Attack patterns
Surprising attacks against client software
The technical details of buffer overflows
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
and al,0Fh
How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? The second word, 0x7350, is treated as a jmp by Intel, jumping 80 bytes ahead. We can
What tools can be used to break software? This book provides the answers.
begin our Intel-specific shell code at 80 bytes offset. For the MIPS processor, on the other
hand, the entire 4 bytes are consumed as a harmless li instruction:
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
li 
register[15],When network security0x1750 mechanisms do not work
Attack patterns
Reverse engineering
Thus, the MIPS shell code can begin immediately after the cross-platform header. These are
Classic attacks against server software good tricks to know for multiplatform exploits.
Surprising attacks against client software
MultiplatformTechniques for craftingSled malicious input nop
The technical details of buffer overflows
When using nop sleds, we must choose a sled that works for both platforms. The actual nop
instruction (0x90) for x86 chips translates to a harmless instruction on the HP. Thus, a
Rootkits
standardnop sled works for both platforms. On the MIPS, because we are dealing with 32-bit
instructions, we have to be a bit more clever. The cross-platform nop sled for x86 and MIPS Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
could be a variation of the following code bytes: software.
This set loads register 15 on a MIPS repeatedly with 0x9090, but translates to a harmless add
followed by two nops on an Intel. Clearly, cross-platform nop sleds are not that hard to
design either.
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
Prolog/Epilog Code to Protect Functions
Several years ago system architects including Crispin Cowan and others tried to solve the probl
buffer overflows by adding code to watch the program stack. Many implementations of this idea
prolog/epilog functions. A number of compilers have an option that allows a specific function to
• |
Table of Contents |
called before every function call. This was typically used for debug purposes, such as profiling c |
|
• |
Index |
clever use of this feature, however, was to make a function that would watch the stack and mak
Exploitingthat all otherSoftwarefunctionsHow towereBreak behavingCode properly.
ByGreg Hoglund,Gary McGraw
Unfortunately, buffer overflows have many unanticipated results. An overflow causes memory
corruption and memory is the key that makes a program run the way it does. This ultimately m
Publisher: Addison Wesley
that any amount of additional code meant to protect a program from itself is meaningless. Placi
Pub Date: February 17, 2004
barriers and tricks into a program only further obfuscates the methods required to break the so
ISBN: 0-201-78695-8
but do nothing to obviate such methods. (See Chapter 2 for a discussion of how this went wron
MicrosoftPages:.) 512
One could argue that such techniques lower the risk of a fault. On the other hand, one could arg
that such techniques create a false sense of security because there will always be an attacker w
find a way in. Buffer overflows, if they yield control of a pointer, can be used to overwrite other
function pointers and even directly alter code (recall our trampolining technique). Another possi How does software break? How do attackers make software break on purpose? Why are
is that an overflow will alter some critical structure in memory. As we have shown, values in me firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
structures control access permissions and system call parameters. Altering any of these data ca What tools can be used to break software? This book provides the answers.
result in a security breach, and little can be done dynamically to stop such exploits.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
Defeatingattack, you mustCanaryfirst learnValueshow real(akaattacksStackGuard)are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
A well-known trick to defeat stack overflows is to place a value called a canary value on the sta script kiddie treatment found in many hacking books, you will learn about
This was invented by Crispin Cowan. If someone tries to overflow the stack, they end up overwr
the canary. If the canary is killed, then the program is considered in violation and it is immedia
terminated. Overall, the idea was very clever. The problem with trying to guard a stack is that, Why software exploit will continue to be a serious problem
essence, buffer overflows are not a stack problem. Buffer overflows depend on pointers but poin
can
liveWhenin thnetworkheap,securityon the stack,mechanismsin tables,doornotinworkfile headers. Buffer overflows are really about
getting control of a pointer. Sure, it's nice to get direct control of the instruction pointer, which
via
theAttackstackpatterns. But, if a canary value is in the way of this, a different path can and will be taken.
fact is that buffer overflows are solved by writing better code, not by adding additional security
Reverse engineering
and whistles to the program. With legacy systems in abundance, however, post development so
like this provide definite value.
Classic attacks against server software
InFigure 7-25 we can see that if we overflow a local variable we end up stomping on the canary
Surprising attacks against client software
value. This defeats our attack. If we cannot run our buffer past the canary value, then this leav
other local variables and the frame pointer for us to control. The good news is that control of an
Techniques for crafting malicious input
pointer, regardless of where it is, is enough to leverage into a decent exploit.
The technical details of buffer overflows
Rootkits
Figure 7-25. A canary-protected stack. The canary is "killed" when lo
Exploiting Softwarevariablesis filledgrowwith theuptotowardls, concepts,the andtargetedknowledgereturnnecessaddressry to break.
software.
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
Consider a function with several local variables. At least one of the local variables is a pointer. I How does software break? How do attackers make software break on purpose? Why are
can overflow the local pointer variable, we may have something.
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
As we can see in Figure 7-26, if we overflow buffer B, it can alter the value in pointer A. With co
of the pointer, we are only part way there. The next question is how the pointer we just change Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
used by the code? If it's a function pointer, we're done. The function will be called sometime, an techniques used by bad guys to break software. If you want to protect your software from
we alter the address, it will call our code.
attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about
Figure 7-26. A pointer in the local variables area above our target bu
can be used to "trampoline." Any function pointer will do.
Why software exploit will continue to be a serious problem
When network security
Attack patterns
Reverse engineering
Classic attacks against server
Surprising attacks against
Techniques for crafting
The technical details of buffer overflows
Rootkits
Another possibility is that the pointer is used for data (more likely). If another local variable hol
source data for the pointer operation, we might be able to overwrite arbitrary data over any ad
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
in the program space. This can be used to defeat the canary, take control of the return address,
software.
alter function pointers elsewhere in the program. To defeat the canary, we would set pointer A t point to the stack, and set the source buffer to the address we want to place on the stack (Figur 27).
Figure 7-27. "Trampolining" back into the stack.
•Table of Contents
•Index
Exploiting Software How to
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Overwriting the return address without altering the canary value is a standard technique (Figur
Pub Date: February 17, 2004
28).
ISBN: 0-201-78695-8
Pages: 512
Figure 7-28. Trampolining over the poor, hopeless canary.
How does software break? |
Why are |
firewalls, intrusion detection |
the bad guys? |
What tools can be used |
|
Exploiting Softwareis |
tools, and |
techniques used by bad |
software from |
attack, you must first learn |
|
This must-have book may |
beyond the |
script kiddie treatment |
|
Why software exploit |
|
When network security |
|
Attack patterns |
|
Reverse engineering |
|
Classic attacks against |
|
Surprising attacks |
|
Techniques for crafting |
|
The technical details of buffer overflows |
|
Rootkits
The idea of altering pointers other than the return address holds a great deal of merit. This idea Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
used in heap-based overflows and the exploitation of C++ objects. Consider a structure that ho software.
function pointers. Structures of function pointers exist everywhere in a system. Using our previo example, we can point to one of these structures and overwrite an address there. We can then one of these back into our buffer. If the function gets called and our buffer is still around, we wi obtained control (see Figure 7-29).
Figure 7-29. Using a C++ technique to trampoline. First we jump out,
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Classic attacks against server software
Surprising attacks against client software
In conclusion, a buffer overflow is really a deadly problem. Simple hacks to fix it can be avoided some amount of extra work. Buffer overflows can be used to alter code, change function pointer corrupt critical data structures.
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.