_________________________________________________________
How to Program in C, part 1
_________________________________________________________

Top two places to get computer break-in programs:
http://www.rootshell.com
http://www.netspace.org/lsv-archive/bugtraq.html

**********************************************************
In this Chapter you will:
* Learn how to link and compile C programs
* Write your first C program
* Discover that C can be fun and easy
* See a C exploit program explained
* Learn basics of porting C exploit programs so they will compile and run successfully on your particular computer.
**********************************************************

**********************************************************
Newbie note: A socket is a round-trip, or two-way, network connection. For example, when you telnet into another computer's login sequence, you connect to port 23 on that computer. The round trip is completed by a high-numbered port, for example port 3587, at the other end of the connection, and the two ends together make up the socket. If you have a shell account on a good ISP, you can see everyone's sockets by giving the "last" or "netstat" commands.
**********************************************************

How to Turn C Code into a Working Program

One of the great character flaws -- or is it strengths? -- of most hackers is a burning desire to make something work RIGHT NOW, DARN IT! Are you ready to become a C programmer? How about becoming one NOW!

The first thing you need is a C compiler. While in your shell account, give the command "cc". If you get the message "command not found," try the command "gcc". If these don't work, try "whereis cc", "whereis gcc", "which cc" (in Linux), "locate cc" or "locate gcc". If none of those work, complain to tech support at your ISP. Don't email us, because we can't help you with this problem! If you have a free shell account and it doesn't offer a C compiler, maybe you should consider paying for a good shell account.
If these commands tell you where the C compiler is, try either changing to that directory or including a path statement to that directory in your login script.

So, are you ready to write your first C program? At the prompt in your shell account, type "pico hello.c". The command "pico" brings up a super easy editing program. All the commands are listed at the bottom of the screen. Even I could learn how to use pico in a few minutes without help. If you can't find pico, or if you are one of the rare people who hasn't learned yet to program in C but already knows how to use a more advanced editor, try "man vi" or "man emacs" to learn how to use a more powerful, but harder to understand, editor.

At the prompt in your editor, type in these lines exactly the way they are here:

    #include <stdio.h>
    void main()
    {
        printf( "Hello, hackers!\n" );
    }

Next, save this program with the command "control-X". Now give the command "ls". This will reveal that you now have a file named "hello.c". The "c" at the end of this file name identifies this as a file containing C commands.

Congratulations, you are already halfway to making your own C program. However, at this point, if you type in the command "hello" or even "hello.c", just like you would to run a shell script (program), nothing will happen. That is because this file is still just "source code," a listing of commands that your computer doesn't understand. This is different from shell programs, which only have commands that your computer already understands without having to compile them first. Shell programs are written in what is called an "interpreted" language, meaning your computer can interpret the shell commands you give it as it reads them. By contrast, C is a language that must be compiled before your computer understands what you are asking it to do.

So our next step must be to compile hello.c. Give the command:

    cc hello.c

Or, if this doesn't work, give the command "gcc hello.c".
Throughout the rest of this chapter we will assume "cc" is the correct command, so if you need to give the command "gcc", please replace cc with gcc in everything below.

********************************
Wizard tip: Your system may offer a choice of C compilers. On some systems "cc" will run a compiler written by the company that also wrote the operating system for your computer, while "gcc" will run the GNU C compiler. Every C programmer I know says the GNU compiler is best.
*******************************

What this does is:
1) start your C compiler running with the "cc" command;
2) with the "hello.c" part of the command you tell the compiler where to find the source code you just wrote;
3) the compiled program is, in most cases, automatically stored as a.out. (If it wasn't stored as a.out in your case, you will get the solution to your problem in a few more paragraphs.)

Now -- the big event. Let's run your first program. Simply give the command "a.out". Your computer should say back to you, "Hello, hackers!" Congratulations! You are now a C programmer.

Did your program not run? Let's do some troubleshooting. First, say over and over again, "I love Unix. I swear I do! Honest! I love C, too!" Now try to compile and run this program another way. You start with the same code as before, which is saved in the file "hello.c". However, this time, give the command:

    cc -o hello hello.c

What this does is:
1) start your C compiler running with the "cc" command using the -o switch. A quick use of the command "man cc" tells us that the switch "-o" after the "cc" tells your compiler to output the compiled version as a file with the name of your choice;
2) the "hello" part of the command tells the compiler that this is what you want to name your compiled program;
3) with the "hello.c" part of the command you tell the compiler where to find the source code you just wrote, which is the input to the compiler.

Now -- simply give the command "hello".
Your computer should say back to you, "Hello, hackers!" Congratulations! You are now a C programmer.

Still doesn't work? Try giving the command "chmod 700 hello".

STILL doesn't work? This is a long shot, but maybe it will solve your problem. If your shell account is set up like mine, no program can execute from the home directory. It's a precaution I take against Trojans. (Imagine this, sometimes meanies put surprises in my account.) However, I have a directory named "bin" in my account. Normally on Unix systems we name directories that hold programs "bin". On my account, that's where I put the programs I write. So look for a directory "bin" under the home directory in your shell account. If it doesn't exist, create it with the command "mkdir bin". Don't forget to give the command "chmod 700 ~/bin" afterwards! Move "hello" into it with the command "mv hello bin/hello".

STILL DOESN'T WORK??? Here's the bad news. There are so many kinds of Unix, so many shells to interpret your commands, and so many ways to configure Unixes that I may not be able to solve your problem. As the C bible that we like to call simply "K&R" (The C Programming Language by Kernighan and Ritchie) warns, "Just how to run this program depends on the system you are using." So don't phone or email me for help. Call tech support at your ISP! That's what you are paying them for, right? They WILL get your C program working -- if they allow users to compile C programs. You may even make friends with the tech support guy you call, as it is really rare, and usually makes tech support guys happy, when a customer asks a programming question instead of the usual lame stuff. However, before calling tech support, maybe you had better rewrite your program first to say "Hello, world" instead of "Hello, hackers!" just in case the tech guy you talk to is paranoid enough to kick you off for trying to be a hacker.

"Hello, hackers!" Program Explained

So how did this program work? Let's look it over line by line.
The first line is "#include <stdio.h>". This simply tells the computer how to accept input and make output ("stdio" is short for "standard input and output"). If you were to leave this line out, the computer wouldn't know how to output the message "Hello, hackers!"

The second line is "void main()". It tells the computer this is the main function under which all other C functions will run. "Main" might use many other functions (programs) while it is running, in this case the stdio functions. The "void" tells the program that it doesn't have to pass a value back to any other program when it is done running. You don't have to write "void" in front of "main()," but it's good programming practice.

The third line is just one character: "{". This tells your computer to expect the beginning of the main function.

The fourth line is "printf( "Hello, hackers!\n" );". The "printf" command tells the computer to use the stdio functions to figure out how to print something to your monitor screen. The part in parentheses, ( "Hello, hackers!\n" ), tells it what to print: the words "Hello, hackers!" followed by \n, which means "enter" (or "new line"). You have to have a new line command so your program will give a prompt back to you after it has run. The ";" tells the C compiler that this is the end of this command, and that whatever it sees next is the start of a new command.

The last character is "}", which simply means it is the end of the main function.

Why C Exploit Programs Might Not Work

Now comes the big question. You download a bunch of exploit programs and try to compile them and they don't work. Aha, you have just discovered why hacker gangs are so popular. There are many groups of criminal hackers out there who help each other out by figuring out how to compile exploits. That is how Kevin Mitnick got as far as he did -- he had his buddies compile programs for him.
However, I presume you are reading this not to become a criminal, but because you are willing to do a little work and learn enough not only to break into computers -- but to learn how to defend them, too. For this you must become good at C programming. Here's how to get good.

1) Buy the book The C Programming Language by Brian W. Kernighan and Dennis M. Ritchie (Prentice Hall, second edition, 1988). This is the Bible of C programming. Real hackers simply call it "K&R." You can get eliteness points by responding to guys who talk reverently about "K&R" by saying, "Oh, yes, Kernighan and Ritchie. Brilliant book." The reason this book is so good is that one of the authors, Dennis Ritchie, is the creator of the C language. Valerie Henson adds, "K&R is almost magical in the way it explains C. I have strong feelings about this book. :)" You can buy it from anywhere in the world at http://www.amazon.com.

2) You will quickly discover that no one book on C will tell you all the possible commands. If you want to learn as much as possible about C, you need to study the source code of C programs you admire. With each line, use the "man 2" command while in your shell account to learn about it, for example, "man 2 write". (This presumes your sysadmin has installed the man pages for C.) Then try writing some small programs to test each command to make sure you understand what it does. For examples of elegant C program source code complete with explanations, get Internetworking with TCP/IP Volumes 1, 2 and 3, by Douglas Comer and David L. Stevens (Prentice Hall, 1995). Volumes 2 and 3 are almost all C source code.

3) You will absolutely hate this. Just as there are many kinds of Unix and many different Unix shells, there is more than one version of C out there. But help is on the way. There is a version of C called ANSI C (for the ANSI standards board) which is coming to be widely accepted.
All we have to do now is persuade the people who write programs to break into computers to adopt the ANSI C standard!

4) You might need to find some new friends who will help you figure out what to do to successfully compile and run some obstreperous C program. Try enrolling in a course on C at a GOOD college or university. However, talk to the other students or the professors before you spend money signing up for a course. I swear this is true: one college teaches C using C for Dummies as a textbook. While that book may be helpful for home study -- surely a college professor can show his or her students enough respect to teach from K&R! However, even if you can get a good college course, don't expect to learn how to compile exploits from it! What you can do is hang out with students and teaching assistants and professors and meet people who can give you help on how to modify programs so they will compile on your computer. If you can't find a good college nearby, another possibility is to join a Linux Users Group (LUG). To find one in your neighborhood, see http://sunsite.unc.edu/LDP/.

Cramer suggests, "Try to post questions to newsgroups and mailing lists (that discuss C programming). But ... posting a question like 'My hello.c prints "Hello, good bye" instead of "hello hackers" -- what should I do?' to a mailing list -- say -- the Linux kernel developers list, will give you -- hrmmm -- some interesting results..."

Or get a job doing tech support at a local Internet Service Provider. Usually there will be some talented C programmers working there. Whatever you do, don't join a gang of computer criminals! They usually know much less about C programming than do computer science students, Linux User Group members, and employees of ISPs.

5) Read Meino Christian Cramer's Guide to C programming at the Wargames page on http://www.happyhacker.org. Try emailing questions to him at the address on that Web page.
He gives a great overview of the most important concepts in C programming, with some example programs for you to write.

_________________________________________________________
How to Program in C, part 2
_________________________________________________________

Common Problems in Getting C Programs to Compile and Run

Now, on to some common problems with getting C programs to compile and run. In the case of exploit programs, there often are references to other programs on your target computer. For example, in Leshka's sendmail exploit, the sendmail program is assumed to exist in /usr/sbin/sendmail. This works fine for a Linux computer. However, on the Sun OS computer I like to use, sendmail is in /usr/lib/sendmail. So you can see that an important first check on an exploit is to make sure all the locations of files match those of the operating system you are targeting. His exploit also assumes the command to run the C compiler is "cc". However, your victim computer may have the GNU C compiler, and it may require that you give the command "gcc" instead of "cc".

Another problem is that sometimes hackers purposely cripple their exploit code in order to keep total idiots from running it. For example, the syn flood exploit program written by Daemon9 and released in the fall 1996 issue of Phrack had a crucial line of code commented out.

*****************************************************
Newbie note: "Comments" are parts of a program meant for humans to read, not for the compiler to work on. Comments help people understand a program. Sometimes a part of a program might be something that you don't always want to run, in which case it is "commented out" by marking it as a comment so that the compiler won't compile it.
*****************************************************

So if you see something that looks like code between a "/*" and "*/" (which denote comments in C programs), try removing these comment marks and then run the program.
However, a lot of code commented out may be simply debugging code the programmer used to make sure it was running properly. You might be able to use that debugging code to figure out what your problem (bug) is.

Another reason why many people were unable to run that syn flood program was that it had to be installed with root permissions. As mentioned above when we were discussing the commands "setuid(0); setgid(0);", normally you only have the right to set root permissions on a program when you are root. A syn flood program needs root permission in order to manipulate the creation of packets so as to send floods of them out to the victim with only the syn flag set, never an ack flag.

Another of your problems may be the include files at the beginning of a C program. For example, you might find something like this:

    #include
    #include
    #include
    #include
    #include
    #include
    #include
    #include

If you try to find the file sys/socket.h, you will see it is not a list of ports, nor is it a table of active sockets. It is merely a C header file. It contains system-specific information which is needed to write network programs. It varies slightly among different variants of Unix.

There are many types of files that might need to be included in a C program before it can run. You can get an idea of the type of file by the extension (the character(s) that follow the period).

.h  = header file
.a  = archive (library) file
.c  = source file
.o  = object module (compiled from a .c file)
.sa = shared library stubs linked to your program

What if your shell account doesn't have all the include files? First, you have to find the missing library functions. Don't email me if you don't know where they are! First try a search within the computer you are using with commands such as whereis, which, apropos, man -a and man -k. If that doesn't work, ask tech support at your ISP. If you have a free shell account, it probably doesn't offer free tech support.
To do serious programming, it helps to get a commercial shell account. Then tech support can come to your aid. If this doesn't work, stand on a street corner holding a sign that reads "Will work for include files." Whatever you do, DON'T EMAIL ME about this problem. I can't help you on this!

OK, OK, I feel sorry for you. Meino Christian Cramer has a solution for the problem of finding where library functions might be. He has written a bash shell script to automatically find them in Linux computers. (This script may not work in other shells on other operating systems.) Save the code below in a file named obcheck.sh and remember to make it executable.

    #!/bin/sh
    #
    # scan libraries for a certain function
    #
    ######################################################
    if [ -z "$1" ]
    then
        echo "usage: obcheck function"
        exit 1
    fi
    # each line of /etc/ld.so.conf names a directory of shared libraries
    for i in $( cat /etc/ld.so.conf )
    do
        for j in $( find "$i" -type f -name 'lib*.so.*' )
        do
            # nm -D lists the dynamic symbols; a line that starts with a
            # hex address is a symbol this library defines, not one it
            # merely imports
            if nm -D "$j" | grep "$1" | egrep "^[0-9A-Fa-f]"
            then
                echo "$j"
            fi
        done
    done

---------------------------------------------------------

How do you use this script? For example, if you are searching for "printf", call the script by giving the command:

    -> obcheck ' printf '

Reports Cramer, "This will display a couple of messages. Because this only works on shared libraries, all other libraries are printed with an error message. Why use ' printf ' instead of simply printf? Cause there are more functions, all with a 'printf' inside their names. But you are only searching for THE printf."

Now suppose you have found each and every include file your C program needs to run. The next trick is, you have to tell your compiler where to look for them. You will use a shell command such as this:

    cc -o myhardprogram myhardprogram.c -L/library1/lib -lmylibrary

Where "/library1/lib" is the directory where you put those include files that your compiler didn't automatically find in the standard libraries of your computer, and "-lmylibrary" names the library in that directory that you want linked in. Be sure to have this command all on one line without a return, or it won't work!
How to Program C Securely

Probably the largest class of computer break-in techniques is C programs running on Unix-type operating systems that suffer from buffer overflows. Even if you are just beginning to learn how to program in C, it may be wise to get an early understanding of this major weakness in the language.

Is your goal to break into computers? The single most important thing about C is that it allows buffer overflows. "Segmentation fault," anyone? ;^) OK, OK, you nitpickers, I know not all buffer overflows cause a "segmentation fault" error message, but give me a break, I'm trying to make this chapter funny. Trust me on this, there will be days when you will need every bit of humor you can muster to endure sorting out why your C program won't compile.

**********************************************************
Newbie note: Buffer overflow? Here's the easy explanation. A buffer is a place in memory where data is briefly stored while a program is running. A buffer overflow is when a program tries to put data into a place in the victim computer's memory where there isn't enough room for it. It's like pouring two liters of water into a one liter container. The extra water overflows. If data that overflows a buffer in a C program contains the right commands -- in assembly language -- and if it leaks into the right place, voila! You get a root shell!
**********************************************************

Here's the technical explanation of a buffer overflow exploit. A buffer is a contiguous block of computer memory that, while a program is running, holds a given type of data. The problem comes with "dynamically allocated variables" (a variable is a name in a program that holds data that may vary). In order not to use up too much memory, a program with dynamically allocated variables does not decide how much memory to give to these variables until it is already running. What happens if a program pours too much data into this dynamically allocated buffer?
It overflows, leaking out somewhere else. A buffer overflow exploit uses this leaking data to put assembly language code elsewhere into the victim computer's memory -- often somewhere that will create a root shell.

The C programming language allows buffer overflow exploits because some of its functions for copying or appending strings fail to check whether doing so would overflow a buffer. These include sprintf(), strcat(), strcpy(), and vsprintf().

A buffer overflow alone is not enough to take over a computer. It must be in a program that would send the overflow to a location that would enable it to run a command to create a shell with root privileges. Then an exploit program must be run that will pour into that buffer the exact number of bits needed to insert these instructions, which may be in assembly language, into the right memory location. Assembly languages are the commands that the central processing units (CPUs) of computers understand. Because there are many different kinds of CPUs (SPARCs for Suns, MIPS for SGIs, etc.), you may have to make sure the exploit you want to run will work on that kind of CPU.

**********************************************************
Wizard tip: Do you want to become an Uberhacker? Do you want to become one of those almost mythological beings who are said to flow through cyberspace as if there were no walls? Write your own buffer overflow exploits! For a detailed explanation of how to search for these security holes and design code to exploit them, see "Smashing the Stack," by Aleph One, at http://www.netspace.org/lsv-archive/bugtraq.html.

Better yet, don't write buffer overflow exploits. As my secret super hacker friend says, "Overflows have become annoying. Since the screen exploit for Linux (almost 3 years ago) that's most of what's been coming out. It's boring! It's the same damn bug over and over again. WE GET THE POINT ALREADY!
Seriously, if someone came up with three overflow bugs and someone else came up with 1 non-overflow root exploit, I'd have more respect for the second person."
**********************************************************

It can be embarrassing, however, if you are the programmer who writes software that someone else uses to create a buffer overflow exploit. How can you learn to write C code that avoids this nasty problem? Aleph One, who runs the Bugtraq computer security list, has come up with a list of references for those of us who want to learn how to write secure C code. (Our apologies if these links go out of date.)

http://www.sun.com/sunworldonline/swol-04-1998/swol-04-unixsecurity.html
http://www.sun.com/sunworldonline/swol-04-1998/swol-04-security.html
http://www.homeport.org/~adam/review.html
http://olympus.cs.ucdavis.edu/~bishop/secprog.html
http://www.research.att.com/~smb/talks/odds.[ps|pdf]
http://www.pobox.com/~kragen/security-holes.txt

Chapter 22 in the book Practical UNIX & Internet Security by Simson Garfinkel and Gene Spafford (O'Reilly & Associates, 1996) is called "Writing Secure SUID and Network Programs".

Writing Solid Code: Microsoft's Techniques for Developing Bug-Free C Programs, by Steve Maguire (Microsoft Press, 1993). The book focuses on writing bug-free software.

Take the SANS course "Writing Secure Programs," taught by Matt Bishop. http://www.sans.org

Conclusion

Honest, C programming really is easy and fun. You just have to have the ability to look at it as an adventure when your !@#$@##$% program doesn't compile! Joker can tell you that's true, right, Joker? :^)

**********************************************************
You can go to jail warning: It is illegal to break into a computer even if you do no harm. The only Uberhackers I know of are so talented, and also so careful to do no harm, that only another Uberhacker would ever know one had broken into a computer.
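To make the "How to Program C Securely" section above concrete, here is an added example that is not from the original guide or from any of the references it lists: the unchecked strcpy() and sprintf() style of copying that the section warns about, next to checked versions that refuse or report input that would not fit. The buffer size NAME_LEN, the greeting format and the sample names are constructed for the example.

```c
/* Added example: bounded string handling versus the unchecked calls that
 * the "How to Program C Securely" section warns about. NAME_LEN, the
 * greeting format and the sample inputs are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size buffer: 15 characters plus the NUL */

/* UNSAFE: strcpy() copies until it finds src's terminating NUL and never
 * looks at how big dst is. A 20-byte name overwrites whatever sits after a
 * 16-byte dst; the "right" excess data is exactly what an exploit supplies.
 * Shown for contrast only and never called with oversized input here. */
void copy_name_unchecked(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* SAFE: measure src against the buffer before copying.
 * Returns 0 on success, -1 (leaving dst empty) if src would not fit. */
int copy_name_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0)
        return -1;
    if (n >= dstlen) {        /* no room for the characters plus the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);  /* n + 1 copies the terminating NUL as well */
    return 0;
}

/* SAFE replacement for sprintf(): snprintf() is told the buffer size and
 * returns the length the complete output would have had, so a return value
 * of dstlen or more means the output was cut short. Returns that length, or
 * -1 if it did not fit. dst is always NUL-terminated on return. */
int build_greeting(char *dst, size_t dstlen, const char *name)
{
    int needed = snprintf(dst, dstlen, "Hello, %s!\n", name);
    if (needed < 0 || (size_t)needed >= dstlen)
        return -1;
    return needed;
}

int main(void)
{
    char buf[NAME_LEN];
    const char *ok = "hackers";                 /* 7 characters: fits */
    const char *too_long = "0123456789abcdef";  /* 16 characters: no room for NUL */

    if (copy_name_checked(buf, sizeof buf, ok) == 0)
        printf("copied: %s\n", buf);
    if (copy_name_checked(buf, sizeof buf, too_long) != 0)
        printf("rejected: %zu bytes do not fit in a %zu-byte buffer\n",
               strlen(too_long) + 1, sizeof buf);

    if (build_greeting(buf, sizeof buf, "Bob") > 0)
        fputs(buf, stdout);
    if (build_greeting(buf, sizeof buf, too_long) < 0)
        printf("greeting did not fit; buffer holds only \"%s\"\n", buf);
    return 0;
}
```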
But if you are reading this to find out how to break into computers, you probably aren't good enough to keep from getting caught. Leshka's sendmail exploit program only does a tiny bit of cleanup, so you still are likely to get caught if you run it against a computer whose owner has not given you permission to break in. You also are likely to accidentally do damage while root on the victim computer. Do this to your own computer so you are the one who has to figure out what you did as root, OK?
*********************************************************

_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.

We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. But we hate computer crime. So don't email us about any crimes you have committed!

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with the message "subscribe happy-hacker" in the body of your message.

Copyright 1998 Carolyn Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers
http://techbroker.com