Hi everybody, I'm writing a little story that has a scene with a cracker in it. He's taking advantage of a buffer overrun to install a little program on a remote machine. I have one question: let's say that the cracker knows that the product he is attacking has a "gets()" command somewhere in it, and he has a program that he wants to run on the distant machine. He knows that the buffer the gets() is writing into is 1024 characters long, so he can put his program after that. But how does it work after that? How does he get his program up and running? I guess I'm more interested in whether this can be done or not than in how to do it.

Anyway, here is the story so far, first draft:

_Overrun_ by Tim Allen

Joe couldn't get his damn chair to act right. After fiddling with it for a while he finally gave up and accepted the see-sawing action. He leaned into the screen and started typing furiously.

Joe produced about 1500 lines of code in just under 45 minutes. A good deal of it was fucked up and buggy, and it would take him a while to unfuck misspellings and plain bone-headedness, but the basic structure was in place. It would connect to port 6009, authenticate itself, make a data update request, and then spew about 170 KB of bullshit into the Order Entry system. It was art.

Of course someone would notice that someone out there was making a buttload of order entries at 3am. That could be a problem if someone ever figured out it was Joe, but they weren't ever going to think it was Joe. First off, this wasn't just any company that he was cracking. It was a fucking *Spanish* company. And Joe was in New Jersey. Not only was Joe Very Far Away, but the people running the system in Barcelona were Very Clueless and Fucked Up, and generally had better things to do than to worry about bullshit like security. With any luck they wouldn't worry about it at all. If Joe did this right, he would do it about a week before the end of the month. The Spaniards wouldn't even notice it until it came time to run the GL Posting, and then it would be too late. The majority of the data he would spew into their ERP system wouldn't show up anyway, at least not in the database. The biggest part of it would now be comfortably sitting on the hard disk of the web server Joe was attacking.

Joe was going to take advantage of an old but reliable security hole in the ERP software-- a buffer overrun. See, it's like this. A lot of languages, like Java or BASIC, will warn you if you try to write past the end of an array. In Java, you create an array of ten elements (like this: char[] i = new char[10]; ), then you try to put something in (like this: i[10] = 'f'; ) and you get an error like

Hey you stupid twat
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 10
        at Overrun.main(Overrun.java:4)

Ah ha! 'Cuz Java arrays start with 0. But real programmers write in C. C is Real Fucking Fast, partially because it makes the programmer take care of stuff like not writing past the end of an array. You create an array in C (like this: char i[10]; ) and then write into it (i[10] = 'x'; ) and C just lets you do it. And if you want, you can write right past the end of that array into the ether until the cows come home. Or until everything you write past the end of the array turns into its *own* program, and takes on its own life, and has kids and settles down. 'Cuz even though that array was probably there to hold shoe sizes or pay raises for useless sales twats, the stuff you write past the end of the array has to go *somewhere*, and that somewhere is memory.

So what was that 170 KB of bullshit going to do? Real simple. It was going to submit a very simple SQL query to the ERP database, and publish the result on demand at port 22. Port 22 was used for SSH clients normally, but Joe knew that if he did this in the wee fucking small hours of the morning there would be no one connecting and he'd have it to himself. This was important, 'cuz the SQL he was going to run in there was like this:

SELECT cc_no, expy, lmt FROM cc ORDER BY lmt DESC

Which looks pretty tame, but it was going to list off all of the credit cards ordered by credit rating, backwards. This could be useful information.

[ November 07, 2003: Message edited by: Tim Allen ]
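The hole in the story is gets() writing into a fixed 1024-byte buffer with no idea how big that buffer is. As an added example that is not part of Tim's post or the story, here is that vulnerable pattern next to the bounded replacement in C: fgets() is told the buffer size and stops one byte short of it, and a line that did not fit is detected and rejected instead of silently spilling past the end of the array. The buffer size, the function names and the sample inputs are my own constructions; the code reads from a FILE* so it can be driven from stdin or from a scratch file.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, matching the 1024-character buffer in the story. */
#define ORDER_BUF_SIZE 1024

/* Result codes for the bounded reader (hypothetical names). */
enum read_status { READ_OK = 0, READ_TOO_LONG = 1, READ_EOF = 2 };

/*
 * The vulnerable pattern from the story looks like this:
 *
 *     char buf[ORDER_BUF_SIZE];
 *     gets(buf);
 *
 * gets() has no length argument at all, so any line longer than
 * ORDER_BUF_SIZE-1 bytes is written over whatever sits after 'buf' in
 * memory. The function was removed from the C11 standard for exactly
 * this reason, so it is shown only in this comment.
 */

/* Bounded replacement: fgets() never writes more than buf_size bytes
 * (including the terminator). A line that did not fit leaves no '\n' in
 * the buffer; we detect that, drain the rest of the line so the next
 * read starts clean, and report it rather than silently truncating. */
static enum read_status read_order_safe(FILE *in, char *buf, size_t buf_size)
{
    if (fgets(buf, (int)buf_size, in) == NULL)
        return READ_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';        /* strip the newline, line fit */
        return READ_OK;
    }

    /* No newline in the buffer: either the final line of the input, a
     * line whose data exactly filled the buffer, or an over-long line. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;

    while (c != '\n' && c != EOF)  /* discard the part that did not fit */
        c = fgetc(in);
    buf[0] = '\0';                  /* never hand back a partial line */
    return READ_TOO_LONG;
}

/* Test helper: push a constructed input string through read_order_safe()
 * with a caller-chosen (usually small) buffer and return the status. */
static enum read_status feed_line(const char *input, char *out, size_t out_size)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return READ_EOF;
    fputs(input, f);
    rewind(f);
    enum read_status st = read_order_safe(f, out, out_size);
    fclose(f);
    return st;
}

/* Stand-alone use: read order lines from stdin and report what happened. */
int main(void)
{
    char buf[ORDER_BUF_SIZE];
    enum read_status st;
    while ((st = read_order_safe(stdin, buf, sizeof buf)) != READ_EOF) {
        if (st == READ_TOO_LONG)
            fprintf(stderr, "rejected: line longer than %d bytes\n", ORDER_BUF_SIZE - 1);
        else
            printf("accepted: %s\n", buf);
    }
    return 0;
}
```

The design point is that the bound comes from sizeof on the buffer the function is actually writing into, and that the over-long case is an explicit error the caller sees and can log, which is the signal a defender wants when someone starts sending 170 KB lines to a field meant for shoe sizes.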
Anyway, here is the story so far, first draft: Was that the entire story? Where is the culmination and the surprise? I think you've been influenced by Miguel de Cervantes Saavedra too much. Throw some drama into the plot, and then we'll talk 'bout it.
Originally posted by Eugene Kononov: Anyway, here is the story so far, first draft: Was that the entire story? Where is the culmination and the surprise? I think you've been influenced by Miguel de Cervantes Saavedra too much. Throw some drama into the plot, and then we'll talk 'bout it.
¡No! The whole story would have to be a lot longer than that-- I mean you could read this in a single trip to the toilet. At this point I'm interested in whether I'm saying something laughable technically. Actually, Cervantes was really quite long-winded by comparison! If I continue with this, I promise it will be a lot more dramatic-- I'm kind of thinking the whole cracking thing will be just one relatively unimportant layer of the whole thing.