Topic: How to find 0-days in port services?


gh0st
How to find 0-days in port services?
« on: October 10, 2011, 07:42:19 am »
Well guys, I've been wondering how the architecture of these kinds of attacks works, such as this one:
http://www.zerodayinitiative.com/advisories/ZDI-11-279/
Quote
Vulnerability Details
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Witness Systems eQuality Suite. This application is
bundled with Nortel Contact Recording and Quality Monitoring Suite.
Authentication is not required to exploit this vulnerability.
The flaw exists within the Unify2.exe component which listens by default on
TCP port 6821. When handling a packet type the process trusts a remaining packet
length value provided by the user and blindly copies user supplied data into a
fixed-length buffer on the stack. A remote attacker can exploit this
vulnerability to execute arbitrary code under the context of the SYSTEM
user.
So I understand that an attacker sends a packet of data with something like a buffer overflow, right? Then it's executed on the system?
My first question is: if I want to develop an exploit like this, my steps would be:
1. Create a tool that ports that service target.
2. Send a packet of data with the exploit.
So I could do the porting with any language, right? And for the exploit part, I'd need to insert the buffer overflow into that packet of data?
That's my question. I've been interested in these kinds of attacks for a long time, so any guidance please? Thanks.
-gh0st
« Last Edit: October 10, 2011, 08:53:24 am by gh0st »

Stackprotector
Re: how to exploit port services?
« Reply #1 on: October 10, 2011, 07:46:41 am »
Guidance??? Do you know the exact workings behind BoF?
« Last Edit: October 10, 2011, 07:46:57 am by Factionwars »
~Factionwars

gh0st
Re: how to exploit port services?
« Reply #2 on: October 10, 2011, 08:08:14 am »
I'm wondering how it works. I've been reading about network packets (http://en.wikipedia.org/wiki/Network_packet), so the attacker sends a packet with the exploit; the exploit would be data with the remote access request hidden? That's my question.
« Last Edit: October 10, 2011, 08:08:49 am by gh0st »

Kulverstukas
Re: how to exploit port services?
« Reply #3 on: October 10, 2011, 08:40:51 am »
Let's not say "exploit" too much... in this context it's a request with malicious payload.
I think I would go by determining what kind of data I would need to send, and send a system command in that format. If the buffer is fixed length, then send more shit than it can accept and it will crash :D

Dunno, it's 8:40 AM, school after a 10 km ride by bike, brain is just booting up :D

gh0st
Re: how to exploit port services?
« Reply #4 on: October 10, 2011, 08:44:53 am »
Would I need to reverse engineer the ports?
@Kulverstukas: topic name changed.
« Last Edit: October 10, 2011, 08:53:47 am by gh0st »

Kulverstukas
Re: how to find 0-days in port services?
« Reply #5 on: October 10, 2011, 09:35:18 am »
The topic name was fine, as it describes the topic discussed; finding 0-days is completely different from what you write here :P
But yeah, I think that you would need to reverse the ports to see what data they can accept and send, what format, etc.
« Last Edit: October 10, 2011, 09:35:51 am by Kulverstukas »

ande
Re: how to find 0-days in port services?
« Reply #6 on: October 10, 2011, 05:21:51 pm »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

gh0st
Re: how to find 0-days in port services?
« Reply #7 on: October 11, 2011, 07:38:30 am »
What's a shellcode? Can someone give me an example? Is it something that you execute and then the attacker has remote access? I've never seen one.
« Last Edit: October 11, 2011, 07:38:48 am by gh0st »

ca0s
Re: how to find 0-days in port services?
« Reply #8 on: October 11, 2011, 01:56:07 pm »
Come on gh0st. Read some tutorials. Start with Smashing the stack, as ande said. It explains it quite well.
I think you aren't understanding how this works. You don't find a bug in a port. You find a bug in a program which is listening on a port (tl;dr: a service).
It is not "a packet" with the exploit. This is not about networking.
Learn C. Learn what a buffer overflow is (going back to ande's text...).
And this is a shellcode: \x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80
Read the fucking tut.

gh0st
Re: how to find 0-days in port services?
« Reply #9 on: October 12, 2011, 05:20:17 am »
Wait dude, I got it.
The payload has to be delivered to the victim computer by a port service which is exploited by a 0-day.
Now my question is: is the buffer overflow enough to accomplish the attack? Or does the payload have to have a 0-day too?
BTW, now I understand what a buffer overflow is; I haven't coded it yet, but I know the theory.
http://metasploit.com/about/penetration-testing-basics/payload.jsp

gh0st
Re: how to find 0-days in port services?
« Reply #10 on: October 16, 2011, 08:03:15 am »
Guys, can someone give me an example of sending packets with any language? I don't get how to send the payload with the packet.

xzid
Re: how to find 0-days in port services?
« Reply #11 on: October 16, 2011, 08:48:29 am »
Quote
Guys, can someone give me an example of sending packets with any language? I don't get how to send the payload with the packet.
Uhh.. I wouldn't exactly consider this a packet. Your OP sent to TCP port 6821. From what I understand:

Quote
When handling a packet type the process trusts a remaining packet length value provided by the user and blindly copies user supplied data into a fixed-length buffer on the stack.
Somewhere in this protocol is a length field which the program will accept as factual, and it will copy that length of data (provided by you) into a fixed-size buffer... leading to an overflow.

Quote
Due to the small number of installations using this software the risk of potential exploitation has been determined to be very low and therefore this issue will not be addressed.
Out of curiosity do you actually have a target system?

To send data to a port, look into "sockets". Available in most languages; the easiest example is using netcat:

Code:
$ nc evilzone.org 80
GET / HTTP/1.1
Host: evilzone.org

<< Reply + HTML code of http://evilzone.org/ >>

Congrats, you sent a packet... actually you sent several, not important. If you think you can simply send your shellcode to the target system on that port, you're mistaken.

If you're sure about your packet thing, then look into "raw sockets". Available in fewer, nonetheless a lot of, languages. Raw sockets are kind of a C thing though.
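The length-field mistake xzid describes above, modelled in C as an added example (not code from the original post, and not the real Unify2.exe protocol): a constructed two-byte header whose second byte is the sender's "remaining length", first as the trusted value the advisory describes, then parsed with the two checks that stop the copy from overflowing the stack buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed wire format (an assumption for this example, not the real
 * Unify2.exe protocol): byte 0 = packet type, byte 1 = "remaining length"
 * claimed by the sender, bytes 2.. = payload. */
#define HDR_LEN  2
#define BUF_SIZE 64
enum { PARSE_OK = 0, PARSE_TOO_LONG = -1, PARSE_TRUNCATED = -2 };

/* Model of the advisory's bug: the length byte is trusted and alone decides
 * how many bytes get memcpy'd into a BUF_SIZE-byte stack buffer. This helper
 * only reports what that copy size would be; it never performs the copy. */
static size_t trusted_copy_len(const uint8_t *pkt)
{
    return pkt[1];                      /* never compared to BUF_SIZE */
}

/* Hardened parser: the claimed length must fit the destination buffer AND
 * must not exceed the bytes actually received before memcpy runs. */
int parse_packet(const uint8_t *pkt, size_t pkt_len, size_t *payload_len)
{
    uint8_t buf[BUF_SIZE];
    size_t claimed;
    if (pkt_len < HDR_LEN)
        return PARSE_TRUNCATED;         /* header itself is incomplete */
    claimed = pkt[1];
    if (claimed > sizeof buf)
        return PARSE_TOO_LONG;          /* would overflow buf: reject */
    if (claimed > pkt_len - HDR_LEN)
        return PARSE_TRUNCATED;         /* would read past the packet */
    memcpy(buf, pkt + HDR_LEN, claimed);
    if (payload_len)
        *payload_len = claimed;
    return PARSE_OK;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t PKT_GOOD[]      = {0x01, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t PKT_TOO_LONG[]  = {0x01, 0xC8, 'A', 'A', 'A', 'A'}; /* claims 200 bytes */
static const uint8_t PKT_TRUNCATED[] = {0x01, 0x0A, 'A', 'B', 'C'};      /* claims 10, sends 3 */

int main(void)
{
    printf("good=%d too_long=%d truncated=%d unchecked_copy=%zu\n",
           parse_packet(PKT_GOOD, sizeof PKT_GOOD, NULL),
           parse_packet(PKT_TOO_LONG, sizeof PKT_TOO_LONG, NULL),
           parse_packet(PKT_TRUNCATED, sizeof PKT_TRUNCATED, NULL),
           trusted_copy_len(PKT_TOO_LONG));
    return 0;
}
```

The second check matters as much as the first: a length that fits the buffer but exceeds the bytes received turns the same trusted field into an out-of-bounds read instead of a write.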

gh0st
Re: how to find 0-days in port services?
« Reply #12 on: October 17, 2011, 04:31:27 am »
@xzid, I think that it's about raw packets. I've found a tool that does the sending: http://nemesis.sourceforge.net/ +1. And have you ever found a 0-day vuln?

xzid
Re: how to find 0-days in port services?
« Reply #13 on: October 17, 2011, 06:46:07 am »
Nothing I'd brag about.

I have my doubts about the raw packets, although holy crap does that nemesis thing you posted look awesome!!#! ARPspoofing, SYN flooding, etc.. ALL IN BASH!!!.. What I wish netcat could do. dsniff can go sniff itself. I'll be sure to check it out in more detail sometime.

Z3R0
Re: how to find 0-days in port services?
« Reply #14 on: October 27, 2011, 12:40:17 pm »
@gh0st watch all of these video tutorials that I have made. It will help you understand how exploits are developed.

To answer your question directly, refer to Part 3 of my exploit series. The topic covered in Part 3 is Fuzzing.
http://evilzone.org/video-tutorials/exploit-series-part-1-(intro)/
http://evilzone.org/video-tutorials/exploit-series-part-2-(1st-segment)/
http://evilzone.org/video-tutorials/exploit-series-part-2-(2nd-segment)/
http://evilzone.org/video-tutorials/exploit-series-part-3/
http://evilzone.org/video-tutorials/exploit-series-part-4/
http://evilzone.org/video-tutorials/exploit-series-part-5-(1st-segment)/
http://evilzone.org/video-tutorials/exploit-series-part-5/