Remote Exploit Overview

links: ED TOC - Remote Exploit - Index


Intro

Remote exploits target applications on another computer via a network. Unlike local exploits, which reach the target program through its arguments, files, or environment variables on the same machine, remote exploits reach it through network packets. In theory the two are similar; in practice the network component changes how an exploit is delivered, how the target behaves between attempts, and how the payload communicates with the attacker. These attacks send crafted data to the target server, usually to execute arbitrary code or to disrupt service.

Key Takeaways:

  • For exploiting purposes, the target process behaves consistently.
  • Exploitation is deterministic, meaning repeated actions yield the same results.
  • Crashing the server often just restarts it (or, in a forking server, kills only the child handling that connection), so a failed attempt does not end the exploitation and there are multiple tries.

Architecture

Remote exploit architecture generally follows a client-server model:

  • Client-Server Interaction: The server listens on a network port for incoming connections. Upon receiving a connection (finished TCP handshake), it forks a child process to handle the client while the parent process continues to listen for new connections. This setup allows multiple clients to be served simultaneously.

Parent Process and Child Process

Parent Process: The main server process that waits for client connections. When a client connects, the parent process accepts the connection and forks a child process.

int serverSocket, newServerSocket;   /* serverSocket: already created with socket() and bind() earlier */
struct sockaddr_in cli_addr;
socklen_t clilen = sizeof(cli_addr);
pid_t pid;

listen(serverSocket, 5);
while (1) {
    newServerSocket = accept(serverSocket, (struct sockaddr *)&cli_addr, &clilen);
    if (newServerSocket < 0)
        continue;                         /* accept() failed; keep listening */
    pid = fork();
    if (pid == 0) {
        /* Child: serves this one client, then exits */
        close(serverSocket);              /* the child does not need the listening socket */
        doprocessing(newServerSocket);
        exit(0);
    } else {
        /* Parent: drops its copy of the client socket and returns to accept() */
        close(newServerSocket);
    }
}

In this code, fork() creates an exact copy of the parent process, memory layout included. In the child, fork() returns 0; in the parent it returns the child's PID. So pid == 0 means we are in the child process, which is the one that talks to the client.
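The key takeaways above (consistent behaviour, deterministic exploitation, crashes that cost only one child) follow directly from this fork-per-connection design. The following added example, which is not code from the original page, forks a child the same way the accept loop does and compares the addresses of a global buffer, a heap block and a stack variable as seen by parent and child. The function and variable names (child_layout_matches_parent, request_buffer) are mine; the child reports its view over a pipe so the parent can check it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Stands in for the server's global request buffer (.bss). */
static char request_buffer[1024];

/*
 * Fork a child as the listening parent does for every connection, let the
 * child report the addresses it sees for a global, a heap allocation and a
 * stack variable, and compare them with the parent's own view.
 * Returns 1 if all three addresses match, 0 if any differ, -1 on error.
 */
int child_layout_matches_parent(void) {
    int fds[2];
    if (pipe(fds) == -1)
        return -1;

    void *heap_block = malloc(64);        /* allocated before fork(), so inherited */
    if (heap_block == NULL)
        return -1;

    pid_t pid = fork();
    if (pid == -1)
        return -1;

    if (pid == 0) {
        /* Child: report what it sees, then leave without touching stdio buffers. */
        uintptr_t view[3] = {
            (uintptr_t)request_buffer,    /* global  */
            (uintptr_t)heap_block,        /* heap    */
            (uintptr_t)&fds[0],           /* stack: a local of this very frame */
        };
        close(fds[0]);
        if (write(fds[1], view, sizeof view) != (ssize_t)sizeof view)
            _exit(1);
        close(fds[1]);
        _exit(0);
    }

    /* Parent: read the child's view and compare with its own. */
    close(fds[1]);
    uintptr_t child_view[3];
    ssize_t got = read(fds[0], child_view, sizeof child_view);
    close(fds[0]);
    waitpid(pid, NULL, 0);

    int same = got == (ssize_t)sizeof child_view
            && child_view[0] == (uintptr_t)request_buffer
            && child_view[1] == (uintptr_t)heap_block
            && child_view[2] == (uintptr_t)&fds[0];
    free(heap_block);
    return same;
}

int main(void) {
    int r = child_layout_matches_parent();
    printf("child sees the same global/heap/stack addresses as parent: %s\n",
           r == 1 ? "yes" : (r == 0 ? "no" : "error"));
    return r == 1 ? 0 : 1;
}
```

The result is "yes" on any POSIX system: fork() duplicates the address space as is, so every child serving a connection starts from the parent's exact layout, and a child that crashes takes nothing away from the parent that keeps accepting. This is why a forking server is a predictable target. Servers that execute a fresh binary per connection (fork followed by exec) or re-randomize their layout for each child do not give that consistency, which is the design choice a defender should look for.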

Child Process: The forked process that handles the client connection. It performs the necessary processing and then exits.

void doprocessing(int clientSocket) {
    char buffer[1024];
    ssize_t n;
    printf("Client connected\n");
    /* Read one request; leave a byte free so the data can be NUL-terminated */
    n = read(clientSocket, buffer, sizeof(buffer) - 1);
    if (n > 0) {
        buffer[n] = '\0';
        handleData(buffer);               /* application-specific processing of the request */
    }
    close(clientSocket);
}

Payload Delivery

Remote exploits deliver payloads through network packets. Common payloads include:

  • Local server with shell: The server listens for connections on a specified port, and when the client connects, a shell is executed.
  • Connect-back shell: The client listens for incoming connections, and the server connects back to the client to execute a shell.

Execution Methods:

Local Server: The target server runs a shell listening on a port. The attacker connects to this port to interact with the shell.

[Image: local_server_shell.png]

Connect-Back: The attacker’s machine listens on a port, and the target server connects back, establishing a shell session.

[Image: connect-back_shell.png]

Connection Reuse: The existing connection is reused to execute shellcode directly.

[Image: cennection-reuse_shell.png]

Example Implementations:

  • Netcat: A versatile networking tool that can connect to sockets and transfer data. It is commonly used to send and receive payloads.
  • Scripts: Languages like Python, Perl, and Ruby can be used to write custom exploits that connect to the target server and deliver payloads.
