Chapter 7: h3X and The Big Picture


by FX as "h3X"

Overview

h3X paints a picture. Actually, she doesn't really paint but rather just creates a plain white canvas of 256 by 512 pixels in Microsoft Paint, because you can hardly do more with that program than the equivalent of the childish drawings young parents hang on the walls of their cubicles to scare away art-interested managers. The reason h3X creates the picture is not its artistic content but the file format produced when she clicks Save As in the menu. The white box becomes a data file with the extension .bmp, and that's what she is after.

h3X is a hackse, a female hacker, and has been around in this environment for some time. Not that she would consider herself a pro or, even worse, a 1337 hacker. Sure, she knows her kung-fu, but she sees the whole hacking thing as a process and an excellent way to constantly learn and have fun at the same time. It's always a mental challenge. Look at what you've got, try to gain access via some unexpected data, timing, order or whatever comes to your mind, see if it works or not, draw conclusions, learn, repeat. The thrill of understanding what's going on and having your insight certified by a remote root shell is orders of magnitude more exciting than just hacking the box.

The picture h3X is working with is nothing special yet. So far, it's just another .bmp file on her hard drive. But due to the fantastic effects of open source, it will soon become something more powerful and much more fun than it is now. A while ago, the news hit the Net: parts of Microsoft's Windows source code leaked from the fortress-like perimeter into the world of the more or less free Internet. Scores of hackers all over the world started looking for the code and got their HTTP or FTP connections on it sooner or later. "The distribution of a 180-megabyte file to so many locations in parallel should serve as the basis for the next source code replication platform," h3X thinks with a smile. Indeed, the code reached more computers in the first 24 hours after its leak than any open source software she has heard of so far. Well, maybe except for a new major Linux kernel release. A few days later, a hacker named gta sent an e-mail to a well-known list explaining the first bug he spotted in Windows' MS-HTML engine, and this is what h3X decided to use this night for. It's a client-side bug, and has been the topic of many furious discussions about whether such a bug is actually a big threat to the security of a network or just a minor coding mistake. Since the vulnerable software doesn't sit there and listen for attackers to make connections to it from all over the world, but rather requires the user to actively access an evil server, many people doubt there is a real danger. h3X is about to find out if this is true or not.

She starts by making the necessary preparations for the session. A Windows 2000 system has to be started, which, as usual, takes ages. Coffee and a fresh pack of good cigarettes are also needed in advance, pretty much like the payment requested in the Viagra offer she just received by e-mail. When the Windows box finally finishes painting boxed little blue bars from left to right, thereby imitating real activity, she logs in and realizes that this is her stock Windows exploitation system with nothing except the default installed services and tools on it. "Well, let's go shopping," she says to the empty desktop screen and starts the browser. What she needs is freely available, but vital for the task at hand.

First, debugging software. Her Windows debugger of choice, of course, is OllyDbg. It's a full-blown graphical user interface debugger for Windows with all the bells and whistles you may want. The debugger is important not only for the process of exploitation, but also for checking under which circumstances the bug is actually triggered and how. In Windows land, not all capital crimes a program can commit are reported to the user. Only a program that doesn't install the necessary hooks and safety nets will actually trigger the famous Dr. Watson window. And if you don't have a debugger watching the program's flow, as a spider watches its web for vibrations, you will miss the point where your bug is triggered and wonder why the program doesn't crash.

Next on the list is a whole batch of tools, all available on the same website. h3X surfs to www.sysinternals.com and gets PsTools, Process Explorer, TCPView, and a number of other things. These tools are needed as add-ons because the Windows default tools will often refuse service, especially when dealing with recently exploited processes. "Now we can start," h3X thinks, and loads up the hacker's e-mail to the world:

I downloaded the Microsoft source code. Easy enough. It's a lot bigger than Linux, but there were a lot of people mirroring it and so it didn't take long. Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS. For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx:

    // Before we read the bits, seek to the correct location in the file
    while (_bmfh.bfOffBits > (unsigned)cbRead)
    {
        BYTE abDummy[1024];
        int cbSkip;

        cbSkip = _bmfh.bfOffBits - cbRead;

        if (cbSkip > 1024)
            cbSkip = 1024;

        if (!Read(abDummy, cbSkip))
            goto Cleanup;

        cbRead += cbSkip;
    }

..

Rrrrriiiiggghhhttt. Way to go, using a signed integer for an offset. Now all we have to do is create a BMP with bfOffBits > 2^31, and we're in. cbSkip goes negative and the Read call clobbers the stack with our data.
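The arithmetic gta points at can be checked without the leaked source. The following is an added example, not code from the book, from the e-mail or from Microsoft: it parses the 14-byte BITMAPFILEHEADER, mirrors the leaked loop's signed/unsigned mix in vulnerable_skip_request(), puts a hardened variant beside it, and runs both over a constructed in-memory file with a Read() stub that refuses to copy past the 1024-byte scratch buffer instead of smashing the stack. All function names, the 2048-byte constructed file and the hostile offset 0xFFFFFFF0 are this example's own choices; it assumes, as on the 32-bit target, that the count handed to Read() ends up in an unsigned parameter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BITMAPFILEHEADER on disk: "BM", bfSize, two reserved words, bfOffBits;
 * 14 bytes, little-endian. Only the two fields we need are kept. */
#define BMFH_SIZE 14u
typedef struct {
    uint32_t bfSize;     /* file size as claimed by the file        */
    uint32_t bfOffBits;  /* offset of the pixel data from byte 0    */
} bmfh_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns 0 on success, -1 if the buffer is too short or not a BMP. */
int parse_bmfh(const uint8_t *buf, size_t len, bmfh_t *h) {
    if (len < BMFH_SIZE || buf[0] != 'B' || buf[1] != 'M') return -1;
    h->bfSize = rd32le(buf + 2);
    h->bfOffBits = rd32le(buf + 10);
    return 0;
}

/* One iteration of the leaked loop's arithmetic. bfOffBits is a DWORD and
 * cbSkip an int: once the difference is >= 2^31 the conversion wraps
 * negative, "cbSkip > 1024" is false, and Read() is handed the negative
 * count. Returns exactly what that first Read() call would receive. */
int vulnerable_skip_request(uint32_t bfOffBits, unsigned cbRead) {
    int cbSkip = 0;
    if (bfOffBits > cbRead) {
        cbSkip = (int)(bfOffBits - cbRead);   /* unsigned -> int wraparound */
        if (cbSkip > 1024)
            cbSkip = 1024;
    }
    return cbSkip;
}

/* Hardened variant: unsigned arithmetic only, and the offset must point
 * inside the bytes we actually have. Returns 0..1024 or -1 if rejected. */
int safe_skip_request(uint32_t bfOffBits, uint32_t cbRead, size_t fileLen) {
    if (bfOffBits > fileLen || bfOffBits < cbRead) return -1;
    uint32_t remaining = bfOffBits - cbRead;
    return remaining > 1024u ? 1024 : (int)remaining;
}

/* Runs the whole skip loop over an in-memory file. The Read() stand-in
 * (memcpy) is guarded: if the count, seen as the unsigned size a copy
 * routine uses, exceeds abDummy, we report the overflow instead of
 * performing it. Returns 1 for "stack would be clobbered", else 0. */
int vulnerable_loop_would_overflow(const uint8_t *file, size_t len) {
    bmfh_t h;
    if (parse_bmfh(file, len, &h) != 0) return 0;
    uint8_t abDummy[1024];
    unsigned cbRead = BMFH_SIZE;                 /* header consumed so far */
    while (h.bfOffBits > cbRead) {
        int cbSkip = vulnerable_skip_request(h.bfOffBits, cbRead);
        size_t request = (size_t)cbSkip;         /* negative -> ~4 GB */
        if (request > sizeof abDummy) return 1;  /* the overflow gta describes */
        if (cbRead + request > len) return 0;    /* short read: Read() fails, Cleanup */
        memcpy(abDummy, file + cbRead, request);
        cbRead += (unsigned)request;
    }
    return 0;
}

/* Constructed input: a file header with the given bfOffBits followed by
 * filler bytes standing in for the DIB header and attacker-chosen data. */
size_t build_bmp(uint8_t *out, size_t len, uint32_t offBits) {
    if (len < BMFH_SIZE) return 0;
    memset(out, 0x41, len);
    out[0] = 'B'; out[1] = 'M';
    wr32le(out + 2, (uint32_t)len);
    memset(out + 6, 0, 4);                       /* bfReserved1/2 */
    wr32le(out + 10, offBits);
    return len;
}

/* Convenience wrapper: build a 2048-byte file with this offset and test it. */
int check_constructed_file(uint32_t offBits) {
    uint8_t buf[2048];
    build_bmp(buf, sizeof buf, offBits);
    return vulnerable_loop_would_overflow(buf, sizeof buf);
}

int main(void) {
    /* 1078 = 14 + 40 + 256*4: pixel offset of an ordinary 8-bit BMP. */
    printf("benign  offset 1078:       vuln=%d safe=%d overflow=%d\n",
           vulnerable_skip_request(1078, 54), safe_skip_request(1078, 54, 2048),
           check_constructed_file(1078));
    printf("hostile offset 0xFFFFFFF0: vuln=%d safe=%d overflow=%d\n",
           vulnerable_skip_request(0xFFFFFFF0u, 54), safe_skip_request(0xFFFFFFF0u, 54, 2048),
           check_constructed_file(0xFFFFFFF0u));
    return 0;
}
```

The benign header is clamped to 1024 bytes per iteration by both versions. For the hostile header the leaked arithmetic yields a negative cbSkip that slips past the clamp, while the hardened check rejects the offset outright because it lies beyond the end of the file; bounding the skip against a real length, not just against the scratch buffer, is the fix the loop was missing.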

Right when h3X opens her bitmap file in her hex editor, her mobile phone rings. "Yea," she says into the phone without really listening; her eyes are glued to the screen and her brain starts simulating memory copy operations on Intel x86 architecture processors. The person on the other end of the line turns out to be one of the girls she hangs out with frequently. The voice reminds her of the planned trip to their favorite bar tonight. A friend of theirs just returned from a fairly long trip and a little welcome-back party is in order. "Oh, yes, erm," h3X says. The other side says, "Let me guess, you are sitting at your computer and ready to do something totally strange. Did you even listen to what I just said? I will be at your place in about 15 minutes and you should be ready to go by then. Hello?"

"Yea, I'm still here, or did you hear me hang up? I'm working on something. Let's make it 20 minutes." The person on the other end agrees with a few more biting comments on h3X's lack of focus on the topic of the call and hangs up. Now h3X has to shut down everything and get dressed in anything, because going out the way she looks right now is not an option, both for her health and her security, since people tend to react strangely to naked young females in cocktail bars. The night turns out to be fairly nice but also quite eventless. The girls enjoy the service at their favorite place and have a number of drinks, then go home. Thanks to the cocktails consumed, returning to the computer is out of the question for h3X right now.




Stealing the Network. How to Own a Continent
ISBN: 1931836051
Year: 2004
Pages: 105
