Hackers Tell You: A Record of Network "Overflow Attack" Offense and Defense - Vulnerability Warning - the Black Bar Safety Net

MYHACK58:62200613494
2006-12-30 00:00:00
佚名 (Anonymous)
www.myhack58.com

As networks have become widespread, large amounts of public shellcode ("overflow" code) and explanations of how overflow attacks work can be found on security web sites. This has given rise to a series of security problems: many people with only a little knowledge of network security can use ready-made attack software to easily launch an overflow attack and obtain server permissions.

1. What is an "overflow attack"?

An "overflow attack" is like pouring a lot of sand into a container full of water: the water overflows. Currently, most overflow attacks target a buffer overflow. When a buffer overflows, the excess information completely overwrites the original contents of the computer's memory; if there is no backup, that content is lost forever.

The attack programs posted online today do not merely damage files; they generally give the attacker a CMDSHELL (command line) with system permissions. How is that achieved? While the "overflow attack" replaces the file in the buffer, it also executes some illegal program and thereby obtains administrator privileges at the command line; the attacker then uses the command line to create an administrator account and take control of the computer.

2. How "overflow attacks" are carried out

In general, an intruder learns online about, or discovers, a vulnerability that can be exploited by an overflow attack, uses a vulnerability scanner (such as X-SCAN for full scans, or a single-vulnerability scanner for the IIS WebDAV hole and similar tools) to find computers and confirm that they have a remote overflow vulnerability, and then uses an Exploit (attack program) built from the published attack code to send the shellcode. Once the remote overflow succeeds, they use NC or TELNET to connect to the port opened by the overflow on the host and obtain a CMDSHELL.

For example, for the MS05039 overflow vulnerability that did so much damage some time ago, the attacker first used MS05039Scan to scan for vulnerable computers, then opened two command-prompt windows: one running NC to receive the CMDSHELL, the other running the overflow attack program. Once the attack executed, they obtained a CMDSHELL with system permissions.

3. How to defend against overflow attacks?

Speaking of protection, the first measure is to apply effective patches promptly. But what if the attacker uses an attack program for which no patch has been released yet? So patching is effective, but it is not the only method. Here is how to set up defenses against overflow attacks manually.

Step one: on Windows 2000/2003, create a user, for example "boxer", with a password preferably longer than 8 characters and mixing digits and letters. If that is still not strong enough, you can prefix the user name with a "$"; this creates a hidden account, and during an intrusion the attacker cannot use the "net user boxer password" command to change this user's password. One more point to emphasize: this user must be in the USERS group.

Step two: on Windows 2000/2003, after creating the user, open C:\WINNT\System32 (assuming the system is installed on drive C), find cmd.exe, right-click it and choose "Properties", and on the "Security" tab modify the access permissions of cmd.exe: keep only Full Control for the newly created boxer user and delete all other users, especially Everyone. Then find net.exe and set it up the same way as cmd.exe; if you also find net1.exe next to net.exe, give it the same permissions too. Once these restrictions are complete, the most basic defensive measures are in place.
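The permission change of step two can be scripted and verified instead of being clicked through for each file. The following PowerShell is an added example, not code from the original article; it assumes the account is named "boxer" and the system directory is C:\WINNT\System32 as in the article, that it runs elevated with ownership of the files, and it saves each file's SDDL first so the change can be rolled back.

```powershell
# Added example (not from the original article): restrict cmd.exe, net.exe and net1.exe
# so that only the dedicated account keeps Full Control, with an SDDL backup for rollback.
# Assumptions: account "boxer", system directory C:\WINNT\System32, script runs elevated
# and already owns the target files.
param(
    [string]$User = 'boxer',
    [string]$SystemDir = 'C:\WINNT\System32',
    [string]$BackupDir = 'C:\acl-backup'
)

$targets = 'cmd.exe', 'net.exe', 'net1.exe' |
    ForEach-Object { Join-Path $SystemDir $_ } |
    Where-Object { Test-Path $_ }           # net1.exe is not present on every system

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($path in $targets) {
    $acl = Get-Acl -Path $path

    # Save the current descriptor; restore later with
    # $acl.SetSecurityDescriptorSddlForm((Get-Content <backup>)); Set-Acl -Path $path -AclObject $acl
    $backup = Join-Path $BackupDir ((Split-Path $path -Leaf) + '.sddl')
    $acl.Sddl | Out-File -FilePath $backup -Encoding ascii

    # Stop inheriting from System32 and drop every existing ACE, Everyone included
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in $acl.Access) { [void]$acl.RemoveAccessRule($rule) }

    # Grant Full Control to the dedicated account only
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $User, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Verify: the resulting DACL should list exactly one identity
    $remaining = (Get-Acl -Path $path).Access |
        Select-Object -ExpandProperty IdentityReference
    Write-Output ("{0}: {1}" -f $path, ($remaining -join ', '))
}
```

Run it once per machine after creating the boxer account; the final line for each file should name only that account.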

On Windows XP, the "Properties" dialog of cmd.exe has no "Security" tab. Instead, click "Start→Run", enter gpedit.msc, and open the "Group Policy" window. In Group Policy, expand "Computer Configuration→Windows Settings→Software Restriction Policies", right-click it and select "Create new policies". Then continue to expand "Software Restriction Policies→Additional Rules", right-click that item and select "New hash rule". In the window that pops up, click the "Browse" button, select cmd.exe under C:\WINNT\System32, and set the "security level" to "Disallowed". Perform the same operation on net.exe to restrict it as well.

On Windows XP, once this is set, no user will be able to invoke the cmd.exe and net.exe commands. This method is only suitable as emergency protection after an overflow program has been released but before the related patch is available, and only if the user does not need to use the cmd.exe and net.exe commands. In that case this prohibition is recommended.

There is one more situation: some attackers may obtain, by other means, control over a user on the computer or over some software on it, such as an FTP service or a WEB service. In that case they can use the Windows system's own TFTP service to upload a Trojan or a local overflow program. So, finally, here is how to prevent an attacker from using TFTP: go to C:\WINNT\System32\Drivers\Etc, open the file named services with Notepad, and change the TFTP port to 0. The attacker will then be unable to transfer the overflow program with the TFTP command. Of course, for better security you can also apply the method described above to TFTP.EXE, so that only the boxer user created earlier can use the command. With the operations above, an ordinary user's computer can defend against most overflow attacks aimed at individual users.
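The services-file change described above, as an added PowerShell example that is not part of the original article: it assumes the system directory C:\WINNT\System32 used in the article, backs up the file, rewrites only the port number on tftp lines, and prints the resulting entries for verification.

```powershell
# Added example (not from the original article): set the tftp port in the services file
# to 0, as the article describes, keeping a backup and showing the result.
# Assumption: the system directory is C:\WINNT\System32 as in the article.
param([string]$SystemDir = 'C:\WINNT\System32')

$services = Join-Path $SystemDir 'Drivers\Etc\services'
$backup   = "$services.bak"

# Keep a copy so the original port can be restored if TFTP is needed again
Copy-Item -Path $services -Destination $backup -Force

# A services line looks like:   tftp    69/udp    # Trivial File Transfer
# Replace only the port number on tftp lines; protocol and comment stay intact.
$pattern = '^(tftp\s+)\d+(/(udp|tcp)\b.*)$'
$lines   = (Get-Content -Path $services) -replace $pattern, '${1}0$2'
Set-Content -Path $services -Value $lines -Encoding ascii

# Verify: every tftp entry should now carry port 0
$tftp    = $lines | Where-Object { $_ -match '^tftp\s' }
$changed = ($tftp | Where-Object { $_ -match '^tftp\s+0/' }).Count
Write-Output "tftp entries now on port 0: $changed (backup at $backup)"
$tftp
```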