LinuxQuestions.org
Old 05-29-2009, 10:49 AM   #1
nbodorik
LQ Newbie
 
Registered: May 2009
Posts: 5

Rep: Reputation: 0
Systrace and application exploit problem! Help!


Is there anyone experienced with systrace who might be able to answer the following question?!

I am looking to run an exploit under systrace. The exploit is a ctorrent exploit
and it is found at http://www.milw0rm.com/exploits/8470. ctorrent is a torrent
application and the exploit is a python script which converts a torrent file to
a malicious torrent which, when run by ctorrent, causes a buffer overflow
attack and a Segmentation fault message appears. I have successfully run the
exploit using ctorrent and get the appropriate message, however, when I run it
using systrace while enforcing a policy I don't get the Segmentation fault
message, and I don't get any log errors, but a multitude of system calls are
being performed and the action completes.

I have also changed the policy to remove permissions of a system call which the
exploit requires, and when run under systrace -a, it logs this error and an
error message comes up saying the operation can not be performed. It seems to
me as if the action is taking place, however the Segmentation fault message
simply isn't being displayed... but this doesn't make sense to me...

Is there any information or help that you could provide me with to help me
conclude whether or not the exploit is being properly executed, and a message
just isn't being displayed?
 
Old 05-29-2009, 01:33 PM   #2
David1357
Senior Member
 
Registered: Aug 2007
Location: South Carolina, U.S.A.
Distribution: Ubuntu, Fedora Core, Red Hat, SUSE, Gentoo, DSL, coLinux, uClinux
Posts: 1,302
Blog Entries: 1

Rep: Reputation: 107
Quote:
Originally Posted by nbodorik
I am looking to run an exploit under systrace.
Your post might violate a forum rule:
  • Posts containing information about cracking, piracy, warez, fraud or any topic that could be damaging to either LinuxQuestions.org or any third party will be immediately removed.

Click here to read a complete list of forum rules.
 
Old 05-29-2009, 01:38 PM   #3
jamescondron
Member
 
Registered: Jul 2007
Location: Scunthorpe, UK
Distribution: Ubuntu 8.10; Gentoo; Debian Lenny
Posts: 961

Rep: Reputation: 70
Really? It sounds more to me the guy is trying to do a trace of what the code is doing, see what the code is exploiting. This is a security question, not a leet d00d haxx0r question.
 
Old 05-29-2009, 01:59 PM   #4
nbodorik
LQ Newbie
 
Registered: May 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Help!

Actually, I am trying to do research for a vulnerability analysis tool which is used to test the vulnerabilities of IDSs (intrusion detection systems) so it would be considered white-hat hacking. The vulnerability analysis tool tries to alter the system calls of the exploit to decrease the anomaly rate of the IDS and thus identifying the IDS weakness...

And, I am not a guy, I am a girl...

But really, any help would be greatly appreciated.
 
Old 05-29-2009, 02:13 PM   #5
jamescondron
Member
 
Registered: Jul 2007
Location: Scunthorpe, UK
Distribution: Ubuntu 8.10; Gentoo; Debian Lenny
Posts: 961

Rep: Reputation: 70
I'd love to know who wrote that 'exploit'- not even my students write python that poorly.

So break this down; you essentially need to know whether the exploit is being run or not? Why not check its exit status? Just modify the code to use exit statuses.

Of course, and this may be a stupid question, you are trying this on a 2.4 kernel with python 1.5, right?

(Sorry for the gender confusion, it's often a safe assumption, for what it's worth)
 
Old 05-29-2009, 03:10 PM   #6
nbodorik
LQ Newbie
 
Registered: May 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Hi! Thanks for replying, and unfortunately, it is often a safe assumption.

I am using a RHL9.0 with a 2.4.20 kernel rather than 27, but I made an assumption that because it is an older version that it would be OK. I am also using the correct version of python and the ctorrent application.

The exploit works by changing the contents of the torrent file, so writing an exit status in the python code itself wouldn't be helpful as it is the torrent file itself which executes the exploit... So, I am rather stuck.
 
Old 05-29-2009, 03:41 PM   #7
jamescondron
Member
 
Registered: Jul 2007
Location: Scunthorpe, UK
Distribution: Ubuntu 8.10; Gentoo; Debian Lenny
Posts: 961

Rep: Reputation: 70
Ah, I thought you meant the python ought to be seg faulting. Well, can't you trace its completion based upon whether or not the expected result happens? That is to say, is port 4444 listening?
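
Added example, not part of the original thread: the shell prints "Segmentation fault" only for a child it waited on itself, so when a program runs under a wrapper the evidence of a crash is the exit status that comes back. The sketch below assumes a constructed stand-in process that sends itself SIGSEGV and plain `sh` as a stand-in wrapper; neither is ctorrent or systrace.

```python
import signal
import subprocess
import sys

# Constructed stand-in for a crashing program: disables core dumps, then
# sends itself SIGSEGV. It is not ctorrent and exploits nothing.
CRASH = [sys.executable, "-c",
         "import os, resource, signal;"
         "resource.setrlimit(resource.RLIMIT_CORE, (0, 0));"
         "os.kill(os.getpid(), signal.SIGSEGV)"]

# Stand-in wrappers (plain sh, not systrace): one passes the child's status
# on, the other discards it.
PASS_STATUS = ["sh", "-c", '"$0" "$@"; exit $?'] + CRASH
DROP_STATUS = ["sh", "-c", '"$0" "$@"; exit 0'] + CRASH


def run(argv):
    """Run argv with output silenced and return the raw returncode."""
    return subprocess.run(argv, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


def describe(returncode):
    """Explain a returncode as reported by subprocess."""
    if returncode < 0:  # our direct child died from a signal
        return "killed by " + signal.Signals(-returncode).name
    if returncode > 128:  # shell convention: 128 + signal number
        try:
            return "exit %d, i.e. %s inside a wrapper" % (
                returncode, signal.Signals(returncode - 128).name)
        except ValueError:
            pass  # not a valid signal number, treat as a plain exit code
    return "exit %d" % returncode


if __name__ == "__main__":
    for label, argv in (("direct", CRASH),
                        ("wrapper, status passed", PASS_STATUS),
                        ("wrapper, status dropped", DROP_STATUS)):
        print("%-24s %s" % (label, describe(run(argv))))
```

The third case returns 0 even though the child crashed, so a clean exit from a wrapper is not by itself proof that the wrapped program ran to completion.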
 
  

