Details

The Shellcoder's Handbook


Discovering and Exploiting Security Holes
2nd edition

by: Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte

€35.99

Publisher: Wiley
Format: PDF
Published: 5 November 2007
ISBN/EAN: 9780470198827
Language: English
Pages: 752

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Description

<ul> <li>This much-anticipated revision, written by the ultimate group of top security experts in the world, features 40 percent new content on how to find security holes in any operating system or application</li> <li>New material addresses the many new exploitation techniques that have been discovered since the first edition, including attacking "unbreakable" software packages such as McAfee's Entercept, Mac OS X, XP, Office 2003, and Vista</li> <li>Also features the first-ever published information on exploiting Cisco's IOS, with content that has never before been explored</li> <li>The companion Web site features downloadable code files</li> </ul>
<p>About the Authors vii</p> <p>Acknowledgments xi</p> <p>Introduction to the Second Edition xxiii</p>
<p><b>Part I Introduction to Exploitation: Linux on x86</b></p>
<p><b>Chapter 1 Before You Begin 3</b></p> <p>Basic Concepts 3</p> <p>Memory Management 4</p> <p>Assembly 6</p> <p>Recognizing C and C++ Code Constructs in Assembly 7</p> <p>Conclusion 10</p>
<p><b>Chapter 2 Stack Overflows 11</b></p> <p>Buffers 12</p> <p>The Stack 13</p> <p>Functions and the Stack 15</p> <p>Overflowing Buffers on the Stack 18</p> <p>Controlling EIP 22</p> <p>An Interesting Diversion 23</p> <p>Using an Exploit to Get Root Privileges 25</p> <p>The Address Problem 27</p> <p>The NOP Method 33</p> <p>Defeating a Non-Executable Stack 35</p> <p>Return to libc 35</p> <p>Conclusion 39</p>
<p><b>Chapter 3 Shellcode 41</b></p> <p>Understanding System Calls 42</p> <p>Writing Shellcode for the exit() Syscall 44</p> <p>Injectable Shellcode 48</p> <p>Spawning a Shell 50</p> <p>Conclusion 59</p>
<p><b>Chapter 4 Introduction to Format String Bugs 61</b></p> <p>Prerequisites 61</p> <p>What Is a Format String? 61</p> <p>What Is a Format String Bug? 63</p> <p>Format String Exploits 68</p> <p>Crashing Services 69</p> <p>Information Leakage 70</p> <p>Controlling Execution for Exploitation 75</p> <p>Why Did This Happen? 84</p> <p>Format String Technique Roundup 85</p> <p>Conclusion 88</p>
<p><b>Chapter 5 Introduction to Heap Overflows 89</b></p> <p>What Is a Heap? 90</p> <p>How a Heap Works 91</p> <p>Finding Heap Overflows 91</p> <p>Basic Heap Overflows 93</p> <p>Intermediate Heap Overflows 98</p> <p>Advanced Heap Overflow Exploitation 105</p> <p>Conclusion 107</p>
<p><b>Part II Other Platforms—Windows, Solaris, OS X, and Cisco</b></p>
<p><b>Chapter 6 The Wild World of Windows 111</b></p> <p>How Does Windows Differ from Linux? 111</p> <p>Win32 API and PE-COFF 112</p> <p>Heaps 114</p> <p>Threading 115</p> <p>The Genius and Idiocy of the Distributed Common Object Model and DCE-RPC 116</p> <p>Recon 118</p> <p>Exploitation 120</p> <p>Tokens and Impersonation 120</p> <p>Exception Handling under Win32 122</p> <p>Debugging Windows 124</p> <p>Bugs in Win32 124</p> <p>Writing Windows Shellcode 125</p> <p>A Hacker’s Guide to the Win32 API 126</p> <p>A Windows Family Tree from the Hacker’s Perspective 126</p> <p>Conclusion 127</p>
<p><b>Chapter 7 Windows Shellcode 129</b></p> <p>Syntax and Filters 129</p> <p>Setting Up 131</p> <p>Parsing the PEB 132</p> <p>Heapoverflow.c Analysis 132</p> <p>Searching with Windows Exception Handling 148</p> <p>Popping a Shell 153</p> <p>Why You Should Never Pop a Shell on Windows 153</p> <p>Conclusion 154</p>
<p><b>Chapter 8 Windows Overflows 155</b></p> <p>Stack-Based Buffer Overflows 156</p> <p>Frame-Based Exception Handlers 156</p> <p>Abusing Frame-Based Exception Handling on Windows 2003 Server 161</p> <p>A Final Note about Frame-Based Handler Overwrites 166</p> <p>Stack Protection and Windows 2003 Server 166</p> <p>Heap-Based Buffer Overflows 173</p> <p>The Process Heap 173</p> <p>Dynamic Heaps 173</p> <p>Working with the Heap 173</p> <p>How the Heap Works 174</p> <p>Exploiting Heap-Based Overflows 178</p> <p>Overwrite Pointer to RtlEnterCriticalSection in the PEB 178</p> <p>Overwrite Pointer to Unhandled Exception Filter 185</p> <p>Repairing the Heap 191</p> <p>Other Aspects of Heap-Based Overflows 193</p> <p>Wrapping Up the Heap 194</p> <p>Other Overflows 194</p> <p>.data Section Overflows 194</p> <p>TEB/PEB Overflows 196</p> <p>Exploiting Buffer Overflows and Non-Executable Stacks 197</p> <p>Conclusion 203</p>
<p><b>Chapter 9 Overcoming Filters 205</b></p> <p>Writing Exploits for Use with an Alphanumeric Filter 205</p> <p>Writing Exploits for Use with a Unicode Filter 209</p> <p>What Is Unicode? 210</p> <p>Converting from ASCII to Unicode 210</p> <p>Exploiting Unicode-Based Vulnerabilities 211</p> <p>The Available Instruction Set in Unicode Exploits 212</p> <p>The Venetian Method 213</p> <p>An ASCII Venetian Implementation 214</p> <p>Decoder and Decoding 218</p> <p>The Decoder Code 219</p> <p>Getting a Fix on the Buffer Address 220</p> <p>Conclusion 221</p>
<p><b>Chapter 10 Introduction to Solaris Exploitation 223</b></p> <p>Introduction to the SPARC Architecture 224</p> <p>Registers and Register Windows 224</p> <p>The Delay Slot 227</p> <p>Synthetic Instructions 228</p> <p>Solaris/SPARC Shellcode Basics 228</p> <p>Self-Location Determination and SPARC Shellcode 228</p> <p>Simple SPARC exec Shellcode 229</p> <p>Useful System Calls on Solaris 230</p> <p>NOP and Padding Instructions 231</p> <p>Solaris/SPARC Stack Frame Introduction 231</p> <p>Stack-Based Overflow Methodologies 232</p> <p>Arbitrary Size Overflow 232</p> <p>Register Windows and Stack Overflow Complications 233</p> <p>Other Complicating Factors 233</p> <p>Possible Solutions 234</p> <p>Off-By-One Stack Overflow Vulnerabilities 234</p> <p>Shellcode Locations 235</p> <p>Stack Overflow Exploitation In Action 236</p> <p>The Vulnerable Program 236</p> <p>The Exploit 238</p> <p>Heap-Based Overflows on Solaris/SPARC 241</p> <p>Solaris System V Heap Introduction 242</p> <p>Heap Tree Structure 242</p> <p>Basic Exploit Methodology (t_delete) 263</p> <p>Standard Heap Overflow Limitations 266</p> <p>Targets for Overwrite 267</p> <p>Other Heap-Related Vulnerabilities 270</p> <p>Off-by-One Overflows 270</p> <p>Double Free Vulnerabilities 270</p> <p>Arbitrary Free Vulnerabilities 271</p> <p>Heap Overflow Example 271</p> <p>The Vulnerable Program 272</p> <p>Other Solaris Exploitation Techniques 276</p> <p>Static Data Overflows 276</p> <p>Bypassing the Non-Executable Stack Protection 276</p> <p>Conclusion 277</p>
<p><b>Chapter 11 Advanced Solaris Exploitation 279</b></p> <p>Single Stepping the Dynamic Linker 281</p> <p>Various Style Tricks for Solaris SPARC Heap Overflows 296</p> <p>Advanced Solaris/SPARC Shellcode 299</p> <p>Conclusion 311</p>
<p><b>Chapter 12 OS X Shellcode 313</b></p> <p>OS X Is Just BSD, Right? 314</p> <p>Is OS X Open Source? 314</p> <p>OS X for the Unix-aware 315</p> <p>Password Cracking 316</p> <p>OS X PowerPC Shellcode 316</p> <p>OS X Intel Shellcode 324</p> <p>Example Shellcode 326</p> <p>ret2libc 327</p> <p>ret2str(l)cpy 329</p> <p>OS X Cross-Platform Shellcode 332</p> <p>OS X Heap Exploitation 333</p> <p>Bug Hunting on OS X 335</p> <p>Some Interesting Bugs 335</p> <p>Essential Reading for OS X Exploits 337</p> <p>Conclusion 338</p>
<p><b>Chapter 13 Cisco IOS Exploitation 339</b></p> <p>An Overview of Cisco IOS 339</p> <p>Hardware Platforms 340</p> <p>Software Packages 340</p> <p>IOS System Architecture 343</p> <p>Vulnerabilities in Cisco IOS 346</p> <p>Protocol Parsing Code 347</p> <p>Services on the Router 347</p> <p>Security Features 348</p> <p>The Command-Line Interface 348</p> <p>Reverse Engineering IOS 349</p> <p>Taking the Images Apart 349</p> <p>Diffing IOS Images 350</p> <p>Runtime Analysis 351</p> <p>Exploiting Cisco IOS 357</p> <p>Stack Overflows 357</p> <p>Heap Overflows 359</p> <p>Shellcodes 364</p> <p>Conclusion 373</p>
<p><b>Chapter 14 Protection Mechanisms 375</b></p> <p>Protections 375</p> <p>Non-Executable Stack 376</p> <p>W^X (Either Writable or Executable) Memory 381</p> <p>Stack Data Protection 388</p> <p>AAAS: ASCII Armored Address Space 394</p> <p>ASLR: Address Space Layout Randomization 396</p> <p>Heap Protections 399</p> <p>Windows SEH Protections 407</p> <p>Other Protections 411</p> <p>Implementation Differences 413</p> <p>Windows 413</p> <p>Linux 417</p> <p>OpenBSD 421</p> <p>Mac OS X 422</p> <p>Solaris 423</p> <p>Conclusion 425</p>
<p><b>Part III Vulnerability Discovery</b></p>
<p><b>Chapter 15 Establishing a Working Environment 429</b></p> <p>What You Need for Reference 430</p> <p>What You Need for Code 430</p> <p>gcc 430</p> <p>gdb 430</p> <p>NASM 431</p> <p>WinDbg 431</p> <p>OllyDbg 431</p> <p>Visual C++ 431</p> <p>Python 432</p> <p>What You Need for Investigation 432</p> <p>Useful Custom Scripts/Tools 432</p> <p>All Platforms 434</p> <p>Unix 434</p> <p>Windows 435</p> <p>What You Need to Know 436</p> <p>Paper Archives 438</p> <p>Optimizing Shellcode Development 439</p> <p>Plan the Exploit 439</p> <p>Write the Shellcode in Inline Assembler 439</p> <p>Maintain a Shellcode Library 441</p> <p>Make It Continue Nicely 441</p> <p>Make the Exploit Stable 442</p> <p>Make It Steal the Connection 443</p> <p>Conclusion 443</p>
<p><b>Chapter 16 Fault Injection 445</b></p> <p>Design Overview 447</p> <p>Input Generation 447</p> <p>Fault Injection 450</p> <p>Modification Engines 450</p> <p>Fault Delivery 455</p> <p>Nagle Algorithm 455</p> <p>Timing 455</p> <p>Heuristics 456</p> <p>Stateless versus State-Based Protocols 456</p> <p>Fault Monitoring 456</p> <p>Using a Debugger 457</p> <p>FaultMon 457</p> <p>Putting It Together 458</p> <p>Conclusion 459</p>
<p><b>Chapter 17 The Art of Fuzzing 461</b></p> <p>General Theory of Fuzzing 461</p> <p>Static Analysis versus Fuzzing 466</p> <p>Fuzzing Is Scalable 466</p> <p>Weaknesses in Fuzzers 468</p> <p>Modeling Arbitrary Network Protocols 469</p> <p>Other Fuzzer Possibilities 469</p> <p>Bit Flipping 469</p> <p>Modifying Open Source Programs 470</p> <p>Fuzzing with Dynamic Analysis 470</p> <p>Spike 471</p> <p>What Is a Spike? 471</p> <p>Why Use the SPIKE Data Structure to Model Network Protocols? 472</p> <p>Other Fuzzers 480</p> <p>Conclusion 480</p>
<p><b>Chapter 18 Source Code Auditing: Finding Vulnerabilities in C-Based Languages 481</b></p> <p>Tools 482</p> <p>Cscope 482</p> <p>Ctags 483</p> <p>Editors 483</p> <p>Cbrowser 484</p> <p>Automated Source Code Analysis Tools 484</p> <p>Methodology 485</p> <p>Top-Down (Specific) Approach 485</p> <p>Bottom-Up Approach 485</p> <p>Selective Approach 485</p> <p>Vulnerability Classes 486</p> <p>Generic Logic Errors 486</p> <p>(Almost) Extinct Bug Classes 487</p> <p>Format Strings 487</p> <p>Generic Incorrect Bounds-Checking 489</p> <p>Loop Constructs 490</p> <p>Off-by-One Vulnerabilities 490</p> <p>Non-Null Termination Issues 492</p> <p>Skipping Null-Termination Issues 493</p> <p>Signed Comparison Vulnerabilities 494</p> <p>Integer-Related Vulnerabilities 495</p> <p>Different-Sized Integer Conversions 497</p> <p>Double Free Vulnerabilities 498</p> <p>Out-of-Scope Memory Usage Vulnerabilities 499</p> <p>Uninitialized Variable Usage 499</p> <p>Use After Free Vulnerabilities 500</p> <p>Multithreaded Issues and Re-Entrant Safe Code 500</p> <p>Beyond Recognition: A Real Vulnerability versus a Bug 501</p> <p>Conclusion 501</p>
<p><b>Chapter 19 Instrumented Investigation: A Manual Approach 503</b></p> <p>Philosophy 503</p> <p>Oracle extproc Overflow 504</p> <p>Common Architectural Failures 508</p> <p>Problems Happen at Boundaries 508</p> <p>Problems Happen When Data Is Translated 509</p> <p>Problems Cluster in Areas of Asymmetry 511</p> <p>Problems Occur When Authentication and Authorization Are Confused 512</p> <p>Problems Occur in the Dumbest Places 512</p> <p>Bypassing Input Validation and Attack Detection 513</p> <p>Stripping Bad Data 513</p> <p>Using Alternate Encodings 514</p> <p>Using File-Handling Features 515</p> <p>Evading Attack Signatures 517</p> <p>Defeating Length Limitations 517</p> <p>Windows 2000 SNMP DOS 520</p> <p>Finding DOS Attacks 521</p> <p>SQL-UDP 522</p> <p>Conclusion 523</p>
<p><b>Chapter 20 Tracing for Vulnerabilities 525</b></p> <p>Overview 526</p> <p>A Vulnerable Program 527</p> <p>Component Design 529</p> <p>Building VulnTrace 538</p> <p>Using VulnTrace 543</p> <p>Advanced Techniques 546</p> <p>Conclusion 548</p>
<p><b>Chapter 21 Binary Auditing: Hacking Closed Source Software 549</b></p> <p>Binary versus Source-Code Auditing: The Obvious Differences 550</p> <p>IDA Pro—The Tool of the Trade 550</p> <p>Features: A Quick Crash Course 551</p> <p>Debugging Symbols 552</p> <p>Binary Auditing Introduction 552</p> <p>Stack Frames 552</p> <p>Calling Conventions 554</p> <p>Compiler-Generated Code 556</p> <p>memcpy-Like Code Constructs 560</p> <p>strlen-Like Code Constructs 560</p> <p>C++ Code Constructs 561</p> <p>The this Pointer 561</p> <p>Reconstructing Class Definitions 562</p> <p>vtables 562</p> <p>Quick but Useful Tidbits 563</p> <p>Manual Binary Analysis 563</p> <p>Quick Examination of Library Calls 564</p> <p>Suspicious Loops and Write Instructions 564</p> <p>Higher-Level Understanding and Logic Bugs 565</p> <p>Graphical Analysis of Binaries 566</p> <p>Manual Decompilation 566</p> <p>Binary Vulnerability Examples 566</p> <p>Microsoft SQL Server Bugs 566</p> <p>LSD’s RPC-DCOM Vulnerability 567</p> <p>IIS WebDAV Vulnerability 568</p> <p>Conclusion 570</p>
<p><b>Part IV Advanced Materials</b></p>
<p><b>Chapter 22 Alternative Payload Strategies 573</b></p> <p>Modifying the Program 574</p> <p>The SQL Server 3-Byte Patch 575</p> <p>The MySQL 1-Bit Patch 578</p> <p>OpenSSH RSA Authentication Patch 580</p> <p>Other Runtime Patching Ideas 581</p> <p>GPG 1.2.2 Randomness Patch 583</p> <p>Upload and Run (or Proglet Server) 584</p> <p>Syscall Proxies 584</p> <p>Problems with Syscall Proxies 587</p> <p>Conclusion 596</p>
<p><b>Chapter 23 Writing Exploits that Work in the Wild 597</b></p> <p>Factors in Unreliability 597</p> <p>Magic Numbers 597</p> <p>Versioning 598</p> <p>Shellcode Problems 599</p> <p>Countermeasures 601</p> <p>Preparation 602</p> <p>Brute Forcing 602</p> <p>Local Exploits 603</p> <p>OS/Application Fingerprinting 603</p> <p>Information Leaks 605</p> <p>Conclusion 606</p>
<p><b>Chapter 24 Attacking Database Software 607</b></p> <p>Network Layer Attacks 608</p> <p>Application Layer Attacks 618</p> <p>Running Operating System Commands 619</p> <p>Microsoft SQL Server 619</p> <p>Oracle 620</p> <p>IBM DB2 621</p> <p>Exploiting Overruns at the SQL Level 623</p> <p>SQL Functions 623</p> <p>Conclusion 625</p>
<p><b>Chapter 25 Unix Kernel Overflows 627</b></p> <p>Kernel Vulnerability Types 627</p> <p>0day Kernel Vulnerabilities 636</p> <p>OpenBSD exec_ibcs2_coff_prep_zmagic() Stack Overflow 636</p> <p>The Vulnerability 638</p> <p>Solaris vfs_getvfssw() Loadable Kernel Module Traversal Vulnerability 642</p> <p>The sysfs() System Call 644</p> <p>The mount() System Call 645</p> <p>Conclusion 646</p>
<p><b>Chapter 26 Exploiting Unix Kernel Vulnerabilities 647</b></p> <p>The exec_ibcs2_coff_prep_zmagic() Vulnerability 647</p> <p>Calculating Offsets and Breakpoints 652</p> <p>Overwriting the Return Address and Redirecting Execution 654</p> <p>Locating the Process Descriptor (or the Proc Structure) 655</p> <p>Kernel Mode Payload Creation 658</p> <p>Returning Back from Kernel Payload 659</p> <p>Getting root (uid=0) 665</p> <p>Solaris vfs_getvfssw() Loadable Kernel Module Path Traversal Exploit 672</p> <p>Crafting the Exploit 673</p> <p>The Kernel Module to Load 674</p> <p>Getting root (uid=0) 678</p> <p>Conclusion 678</p>
<p><b>Chapter 27 Hacking the Windows Kernel 681</b></p> <p>Windows Kernel Mode Flaws—An Increasingly Hunted Species 681</p> <p>Introduction to the Windows Kernel 682</p> <p>Common Kernel-Mode Programming Flaws 683</p> <p>Stack Overflows 684</p> <p>Heap Overflows 688</p> <p>Insufficient Validation of User-Mode Addresses 688</p> <p>Repurposing Attacks 689</p> <p>Shared Object Attacks 689</p> <p>Windows System Calls 690</p> <p>Understanding System Calls 690</p> <p>Attacking System Calls 692</p> <p>Communicating with Device Drivers 693</p> <p>I/O Control Code Components 693</p> <p>Finding Flaws in IOCTL Handlers 694</p> <p>Kernel-Mode Payloads 695</p> <p>Elevating a User-Mode Process 696</p> <p>Running an Arbitrary User-Mode Payload 699</p> <p>Subverting Kernel Security 701</p> <p>Installing a Rootkit 703</p> <p>Essential Reading for Kernel Shellcoders 703</p> <p>Conclusion 704</p>
<p>Index 705</p>
<p><b>Chris Anley</b> is a founder and director of NGSSoftware, a security software, consultancy, and research company based in London, England. He is actively involved in vulnerability research and has discovered security flaws in a wide variety of platforms including Microsoft Windows, Oracle, SQL Server, IBM DB2, Sybase ASE, MySQL, and PGP.</p> <p><b>John Heasman</b> is the Director of Research at NGSSoftware. He is a prolific security researcher and has published many security advisories in enterprise-level software. He has a particular interest in rootkits and has authored papers on malware persistence via device firmware and the BIOS. He is also a co-author of <i>The Database Hacker’s Handbook: Defending Database Servers</i> (Wiley 2005).</p> <p><b>Felix “FX” Lindner</b> leads SABRE Labs GmbH, a Berlin-based professional consulting company specializing in security analysis, system design creation, and verification work. Felix looks back on 18 years of programming and over a decade of computer security consulting for enterprise, carrier, and software vendor clients. This experience allows him to rapidly dive into complex systems and evaluate them from a security and robustness point of view, even in atypical scenarios and on arcane platforms. In his spare time, FX works with his friends from the Phenoelit hacking group on different topics, which have included Cisco IOS, SAP, HP printers, and RIM BlackBerry in the past.</p> <p><b>Gerardo Richarte</b> has been doing reverse engineering and exploit development for more than 15 years non-stop. In the past 10 years he helped build the technical arm of Core Security Technologies, where he works today. His current duties include developing exploits for Core IMPACT, researching new exploitation techniques and other low-level subjects, helping other exploit writers when things get hairy, and teaching internal and external classes on assembly and exploit writing. As a result of his research, and as a humble thank-you to the community, he has published technical papers and open source projects, presented at a few conferences, and released part of his training material. He really enjoys solving tough problems and reverse engineering any piece of code that falls within his reach, just for the fun of it.</p>
<b>The black hats have kept up with security enhancements. Have you?</b> <p>In the technological arena, three years is a lifetime. Since the first edition of this book was published in 2004, built-in security measures on compilers and operating systems have become commonplace, but are still far from perfect. Arbitrary-code execution vulnerabilities still allow attackers to run code of their choice on your system—with disastrous results.</p> <p>In a nutshell, this book is about code and data and what happens when the two become confused. You'll work with the basic building blocks of security bugs—assembler, source code, the stack, the heap, and so on. You'll experiment, explore, and understand the systems you're running—and how to better protect them.</p> <ul> <li>Become familiar with security holes in Windows, Linux, Solaris, Mac OS X, and Cisco's IOS</li> <li> <p>Learn how to write customized tools to protect your systems, not just how to use ready-made ones</p> </li> <li> <p>Use a working exploit to verify your assessment when auditing a network</p> </li> <li> <p>Use proof-of-concept exploits to rate the significance of bugs in software you're developing</p> </li> <li> <p>Assess the quality of purchased security products by performing penetration tests based on the information in this book</p> </li> <li> <p>Understand how bugs are found and how exploits work at the lowest level</p> </li> </ul>
