{"product_id":"the-shellcoders-handbook-isbn-9780470080238","title":"The Shellcoder's Handbook","description":"\u003cul\u003e \u003cli\u003eThis much-anticipated revision, written by the ultimate group of top security experts in the world, features 40 percent new content on how to find security holes in any operating system or application\u003c\/li\u003e \u003cli\u003eNew material addresses the many new exploitation techniques that have been discovered since the first edition, including attacking \"unbreakable\" software packages such as McAfee's Entercept, Mac OS X, XP, Office 2003, and Vista\u003c\/li\u003e \u003cli\u003eAlso features the first-ever published information on exploiting Cisco's IOS, with content that has never before been explored\u003c\/li\u003e \u003cli\u003eThe companion Web site features downloadable code files\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003eAbout the Authors vii\u003c\/p\u003e \u003cp\u003eAcknowledgments xi\u003c\/p\u003e \u003cp\u003eIntroduction to the Second Edition xxiii\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart I Introduction to Exploitation: Linux on x86\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 1 Before You Begin 3\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eBasic Concepts 3\u003c\/p\u003e \u003cp\u003eMemory Management 4\u003c\/p\u003e \u003cp\u003eAssembly 6\u003c\/p\u003e \u003cp\u003eRecognizing C and C++ Code Constructs in Assembly 7\u003c\/p\u003e \u003cp\u003eConclusion 10\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 2 Stack Overflows 11\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eBuffers 12\u003c\/p\u003e \u003cp\u003eThe Stack 13\u003c\/p\u003e \u003cp\u003eFunctions and the Stack 15\u003c\/p\u003e \u003cp\u003eOverflowing Buffers on the Stack 18\u003c\/p\u003e \u003cp\u003eControlling EIP 22\u003c\/p\u003e \u003cp\u003eAn Interesting Diversion 23\u003c\/p\u003e \u003cp\u003eUsing an Exploit to Get Root Privileges 25\u003c\/p\u003e \u003cp\u003eThe Address Problem 27\u003c\/p\u003e 
\u003cp\u003eThe NOP Method 33\u003c\/p\u003e \u003cp\u003eDefeating a Non-Executable Stack 35\u003c\/p\u003e \u003cp\u003eReturn to libc 35\u003c\/p\u003e \u003cp\u003eConclusion 39\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 3 Shellcode 41\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eUnderstanding System Calls 42\u003c\/p\u003e \u003cp\u003eWriting Shellcode for the exit() Syscall 44\u003c\/p\u003e \u003cp\u003eInjectable Shellcode 48\u003c\/p\u003e \u003cp\u003eSpawning a Shell 50\u003c\/p\u003e \u003cp\u003eConclusion 59\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 4 Introduction to Format String Bugs 61\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003ePrerequisites 61\u003c\/p\u003e \u003cp\u003eWhat Is a Format String? 61\u003c\/p\u003e \u003cp\u003eWhat Is a Format String Bug? 63\u003c\/p\u003e \u003cp\u003eFormat String Exploits 68\u003c\/p\u003e \u003cp\u003eCrashing Services 69\u003c\/p\u003e \u003cp\u003eInformation Leakage 70\u003c\/p\u003e \u003cp\u003eControlling Execution for Exploitation 75\u003c\/p\u003e \u003cp\u003eWhy Did This Happen? 84\u003c\/p\u003e \u003cp\u003eFormat String Technique Roundup 85\u003c\/p\u003e \u003cp\u003eConclusion 88\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 5 Introduction to Heap Overflows 89\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWhat Is a Heap? 90\u003c\/p\u003e \u003cp\u003eHow a Heap Works 91\u003c\/p\u003e \u003cp\u003eFinding Heap Overflows 91\u003c\/p\u003e \u003cp\u003eBasic Heap Overflows 93\u003c\/p\u003e \u003cp\u003eIntermediate Heap Overflows 98\u003c\/p\u003e \u003cp\u003eAdvanced Heap Overflow Exploitation 105\u003c\/p\u003e \u003cp\u003eConclusion 107\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart II Other Platforms—Windows, Solaris, OS\/X, and Cisco\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 6 The Wild World of Windows 111\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eHow Does Windows Differ from Linux? 
111\u003c\/p\u003e \u003cp\u003eWin32 API and PE-COFF 112\u003c\/p\u003e \u003cp\u003eHeaps 114\u003c\/p\u003e \u003cp\u003eThreading 115\u003c\/p\u003e \u003cp\u003eThe Genius and Idiocy of the Distributed Common Object Model and DCE-RPC 116\u003c\/p\u003e \u003cp\u003eRecon 118\u003c\/p\u003e \u003cp\u003eExploitation 120\u003c\/p\u003e \u003cp\u003eTokens and Impersonation 120\u003c\/p\u003e \u003cp\u003eException Handling under Win32 122\u003c\/p\u003e \u003cp\u003eDebugging Windows 124\u003c\/p\u003e \u003cp\u003eBugs in Win32 124\u003c\/p\u003e \u003cp\u003eWriting Windows Shellcode 125\u003c\/p\u003e \u003cp\u003eA Hacker’s Guide to the Win32 API 126\u003c\/p\u003e \u003cp\u003eA Windows Family Tree from the Hacker’s Perspective 126\u003c\/p\u003e \u003cp\u003eConclusion 127\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 7 Windows Shellcode 129\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eSyntax and Filters 129\u003c\/p\u003e \u003cp\u003eSetting Up 131\u003c\/p\u003e \u003cp\u003eParsing the PEB 132\u003c\/p\u003e \u003cp\u003eHeapoverflow.c Analysis 132\u003c\/p\u003e \u003cp\u003eSearching with Windows Exception Handling 148\u003c\/p\u003e \u003cp\u003ePopping a Shell 153\u003c\/p\u003e \u003cp\u003eWhy You Should Never Pop a Shell on Windows 153\u003c\/p\u003e \u003cp\u003eConclusion 154\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 8 Windows Overflows 155\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eStack-Based Buffer Overflows 156\u003c\/p\u003e \u003cp\u003eFrame-Based Exception Handlers 156\u003c\/p\u003e \u003cp\u003eAbusing Frame-Based Exception Handling on Windows 2003 Server 161\u003c\/p\u003e \u003cp\u003eA Final Note about Frame-Based Handler Overwrites 166\u003c\/p\u003e \u003cp\u003eStack Protection and Windows 2003 Server 166\u003c\/p\u003e \u003cp\u003eHeap-Based Buffer Overflows 173\u003c\/p\u003e \u003cp\u003eThe Process Heap 173\u003c\/p\u003e \u003cp\u003eDynamic Heaps 173\u003c\/p\u003e \u003cp\u003eWorking with the Heap 
173\u003c\/p\u003e \u003cp\u003eHow the Heap Works 174\u003c\/p\u003e \u003cp\u003eExploiting Heap-Based Overflows 178\u003c\/p\u003e \u003cp\u003eOverwrite Pointer to RtlEnterCriticalSection in the PEB 178\u003c\/p\u003e \u003cp\u003eOverwrite Pointer to Unhandled Exception Filter 185\u003c\/p\u003e \u003cp\u003eRepairing the Heap 191\u003c\/p\u003e \u003cp\u003eOther Aspects of Heap-Based Overflows 193\u003c\/p\u003e \u003cp\u003eWrapping Up the Heap 194\u003c\/p\u003e \u003cp\u003eOther Overflows 194\u003c\/p\u003e \u003cp\u003e.data Section Overflows 194\u003c\/p\u003e \u003cp\u003eTEB\/PEB Overflows 196\u003c\/p\u003e \u003cp\u003eExploiting Buffer Overflows and Non-Executable Stacks 197\u003c\/p\u003e \u003cp\u003eConclusion 203\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 9 Overcoming Filters 205\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWriting Exploits for Use with an Alphanumeric Filter 205\u003c\/p\u003e \u003cp\u003eWriting Exploits for Use with a Unicode Filter 209\u003c\/p\u003e \u003cp\u003eWhat Is Unicode? 
210\u003c\/p\u003e \u003cp\u003eConverting from ASCII to Unicode 210\u003c\/p\u003e \u003cp\u003eExploiting Unicode-Based Vulnerabilities 211\u003c\/p\u003e \u003cp\u003eThe Available Instruction Set in Unicode Exploits 212\u003c\/p\u003e \u003cp\u003eThe Venetian Method 213\u003c\/p\u003e \u003cp\u003eAn ASCII Venetian Implementation 214\u003c\/p\u003e \u003cp\u003eDecoder and Decoding 218\u003c\/p\u003e \u003cp\u003eThe Decoder Code 219\u003c\/p\u003e \u003cp\u003eGetting a Fix on the Buffer Address 220\u003c\/p\u003e \u003cp\u003eConclusion 221\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 10 Introduction to Solaris Exploitation 223\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eIntroduction to the SPARC Architecture 224\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRegisters and Register Windows 224\u003c\/p\u003e \u003cp\u003eThe Delay Slot 227\u003c\/p\u003e \u003cp\u003eSynthetic Instructions 228\u003c\/p\u003e \u003cp\u003eSolaris\/SPARC Shellcode Basics 228\u003c\/p\u003e \u003cp\u003eSelf-Location Determination and SPARC Shellcode 228\u003c\/p\u003e \u003cp\u003eSimple SPARC exec Shellcode 229\u003c\/p\u003e \u003cp\u003eUseful System Calls on Solaris 230\u003c\/p\u003e \u003cp\u003eNOP and Padding Instructions 231\u003c\/p\u003e \u003cp\u003eSolaris\/SPARC Stack Frame Introduction 231\u003c\/p\u003e \u003cp\u003eStack-Based Overflow Methodologies 232\u003c\/p\u003e \u003cp\u003eArbitrary Size Overflow 232\u003c\/p\u003e \u003cp\u003eRegister Windows and Stack Overflow Complications 233\u003c\/p\u003e \u003cp\u003eOther Complicating Factors 233\u003c\/p\u003e \u003cp\u003ePossible Solutions 234\u003c\/p\u003e \u003cp\u003eOff-By-One Stack Overflow Vulnerabilities 234\u003c\/p\u003e \u003cp\u003eShellcode Locations 235\u003c\/p\u003e \u003cp\u003eStack Overflow Exploitation In Action 236\u003c\/p\u003e \u003cp\u003eThe Vulnerable Program 236\u003c\/p\u003e \u003cp\u003eThe Exploit 238\u003c\/p\u003e \u003cp\u003eHeap-Based Overflows on 
Solaris\/SPARC 241\u003c\/p\u003e \u003cp\u003eSolaris System V Heap Introduction 242\u003c\/p\u003e \u003cp\u003eHeap Tree Structure 242\u003c\/p\u003e \u003cp\u003eBasic Exploit Methodology (t_delete) 263\u003c\/p\u003e \u003cp\u003eStandard Heap Overflow Limitations 266\u003c\/p\u003e \u003cp\u003eTargets for Overwrite 267\u003c\/p\u003e \u003cp\u003eOther Heap-Related Vulnerabilities 270\u003c\/p\u003e \u003cp\u003eOff-by-One Overflows 270\u003c\/p\u003e \u003cp\u003eDouble Free Vulnerabilities 270\u003c\/p\u003e \u003cp\u003eArbitrary Free Vulnerabilities 271\u003c\/p\u003e \u003cp\u003eHeap Overflow Example 271\u003c\/p\u003e \u003cp\u003eThe Vulnerable Program 272\u003c\/p\u003e \u003cp\u003eOther Solaris Exploitation Techniques 276\u003c\/p\u003e \u003cp\u003eStatic Data Overflows 276\u003c\/p\u003e \u003cp\u003eBypassing the Non-Executable Stack Protection 276\u003c\/p\u003e \u003cp\u003eConclusion 277\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 11 Advanced Solaris Exploitation 279\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eSingle Stepping the Dynamic Linker 281\u003c\/p\u003e \u003cp\u003eVarious Style Tricks for Solaris SPARC Heap Overflows 296\u003c\/p\u003e \u003cp\u003eAdvanced Solaris\/SPARC Shellcode 299\u003c\/p\u003e \u003cp\u003eConclusion 311\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 12 OS X Shellcode 313\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eOS X Is Just BSD, Right? 314\u003c\/p\u003e \u003cp\u003eIs OS X Open Source? 
314\u003c\/p\u003e \u003cp\u003eOS X for the Unix-aware 315\u003c\/p\u003e \u003cp\u003ePassword Cracking 316\u003c\/p\u003e \u003cp\u003eOS X PowerPC Shellcode 316\u003c\/p\u003e \u003cp\u003eOS X Intel Shellcode 324\u003c\/p\u003e \u003cp\u003eExample Shellcode 326\u003c\/p\u003e \u003cp\u003eret2libc 327\u003c\/p\u003e \u003cp\u003eret2str(l)cpy 329\u003c\/p\u003e \u003cp\u003eOS X Cross-Platform Shellcode 332\u003c\/p\u003e \u003cp\u003eOS X Heap Exploitation 333\u003c\/p\u003e \u003cp\u003eBug Hunting on OS X 335\u003c\/p\u003e \u003cp\u003eSome Interesting Bugs 335\u003c\/p\u003e \u003cp\u003eEssential Reading for OS X Exploits 337\u003c\/p\u003e \u003cp\u003eConclusion 338\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 13 Cisco IOS Exploitation 339\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eAn Overview of Cisco IOS 339\u003c\/p\u003e \u003cp\u003eHardware Platforms 340\u003c\/p\u003e \u003cp\u003eSoftware Packages 340\u003c\/p\u003e \u003cp\u003eIOS System Architecture 343\u003c\/p\u003e \u003cp\u003eVulnerabilities in Cisco IOS 346\u003c\/p\u003e \u003cp\u003eProtocol Parsing Code 347\u003c\/p\u003e \u003cp\u003eServices on the Router 347\u003c\/p\u003e \u003cp\u003eSecurity Features 348\u003c\/p\u003e \u003cp\u003eThe Command-Line Interface 348\u003c\/p\u003e \u003cp\u003eReverse Engineering IOS 349\u003c\/p\u003e \u003cp\u003eTaking the Images Apart 349\u003c\/p\u003e \u003cp\u003eDiffing IOS Images 350\u003c\/p\u003e \u003cp\u003eRuntime Analysis 351\u003c\/p\u003e \u003cp\u003eExploiting Cisco IOS 357\u003c\/p\u003e \u003cp\u003eStack Overflows 357\u003c\/p\u003e \u003cp\u003eHeap Overflows 359\u003c\/p\u003e \u003cp\u003eShellcodes 364\u003c\/p\u003e \u003cp\u003eConclusion 373\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 14 Protection Mechanisms 375\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eProtections 375\u003c\/p\u003e \u003cp\u003eNon-Executable Stack 376\u003c\/p\u003e \u003cp\u003eW^X (Either Writable or Executable) Memory 
381\u003c\/p\u003e \u003cp\u003eStack Data Protection 388\u003c\/p\u003e \u003cp\u003eAAAS: ASCII Armored Address Space 394\u003c\/p\u003e \u003cp\u003eASLR: Address Space Layout Randomization 396\u003c\/p\u003e \u003cp\u003eHeap Protections 399\u003c\/p\u003e \u003cp\u003eWindows SEH Protections 407\u003c\/p\u003e \u003cp\u003eOther Protections 411\u003c\/p\u003e \u003cp\u003eImplementation Differences 413\u003c\/p\u003e \u003cp\u003eWindows 413\u003c\/p\u003e \u003cp\u003eLinux 417\u003c\/p\u003e \u003cp\u003eOpenBSD 421\u003c\/p\u003e \u003cp\u003eMac OS X 422\u003c\/p\u003e \u003cp\u003eSolaris 423\u003c\/p\u003e \u003cp\u003eConclusion 425\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart III Vulnerability Discovery\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 15 Establishing a Working Environment 429\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWhat You Need for Reference 430\u003c\/p\u003e \u003cp\u003eWhat You Need for Code 430\u003c\/p\u003e \u003cp\u003egcc 430\u003c\/p\u003e \u003cp\u003egdb 430\u003c\/p\u003e \u003cp\u003eNASM 431\u003c\/p\u003e \u003cp\u003eWinDbg 431\u003c\/p\u003e \u003cp\u003eOllyDbg 431\u003c\/p\u003e \u003cp\u003eVisual C++ 431\u003c\/p\u003e \u003cp\u003ePython 432\u003c\/p\u003e \u003cp\u003eWhat You Need for Investigation 432\u003c\/p\u003e \u003cp\u003eUseful Custom Scripts\/Tools 432\u003c\/p\u003e \u003cp\u003eAll Platforms 434\u003c\/p\u003e \u003cp\u003eUnix 434\u003c\/p\u003e \u003cp\u003eWindows 435\u003c\/p\u003e \u003cp\u003eWhat You Need to Know 436\u003c\/p\u003e \u003cp\u003ePaper Archives 438\u003c\/p\u003e \u003cp\u003eOptimizing Shellcode Development 439\u003c\/p\u003e \u003cp\u003ePlan the Exploit 439\u003c\/p\u003e \u003cp\u003eWrite the Shellcode in Inline Assembler 439\u003c\/p\u003e \u003cp\u003eMaintain a Shellcode Library 441\u003c\/p\u003e \u003cp\u003eMake It Continue Nicely 441\u003c\/p\u003e \u003cp\u003eMake the Exploit Stable 442\u003c\/p\u003e \u003cp\u003eMake It Steal the Connection 
443\u003c\/p\u003e \u003cp\u003eConclusion 443\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 16 Fault Injection 445\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eDesign Overview 447\u003c\/p\u003e \u003cp\u003eInput Generation 447\u003c\/p\u003e \u003cp\u003eFault Injection 450\u003c\/p\u003e \u003cp\u003eModification Engines 450\u003c\/p\u003e \u003cp\u003eFault Delivery 455\u003c\/p\u003e \u003cp\u003eNagel Algorithm 455\u003c\/p\u003e \u003cp\u003eTiming 455\u003c\/p\u003e \u003cp\u003eHeuristics 456\u003c\/p\u003e \u003cp\u003eStateless versus State-Based Protocols 456\u003c\/p\u003e \u003cp\u003eFault Monitoring 456\u003c\/p\u003e \u003cp\u003eUsing a Debugger 457\u003c\/p\u003e \u003cp\u003eFaultMon 457\u003c\/p\u003e \u003cp\u003ePutting It Together 458\u003c\/p\u003e \u003cp\u003eConclusion 459\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 17 The Art of Fuzzing 461\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eGeneral Theory of Fuzzing 461\u003c\/p\u003e \u003cp\u003eStatic Analysis versus Fuzzing 466\u003c\/p\u003e \u003cp\u003eFuzzing Is Scalable 466\u003c\/p\u003e \u003cp\u003eWeaknesses in Fuzzers 468\u003c\/p\u003e \u003cp\u003eModeling Arbitrary Network Protocols 469\u003c\/p\u003e \u003cp\u003eOther Fuzzer Possibilities 469\u003c\/p\u003e \u003cp\u003eBit Flipping 469\u003c\/p\u003e \u003cp\u003eModifying Open Source Programs 470\u003c\/p\u003e \u003cp\u003eFuzzing with Dynamic Analysis 470\u003c\/p\u003e \u003cp\u003eSpike 471\u003c\/p\u003e \u003cp\u003eWhat Is a Spike? 471\u003c\/p\u003e \u003cp\u003eWhy Use the SPIKE Data Structure to Model Network Protocols? 
472\u003c\/p\u003e \u003cp\u003eOther Fuzzers 480\u003c\/p\u003e \u003cp\u003eConclusion 480\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 18 Source Code Auditing: Finding Vulnerabilities in C-Based Languages 481\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eTools 482\u003c\/p\u003e \u003cp\u003eCscope 482\u003c\/p\u003e \u003cp\u003eCtags 483\u003c\/p\u003e \u003cp\u003eEditors 483\u003c\/p\u003e \u003cp\u003eCbrowser 484\u003c\/p\u003e \u003cp\u003eAutomated Source Code Analysis Tools 484\u003c\/p\u003e \u003cp\u003eMethodology 485\u003c\/p\u003e \u003cp\u003eTop-Down (Specific) Approach 485\u003c\/p\u003e \u003cp\u003eBottom-Up Approach 485\u003c\/p\u003e \u003cp\u003eSelective Approach 485\u003c\/p\u003e \u003cp\u003eVulnerability Classes 486\u003c\/p\u003e \u003cp\u003eGeneric Logic Errors 486\u003c\/p\u003e \u003cp\u003e(Almost) Extinct Bug Classes 487\u003c\/p\u003e \u003cp\u003eFormat Strings 487\u003c\/p\u003e \u003cp\u003eGeneric Incorrect Bounds-Checking 489\u003c\/p\u003e \u003cp\u003eLoop Constructs 490\u003c\/p\u003e \u003cp\u003eOff-by-One Vulnerabilities 490\u003c\/p\u003e \u003cp\u003eNon-Null Termination Issues 492\u003c\/p\u003e \u003cp\u003eSkipping Null-Termination Issues 493\u003c\/p\u003e \u003cp\u003eSigned Comparison Vulnerabilities 494\u003c\/p\u003e \u003cp\u003eInteger-Related Vulnerabilities 495\u003c\/p\u003e \u003cp\u003eDifferent-Sized Integer Conversions 497\u003c\/p\u003e \u003cp\u003eDouble Free Vulnerabilities 498\u003c\/p\u003e \u003cp\u003eOut-of-Scope Memory Usage Vulnerabilities 499\u003c\/p\u003e \u003cp\u003eUninitialized Variable Usage 499\u003c\/p\u003e \u003cp\u003eUse After Free Vulnerabilities 500\u003c\/p\u003e \u003cp\u003eMultithreaded Issues and Re-Entrant Safe Code 500\u003c\/p\u003e \u003cp\u003eBeyond Recognition: A Real Vulnerability versus a Bug 501\u003c\/p\u003e \u003cp\u003eConclusion 501\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 19 Instrumented Investigation: A Manual Approach 
503\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003ePhilosophy 503\u003c\/p\u003e \u003cp\u003eOracle extproc Overflow 504\u003c\/p\u003e \u003cp\u003eCommon Architectural Failures 508\u003c\/p\u003e \u003cp\u003eProblems Happen at Boundaries 508\u003c\/p\u003e \u003cp\u003eProblems Happen When Data Is Translated 509\u003c\/p\u003e \u003cp\u003eProblems Cluster in Areas of Asymmetry 511\u003c\/p\u003e \u003cp\u003eProblems Occur When Authentication and Authorization Are Confused 512\u003c\/p\u003e \u003cp\u003eProblems Occur in the Dumbest Places 512\u003c\/p\u003e \u003cp\u003eBypassing Input Validation and Attack Detection 513\u003c\/p\u003e \u003cp\u003eStripping Bad Data 513\u003c\/p\u003e \u003cp\u003eUsing Alternate Encodings 514\u003c\/p\u003e \u003cp\u003eUsing File-Handling Features 515\u003c\/p\u003e \u003cp\u003eEvading Attack Signatures 517\u003c\/p\u003e \u003cp\u003eDefeating Length Limitations 517\u003c\/p\u003e \u003cp\u003eWindows 2000 SNMP DOS 520\u003c\/p\u003e \u003cp\u003eFinding DOS Attacks 521\u003c\/p\u003e \u003cp\u003eSQL-UDP 522\u003c\/p\u003e \u003cp\u003eConclusion 523\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 20 Tracing for Vulnerabilities 525\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eOverview 526\u003c\/p\u003e \u003cp\u003eA Vulnerable Program 527\u003c\/p\u003e \u003cp\u003eComponent Design 529\u003c\/p\u003e \u003cp\u003eBuilding VulnTrace 538\u003c\/p\u003e \u003cp\u003eUsing VulnTrace 543\u003c\/p\u003e \u003cp\u003eAdvanced Techniques 546\u003c\/p\u003e \u003cp\u003eConclusion 548\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 21 Binary Auditing: Hacking Closed Source Software 549\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eBinary versus Source-Code Auditing: The Obvious Differences 550\u003c\/p\u003e \u003cp\u003eIDA Pro—The Tool of the Trade 550\u003c\/p\u003e \u003cp\u003eFeatures: A Quick Crash Course 551\u003c\/p\u003e \u003cp\u003eDebugging Symbols 552\u003c\/p\u003e \u003cp\u003eBinary Auditing Introduction 
552\u003c\/p\u003e \u003cp\u003eStack Frames 552\u003c\/p\u003e \u003cp\u003eCalling Conventions 554\u003c\/p\u003e \u003cp\u003eCompiler-Generated Code 556\u003c\/p\u003e \u003cp\u003ememcpy-Like Code Constructs 560\u003c\/p\u003e \u003cp\u003estrlen-Like Code Constructs 560\u003c\/p\u003e \u003cp\u003eC++ Code Constructs 561\u003c\/p\u003e \u003cp\u003eThe this Pointer 561\u003c\/p\u003e \u003cp\u003eReconstructing Class Definitions 562\u003c\/p\u003e \u003cp\u003evtables 562\u003c\/p\u003e \u003cp\u003eQuick but Useful Tidbits 563\u003c\/p\u003e \u003cp\u003eManual Binary Analysis 563\u003c\/p\u003e \u003cp\u003eQuick Examination of Library Calls 564\u003c\/p\u003e \u003cp\u003eSuspicious Loops and Write Instructions 564\u003c\/p\u003e \u003cp\u003eHigher-Level Understanding and Logic Bugs 565\u003c\/p\u003e \u003cp\u003eGraphical Analysis of Binaries 566\u003c\/p\u003e \u003cp\u003eManual Decompilation 566\u003c\/p\u003e \u003cp\u003eBinary Vulnerability Examples 566\u003c\/p\u003e \u003cp\u003eMicrosoft SQL Server Bugs 566\u003c\/p\u003e \u003cp\u003eLSD’s RPC-DCOM Vulnerability 567\u003c\/p\u003e \u003cp\u003eIIS WebDAV Vulnerability 568\u003c\/p\u003e \u003cp\u003eConclusion 570\u003c\/p\u003e \u003cp\u003e\u003cb\u003ePart IV Advanced Materials\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 22 Alternative Payload Strategies 573\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eModifying the Program 574\u003c\/p\u003e \u003cp\u003eThe SQL Server 3-Byte Patch 575\u003c\/p\u003e \u003cp\u003eThe MySQL 1-Bit Patch 578\u003c\/p\u003e \u003cp\u003eOpenSSH RSA Authentication Patch 580\u003c\/p\u003e \u003cp\u003eOther Runtime Patching Ideas 581\u003c\/p\u003e \u003cp\u003eGPG 1.2.2 Randomness Patch 583\u003c\/p\u003e \u003cp\u003eUpload and Run (or Proglet Server) 584\u003c\/p\u003e \u003cp\u003eSyscall Proxies 584\u003c\/p\u003e \u003cp\u003eProblems with Syscall Proxies 587\u003c\/p\u003e \u003cp\u003eConclusion 596\u003c\/p\u003e 
\u003cp\u003e\u003cb\u003eChapter 23 Writing Exploits that Work in the Wild 597\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eFactors in Unreliability 597\u003c\/p\u003e \u003cp\u003eMagic Numbers 597\u003c\/p\u003e \u003cp\u003eVersioning 598\u003c\/p\u003e \u003cp\u003eShellcode Problems 599\u003c\/p\u003e \u003cp\u003eCountermeasures 601\u003c\/p\u003e \u003cp\u003ePreparation 602\u003c\/p\u003e \u003cp\u003eBrute Forcing 602\u003c\/p\u003e \u003cp\u003eLocal Exploits 603\u003c\/p\u003e \u003cp\u003eOS\/Application Fingerprinting 603\u003c\/p\u003e \u003cp\u003eInformation Leaks 605\u003c\/p\u003e \u003cp\u003eConclusion 606\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 24 Attacking Database Software 607\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eNetwork Layer Attacks 608\u003c\/p\u003e \u003cp\u003eApplication Layer Attacks 618\u003c\/p\u003e \u003cp\u003eRunning Operating System Commands 619\u003c\/p\u003e \u003cp\u003eMicrosoft SQL Server 619\u003c\/p\u003e \u003cp\u003eOracle 620\u003c\/p\u003e \u003cp\u003eIBM DB2 621\u003c\/p\u003e \u003cp\u003eExploiting Overruns at the SQL Level 623\u003c\/p\u003e \u003cp\u003eSQL Functions 623\u003c\/p\u003e \u003cp\u003eConclusion 625\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 25 Unix Kernel Overflows 627\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eKernel Vulnerability Types 627\u003c\/p\u003e \u003cp\u003e0day Kernel Vulnerabilities 636\u003c\/p\u003e \u003cp\u003eOpenBSD exec_ibcs2_coff_prep_zmagic() Stack Overflow 636\u003c\/p\u003e \u003cp\u003eThe Vulnerability 638\u003c\/p\u003e \u003cp\u003eSolaris vfs_getvfssw() Loadable Kernel Module Traversal Vulnerability 642\u003c\/p\u003e \u003cp\u003eThe sysfs() System Call 644\u003c\/p\u003e \u003cp\u003eThe mount() System Call 645\u003c\/p\u003e \u003cp\u003eConclusion 646\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 26 Exploiting Unix Kernel Vulnerabilities 647\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe exec_ibcs2_coff_prep_zmagic() Vulnerability 
647\u003c\/p\u003e \u003cp\u003eCalculating Offsets and Breakpoints 652\u003c\/p\u003e \u003cp\u003eOverwriting the Return Address and Redirecting Execution 654\u003c\/p\u003e \u003cp\u003eLocating the Process Descriptor (or the Proc Structure) 655\u003c\/p\u003e \u003cp\u003eKernel Mode Payload Creation 658\u003c\/p\u003e \u003cp\u003eReturning Back from Kernel Payload 659\u003c\/p\u003e \u003cp\u003eGetting root (uid=0) 665\u003c\/p\u003e \u003cp\u003eSolaris vfs_getvfssw() Loadable Kernel Module Path Traversal Exploit 672\u003c\/p\u003e \u003cp\u003eCrafting the Exploit 673\u003c\/p\u003e \u003cp\u003eThe Kernel Module to Load 674\u003c\/p\u003e \u003cp\u003eGetting root (uid=0) 678\u003c\/p\u003e \u003cp\u003eConclusion 678\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 27 Hacking the Windows Kernel 681\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWindows Kernel Mode Flaws—An Increasingly Hunted Species 681\u003c\/p\u003e \u003cp\u003eIntroduction to the Windows Kernel 682\u003c\/p\u003e \u003cp\u003eCommon Kernel-Mode Programming Flaws 683\u003c\/p\u003e \u003cp\u003eStack Overflows 684\u003c\/p\u003e \u003cp\u003eHeap Overflows 688\u003c\/p\u003e \u003cp\u003eInsufficient Validation of User-Mode Addresses 688\u003c\/p\u003e \u003cp\u003eRepurposing Attacks 689\u003c\/p\u003e \u003cp\u003eShared Object Attacks 689\u003c\/p\u003e \u003cp\u003eWindows System Calls 690\u003c\/p\u003e \u003cp\u003eUnderstanding System Calls 690\u003c\/p\u003e \u003cp\u003eAttacking System Calls 692\u003c\/p\u003e \u003cp\u003eCommunicating with Device Drivers 693\u003c\/p\u003e \u003cp\u003eI\/O Control Code Components 693\u003c\/p\u003e \u003cp\u003eFinding Flaws in IOCTL Handlers 694\u003c\/p\u003e \u003cp\u003eKernel-Mode Payloads 695\u003c\/p\u003e \u003cp\u003eElevating a User-Mode Process 696\u003c\/p\u003e \u003cp\u003eRunning an Arbitrary User-Mode Payload 699\u003c\/p\u003e \u003cp\u003eSubverting Kernel Security 701\u003c\/p\u003e \u003cp\u003eInstalling a Rootkit 
703\u003c\/p\u003e \u003cp\u003eEssential Reading for Kernel Shellcoders 703\u003c\/p\u003e \u003cp\u003eConclusion 704\u003c\/p\u003e \u003cp\u003eIndex 705\u003c\/p\u003e  \u003cb\u003eChris Anley\u003c\/b\u003e is a founder and director of NGSSoftware, a security software, consultancy, and research company based in London, England. He is actively involved in vulnerability research and has discovered security flaws in a wide variety of platforms including Microsoft Windows, Oracle, SQL Server, IBM DB2, Sybase ASE, MySQL, and PGP.  \u003cp\u003e\u003cb\u003eJohn Heasman\u003c\/b\u003e is the Director of Research at NGSSoftware. He is a prolific security researcher and has published many security advisories in enterprise level software. He has a particular interest in rootkits and has authored papers on malware persistence via device firmware and the BIOS. He is also a co-author of \u003ci\u003eThe Database Hacker’s Handbook: Defending Database Servers\u003c\/i\u003e (Wiley 2005).\u003c\/p\u003e \u003cp\u003e\u003cb\u003eFelix “FX” Linder\u003c\/b\u003e leads SABRE Labs GmbH, a Berlin-based professional consulting company specializing in security analysis, system design creation, and verification work. Felix looks back at 18 years of programming and over a decade of computer security consulting for enterprise, carrier, and software vendor clients. This experience allows him to rapidly dive into complex systems and evaluate them from a security and robustness point of view, even in atypical scenarios and on arcane platforms. In his spare time, FX works with his friends from the Phenoelit hacking group on different topics, which have included Cisco IOS, SAP, HP printers, and RIM BlackBerry in the past.\u003c\/p\u003e \u003cp\u003e\u003cb\u003eGerardo Richarte\u003c\/b\u003e has been doing reverse engineering and exploit development for more than 15 years non-stop. 
In the past 10 years he helped build the technical arm of Core Security Technologies, where he works today. His current duties include developing exploits for Core IMPACT, researching new exploitation techniques and other low-level subjects, helping other exploit writers when things get hairy, and teaching internal and external classes on assembly and exploit writing. As a result of his research and as a humble thank you to the community, he has published some technical papers and open source projects, presented at a few conferences, and released part of his training material. He really enjoys solving tough problems and reverse engineering any piece of code that falls within his reach just for the fun of doing it.\u003c\/p\u003e  \u003cb\u003eThe black hats have kept up with security enhancements. Have you?\u003c\/b\u003e  \u003cp\u003eIn the technological arena, three years is a lifetime. Since the first edition of this book was published in 2004, built-in security measures on compilers and operating systems have become commonplace, but are still far from perfect. Arbitrary-code execution vulnerabilities still allow attackers to run code of their choice on your system—with disastrous results.\u003c\/p\u003e \u003cp\u003eIn a nutshell, this book is about code and data and what happens when the two become confused. You'll work with the basic building blocks of security bugs—assembler, source code, the stack, the heap, and so on. 
You'll experiment, explore, and understand the systems you're running—and how to better protect them.\u003c\/p\u003e \u003cul\u003e \u003cli\u003eBecome familiar with security holes in Windows, Linux, Solaris, Mac OS X, and Cisco's IOS\u003c\/li\u003e \u003cli\u003e \u003cp\u003eLearn how to write customized tools to protect your systems, not just how to use ready-made ones\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eUse a working exploit to verify your assessment when auditing a network\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eUse proof-of-concept exploits to rate the significance of bugs in software you're developing\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eAssess the quality of purchased security products by performing penetration tests based on the information in this book\u003c\/p\u003e \u003c\/li\u003e \u003cli\u003e \u003cp\u003eUnderstand how bugs are found and how exploits work at the lowest level\u003c\/p\u003e \u003c\/li\u003e \u003c\/ul\u003e","brand":"Wiley","offers":[{"title":"Default Title","offer_id":47990339895525,"sku":"NP9780470080238","price":52.0,"currency_code":"USD","in_stock":false}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/1842\/7735\/files\/9780470080238.jpg?v=1761787422","url":"https:\/\/k12savings.com\/es\/products\/the-shellcoders-handbook-isbn-9780470080238","provider":"K12savings","version":"1.0","type":"link"}