- Exploiting Software How to Break Code
- Table of Contents
- Copyright
- Praise for Exploiting Software
- Attack Patterns
- Foreword
- Preface
- What This Book Is About
- How to Use This Book
- But Isn't This Too Dangerous?
- Acknowledgments
- Greg's Acknowledgments
- Gary's Acknowledgments
- Bad Software Is Ubiquitous
- The Trinity of Trouble
- The Future of Software
- What Is Software Security?
- Conclusion
- Chapter 2. Attack Patterns
- A Taxonomy
- An Open-Systems View
- Tour of an Exploit
- Attack Patterns: Blueprints for Disaster
- An Example Exploit: Microsoft's Broken C++ Compiler
- Applying Attack Patterns
- Attack Pattern Boxes
- Conclusion
- Into the House of Logic
- Should Reverse Engineering Be Illegal?
- Reverse Engineering Tools and Concepts
- Approaches to Reverse Engineering
- Methods of the Reverser
- Writing Interactive Disassembler (IDA) Plugins
- Decompiling and Disassembling Software
- Decompilation in Practice: Reversing helpctr.exe
- Automatic, Bulk Auditing for Vulnerabilities
- Writing Your Own Cracking Tools
- Building a Basic Code Coverage Tool
- Conclusion
- Chapter 4. Exploiting Server Software
- The Trusted Input Problem
- The Privilege Escalation Problem
- Finding Injection Points
- Input Path Tracing
- Exploiting Trust through Configuration
- Specific Techniques and Attacks for Server Software
- Conclusion
- Chapter 5. Exploiting Client Software
- Client-side Programs as Attack Targets
- In-band Signals
- Cross-site Scripting (XSS)
- Client Scripts and Malicious Code
- Content-Based Attacks
- Conclusion
- Chapter 6. Crafting (Malicious) Input
- The Defender's Dilemma
- Intrusion Detection (Not)
- Partition Analysis
- Tracing Code
- Reversing Parser Code
- Misclassification
- Audit Poisoning
- Conclusion
- Chapter 7. Buffer Overflow
- Buffer Overflow 101
- Injection Vectors: Input Rides Again
- Buffer Overflows and Embedded Systems
- Database Buffer Overflows
- Buffer Overflows and Java?!
- Content-Based Buffer Overflow
- Audit Truncation and Filters with Buffer Overflow
- Causing Overflow with Environment Variables
- The Multiple Operation Problem
- Finding Potential Buffer Overflows
- Stack Overflow
- Arithmetic Errors in Memory Management
- Format String Vulnerabilities
- Heap Overflows
- Buffer Overflows and C++
- Payloads
- Payloads on RISC Architectures
- Multiplatform Payloads
- Prolog/Epilog Code to Protect Functions
- Conclusion
- Chapter 8. Rootkits
- Subversive Programs
- A Simple Windows XP Kernel Rootkit
- Call Hooking
- Trojan Executable Redirection
- Hiding Files and Directories
- Patching Binary Code
- The Hardware Virus
- Low-Level Disk Access
- Adding Network Support to a Driver
- Interrupts
- Key Logging
- Advanced Rootkit Topics
- Conclusion
- References
- Index
Exploiting Software: How to Break Code
By Greg Hoglund, Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512

How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.

This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about

- Why software exploit will continue to be a serious problem
- When network security mechanisms do not work
- Attack patterns
- Reverse engineering
- Classic attacks against server software
- Surprising attacks against client software
- Techniques for crafting malicious input
- The technical details of buffer overflows
- Rootkits

Exploiting Software is filled with the tools, concepts, and knowledge necessary to break software.

Heap Overflows

Heap memory consists of large blocks of allocated memory. Each block has a small header that describes the size of the block and other details. If a heap buffer suffers from overflow, the overflow overwrites the next block in the heap, including its header. If you overwrite the header of the next block in memory, you can cause arbitrary data to be written to memory.

Each exploit and software target has unique results, making this attack difficult. Depending on the code, the points at which memory can be corrupted will change. This isn't bad; it just means that the exploit that you craft must be unique to the target.

Heap overflows have been understood and exploited in the computer underground for several years, but the technique remains fairly esoteric. Unlike stack overflows (which have by now been almost hunted to extinction), heap overflow vulnerabilities are still very prevalent.

Typically, heap structures are placed contiguously in memory. The direction of buffer growth is shown in Figure 7-14.

Figure 7-14. Heap buffer growth in a typical platform.

Each OS and compiler uses different methods for managing the heap. Even different applications on the same platform may use different methods for heap management. The best thing to do when working an exploit is to reverse engineer the heap system in use, keeping in mind that each target application is likely to use slightly different methods.

Figure 7-15 shows how Windows 2000 organizes heap header information.

Figure 7-15. Under Windows 2000, this pattern is used to represent the heap header.
Consider the following code:

    #include <windows.h>
    #include <string.h>

    int main(void)
    {
        /* Three small blocks; the heap manager places them back to back,
           each preceded by its own header. */
        char *c = (char *) HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, 10);
        char *d = (char *) HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, 32);
        char *e = (char *) HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, 10);

        strcpy(c, "Hello!");
        strcpy(d, "Big!");
        strcpy(e, "World!");

        /* Freeing e makes the heap manager read e's header, which sits
           right after d's buffer. */
        HeapFree( GetProcessHeap(), 0, e);
        return 0;
    }

and the heap (each line gives the address, four bytes of hex, and their ASCII rendering):

    ...
    00142ADC 00 00 00 00 ....
    00142AE0 07 00 05 00 ....
    00142AE4 00 07 18 00 ....
    00142AE8 42 69 67 21 Big! <- we control this buffer
    00142AEC 00 00 00 00 .... <-
    00142AF0 00 00 00 00 .... <- ...
    00142AF4 00 00 00 00 ....
    ...
    00142B10 00 00 00 00 .... <- this gets read into EAX
    00142B14 00 00 00 00 .... <- this gets read into ECX
    00142B18 05 00 07 00 .... <- this can be corrupted
    00142B1C 00 07 1E 00 .... <- this can be corrupted
    00142B20 57 6F 72 6C Worl
    00142B24 64 21 00 00 d!..

With this somewhat cryptic memory dump, we're trying to illustrate that we control the buffer directly above the heap header for the third buffer (the one that contains "World!").
By corrupting header fields, an attacker can cause the logic of the heap manager to read the wrong locations after a HeapFree.[11] The offending code is listed here, from NTDLL:
[11] For more, see Halvar Flake's information posted at Blackhat.com.
    001B:77F5D830 LEAVE
    001B:77F5D831 RET 0004
    001B:77F5D834 LEA EAX,[ESI-18]
    001B:77F5D837 MOV [EBP-7C],EAX
    001B:77F5D83A MOV [EBP-80],EAX
    001B:77F5D83D MOV ECX,[EAX]          <- loads our data
    001B:77F5D83F MOV [EBP-0084],ECX
    001B:77F5D845 MOV EAX,[EAX+04]       <- loads our data
    001B:77F5D848 MOV [EBP-0088],EAX
    001B:77F5D84E MOV [EAX],ECX          <- moves our data
    001B:77F5D850 MOV [ECX+04],EAX
    001B:77F5D853 CMP BYTE PTR [EBP-1D],00
    001B:77F5D857 JNZ 77F5D886
Malloc and the Heap
Malloc uses a slightly different header format, but the technique is the same. Two records are stored near one another in memory and one can overwrite the other. Consider the following code:

    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char* argv[])
    {
        /* Two adjacent heap blocks, each with its own header in front of it. */
        char *c = (char *)malloc(10);
        char *d = (char *)malloc(32);

        strcpy(c, "Hello!");
        strcpy(d, "World!");

        /* free() reads d's header, which a write past the end of c can reach. */
        free(d);

        return 0;
    }
After executing the two strcpys, the heap looks like this:
    00320FF0 0A 00 00 00 ....
    00320FF4 01 00 00 00 ....
    00320FF8 34 00 00 00 4...
    00320FFC FD FD FD FD ýýýý
    00321000 48 65 6C 6C Hell
    00321004 6F 21 00 CD o!.Í
    00321008 CD CD FD FD ÍÍýý
    0032100C FD FD AD BA ýý-º
    00321010 AB AB AB AB ««««
    00321014 AB AB AB AB ««««
    00321018 00 00 00 00 ....
    0032101C 00 00 00 00 ....
    00321020 0D 00 09 00 ....
    00321024 00 07 18 00 ....
    00321028 E0 0F 32 00 à.2. <- this value is used as an address
    0032102C 00 00 00 00 ....
    00321030 00 00 00 00 ....
    00321034 00 00 00 00 ....
    00321038 20 00 00 00  ... <- size
    0032103C 01 00 00 00 ....
    00321040 35 00 00 00 5...
    00321044 FD FD FD FD ýýýý
    00321048 57 6F 72 6C Worl
    0032104C 64 21 00 CD d!.Í
    00321050 CD CD CD CD ÍÍÍÍ
    00321054 CD CD CD CD ÍÍÍÍ
    00321058 CD CD CD CD ÍÍÍÍ
    0032105C CD CD CD CD ÍÍÍÍ
    00321060 CD CD CD CD ÍÍÍÍ
    00321064 CD CD CD CD ÍÍÍÍ
    00321068 FD FD FD FD ýýýý
    0032106C 0D F0 AD BA .ð-º
    00321070 0D F0 AD BA .ð-º
    00321074 0D F0 AD BA .ð-º
    00321078 AB AB AB AB ««««
    0032107C AB AB AB AB ««««
You can plainly see the buffers in the heap. Also notable are the heap headers that specify the size of the heap blocks. We want to overwrite the address because it gets used in a later operation once free() is called:

    00401E6C mov eax,dword ptr [pHead]
    00401E6F mov ecx,dword ptr [eax]      <- ecx has our value
    00401E71 mov edx,dword ptr [pHead]
    00401E74 mov eax,dword ptr [edx+4]
    00401E77 mov dword ptr [ecx+4],eax    <- memory overwrite

Because values that we control in the header are being used in the free() operation, we have the ability to overwrite any location in memory as we see fit. The memory overwrite that is noted uses whatever is stored in the eax register. We also control that value, because it's taken from the heap header as well. In other words, we have complete control over writing a single 4-byte DWORD value to memory at any location.
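The write in both free() listings above is an unlink: the two link words in a block's header are loaded and then stored through each other. The following C model, added here and not taken from the book, contrasts that naive unlink with the safe-unlink consistency check that later heap managers adopted; the hdr struct, unlink_naive, unlink_checked and the demo functions are hypothetical names, and the overflow is simulated by assigning the link fields directly rather than by overrunning a buffer.

```c
#include <stddef.h>

/* Free-list links as they sit in a heap block header: the two words the
 * page's free()/HeapFree listings load into ECX and EAX before storing
 * through them. (Added illustration; not the book's code.) */
typedef struct hdr { struct hdr *fd; struct hdr *bk; } hdr;

/* Naive unlink: the same two stores as the NTDLL listing
 * (MOV [EAX],ECX ; MOV [ECX+04],EAX). With overflowed links it writes one
 * chosen word to one chosen address. */
static void unlink_naive(hdr *p) {
    p->bk->fd = p->fd;
    p->fd->bk = p->bk;
}

/* Safe unlink, the check later heap managers added: both neighbours must
 * still point back at p. Inconsistent links (what an overflowed header
 * looks like) return 0 and nothing is written. */
static int unlink_checked(hdr *p) {
    if (p->fd->bk != p || p->bk->fd != p) return 0;
    p->bk->fd = p->fd;
    p->fd->bk = p->bk;
    return 1;
}

/* Intact circular list head <-> a <-> b. Unlinking a must be accepted and
 * leave head and b pointing at each other. Returns 1 when that holds. */
int demo_healthy(void) {
    hdr head, a, b;
    head.fd = &a; a.bk = &head; a.fd = &b; b.bk = &a; b.fd = &head; head.bk = &b;
    return unlink_checked(&a) == 1 && head.fd == &b && b.bk == &head;
}

/* Corrupted header: the overflow is simulated by setting a's links so that
 * fd names the write target and bk the value to be written. Returns 1 if
 * the checked unlink refuses and leaves the target untouched, while the
 * naive unlink (run afterwards) overwrites target.bk with the chosen value. */
int demo_corrupted(void) {
    hdr target = { NULL, NULL };   /* stands in for any address in memory */
    hdr value  = { NULL, NULL };   /* the word the overflow wants written  */
    hdr a      = { &target, &value };
    int refused = unlink_checked(&a) == 0 && target.bk == NULL;
    unlink_naive(&a);              /* what the page's free() code does */
    return refused && target.bk == &value && value.fd == &target;
}
```

A real allocator would additionally validate the size fields the dumps show in front of each buffer; the link check alone is what stops the unlink from becoming an arbitrary write.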