack. You can return to another location. The location should a pointer
to a shellcode address. Read alephonestack.txt for more information.
You can download it at my papers section.
*** What is a shellcode ***
Shellcode are machine instructions, which launch a shell for example.
A shellcode looks like this:
char shellcode[]="\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
"\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80";
Every char is a machine instruction. \xcd\x80 is 'int 80' for example. After
an overflow occur we need a address to return. This shellcode launch a
shell. If you point to the shellcode (after a stack overflow for example),
the machine instructions are launched and spawns a shell. Compile this
program. It tests the shellcode and spawns a shell:
// Compile this program with gcc sctest.c -o sctest and start it: ./sctest
// now you have someting like
// sh-2.03$
#include
char shellcode[]=
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
"\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80";
int
main()
{
void (*dsr) ();
(long) dsr = &shellcode;
printf("Size: %d bytes.\n", sizeof(shellcode));
dsr();
}
read alephonestack.txt for basic shellcode coding
*** What are heap overflows ***
If the heap is overflowed a heap buffer overflow occurs.
A heap overflow looks like that:
// It dynamically create a 1000 byte buffer on the heap.
main(int argc, char **argv)
{
// pointer points to a heap address
char *pointer = malloc(1000);
char *pointer2 = malloc(200);
// Overflowed, if argv[1] is larger than 1000 bytes.
// The buffer pointer 2 is overflowed if pointer
// contains more than 1000 bytes.
strcpy(pointer, argv[1]);
// Free dynamically allocated data
free(pointer)
free(pointer2);
}
Read heaptut.txt for more information.
*** Format String exploit's ? ***
If you control the format string in one of the printf, syslog or
setproctitle function, a exploitation is possible. Format strings
are something like "%s", "%x", "%d", ... For example:
main(int argc, char **argv)
{
char *buf = "TEST";
// The wrong way
// The user can control the format string
printf(argv[1]);
// You should code:
printf("%x", argv[1]);
}
A good paper about this topic is format_bugs.txt
***************************************************************************
I hope this help you a little bit. If not then not :-).