---------- Forwarded message ----------
Date: Mon, 07 Sep 1998 00:43:55 -0600
From: Carolyn Meinel 
Subject: GTMHH: Part 2, How to Program in C

_________________________________________________________

Guide to (mostly) Harmless Hacking

Vol. 5 Programmers' Series

No. 4: How to Program in C, part 2
_________________________________________________________

Common Problems in Getting C Programs to Compile and Run

	Now, on to some common problems with getting C programs to compile and run.
In the case of exploit programs, there often are references to other
programs on your target computer.  For example, in Leshka's sendmail
exploit, the sendmail program is assumed to exist in /usr/sbin/sendmail.
This works fine for a Linux computer.  However, on the Sun OS computer I
like to use, sendmail is in /usr/lib/sendmail.  So you can see that an
important first check on an exploit is to make sure all the locations of
files match those of the operating system you are targeting.
	His exploit also assumes the command to run the C compiler is "cc".
However, your victim computer may have the GNU C compiler, and it may
require that you give the command "gcc" instead of "cc".
	Another problem is that sometimes hackers purposely cripple their exploit
code in order to keep total idiots from running them.  For example, the syn
flood exploit program written by Daemon9 and released in the fall, 1996
issue of Phrack had a crucial line of code commented out. 

*****************************************************
Newbie note: "Comments" are parts of a program meant for humans to read, not
for the compiler to work on.  Comments help people understand a program.
Sometimes a part of a program might be something that you don't always want
to run, in which case it is "commented out" by marking it as a comment to
make it so the compiler can't compile it.
*****************************************************
	So if you see something that looks like code between a "/*" and "*/" (which
denote comments in C programs) try removing these comment marks and then run
the program. However, a lot of code commented out may be simply debugging
code the programmer used to make sure it was running properly.  You might be
able to use that debugging code to figure out what your problem (bug) is.
	Another reason why many people were unable to run that syn flood program
was that it had to be installed with root permissions.  As mentioned above
when we were discussing the commands "setuid(0); setgid(0", normally you
only have the right to set root permissions on a program when you are root.
A syn flood program needs root permission in order to manipulate the
creation of packets so as to send floods of them out to the victim with only
the syn flag set, never an ack flag.
	Another of your problems may be the include files at the beginning of a C
program.  For example, you might find something like this:

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

	If you try to find the file sys/socket.h, you will see it is not a list of
ports, nor is it a table of active sockets.  It is merely a C header file.
It contains system specific information which is needed to write network
programs.  It varies slightly among different variants of Unix.
	There are many types of files that might need to be included in a C program
before it can run.  You can get an idea of they type of file by the
extension (the character(s) that follow the period).  

.h = header file
.a = archive (library) file
.c = source file
.h = header file
.o = object module (compiled from a .c file)
.sa = shared library stubs linked to your program

	What if your shell account doesn't have all the include files? First, you
have to find the missing library functions.  Don't email me if you don't
know where they are!  First try a search within the computer you are using
with commands such as whereis, which, apropos, man -a and man -k. If that
doesn't work, ask tech support at your ISP. If you have a free shell
account, it probably doesn't offer free tech support.  To do serious
programming, it helps to get a commercial shell account.  Then tech support
can come to your aid.
	If this doesn't work, stand on a street corner holding a sign that reads
"Will work for include files." Whatever you do, DON'T EMAIL ME about this
problem.  I can't help you on this!
	OK, OK, I feel sorry for you.  Meino Christian Cramer has a solution for
the problem of finding where library functions might be.  He has written a
bash shell script to automatically find them in Linux computers. (This
script may not work in other shells on other operating systems.)  Save the
code below in a file named obcheck.sh and remember to make it executable.

#!/bin/sh
#
# scan libraries for a certain function
#
######################################################
if [ -z $1 ]
then
    echos "usage: obcheck 
    exit
fi
for i in $( cat /etc/ld.so.conf )
do
   for j in $( find "$i" -type f -name 'lib*.so.*' )
   do
       if nm -D "$j" | grep "$1" | egrep "^[0-9A-Fa-f]"
           then
               echo "$j"
           fi      
   done
done

---------------------------------------------------------

	How do you use this script? For example, if you are searching for "printf"
call the script by giving the command:

-> obcheck ' printf '

	Reports Cramer, "This will display a couple of messages. Because this only
works on shared libraries, all other libraries are printed with an error
message. Why use ' printf ' instead of simply printf? Cause there are more
functions, all with a "printf" inside their names. But you are only
searching for THE printf."

	Now suppose you have found each and every include file your C program needs
to run.  The next trick is, you have to tell your compiler where to look for
them.  You will use a shell command such as this:

cc -o myhardprogram myhardprogram.c -L/library1/lib -lmylibrary

	Where "/mylibrary" is where you put those include files that your compiler
didn't automatically find in the standard libraries of your computer.  Be
sure to have this command all on one line without a return, or it won't work!

How to Program C Securely

	Probably the largest class of computer break-in techniques is C programs
running on Unix type operating systems that suffer from buffer overflows.
Even if you are just beginning to learn how to program in C, it may be wise
to get an early understanding of this major weakness in the language.
	Is your goal to break into computers?  The single most important thing
about C is that it allows buffer overflows.  "Segmentation fault,"
anyone?;^)  OK, OK, you nitpickers, I know not all buffer overflows cause a
"segmentation fault" error messages, but give me a break, I'm trying to make
this chapter funny.  Trust me on this, there will be days when you will need
every bit of humor you can muster to endure sorting out why your C program
won't compile.

**********************************************************
Newbie note:  Buffer overflow?  Here's the easy explanation. A buffer is a
place in memory where data is briefly stored while a program is running.  A
buffer overflow is when a program tries to put data into a place in the
victim computer's memory where there isn't enough room for it.  It's like
pouring two liters of water into a one liter container.  The extra water
overflows.
	If data that overflows a buffer in a C program contains the right commands
-- in assembly language -- and if it leaks into the right place, voila!  You
get a root shell!
**********************************************************

	Here's the technical explanation of a buffer overflow exploit.  A buffer is
a contiguous block of computer memory that, while a program is running,
holds a given type of data.  The problem comes with "dynamically allocated
variables" (a variable is a name in a program that holds data that may
vary).  In order to not use up too much memory, a program with dynamically
allocated variables does not decide how much memory to give to these
variables until it is already running.
	What happens if a program pours too much data into this dynamically
allocated buffer?  It overflows, leaking out somewhere else.  A buffer
overflow exploit uses this leaking data to put assembly language code
elsewhere into the victim computer's memory -- often somewhere that will
create a root shell.
	The C programming language allows buffer overflow exploits because some of
its functions for copying or appending strings fail to check whether doing
so would overflow a buffer.  These include sprintf(), strcat(), strcpy(),and
vsprintf().  
	A buffer overflow alone is not enough to take over a computer.  It must be
in a program that would send the overflow to a location that would enable it
to run a command to create a shell with root privileges.  Then an exploit
program must be run that will pour into that buffer the exact number of bits
needed to insert these instructions, which may be in assembly language, into
the right memory location.
	Assembly languages are the commands that the central processing units (CPU)
of computers understand.  Because there are many different kinds of CPUs
(SPARCs for Suns, MIPS for SGIs etc.), you may have to make sure the exploit
you want to run will work on that kind of CPU.

**********************************************************
Wizard tip: Do you want to become an Uberhacker?  Do you want to become one
of those almost mythological beings who are said to flow through cyberspace
as if there were no walls?  Write your own buffer overflow exploits!  
	For a detailed explanation of how to search for these security holes and
design code to exploit them, see "Smashing the Stack," by Aleph One, at
http://www.netspace.org/lsv-archive/bugtraq.html.
	Better yet, don't write buffer overflow exploits. As my secret super hacker
friend says, "Overflows have become annoying. Since the screen exploit for
Linux (almost 3 years ago) that's most of what's been coming out.  It's
boring!  It's the same damn bug over and over again.  WE GET THE POINT
ALREADY!  Seriously, if someone came up with
three overflow bugs and someone else came up with 1 non-overflow root
exploit, I'd have more respect for the second person."
**********************************************************

	It can be embarrassing, however, if you are the programmer who writes
software that someone else uses to create a buffer overflow exploit.  How
can you learn to write C code that avoids this nasty problem?
	Aleph One , who runs the Bugtraq computer security list,
has come up with a list of references for those of us who want to learn how
to write secure C code.  (Our apologies if these links go out of date.)

http://www.sun.com/sunworldonline/swol-04-1998/swol-04-unixsecurity.html
http://www.sun.com/sunworldonline/swol-04-1998/swol-04-security.html
http://www.homeport.org/~adam/review.html
http://olympus.cs.ucdavis.edu/~bishop/secprog.html
http://www.research.att.com/~smb/talks/odds.[ps|pdf]
http://www.pobox.com/~kragen/security-holes.txt

	Chapter 22 in the book Practical UNIX & Internet Security by Simson
Garfinkel, Gene Spafford (O'Reilly & Associates, 1996) is called "Writing
Secure SUID and Network Programs".
	Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C
Programs, by Steve Maguire, (Microsoft Press, 1993).  The book focuses on
writing bug-free software.
	Take the SANS course  "Writing Secure Programs," taught by Matt Bishop.
http://www.sans.org

Conclusion

	Honest, C programming really is easy and fun.  You just have to have the
ability to look at it as an adventure when your !@#$@##$% program doesn't
compile!  Joker can tell you that's true, right, Joker?:^)

**********************************************************
You can go to jail warning:  It is illegal to break into a computer even if
you do no harm.  The only Uberhackers I know of are so talented, and also so
careful to do no harm, that only another Uberhacker would ever know one had
broken into a computer.  But if you are reading this to find out how to
break into computers, you probably aren't good enough to keep from getting
caught.  Leshka's sendmail exploit program only does a tiny bit of cleanup,
so you still are likely to get caught if you run it against a computer whose
owner has not given you permission to break in.  You also are likely to
accidentally do damage while root on the victim computer.  Do this to your
own computer so you are the one who has to figure out what you did as root, OK?
*********************************************************
_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out
the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the
kind that led to the creation of the Internet and a new era of freedom of
information. But we hate computer crime.  So don't email us about any crimes
you have committed!  
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless
Hacking, please email hacker@techbroker.com with message "subscribe
happy-hacker" in the body of your message. 
Copyright 1998 Carolyn Meinel.  You may forward, print out or post this
GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave
this notice at the end.
_________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers
http://techbroker.com