Basic learning: Socketfunc
===============================================
Version: 1.1
Date: 2003-09-24
Written by: anonymous@warindustries.com
feedback: postmaster@warindustries.com or http://forums.warindustries.com/
url: http://www.warindustries.com
===============================================

Welcome back. This document assumes you read Basic learning: Finding bugs, you can find it here:
http://www.warindustries.com/download/dl_file.php?id=62

Introduction:

Remember last time, we spoke about some simple analogies and viewpoints. I tried to create a layout in your mind, to make you understand what you're dealing with, although I didn't tell you in detail how to find a bug and then write a few lines of code to abuse the 'bug'. The whole concept is simply too huge to explain in one step; it's like driving a car, you can do it in a million different ways if you think about it. It all comes down to playful thinking. Before you continue I want you to re-read the previous document, or at least make sure you have a clue about what we were talking about.

In order to find a vulnerability in a service, you will need LOTS and LOTS of patience. This is like a game where you control your chances of winning; there are bits and pieces of luck, but in the end it's your own brain that cracks the nut, not any helpful advice or tool(s). If you want to be a hacker or security wizard you need to be creative. You need to look at problems as challenges, and you need to take what people say with a large grain of salt. I only say this so that you won't get disappointed in the end when you don't manage to find that darn bug you just knew was around the corner by your second try; more like 500 tries, then maybe, just maybe, you will end up making a working exploit. Anyway, in a nutshell you need to be patient, creative and able to think on your own. Sounds easy 'nuff?
Thought so, let's go on :)

------------------------------------------------------------------------------
1:1 Protocols
1:2 Sockets
1:3 Checklist
1:4 Prebug/exploit info
1:5 Short vb intro using sockets.
1:6 Examples, services, commands & encrypted data.
1:7 Server(s)
1:8 Exploiting a service /example
------------------------------------------------------------------------------

1:1 Protocols

I'm not going deep into protocols this time; it isn't vital until you get to take on harder stuff. The examples I made for you this time are probably the easiest there are, well maybe not, but just don't expect it to be like this when you try to break into StockWatch ;) . For now all you need to know is that there are 2 common protocols called TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). These protocols are used in most common software that communicates over the Internet with other computers; icq, web browsers, irc, msn, aim, etc. are using them, for example.

1:2 Sockets

Right, on to the next step, sockets. What is a socket, you might be asking? A socket is one endpoint of a two-way communication link between two programs running on two different computers, either on a network or over the internet. A socket is bound to a port number; see the previous document for an explanation of a 'port', in case you're unsure. To further make some sense here for all the new knowledge-hungry people: normally a server runs on a specific computer and has a socket bound to a given port number. The server waits, listening to the socket for a client to make a connection request. On the other side, the client connects to the computer on which the server is running, on the port number to which the server is bound. The client then sends some data to make the connection request; if the request is accepted, i.e. granted, these 2 computers have an established link, call it a tunnel if you will, to send and receive data between them.
Sockets use protocols in order to function; normally they use TCP / UDP to communicate. Once a connection has been established, you can write to the socket in order to send data. To make sure you understand this, I'll use an analogy as an example: a socket is bound to a port = the doorkeeper opens a door; people from the other side of the door can then send data through the door to the doorkeeper. The doorkeeper processes the data and sends back an answer to whoever sent the data in the first place. You might ask yourself why these doors need a number, i.e. a port number? Just like in a big hotel, each door has a number to keep track of things: who is going in what door, etc.

1:3 Checklist

Okay, so you know what a socket is, you know what TCP and UDP are, and you also have a clue about packets and how they're sent between computers on the internet. You also know and understand why ports are used and why they are given numbers, and you know 'when' a connection is established between 2 computers. With this information you should be able to follow what we're going to do.

1:4 Prebug/exploit info

Like I said in the previous document, I would use Visual Basic first in win32, just to make it a tad easier for you in the beginning. In general people agree that vb is a deceptive language, meaning you get a twisted view of coding if you only use/used vb, but I chose it because it will make sense for you, just as a first-time try. Remember this is all part of making you understand; when you do understand you can go on to the fun and more rewarding stuff. Eventually the idea is to have you sitting in front of linux/unix writing a few lines of code to operate C sockets, that is my goal anyway, but before that you need to be fed with the basic material. If you don't have a Visual Basic compiler (to make code into an executable), you can still look at this code and try to get a view of what we're doing.

1:5 Short vb intro using sockets.
Let's test some socket commands in vb and see what they do. You will be using the mswinsock control, so make sure you insert that into your new project. Name the socket 'testSocket', for example. I chose to write this code as a button click, so if you have a button named 'testButton', you place the code under this button in order to run the statements when you later press the button in run mode. Code below:

Step 1: Connect to a computer

---------------------------------------------CODE--------------------------------------------
Private Sub testButton_Click()
    ' Ask the Winsock control to open a TCP connection to 127.0.0.1, port 12
    testSocket.Connect "127.0.0.1", 12
End Sub
-------------------------------------------------------------------------------------------------

Basically you tell the socket to connect to ip 127.0.0.1 on port number 12. That wasn't so hard now, was it? Okay, so the connection attempt will fail of course, because there is no server on the ip 127.0.0.1 that runs on port 12. By the way, in case you didn't know, ip 127.0.0.1 always refers to your own computer (local machine). Anyway, forget about the server, we don't need one; what we're doing is making examples. Now, if we want to do the same thing and send some random data, we do this:

Step 2: When you're connected, send some data.

---------------------------------------------CODE--------------------------------------------
Private Sub testSocket_Connect()
    ' The Connect event fires once the connection attempt from Step 1 succeeds
    testSocket.SendData "random data"
End Sub
-------------------------------------------------------------------------------------------------

Note: None of this code has any form of error handling; this is intentional, it would be too much at once. Now, this code requires the previous one. What it does is: when you click on the button we created, it tries to connect (what I explained just before), and if the connection attempt is successful it will send the data "random data", just like that, in plain text.
So if you had a server that was listening on port 12 on your computer and printed all incoming data on your screen, you would basically see the text "random data". Now we can assume you know how to send some data using a socket in Visual Basic. If you have no knowledge of vb, there are a lot of useful tutorials to get a brief overview of the language. I can't really find enough space in this document to explain vb to you, since we're not going to use it in the future anyway, but if you're interested, get some vb books or read some beginner guides. If you have any questions or suggestions, just send them to postmaster@warindustries.com; as I would like to remain anonymous, someone there will forward it to me. I think some of you guys would want screenshots, with some pointers perhaps, of what we're doing on screen when we write code in vb and compile it for a test. I may choose to make tutorials in html with pictures, but right now I can't find the time to invest into a project like that.

1:6 Examples, services, commands & encrypted data.

As I wrote in the previous version of this document, a service is often a program with a socket bound to a port, sitting there listening, waiting for the call. In general that is how a service works, just like I explained with ftp. Here is a little something you can try on yourself: bring up the command prompt, like the dos prompt in WinX; in Win98/ME open command.com from Run in the start menu and type: netstat -AN ; if you're in Windows XP or 2000 type "cmd" in the Run prompt, then enter the same thing. You should get a list similar to this one below:

Prot.  Local address    Extern address   Status
TCP    0.0.0.0:135      0.0.0.0:0        LISTENING
TCP    0.0.0.0:445      0.0.0.0:0        LISTENING
TCP    0.0.0.0:1025     0.0.0.0:0        LISTENING
TCP    0.0.0.0:1028     0.0.0.0:0        LISTENING
TCP    0.0.0.0:1029     0.0.0.0:0        LISTENING
UDP    127.0.0.1:1030   *:*
UDP    127.0.0.1:1033   *:*
UDP    127.0.0.1:1055   *:*

Your list was probably a lot bigger, with a few IP numbers.
Here you can see some of the services, or programs, that operate as a server on your machine. Prot. means protocol, just like we spoke about before with TCP and UDP. Take the first line for example:

TCP = the protocol
Local address = 0.0.0.0:135 = the numbers 0.0.0.0 mean it runs locally on your machine, :135 means it's bound to port 135.

So, in theory, if we connected to your machine on port 135 we would get a "Connection accepted", and then we could send data... The question that remains is: what does this service do with the incoming data, and what program is it that has opened port 135 on your machine? Well, don't worry, most of this stuff is windows built-in functions, like network share, web browser, and third party apps you might be running like icq, aim, msn, irc. You might also find a line in your list that says "Connection Established" with your IP and then the "extern" address. This means you are connected to the ip address in the list. This would happen if you had an active connection to the icq network, or to a webserver, gameserver or whatever. In short, it means a socket is open and has connected to a remote machine, or another machine is connected to yours. If you run an ftp server on your machine and someone is connected, downloading something from it, then it would be displayed in this list as "Connection established", displaying both your ip and the ip of the computer that is downloading. So if you try to connect to yourself on port 135, or any port that is open locally, and send some "random data", what would happen? And why? The answer to the questions is: nothing, because when the program that has a socket bound to port 135 processes the data it looks for specific commands, information, etc. If you just send the data "random data", it won't understand it and will just discard that data because it doesn't know what to do with it; it wasn't recognized. That brings us to the next step, the server part.
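To make a listing like the one above easier to work with, here is an added Python example (not from this tutorial) that parses a netstat listing of that shape into open ports and established connections. The listing inside it is constructed and goes a little beyond the table above by including a port 500 listener and an ESTABLISHED line.

```python
# Added example (not from the original tutorial): parse the kind of
# "netstat -AN" listing shown above and pick out which local ports are
# open (LISTENING, or a bound UDP socket) and which lines are established
# connections. The sample listing is constructed to match the tutorial's table.

import re

SAMPLE_NETSTAT = """\
Prot.  Local address    Extern address   Status
TCP    0.0.0.0:135      0.0.0.0:0        LISTENING
TCP    0.0.0.0:445      0.0.0.0:0        LISTENING
TCP    0.0.0.0:500      0.0.0.0:0        LISTENING
TCP    192.168.1.5:1041 10.0.0.7:21      ESTABLISHED
UDP    127.0.0.1:1030   *:*
"""

# protocol, local addr:port, extern addr:port, optional state column
LINE_RE = re.compile(
    r"^(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text: str) -> list[dict]:
    """Turn each socket line of a netstat listing into a dict; skip the header."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or anything we don't understand
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto,
            "local_addr": laddr,
            "local_port": None if lport == "*" else int(lport),
            "remote_addr": raddr,
            "remote_port": None if rport == "*" else int(rport),
            # UDP has no state column; treat it as a bound (open) socket
            "state": state or ("BOUND" if proto == "UDP" else "UNKNOWN"),
        })
    return rows


def open_ports(rows: list[dict]) -> list[str]:
    """Ports a remote machine could connect/send to: TCP LISTENING plus bound UDP."""
    return sorted(
        f'{r["proto"]}/{r["local_port"]}'
        for r in rows
        if r["state"] in ("LISTENING", "BOUND")
    )


def established(rows: list[dict]) -> list[str]:
    """Lines where a socket has an active peer, shown as local -> remote."""
    return [
        f'{r["local_addr"]}:{r["local_port"]} -> {r["remote_addr"]}:{r["remote_port"]}'
        for r in rows
        if r["state"] == "ESTABLISHED"
    ]
```

Run `open_ports(parse_netstat(SAMPLE_NETSTAT))` to get the open sockets and `established(...)` for the lines with a connected peer.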
Analogy: Sending the data "random data" to port 135 on your machine would be like sending a letter in English to someone that only speaks/reads/writes French, for example. He would just throw the letter away because it made no sense, right? ... well yeah, sort of. Bottom line is, you get the picture :)

1:7 Server(s)

With the above in mind, I will go on and talk about how services usually operate. A service that runs on your machine listens for the correct contact. For example, if you have an ftp server running, it listens and waits for an ftp client to connect to it, so that they can talk and the server can offer its service(s), which would be sharing files for you to download. However, if something else connected to the ftp server, i.e. not an ftp client, it wouldn't recognize the commands or the protocol. If you connected to an ftp server and sent the data "iluhfklsjdhflsjkh", it would have no clue what to do with that data and just discard it. What if, for instance, you connected to a port that you noticed was open, sent the data "random data", and then received an answer like this: "Couldn't execute command"? You could start drawing conclusions based on the response you got. Don't get me wrong, most services will not reply at all when receiving unknown data. But some are coded in a way that the program will send back a response, call it error handling if you will. Anyway, from this you would know that the service waits for a command; it could be any command, so it's like looking for a needle in a haystack, but... maybe not? If this happened you could call the service a piss poor coding job, but that's only one thing that creates vulnerabilities: piss poor coding :)

Let me take an example with vb code. This time we use the same project, but instead of sending data we make it listen for incoming data.
---------------------------------------------CODE--------------------------------------------
Private Sub testButton_Click()
    ' Bind the control to local port 500 and start listening for connections
    testSocket.LocalPort = 500
    testSocket.Listen
End Sub
-------------------------------------------------------------------------------------------------

What we have here is a program listening for connections on port 500, so the socket called 'testSocket' is now bound to port 500, which means port 500 is open. If you run this program and then use the "netstat -AN" command I told you about, port 500 will be displayed as open and listening. Let's add some data handling to get a better view of how services work and process incoming data:

---------------------------------------------CODE--------------------------------------------
Private Sub testSocket_ConnectionRequest(ByVal requestID As Long)
    ' Accept the incoming connection; DataArrival only fires on an accepted socket
    If testSocket.State <> sckClosed Then testSocket.Close
    testSocket.Accept requestID
End Sub

Private Sub testSocket_DataArrival(ByVal bytesTotal As Long)
    Dim inData As String
    ' GetData fills inData ByRef, so pass it without parentheses
    testSocket.GetData inData
    Select Case inData
        Case "command1"
            MsgBox "Received data: command1"
        Case Else
            testSocket.SendData "Could not execute command"
    End Select
End Sub
-------------------------------------------------------------------------------------------------

Okay, phew! A lot of new stuff. The ConnectionRequest part accepts the client that connected, so the control actually starts receiving from it. The "Dim inData As String" part basically means we declare the variable inData as a container of text (data). In the next part we read the arrived data out of the socket into inData and check whether it is exactly "command1"; if it isn't, we send the reply "Could not execute command", which the remote party that sent the data would receive. Voila, now you get an idea of what a service possibly does with incoming data. It checks for commands or info, or just processes the data in another way. Notice that if the incoming data was "command1", a message box would pop up saying: "Received data: command1". So what we have here is basically a service waiting for a program to send a command so it can pop up a message, pretty useful = not, lol.
You get the idea now; this is how servers operate, they listen for a correct command or info (data). If the makers of a service (program) are smart they would be using encrypted communication, which means all data is encrypted before it is sent, and when it's received the server decrypts it and reads it after decryption completes. Unfortunately a vast number of programs communicating on the internet are not using encrypted communication... not that we care, right? Better for us, worse for them. In fact it is very common that they just communicate in plain text, shame ;) . Anyway, you picked this info up? Good, let's proceed.

1:8 Exploiting a service /example

This will be so easy it's not even funny, but it will help you, and that's what we are trying to do, so here we go. Let's say a person called "Superjames" had a company called "Superjames Software", and this company created a service called "Superexecute"; this service works like a remote executer. If you're at home and need to execute a file where you work, you could use this incredibly "great" service utility :) The program Superexecute runs on port 9999, and you know its purpose already: it's supposed to execute files on a remote machine to make it easier for the user! We want to exploit it ;) - he he. So we investigate a bit. From the previous examples you already know how to connect to a remote computer on any given port, and you know how to send data once you're connected. You already know what port Superexecute runs on and you know that the computer behind the ip 999.999.999.999 runs Superexecute as a service. You try to send the data "random data" to ip 999.999.999.999 on port 9999, and you receive the response: "Could not find filename". Now, if you have even the smallest bit of brain you know what I am thinking? What if you try to send a common filename as data? Okay, so we send the filename "notepad.exe", which all windows computers have. You receive the response "Filename executed". Yaaaay!
It was that simple, omg, not even funny. You see where I am getting at? What made Superjames' product Superexecute piss poor and easy to hack? And what made it an exploit? Well, for one, the error handling was total crap: it sent responses like "Could not find filename". Now, if Superjames had had any brain he would have made a response like "Could not understand data"; that way we would not have been able to figure out what command it accepted that easily. Well, in fact it accepted any filename, and just a thing like that is stupid, but that is how a lot of services work, of course a lot more complex and probably encrypted, but bottom line is, it's the same principle used in almost every case. If we chose to publish this exploit we could call it "Superexecute (remotely execute any application/filenames)". Compared to what hacking will be like in some cases, this example is like breaking a rotten wooden door, while normal/harder stuff will be more like breaking a bank vault door, you get the idea. Just in case you are unsure, I made a vb code example for the exploit, below:

---------------------------------------------CODE--------------------------------------------
Private Sub testButton_Click()
    testSocket.Connect "999.999.999.999", 9999
End Sub

Private Sub testSocket_Connect()
    testSocket.SendData "notepad.exe"
End Sub
-------------------------------------------------------------------------------------------------

That's it! Go play with what you know now; you might come up with 1 million more questions, hopefully I will be able to answer those in future versions of this document series. I will try to release one each week. I think I will talk about bypassing next week! Each follow-up document will be a bit more advanced, so make sure you read those carefully, and get prepared for the next one in a few days. Bye for now...
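As an added Python example (not the tutorial's own code, and not a real product), here is the listen/accept/data-handling service from 1:7 and the Superexecute probe from 1:8 on 127.0.0.1, with the leaky handler beside a hardened one that only knows a fixed command list and gives one uniform error reply. The handler names, the rule for what counts as a "filename", the "status" command and its reply are all constructed for the example.

```python
# Added example (not from the original tutorial): the "Superexecute" idea as a
# small TCP service on 127.0.0.1, written two ways. The leaky handler answers the
# way Superjames' program did; the hardened one accepts only a fixed command
# list and returns one uniform error, so a probe with "random data" learns
# nothing about the expected format. Nothing is ever executed: a "run" is a string.

import socket
import threading

ALLOWED = {"status": "Service running"}  # constructed allowlist, not a real API


def leaky_handler(data: bytes) -> bytes:
    # Mimics the tutorial's Superexecute: any filename-looking text (constructed
    # rule: has an extension, no spaces) is "executed", and the error message
    # tells the client exactly what kind of input the service wants.
    name = data.decode("ascii", "replace").strip()
    if "." in name and " " not in name:
        return b"Filename executed"
    return b"Could not find filename"


def hardened_handler(data: bytes) -> bytes:
    # Only exact, pre-registered commands are accepted; everything else gets
    # the same reply, so the response does not reveal the expected format.
    name = data.decode("ascii", "replace").strip()
    reply = ALLOWED.get(name)
    return reply.encode() if reply else b"Could not understand data"


def serve_once(handler, ready: dict) -> None:
    """Listen on an ephemeral loopback port, answer one client, then stop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready["port"] = srv.getsockname()[1]
    ready["ev"].set()
    conn, _ = srv.accept()                       # the VB ConnectionRequest/Accept step
    with conn, srv:
        conn.sendall(handler(conn.recv(1024)))   # the VB DataArrival step


def probe(handler, payload: bytes) -> str:
    """Act as the VB client: connect, send data, return the service's reply."""
    ready = {"ev": threading.Event()}
    t = threading.Thread(target=serve_once, args=(handler, ready))
    t.start()
    ready["ev"].wait(5)
    with socket.create_connection(("127.0.0.1", ready["port"])) as c:
        c.sendall(payload)
        reply = c.recv(1024).decode()
    t.join()
    return reply


if __name__ == "__main__":
    for h in (leaky_handler, hardened_handler):
        print(h.__name__, probe(h, b"random data"), "|", probe(h, b"notepad.exe"))
```

The leaky service answers "random data" with "Could not find filename" and "notepad.exe" with "Filename executed"; the hardened one answers both with "Could not understand data" and only the registered "status" command gets a real reply.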
One more thing: I said in the earlier version that I would include executables to test this, well I didn't... it's too obvious already (with the code), and also people are suspicious of unknown executables, especially if they came from me lol :) - feel free to compile the stuff yourself though, if you want to play around with it. Just note that you will get some errors here and there, because I didn't add any error handling to the examples. After all this info, you should know and understand a lot more about all the things we discussed! Remember to send feedback; also I might be holding irc chat sessions sometimes, if you would like to participate just send an email to the address on top of the document.