4040-840 Security and Trust

all-inOne, section 4.

4. Intruders

The issue 1: https://buildsecurityin.us-cert.gov/swa/presentations_032011/CharlesHenderson-2011GlobalSecurityStatsAndTrends.pdf

The issue 2: http://www.cert.org/research/2010research-report.pdf

Page 111

CERT" The goal is to execute code, which was not intended to execute?

How do you know that your system is not compromised?

--: Before a break in
--: After a break in

4.1. After a Break in

Files could have been modified

--: User files
--: System files

What could have been changed?

--: s-bit
--: libs
--: start up files
--: Configuration files

Can we find out what has changed?

--: Comparison to an un-compromised system?

4.2. Solution - Maybe Not

Re-install: System files

--: system files
--: system libraries
--: system configuration files

What is happening to user files?
Local Libraries
Local tools, etc
Hash Values?

4.3. Example

Assumption: User is using X Window System
The X Window Systems Idea:

From: (Mon Jan 15 10:33:29 EST 2007) Hr -url http://en.wikipedia.org/wiki/X_Window_System http://en.wikipedia.org/wiki/X_Window_System

xrdb (X resource database manager) is used for accessing the X resources of a server.
Resources are:

--: Color
--: Font
--: Icons
--: Functionality

,Ip editres - resource tree structure

4.4. Xt - Motif - Athena - et all

From X11 man Page

RESOURCE_MANAGER root window property: Any global resources that should be available to clients on all machines should be stored in the RESOURCE_MANAGER property on the root window of the first screen using the xrdb program. This is frequently taken care of when the user starts up X through the display manager or xinit.
SCREEN_RESOURCES root window property: Any resources specific to a given screen (e.g. colors) that should be available to clients on all machines should be stored in the SCREEN_RESOURCES property on the root window of that screen. The xrdb program will sort resources automatically and place them in RESOURCE_MANAGER or SCREEN_RESOURCES, as appropriate.
application-specific files: Directories named by the environment variable XUSERFILESEARCHPATH or the environment variable XAPPLRESDIR (which names a single directory and should end with a '/' on POSIX systems), plus directories in a standard place (usually under /usr/X11R6/lib/X11/, but this can be overridden with the XFILESEARCHPATH environment variable) are searched for for application-specific resources. For example, application default resources are usually kept in /usr/X11R6/lib/X11/app-defaults/. See the X Toolkit Intrinsics - C Language Interface manual for details.
XENVIRONMENT: Any user- and machine-specific resources may be specified by setting the XENVIRONMENT environment variable to the name of a resource file to be loaded by all applications. If this variable is not defined, a file named $HOME/.Xdefaults-hostname is looked for instead, where hostname is the name of the host where the application is executing.
-xrm resourcestring: Resources can also be specified from the command line. The resourcestring is a single resource name and value as shown above. Note that if the string contains characters interpreted by the shell (e.g., asterisk), they must be quoted. Any number of -xrm arguments may be given on the command line.

4.5. Examples

Example 1:

--

C source code:

 1      #include <X11/Intrinsic.h>
 2      #include <X11/StringDefs.h>     
 3      #include <X11/Xaw/Command.h>
 4      #include <X11/Xaw/Form.h>
 5      
 6      void main(int argc, char ** argv) {     Widget topLevel, button, knopf;
 7                                              /* Klassenname: Ex_1            */
 8              topLevel = XtInitialize(argv[0], "Ex_1", NULL, 0,
 9                                     &argc, argv);
10              button       = XtCreateManagedWidget("button", formWidgetClass, 
11                                                   topLevel, NULL,    0);
12              knopf       = XtCreateManagedWidget("this is the button",
13                                                   commandWidgetClass,        
14                                                   button, NULL,      0);
15              XtRealizeWidget(topLevel);
16                                              /*  Loop for events.            */
17              XtMainLoop();
18      }

Source Code: Src/7/ex_1.c

--

Resource file

 1      !
 2      ! Resource file for ex_1
 3      ! 
 4      #ifdef Class
 5              Ex_1.title:  class: ex_1
 6      #else
 7              Ex_1.title:  program: ex_1
 8      #endif
 9      Ex_1.width:  300
10      Ex_1.height: 300
11      Ex_1.box.this is the button.bitmap: mensetmanus
12      Ex_1.box.this is the button.label:  Press Me
13      Ex_1.box.this is the button.x:      10
14      Ex_1.box.this is the button.y:      10
15      Ex_1.box.this is the button.width:  100
16      Ex_1.box.this is the button.height: 50

Source Code: Src/7/Ex_1.rdb

--

Use:

% ex_1
% xrdb -load Ex_1.rdb
% ex_1

Example 2:

--

Add xhost + to .bashrc or eq.

--

Was:

 1      XTerm*VT100*translations: #override \n\
 2       Shift <KeyPress> Prior:        scroll-back(1,halfpage) \n\
 3        Shift <KeyPress> Next:        scroll-forw(1,halfpage) \n\
 4      Shift <KeyPress> Select:        select-cursor-start() \n\
 5      Shift <KeyPress> Insert:        insert-selection(PRIMARY, CUT_BUFFER0) \n\
 6              ~Meta<KeyPress>:        insert-seven-bit() \n\
 7               Meta<KeyPress>:        insert-eight-bit() \n\
 8              Ctrl <Btn1Down>:        popup-menu(mainMenu) \n\
 9         Lock Ctrl <Btn1Down>:        popup-menu(mainMenu) \n\
10             ~Meta <Btn1Down>:        select-start() \n\
11           ~Meta <Btn1Motion>:        select-extend() \n\
12              Ctrl <Btn2Down>:        popup-menu(vtMenu) \n\
13         Lock Ctrl <Btn2Down>:        popup-menu(vtMenu) \n\
14       ~Ctrl ~Meta <Btn2Down>:        ignore() \n\
15         ~Ctrl ~Meta <Btn2Up>:        insert-selection(PRIMARY, CUT_BUFFER0) \n\
16              Ctrl <Btn3Down>:        popup-menu(fontMenu) \n\
17         Lock Ctrl <Btn3Down>:        popup-menu(fontMenu) \n\
18       ~Ctrl ~Meta <Btn3Down>:        start-extend() \n\
19           ~Meta <Btn3Motion>:        select-extend() \n\
20                      <BtnUp>:        select-end(PRIMARY, CUT_BUFFER0) \n\
21                    <BtnDown>:        bell(0)

Source Code: Src/7/Xterm

--

Is:

 1      !
 2      ! Resource file for funny things
 3      ! 
 4      *title: nicht wundern
 5      *bitmap: tie_fighter

Source Code: Src/7/myXterm

4.6. Before a Break in

Physical Attacks
Social Engineering
Sniffing
Spoofing and Session Hijacking
Denial-of-Service (DoS) Attacks

4.7. Input Paths

Hardware: Network, Blue Tooth, Keyboard, and Mouse
Software: Servers, Services, Mail reader, opening von files
Social Engineering
http://www.spiegel.de/netzwelt/tech/0,1518,461827,00.html
Worm:

--: self-replicating computer program
--: does not need to attach itself to an existing program

Virus

--: reproduce
--: hide themselves inside other programs to be executed

4.8. Virus

Boot sector viruses

--: 1. sector on a disk

Email viruses

e-mail messages as a mode of transport

Logic bombs and time bombs

--: until specific conditions are met

Macro viruses

--: scripting languages for programs such as Word and Excel
--: is spread by infecting documents and spreadsheets

Sentinels

--: sleeper
--: remote access

4.9. Hardware - Drivers

Possible Attacks: Hard to do, because most drivers are extensively tested
If successful, the code can be executed in the OS, this means everything is open

4.10. Software

Attachments and opening of files

--: Most Files are having programs in them - evaluated
--: Can a PDF file open a file?
--: Can a ps file open a file?

4.11. System Calls versus Library Calls

Library calls can be substituted
Library calls can be substituted during run time

--: Dynamic linking

Library Calls can be substituted during compile time

--: Static linking

System Calls can not be substituted

--: System Call are parts of the OS
--: System calls can not be modified
--: Arguments to system calls can be modified

4.12. System call

[picture]

A system call creates an interrupt.

The following happens, if a trap statement will be executed:

1.   The process mode changes from user to kernel mode.
2.   The user process will be changed into a kernel process.
3.   The process get special privileges:
     a.) to modify kernel memory pages.
     b.) to change the priority.

Questions:

Can you create a new system call?
What happens if the OS is executing a system call and a second system call arrives?

The syscall function inside the OS:

#include "../port/systab.h"

long
syscall(Ureg *aur)
{
    long ret;
    ulong sp;
    Ureg *ur;

    ur = aur;
    if(ur->psr & PSRPSUPER)
        panic("recursive system call");
    u->p->insyscall = 1;
    u->p->pc = ur->pc;

    ...
    splhi();

    u->scallnr = ur->r7;
    sp = ur->usp;

    ...

        if(sp<(USTKTOP-BY2PG) || sp>(USTKTOP-sizeof(Sargs)))
            validaddr(sp, sizeof(Sargs), 0);

        u->s = *((Sargs*)(sp+1*BY2WD));
        u->p->psstate = sysctab[u->scallnr];

        ret = (*systab[u->scallnr])(u->s.args);

    spllo();

    return ret;
}

4.13. A System Call Picture

4.14. Exploit: Morris Worm

http://ftp.cerias.purdue.edu/pub/doc/morris_worm/worm.paper http://ftp.cerias.purdue.edu/pub/doc/morris_worm/
1988
~ 6000 major VAX' affected (internet had ~ 60.000 computers connected)
GAO put the cost of the damage at $10M-100M. http://www.morrisworm.com/GAO-rpt.txt
The code: http://www.foo.be/docs-free/morris-worm/worm/
the appeal
The Helminthiasis of the Internet
Robert Tappan Morris is now an associate professor at MIT
MIT -> Cornell

4.15. What did it do?

The worm:

--: modifies argc/argv -> ps does not show password
--: Open's files and deletes them -> continue to exists
--: Connects to telnet port and terminates immedietly -> /usr/adm/messages leaves a trace (was attacked)
--: Connects to other hosts
--: If the system reboots, rm -rf /usr/tmp, /tmp;mkdir /usr/tmp, /tmp;

Sendmail attack
Fingerd attack
Rsh/Rexec attack

4.16. Buffer Overflow

Buffer Overflow: a process stores data in a buffer outside the memory the programmer reserved for it.
The buffer overflow is 'stolen' from: Smashing The Stack For Fun And Profit, by Aleph One, (the page does not exist anymore ...) http://reactor-core.org/stack-smashing.html
This technique works with other processors too, but the examples need to get adjusted.
The question is, how can a process execute unintended code.

4.17. Standard Problem Issue

One:

 1      #include <stdio.h>
 2      
 3      int main() {
 4         char buffer[2];
 5         scanf("%s", buffer);
 6         printf("buffer= -%s-\n", buffer);
 7      }

Source Code: Src/7_1/readIn_1.c

Two:

 1      #include <stdio.h>
 2      
 3      int main() {
 4         char buffer[2];
 5         int n;
 6         if ( (n = scanf("%s", buffer)) > sizeof(buffer) )
 7              printf("bad things may happen\n");
 8         printf("buffer= -%s-\n", buffer);
 9         printf("sizeof(buffer)= -%d-\n", sizeof(buffer));
10         printf("n= -%d-\n", n);
11      }

Source Code: Src/7_1/readIn_2.c Three:

 1      #include <stdio.h>
 2      
 3      int main() {
 4         char buffer[2];
 5         int index = 0;
 6      
 7         while ( index <= sizeof(buffer) ) {
 8                 printf("index= -%d-\n", index);
 9                 if ( index >= sizeof(buffer) )       {
10                      printf("something bad will happen");
11                      exit(1);
12                 }
13                 scanf("%c", &buffer[index++]);
14         }
15         printf("buffer= -%s-\n", buffer);
16      }

Source Code: Src/7_1/readIn_3.c

4.18. Process Memory Organization

Each process on a modern operating system has its own memory
A process cannot access the memory of an other process

4.19. Stack Frames

Stack

A standard frame layout allows many different languages to work together (terrible wording).
A typical stack layout:
The frame has a set of incoming arguments.
return address
local variables
outgoing argument space if a function should be called.
All locations beyond the stack pointer are considered as garbage.
The stack grows when a function is called and shrinks when the function exits.
The area devoted to the local variables, etc is called a stack frame.
How do the stack frame changes?

Parameter Passing:
--
On most machines whose calling conventions were designed in the 1970s function arguments were passed on the stack. This causes memory traffic.
--
Modern parameter passing conventions specify that the first k (k = { 4,6 }) arguments are passed in registers, the rest in memory.

Return Addresses:
When g calls f, f must eventually return. The runtime system needs to know where to go back. ( g called f at address a, the right place to return is a+1).
On 1970 machines the return address was pushed on the stack. On modern machines the return address is stored in a register.
What is the attack strategy?

4.20. Use of the Stack During Execution

The C code:

 1      void hpb_f(int a, int b, int c) {
 2         int buffer1[32];
 3         char buffer2[32];
 4         a = 5 + c;
 5         buffer1[0] = 555;
 6         buffer2[0] = 'a';
 7      }
 8      
 9      int main() {
10        hpb_f(1,2,3);
11      }

Source Code: Src/7_1/example1.c

Converted via gcc -S.

 1              .file   "example1.c"
 2              .section        ".text"
 3              .align 4
 4              .global hpb_f
 5              .type   hpb_f, #function
 6              .proc   020
 7      hpb_f:
 8              !#PROLOGUE# 0
 9              save    %sp, -272, %sp
10              !#PROLOGUE# 1
11              st      %i0, [%fp+68]
12              st      %i1, [%fp+72]
13              st      %i2, [%fp+76]
14              ld      [%fp+76], %g1
15              add     %g1, 5, %g1
16              st      %g1, [%fp+68]
17              mov     555, %g1
18              st      %g1, [%fp-144]
19              mov     97, %g1
20              stb     %g1, [%fp-176]
21              ret
22              restore
23              .size   hpb_f, .-hpb_f
24              .align 4
25              .global main
26              .type   main, #function
27              .proc   04
28      main:
29              !#PROLOGUE# 0
30              save    %sp, -112, %sp
31              !#PROLOGUE# 1
32              mov     1, %o0
33              mov     2, %o1
34              mov     3, %o2
35              call    hpb_f, 0
36               nop
37              mov     %g1, %i0
38              ret
39              restore
40              .size   main, .-main
41              .ident  "GCC: (GNU) 3.4.5"

Source Code: Src/7_1/example1.s

Stack after calling hpb_f():

4.21. Buffer Overflows

The C code:

 1      void function(char *str) {
 2         char buffer[0];
 3      
 4         strcpy(buffer,str);
 5      }
 6      
 7      int main() {
 8        char large_string[256];
 9        int i;
10      
11        for( i = 0; i < 255; i++)
12          large_string[i] = 'A';
13      
14        function(large_string);
15      }

Source Code: Src/7_1/example2.c

Execution

gcc -o example2 example2.c
tiger 7_1 103 example2
Bus Error (core dumped)
tiger 7_1 104 adb
adb: cannot modify read-only variable 'fprs'
core file = core -- program ``a.out'' on platform SUNW,A70
SIGBUS: Bus Error
$v
f8 = ffffffff
f50 = ffffffff
f9 = ffffffff
f51 = ffffffff
f52 = ffffffff
f53 = ffffffff
f54 = ffffffff
 ...

Image:

4.22. The Idea

The code:

 1      void function(int a)    {
 2      int firstV;
 3      int *ret;
 4      
 5                ret = &firstV ; /* example3.c:5: warning: assignment from incompatible pointer type   */
 6                (*ret) = 22;
 7                printf("%d\n",firstV);
 8      
 9                ret = &firstV - 8; /* this is it */
10                (*ret) = 22;
11      }
12      
13      int main() {
14      int x;
15      
16                x = 0;
17                function(42);
18                x = 1;
19                printf("%d\n",x);
20      }

Source Code: Src/7_1/example3.c

Image:
RET is 4 bytes pass the end of buffer1[].
buffer1[] is really 2 word so its 8 bytes long
4 + 8 = 12
We'll modify the return value in such a way that the assignment statement 'x = 1;' after the function call will be jumped.
when calling function() the RET will be 0x8004a8,
we want to jump past the assignment at 0x80004ab
next instruction we want to execute is the at 0x8004bb

To do so we add 8 bytes to the return address.

% gcc -S example3.c
% more example3.s
	.file	"example3.c"
	.section	".text"
	.align 4
	.global function
	.type	function, #function
	.proc	020
function:
	!#PROLOGUE# 0
	save	%sp, -144, %sp
	!#PROLOGUE# 1
	st	%i0, [%fp+68]
	st	%i1, [%fp+72]
	st	%i2, [%fp+76]
	add	%fp, -40, %g1
	add	%g1, 12, %g1
	st	%g1, [%fp-44]
	ld	[%fp-44], %i5
	ld	[%fp-44], %g1
	ld	[%g1], %g1
	add	%g1, 22, %g1
	st	%g1, [%i5]
	ret
	restore
	.size	function, .-function
	.section	".rodata"
	.align 8
	.asciz	"%d0
	.section	".text"
	.align 4
	.global main
	.type	main, #function
	.proc	020
main:
	!#PROLOGUE# 0
	save	%sp, -120, %sp
	!#PROLOGUE# 1
	st	%g0, [%fp-20]
	mov	11, %o0
	mov	222, %o1
	mov	3333, %o2
	call	function, 0
	 nop
	mov	1, %g1
	st	%g1, [%fp-20]
	sethi	%hi(.LLC0), %g1
	or	%g1, %lo(.LLC0), %o0
	ld	[%fp-20], %o1
	call	printf, 0
	 nop
	nop
	ret
	restore
	.size	main, .-main
	.ident	"GCC: (GNU) 3.4.5"

This allows to jump to execute code at any address

4.23. Execute Code -I

Execute a Shell

C code:

 1      #include <stdio.h>
 2      
 3      int main() {
 4         char *name[2];
 5      
 6         name[0] = "/bin/sh";
 7         name[1] = NULL;
 8         execve(name[0], name, NULL);
 9      }

Source Code: Src/7_1/shellCode.c

gcc -o shellCode shellCode.c 
spiegel.cs.rit.edu 7_1 153 shellCode
sh-2.05b$ exit
exit

4.24. Execute Code -II

We know how to modify the return address and flow of execution
What de we want to execute?
A shell would be a good idea for startes
How:

--: placing the code which should be execcuted in the buffer which we will overflow
--: overwrite the return address so it points back into the buffer.

We need to put code in place which we can execute

The Code is something like:

name[0] = "/bin/sh";
name[1] = NULL;
execve(name[0], name, NULL);

4.25. Finding the Bits to execute

gdb shellcode
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...
(gdb) disassemble main
Dump of assembler code for function main:
0x8000130 <main>:       pushl  %ebp
0x8000131 <main+1>:     movl   %esp,%ebp
0x8000133 <main+3>:     subl   $0x8,%esp
0x8000136 <main+6>:     movl   $0x80027b8,0xfffffff8(%ebp)
0x800013d <main+13>:    movl   $0x0,0xfffffffc(%ebp)
0x8000144 <main+20>:    pushl  $0x0
0x8000146 <main+22>:    leal   0xfffffff8(%ebp),%eax
0x8000149 <main+25>:    pushl  %eax
0x800014a <main+26>:    movl   0xfffffff8(%ebp),%eax
0x800014d <main+29>:    pushl  %eax
0x800014e <main+30>:    call   0x80002bc <__execve>
0x8000153 <main+35>:    addl   $0xc,%esp
0x8000156 <main+38>:    movl   %ebp,%esp
0x8000158 <main+40>:    popl   %ebp
0x8000159 <main+41>:    ret
End of assembler dump.
(gdb) disassemble __execve
Dump of assembler code for function __execve:
0x80002bc <__execve>:   pushl  %ebp
0x80002bd <__execve+1>: movl   %esp,%ebp
0x80002bf <__execve+3>: pushl  %ebx
0x80002c0 <__execve+4>: movl   $0xb,%eax
0x80002c5 <__execve+9>: movl   0x8(%ebp),%ebx
0x80002c8 <__execve+12>:        movl   0xc(%ebp),%ecx
0x80002cb <__execve+15>:        movl   0x10(%ebp),%edx
0x80002ce <__execve+18>:        int    $0x80
0x80002d0 <__execve+20>:        movl   %eax,%edx
0x80002d2 <__execve+22>:        testl  %edx,%edx
0x80002d4 <__execve+24>:        jnl    0x80002e6 <__execve+42>
0x80002d6 <__execve+26>:        negl   %edx
0x80002d8 <__execve+28>:        pushl  %edx
0x80002d9 <__execve+29>:        call   0x8001a34 <__normal_errno_location>
0x80002de <__execve+34>:        popl   %edx
0x80002df <__execve+35>:        movl   %edx,(%eax)
0x80002e1 <__execve+37>:        movl   $0xffffffff,%eax
0x80002e6 <__execve+42>:        popl   %ebx
0x80002e7 <__execve+43>:        movl   %ebp,%esp
0x80002e9 <__execve+45>:        popl   %ebp
0x80002ea <__execve+46>:        ret
0x80002eb <__execve+47>:        nop
End of assembler dump.

4.26. The Explanation

0x8000130 <main>:       pushl  %ebp
0x8000131 <main+1>:     movl   %esp,%ebp
0x8000133 <main+3>:     subl   $0x8,%esp

This is the procedure prelude. It first saves the old frame pointer, makes the current stack pointer the new frame pointer, and leaves space for the local variables. In this case its:

char *name[2];

or 2 pointers to a char. Pointers are a word long, so it leaves space for two words (8 bytes).

0x8000136 <main+6>:     movl   $0x80027b8,0xfffffff8(%ebp)

We copy the value 0x80027b8 (the address of the string "/bin/sh") into the first pointer of name[]. This is equivalent to:

name[0] = "/bin/sh";

0x800013d <main+13>:    movl   $0x0,0xfffffffc(%ebp)

We copy the value 0x0 (NULL) into the seconds pointer of name[]. This is equivalent to:

name[1] = NULL;

The actual call to execve() starts here.

0x8000144 <main+20>:    pushl  $0x0

We push the arguments to execve() in reverse order onto the stack. We start with NULL.

0x8000146 <main+22>:    leal   0xfffffff8(%ebp),%eax

We load the address of name[] into the EAX register.

0x8000149 <main+25>:    pushl  %eax

We push the address of name[] onto the stack.

0x800014a <main+26>:    movl   0xfffffff8(%ebp),%eax

We load the address of the string "/bin/sh" into the EAX register.

0x800014d <main+29>:    pushl  %eax

We push the address of the string "/bin/sh" onto the stack.

0x800014e <main+30>:    call   0x80002bc <__execve>

Call the library procedure execve(). The call instruction pushes the IP onto the stack.

Now execve(). Keep in mind we are using a Intel based Linux system. The syscall details will change from OS to OS, and from CPU to CPU. Some will pass the arguments on the stack, others on the registers. Some use a software interrupt to jump to kernel mode, others use a far call. Linux passes its arguments to the system call on the registers, and uses a software interrupt to jump into kernel mode.

0x80002bc <__execve>:   pushl  %ebp
0x80002bd <__execve+1>: movl   %esp,%ebp
0x80002bf <__execve+3>: pushl  %ebx

The procedure prelude.

0x80002c0 <__execve+4>: movl   $0xb,%eax

Copy 0xb (11 decimal) onto the stack. This is the index into the syscall table. 11 is execve.

0x80002c5 <__execve+9>: movl   0x8(%ebp),%ebx

Copy the address of "/bin/sh" into EBX.

0x80002c8 <__execve+12>:movl   0xc(%ebp),%ecx

Copy the address of name[] into ECX.

0x80002cb <__execve+15>:movl   0x10(%ebp),%edx

Copy the address of the null pointer into %edx.

0x80002ce <__execve+18>:int    $0x80

Change into kernel mode.

4.27. Overview

Have the null terminated string "/bin/sh" somewhere in memory.
Have the address of the string "/bin/sh" somewhere in memory followed by a null long word.
Copy 0xb into the EAX register.
Copy the address of the address of the string "/bin/sh" into the EBX register.
Copy the address of the string "/bin/sh" into the ECX register.
Copy the address of the null long word into the EDX register.
Execute the int $0x80 instruction

4.28. Excec may Be Unsucessful

What is happening if execv fails?
Execution of random data
This will be noticed

 1      #include <stdlib.h>
 2      
 3      int main() {
 4              exit(0);
 5      }

Source Code: Src/7_1/exit.c

[aleph1]$ gcc -o exit -static exit.c
[aleph1]$ gdb exit
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.15 (i586-unknown-linux), Copyright 1995 Free Software Foundation, Inc...
(no debugging symbols found)...
(gdb) disassemble _exit
Dump of assembler code for function _exit:
0x800034c <_exit>:      pushl  %ebp
0x800034d <_exit+1>:    movl   %esp,%ebp
0x800034f <_exit+3>:    pushl  %ebx
0x8000350 <_exit+4>:    movl   $0x1,%eax
0x8000355 <_exit+9>:    movl   0x8(%ebp),%ebx
0x8000358 <_exit+12>:   int    $0x80
0x800035a <_exit+14>:   movl   0xfffffffc(%ebp),%ebx
0x800035d <_exit+17>:   movl   %ebp,%esp
0x800035f <_exit+19>:   popl   %ebp
0x8000360 <_exit+20>:   ret
0x8000361 <_exit+21>:   nop
0x8000362 <_exit+22>:   nop
0x8000363 <_exit+23>:   nop
End of assembler dump.

4.29. In Short

Have the null terminated string "/bin/sh" somewhere in memory.
Have the address of the string "/bin/sh" somewhere in memory followed by a null long word.
Copy 0xb into the EAX register.
Copy the address of the address of the string "/bin/sh" into the EBX register.
Copy the address of the string "/bin/sh" into the ECX register.
Copy the address of the null long word into the EDX register.
Execute the int $0x80 instruction.
Copy 0x1 into the EAX register.
Copy 0x0 into the EBX register.
Execute the int $0x80 instruction.

4.30. The End

It is clear what to do from here

4.31. Monitoring

Standard user standard execution of system calls/libraries
After break in: this will changes
Train a NN

See Leon Reznik's research area

4.32. Conclusion

This is one small aspect
How much moeny does it cost to secure a network?
How much do you protect?
What do you protect?

--: Take CS as an example
--: Take RIT as an example
--: Take president Simone as an example