1. All Your Base Are Belong To Us
0x48 0x41 0x43 0x4B 0x45 0x52 0x5A
Or: so, you wanted to be a hacker
By Gil Megidish (2004)
2. You think you know hackers?
3. Hacking, Cracking & Phreaking
• Hacker n. (Jargon File)
  – One who programs enthusiastically and even obsessively.
  – A person who enjoys exploring the details of systems and such.
• Cracker n.
  – One who breaks security on a system.
• Phreaking
  – The pure art of telephony hacking (Captain Crunch)
4. Cracking
• All software can be cracked: if a program can be written with protection, it can surely exist without one.
• Crackers brag about their accomplishments.
• Types of interesting cracking:
  – Cracking software
  – Cracking into servers
  – Denial of Service (DoS)
5. Cracking Software
• Software will let you know if you have no permission to continue
• Starting there, it is possible to find the root cause of this limitation
6. Always Use Protection
[Diagram: the protection code is tied to the Registry, File System, Network, CPU and Devices (plug)]
Since it is always possible to crack software, the coders have one thing in mind: make the cracker’s life a living hell.
Introducing: Doc Witness’ OpSecure
8. Database Hacking
  SELECT * FROM USERS_TABLE WHERE USER=$PARAM
Inexperienced programmers sometimes make the mistake above. No matter how many firewalls are in the middle, you can delete the entire database, or even destroy the machine it is running on.
What if
  $PARAM = "userName%01EXEC rm -rf /"
Or
  $PARAM = "userName OR 1=1" ?
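Added example (not from the original slides): the same user lookup written the vulnerable way the slide shows and with a bound parameter, run against a constructed in-memory SQLite table standing in for USERS_TABLE. It uses the slide's OR 1=1 case, with the value quoted so it closes the string literal, and shows why the parameterized form returns nothing for it.

```python
import sqlite3

# Constructed sample rows standing in for the slide's USERS_TABLE
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (user TEXT, role TEXT)")
    conn.executemany("INSERT INTO users_table VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, param):
    """Pastes the untrusted value into the query text, like WHERE USER=$PARAM.
    SQLite cannot tell where the data ends and the SQL begins."""
    query = "SELECT user FROM users_table WHERE user='%s' ORDER BY user" % param
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, param):
    """Sends the value as a bound parameter: the driver hands it to SQLite
    separately from the statement text, so it is compared, never parsed."""
    query = "SELECT user FROM users_table WHERE user=? ORDER BY user"
    return [row[0] for row in conn.execute(query, (param,))]


def demo():
    """Run both lookups with an honest name and with the slide's OR 1=1 tautology."""
    conn = make_db()
    # The slide's "userName OR 1=1", with a quote added to close the string literal
    tautology = "bob' OR '1'='1"
    return {
        "honest": lookup_vulnerable(conn, "bob"),
        "vulnerable_injected": lookup_vulnerable(conn, tautology),
        "parameterized_injected": lookup_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns every row for the tautology because the WHERE clause became `user='bob' OR '1'='1'`; the parameterized lookup looks for a user literally named `bob' OR '1'='1` and finds none.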
9. Buffer Overflows
  #include <string.h>

  /* Copies the caller's string into a fixed 16-byte stack buffer with no length check */
  void store(char *str)
  {
      char buffer[16];
      strcpy(buffer, str);
  }
What is wrong with this function??
10. Call stack overview
  void function(char *str)
  {
      char buffer[16];
      ...
  }
Stack layout, low memory to high memory: buffer (16) | oldsp (4) | ret (4) | *str (4)
11.
So, if we call:
  store("this is my name, what is your name ?");
What will happen?
[Diagram: the string overruns buffer (16) and spills across oldsp (4), ret (4) and *str (4)]
After the function completes, the processor jumps to the address stored in ‘ret’. Right now, this address contains garbage. The process will crash immediately upon function return. Now, why is this interesting?
12.
[Diagram: ‘ret’ now points back into buffer (16), which holds code]
Scary: if we get ‘ret’ to point to our buffer, we can send arbitrary code to be executed on the remote machine.
MOST server hacking is done using this mechanism. So, if everybody knows about it, why does nobody fix the problem once and for all?
16. ICMP Smurf
Evil sends an ICMP Echo Request to the broadcast address on his network. All servers reply to the request and send an ICMP Echo Reply to the spoofed source.
[Diagram: 64 K replies from each host converge on the spoofed source]
17. One Last Slide: Root Kits!
• Root Kits are the fastest and easiest way to hide the presence of a cracker.
• How do they work:
  – Replacing ps; so you won’t see them running
  – Replacing ls; so you won’t find the files
  – Replacing cat; so you won’t notice altered configurations
• There are rootkits for Windows as well!
• Open Source projects, such as ChkRoot, find these kits
18. Links
www.blackhat.com
www.2600.com
www.bugtraq.org
www.securiteam.com