Yandex Dzen.

What is an exploit and how hackers use it

Greetings. Who hackers are and what they do has been discussed many times already; we will not repeat it, especially since it is openly covered online and in films. Hacker methods and types of attack are numerous, so, to avoid turning this article into a hodgepodge, we single out one that is still popular with black-hat hackers in 2020. I will not try to keep up the suspense: we will be talking about exploits.

As an introduction, understand that an exploit is a piece of computer code (a compiled program, and not only that, as explained below) that uses a vulnerability on the victim's side. The goals then branch out: gaining access, "hanging" a server, or disruption. If the reader has come across the words "DoS attack", know that, by the author's estimate, in about 85% of such cases hackers used exploits. The name, translated from English, means "to use something", or "to exploit", hence the word "exploit".

These programs (we will call exploits "programs", although that is not strictly accurate) are divided by target: exploits for Windows, Linux and other operating systems; exploits for other software; and so on.

I think readers want to understand how this magic program manages to break in, hang a server and give its "master" access to someone else's server. Let us first clear up why calling it a program is not accurate. The point is that an exploit is not only a compiled file but can also be plain text: even a notepad file describing how to hack "the system" is already an exploit. I understand this is the easiest thing to misunderstand, but it is so: if you open a text editor and write out how to "have fun" with some server, that too is an exploit. Still, to add some variety to the article, we will sometimes use the word "program". Moreover, such exploits do come in the form of programs written in "any" language. Hackers are often former programmers who used to hunt for bugs in software, so such people are fluent in C/C++, Perl and the like. The work of such programs comes down to buffer overflows, SQL injection, bogus requests to a site, and so on.


Sometimes a whole sequence of programs is used, when the task turns out to be "complicated".

Searching for and downloading ready-made exploits, even on the open Internet, may well be illegal, and the author certainly does not recommend looking for such programs on the darknet.

So, now that an understanding of exploits has settled in, let us move on to some "virtual practice". Suppose the following situation: a man lives in Voronezh who regularly flies to Moscow and there courts a married lady. The deceived husband, unable to catch the lover in the act, decides on revenge, but remotely. For this the husband needs access to the scoundrel's computer. Without going into details, we state the fact: it became known which browser the cunning rival uses. Fortunately for the tech-savvy husband, that browser has a vulnerability. It remains only to get the lover to run code which, without the user's knowledge, downloads malware on the side. The husband writes an email in his wife's name and sends it to the lover. The result is predictable: he opens the letter, and the code is already at work.

The well-known exploit kits are: Angler (a complex kit that operates in memory); Neutrino (a Russian creation written in Java, priced at 34 thousand dollars); and Blackhole Kit (which targets the Chrome, Internet Explorer (the "donkey" in Russian slang) and Firefox browsers).


Hello, Habr readers. Ahead of the start of the course "Linux Administrator. Professional", our expert Alexander Kolesnikov has prepared an interesting article that we gladly share with you. We also invite future students and anyone interested to an open lesson on "Methods and tools for debugging Bash shell scripts".

The Linux operating system has shown the world the full power of open-source projects: thanks to it we can look into the source code of a working OS and build our own system on top of it for specific tasks. Because of its openness, Linux was expected to become the most secure operating system in the world, since open source lets anyone develop and improve the subsystems that protect the OS from attack, and improve the OS itself. Indeed, a large number of community-created protections exist today: it is no longer as easy to exploit a buffer-overflow class vulnerability to gain elevated privileges as it was 20 years ago. Nevertheless, exploits that elevate user privileges even on the latest kernel versions can still be found in the public domain. In this article we look at how such exploits work and why this is possible. We will go through the main components of an exploit and examine how some of them work.

All information provided was collected exclusively for informational purposes.

Types of exploits

Let us settle on a general definition of what an exploit is: an algorithm that violates the normal functioning of the operating system, specifically its access-separation mechanisms. We also introduce the concept of a vulnerability: a software defect that an exploit's algorithm can make use of. Without a vulnerability, an exploit cannot exist.

Let us introduce a classification of exploits. The basic division of exploits into subgroups for any operating system begins at the architecture level. Today's operating systems use at least two privilege levels in their operation. Below is a figure that clearly shows the separation of privileges (figure source linked in the original).

The figure shows that the operating system has a kernel (kernel space), which is usually the most privileged mode and is what we commonly mean by "the operating system". The second level is user space: the ordinary applications and services we use every day run here.

Historically, vulnerabilities for which an exploit can be written have been found at each of these levels, but an exploit at each level has its own limitations.

At the user level, an exploit against an application gets exactly the privileges of the user who launched the vulnerable application. This type of exploit therefore gives full control of the OS only if the application was launched by the system administrator. In contrast, if kernel-level code contains a vulnerability, an exploit can immediately gain maximum privileges over the operating system. Below we focus on exploits of this kind.


Here are some brief statistics on disclosed vulnerabilities in the Linux kernel for the Debian, SUSE, Ubuntu and Arch Linux distributions over the last four years.

(Data source linked in the original.) The figure does not claim to be complete, but it shows that there are many vulnerabilities, and even today there is plenty to choose from when building an exploit. Let us try to describe what an exploit consists of.

Any exploit, for any level of the operating system, today consists of parts that must be implemented in its code:

  1. Preparatory operations:

    1) setting up the required memory layout

    2) creating the necessary objects in the OS

    3) bypassing the OS protection mechanisms that guard the vulnerable code

  2. Calling the vulnerable part.

  3. Executing a payload:

    1) to open access to the OS

    2) to change the configuration of the OS

    3) to take the system down

When all of the items listed above are implemented, the result is a working exploit. Let us take several exploits from past years and try to find out whether there are regularities or borrowings that are used to violate access separation in the Linux operating system. As objects of study we take exploits for the following vulnerabilities, identified by CVE: CVE-2020-8835 and CVE-2020-27194, both in the eBPF subsystem.



Exploit analysis

CVE-2020-8835 affects the Linux kernel starting from version 5.5.0. The vulnerability is in the implementation of eBPF. This technology was designed so that a user can create custom handlers for filtering network traffic. The main filtering component is a virtual machine with its own instruction set. The code executed by this virtual machine lives in the kernel, so an error in that code gives an attacker the ability to work with memory at maximum privilege. In the case of the vulnerability described here, the problem was that the verifier did not correctly track the bounds of 32-bit operations, so a BPF program could read and write data in kernel memory.

How the author of the exploit uses this vulnerability, and what payload is executed, we consider next.

Preparatory stage

The following fragment of the code is responsible for this stage.

Line 394 creates an object in memory that will hold the eBPF instructions. Line 400 loads into memory the code that will be executed by the virtual machine and will violate the conditions for handling 32-bit instructions. Memory preparation is now complete; the following lines create a socket object through which the loaded BPF program will be invoked. After that, the vulnerability is triggered.

Calling the vulnerable code

Calling the vulnerable code, or more precisely working with the virtual machine's instructions, occupies lines 423 to 441. The main task of this code is to obtain the base address of a structure in memory, in this case the process heap. Once these instructions have executed, the exploit is able to locate the data the operating system uses to enforce access separation. In Linux this data is stored in the task_struct structure.


The payload of this exploit is that, after it runs, a process with root privileges can be launched. To achieve this, the exploit modifies fields of the Linux kernel structure cred, which is referenced from task_struct. The source of struct cred can be found in the kernel tree (link in the original).

The modification of the struct cred fields can be seen on lines 472, 473 and 474: the UID, GID and SGID of the created process are reset to the identifier values that root normally has (0). The method is very similar to the one used in attacks on the Windows operating system.

You can protect yourself without updating the OS by changing the following setting: sudo sysctl kernel.unprivileged_bpf_disabled=1 . This forbids unprivileged users from loading BPF programs at all; note that once set to 1 the value cannot be changed back to 0 without a reboot, and to survive reboots it must also be written to a file under /etc/sysctl.d/.

CVE-2020-27194 is again a vulnerability in eBPF; it affects kernel versions 5.8.*. The creators of this technology joke that BPF is "JavaScript for the kernel". In fact, that judgement is not far from the truth: the virtual machine really does process its instructions using JIT technology, which brings all the vulnerability classes typical of browsers into the operating system kernel, meaning that the protection subsystem is hard to configure to protect this code. The vulnerability under consideration allows any region of RAM to be modified from the virtual machine's code, apparently because the virtual machine handles 64-bit operations unsafely. It is entirely analogous to the vulnerability we considered above.

The exploit designed for this vulnerability performs the same operations as the exploit for CVE-2020-8835. Its algorithm is as follows:

  1. Load code that performs the 64-bit operations.

  2. Create a socket and send data through it to invoke the eBPF program.

    1) Find the address of the task_struct structure in memory by executing instructions in the virtual machine.

  3. Modify the UID, GID and SGID values and launch an interactive shell.

The author wrote the source code with new tricks and additional features. We suggest the reader examine the code for themselves; with the stages listed above it will not be confusing.

Protection against this vulnerability without installing updates is the same: sudo sysctl kernel.unprivileged_bpf_disabled=1
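Both exploits above share the same skeleton (create kernel objects, load a BPF program, attach it to a socket, trigger it with a write, then act on the result), and both are neutralised by the same sysctl. The following C program is an added example, not code from the article or from either exploit's author: it performs exactly that benign skeleton with a harmless socket filter that only increments a counter in an array map, so you can see from user space what the loading path looks like and how the mitigation shows up. The raw bpf(2) wrapper, the instruction encoder and the function names build_counter_prog and run_demo are this example's own assumptions; no verifier-confusing instructions are included.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

#ifndef SO_ATTACH_BPF
#define SO_ATTACH_BPF 50
#endif

#define PROG_INSNS 11

/* Thin wrapper around the raw bpf(2) syscall (no libbpf dependency). */
static long sys_bpf(int cmd, union bpf_attr *attr)
{
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

/* Encode one eBPF instruction (assumed helper, mirrors struct bpf_insn). */
static struct bpf_insn insn(__u8 code, __u8 dst, __u8 src, __s16 off, __s32 imm)
{
    struct bpf_insn i = { .code = code, .dst_reg = dst, .src_reg = src, .off = off, .imm = imm };
    return i;
}

/* Benign socket filter: lock-add 1 to the u64 at key 0 of an array map,
 * then return 0 (drop the packet). Returns the instruction count. */
int build_counter_prog(struct bpf_insn *p, int map_fd)
{
    int n = 0;
    /* r1 = map_fd: ld_imm64 with BPF_PSEUDO_MAP_FD occupies two slots */
    p[n++] = insn(BPF_LD | BPF_DW | BPF_IMM, BPF_REG_1, BPF_PSEUDO_MAP_FD, 0, map_fd);
    p[n++] = insn(0, 0, 0, 0, 0);
    /* *(u32 *)(r10 - 4) = 0: the lookup key lives on the BPF stack */
    p[n++] = insn(BPF_ST | BPF_MEM | BPF_W, BPF_REG_10, 0, -4, 0);
    /* r2 = r10; r2 += -4 */
    p[n++] = insn(BPF_ALU64 | BPF_MOV | BPF_X, BPF_REG_2, BPF_REG_10, 0, 0);
    p[n++] = insn(BPF_ALU64 | BPF_ADD | BPF_K, BPF_REG_2, 0, 0, -4);
    /* r0 = map_lookup_elem(r1, r2) */
    p[n++] = insn(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem);
    /* if (r0 == NULL) goto out; the verifier rejects the program without this */
    p[n++] = insn(BPF_JMP | BPF_JEQ | BPF_K, BPF_REG_0, 0, 2, 0);
    /* lock *(u64 *)(r0 + 0) += 1 */
    p[n++] = insn(BPF_ALU64 | BPF_MOV | BPF_K, BPF_REG_1, 0, 0, 1);
    p[n++] = insn(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_0, BPF_REG_1, 0, 0);
    /* out: r0 = 0; exit */
    p[n++] = insn(BPF_ALU64 | BPF_MOV | BPF_K, BPF_REG_0, 0, 0, 0);
    p[n++] = insn(BPF_JMP | BPF_EXIT, 0, 0, 0, 0);
    return n;
}

/* Returns 1 if the program loaded, attached and ran (counter == 1);
 * 0 if the kernel refused it with EPERM/EACCES (unprivileged_bpf_disabled=1,
 * a seccomp policy, or RLIMIT_MEMLOCK on kernels before 5.11); -1 otherwise. */
int run_demo(void)
{
    union bpf_attr attr;
    struct bpf_insn prog[PROG_INSNS];
    char log[4096];
    int map_fd, prog_fd, socks[2], rc = -1;
    __u32 key = 0;
    __u64 count = 0;

    /* Stage 1: create the kernel object (one-entry array map of u64). */
    memset(&attr, 0, sizeof(attr));
    attr.map_type = BPF_MAP_TYPE_ARRAY;
    attr.key_size = sizeof(__u32);
    attr.value_size = sizeof(__u64);
    attr.max_entries = 1;
    map_fd = sys_bpf(BPF_MAP_CREATE, &attr);
    if (map_fd < 0)
        return (errno == EPERM || errno == EACCES) ? 0 : -1;

    /* Stage 1 (continued): load the program; the verifier runs here. */
    int n = build_counter_prog(prog, map_fd);
    memset(&attr, 0, sizeof(attr));
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insns = (__u64)(unsigned long)prog;
    attr.insn_cnt = n;
    attr.license = (__u64)(unsigned long)"GPL";
    attr.log_buf = (__u64)(unsigned long)log;
    attr.log_size = sizeof(log);
    attr.log_level = 1;
    prog_fd = sys_bpf(BPF_PROG_LOAD, &attr);
    if (prog_fd < 0) {
        rc = (errno == EPERM || errno == EACCES) ? 0 : -1;
        if (rc < 0) fprintf(stderr, "verifier log:\n%s\n", log);
        close(map_fd);
        return rc;
    }

    /* Stage 2: attach to the receiving end of a UNIX datagram socketpair and
     * trigger the program with a single write, as the exploits do. */
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks) < 0) { close(prog_fd); close(map_fd); return -1; }
    if (setsockopt(socks[1], SOL_SOCKET, SO_ATTACH_BPF, &prog_fd, sizeof(prog_fd)) == 0 &&
        write(socks[0], "x", 1) == 1) {
        /* Stage 3: observe the effect through the map the program touched. */
        memset(&attr, 0, sizeof(attr));
        attr.map_fd = map_fd;
        attr.key = (__u64)(unsigned long)&key;
        attr.value = (__u64)(unsigned long)&count;
        if (sys_bpf(BPF_MAP_LOOKUP_ELEM, &attr) == 0)
            rc = (count == 1) ? 1 : -1;
    }
    close(socks[0]); close(socks[1]); close(prog_fd); close(map_fd);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 1) puts("BPF program ran from user space: counter == 1");
    else if (rc == 0) puts("bpf() refused with EPERM: unprivileged BPF is disabled here");
    else printf("unexpected failure: %s\n", strerror(errno));
    return rc < 0;
}
```

Run it as an unprivileged user. With kernel.unprivileged_bpf_disabled=0 it prints the counter line, showing that creating maps, loading a program and triggering it from a socket write needs no privileges at all, which is why a verifier bug is immediately a local privilege escalation. With the article's mitigation set to 1, the very first bpf() call fails with EPERM before any instruction reaches the verifier, which is exactly what takes both exploits off the table.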

What is the result?

Based on the two exploits considered in this article, one may conclude that privilege escalation in a modern Linux OS is no longer dark programming magic but a fully templated process built on reusing functions and objects already present in memory. It is not even necessary to write position-independent code (shellcode) to perform most of the actions: it is enough to change the identifiers that assign privileges to users.


What is an exploit?

During development, protection mechanisms against hackers are built into all programs and networks, like locks that prevent unauthorised entry. A vulnerability is like an open window, through which it is not hard for an attacker to climb in. In the case of a computer or network, attackers can install malicious software by using a vulnerability in order to take control of or infect the system for their own mercenary purposes, with the corresponding consequences. Most of this happens without the user's knowledge.

How do exploits arise?

Exploits arise from errors in the software development process that leave vulnerabilities in a program's protection, which cybercriminals successfully use to gain unlimited access to the program itself and, through it, to the whole computer. Exploits are classified by the type of vulnerability the hacker uses: zero-day, DoS, spoofing or XSS. Of course, developers will soon release security updates to fix the discovered defects, but until then the program remains vulnerable to intruders.

How to recognise an exploit?

Since exploits use gaps in a program's security mechanisms, an ordinary user has almost no chance of detecting them. That is why it is extremely important to keep installed programs up to date, and in particular to install the security updates released by developers promptly. If a developer releases a security update to fix a certain vulnerability in its software but the user does not install it, the program unfortunately remains exposed to that vulnerability.

How to eliminate an exploit?

Since exploits are a consequence of defects in the software, fixing them is the direct responsibility of the developers, so the authors have to prepare and ship fixes. However, the responsibility for keeping installed programs up to date and promptly installing update packages, so as not to give hackers a chance to use vulnerabilities, lies entirely with the user. One way not to miss the latest updates is to use an application manager that ensures all installed programs are updated, or, better still, a tool that automatically finds and installs updates.

How to stop hackers from using vulnerabilities in third-party programs
  • Make sure you have installed the latest security updates and patches for all programs.
  • To stay safe online and keep up with events, install all updates as soon as they are released.
  • Install and use a premium antivirus that can automatically update the installed programs.
Protect yourself from exploits

Rely on common sense and follow the basic rules of safe behaviour on the Internet. Hackers can only take advantage of a vulnerability if they manage to reach your PC. Do not open attachments in suspicious messages and do not download files from unknown sources. Keep installed programs up to date and install security updates promptly. If you want to make this task as simple as possible, download Avast Antivirus, which not only provides reliable protection against all types of malware but also helps install the latest updates for third-party programs.
