SmarttBits

Better living through hexadecimal.

What Hackers Need to Know About the Patriot Act


Shortly after the September 11, 2001 terrorist attacks, the US government passed the PATRIOT Act and told us it was needed to keep us safer from terrorism. PATRIOT stands for “Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism”. The period after the attacks was a very vulnerable time for our population, and Bush was able to use our fear against us to pass the bill. I find it depressingly ironic that the bill was named the “Patriot Act” yet was mainly composed of laws restricting our freedom, rather than advancing or even preserving the state of national security as its name implies. Its provisions changed the law surrounding computer crimes and hacking.

Ability FTP 2.34 Stack-based Buffer Overflow


Assessing the Vulnerability

Let’s try exploiting a known vulnerability in Ability FTP 2.34. This is a File Transfer Protocol (FTP) server program made by code-crafters.com. Let’s take a look at the CVE (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1626). Here’s the description of the vulnerability in the software.

Buffer overflow in Ability Server 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long STOR command.

This is an extremely accurate CVE. Most CVEs do not contain specifics on how the attack works, just that one exists. Here they even tell us which command we need to fuzz. Open up a Windows XP box. For this example I will be using Windows XP Professional version 2002 Service Pack 3. Unless you are comfortable computing the offsets and other things yourself, you need this version. Open up Ability FTP 2.34. You can close the initial screen that pops up to reveal the main window. Activate the FTP server. You should now have something like this:

Counting Bits Set to 1


Counting bits

Determining the number of bits set to 1 in a particular value is an interesting problem, commonly referred to as a population count, and often referred to in assembly language simply as pop. My favorite approach to this problem, and the way it is often implemented in CPU hardware, is a recursive (divide-and-conquer) approach. It is almost like the reverse of a binary search in the way it accomplishes counting the bits set to 1 in a register value.

Suppose that our registers are n-bit registers. Divide the problem into two halves, and we now need to count the number of one bits in two n/2-bit values. We continue on to four n/4-bit values, eight n/8-bit values, etc. until the number of bits in each value we are counting is two, a trivially easy problem. The counts of the small pieces are then added back together, level by level, until a single count for the whole register remains.
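As an added example (not code from the post), here is that divide-and-conquer method carried through for a 32-bit register in C. Each step adds adjacent fields in parallel using masks, starting from the trivial 2-bit case; a naive bit-by-bit count is included so the two can be cross-checked. All function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Divide-and-conquer population count for a 32-bit register. Each step
 * adds adjacent fields of the previous width in place, so every field
 * of the register is processed in parallel with a mask. */
uint32_t popcount32(uint32_t x)
{
    /* Step 1: 16 fields of 2 bits, each holding the count of its 2 bits (0..2). */
    x = (x & 0x55555555u) + ((x >> 1) & 0x55555555u);
    /* Step 2: 8 fields of 4 bits, each holding a count 0..4. */
    x = (x & 0x33333333u) + ((x >> 2) & 0x33333333u);
    /* Step 3: 4 fields of 8 bits, each holding a count 0..8. */
    x = (x & 0x0F0F0F0Fu) + ((x >> 4) & 0x0F0F0F0Fu);
    /* Step 4: 2 fields of 16 bits, each holding a count 0..16. */
    x = (x & 0x00FF00FFu) + ((x >> 8) & 0x00FF00FFu);
    /* Step 5: 1 field of 32 bits holding the total, 0..32. */
    x = (x & 0x0000FFFFu) + ((x >> 16) & 0x0000FFFFu);
    return x;
}

/* Reference implementation: test one bit at a time. */
uint32_t popcount32_naive(uint32_t x)
{
    uint32_t n = 0;
    while (x) {
        n += x & 1u;
        x >>= 1;
    }
    return n;
}

/* Cross-check both implementations on constructed sample values,
 * including the edge cases 0 and all-ones. Returns 1 on agreement. */
int popcount_selfcheck(void)
{
    const uint32_t samples[] = { 0u, 1u, 0x80000000u, 0xFFFFFFFFu,
                                 0xDEADBEEFu, 0x55555555u, 0xAAAAAAAAu,
                                 12345678u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (popcount32(samples[i]) != popcount32_naive(samples[i]))
            return 0;
    return 1;
}

int main(void)
{
    uint32_t v = 0xDEADBEEFu;
    printf("popcount(0x%08x) = %u\n", v, popcount32(v)); /* prints 24 */
    return popcount_selfcheck() ? 0 : 1;
}
```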

Reversing Bits and Bytes


Introduction

Bits and Bytes need to be reversed quite often. Some computers store data in a little-endian format and some in a big-endian format. In order for communication between these two hosts to work, these conversions must be done with extreme precision. When coding at a high level, such as using the Socket object in a Java program, one doesn’t need to worry about these issues. As the data flows down the OSI model from the Application layer to the Physical layer, our operating system kernel will do all the endian conversions as necessary.

But this may not always be the case. And even when it is, having a good understanding of what’s going on under the hood can be very beneficial for debugging. A few examples of where you may be interested in endianness and the flipping of bits/bytes are:

- Raw sockets in C
- Writing exploits
- Cryptography
- Assembly language

Understanding the difference

Distinguishing between flipping bits and flipping bytes is a must for hackers. Let’s take the example 0xdeadbeef. For the sake of simplicity, we’ll assume an atomic variable size of 2 bytes or 16 bits. This is standard on Linux kernel 2.6.39.* and Windows XP SP3.