- •Exploiting Software How to Break Code
- •Table of Contents
- •Copyright
- •Praise for Exploiting Software
- •Attack Patterns
- •Foreword
- •Preface
- •What This Book Is About
- •How to Use This Book
- •But Isn't This Too Dangerous?
- •Acknowledgments
- •Greg's Acknowledgments
- •Gary's Acknowledgments
- •Bad Software Is Ubiquitous
- •The Trinity of Trouble
- •The Future of Software
- •What Is Software Security?
- •Conclusion
- •Chapter 2. Attack Patterns
- •A Taxonomy
- •An Open-Systems View
- •Tour of an Exploit
- •Attack Patterns: Blueprints for Disaster
- •An Example Exploit: Microsoft's Broken C++ Compiler
- •Applying Attack Patterns
- •Attack Pattern Boxes
- •Conclusion
- •Into the House of Logic
- •Should Reverse Engineering Be Illegal?
- •Reverse Engineering Tools and Concepts
- •Approaches to Reverse Engineering
- •Methods of the Reverser
- •Writing Interactive Disassembler (IDA) Plugins
- •Decompiling and Disassembling Software
- •Decompilation in Practice: Reversing helpctr.exe
- •Automatic, Bulk Auditing for Vulnerabilities
- •Writing Your Own Cracking Tools
- •Building a Basic Code Coverage Tool
- •Conclusion
- •Chapter 4. Exploiting Server Software
- •The Trusted Input Problem
- •The Privilege Escalation Problem
- •Finding Injection Points
- •Input Path Tracing
- •Exploiting Trust through Configuration
- •Specific Techniques and Attacks for Server Software
- •Conclusion
- •Chapter 5. Exploiting Client Software
- •Client-side Programs as Attack Targets
- •In-band Signals
- •Cross-site Scripting (XSS)
- •Client Scripts and Malicious Code
- •Content-Based Attacks
- •Conclusion
- •Chapter 6. Crafting (Malicious) Input
- •The Defender's Dilemma
- •Intrusion Detection (Not)
- •Partition Analysis
- •Tracing Code
- •Reversing Parser Code
- •Misclassification
- •Audit Poisoning
- •Conclusion
- •Chapter 7. Buffer Overflow
- •Buffer Overflow 101
- •Injection Vectors: Input Rides Again
- •Buffer Overflows and Embedded Systems
- •Database Buffer Overflows
- •Buffer Overflows and Java?!
- •Content-Based Buffer Overflow
- •Audit Truncation and Filters with Buffer Overflow
- •Causing Overflow with Environment Variables
- •The Multiple Operation Problem
- •Finding Potential Buffer Overflows
- •Stack Overflow
- •Arithmetic Errors in Memory Management
- •Format String Vulnerabilities
- •Heap Overflows
- •Buffer Overflows and C++
- •Payloads
- •Payloads on RISC Architectures
- •Multiplatform Payloads
- •Prolog/Epilog Code to Protect Functions
- •Conclusion
- •Chapter 8. Rootkits
- •Subversive Programs
- •A Simple Windows XP Kernel Rootkit
- •Call Hooking
- •Trojan Executable Redirection
- •Hiding Files and Directories
- •Patching Binary Code
- •The Hardware Virus
- •Low-Level Disk Access
- •Adding Network Support to a Driver
- •Interrupts
- •Key Logging
- •Advanced Rootkit Topics
- •Conclusion
- •References
- •Index
Building a Basic Code Coverage Tool
As we mentioned early in the chapter, all the available coverage tools, commercial or otherwise, lack significant features and data visualization methods that are important to the attacker. Instead of fighting with expensive and deficient tools, why not write your own? In
• |
Table of Contents |
this section we present one of the jewels of this book—a simple code coverage tool that can |
|
• |
Index |
be designed using the debugging API calls that are described elsewhere in this book. The tool
Exploitingshould trackSoftwareall conditionalHow BreakbranchesCode in the code. If the conditional branch can be controlled
by user-supplied input, this should be noted. Of course, the goal is to determine whether the
ByGreg Hoglund,Gary McGraw
input set has exercised all possible branches that can be controlled.
Publisher: Addison Wesley
For the purposes of this example, the tool will run the processor in single-step mode and will
Pub Date: February 17, 2004
track each instruction using a disassembler. The core object we are tracking is a code
ISBN: 0-201-78695-8
location. A location is a single continuous block of instructions with no branches. Branch instructionsPages: 512connect all the code locations together. That is, one code location branches to another code location. We want to track all the code locations that have been visited and determine whether user-supplied input is being processed in the code location. The structure we are using to track code locations is as follows:
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
//ThisAmustcode-havelocationbook may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
struct item
{ Why software exploit will continue to be a serious problem
When network security mechanisms do not work item()
Attack patterns
{
Reverse engineering subroutine=FALSE;
Classic attacks against server software is_conditional=FALSE;
Surprising attacks against client software
isret=FALSE;
Techniques for crafting malicious input
boron=FALSE;
The technical details of buffer overflows
address=0;
Rootkits
length=1;
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.x=0;
y=0;
column=0;
m_hasdrawn=FALSE;
}
|
bool |
subroutine; |
|
|
bool |
is_conditional; |
|
|
bool |
isret; |
|
• |
|
Table of Contents |
|
• |
bool |
Index |
|
|
boron; |
|
|
Exploiting Software How to Break Code |
|
||
ByGregboolH glund,Garym hasdrawn;McG aw |
// To stop circular references |
Publisher: Addison Wesley
Pub Date: February 17, 2004
int address;
ISBN: 0-201-78695-8
Pages: 512
int length;
int column;
int x;
How does software break? How do attackers make software break on purpose? Why are firewalls,int intrusiony;detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniquesstd::stringused bymbaddisasm;guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
std::string m_borons;
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
std::list<struct item *> mChildren;
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
struct item * lookup(DWORD addr)
Attack patterns
{Reverse engineering
Classtd::list<itemic attacks against*>::iteratorserver softwarei = mChildren.begin();
Surpriswhile(ing attacks!= mChildrenagainst client.end())software
Techniques for crafting malicious input
{
The technical details of buffer overflows struct item *g = *i;
Rootkits
if(g->address == addr) return g;
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
i++;
software.
}
return NULL;
}
};
Each location has a list of pointers to all branch targets from the location. It also has a string that represents the assembly instructions that make up the location. The following code executes on each single-step event:
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
struct item *anItem = NULL;
ISBN: 0-201-78695-8
Pages: 512
// Make sure we have a fresh context.
theThread->GetThreadContext();
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
// Disassemble the target instruction.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from m_disasm.Disasm( theThread );
attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about
// Determine if this is the target of a branch instruction.
if(m_next_is_target || m_next_is_calltarget)
Why software exploit will continue to be a serious problem
{ When network security mechanisms do not work
anItemAttack patterns= OnBranchTarget( theThread );
SetCurrentItemForThread(Reverse engin ering theThread->m_thread_id, anItem);
Classic attacks against server software m_next_is_target = FALSE;
Surprising attacks against client software m_next_is_calltarget = FALSE;
Techniques for crafting malicious input
The technical details of buffer overflows
// We have branched, so we need to set the parent/child
Rootkits
// lists.
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
if(old_item) software.
{
// Determine if we are already in the child.
if(NULL == old_item->lookup(anItem->address))
{
old_item->mChildren.push_back(anItem);
}
}
}
•Table of Contents
else
• Index
Exploiting Software How to Break Code
{
ByGreg Hoglund,Gary McGraw
anItem = GetCurrentItemForThread( theThread->m_thread_id );
Publisher: Addison Wesley
} Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
if(anItem)
{
How does software break? How do attackers make software break on purpose? Why are anItem->m_disasm += m_disasm.m_instruction;
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers. anItem->m_disasm += '\n';
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
}
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out. char *_c = m_disasm.m_instruction;
This must-have book may shock you—and it will certainly educate you.Getting beyond the
if(strstr(_c, "call"))
script kiddie treatment found in many hacking books, you will learn about
{
Why software exploit will continue to be a serious problem
m_next_is_calltarget = TRUE;
When network security mechanisms do not work
}
Attack patterns
else if(strstr(_c, "ret"))
Reverse engineering
{
Classic attacks against server software
m_next_is_target = TRUE;
Surprising attacks against client software
if(anItem) anItem->isret = TRUE;
Techniques for crafting malicious input
} The technical details of buffer overflows
else Rootkitsif(strstr(_c, "jmp"))
Exploiting{ Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
m_next_is_target = TRUE;
}
else if(strstr(_c, "je"))
{
m_next_is_target = TRUE;
if(anItem)anItem->is_conditional=TRUE;
}
else if(strstr(_c, "jne"))
•Table of Contents
{
•Index
Exploiting Software How to Break Code
m_next_is_target = TRUE;
ByGreg Hoglund,Gary McGraw
if(anItem)anItem->is_conditional=TRUE;
Publisher: Addison Wesley
}Pub Date: February 17, 2004
ISBN: 0-201-78695-8
else if(strstr(_c, "jl"))
Pages: 512
{
m_next_is_target = TRUE;
How does software break? How do attackers make software break on purpose? Why are if(anItem)anItem->is_conditional=TRUE;
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
}
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and else if(strstr(_c, "jle"))
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
{
This must-have book may shock you—and it will certainly educate you.Getting beyond the m_next_is_target = TRUE;
script kiddie treatment found in many hacking books, you will learn about
if(anItem)anItem->is_conditional=TRUE;
Why software exploit will continue to be a serious problem
}
When network security mechanisms do not work else if(strstr(_c, "jz"))
Attack patterns
{
Reverse engineering
m_next_is_target = TRUE;
Classic attacks against server software
if(anItem)anItem->is_conditional=TRUE;
Surprising attacks against client software
}
Techniques for crafting malicious input
else if(strstr(_c, "jnz"))
The technical details of buffer overflows
{ Rootkits
m_next_is_target = TRUE;
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software.
if(anItem)anItem->is_conditional=TRUE;
}
else if(strstr(_c, "jg"))
{
m_next_is_target = TRUE;
if(anItem)anItem->is_conditional=TRUE;
}
else if(strstr(_c, "jge"))
•Table of Contents
{
•Index
Exploiting Software How to Break Code
m_next_is_target = TRUE;
ByGreg Hoglund,Gary McGraw
if(anItem)anItem->is_conditional=TRUE;
Publisher: Addison Wesley
}Pub Date: February 17, 2004
ISBN: 0-201-78695-8
else
Pages: 512
{
// Not a branching instruction,
How does software break? How do attackers make software break on purpose? Why are
// so add one to the current item length.
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers. if(anItem) anItem->length++;
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
}
techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
//////////////////////////////////////////////
script kiddie treatment found in many hacking books, you will learn about
// Check for boron tag.
Why software exploit will continue to be a serious problem
//////////////////////////////////////////////
When network security mechanisms do not work
if(anItem && mTagLen)
Attack patterns
{
Reverse engineering
if(check_boron(theThread, _c, anItem)) anItem->boron = TRUE;
Classic attacks against server software
}
Surprising attacks against client software
Techniques for crafting malicious input
old_item = anItem;
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
First, we see the code gets a fresh context structure for the thread that just single stepped. software.
The instruction pointed to by the instruction pointer is disassembled. If the instruction is the beginning of a new code location, the list of currently mapped locations is queried so that we don't make double entries. The instruction is then compared with a list of known branching instructions, and appropriate flags are set in the item structure. Finally, a check is made for boron tags. The code for a boron tag check is presented in the following paragraph.
Checking for Boron Tags
When a breakpoint or single-step event has occurred, the debugger may wish to query memory for boron tags (that is, substrings that are known to be user supplied). Using the memory query routines introduced earlier in the book, we can make some fairly intelligent queries for boron tags. Because CPU registers are used constantly to store pointers to data, it makes sense to check all the CPU registers for valid memory pointers when the breakpoint or single step has occurred. If the register points to valid memory, we can then query that memory and look for a boron tag. The fact is that any code location that is using user-
•Table of Contents
supplied data typically has a pointer to these data in one of the registers. To check the
•Index
registers, you can use a routine like this:
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
bool check_boron( CDThread *theThread, char *c, struct item *ip )
{
How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
// If any of the registers point to the user buffer, tag this.
What tools can be used to break software? This book provides the answers.
DWORD reg;
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
if(strstr(c, "eax"))
This must-have book may shock you—and it will certainly educate you.Getting beyond the script{kiddie treatment found in many hacking books, you will learn about
reg = theThread->m_ctx.Eax;
Why software exploit will continue to be a serious problem
if(can_read( theThread, (void *)reg ))
When network security mechanisms do not work
Attack{ patterns
Reverse engineeringSIZE T lpRead;
Classic attacks against server software char string[255];
Surprising attacks against client software string[mTagLen]=NULL;
Techniques for crafting malicious input
// Read the target memory.
The technical details of buffer overflows if(ReadProcessMemory( theThread->m_hProcess,
Rootkits
(void *)reg, string, mTagLen, &lpRead))
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software. {
if(strstr( string, mBoronTag ))
{
// Found the boron string.
ip->m_borons += "EAX: ";
ip->m_borons += c;
ip->m_borons += " —> ";
ip->m_borons += string;
ip->m_borons += '\n';
•Table of Contents
•Index
Exploiting Software How to Break Code
return TRUE;
ByGreg Hoglund,Gary McGraw
}
Publisher: Addison Wesley
Pub Date: February} 17, 2004
ISBN: 0-201-78695-8
}
Pages: 512
}
....
How does software break? How do attackers make software break on purpose? Why are
// Repeat this call for all the registers EAX, EBX, ECX, EDX, ESI, and EDI. firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
return FALSE;
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
}
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
To saveWhyroom,softwarewe didn'texploitpastewill thecontinuecod forto beallaregisters,serious problemjust the EAX register. The code should query all registers listed in the comment. The function returns TRUE if the supplied boronWhentag isnetworkfound behindsecurityonemechanismsof the memorydo notpointerswork .
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.