Assignments of day 4 in week #2

More examples of remote root exploit through buffer overflow

Last Updated : Friday, 12-Apr-2002 15:30:47 HKT

  1. QPOP 3.0beta AUTH remote root stack overflow
    1. At your host, tcpdump the port 110 traffic
       tcpdump -s 2000 -w pop3dump port 110 

    2. Temporarily install the unpatched popper
       cp /usr/local2/wsh/bo/popper.vul /usr/sbin/popper 
    3. Edit /etc/inetd.conf to add the following line.
      pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  popper 

    4. Reload inetd by
       /etc/rc.d/init.d/inet reload 

    5. Try to break into your host from your partner's host

      1. ssh to your partner's host and try to break into your host via the QPOP AUTH remote root stack overflow vulnerability
         /usr/local2/wsh/bo/bopop yourhost 

        Type the "whoami" and "hostname" commands to confirm your break-in once you get a root shell on your host.

        Type some commands in the root shell, say "cat /etc/shadow".

      2. Edit /etc/inetd.conf to comment out the pop-3 line so as to shut down the POP3 port

      3. Reload inetd again by
         /etc/rc.d/init.d/inet reload 

      4. Stop the tcpdump and review the dump file with snort
         /usr/local2/bin/snort -devr pop3dump |more 

        Save this dump file. You may need it for a later assignment.

    6. Analyse your break-in

      1. Identify the hacking pattern and signature of the POP3 AUTH remote root stack overflow attack
      2. What brute-forcing offset did the attack program use?
      3. Where did the attack program inject the root shell code? (in what pop3 command input?)
      3. Where did the attack program overflow the buffer? (in what pop3 command input?)
      4. Trace all the commands that you typed in the root shell during your break-in at your host. Compare them with what you found in the /root/.bash_history file.
      6. What do you discover from /var/log/messages?

      Post all your findings on your web page.

  2. BIND 8.2 - 8.2.2 remote root exploit

    1. At your host, tcpdump the port 53 traffic
       tcpdump -s 2000 -w binddump port 53 

    2. Edit /etc/named.conf to add the following lines.
      zone "hacker.captured.com" {
              type forward;
              forwarders {your_partner_host_IP;};
      };
    3. Temporarily start up the unpatched named
       /usr/local2/wsh/bo/named.vul 

      tail /var/log/messages to check that named started successfully.

    4. Try to break into your host from your partner's host

      1. Ask your partner to start up a bind buffer overflow program as root at his/her host
         /usr/local2/wsh/bo/bonamed 1 
        The program will hang there and wait for the victim to query. Watch this terminal closely; a root shell on your host will appear here later.

      2. ssh to your partner's host and run nslookup to make your host's named query www.hacker.captured.com
        > nslookup
        Default Server:  fortress.fox.hkntec.net
        Address:  192.168.128.230
        
        > server your_host_IP
        
        > www.hacker.captured.com
        

      3. Your partner's terminal from step 1 should now have a root shell on your host. Ask your partner to type the "whoami" and "hostname" commands to confirm the break-in once that terminal gets the root shell on your host. Ask your partner to type some harmless commands too. Then make sure your partner has terminated the bind buffer overflow program from step 1 by typing "exit" or hitting CTRL-C.

      4. Stop the tcpdump and review the dump file with snort
         /usr/local2/bin/snort -devr binddump |more 

        Save this dump file. You may need it for a later assignment.

    5. Analyse the break-in

      1. Identify the hacking pattern and signature of the BIND NXT buffer overflow attack
      2. Where did the attack program inject the root shell code?
      3. Where did the attack program overflow the buffer?
      4. Trace all the commands that your partner typed in the root shell during the break-in at your host. Compare them with what you found in the /root/.bash_history file.
      5. What do you discover from /var/log/messages?

      Post all your findings on your web page.
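As an added example for the POP3 analysis in part 1 (this is not part of the course materials), a small Python script that reviews the client side of a POP3 session, the kind of stream you reconstruct from the pop3dump capture, and flags a command whose argument shows overflow traits: oversized, containing non-printable bytes, or made of a long run of one byte. The session bytes and the thresholds below are constructed assumptions, not values from the lab.

```python
import re

# Assumed sane upper bound for a POP3 command argument; a genuine AUTH
# argument is a short mechanism name, so anything near this is worth a look.
MAX_ARG_LEN = 256
COMMAND_RE = re.compile(rb"^([A-Za-z]+)(?: (.*))?$", re.S)

# Constructed client-side streams (not real capture data).  The second one
# imitates an oversized AUTH argument: filler, a run of one byte and a few
# non-printable bytes, with no actual payload.
NORMAL_SESSION = b"USER alice\r\nPASS s3cret\r\nLIST\r\nQUIT\r\n"
SUSPECT_SESSION = b"AUTH " + b"A" * 1200 + b"\x90" * 64 + b"\x01\x02" + b"\r\n"


def longest_repeat(data: bytes) -> int:
    """Length of the longest run of a single repeated byte (filler hint)."""
    best = run = 0
    for i, b in enumerate(data):
        run = run + 1 if i and data[i - 1] == b else 1
        best = max(best, run)
    return best


def analyse_command(line: bytes) -> dict:
    """Score one client command line (without its CRLF) for overflow traits."""
    m = COMMAND_RE.match(line)
    if not m:
        return {"command": None, "suspicious": True, "reason": "unparseable"}
    cmd, arg = m.group(1).upper().decode(), m.group(2) or b""
    non_print = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized argument (%d bytes)" % len(arg))
    if non_print:
        reasons.append("%d non-printable bytes" % non_print)
    if longest_repeat(arg) >= 32:
        reasons.append("long run of one byte")
    return {"command": cmd, "arg_len": len(arg), "non_printable": non_print,
            "suspicious": bool(reasons), "reason": "; ".join(reasons)}


def review_session(client_stream: bytes) -> list:
    """Split a client-to-server stream on CRLF and score every command.
    A binary argument that itself contains CRLF gets split too; the extra
    fragments then show up as unparseable, which is a flag in its own right."""
    return [analyse_command(l) for l in client_stream.split(b"\r\n") if l]


if __name__ == "__main__":
    for stream in (NORMAL_SESSION, SUSPECT_SESSION):
        for r in review_session(stream):
            print(r["command"], "SUSPICIOUS" if r["suspicious"] else "ok", r["reason"])
```

Feeding it the real client payload from your capture (for example the TCP data snort prints with -d) tells you which command carried the oversized input, which is the answer to the "in what pop3 command input?" questions above.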

