Network penetration-Overflow

Source: Internet
Author: User

Follow tianlu and learn how overflows work.
Overflow definition: an overflow is, as the name implies, something filled past its capacity. Fill a cup with too much water and the water spills out. On a computer, when a program is handed more data than it can hold, the excess "spills" into memory belonging to other legitimately running programs or to system buffers, where it may be executed. This is why buffer overflows are so easy to attack and so harmful, and why they have become a mainstream attack method. You have probably heard of mass overflow exploitation of "J" (zombie hosts), port 135 and so on; the principle is the same. Let's look at a simple example of an overflow:
Open DOS (the command prompt) and type c:\??? followed by Enter. An error message says the file cannot be found, which is normal, since you have no file called ???. We'll come back to that later. Now extend the run of ? and press Enter again; this time the prompt says the file name is too long. Extend it further still and the DOS program itself errors out: you will see the "Send Error Report" / "Don't Send" dialog (tianlu won't take that step here). It can be seen that


The following is a specific example: the well-known port 135 overflow vulnerability. RPC (Remote Procedure Call) is a protocol used by Windows. It provides normal inter-process communication for the system and allows a program to invoke procedures on a remote host. Most of the system's major services depend on it to run properly, which shows how much damage a vulnerability in it can cause. See Http://baike.baidu.com/view/322.16.htm. Next, let's look at the RPC service step by step.
In the Control Panel, open Administrative Tools and double-click Services to open the Services window. Locate Remote Procedure Call (RPC) in the list and open its properties. On the General tab you can see the service's Startup Type; on the Dependencies tab you can see which other services depend on it.
You will see that many system components are affected, including the DCOM service, which forwards DCOM object activation requests from a client machine to the server. An attacker who exploits this vulnerability can execute arbitrary commands with Local System privileges, including creating accounts with system administrator rights.

 
Now let's look at the configuration of the DCOM interface.
Open Component Services (you can type Dcomcnfg in the Run dialog), click the "+" in front of Component Services to expand the tree down to the DCOM Config node, and you can view the individual configurations. Every component registered on the system is listed here. We can pick any one of them (tianlu has a reason for this: most Windows systems open port 135 by default, and that can cost a machine a great deal, but don't worry, I will explain later). Right-click any configuration object and choose Properties from the pop-up menu; the "XXXXX Properties" dialog appears, where XXXXX is the object you chose. We don't need to change much here; most of the settings are defaults. The main thing is to look at the tab showing the launching user: on my machine it is started as the default user, which indicates that port 135 is open (honestly, this is almost a given, because most Windows systems have it open by default). We can confirm it by typing netstat -an in DOS; my port 135 was open.




Because DCOM can remotely operate the corresponding DCOM service on other computers, and uses RPC to call functions on those PCs, an attacker can exploit this vulnerability by sending a specially formed request to port 135 of the remote computer, and can thereby execute arbitrary commands with administrator privileges.
I won't go into examples of remote overflow attacks against the RPC service; I'm sure you are more proficient at that than I am, and you have played with J in the "snow" series as well (tianlu: in the early 135 days, catching J was a craze, so I didn't do anything with J myself). We can see that the RPC vulnerability can cause great losses to our computers. What should we do?
I believe you already have some idea of how to keep the cup from overflowing. Let me go through the methods one by one.
1. Write correct code. This method prevents buffer overflow attacks at the root, especially for complex and error-prone programming in languages like C. Although people know how to write programs securely and correctly, vulnerabilities keep appearing, so tools have been developed to check for errors before the code is compiled; the simplest is to use grep to search the source for vulnerable library calls.
2. Non-executable buffers
As mentioned above, data that spills out of a buffer can occupy the memory of other legitimate programs or system buffers and then be executed; that automatic execution is what makes the problem so serious. If the spilled data cannot be executed, the problem is largely defused. Early Unix and Linux systems in fact worked this way, but modern systems place executable code in the data segment dynamically, so making every program's data segment non-executable would break program compatibility. Windows and Linux have both released patches for this issue; on Linux this takes the form of a non-executable stack. This method cannot stop all overflow attacks: a non-executable stack defends effectively against attacks that implant code into automatic (stack) variables, but it is useless against other forms of attack, which can place their code in the heap or in static data segments instead.
3. Array bounds checking
Compaq's C compiler does this, which we won't go into here. Implanting code via a buffer overflow is one way of disrupting a program's execution flow; unlike non-executable buffer protection, array bounds checking prevents the buffer overflow itself, so the attack never happens. As long as an array cannot be exceeded, an overflow attack is impossible. To implement array bounds checking, every read and write of an array must be checked to ensure that the operation stays within the correct range. The most direct method is to check every array operation, but optimization techniques can be used to reduce the number of checks.
4. Program pointer integrity checking
Unlike bounds checking, this does not try to prevent program pointers from being changed; instead, it detects whether a program pointer has been changed before it is dereferenced. Even if a hacker changes a program pointer, the system detects the change first, so the tampered pointer is never used.
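Methods 1 and 3 above come down to the same thing in practice: a copy into a fixed-size buffer must know the buffer's size and check the input length before writing. The block below is an added example, not code from the original article: the unchecked copy that grep would flag, next to a bounds-checked version of the same operation. NAME_MAX and the input strings are constructed for the illustration.

```c
/* Added example: a fixed-size buffer copy the unsafe way, next to the
 * bounds-checked version the article's methods 1 and 3 call for. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* hypothetical fixed buffer size for a user name */

/* UNSAFE: strcpy never looks at the destination size. Any input longer
 * than NAME_MAX - 1 bytes writes past the end of 'name' (the "cup
 * overflows" case from the article). This is the kind of library call a
 * grep for strcpy/strcat/gets/sprintf should flag. Shown for contrast
 * only; never call it with untrusted input. */
void copy_name_unsafe(char name[NAME_MAX], const char *input) {
    strcpy(name, input);
}

/* SAFE: the array-bounds check from method 3. The destination size is
 * passed explicitly, the input length is checked before any byte is
 * written, and the result is always NUL-terminated.
 * Returns 1 on success, 0 if the input would not fit. */
int copy_name_checked(char *dst, size_t dst_size, const char *input) {
    size_t len = strlen(input);
    if (dst_size == 0 || len >= dst_size) {
        return 0;                    /* reject rather than overflow */
    }
    memcpy(dst, input, len + 1);     /* len + 1 copies the terminator */
    return 1;
}

/* Convenience wrapper: does 'input' fit in a NAME_MAX-byte name buffer? */
int name_fits(const char *input) {
    char name[NAME_MAX];
    return copy_name_checked(name, sizeof name, input);
}

int main(void) {
    /* constructed inputs: one that fits, one that would overflow */
    const char *ok_input   = "tianlu";
    const char *long_input = "this-name-is-much-longer-than-sixteen-bytes";

    printf("short input accepted: %d\n", name_fits(ok_input));   /* 1 */
    printf("long input rejected:  %d\n", !name_fits(long_input)); /* 1 */
    return 0;
}
```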
In fact, ordinary users only need to close unneeded ports, run anti-virus software, apply patches, and run fewer programs.
So that's it for this talk on overflows. Blindly mechanical operation won't make you any better; understanding overflows from the principles up is king.

Author tianlu
