Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

Input Path Tracing

Input tracing is a very complete but tedious technique for tracking what is happening with user input. It involves setting breakpoints at the locations where user data are accepted in a program, and then tracing forward. To save some time you can use call tracing tools, control flow tools, and memory breakpoints. These techniques are described in more detail in Chapter 3. For the following exercise we use path-tracing techniques to trace input into a vulnerable file system call.

Using GDB and IDA-Pro Together on a Solaris SPARC Binary

Although IDA-Pro is a Windows-based tool, the professional version can be used to decompile binaries from a variety of hardware platforms. In this example, we use IDA-Pro to decompile one of the main executables of the Netscape I-Planet Application Server running on the Solaris 8/Ultra-SPARC 10.

GDB is quite possibly the most powerful debugger available. The advanced features such as conditional breakpoints and expressions put GDB in the same class with SoftIce. GDB, of course, will also disassemble code, so technically IDA is not required. However, IDA is the best choice for tackling a large disassembly project.
Setting Breakpoints and Expressions

Breakpoints are crucial when reversing a target. A breakpoint allows us to stop the program in its tracks. Once stopped, we can examine memory and can then single step through function calls. With a disassembly open in one window, it's possible to single step in another window and take notes. What makes IDA so handy is the ability to take notes while performing a running disassembly. Using a disassembler (and the resulting dead listing) and a running debugger at the same time is a variety of gray box testing.

There are two basic ways to get started with breakpoints: inside-out or outside-in. Going inside-out involves finding an interesting system call or API function, such as a file operation, then setting a breakpoint on that function and beginning to work backward to determine whether any user-supplied data are being used in the call. This is a powerful way to reverse a program, but should be automated as much as possible. Going outside-in involves finding the precise function where user data are first introduced into the program, and then single stepping and mapping the execution of the code forward into the program. This is useful for determining where code-branching logic is based on user-supplied data. Both methods can be combined for maximum effect.
Mapping Runtime Memory Addresses from IDA

Unfortunately, memory addresses that are displayed in IDA do not map directly to the runtime addresses seen while using GDB. However, it is easy to determine the offsets and do the mapping by hand. For example, if IDA displays the function INTutil_uri_is_evil_internal at address 0x00056140, the following command can be issued to map the true run time address. IDA displays

.text:00056140 ! ||||||||||||||| S U B R O U T I N E ||||||||||||||||||||||||||
.text:00056140
.text:00056140
.text:00056140                 .global INTutil_uri_is_evil_internal
Setting a breakpoint with GDB will reveal the true runtime page for this subroutine:
(gdb) break *INTutil_uri_is_evil_internal
Breakpoint 1 at 0xff1d6140
So, from this we can see that 0x00056140 maps to 0xff1d6140. Note that the offset within the page is 0x6140 in both addresses. A rough mapping simply involves substituting the upper 2 bytes in the address.
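As an added example (not code from the book), the mapping rule above written out as a small Python helper: it takes one (IDA, GDB) address pair, checks that the low 16-bit page offsets agree before trusting the upper-2-byte substitution, and emits GDB breakpoint commands for the other symbols in the listing. The IDA address given for INTrequest_info_path is an assumed value, placed in the same library as INTutil_uri_is_evil_internal.

```python
import re

# Constructed IDA dead-listing lines in the style of the listing above. The second
# address is an assumption: INTrequest_info_path is placed in the same library as
# INTutil_uri_is_evil_internal so that the page's single known pair calibrates both.
IDA_LISTING = """\
.text:00056140 .global INTutil_uri_is_evil_internal
.text:00066CDC .global INTrequest_info_path
"""

def parse_ida_globals(listing):
    """Return {symbol: ida_address} for every '.global' line in an IDA listing."""
    pattern = re.compile(r"\.text:([0-9A-Fa-f]{8})\s+\.global\s+(\w+)")
    return {m.group(2): int(m.group(1), 16) for m in pattern.finditer(listing)}

def page_delta(ida_addr, runtime_addr):
    """Load delta derived from one (IDA, runtime) pair observed with a GDB
    breakpoint. Swapping only the upper 2 bytes is valid solely when the low
    16-bit page offset is identical in both addresses, so that is checked."""
    if (ida_addr & 0xFFFF) != (runtime_addr & 0xFFFF):
        raise ValueError("page offsets differ: upper-2-byte substitution is invalid")
    return runtime_addr - ida_addr

def map_to_runtime(ida_addr, delta):
    """Apply the delta, wrapping to a 32-bit SPARC address."""
    return (ida_addr + delta) & 0xFFFFFFFF

def gdb_break_commands(listing, known_sym, known_runtime):
    """'break *0x...' lines for every symbol in the listing, calibrated from the
    runtime address of one symbol (the way INTutil_uri_is_evil_internal was)."""
    syms = parse_ida_globals(listing)
    delta = page_delta(syms[known_sym], known_runtime)
    return [f"break *0x{map_to_runtime(addr, delta):08x}  # {name}"
            for name, addr in syms.items()]

if __name__ == "__main__":
    # The page's observed pair: IDA 0x00056140 -> GDB 0xff1d6140
    for cmd in gdb_break_commands(IDA_LISTING, "INTutil_uri_is_evil_internal", 0xff1d6140):
        print(cmd)
```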
Attaching to a Running Process

A nice feature of GDB is the ability to attach and detach from a currently running process. Because most server software has a complex startup cycle, it is often very difficult or inconvenient to start the server from within a debugger. The ability to attach to an already running process is a great time-saver. First you must find the PID of the process to debug. In the case of Netscape I-Planet, locating the correct process took several tries and some trial and error.

To attach to a running process with GDB, start gdb and then type the following command at the prompt, where process-id is the PID of your target:
(gdb) attach process-id
Once you have attached to the process, type the continue command so the executable will continue running. You can use ctrl-c to get back to the gdb prompt.
(gdb) continue
If the process is multithreaded, you can see a list of all the threads by issuing the info command. (The info command has many uses beyond simply listing threads, of course.)
(gdb) info threads
90 Thread 71 0xfeb1a018 in _lwp_sema_wait () from /usr/lib/libc.so.1
89 Thread 70 (LWP 14) 0xfeb18224 in _poll () from /usr/lib/libc.so.1
88 Thread 69 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
87 Thread 68 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
86 Thread 67 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
85 Thread 66 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
84 Thread 65 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
83 Thread 64 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
82 Thread 63 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
81 Thread 62 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
80 Thread 61 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
79 Thread 60 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
78 Thread 59 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
77 Thread 58 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
76 Thread 57 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
75 Thread 56 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
74 Thread 55 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
73 Thread 54 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
72 Thread 53 0xfeb88014 in cond_wait () from /usr/lib/libthread.so.1
...
To get a list of all the functions on the call stack, issue the following:
(gdb) info stack
#0  0xfedd9490 in _MD_getfileinfo64 ()
   from /usr/local/iplanet/servers/bin/https/lib/libnspr4.so
#1  0xfedd5830 in PR_GetFileInfo64 ()
   from /usr/local/iplanet/servers/bin/https/lib/libnspr4.so
#2  0xfeb62f24 in NSFC_PR_GetFileInfo ()
   from /usr/local/iplanet/servers/bin/https/lib/libnsfc.so
#3  0xfeb64588 in NSFC_ActivateEntry ()
   from /usr/local/iplanet/servers/bin/https/lib/libnsfc.so
#4  0xfeb63fa0 in NSFC_AccessFilename ()
   from /usr/local/iplanet/servers/bin/https/lib/libnsfc.so
#5  0xfeb62d24 in NSFC_GetFileInfo ()
   from /usr/local/iplanet/servers/bin/https/lib/libnsfc.so
#6  0xff1e6cdc in INTrequest_info_path ()
   from /usr/local/iplanet/servers/bin/https/lib/libns-httpd40.so
...

In this example, _MD_getfileinfo64 is the current function, which was called by PR_GetFileInfo64, which was called by NSFC_PR_GetFileInfo, and so forth. The call stack can help you backtrack a function call to determine which code path is being followed.
Using Truss to Model the Target on Solaris

To reverse engineer the I-Planet binaries, we copied the main executable and all the linked libraries to a standard Windows 2000 workstation where IDA-Pro was installed. The goal was to examine the file system calls and the URL filtering code to uncover possible ways into the file system remotely. This example can be used as a model for finding vulnerabilities in many software packages. Reverse engineering can be carried out against targets on many UNIX platforms using IDA, and GDB is available for almost every platform out there.

When reversing a Web server, the first task is to locate any routines that are handling uniform resource identifier (URI) data. The URI data are supplied by remote users. If there is any weakness there, it will be the easiest to exploit. Among the huge number of API calls that are made every second, it's hard to track down what is important. Fortunately there are some powerful tools that can help you model a running application. For this example, the URI handling routines were tracked down using the excellent tool called Truss. [2]

[2] More information about Truss can be found at http://solaris.java.sun.com/articles/multiproc/truss_comp.h
Under Solaris 8, Truss will track the library API calls of a running process. This is useful to determine which calls are being made when certain behavior is occurring. To figure out where data were being handled in the I-Planet server, we ran Truss against the main process and dumped logs of the calls that were made while Web requests were handled. (If you are not running under Solaris, you can use a similar tool such as ltrace. ltrace is a free, open-source tool and it works on many platforms.)

Truss is very easy to use and has the nice feature that it can be attached to and detached from a running process. To attach Truss to a process, get the PID of the target and issue the following command:
# truss -u *:: -vall -xall -p process_id
If you are interested only in certain API calls, you can use Truss with grep:
# truss -u *:: -vall -xall -p 2307 2>&1 | grep anon
This example will "truss" the process with PID 2307 and will only show calls with the substring anon. You can change the grep slightly to ignore only certain calls. This is useful because you may want to see everything except those annoying poll and read calls:
# truss -u *:: -vall -xall -p 2307 2>&1 | grep -v read | grep -v poll
(Note that the 2>&1 redirection is required because Truss does not deliver all its data on the stdout pipe; the trace itself is written to stderr.) The output of the command will look something like this:
/67: <- libns-httpd40:__0FT_util_strftime_convPciTCc() = 50
/67: -> libns-httpd40:__0FT_util_strftime_convPciTCc(0xff2ed342, 0x2, 0x2,
/67: <- libns-httpd40:__0FT_util_strftime_convPciTCc() = 0xff2ed345
/67: <- libns-httpd40:INTutil_strftime() = 20
/67: -> libns-httpd40:INTsystem_strdup(0xff2ed330, 0x9, 0x41, 0x50)
/67: -> libns-httpd40:INTpool_strdup(0x9e03a0, 0xff2ed330, 0x0, 0x0)
/67: -> libc:strlen(0xff2ed330, 0x0, 0x0, 0x0)
/67: <- libc:strlen() = 20
/67: <- libns-httpd40:INTpool_strdup() = 0x9f8b10
/67: <- libns-httpd40:INTsystem_strdup() = 0x9f8b10
/67: <- libns-httpd40:time_cache_curr_strftime_logfmt() = 0x9f8b10
/67: -> libc:strcpy(0xf7400710, 0x9f8b10, 0x0, 0x7efefeff)
/67: <- libc:strcpy() = 0xf7400710
/67: -> libc:strlen(0xf7400710, 0x9f8b28, 0xf7400710, 0x0)
/67: <- libc:strlen() = 20
/67: -> libc:strlen(0x9f4f48, 0x34508f, 0x0, 0x7efefeff)
/67: <- libc:strlen() = 25
This example shows the API calls being made by the process (number 2307). Truss indents the output for nested function calls. Taking samples of the running application while certain requests are being made and then investigating the call trace is an excellent technique.
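As an added example (not from the book or the I-Planet code), a Python parser for the truss -u call trace above: it pairs each -> entry with its <- return per LWP, recovers the nesting depth that truss conveys with indentation, and follows one buffer address through the layered calls, which is the manual input-path tracing this section describes applied to a captured log. The sample lines are constructed in the same format as the trace above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the truss -u trace above (LWP /67).
TRUSS_OUTPUT = """\
/67: -> libns-httpd40:INTsystem_strdup(0xff2ed330, 0x9, 0x41, 0x50)
/67: -> libns-httpd40:INTpool_strdup(0x9e03a0, 0xff2ed330, 0x0, 0x0)
/67: -> libc:strlen(0xff2ed330, 0x0, 0x0, 0x0)
/67: <- libc:strlen() = 20
/67: <- libns-httpd40:INTpool_strdup() = 0x9f8b10
/67: <- libns-httpd40:INTsystem_strdup() = 0x9f8b10
/67: -> libc:strcpy(0xf7400710, 0x9f8b10, 0x0, 0x7efefeff)
/67: <- libc:strcpy() = 0xf7400710
"""

# /LWP: -> lib:func(args)   or   /LWP: <- lib:func() = value
LINE_RE = re.compile(
    r"^/(\d+):\s*(->|<-)\s*([\w\-]+):(\w+)\((.*?)\)"
    r"(?:\s*=\s*(0x[0-9a-fA-F]+|\d+))?\s*$")

def parse_truss(text):
    """Pair each '->' entry with its '<-' return using a per-LWP stack (truss
    nests calls per thread). Returns completed calls in entry order, each a dict
    with lwp, lib, func, args (ints, since -xall prints hex), ret and depth.
    Truncated or unmatched lines are skipped rather than guessed at."""
    stacks, calls, seq = defaultdict(list), [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # not a complete call record
        lwp, direction, lib, func, args, ret = m.groups()
        if direction == "->":
            argv = [int(a, 16) for a in args.split(",") if a.strip()]
            stacks[lwp].append({"seq": seq, "lwp": lwp, "lib": lib, "func": func,
                                "args": argv, "ret": None, "depth": len(stacks[lwp])})
            seq += 1
        elif stacks[lwp] and stacks[lwp][-1]["func"] == func:
            call = stacks[lwp].pop()     # return belongs to the innermost open call
            call["ret"] = int(ret, 0) if ret else None
            calls.append(call)
    return sorted(calls, key=lambda c: c["seq"])

def trace_pointer(calls, ptr):
    """Every call that received ptr as an argument or returned it, in entry order:
    a quick way to follow one buffer (e.g. a URI copy) through the API layers."""
    return [(c["depth"], c["lib"], c["func"]) for c in calls
            if ptr in c["args"] or c["ret"] == ptr]

def render(calls):
    """Indented listing, two spaces per nesting level, like truss's own output."""
    return "\n".join(f"/{c['lwp']}: {'  ' * c['depth']}{c['lib']}:{c['func']}"
                     f"({', '.join(hex(a) for a in c['args'])}) = {c['ret']}"
                     for c in calls)

if __name__ == "__main__":
    parsed = parse_truss(TRUSS_OUTPUT)
    print(render(parsed))
    print(trace_pointer(parsed, 0xff2ed330))   # the string handed to strdup
```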