The Shellcoders Handbook Book Review : Shellcode Explained : Poised Solutions Library

The Shellcoders Handbook Book Review

The Shellcoders Handbook

Author:: Chris Anley
John Heasman
Felix FX Linder
Gerardo Richarte
Publisher:: Wiley
Published:: 2007
Pages:: 239

The Shellcoders Handbook

The Shellcoders Handbook Chapters

Before You Begin
- Basic Concepts
  - Memory Management
  - Assembly
- Recognizing C and C++ Code Constructs in Assembly
- Conclusion
Stack Overflows
- Buffers
- The Stack
  - Functions and the Stack
- Overflowing Buffers on the Stack
  - Controlling EIP
- An Interesting Diversion
- Using an Exploit to Get Root Privileges
  - The Address Problem
  - The NOP Method
- Defeating a Non-Executable Stack
  - Return to libc
- Conclusion
Shellcode
- Understanding System Calls
- Writing Shellcode for the exit() Syscall
- Injectable Shellcode
- Spawning a Shell
- Conclusion
Introduction to Format String Bugs
- Prerequisites
- What is a Format String?
- What is a Format String Bug?
- Format String Exploits
  - Crashing Services
  - Information Leakage
- Controlling Execution for Exploitation
- Why Did this Happen?
- Format String Technique Roundup
- Conclusion
Introduction to Heap Overflows
- What is a Heap?
  - How a Heap Works
- Finding Heap Overflows
  - Basic Heap Overflows
  - Intermediate Heap Overflows
  - Advanced Heap Overflow Exploitation
- Conclusion
The Wild World of Windows
- How Does Windows Differ from Linux?
  - Win32 API and PE-COFF
- Heaps
  - Threading
- The Genius and the Idiocy of the Distributed Common Object Model and DCE-RPC
  - Recon
  - Exploitation
  - Tokens and Impersonation
  - Exception Handling under Win32
- Debugging Windows
  - Bugs in Win32
  - Writing Windows Shellcode
  - A Hacker's Guide to the Win32 API
  - A Windows Family Tree from the Hacker's Perspective
- Conclusion
Windows Shellcode
- Syntax and Filters
- Setting Up
- Popping a Shell
- Why You Should Never Pop a Shell on Windows
- Conclusion
Windows Overflows
- Stack-Based Buffer Overflows
- Frame Based Exception Handlers
- Abusing Frame Based Exception Handling on Windows 2003 Server
  - A Final Note About Frame-Based Handler Overwrites
- Stack Protection and Windows 2003 Server
- hepa-Based Buffer Overflows
- The Process Heap
  - Dynamic Heaps
  - Working with the Heap
  - How the Heap Works
- Exploiting Heap-Based Overflows
  - Overwrite Pointer to RtlEnterCriticalSection in the PEB
  - Overwrite Pointer to Unhandled Exception Filter
  - Repairing the Heap
  - Other Aspects of Heap-Based Overflows
  - Wrapping Up the Heap
- Other Overflows
  - .data Section Overflows
  - TEB/PEB Overflows
- Exploiting Buffer Overflows and Non-Executable Stacks
- Conclusion
Overcoming Filters
- Writing Exploits for Use with an Alphanumeric Filter
- Writing Exploits for Use with a Unicode Filter
  - What is Unicode?
  - Converting from ASCII to Unicode
- Exploiting Unicode-Based Vulnerabilities
  - The Available Instruction Set in Unicode Exploits
- The Venetian Method
  - An ASCII Venetian Implementation
- Decoder and Decoding
  - The Decoder Code
  - Generating a Fix on the Buffer Address
- Conclusion
Introduction to Solaris Exploitation
- Introduction to the SPARC Architecture
  - Registers and Register Windows
  - The Delay Slot
  - Synthetic Instructions
- Solaris / SPARC Shellcode Basics
  - Self-Location Determination and SPARC Shellcode
  - Simple SPARC exec Shellcode
  - Useful System Calls on Solaris
  - NOP and Padding Instructions
- Solaris / SPARC Stack Frame Introduction
- Stack-Based Overflow Methodologies
  - Arbitrary Size Overflow
  - Register Windows and Stack Overflow Complications
  - Other Complicating Factors
  - Possible Solutions
  - Off-By-One Stack Overflow Vulnerabilities
  - Shellcode Locations
- Stack Overflow Exploitation in Action
  - The Vulnerable Program
  - The Exploit
- Heap-Based Overflows on Solaris / SPARC
  - Solaris System V Heap Introduction
  - Heap Tree Structure
- Basic Exploit Methodology (t_delete)
  - Standard Heap Overflow Limitations
  - Targets for Overwrite
- Other Heap-Related Vulnerabilities
  - Off-by-One Overflows
  - Double Free Vulnerabilities
  - Arbitrary Free Vulnerabilities
- Heap Overflow Example
  - The Vulnerable Program
- Other Solaris Exploitation Techniques
  - Static Data Overflows
  - Bypassing the Non-Executable Stack Protection
- Conclusion
Advanced Solaris Exploitation
- Single Stepping the Dynamic Linker
- Various Style Tricks for Solaris SPARC Heap Overflows
- Advanced Solaris / SPARC Shellcode
- Conclusion
OS X Shellcode
- OS X is Just BSD, Right?
- Is OS X Open Source?
- OS X for the Unix-aware
  - Password Cracking
- OS X PowerPC Shellcode
- OS X Intel Shellcode
  - Example Shellcode
  - ret2libc
  - ret2str(l)cpy
- OS X Cross-Platform Shellcode
- OS X Heap Exploitation
- Bug Hunting on OS X
- Some Interesting Bugs
- Essential Reading for OS X Exploits
- Conclusion
Cisco IOS Exploitation
- An Overview of Cisco IOS
  - Hardware Platforms
  - Software Packages
  - IOS System Architecture
- Vulnerabilities in Cisco IOS
  - Protocol Parsing Code
  - Services on the Router
  - Security Features
  - The Command-Line Interface
- Reverse Engineering IOS
  - Taking the Images Apart
  - Diffing IOS Images
  - Runtime Analysis
- Exploiting Cisco IOS
  - Stack Overflows
  - Heap Overflows
  - Shellcodes
- Conclusion
Protection Mechanisms
- Protections
  - Non-Executable Stack
  - W^X (either Writable or Executable) Memory
  - Stack Data Protection
  - AAAS: ASCII Armored Address-Space
  - ASLR: Address Space Layout Randomization
  - Heap Protections
  - Windows SEH Protections
  - Other Protections
- Implementation Differences
  - Windows
  - Linux
  - OpenBSD
  - Mac OS X
  - Solaris
- Conclusion
Establishing a Working Environment
- What You Need for Reference
- What You Need for Code
  - gcc
  - gdb
  - NASM
  - Windbg
  - OllyDbg
  - Visual C++
  - Python
- What You Need for Investigation
  - Useful Custom Script / Tools
  - All Platforms
  - Unix
  - Windows
- What You Need to Know
  - Paper Archives
- Optimizing Shellcode Development
  - Plan the Exploit
  - Write the Shellcode in Inline Assembler
  - Maintain a Shellcode Library
  - Make it Continue Nicely
  - Make the Exploit Stable
  - Make it Steal the Connection
- Conclusion
Fault Injection
- Design Overview
  - Input Generation
  - Fault Injection
  - Modification Engines
  - Fault Delivery
  - Nagel Algorithm
  - Timing
  - Heuristics
  - Stateless versus State-Based Protocols
- Fault Monitoring
  - Using a Debugger
  - FaultMon
- Putting it Together
- Conclusion
The Art of Fuzzing
- General Theory of Fuzzing
  - Static Analysis versus Fuzzing
  - Fuzzing is Scalable
- Weaknesses in Fuzzers
- Modeling Arbitrary Network Protocols
- Other Fuzzer Possibilities
  - Bit Flipping
  - Modifying Open Source Programs
  - Fuzzing with Dynamic Analysis
- SPIKE
  - What is a Spike?
  - Why Use the SPIKE Data Structure to Model Network Protocols?
- Other Fuzzers
- Conclusion
Source Code Auditing: Finding Vulnerabilities in C-Based Languages
- Tools
  - Cscope
  - Ctags
  - Editors
  - Cbrowser
- Automated Source Code Analysis Tools
- Methodology
  - Top-Down (Specific) Approach
  - Bottom-Up Approach
  - Selective Approach
- Vulnerability Classes
  - Generic Logic Errors
  - (Almost) Extinct Bug Classes
  - Format String
  - Generic Incorrect Bounds-Checking
  - Loop Constructs
  - Off-by-One Vulnerabilities
  - Non-Null Termination Issues
  - Skipping Null-Termination Issues
  - Signed Comparison Vulnerabilities
  - Different Sized Integer Conversions
  - Double Free Vulnerabilities
  - Out-of-Scope Memory Usage Vulnerabilities
  - Uninitialized Variable Usage
  - Use After Free Vulnerabilities
  - Multithreaded Issues and Re-Entrant Safe Code
- Beyond Recognition: A Real Vulnerability versus a Bug
- Conclusion
Instrumented Investigation: A Manual Approach
- Philosophy
- Oracle extproc Overflow
- Common Architectural Failures
  - Problems Happen At Boundaries
  - Problems Happen When Data is Translated
  - Problems Cluster in Areas of Asymmetry
  - Problems Occur When Authentication and Authorization are Confused
  - Problems Occur in the Dumbest Places
- Bypassing Input Validation and Attack Detection
  - Stripping Bad Data
  - Using Alternate Encodings
  - Using File-Handling Features
  - Evading Attack Signatures
  - Defeating Length Limitations
- Windows 2000 SNMP DOS
- Finding DOS Attacks
- SQL-UDP
- Conclusion
Tracing for Vulnerabilities
- Overview
  - A Vulnerable Program
  - Component Design
  - Building VulnTrace
  - using VulnTrace
  - Advanced Techniques
- Conclusion
Binary Auditing: Hacking Closed Source Software
- Binary versus Source Code Auditing: The Obvious Differences
- IDA Pro - The Tool of the Trade
  - Features: A Quick Crash Course
  - Debugging Symbols
- Binary Auditing Introduction
  - Stack Frames
  - Calling Conventions
  - Compiler-Generated Code
  - memcpy-Like Code Constructs
  - strlen-Like code Constructs
  - C++ Code Constructs
  - The this Pointer
- Reconstructing Class Definitions
  - vtables
  - Quick but Useful Tidbits
- Manual Binary Analysis
  - Quick Examination of Library Calls
  - Suspicious Loops and Write Instructions
  - Higher-Level Understanding and Logic Bugs
  - Graphical Analysis of Binaries
  - Manual Decompilation
- Binary Vulnerability Examples
  - Microsoft SQL Server Bugs
  - LSD's RPC-DCOM Vulnerability
  - IIS WebDAV Vulnerability
- Conclusion
Alternative Payload Strategies
- Modifying the Program
- The SQL Server 3-Byte Patch
- The MySQL 1-Bit Patch
- OpenSSH RSA Authentication Patch
- Other Runtime Patching Ideas
  - GPG 1.2.2 Randomness Patch
- Upload and Run (or Proglet Server)
- Syscall Proxies
- Problems with Syscall Proxies
- Conclusion
Writing Exploits that Work in the Wild
- Factoring in Unreliability
  - Magic Numbers
  - Versioning
  - Shellcode Problems
- Countermeasures
  - Preparation
  - Brute Forcing
  - Local Exploits
  - OS/Application Fingerprinting
  - Information Leaks
- Conclusion
Attacking Database Software
- Network Layer Attacks
- Application Layer Attacks
- Running Operating System Commands
  - Microsoft SQL Server
  - Oracle
  - IBM DB2
- Exploiting Overruns at the SQL Level
  - SQL Functions
- Conclusion
Unix Kernel Overflows
- Kernel Vulnerability Types
- 0day Kernel Vulnerabilities
  - OpenBSD exec_ibcs2_coff_prep_zmagic() Stack Overflow
- Solaris vfs_getvfssw() Loadable Kernel Module
  - Traversal Vulnerability
    - The sysfs() System Call
    - The mount() System Call
- Conclusion
Exploiting Unix Kernel Vulnerabilities
- The exec_ibcs2_coff_prep_zmagic() Vulnerability
  - Calculating Offsets and Breakpoints
  - Overwriting thre Return Address and Redirecting Execution
  - Locating the Process Descriptor (or the Proc Structure)
  - Kernel Mode Payload Creation
  - Returning Back from Kernel Payload
  - Getting root (uid=0)
- Solaris vfs_getvfssw() Loadable Kernel
  - Module Path Traversal Exploit
    - Crafting the Exploit
    - The Kernel Module to Load
    - Getting root (uid=0)
- Conclusion
Hacking the Windows Kernel
- Windows Kernel Mode Flaws - An Increasingly Hunted Species
- Introduction to the Windows Kernel
- Common Kernel-Mode Programming Flaws
  - Stack Overflows
  - Heap Overflows
  - Insufficient Validation of User-Mode Addresses
  - Repurposing Attacks
  - Shared Object Attacks
- Windows System Calls
  - Understanding System Calls
  - Attacking System Calls
- Communicating with Device Drivers
  - I/O Control Code Components
  - Finding Flaws in IOCTL Handlers
- Kernel-Mode Payloads
  - Elevating a User-Mode Process
  - running an Arbitrary User-Mode Payload
  - Subverting Kernel Security
  - Installing a Rootkit
- Essential Reading for Kernel Shellcoders
- Conclusion