Part IV: Software Hacking

CHAPTER LIST

Chapter 11: Hacking Code
Chapter 12: Web Hacking
Chapter 13: Hacking the Internet User

CASE STUDY: ONLY THE ELITE

Jack had been good the past few months (he thought to himself). He hadn't tried to break into any system for a solid three months now. That is, no one had asked him to break into any system. And his conscience had begun to feel normal again. He had often wondered how he got to where he found himself: a pay-for-hire hacker willing to do almost anything for money.

While the public message boards and vulnerability mailing lists spewed forth dozens of vulnerabilities a day, Jack never paid much attention to them. In his line of work, he was finding these vulnerabilities himself and never releasing them. He was building his war chest for the day he would get the cell phone call from his contact.

The nameless woman on the other end of the phone spoke softly but directly, and always paid on time. But she hadn't called in months, and then it came. Jack answered and knew immediately who it was. She said demurely, "Remote OpenSSH 3.9p1 on Solaris 9." He asked, "When?" She replied, "Two weeks." He hung up and was off to the races.

Normally, a job like this would take only hours because he would have already found something in the target application on his own, without prompting, months in advance. But this one was different. He didn't have any exploits for this application on this platform. He knew it was going to take longer than normal, days maybe. But he liked to give his contact the impression that it took weeks (so he could charge exorbitant prices).

Jack has this vulnerability hunt down to a science and has scripted much of the hard work. After downloading the latest version of the OpenSSH software and source, he immediately fires up CodeSurfer from GrammaTech and begins a source code review of OpenSSH. Within minutes he has over 323 potential flaws in the software. He jumps quickly to the first promising overflow condition and follows the function all the way up the pointer tree to understand what input variable could affect the overflow condition.

Next, he logs into his Solaris 9 SPARC system and downloads and installs OpenSSH 3.9p1. He then crafts a simple packet with hping2 to reach the particular function he discovered with CodeSurfer, inserting a large string value into the parameter he found. Instantly, OpenSSH goes down. Jack fires up his gdb debugger on Solaris and does it again, and again it comes down. This time he knows where OpenSSH is choking because gdb captured it. He traces the capture and sees that PC (the RISC-based system's instruction pointer) has been overwritten with his input: the instruction pointer on SPARC is controllable through this vulnerability. The crown jewels are at his doorstep. Next, he pulls out his most elite SPARC assembly shellcode and plops it into some C code he wrote on Linux to forge the packets automatically, rather than rely on hping2. Jack could have used Solaris shellcode from http://www.metasploit.com, but this time he wanted to craft everything himself. Finally, he tries his newly created exploit. And voilà! He is in. Game over.
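The bug class the case study walks through, shown here as an added illustration that is neither code from the book nor from OpenSSH (it implies nothing about what was or was not in OpenSSH 3.9p1): a parser for an SSH-style length-prefixed string field that bounds the copy only by the packet, beside the hardened form that also bounds it by the destination, plus the check an auditor tracing the input back from the copy would write. FIELD_MAX, the function names and the sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed-size destination, as a stack buffer inside a parser would be (assumed size). */
#define FIELD_MAX 16

/* SSH wire "string": a 4-byte big-endian length followed by that many bytes. */
static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * VULNERABLE pattern: the length field is checked against the packet (so the
 * read stays in bounds) but never against the destination. A peer that sends
 * len > FIELD_MAX writes past 'out'; when 'out' is on the stack that reaches
 * the saved return address, which is what the crash under gdb reveals.
 * Kept only to show the shape of the bug; never call it with an oversized packet.
 */
int parse_field_vuln(const unsigned char *pkt, size_t pktlen, char out[FIELD_MAX])
{
    if (pktlen < 4) return -1;
    uint32_t len = get_u32(pkt);
    if (len > pktlen - 4) return -1;      /* source bound only */
    memcpy(out, pkt + 4, len);            /* len is attacker-controlled */
    out[len] = '\0';
    return (int)len;
}

/* Hardened: bound the copy by the destination as well as the source. */
int parse_field_safe(const unsigned char *pkt, size_t pktlen, char *out, size_t outsz)
{
    if (pktlen < 4 || outsz == 0) return -1;
    uint32_t len = get_u32(pkt);
    if (len > pktlen - 4) return -1;      /* truncated packet */
    if (len >= outsz) return -1;          /* would not fit with the terminator */
    memcpy(out, pkt + 4, len);
    out[len] = '\0';
    return (int)len;
}

/*
 * The auditor's question: for a given packet, does the input reach the copy
 * with a length exceeding the destination? 1 = yes, 0 = no, -1 = the packet
 * is rejected before the copy.
 */
int would_overflow(const unsigned char *pkt, size_t pktlen, size_t outsz)
{
    if (pktlen < 4) return -1;
    uint32_t len = get_u32(pkt);
    if (len > pktlen - 4) return -1;
    return len >= outsz ? 1 : 0;          /* '>=' because of the terminator write */
}

/* Run the hardened parser into a local buffer and return its result. */
int check_packet(const unsigned char *pkt, size_t pktlen)
{
    char out[FIELD_MAX];
    return parse_field_safe(pkt, pktlen, out, sizeof out);
}

/* Constructed sample packets, not captured traffic. "sizeof X - 1" drops the
 * string literal's trailing NUL. */
static const unsigned char PKT_OK[]    = "\0\0\0\x07" "ssh-rsa";                           /* 7 bytes */
static const unsigned char PKT_BIG[]   = "\0\0\0\x20" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes */
static const unsigned char PKT_SHORT[] = "\0\0\0\x20" "AAAA";                              /* claims 32, carries 4 */

int main(void)
{
    char out[FIELD_MAX];
    /* The vulnerable routine behaves on benign input, which is why such bugs ship. */
    printf("benign:   safe=%d vuln=%d\n",
           parse_field_safe(PKT_OK, sizeof PKT_OK - 1, out, sizeof out),
           parse_field_vuln(PKT_OK, sizeof PKT_OK - 1, out));
    printf("oversize: safe=%d would_overflow=%d\n",
           parse_field_safe(PKT_BIG, sizeof PKT_BIG - 1, out, sizeof out),
           would_overflow(PKT_BIG, sizeof PKT_BIG - 1, FIELD_MAX));
    printf("short:    safe=%d\n",
           parse_field_safe(PKT_SHORT, sizeof PKT_SHORT - 1, out, sizeof out));
    return 0;
}
```

The oversized packet is exactly what the narrative describes sending: a length field that the source-side check accepts and that the copy then trusts. The hardened routine rejects it with the same `-1` it uses for a truncated packet, so a caller cannot tell the two cases apart and treat the oversized one as benign.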

Next, he makes his call...



Hacking Exposed, 5th Edition