Thursday, December 4, 2008

Alertpay DDoS'd


The world famous payment processor Alertpay has been under attack this Sunday. I would have posted this that very day, but I just got to the site today and saw what they had written there.

The site faced 7 hours of downtime, and then had to be shifted to another IP. The massive DDoS attack affected many businesses associated with Alertpay for payment processing. The attack was definitely a well planned attack, committed right in the middle of the christmas shopping season. This of course caused a loss to associated end users and businesses.

During the attack, the Alertpay authorities posted this message:

We are currently experiencing a large scale DDOS attack that has hit our sites which started at approximately 6:00am EST Sunday. We are working with our data center to resolve and/or mitigate this issue.

More information will be posted here as we get updates.

For the time being customers can connect to AlertPay at an alternate location:

https://67.205.87.226

Ferhan

Several hours later, after the attack was done, they posted another message saying:

We have finally mitigated the massive DDOS attack that started at 6:00am EST. Unfortunately it took almost all day to resolve. The site is operational now, and hopefully we'll continue to tweak it more tomorrow to ensure this doesn't happen again.

We sincerely apologize for the inconvenience and we understand that this outage affects each of you personally. We’re sorry for that. We will continue to put measures in place so that outages like this do not occur again.

Ferhan

There is no doubt that such attacks will never stop. Of course, DDoS is unstoppable. But the sysadmins can without a doubt take precautionary measures like reducing waiting time etc. A similar incident happened in 2004 with Wordpay. DDoS attacks against payment processors have become very common nowadays. Is it competition of the companies, or just script kiddies playing around? Only they know for sure.

Wednesday, November 26, 2008

Call for hackers

This is an open call for all hackers worldwide.

k0r0pt The all new hacker ezine requires articles for the first edition. If you are a hacker, and you are interested in sharing your research and/or experiences with other hackers of the world, then do write.

To take a look at the Editorial Policy, visit http://k0r0pt.co.cc/main.htm.

Wednesday, November 19, 2008

Blog shifted back.

This blog has been shifted back here. I landed into this decision, because I rarely write about hacking and exploration anymore, because I do not get much time. Also, I have started another hacker ezine, which is called k0r0pt. Information about this can be found at http://k0r0pt.co.cc. The magazine needs writers. So, if anyone is reading this blog entry and is willing to write for the magazine, please be directed by the Editorial Policy there.

And about this blog, I will still continue to write here, probably more about explored sections of hacking, that I come to know. About my further research in those fields, well you can see them in the magazine.

Till then, enjoy exploring and remember, hacking is fun!

Thursday, October 23, 2008

We have moved

This blog has been shifted to the new official k0r0pt website's blog at http://k0r0pt.co.cc/blog. Do check it out, because the new posts and all my research from now on, will be posted on this new blog.

Sunday, October 12, 2008

New blog and podcast

It seems that my research has taken a break. Seems a long one to me. But when I do start my explorations again, I shall upload them here. Till then, I have started another blog about Open Source softwares, hardwares and their tweaks. The blog is located at: http://opensourcethefuture.blog.co.in. It accompanies a Podcast with it. I shall be more than happy if you could visit that and enjoy. I'll continue with this blog again, very soon.

Monday, September 8, 2008

Unicode revisited

Okay I didn't get any better topic today to discuss about. This one is another post about the UTF-8. Unicode is a powerful tool. Indeed. I figured out one more great way to type what I want in Hindi or Bangla, without actually installing a program for that. I installed language supports in Ubuntu. The same can be done from somewhere called "Regional Settings" in control panel if you're using windows. I am using phonetic Hindi keyboard option (whatever you call it).



I am going to type the same thing in English, Hindi and Bangla.



I am Sudipto. I study in NIT Raipur in Computer Science.


मेरा नाम सुदीप्तो है। मै एन आई टी रायपुर मे पढता हू।


অামার নাম সুদীপ্ত। অামি এন অাই টী রায়পুরে পরি।



So you see, UTF-8 standard is so powerful, and here I am once again, demonstrating what all we can do with it. We can even chat in our language, provided the application does support UTF-8. Gtalk and Pidgin and Yahoo messenger do support it.

Wednesday, August 27, 2008

Proxies, Wingates and Routers: An overview of 0wn1ng th3 w0r1d


Disclaimer: The information presented here is solely for educational purposes. Any misuse of this information is not the author's intent and neither is it the author's responsibility. I hereby disclaim any responsibility for any kind of damage this information may cause in any way or any manner, to any individual, organization or government. The author shall not be responsible for any damage this information may cause.

Proxies and wingates have been long been heavily used means for privacy in the Internetwork. Today, we find them with a simple google search. You may try some in the above search box. Here, I shall describe in brief how these work.

Proxies:

Proxies are used for the web. In l33t terms, for port 80. That is, proxies will help us forge our IP by forwarding all the traffic through the proxy server. Most proxy servers will allow only simple HTML. Others however help to forward all traffic including asp, php etc, thus making the user totally secure.

There are various kinds of proxies. The ones that provide proxies through their webpages are cgi proxies. They use a cgi(Central Gateway Interface) script in the cgi-bin directory of their web server. That script takes our request, then contacts the web server that we requested, and then forwards the data in a webpage, with their address box at the top. One very good example of cgi proxy would be http://www.anonymizer.ru. This one is a russian website. If you don't know aware of russian, you probably won't understand what's written (neither do I), but there's an address box at the top, and that's what we're looking for. I'd write, suppose www.google.com there, and I'd get the google.ru and it will not forward me to google.co.in, which it will do if I use no proxy. Similarly, if it is a proxy server in Belgium, google.com would forward me to google.be. For china, it would be google.cn. You get the pattern now. Now these cgi proxies are not good enough, when it comes to php or asp based sites. The solution is simple. I'd rather use socks proxy. Socks is a protocol, that creates a secure connection between me and the proxy server. It usually runs on port 8080. So, if you have to search for your own proxies, you'd write a program, that would search throughout networks for open 8080 ports.

NB: A word of warning: Most of the proxies log their traffic and will leak your information out if they have to (as in legal problems). So, if you're trying to do something stealthy or something that may lead you to trouble, be sure either to use anonymous proxies (most of them, that claim to be anonymous and storing no logs, may actually log your data), or to somehow login to the box, and delete the logs. But again, if they have a centralized logging system, you're in trouble.

Now I'd come to how to setup the proxies. You have a settings box in your web browser. No matter what browser you use, it has to have one, where you can setup your proxy, which asks for the IP and port of the proxy, and maybe, the type of proxy server it is. In firefox, it is View>Preferences>Network>Proxy. In case of IE, it is in Tools>Internet Options.

What if you'd want to use multiple proxies? You'd want to do something like this:

http://proxy1:port1-_-proxy2:port2-_-proxy3:port3-_-url

Although many manuals do say it is that way (in case of socks proxies), but I've never found this working. If you have a solution to this, do leave a comment.

Wingates:

Wingates is the solution, when it is not the web. For ports other than 80, what we use is wingates. Wingates have long been exploited for purposes, that aren't considered good everywhere (you know what I mean). Wingates are available from many companies, if you use an account there, but if you are a person like me, for whom money matters, you'd do what I do. Just search for port 23 open, and see if there is a prompt on connection, which says something like '>'. If the wingate is left to default settings, it would be "WinGate>", but if the admin changes the wingate to something else, you know what would happen. But if there is that '>', there is a prompt and it is not asking for passwords. So, just write a program, and scan networks, searching for a prompt. But if you are not hard working (unlike me), you'd get hundreds of scanners out there. Go to http://www.packetstormsecurity.org and scan for "wingate scanner".

What I'd do if I get a wingate:

I'd connect to another through that, and then to another, and then to a few more, before I actually do the hack. This will give me more security, and my chances of getting caught will be lesser. But again there are these logs, which may not be able to delete, depending on the settings in the server.

NB: Wingates, due to their lack of security till date, are not always online, so you have to keep searching for them, and when online, they will be online for about a few hours or so.

Routers:

Routers are the most insecure computers that exist on the Internet. There are so many routers in this world, that you can 0wn as many as you want. The most predominant reason for this lack of security of routers, is that most are not configured at all. They are left with their default passwords (I know this from personal experience). Because of this, routers are very easy to exploit. All you need to do is find out which Operating System it is using, and then just grep out the default passwords list for that. How to find the OS? Go read about nmap, stupid boy!

As routers have to work all the times, they are always on, but again they may log your data, and you may not be able to delete it. But since routers get so huge an amount of traffic everyday, that your chances to escape, literally increases very much. When you decide to exploit a router, use a wingate first, and then connect to it. Why take chances?

How to find them:

Finding routers is easy. I'll tell the most easy way. One that I had incorporated to find routers. Go to google, and search anything, then traceroute all the sites that show up. All the computers that come between yours and theirs, are routers. Then you have to scan each one for the operating system. It's that easy.

NB: Many routers belong to governments for setting up the national internet backbone, as they call it here (NIB). So, when trying to do something with those, try being extra careful. You don't want to get into some serious trouble.

Thursday, June 5, 2008

A GUIDE TO NETWORK PACKET FORGING

Packet forging has long been a desire of all of us network hackers. It gives us control over the network, and control obviously means feeling of power (whether it actually be there or not).

In today's world of connectivity, you'd find thousands of tutorials on the Internet about packet forging, both for winsock and *nix sockets. I shall not cover winsock, as I do not consider it worth the work. Rather, the libraries needed are not free, and require a lot of money, that I don't have, to be spared on things like winsock, that definitely wastes my valuable time.

Although most of the tutorials will have TCP packet forging, I shall start with UDP packet forging. Those of you, that are new to network hacking, but have enough enthusiasm to learn, I suggest reading the rfc 768 (udp) and rfc 791 (ip), in order to be able to understand whatever is written in this article. A working knowledge of the C programming language and linux network system calls is required. If you don't know that, fret not 'cause you can simply google 'em out. I shall use the standard linux library to work on this.

As an introductory note, I'd explain the various fields of IP header and UDP header. Now, what's a header? A header is a sequence of bytes or octets, whatever you're more comfortable with, that defines various options in the packet. This particular packet we will forge here will have two headers. The IP header and the UDP header. The UDP header will follow the IP header. If it were a TCP packet, there would have been no UDP header, and the TCP header would have followed the IP header.

THE IP HEADER

The IP header is the most important header, as IP is the base protocol on the Network layer. Though there are other protocols that are used in the network layer, but on the Internet, IP is used. The IP header has the following format:



0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

I shall not go into the details of all the fields up here, as you can get those in the rfcs, but will explain those that we are going to use in the following program.

The Version is a 4 bit field is used to specify the version of IP we shall use. As of the time of this writing, two versions of IP exist 4 and 6. We shall be using 4, as it is more prevalent, and 6 will take some more time to take over.

Type of Service is a 1 byte field and will specify how the routers have to pass it on, whether it should be treated as a normal packet, or a high priority packet and should be passed with low delay.

Total Length will contain the total length of the packet, including the TCP or in this case UDP header and the payload, which is also called data. Its maximum value can be 65535, as it is 16 bits long.

Flags specify other options, and we shall set it to zero here.

Fragment offset is what is used, when a single packet has to be broken in different parts, when network medium cannot handle it in one go. The offset will specify which octet marks the beginning of that particular packet.

Time to Live spcifies how many hops the packet will survive. After that many hops (gateways or routers), the packet will die, and the corresponding router, will send the sender and ICMP message that the packet expired in the way. It is 1 octet long, and so, has a maximum value of 255.

Protocol of course specifies the protocol being used underneath. 6 is used for TCP, 17 for UDP. In Linux, we have predefined constants for those in
. We shall use them, and you will know which means what.

Header checksum is the checksum generated taking into consideration, the size of the total packet. The algorithm for that is specified in the rfc, and corresponding algorithm in C is given below.

Source address is of course the originating source IP address, that we are going to mess with here. It is 32 bits long, and has the usual four different octets. It's a long story and I won't get into it here. Read rfcs for those too.

Destination address is the destination IP address.


NOTE: Before I go any further, I shall explain the octet arrangement issue. The byte arrangement in the network is always BIG ENDIAN. For those that don't know what this means, BIG ENDIAN byte arrangement is that, where the least significant byte comes last. In LITTLE ENDIAN, exactly the opposite happens. The MSB comes last, and that's exactly the byte representation on our Intel mocroprocessors. All the fields must be changed in the network byte order for further processing etc. There are functions for that, like htons() host to network short, htonl() host to network long, ntohs() network to host short, ntohl() network to host long.

For address conversion, from a string like “65.34.223.4” to the corresponding numeric format, we have function like inet_addr() and inet_aton(). For the opposite, we have the function inet_ntoa(). The inet_aton() will convert into network byte order, so that you don't have to worry about the byte order. But the inet_ntoa() requires the argument to be in network byte order.

THE UDP HEADER

The UDP header is simple, (one of the reasons I chose it here) as it has only four fields.


0 7 8 15 16 23 24 31
+--------+--------+--------+--------+
| Source | Destination |
| Port | Port |
+--------+--------+--------+--------+
| | |
| Length | Checksum |
+--------+--------+--------+--------+
|
| data octets ...
+---------------- ...

The fields given here are self explanatory, and I believe they need no further explanation. But you'd need to change the PORT numbers to network byte order with inet_ntoa.

Okay, so here we are, having done with the tedious work of knowing the theory of the network packets, now we'll delve into the program. As you have noticed, I have not included enough comments in the code. I have a special reason behind that. Figuring out what's happening inside, is upto you. If you're unable to understand what the hell is going on, do leave me a comment and I'll explain. Also, I have included a server program, that tells UTC time, so that you can test the packet forging program. The server also runs on UDP (without a doubt).

THE CODE



/*
* rawudp.c
*
* The raw UDP packet forging utility
* Author: Xtreme Great
* Disclaimer:
* This program is for educational purposes only
* Any misuse of this program is not the author's
* intent. I hereby disclaim any responsibility
* for any kind of damage this program may cause
* in any way or any manner. The author shall not
* be responsible for any damage this program may
* cause.
*/


#define __USE_BSD
#include<sys/socket.h>
#include<sys/types.h>
#include<netinet/ip.h>
#include<netinet/in.h>
#include<arpa/inet.h>
#define __FAVOR_BSD
#include<netinet/udp.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<strings.h>

#define SRC "3.3.3.3"
#define DEST "127.0.0.1"
#define PORT 7000
#define PAYLOAD "hello me msg"

unsigned short
csum(unsigned short *buf, int nwords){
unsigned long
sum;
for
(sum=0; nwords>0; nwords--)
sum += *buf++;
sum = (sum >> 16) + (sum &0xffff);
sum += (sum >> 16);
return
(unsigned short)(~sum);
}


int
main(){
struct
sockaddr_in srvr_addr;
unsigned char
buffer[4096], x, *data = PAYLOAD;
struct
ip *iphdr = (struct ip *)buffer;
struct
udphdr *udphead = (struct udphdr *)(buffer + sizeof(struct ip));
int
sockfd, one =1, i;
const
int *val = &one;

if
((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP)) == -1){
perror("socket() failed");
exit(-1);
}


srvr_addr.sin_family = AF_INET;
srvr_addr.sin_addr.s_addr = inet_addr(DEST);
srvr_addr.sin_port = htons(PORT);
memset(&(srvr_addr.sin_zero), 0, 8);
bzero(buffer, 4096);

iphdr->ip_v = 4;
iphdr->ip_hl = 5;
iphdr->ip_id = htonl(54321);
iphdr->ip_tos = 0;
iphdr->ip_off = 0;
iphdr->ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + strlen(data));
iphdr->ip_ttl = 255;
iphdr->ip_p = 17;
iphdr->ip_src.s_addr = inet_addr(SRC);
iphdr->ip_dst.s_addr = srvr_addr.sin_addr.s_addr;


udphead->uh_sport = htons(46544);
udphead->uh_dport = htons(PORT);
udphead->uh_ulen = htons(sizeof(struct udphdr)+strlen(data));
udphead->uh_sum = htons(csum((unsigned short *)buffer, sizeof(struct ip) + sizeof(struct udphdr) + strlen(data)));
iphdr->ip_sum = htons(csum((unsigned short *)buffer, sizeof(struct ip) + sizeof(struct udphdr) + strlen(data)));

if
(setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, val, sizeof(one)) < 0){
perror("setsockopt() error");
exit(-1);
}


memcpy((char *)(buffer + sizeof(struct ip) + sizeof(struct udphdr)), data, strlen(data));

if
(sendto(sockfd, buffer, ntohs(iphdr->ip_len), 0, (struct sockaddr *)&srvr_addr, sizeof(srvr_addr)) < 0){
perror("sendto() error");
exit(-1);
}


printf("0x\tPrinting hex dump of the packet.\tx0\n");

for
(i=0; i<ntohs(iphdr->ip_len); i++){
x = buffer[i];
printf("%x", x);
}


printf("\nPacket sent.\n");
close(sockfd);
exit(0);
}









/*
* udpdaytimeserver.c
*
* The UDP day time server
* Author: Xtreme Great
* Written as a part of the summer holidays self training.
* This is a day time server based on the UDP protocol,
* which is an iterative and concurrent server.
* when given any arbitrary message in UDP on the specified
* PORT, the server will provide the current Greenwich Mean
* Time.
* Disclaimer:
* This program is for educational purposes only
* Any misuse of this program is not the author's
* intent. I hereby disclaim any responsibility
* for any kind of damage this program may cause
* in any way or any manner. The author shall not
* be responsible for any damage, or any consequences
* thereof, this program may cause.
*/


#include<sys/socket.h>
#include<sys/types.h>
#include<netinet/in.h>
#include<unistd.h>
#include<stdio.h>
#include<string.h>
#include<stdlib.h>

#define PORT 7000

int
main(){
int
sockfd, size, f;
struct
sockaddr_in my_addr, clnt_addr;
char
*address, *cnow, buf[20];
time_t now;

printf("All systems up and running.\nInitiating server setup sequence.\n");

if
((sockfd=socket(AF_INET, SOCK_DGRAM, 0))==-1){
printf("socket() error ");
exit(-1);
}


my_addr.sin_family = AF_INET;
my_addr.sin_addr.s_addr = INADDR_ANY;
my_addr.sin_port = htons(PORT);
memset(&(my_addr.sin_zero), 0, 8);

if
(bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1){

perror("bind() failed");
exit(-1);
}


printf("UDP Day time server listening on port number %d\nPress Ctrl+C to quit.\n\n", ntohs(my_addr.sin_port));

wait4conn:

clnt_addr.sin_family = AF_INET;
clnt_addr.sin_addr.s_addr = INADDR_ANY;
clnt_addr.sin_port = htons(0);
memset(&(clnt_addr.sin_zero), 0, 8);
memset(buf, 0, 20);
size = sizeof(struct sockaddr);

if
(recvfrom(sockfd, (char *)buf, 20, 0, (struct sockaddr *)&clnt_addr, &size) == -1){
perror("recvfrom() failed.");
exit(-1);
}


if
((f = fork()) == -1){
perror("fork() failed.");
exit(-1);
}


if
(f == 0){
printf("Received %s from %s\n", buf, inet_ntoa(clnt_addr.sin_addr.s_addr));
time(&now);
now -= 19800;
cnow = (char *)ctime(&now);
printf("Sending time.\n%s", cnow);
sendto(sockfd, cnow, strlen(cnow), 0, (struct sockaddr *)&clnt_addr, sizeof(struct sockaddr));
printf("Time sent.\n\n");
}


goto
wait4conn;

close(sockfd);

exit(0);
}


NEXT UP

Next up would be a udp and a tcp packet sniffer, that is two packet sniffers, followed by a brief theory of packet sniffing. But that's going to take about a few more hours (maybe 24 or so). Keep checking.



Tuesday, May 6, 2008

Encryption to the rescue


Privacy has been the prime requirement for the modern day man. We ofter hear - Privacy is dead. Is it? To some extent though it is, but the reason is not those that made it die, but those that left their privacy wide open to all. Privacy is there, as long as you let it be.

Today's cyber world is filled with prying eyes, with people trying to know about you. The information they will try to gather ranges from your email id, passwords, your emails etc. This post will try and concentrate on the email privacy stuff.

Email privacy has been a concern, ever since email became reality. Emails started back in the eighties. The thing that concerns us is that whenever we send mail, it passes through a number of routers, that come in between the smtp server and the pop server. Many routers will make a local copy of these data, and store them for further retrieval. In many places, in cyber cafes, keyloggers would be common, that not only log your passwords, but whatever you type in the keyboard. In short, it will monitor your site visits, your passwords, your emails and what not. Most of this is done due to Government implementations, others for private misuse purposes. But we can actually prevent all this, if we take certain measures.

Email encryption has been around for a long time now, but still there are many that would prefer to send unencrypted messages, unknowing that they can be sniffed in between, used for various other purposes like privacy theft, identity theft etc. But with 4096 bits encryption around, if the misuser does not possess a set of a few supercomputers, there is no way to break the encryption.

One can use the various applications for the encryption and then use a mailer to send the mails through smtp servers. In present date, most mail servers are free and most of them won't allow pop access to mails, unless you upgrade to premium accounts, for which you'd have to pay. Gmail is the only provider, that I know, provides POP as well as IMAP access for free. As for the encryption application, one can use GNU's Privacy Guard the GNUpg and for the mailer application, one can use the MS Outlook, if one uses windows, or the Mozilla Thunderbird or Sea Monkey. I'd suggest Thunderbird, for it's free and it has less bugs as compared to the "MICROSOFT" Outlook. If using Thunderbird, one can use the Enigma Add-On, available on mozilla's site (www.mozilla.org).

All the encryption algorithms will have two keys. One will be the Private key, and the other will be the Public key. While they are generated, the application may ask you to move your mouse or type random things on the keyboard or surf the internet or do disk intensive tasks. This is, so that it can generate random key, that is hard to guess. The public key is used to encrypt the message and the private key is used to decrypt it. After the generation, you will need to distribute the public key, or store it in some website or something. Keep the Private key secure with you.

If you have any problem regarding the setting up of the mailer or regarding the encryption algorithms, mail me and I'd be more than happy to help.

If you have some sensitive mail, that may harm mine or your privacy, consider encrypting your message using my public key available here.

Monday, March 10, 2008

Talking with your dial up modem

Written by
Xtreme Great
(for k0r0pt)

::=::Introduction::=::

Have you EVER wondered about controlling your dial up modem with your own two hands and ten fingers? If not, then it is the right time to plug in your telephone wire in your modem port, and get started in an adventure, that you’ll never forget.

Well, that was the starting lines of some dumb TV serial. This one is way more than a sucking adventure.

::=::The modem::=::

The modem, as we all must know, is a device that is used to connect to the Internet. You connect your telephone line in the modem port, start up some dialer, and dial right to your ISP, and hurray, you’re connected to the Internet, and you start wondering what to do next.

In this article, it is good to start thinking how all this dialing and stuff takes place, because that is what this entire article is about.

The modem, like any other thing connected as your peripherals is a piece of circuitry and nothing more. Well, it’s a bit more than that, if taken into consideration, its uses. The connecting to the Internet is the most obvious use today, but in olden days, it was used in other purposes as well. One would be, well, to chat. You dial to your friend’s telephone number, and that is connected to his computer. He accepts the call, and you two start chatting with your keyboards.

::=::The working::=::

The modem accepts what we call commands. I have been dying to know about the details of this thing. After a lot of research, I could figure out a lot about this piece of shit I checked out the device manager on a windows machine, where querying the modem was supported. I built logs from the queries, (whose option was available there. So, don't get heralded over how I did it) and got into the details of the commands there. I tried to interpret all the details from the conversation between my OS and my hardware and figured out the following:

Every command started with the alphabets AT, except for the abort command, which is a simple character return <cr> (ASCII character 15).

The modem responds as follows:

<cr>RESPONSE<cr>

And best of all, the modem can be directly controlled from your programs, if you know which port it resides in. Also, you’ve got to know a bit of programming (How do you think you are going to program, if you don't know it?), and most importantly, the commands relating to the modem. At the end of this document, I have appended a small basic program, which demonstrates how you can use the modem directly from your programs.

AT Initialize the modem. I have also seen ATZ here.

ATM1 Turns on the modem speaker

ATH# Hang up the modem. The # is a number. Don't know its purpose. Seen a 0 there, while reading about the ATH0 DoS.

at#ud Enable diagnostic info

ATDT###### Dial a number. #es being the phone number. A blocking signal can be given to the modem, if a *67 is refixed to the phone number. Don't know what it does. The T in the end specifies that dialling is to be done in tone mode. If the T is replaced by a P, then the modem will dial in pulse mode.

ATL# Set the loudness of the modem speaker. Hash being a number. 5, prrobably, the loudest.

<cr> Abort some given command. Typically useful in hanging up, when already dialing.

-----Unresolved commands-----

Well, the following are the commands, which I was unable to figure out:

AT&FE0V1S0=0&C1&D2+MR=2;+DR=1;+ER=1;W2 ATS7=60S30=0L2M1+ES=3,0,2;+DS=3;+DS44=3;+IFC=2,2;X4

at+vcid=1

ATS0=0

::=::The program::=::

The key to control the device is to treat is like a port. In my machine, it is on the COM3 port. In your machine it would be something else. To know which port it is on, just check out your device manager in windows. In case of Linux, it would be in the /dev folder. I don’t know much about it in Linux. My modem is not supported in any distro, and I had Ethernet connectivity, so I didn’t think much about it.

I give a simple basic program here. You can make the same program in any language, if you understand how I am doing it here. Just use the device port as a file.

To compile and run it, just get quick basic(windows) and Free Basic(windows and *nix) from somewhere, and get started. This one here is to dial in to a computer only. To make a full fledged chat program, you need to spend about half of an hour. I leave that on to you. The following program is for Windows. You can infer that because I am using a COM port.


CLS
PRINT "Opening a path to your modem..."
OPEN "COM1:9600,N,8,1,RB7048,TB7048" FOR RANDOM AS #1
PRINT "Please enter the phone number you wish to call"
INPUT PhoneNumber$
PRINT "Talking to your modem..."
PRINT #1, "ATDP"; PhoneNumber$
PRINT "There you go, pick up the phone and talk! Or type something out"
PRINT "Press the ESC key to hang up!"
DO
LOOP UNTIL INKEY$ = CHR$(27)
PRINT #1, "ATZ"

I have used Pulse Dialing, as my telephone line didn’t support Tone dialing. If your line supports Tone dialing, do that. It’s faster.

::=::Epilogue::=::

This concludes the end of the article. If you have any doubts, I’d be more than happy to help you. Just leave a comment. If you like that, leave a comment, and that will help me write more interesting articles like this. If you don’t like this, leave a comment, and that will help me correct my mistakes.

Sunday, March 9, 2008

A Unicode chart generator

Written by
Xtreme Great
(for k0r0pt)

For those of you, that want a complete unicode chart, well why not just generate your own, that will have all possible unicode characters. Here goes a simple C program, that will generate an HTML file showing all unicode characters that can be.

#include<stdio.h>

int main(){
unsigned long i;
printf("<html><head><title>The complete character chart"
"<body><font size=13>");
for(i=0; i<=65535; i++)
printf("%ld: &#%ld <br>", i, i);
printf("</span></body></html>");
return 0;
}

Make this file and then execute it from the command line. While execution, just pipe out the output to an external file, say ucc.htm. This will generate a 1.16MB html file. If you don't know how to pipe out the output to a file, just leave a comment. This html file will contain all possible unicode charaters. If it shows question marks or Boxes, just change the encoding to Unicode(UTF-8), as directed in the previous post.

This however shows abnormal behavior after 8238, in the sense that the numbers are written from right to left rather than left to right. That is after 8238, comes 9328. Read that in the other direction. In many, the character is written first and the number after that. I believe this is caused due to some cr or lf or something.

Before I finish, I'd give one more advice. Don't get freaked out, if your browser stops responding. Instead wait for some time. It will get okay. It's doing that because of the huge size of the file, that it normally doesn't encounter in normal cases. Happy unicoding...

Saturday, March 8, 2008

The character power unleashed

Written by
Xtreme Great
(for k0r0pt)

Introduction


The ASCII characters were invented, to give the world a way to write. But, soon it was realized, that a more vast and varied character set has to be incorporated, in order to meet the needs of various scripts around the globe. So, the UNICODE came into picture.

Tech details

Whereas the ASCII character is one byte long, the Unicode is two bytes long. That means, where the ASCII can store 256 characters at max, Unicode can store 65536 characters. This gives enough space to incorporate all the possible characters in any language.

More details


Here, I shall use Unicode characters to display some bangla characters. If you don't see them or see some boxes or question marks, try changing the character encoding of your browser to Unicode (UTF-8). In Firefox, it will be under the View menu. In Internet Explorer, it will be in the right click menu.


আমার নাম সুদীপ্ত

That of course means, my name is "you know what...". Now I am not going to tell you how I did that. If you really want to know, check out the page source. All I can tell here, is that I directly used the codes for the characters. You can possibly create any kind of character using Unicode. Just use your imagination. You of course, do need to have the Character chart. You can print, say, chess characters, or even a chess board, using Unicode.















So you see, Unicode gives us the ultimate power needed to write anything we want.


For Programmers

Unicode has been utilized in programming languages as well. The wide character functions like wprintf(), wscanf() etc would carry out operations in wide characters, of which Unicode is the most prevalent type. I won't go into details of those here. It will a long one that way. If you really need to know, just Google it out. You'd find answers. In Windows, Unicode is supported in many applications. All browsers of present day are Unicode compatible. So the next time you need to write out something regional in your program, do use these functions.

Epilogue

Well, that's all folks! Happy Unicoding.

Sunday, March 2, 2008

The ATM card



Written by
Xtreme Great
(for k0r0pt)
(no copying please)

Disclaimer

This document is for informational purposes only. I do not condone any form of fraud or deceit or any exploit carried out as a result of this document. So, I cannot be held responsible for any act carried out by you or the consequences thereof. Use this document to learn. To explore and not to exploit. And beware if you land doing any shit with this, you're gonna land your ass in trouble. And also remember, that it is the case with banks, so if you do something really stupid and serious, the cops will definitely ram your ass. Better look out.

Introduction

How often, in your life have you thought about cracking into someone's bank account? How much have you wondered about the infinite possibilities of doing so. How deep have you delved into the sea of "possibilities"?

I'm going to tell you one aspect of the securities of bank accounts in present day life. Remember, NOTHING is foolproof. Everything can be broken. In today's world of cyber banking, nothing is safe. There is no security. No privacy. Everything is publicized, without of course, the prior knowledge of the VICTIMS. We expose our information, every time we buy something from the Internet, or give our Credit card numbers. What is the guarantee that the credit card database won't be cracked? There is no guarantee. There is only HOPE, and trust me, HOPES never work out. So, the end users are the ultimate losers.

In this post, I'll shed some light on ATM card hacking.

ATM's are the most widely used cash money machines around. They'd handle thousands of transactions every single day. A single card holds the key to all of your money. And that card is protected by only one key - The PIN, and that too is only 4 digits long, and if we'd calculate the permutation, there are only 10^4 possible combinations, which can be cracked "very" easily, provided we have the card. Now, how the fuck would someone crack the PIN from a card, you may ask, and I say, why not? Broaden your point of view. The answer lies right in front of you. You're not noticing it though. Every magnetic card, in today's world, works on a single basis - Magnet. Magnets are all around - in your hard disk, your cassette tapes, your DATs, your Floppy disks, Your Debit card, your ATM card. Not only is it possible to read out and crack PINs from ATM cards, but also, it is possible to MAKE your own ATM card, with a card writer, which is of course quite costly. Now, we'd delve a bit more deeper into the world of magnetic cards.

But before I go any further, I'll assure you that there are thousands of other articles out there, that will tell you the same thing. I will only tell you what to do to do what they say, in addition.

Techstuff

All the magnetic cards have what "they" (the makers) call tracks. Tracks are nothing, but tracks (don't ask me again), of magnets that contain data. There are three standard tracks. Track one, track two and (you guessed it) track three. These tracks contain different kinds of information.
The information is stored in different formats. But first, I'd tell how to read all those 1's and 0's from the cards. After all, that's what we're upto. These 1's and 0's are our business... When we read a card with a card reader (when I say card, I mean magnetic card, so don't get confused again) we get voltages. High voltage obviously means a 1, and low means 0. These voltages would be produced due to electromagnetic induction. If you don't know what this is, try googling it. After this, you'd get some voltages. When you stripe your card against the read head (I used a tape player read head. Search for them, and you'd definitely get one around. If not, try going to some radio shack store), remember that in the ATMs, the card get read, when you pull the card outside, not when you push it inside. So, if your magstripe is facing upwards and away from you, you stripe it right to left. Here, you'd get two types of frequencies. Remember, when I mean frequency, I mean the width between two waves, that you'd get, not the height of the waves, which is the amplitude. The frequency for a one, will always be double the frequency for a 0. Thus, we can read either of the three tracks. But how do we know which track we've read? The positions of tracks is standardized, with respect to the edge of the card.

As you can see the positions of the three tracks, with respect to the edge of the card, you can easily construct a card reader, and start reading your card right away. Now, we get to the nitty gritty details of the hardware and software parts. This is where the Computer comes into play.

The Hardware

For the hardware part, as I already said, all you need to get is a card reader, lying around somewhere in your basement or something. Then solder that thing's end terminals to a copper wire and attach it to a mono jack, that can be inserted in your computer microphone slot.

The software

Assuming you've got the hardware, Let's leap to the software. There are two ways for all hackers, when it comes to softwares. Either fetch some software made by some other person, or make your own. Well, the former is the case with most of the people around. But believe me. The true hacker, will go to every nitty gritty detail of everything, spend night after night, reading out man pages, and make the software him/herself (in case there are female hackers around). With the details I've given and that I am about to give, anyone could build that program to read magnetic stripes and dig out information. There are two ways. Either you make a microphone reader program, or you can make a program, that will read out a wave file, that contains the information of the card recorded in it, and give out the information.

Getting back to the main discussion, the magnetic card does have three tracks, the tracks have information coded as 1's and 0's. Now we get to interpreting those information. There are two standard formats used to encode data on cards The ANSI/ISO BCD Data Format and ANSI/ISO Alpha Data Format.

You must find the information regarding these standards yourself. C'mon if I give you all the details, what would you do?

The last two tracks are encoded by the BCD format, and the First one, by the Alpha standard. The second track is generally used to store information regarding the account thing. The first track contains information about the owner's name. The densities and number of characters per track are:

1st track: 210 bpi 79 characters
2nd track: 75 bpi 40 characters
3rd track: 210 bpi 107 characters

The 3rd track is generally, rarely used in any type of card. These standards also apply to all sorts of Credit cards, Debit cards, Metro Cards and whatever cards you can imagine. The deviation from the standards can also be there in particular case, for example, in case of Hotel room cards, that give you access to hotel rooms.

Epilogue

Well then, that's all the information I could give you. It's not enough, but still more than enough. Happy exploring, and remember not to do anything stupid. Till next time...

Wednesday, February 27, 2008

Title changed stuff all the same

All visitors, The HCl is now k0r0pt. Well, it means nothing, but that's what I am now.
:)
A new member is about to join me soon.

Tuesday, February 26, 2008

Playing with the stack


Flaws in a connected world

-Xtreme

Introduction

Look around you. You’ll probably see a computer somewhere. No? Well, keep looking, you’ll get one. It is needless to say that the world of computers is a vast one. What I shall describe here is a drop of water in a huge ocean. The computer world, although has improved our lives to some extent, but has on the other hand, taken away our privacy and security.

Here, I am about to describe flaws in any computer program. Programs are the real working components of the computers. Now, without any more crap, I shall jump to the main section. Whatever I shall describe here, is meant with GNU/Linux. So, a minimal idea of GNU/Linux is required. Knowledge of C and Linux assembly will be helpful in understanding this text.

To read the best article of all times, in stack smashing, read Aleph One’s Smashing the Stack

The computer program

The computer program is stored in what is called computer memory. The computer memory is nothing but flip-flops integrated in a single small circuit. A recent memory circuit is capable of storing up to 8*(1024)^3 bits, and that’s 8589934592 1’s and 0’s. Huge indeed.

The computer program structure

A computer program, when executed, is loaded into the memory of the computer memory, and every instruction is executed with the help of registers like PC, AC, BI, IC … oh there are so many, I can’t even remember them :)

The memory allocated to a certain program is mainly divided into four parts

  1. Stack: The stack is that part of the memory of the program, where all local variables are stored. The parameters of function calls are also stored in this very place of memory. It is, as a matter of fact, my personal favorite memory area. You’ll know why.

  1. Data segment: This area contains all constants initialized by the programmer. As an example, a constant declared by

char *s = “Hello”;

will be stored in the data segment.

  1. BSS segment: The term BSS stands for Block Started By Symbol and contains all uninitialized and declared variables. This segment starts at the end of Data segment, and contains all global uninitialized variables. For example, a global declared by static int x; will be stored in the BSS segment.

  1. Heap: The heap starts after that, and grows to higher memories. It is managed by functions like malloc, calloc, realloc and free, which use the brk and sbrk system calls, to adjust its size.

The complete discussion is out of the scope of this document. We shall concentrate on the Stack. This is the memory location, which can actually be exploited. Yes, now I am going to tell how those exploit writers write those elusive exploits and make any computer do anything they want. The amount of power these exploits can give is enormous. These give us power to control anything around the globe, as everything is computerized nowadays.

Function calls

When a function is called in a program, first, it pushes all the arguments in the reverse order. This means, that the last argument is pushed in the stack first, as the stack follows the LIFO technique. Then, to actually make the control jump to the memory where the function is stored, the call instruction is used. The call instruction automatically pushes the return address onto the stack. So, now the structure of the memory is as given below

_____________ <----------- %esp

|_return address_|

|__argument1___|

|__argument2___|

|__argument3___|

| . |

| . |

| . |

|__argumentn___|

The function, which is called, then pops out those arguments. But first, it pushes the %ebp register into the stack. That is, it saves the %ebp register to the stack. It is done, because it is in the Intel architecture, that a function can change any register, but it must save the %ebp register. The %ebp register is the Extended Base Pointer register. It is called extended, because in modern machines, these registers are 32 bit long. So, they are called extended. Similarly the Accumulator would be designated by %eax instead of the traditional ax. The % sign is used to tell the assembler, that it is a register. The next instruction makes the program, save the %esp to %ebp, so that %ebp now points to the place, where the old %ebp is stored. This is done, because the %esp changes its position, and so it is hard to reference memory locations with that.

The stack pointer register %esp “always” points to the top of the stack. The function then allocates space for local variables, by subtracting a certain number of bytes from the current stack pointer's location. So, now, the stack looks somewhat like this:

______________ <----------- %esp

|_localvariables_|

.

.

.

______ . ______

|___old %ebp___| <----------- %ebp

|_return address_|

|__argument1___|

|__argument2___|

|__argument3___|

| . |

| . |

| . |

|__argumentn___|

Examples

Example1:

In the first example, I shall show how to access the return address, and eventually, change that to execute any other code.

/*

*example3.c

*/

#include

void function(int a, int b, int c) {

char buffer1[5];

char buffer2[10];

int *ret;

ret = buffer1 + 13;

(*ret) += 7;

}

int main() {

int x;

x = 0;

function(1,2,3);

x = 1;

printf("%d\n",x);

}

xtreme@linux-cr15:~/bufferoverflow> gcc example3.c -o example

example3.c: In function ‘function’:

example3.c:8: warning: assignment from incompatible pointer type

In this program, all I am doing, is making the program skip the x=1; assignment statement.

xtreme@linux-cr15:~/bufferoverflow> ./example3

0

Looks like it works! Here's how I do this: the assignment statement is actually 7 bytes long (don't ask how I knew that. It was a lot of pain ... to get to know that). What I am doing, is making the buffer1 pointer, point to the return address. Now, why did I add 13 to buffer1? The answer follows. The stack, after the function call, would look like this in this program:

93 |_unused memory|

109 |_buffer2_______|

119 |_buffer1_______|

124 |__empty_______|

128 |__old %ebp____|

132 |_return address_|

Now, you'd ask where did I know it from? Well, I just disassembled it using the GNU Debugger.

xtreme@linux-cr15:~/bufferoverflow> gdb example3

GNU gdb 6.5

Copyright (C) 2006 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB. Type "show warranty" for details.

This GDB was configured as "i586-suse-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) disas function

Dump of assembler code for function function:

0x080483b4 : push %ebp

0x080483b5 : mov %esp,%ebp

0x080483b7 : sub $0x20,%esp

0x080483ba : lea 0xfffffff7(%ebp),%eax

0x080483bd : add $0xd,%eax

0x080483c0 : mov %eax,0xfffffffc(%ebp)

0x080483c3 : mov 0xfffffffc(%ebp),%eax

0x080483c6 : mov (%eax),%eax

0x080483c8 : lea 0x7(%eax),%edx

0x080483cb : mov 0xfffffffc(%ebp),%eax

0x080483ce : mov %edx,(%eax)

0x080483d0 : leave

0x080483d1 : ret

End of assembler dump.

The lea instruction is loading the address %ebp-9, which stores the buffer1. That is, we load the address of buffer1 into the accumulator and then add 0xd to it. Why 0xd? because, this is where the return address is stored. The buffer1 array is 5 bytes long, the old %ebp is one word long (the word length in a 32 bit computer is 32 bits long). And the empty word (the empty word is kept, due to security considerations). So, the offset of the return address from buffer1 is 5+4+4=13=0xd. We make ret point to this place. Then, we increment the value at ret, by 7, so that the return address is the address of the printf function's calling instructions, in which we are pushing in the arguments. So, x is never set to 1, and 0 is printed, when we print x.

Example 2:

Now we jump to some real l33t stuff. We shall jump to raw hex codes, which is the hex representation of the binary code, the way it is all stored in the computer – My favorite form. :)

Here is where I shall introduce “thou” to the SHELLCODES - The potential threat software security in my world. SHELLCODES are codes in raw hex form. For this, we shall do two things, first, we shall make a program in assembly, that will exit the program. The return statement does the same thing in C. We'll set the return code to 0, which will be equivalent to return 0;. And second, we shall make a program, which will jump control to a string. That is, which will edit the return address to the address of a string. This string will actually store the code we shall construct in the first step. This code is what we call shellcode.

#exit.asm

.section .data

.section .text

.globl _start

_start:

mov $1, %eax

mov $0, %ebx

int $0x80

xtreme@linux-cr15:~/bufferoverflow> as exit.asm -o exit.o

xtreme@linux-cr15:~/bufferoverflow> ld exit.o -o exit

xtreme@linux-cr15:~/bufferoverflow> ./exit

xtreme@linux-cr15:~/bufferoverflow> echo $?

0

xtreme@linux-cr15:~/bufferoverflow>

What we do here is something like this. The # is used to specify that it is a comment. The .data is the representator of the data segment. Here we normally declare the global variables. We don't have any here. The real stuff start in the _start label. We move the value 1 to %eax, which is the register used to specify what operation we want to execute, when we call the interrupt 0x80. Then, we move 0 to %ebx, which is the return code here. And after that, call the interrupt 0x80. The bla-bla after the file is what I have done in the terminal. I first assemble exit.asm to exit.o, which is the object code. Then I link the exit.o to exit. Then I execute the program exit with the ./ to specify that it is the exit program in the current directory, and not the normal exit command, which exits me out of the terminal. The echo is a function in the shell, which is used to print things. The $? is a variable, that stores the return code of a program, that recently exited. We see it's 0. So, we know, that it is working well. Well, this is how things work in linux, and I really like it this way ;)

Now, we proceed to obtain the hex code of the executable. We use the objdump utility for this, with the -d option, which tells it that the file argument has to be disassembled.

xtreme@linux-cr15:~/bufferoverflow> objdump -d exit

exit: file format elf32-i386

Disassembly of section .text:

08048054 <_start>:

8048054: b8 01 00 00 00 mov $0x1,%eax

8048059: bb 00 00 00 00 mov $0x0,%ebx

804805e: cd 80 int $0x80

xtreme@linux-cr15:~/bufferoverflow>

Now, you'd ask, how do we represent all this in the string. The hex numbers at the left side of the assembly code, is the equivalent hex code for the instruction. The mov $0x1, %eax has the hex code b8 01 00 00 00. Every hex number is a nibble long, as all must know, so the b8 is a byte long, and the instruction is 5 bytes long. The whole hex code is thus b801000000bb00000000cd80. To represent the hex code in a string, there are two ways. First, find out an ascii table lying around somewhere in your room, and then find the ascii characters from the table for b8, 01 etc. It's a tiresome way. The other method is to write out the hex code in the string itself using \x prefix, to specify that it is a hex code, and it is how it has to be stored in the memory. So, the string would be “\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80”.

But hey, did you notice something? We have 0's in the code, but 0's mark the end of strings in the machine. It won't take anything after the 0. It's not going to work. So, we need to find some alternative to all this, so that we can take care of all these 0's. What do we do? We develop better code.

Now, it's thinking time...

If we xor a number with itself, we get 0. xor yields 1, if and only if the two numbers are different.

So, we xor out eax and ebx and put a 1 in the lowermost byte of accumulator register, to make %eax 1, and then call the interrupt.

#exit.asm

.section .data

.section .text

.globl _start

_start:

xorl %eax, %eax

mov $1, %al

xorl %ebx, %ebx

int $0x80

Notice, that here we have used mov and not movl. The movl instruction stands for move a long value, while mov, here will move a byte. The xorl similarly means xor out two long values. The long is 4 bytes long, independent of what the bus width is in the computer. That is, it is 32 bits in a 16 bit computer or in a 32 bit computer. Now, we assemble and link the program and then execute it.

xtreme@linux-cr15:~/bufferoverflow> as exit.asm -o exit.o

xtreme@linux-cr15:~/bufferoverflow> ld exit.o -o exit

xtreme@linux-cr15:~/bufferoverflow> ./exit

xtreme@linux-cr15:~/bufferoverflow> echo $?

0

xtreme@linux-cr15:~/bufferoverflow>

Okay, it works! Now, we get the hex code.

xtreme@linux-cr15:~/bufferoverflow> objdump -d exit

exit: file format elf32-i386

Disassembly of section .text:

08048054 <_start>:

8048054: 31 c0 xor %eax,%eax

8048056: b0 01 mov $0x1,%al

8048058: 31 db xor %ebx,%ebx

804805a: cd 80 int $0x80

xtreme@linux-cr15:~/bufferoverflow>

See, the 0 bytes are gone. Now, we can safely frame a string, that will contain the shellcode, and then execute it. The string now becomes “\x31\xc0\xb0\x01\x31\xdb\xcd\x80”. Much smaller and much better than the previous.

Now, we move on to the second step, where, we create a program, that returns control to a string, which actually contains the code we just generated. But, before I go any further, I'd like to tell, why I have used the trick in a function, when I could have done it in the main function as well. This is because, after getting wary of the security flaws of this type, compiler developers have come up with method to change the memory of the stack in case of main, in such a way, that the return address is somewhere totally separate from the location of the variables. It is done, so that we cannot access the return address directly. But the functions are still made the same old way. The millions of other manuals that you'll find out there are the classic one's written in olden times. So, don't get frustrated or angry, when they don't work on your computer. They aren't wrong. They're just “old”. One such is the “Smashing the stack” by Aleph One, written out in 1996, for an underground magazine. So, here's the program.

/*

* xxx.c

*/

char shellcode[] = “\x31\xc0\xb0\x01\x31\xdb\xcd\x80”;

void func(){

int *ret;

ret = (int *)&ret + 2;

(*ret) = (int)shellcode;

}

int main() {

func();

return 1;

}

Here, the main trick is being executed in the func function, where we access the return address. Let's delve deeper in this. We declare a pointer in here. Remember, that the pointer is also in the stack. What I mean to say, is that the address of the pointer is in the stack itself. This pointer again stores some other address and thus, “points” to that particular address. The pointer is of integer type, so that it consumes one word, that is 32 bits. “Why 32 bits”, you may ask, “when I know that integers are 16 bits long?” Well, my dear friend, what you have studied is DOS based C. It's the turbo C stuff, which was used in old computers, and generated 16 bit executables. That was used in 16 bit computers. Nowadays, what we use are 32 bit computers. Here, integers are 32 bits long. In AMD Athlon processors or the Intel Xeon processors, which are 64 bit processors, the integer or the word length is 64 bits. So, when we add 2 to ret, we are actually adding 8 bytes to it. Why 8? Because this is where the return address is stored. When we declare a pointer, it points to itself. Now, after the pointer, we have the old %ebp, immediately after which, we have the return address stored. So adding 8 to the current location of ret will get us to the return address. Then we make the value at the address ret the address of the string shellcode. So, when this function returns, control jumps to the string, rather than, back to main.

Now, we shall compile and execute this piece of code. If it works, then we should get a return code of 0. And if not, we should get a return code 1.

xtreme@linux-cr15:~/bufferoverflow> gcc xxx.c -o xxx

xtreme@linux-cr15:~/bufferoverflow> ./xxx

xtreme@linux-cr15:~/bufferoverflow> echo $?

0

xtreme@linux-cr15:~/bufferoverflow>

So, we see, that the shellcode has worked after all! We have made it return 0.

Well, this is all of my research. This, I must say is what you will find in many articles lying out there. The only difference being my own research. The fact that main's address is changed being one of them. This is only the beginning of the work. It is only the tip of the iceberg, the real culprit is still not visible. A lot more has already been done in the fields of shellcodes. With time and research, more and more powerful shellcodes will be developed. I shan't write any longer due to the limitations of our magazine's size. Any more discussion would simply mean a whole book!