- •Exploiting Software How to Break Code
- •Table of Contents
- •Copyright
- •Praise for Exploiting Software
- •Attack Patterns
- •Foreword
- •Preface
- •What This Book Is About
- •How to Use This Book
- •But Isn't This Too Dangerous?
- •Acknowledgments
- •Greg's Acknowledgments
- •Gary's Acknowledgments
- •Bad Software Is Ubiquitous
- •The Trinity of Trouble
- •The Future of Software
- •What Is Software Security?
- •Conclusion
- •Chapter 2. Attack Patterns
- •A Taxonomy
- •An Open-Systems View
- •Tour of an Exploit
- •Attack Patterns: Blueprints for Disaster
- •An Example Exploit: Microsoft's Broken C++ Compiler
- •Applying Attack Patterns
- •Attack Pattern Boxes
- •Conclusion
- •Into the House of Logic
- •Should Reverse Engineering Be Illegal?
- •Reverse Engineering Tools and Concepts
- •Approaches to Reverse Engineering
- •Methods of the Reverser
- •Writing Interactive Disassembler (IDA) Plugins
- •Decompiling and Disassembling Software
- •Decompilation in Practice: Reversing helpctr.exe
- •Automatic, Bulk Auditing for Vulnerabilities
- •Writing Your Own Cracking Tools
- •Building a Basic Code Coverage Tool
- •Conclusion
- •Chapter 4. Exploiting Server Software
- •The Trusted Input Problem
- •The Privilege Escalation Problem
- •Finding Injection Points
- •Input Path Tracing
- •Exploiting Trust through Configuration
- •Specific Techniques and Attacks for Server Software
- •Conclusion
- •Chapter 5. Exploiting Client Software
- •Client-side Programs as Attack Targets
- •In-band Signals
- •Cross-site Scripting (XSS)
- •Client Scripts and Malicious Code
- •Content-Based Attacks
- •Conclusion
- •Chapter 6. Crafting (Malicious) Input
- •The Defender's Dilemma
- •Intrusion Detection (Not)
- •Partition Analysis
- •Tracing Code
- •Reversing Parser Code
- •Misclassification
- •Audit Poisoning
- •Conclusion
- •Chapter 7. Buffer Overflow
- •Buffer Overflow 101
- •Injection Vectors: Input Rides Again
- •Buffer Overflows and Embedded Systems
- •Database Buffer Overflows
- •Buffer Overflows and Java?!
- •Content-Based Buffer Overflow
- •Audit Truncation and Filters with Buffer Overflow
- •Causing Overflow with Environment Variables
- •The Multiple Operation Problem
- •Finding Potential Buffer Overflows
- •Stack Overflow
- •Arithmetic Errors in Memory Management
- •Format String Vulnerabilities
- •Heap Overflows
- •Buffer Overflows and C++
- •Payloads
- •Payloads on RISC Architectures
- •Multiplatform Payloads
- •Prolog/Epilog Code to Protect Functions
- •Conclusion
- •Chapter 8. Rootkits
- •Subversive Programs
- •A Simple Windows XP Kernel Rootkit
- •Call Hooking
- •Trojan Executable Redirection
- •Hiding Files and Directories
- •Patching Binary Code
- •The Hardware Virus
- •Low-Level Disk Access
- •Adding Network Support to a Driver
- •Interrupts
- •Key Logging
- •Advanced Rootkit Topics
- •Conclusion
- •References
- •Index
Multiplatform Payloads
A more sophisticated payload can be designed to work on multiple hardware platforms. This is useful if you expect to be using the payload in a heterogeneous environment. The downside to this approach is that a payload will have code specific to each platform, something that
• |
Table of Contents |
necessarily increases the size. Because of size restrictions, a multiplatform payload will |
|
• |
Index |
usually be limited in scope, doing something such as throwing an interrupt to halt the system
Exploitingor somethingSoftwareequallyHow toeasyBreak. Code
ByGreg Hoglund,Gary McGraw
As an example, assume that there are four different operating environments in a strike zone.
Three of the systems are older HP9000 systems. The other system is newer and based on an
Publisher: Addison Wesley
Intel x86 platform. Each system takes a slightly different injection vector, but you want to
Pub Date: February 17, 2004
use the same payload for all of them. You need a payload that will shut down both the HP
ISBN: 0-201-78695-8
systems and the Intel system.
Pages: 512
Consider the machine language for HP and Intel systems. If we design a payload that will branch on one system, and continue past the branch on another system, we can split the payload into two sections, as shown in Figure 7-23.
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
Figure 7-23. Building a payload for two target platforms at once.
What tools can be used to break software? This book provides the answers.
Exploiting Softwareis |
patterns, tools, and |
techniques used by bad |
your software from |
attack, you must first |
|
This must-have book may |
.Getting beyond the |
script kiddie treatment |
about |
Why software exploit |
|
When network security mechanisms do not work |
|
Attack patterns
The cross-platform code must either branch or continue forward, depending on the platform. Reverse engineering
For the HP9000 system, the following code is a conditional branch that only jumps two words
ahead. On an Intel platform, the following code is a jmp that jumps 64 bytes ahead. These 4 Classic attacks against server software
bytes are thus useful for the multiplatform branch we are after.
Surprising attacks against client software
malicious input
The technical details of buffer overflows
Consider another example in which the target machines are using MIPS and Intel platforms. The followingRootkits bytes will provide a cross-platform header for a MIPS/Intel combination:
with the tools, concepts, and knowledge necessary to break
On the Intel, the first word, 0x240F, is treated as a single harmless instruction:
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
and al,0Fh
How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? The second word, 0x7350, is treated as a jmp by Intel, jumping 80 bytes ahead. We can
What tools can be used to break software? This book provides the answers.
begin our Intel-specific shell code at 80 bytes offset. For the MIPS processor, on the other
hand, the entire 4 bytes are consumed as a harmless li instruction:
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
li register[15],When network security0x1750 mechanisms do not work
Attack patterns
Reverse engineering
Thus, the MIPS shell code can begin immediately after the cross-platform header. These are
Classic attacks against server software good tricks to know for multiplatform exploits.
Surprising attacks against client software
MultiplatformTechniques for craftingSled malicious input nop
The technical details of buffer overflows
When using nop sleds, we must choose a sled that works for both platforms. The actual nop
instruction (0x90) for x86 chips translates to a harmless instruction on the HP. Thus, a
Rootkits
standardnop sled works for both platforms. On the MIPS, because we are dealing with 32-bit
instructions, we have to be a bit more clever. The cross-platform nop sled for x86 and MIPS Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
could be a variation of the following code bytes: software.
This set loads register 15 on a MIPS repeatedly with 0x9090, but translates to a harmless add
followed by two nops on an Intel. Clearly, cross-platform nop sleds are not that hard to
design either.
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
Prolog/Epilog Code to Protect Functions
Several years ago system architects including Crispin Cowan and others tried to solve the probl
buffer overflows by adding code to watch the program stack. Many implementations of this idea
prolog/epilog functions. A number of compilers have an option that allows a specific function to
• |
Table of Contents |
called before every function call. This was typically used for debug purposes, such as profiling c |
|
• |
Index |
clever use of this feature, however, was to make a function that would watch the stack and mak
Exploitingthat all otherSoftwarefunctionsHow towereBreak behavingCode properly.
ByGreg Hoglund,Gary McGraw
Unfortunately, buffer overflows have many unanticipated results. An overflow causes memory
corruption and memory is the key that makes a program run the way it does. This ultimately m
Publisher: Addison Wesley
that any amount of additional code meant to protect a program from itself is meaningless. Placi
Pub Date: February 17, 2004
barriers and tricks into a program only further obfuscates the methods required to break the so
ISBN: 0-201-78695-8
but do nothing to obviate such methods. (See Chapter 2 for a discussion of how this went wron
MicrosoftPages:.) 512
One could argue that such techniques lower the risk of a fault. On the other hand, one could arg
that such techniques create a false sense of security because there will always be an attacker w
find a way in. Buffer overflows, if they yield control of a pointer, can be used to overwrite other
function pointers and even directly alter code (recall our trampolining technique). Another possi How does software break? How do attackers make software break on purpose? Why are
is that an overflow will alter some critical structure in memory. As we have shown, values in me firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
structures control access permissions and system call parameters. Altering any of these data ca What tools can be used to break software? This book provides the answers.
result in a security breach, and little can be done dynamically to stop such exploits.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
Defeatingattack, you mustCanaryfirst learnValueshow real(akaattacksStackGuard)are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
A well-known trick to defeat stack overflows is to place a value called a canary value on the sta script kiddie treatment found in many hacking books, you will learn about
This was invented by Crispin Cowan. If someone tries to overflow the stack, they end up overwr
the canary. If the canary is killed, then the program is considered in violation and it is immedia
terminated. Overall, the idea was very clever. The problem with trying to guard a stack is that, Why software exploit will continue to be a serious problem
essence, buffer overflows are not a stack problem. Buffer overflows depend on pointers but poin
can liveWhenin thnetworkheap,securityon the stack,mechanismsin tables,doornotinworkfile headers. Buffer overflows are really about
getting control of a pointer. Sure, it's nice to get direct control of the instruction pointer, which
viatheAttackstackpatterns. But, if a canary value is in the way of this, a different path can and will be taken.
fact is that buffer overflows are solved by writing better code, not by adding additional security
Reverse engineering
and whistles to the program. With legacy systems in abundance, however, post development so
like this provide definite value.
Classic attacks against server software
InFigure 7-25 we can see that if we overflow a local variable we end up stomping on the canary
Surprising attacks against client software
value. This defeats our attack. If we cannot run our buffer past the canary value, then this leav
other local variables and the frame pointer for us to control. The good news is that control of an
Techniques for crafting malicious input
pointer, regardless of where it is, is enough to leverage into a decent exploit.
The technical details of buffer overflows
Rootkits
Figure 7-25. A canary-protected stack. The canary is "killed" when lo
Exploiting Softwarevariablesis filledgrowwith theuptotowardls, concepts,the andtargetedknowledgereturnnecessaddressry to break.
software.
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
Consider a function with several local variables. At least one of the local variables is a pointer. I How does software break? How do attackers make software break on purpose? Why are
can overflow the local pointer variable, we may have something.
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
As we can see in Figure 7-26, if we overflow buffer B, it can alter the value in pointer A. With co
of the pointer, we are only part way there. The next question is how the pointer we just change Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
used by the code? If it's a function pointer, we're done. The function will be called sometime, an techniques used by bad guys to break software. If you want to protect your software from
we alter the address, it will call our code.
attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about
Figure 7-26. A pointer in the local variables area above our target bu
can be used to "trampoline." Any function pointer will do.
Why software exploit will continue to be a serious problem
When network security
Attack patterns
Reverse engineering
Classic attacks against server
Surprising attacks against
Techniques for crafting
The technical details of buffer overflows
Rootkits
Another possibility is that the pointer is used for data (more likely). If another local variable hol
source data for the pointer operation, we might be able to overwrite arbitrary data over any ad
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
in the program space. This can be used to defeat the canary, take control of the return address,
software.
alter function pointers elsewhere in the program. To defeat the canary, we would set pointer A t point to the stack, and set the source buffer to the address we want to place on the stack (Figur 27).
Figure 7-27. "Trampolining" back into the stack.
•Table of Contents
•Index
Exploiting Software How to
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Overwriting the return address without altering the canary value is a standard technique (Figur
Pub Date: February 17, 2004
28).
ISBN: 0-201-78695-8
Pages: 512
Figure 7-28. Trampolining over the poor, hopeless canary.
How does software break? |
Why are |
firewalls, intrusion detection |
the bad guys? |
What tools can be used |
|
Exploiting Softwareis |
tools, and |
techniques used by bad |
software from |
attack, you must first learn |
|
This must-have book may |
beyond the |
script kiddie treatment |
|
Why software exploit |
|
When network security |
|
Attack patterns |
|
Reverse engineering |
|
Classic attacks against |
|
Surprising attacks |
|
Techniques for crafting |
|
The technical details of buffer overflows |
|
Rootkits
The idea of altering pointers other than the return address holds a great deal of merit. This idea Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
used in heap-based overflows and the exploitation of C++ objects. Consider a structure that ho software.
function pointers. Structures of function pointers exist everywhere in a system. Using our previo example, we can point to one of these structures and overwrite an address there. We can then one of these back into our buffer. If the function gets called and our buffer is still around, we wi obtained control (see Figure 7-29).
Figure 7-29. Using a C++ technique to trampoline. First we jump out,
we jump back in.
•
•
Exploiting Software
ByGreg Hoglund,
Publisher:
Pub Date:
ISBN: 0-201-78695-8
Pages: 512
Of course, the real problem with this technique is making sure our buffer is still around. Many programs use jump tables for any library function calls. If the subroutine that you are overflowi contains library calls, then these make a natural choice. Overwrite the function pointers for any
calls that are used after the overflow operation, but before the subroutine returns. How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
Defeating Nonexecutable Stacks
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
We have shown that there are many ways to get code to execute on the stack. But what happen attack, you must first learn how real attacks are really carried out.
the stack is nonexecutable?
This must-have book may shock you—and it will certainly educate you.Getting beyond the There are options in the hardware and OS environment that control what memory can be used script kiddie treatment found in many hacking books, you will learn about
code (that is, for data that run). If the stack cannot be used for code, we may be temporarily se
back, but we are left with lots of other options. To get control of the system we don't have to in
code, we could settle for something less dramatic. There are a multitude of data structures and Why software exploit will continue to be a serious problem
function calls that, if under our control, we could use to leverage control of the system. Conside
following code:
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
void debug_log(const char *untrusted_input_data)
The technical details of buffer overflows
{
Rootkits
char *_p = new char[8];
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
// pointer lives above _t software.
char _t[24];
strcpy(_t, untrusted_input_data);
// _t overwrites _p
memcpy(_p, &_t[10], 8);
//_t[10] has the new address we are overwriting over puts()
_t[10]=0;
•Table of Contents
char _log[255];
• Index
Exploiting Software How to Break Code
sprintf(_log, "%s - %d", &_t[0], &_p[4]);
ByGreg Hoglund,Gary McGraw
// we control the first 10 characters of _log
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
fnDebugDispatch (_log);
Pages: 512
//we have the address of fnDebugDispatch () changed to address of system()
//which calls a shell...
How does software break? How do attackers make software break on purpose? Why are
...
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
This example performs a few unsafe buffer operations along with a pointer. We can control the attack, you must first learn how real attacks are really carried out.
of_p by overflowing _t. The target of our exploit is the fnDebugDispatch() call. The call takes
single buffer as a parameter and, as it happens, we control the first ten characters of this buffer This must-have book may shock you—and it will certainly educate you.Getting beyond the
assembly code that performs this call looks like this:
script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
24:fnDebugDispatch(_log);
Classic attacks against server software
004010A6Surprising8B F4attacks against clientmovsoftware |
esi,esp |
||
004010A8Techniques8D 85forE4craftingFE FF maliciousFF leainput |
eax,[ebp-11Ch] |
||
004010AEThe technical50 |
details of buffer overflowspush |
eax |
|
004010AFRootkitsFF 15 8C 51 41 00 |
call |
dword ptr [__imp_?fnDebugDispatch@@YA |
Exploiting(00415150)]Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
The code calls the function address stored at location 0x00415150. The memory looks like this:
00415150 |
F0 |
B7 |
23 |
10 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
·#............ |
0041515F |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 ............... |
|
• |
Table of Contents |
|
|
|
|
|
|
|
|
|
|
|
||||
• |
Index |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 |
00 . |
|
|
0041516E |
00 |
00 |
|
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
If we alter the address that is stored there, we can make the code call a different function. The
Pub Date: February 17, 2004
function address that is currently stored in memory is 0x1023B7F0 (this looks like it is written
ISBN: 0-201-78695-8
backward in the memory dump).
Pages: 512
There are always many functions loaded into a program space. The function we are using takes single buffer parameter. It so happens that another function, system(), also takes a single buff parameter. What would happen if we changed the function pointer to point to system()? We w in effect, have a system call completely under our control. In our example program, the system
function lives at address 0x1022B138. All we need to do is overwrite the memory at 0x0041515 How does software break? How do attackers make software break on purpose? Why are
the address 0x1022B138. Thus, we have created our own call to system() with a parameter we firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
control.
What tools can be used to break software? This book provides the answers.
Alternatively, if we don't want to alter the memory at 0x00415150, we can take another approa Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
The original code for fnDebugDispatch(), as we can see, lives at 0x1023B7F0. If we look at the techniques used by bad guys to break software. If you want to protect your software from
at this location, we see
attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
@ILT+15(?fnDebugDispatch@@YAHPAD@Z):
Reverse engineering |
jmp |
fnDebugDispatch (100010b0) |
10001014 E9 97 00 00 00 |
Classic attacks against server software
Surprising attacks against client software
The program is itself using a jump table. If we alter the jump instruction, we can cause the jmp Techniques for crafting malicious input
targetsystem() instead. The current jump goes to fnDebugDispatch (0x100010b0). We want it tosystemThe(technical0x1022B138details). Theof bufferopcodesoverflowsfor the jump are currently e9 97 00 00 00. If we alter th opcodes to e9 1F A1 22 00, we now have a jmp that will take us to system(). The end result i
Rootkits
we can run a command like
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
system("del /s c:");
In conclusion, a buffer overflow is really a deadly problem. Simple hacks to fix it can be avoided some amount of extra work. Buffer overflows can be used to alter code, change function pointer corrupt critical data structures.
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.