Archive for September, 2007

DownTime

Thursday, September 13th, 2007

I am apparently having some server issues and my blog keeps going down.  I hope to have this corrected soon.

Buffer Overflows for Dummies (no code, just basics)

Monday, September 10th, 2007

I’ve spent quite a bit of time this weekend trying to write my own buffer overflow, but I haven’t quite got it yet. I understand the principles behind it, but the devil is in the details. In case you didn’t know what a buffer overflow is, here’s a quick/simple and probably not 100% accurate description.

It all starts with a program that asks you for information. We’ll keep this simple, and I won’t use any code so I don’t lose those who aren’t code-monkeys. Let’s say there’s a program that asks you what your name is, then you type in your name, and then it saves whatever you typed into a file or a database, or it just outputs it back to the screen. Not a very useful program, but that’s what it does. When the program asks for your name it waits for your input, then it takes your input and stores it in the system’s memory until it goes to the next part of the program that does something with whatever you just typed in. This area in the memory where it stores whatever you typed in until the next part of the program runs is called the buffer. (I know, over-simplified, but work with me here.)

As is always the case in programming, there are dozens of ways to do all this, and some things just don’t work as well as others. For example, if you use strcpy() you’ll get potential buffer overflows. What happens is the program sets the size of the buffer (where your input is stored in memory) before it receives your input. Then strcpy() doesn’t check to see if the input is bigger than the buffer, so if the input is bigger than the buffer it still copies all the input, which results in the buffer being overflowed, and the next section in the system’s memory is overwritten. As an analogy (lots of holes in it but it gets the basic idea across), you have an 8.5×11 sheet of paper and you start writing on it, but what you write takes up more space than the 8.5×11 sheet of paper so you start writing on your desk. And that’s a buffer overflow error.

The key to a buffer overflow exploit is to write over the right section of memory and to change what’s in that section to something more useful to you. I’ll try to explain this without any code. A program is broken up into smaller sections that perform specific tasks. The example above would have one section that asks for your name, another section that receives your name when you type it in, then another section which will output your name back to the screen. When a program finishes running a section of the program it is then told where to return to so it can know what to do next. Another bad analogy: you’ve been given a piece of paper with instructions to go somewhere (“Turn left on Main, go 2.5 miles, turn right on 15th…”). When you finish with one section of the instructions you’ll return to your instructions to see what the next section is. A buffer overflow exploit will overwrite the section in memory that tells the program where to return to and overwrites it with a different location. So instead of returning to your directions on your piece of paper, you’ll look at directions from another piece of paper, which will end up leading you to the wrong location. So then you just need to make certain you get the program to end up at a location that has something useful for you.

So how does this help? Some programs may run with a higher level of access than the person running the program. So the program will run as the root (or admin) user even though someone with limited privilege started the program. So if you can exploit this program with a buffer overflow, then you can run a command as root even though you don’t have root privileges. On a system you can log on to, you would spawn a shell which would essentially log you in as the root user. On a remote system you may install some kind of backdoor that would let you access the system remotely.

So, next time I say buffer overflow, you’ll know what I’m talking about.

As far as writing one goes, I’m still trying to pick up on some of the finer points. It seems to require a decent understanding of assembly, an area where I still have much to learn. But I’m close, I can feel it.

(Disclaimer) In case you’re wondering, I’m not planning on any criminal activity, but the ability to identify insecure programs and figure out how they’re exploited should help me keep my systems more secure, and it’s fun!
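For readers who do want to see code, here is an added example (not part of the original post) of the unchecked copy described above next to a length-checked version. The `struct frame`, the function names and the sample input are all constructed for illustration; one array stands in for the buffer and the memory next to it, so the overwrite stays inside memory the demo owns.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 8   /* the "sheet of paper": 7 characters plus the NUL */

/* Constructed model: bytes[0..7] is the name buffer, bytes[8..15] is the
 * neighbouring "where to go next" note. One array keeps the demo defined. */
struct frame { char bytes[NAME_SIZE + 8]; };

static char *name_buf(struct frame *f)  { return f->bytes; }
static char *next_step(struct frame *f) { return f->bytes + NAME_SIZE; }

static void frame_init(struct frame *f) {
    memset(f->bytes, 0, sizeof f->bytes);
    strcpy(next_step(f), "print");   /* the legitimate next step */
}

/* Behaves like strcpy(): copies up to the NUL and never asks how big dst is. */
static void copy_unchecked(char *dst, const char *src) {
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Hardened form: refuse input that does not fit, NUL included. */
static int copy_checked(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;                   /* reject rather than overflow */
    memcpy(dst, src, len + 1);
    return 0;
}

/* 1 if the neighbouring note still holds its original value. */
static int next_step_intact(struct frame *f) {
    return strcmp(next_step(f), "print") == 0;
}

int main(void) {
    struct frame f;
    const char *input = "AAAAAAAABBBB";  /* constructed: 12 chars, 7 fit */
    frame_init(&f);
    copy_unchecked(name_buf(&f), input);
    printf("unchecked: next=\"%s\" intact=%d\n", next_step(&f), next_step_intact(&f));
    frame_init(&f);
    int rc = copy_checked(name_buf(&f), NAME_SIZE, input);
    printf("checked:   rc=%d intact=%d\n", rc, next_step_intact(&f));
    return 0;
}
```

The unchecked copy leaves the neighbouring note reading "BBBB" instead of "print", while the checked copy rejects the same input and leaves the note alone.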

Level 8!

Thursday, September 6th, 2007

I did it!! I’m now a Level 8 Mod-X Agent!!!  Level 7 required some ASM knowledge.  Luckily I’ve been reading up a lot about assembly, so it didn’t take too long.   Now I’m ranked at 451.

The next level involves privilege elevation on a *nix server.  This should be fun.  I’ve done some challenges like this before, so let’s see how it goes.  I should note that only 31 people have passed level 8, so this may take a while.

Samba 4 Alpha is Out!!!

Wednesday, September 5th, 2007

The Alpha version of Samba 4 is now available.  I installed the last technical preview of Samba 4, but never really got around to testing it.  I’ve been pretty busy.   When I set up the servers recently, I created several empty partitions that I can use to add more VMs.  So I’m thinking I can set up a Samba 4 VM on the server.  It should perform better than the VM I was running on my laptop.  I’m eager to see AD working on a Linux server!!

According to the WHATSNEW.txt file, some of the features that now work in alpha one that didn’t work in the last technical preview include:

Group Policy Support!!!
MMC Support:  We can now use AD Users and Computers

There are of course several other changes, but these two will make a HUGE difference when supporting Windows clients with a *nix server.

Some things that don’t work:

No printing support
Samba 4 works best as a PDC, and doesn’t support being a domain member very well
Apparently managing groups still needs some work
If your clocks aren’t in sync you’ll get some Kerberos errors

So it still needs some work, but I’m VERY excited!!!  If everything works the way the Samba development team plans for it to, I believe this will go a long way in making Linux more of an appealing server OS for all those Windows shops out there.  If I get a chance to play with it I’ll be sure to let you know how it goes.

Mod-X

Tuesday, September 4th, 2007

I made it to Level 7!!!

A while back I ran across Mod-X and started going through their hacking challenges.   I made it through levels 1-5 in a matter of days, and then came level 6.  I got stumped, then I got distracted and left it alone.  Every now and then I come back to it and give it a go.  I got through most of the challenge, but there was one final step I couldn’t figure out.   I can’t say much about it, we’re not supposed to give clues and that sort of thing, but at the end of the challenge I’m supposed to find some specific info on a forum that I’ve managed to get access to.  The forum is supposedly being used to pass info back and forth on, but it’s hidden.  It’s my job to figure out how the info is being passed back and forth, then report the info I found.  It was one of those things that’s sitting right in front of you the whole time.  But I got it!!  So now I’m a level 7 Mod-X Agent.  My ranking is now 624 of 6410.

Now on to Level 7, it looks like I need to do some reverse engineering for this level.