# hacking into your own pc

## blommethomas

Hi,

I read some things about hardened gentoo, merely PaX.

Instead of installing the PaX kernel modules without knowing what they do, I'd like to try to hack my system myself first.

Are there secure ways (in which the code does not harm the system) to do this?

As I read in the PaX documentation, there are 3 sorts:

(1) introduce/execute arbitrary code

(2) execute existing code out of original program order

(3) execute existing code in original program order with arbitrary data

I'd like to test all of them, in which for example I gain root access through shellcode injection.

Can I find good documentation on this (which I did not find yet), or are there community members who have experience?

This whole idea will hopefully lead me to have a better view on what hardened gentoo is trying to do and what I should install for it. If I'm able to cause an attack, I can test if the protection works fully.

Is it possible to perform these actions on a gentoo system with a new kernel to boot from, without having to affect the other kernels and only a small part of the programs? This would prevent my whole system from being broken if I make a fault somewhere.

----------

## madchaz

I'd personally recommend building a box for the single purpose of breaking into it. Any time you are learning about breaking security, you risk breaking a lot of other things. You can use an older computer for this (as old as a 486 if you have to), but it'll be a lot less dangerous than trying to break into your main box.

----------

## celestialwizard

Virtualisation is perfect for this type of task.

You can create a "gold" install and attack it without having to worry about what state it is in, data integrity, etc...

To begin with, get vmware-player and some sample VMs from http://www.vmware.com/vmtn/appliances/

----------

## fleed

colinux is probably a good option too, faster than vmware and open source!

----------

## blommethomas

http://www.vmware.com/vmtn/appliances/directory/348

looks perfect for the goal I want it to be used for, but its size is 1800MB.

Furthermore I'm searching for a system which has no extra functions and it should be in fact very ordinary.

That's how I came to Fedora Core:

http://www.vmware.com/vmtn/appliances/directory/472

Too bad, there is no gentoo in this list.

----------

## sgarcia

Install your own Gentoo.

Pick ANY prebuilt VMWare image.  Download it.  Boot it from the install CD and install Gentoo over the top of whatever was there.

You can't create your own virtual machine with VMWare Player (that means you can't change the hardware), but you CAN do whatever you want with any virtual machine you have, including installing new OSes.

Keep a copy of the VM you download and make it a base for any number of VMs with different OSes that you want to attack.  Your main limitation will be how much room you have to store the images.

----------

## a7thson

*sgarcia wrote:*

> You can't create your own virtual machine with VMWare Player (that means you can't change the hardware), but you CAN do whatever you want with any virtual machine you have, including installing new OSes.

This is both true and not true, as can be seen in this thread on using VMplayer.  More details are given here outside the gentoo forums, this was a hot topic a few months ago and the methods are all over the blogosphere.  An even simpler method is to use an online VMX generator like this one.  Any and all of these methods are legal and authorized by VMware, you are breaking no laws by creating your own VMX image.  Then use vmplayer to boot an install cd with that config file set up for the machine etc.

*Quote:*

> I'd like to test all of them in which for example I gain root access through shellcode injection
>
> Can I find good documentation on this (which I did not find yet) or are there community members who have experience?
> ...

The easiest solution of all would be to use vmware-server ("emerge vmware-server"), which is free and allows you to create your own images.  Best bet, though, as mentioned, is probably to find some pre-built appliances - unless you have a special requirement/target in mind.  There are people here (including me) who would be interested to see your results against the various platforms.  You may also want to use the pax-utils to check your own assessment (just "emerge pax-utils" in Gentoo, or find the package in whatever distro you're using), as they are designed to quickly test your system in all the areas that PaX is intended to protect against, thus you can check your assessment work against theirs.

btw, also consider the hardened toolchain versus the vanilla compiler, as it adds stack-smashing protection among other things; stack-smashing attacks are one of the more common exploits of [Li/U]nix boxen. Check for example the classic Phrack 49 article "Smashing the Stack for Fun and Profit" for a decent (and highly technical) introduction to the topic.  Good luck!

----------

## gentleman

Hi folk,

Concerning the original title of this topic, I have another question. I am system administrator for a department in my university. I read books about server security and think I have good knowledge about the topic, BUT: I have damn no imagination HOW an execution of "arbitrary code" - like it is called in all the gentoo announcements - can be done. All books tell about it and say to therefore keep the software fresh, but nowhere is it said how I can test execution of such code by myself. So I would - like the author of this thread - like to set one of my own machines under "stress" (to simulate a DoS) and then go on, using e.g. a buffer overflow for a program I wrote myself.

I did not find anything on this, so perhaps someone can give me a hint.

----------

## Akkara

*Quote:*

> I have damn no imagination HOW an execution of "arbitrary code" - like it is called in all the gentoo announces - can be done.

Well, to do it successfully requires one or more bugs in an application that expose a vulnerability.

A very common class of bugs is the buffer overflow, which is simply a buffer that lacks bounds checking and is too small to hold the data that is presented to it.  That data ends up overwriting other data, causing the program to malfunction.  Occasionally the malfunction is so severe that, by carefully crafting the data sent to it, one can cause the program to do almost anything at all.

For example, this simple program:

```
#include <stdio.h>

void    message(void)
{
    printf("Hi there!\n");
}

int     main(int ac, char **av)
{
    char        buf[16];  /* <== BAD CODE do not do this */

    gets(buf);  /* <== BAD CODE do not do this: no bounds check on the input */

    printf("You entered: %s\n", buf);

    return 0;
}
```

If you run it and type something longer than 15 characters, you'll likely get a "Segmentation fault".  With carefully-crafted input that overwrites main's return address on the stack, one might get it to print "Hi there!" even though that function was never explicitly called.

Another class of bugs is the so-called script-injection type.  This type is easy to illustrate. For example, here is a short shell script that lists directories:

```
#!/bin/sh

echo -n "Directory you wish to see (ctrl-D to exit): "

while read PLACE; do
    ls $PLACE
    echo -n "Directory you wish to see (ctrl-D to exit): "
done

echo
```

If you put that in a file and run it, and type /tmp, it'll list /tmp for you.  But what if you type -l /tmp?  Now it gives a long listing, which might not have been what the script-writer intended, and it could mess up subsequent processing if this was a part of something larger.  If this is web-accessible in some way, the vulnerability is magnified because now anyone can try to poke at it.

(The fix here is to replace the ls line with ls -- "$PLACE".)
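As an added example (this is not Akkara's code and not from any project mentioned in the thread), here is a hardened counterpart in C to the two snippets above. The bounded read replaces gets(): fgets() can never write past the end of the buffer, and the function reports when the input did not fit so the caller can refuse it instead of quietly acting on a prefix. The directory is then handed to ls as an operand after "--" without going through a shell, which is the same fix as the ls -- "$PLACE" line, expressed in C. The function names read_line_bounded and build_ls_argv are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Outcome of one bounded line read. */
enum read_status { READ_OK, READ_TRUNCATED, READ_EOF };

/*
 * Read one line into buf (size bytes) without ever writing past its end.
 * fgets() stops after size-1 characters, unlike gets(). If the line did not
 * fit, the rest of it is drained from the stream and READ_TRUNCATED is
 * returned, so the caller knows it was handed a prefix and can refuse it
 * instead of silently acting on it.
 */
enum read_status read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (fgets(buf, (int)size, in) == NULL)
        return READ_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* strip the newline, keep the data */
        return READ_OK;
    }

    /* No newline in the buffer: the line either fit exactly, ended at EOF,
     * or was longer than the buffer. Look at the next character to tell. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;
    while (c != '\n' && c != EOF)     /* discard the over-long remainder */
        c = fgetc(in);
    return READ_TRUNCATED;
}

/*
 * Build the argument vector for listing `place`. No shell is involved, so
 * $(...) and similar have no meaning, and "--" makes ls treat everything
 * after it as an operand: "-l /tmp" becomes a (nonexistent) file name,
 * not an option. Returns the number of arguments before the NULL.
 */
int build_ls_argv(const char *place, const char *argv[4])
{
    argv[0] = "ls";
    argv[1] = "--";
    argv[2] = place;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    char place[64];
    const char *argv[4];

    fputs("Directory you wish to see (ctrl-D to exit): ", stdout);
    fflush(stdout);

    switch (read_line_bounded(place, sizeof place, stdin)) {
    case READ_EOF:
        return 0;
    case READ_TRUNCATED:
        fprintf(stderr, "input longer than %zu bytes rejected\n", sizeof place - 1);
        return 1;
    case READ_OK:
        break;
    }

    build_ls_argv(place, argv);
    execvp(argv[0], (char *const *)argv);   /* only returns if it failed */
    perror("execvp");
    return 1;
}
```

Typing -l /tmp at the prompt now makes ls complain about a file literally named "-l /tmp", and a line longer than 63 bytes is rejected rather than truncated or, as with gets(), written over whatever sits next to the buffer on the stack.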

----------

## user124

*Akkara wrote:*

> Another class of bugs of the so-called script-injection type. This type is easy to illustrate. For example, here is a short shell-script that lists directories:
>
> ```
> ...
> ```

hmm..i wonder what happens if you input "$(rm -r /)" for $PLACE ^^

----------

## gentleman

*Akkara wrote:*

> ```
> #include <stdio.h>
> ...
> ```

Hey, thanks for the replies. But is it therefore not necessary to know the exact program code to know where memory is taken? Oh no, let me guess. If you once have the binary, you can execute strace on it to get memory positions, or even get them by decompiling the binary??

----------

## mzet

blommethomas,

If you want to hack gentoo boxes, I recommend trying out the excellent wargames at http://pulltheplug.org/wargames/index.html . Vortex is about hacking a "normal" system, whereas Blacksun is about hacking a Gentoo Hardened system. From Blacksun you can learn what "hardened" really means from an attacker's point of view, I guess.

Regards,

mzet

----------

