Cracking story

 
Ranch Hand
Posts: 161
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi everybody,
I'm writing a little story that has a scene with a cracker in it. He's taking advantage of a buffer overrun to install a little program on a remote machine.
I have one question: let's say that the cracker knows that the product he is attacking has a "gets()" command somewhere in it, and he has a program that he wants to run on the distant machine. He knows that the buffer the gets() is writing into is 1024 characters long, so he can put his program after that. But how does it work after that? How does he get his program up and running?
I guess I'm more interested in whether this can be done or not than in how to do it.
Anyway, here is the story so far, first draft:
_Overrun_ by Tim Allen
Joe couldn't get his damn chair to act right. After fiddling with it for a while he finally gave up and accepted the see-sawing action. He leaned into the screen and started typing furiously.
Joe produced about 1500 lines of code in just under 45 minutes. A good deal of it was fucked up and buggy, and it would take him a while to unfuck misspellings and plain bone-headedness, but the basic structure was in place. It would connect to port 6009, authenticate itself, make a data update request, and then spew about 170 KB of bullshit into the Order Entry system.
It was art.
Of course someone would notice that someone out there was making a buttload of order entries at 3am. That could be a problem if someone ever figured out it was Joe, but they weren't ever going to think it was Joe. First off, this wasn't just any company that he was cracking. It was a fucking *Spanish* company. And Joe was in New Jersey. Not only was Joe Very Far Away, but the people running the system in Barcelona were Very Clueless and Fucked Up, and generally had better things to do than to worry about bullshit like security.
With any luck they wouldn't worry about it at all. If Joe did this right, he would do it about a week before the end of the month. The Spaniards wouldn't even notice it until it came time to run the GL Posting, and then it would be too late. The majority of the data he would spew into their ERP system wouldn't show up anyway, at least not in the database. The biggest part of it would now be comfortably sitting on the hard disk of the web server Joe was attacking. Joe was going to take advantage of an old but reliable security hole in the ERP software-- a buffer overrun.
See, it's like this. A lot of languages, like Java or BASIC, will warn you if you try to write past the end of an array. In Java, you create an array of ten elements (like this: char i[] = new char[10]; ) , then you try to put something in (like this: i[10] = 'f'; ) and you get an error like
Hey you stupid twat Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 10
at Overrun.main(Overrun.java:4)
Ah ha! 'Cuz Java arrays start with 0.
But real programmers write in C. C is Real Fucking Fast, partially because it makes the programmer take care of stuff like not writing past the end of an array. You create an array in C (like this: char i[10]; ) and then write into it (i[10] = 'x'; ) and C just lets you do it. And if you want, you can write right past the end of that array into the ether until the cows come home. Or until everything that gets written past the end of the array turns into its *own* program, and takes on its own life, and has kids and settles down. 'Cuz even though that array was probably there to hold shoe sizes or pay raises for useless sales twats, the stuff you write past the end of the array has to go *somewhere*, and that somewhere is memory.
So what was that 170 KB of bullshit going to do?
Real simple. It was going to submit a very simple SQL query to the ERP database, and publish the result on demand at port 22. Port 22 was used for SSH clients normally, but Joe knew that if he did this in the wee fucking small hours of the morning there would be no one connecting and he'd have it to himself. This was important, 'cuz the SQL he was going to run in there was like this:
SELECT cc_no, expy, lmt FROM cc ORDER BY lmt DESC
Which looks pretty tame, but it was going to list off all of the credit cards ordered by credit rating, backwards. This could be useful information.
[ November 07, 2003: Message edited by: Tim Allen ]
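The first post asks what happens when gets() is aimed at a 1024-character buffer, and the story contrasts Java's bounds check with C's silence. As an added example (not code from the thread), here is the defender's side in C: a bounded replacement for gets() that can never write past the buffer, plus a constructed fixture that places a sentinel word right after a 1024-byte buffer and feeds it an over-long line. The in-memory stream uses POSIX fmemopen(); the buffer size, the 1500-byte request and the sentinel value are constructed to match the story.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define ORDER_BUF 1024            /* same buffer size as in the story */

/* Bounded stand-in for gets(): fgets() never writes more than cap-1 bytes
 * plus the terminator.  Strips the newline, drains the rest of an over-long
 * line so the stream stays line-aligned, and returns 1 (line fit),
 * 0 (line truncated) or -1 (nothing read). */
int read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c, drained = 0;           /* no newline: EOF, exact fit, or too long */
    while ((c = fgetc(in)) != EOF && c != '\n')
        drained++;
    return drained == 0 ? 1 : 0;
}

struct read_result { int rc; int kept; int sentinel_ok; };

/* Constructed fixture: a 1024-byte buffer with a sentinel word right after
 * it, fed a line of `line_len` 'A's through an in-memory stream.  A write
 * past the buffer would clobber the sentinel; the bounded reader never does. */
struct read_result demo_line(size_t line_len)
{
    struct { char buf[ORDER_BUF]; unsigned sentinel; } frame = { {0}, 0xC0FFEEu };
    struct read_result r = { -1, 0, 0 };
    static char input[4096];
    if (line_len + 2 > sizeof input)
        return r;
    memset(input, 'A', line_len);
    input[line_len] = '\n';
    input[line_len + 1] = '\0';
    FILE *in = fmemopen(input, line_len + 1, "r");
    if (in == NULL)
        return r;
    r.rc = read_line_bounded(frame.buf, sizeof frame.buf, in);
    fclose(in);
    r.kept = (int)strlen(frame.buf);
    r.sentinel_ok = (frame.sentinel == 0xC0FFEEu);
    return r;
}
```

For the story's 1500-byte request, demo_line(1500) reports rc 0 (truncated), 1023 bytes kept and the sentinel intact; a 1023-byte line fits exactly and reports rc 1.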
Anyway, here is the story so far, first draft:
Was that the entire story? Where is the culmination and the surprise? I think you've been influenced by Miguel de Cervantes Saavedra too much. Throw some drama into the plot, and then we'll talk 'bout it.
 
Timothy Chen Allen

Originally posted by Eugene Kononov:
Anyway, here is the story so far, first draft:
Was that the entire story? Where is the culmination and the surprise? I think you've been influenced by Miguel de Cervantes Saavedra too much. Throw some drama into the plot, and then we'll talk 'bout it.

No! The whole story would have to be a lot longer than that-- I mean you could read this in a single trip to the toilet. At this point I'm interested in whether I'm saying something laughable technically.
Actually, Cervantes was really quite long-winded by comparison!
If I continue with this, I promise it will be a lot more dramatic-- I'm kind of thinking the whole cracking thing will be just one relatively unimportant layer of the whole thing.