In this post I’ll explain how to build a *nix backdoor that uses a “port knocking” scheme. That is, if we “knock” on a sequence of TCP ports decided in advance, the program opens a backdoor for us (and only for us :) ).
How does the “port knocking” scheme work? The attacker decides on a particular sequence of packets to send to the compromised server where the backdoor is running. When the backdoor program receives that exact sequence, it gives the attacker a shell on the server.
In this brief post I will show you the improvements I have made to “Smashing the stack in 2010”. First of all I have improved the bibliography, to help readers learn and dig deeper as well as to give credit to other researchers for their work. Then I have rewritten the section “write an exploit” in the Windows part, because the previous version lacked clarity; I hope it is now suitable for a newbie. Last but not least I have added a new part called “Real Scenario” in which we analyze real exploits: to gain real and useful knowledge it is important to be able to analyze a real attack, even when it is complex and sophisticated. In the report I have analyzed in detail CVE-2010-0249 (the Operation Aurora exploit) and CVE-2010-2883 (the Adobe CoolType SING table exploit); they are good examples of attacks through memory corruption vulnerabilities. I know there are already a lot of analyses, especially of CVE-2010-2883, but we follow the paradigm “learning by doing”. If you want to read other good work, I suggest VUPEN’s analysis (a great one!) and jduck’s post on the Metasploit blog.
Smashing the stack in 2010 (improved): download
Table of contents (of the new part):
IV Real Scenario 75
8 Attacks and memory corruption 75
9 Memory corruption in practice 76
10 Examples of real attacks 77
10.1 Theory: Heap Spraying 77
10.2 CVE-2010-0249 – Internet Explorer 6, 2010 – Graziano 78
10.3 CVE-2010-2883 – Adobe Acrobat Reader, 2010 – Graziano 84
As usual, feel free to contact me to ask questions, give feedback, point out an error, or just chat. You can also find me on IRC (irc.azzurra.org, channel #hacklab, or freenode, channel #corelan).
Happy hacking!! (again)
Hi. Sometimes you can’t connect directly to the internet because you have to go through a proxy (e.g. in a work environment).
Have you ever had to set up an HTTP proxy in a Linux shell in order to, for example, download a new package or manually update your distribution with a package manager?
If so, you need to be a superuser. If you use the “sudo” command, you have probably stumbled across the inability to export variables from the user environment to the “sudo” one.
Hi. In this post I’ll explain how to correctly pass a socket created in a parent process to a child process on Microsoft 9x systems.
If you have ever written a multi-process concurrent server in a Unix environment, you may have noticed that passing the socket between parent and child processes happens directly: the child inherits its parent’s variables, including the file descriptor associated with the socket.
Hi. How can we write a “hello world!” in brain-mode?
When we want to greet someone, the brain is activated and selects as the greeting a phrase known to us: in our case, “hello world!”.
If you try to compile the r5u870 driver for Ricoh webcams under Ubuntu 10.10 you’ll fail, due to a recent renaming of some functions in the Linux kernel:
usb_buffer_alloc() is renamed to usb_alloc_coherent()
usb_buffer_free() is renamed to usb_free_coherent()
For more information: http://kerneltrap.org/mailarchive/git-commits-head/2010/4/30/32383
To avoid this problem, make this substitution in the usbcam_util.c file, which can be found here: http://www.palmix.org/download/r5u870_k2.6.30_i386.tar.bz2
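As an added example (not part of the original post or of the r5u870 project), a small POSIX shell function that applies both renames to a source file and then verifies that no call to the old symbols survived; matching on the name followed by an opening parenthesis avoids accidentally rewriting unrelated identifiers that merely share the prefix. The sample source text is constructed for the demonstration, and `usbcam_util.c` is just the path you would pass in practice.

```shell
#!/bin/sh
# Rewrite the two renamed USB helper calls in-place (via a temp file) and
# return non-zero if any old call is still present afterwards.
patch_usb_coherent() {
    file="$1"
    tmp="${file}.tmp.$$"
    sed -e 's/usb_buffer_alloc(/usb_alloc_coherent(/g' \
        -e 's/usb_buffer_free(/usb_free_coherent(/g' "$file" > "$tmp" \
        && mv "$tmp" "$file" || return 1
    # Verification step: the build would still fail if a call was missed.
    if grep -q -e 'usb_buffer_alloc(' -e 'usb_buffer_free(' "$file"; then
        echo "old symbols still present in $file" >&2
        return 1
    fi
    return 0
}

# Constructed sample resembling the driver's allocation code (not the real file).
SAMPLE_SRC='buf = usb_buffer_alloc(dev, len, GFP_KERNEL, &dma);
if (!buf) return -ENOMEM;
usb_buffer_free(dev, len, buf, dma);'

# Demo: write the sample to a temp file, patch it, show the result.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SRC" > "$f"
    patch_usb_coherent "$f" || { rm -f "$f"; return 1; }
    cat "$f"
    rm -f "$f"
}

demo
```

In the real tree you would run `patch_usb_coherent usbcam_util.c` before building.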