- •Exploiting Software How to Break Code
- •Table of Contents
- •Copyright
- •Praise for Exploiting Software
- •Attack Patterns
- •Foreword
- •Preface
- •What This Book Is About
- •How to Use This Book
- •But Isn't This Too Dangerous?
- •Acknowledgments
- •Greg's Acknowledgments
- •Gary's Acknowledgments
- •Bad Software Is Ubiquitous
- •The Trinity of Trouble
- •The Future of Software
- •What Is Software Security?
- •Conclusion
- •Chapter 2. Attack Patterns
- •A Taxonomy
- •An Open-Systems View
- •Tour of an Exploit
- •Attack Patterns: Blueprints for Disaster
- •An Example Exploit: Microsoft's Broken C++ Compiler
- •Applying Attack Patterns
- •Attack Pattern Boxes
- •Conclusion
- •Into the House of Logic
- •Should Reverse Engineering Be Illegal?
- •Reverse Engineering Tools and Concepts
- •Approaches to Reverse Engineering
- •Methods of the Reverser
- •Writing Interactive Disassembler (IDA) Plugins
- •Decompiling and Disassembling Software
- •Decompilation in Practice: Reversing helpctr.exe
- •Automatic, Bulk Auditing for Vulnerabilities
- •Writing Your Own Cracking Tools
- •Building a Basic Code Coverage Tool
- •Conclusion
- •Chapter 4. Exploiting Server Software
- •The Trusted Input Problem
- •The Privilege Escalation Problem
- •Finding Injection Points
- •Input Path Tracing
- •Exploiting Trust through Configuration
- •Specific Techniques and Attacks for Server Software
- •Conclusion
- •Chapter 5. Exploiting Client Software
- •Client-side Programs as Attack Targets
- •In-band Signals
- •Cross-site Scripting (XSS)
- •Client Scripts and Malicious Code
- •Content-Based Attacks
- •Conclusion
- •Chapter 6. Crafting (Malicious) Input
- •The Defender's Dilemma
- •Intrusion Detection (Not)
- •Partition Analysis
- •Tracing Code
- •Reversing Parser Code
- •Misclassification
- •Audit Poisoning
- •Conclusion
- •Chapter 7. Buffer Overflow
- •Buffer Overflow 101
- •Injection Vectors: Input Rides Again
- •Buffer Overflows and Embedded Systems
- •Database Buffer Overflows
- •Buffer Overflows and Java?!
- •Content-Based Buffer Overflow
- •Audit Truncation and Filters with Buffer Overflow
- •Causing Overflow with Environment Variables
- •The Multiple Operation Problem
- •Finding Potential Buffer Overflows
- •Stack Overflow
- •Arithmetic Errors in Memory Management
- •Format String Vulnerabilities
- •Heap Overflows
- •Buffer Overflows and C++
- •Payloads
- •Payloads on RISC Architectures
- •Multiplatform Payloads
- •Prolog/Epilog Code to Protect Functions
- •Conclusion
- •Chapter 8. Rootkits
- •Subversive Programs
- •A Simple Windows XP Kernel Rootkit
- •Call Hooking
- •Trojan Executable Redirection
- •Hiding Files and Directories
- •Patching Binary Code
- •The Hardware Virus
- •Low-Level Disk Access
- •Adding Network Support to a Driver
- •Interrupts
- •Key Logging
- •Advanced Rootkit Topics
- •Conclusion
- •References
- •Index
Trojan Executable Redirection
Once an attacker has gained root access to a system, all active monitoring and integrity assess systems are also compromised. Even if audit data and cryptographic checksums are stored in a hardware-secure location, the ability to monitor the target is completely compromised. The only
• |
Table of Contents |
exception to this rule is in the case of secure hardware, in which the auditing or integrity system |
|
• |
Index |
in a separate, compartmented hardware subsystem. This, of course, is almost never the case
Exploiting(especiallySoftwarewith standardHow to BreakissueCodePCs). The closest most systems will be to compartmented may h
when the administrator pulls a hard drive and runs an integrity assessment on a separate close
ByGreg Hoglund,Gary McGraw
system. In fact, this is the only way to use a program like Tripwire securely (a popular, but
fundamentally flawed, integrity assessment package).
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Redirection and the Problem with Tripwire
Pages: 512
Call hooks of the sort we show in this chapter can be used to hide facts about a system. What h when you want to replace one file with another or to execute a Trojan program in place of the o Call hooks can alter the logic of the call and provide additional functions, backdoors, and even r
the target of a request.
How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? Consider Tripwire, a popular security program that monitors systems for rootkits and Trojans. T
What tools can be used to break software? This book provides the answers.
Tripwire program reads the contents of every file on a system and makes a cryptographic hash
file data. The idea is that any alteration to the file contents will result in a new hash being gene Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
This means the next time the security administrator audits the file with Tripwire, the new hash techniques used by bad guys to break software. If you want to protect your software from
detected and the file will be flagged as altered. This is a good idea in principle, but it doesn't wo attack, you must first learn how real attacks are really carried out.
all in practice (at least against attackers in the know).
This must-have book may shock you—and it will certainly educate you.Getting beyond the
Let's explore what happens when a hacker installs a kernel rootkit on the target system. This ex script kiddie treatment found in many hacking books, you will learn about
will illustrate a hacker replacing a target executable program with a Trojan version. The hacker
defeat Tripwire so that the security administrator doesn't detect the backdoor. The target OS is
Windows 2000.
Why software exploit will continue to be a serious problem
For the sake of brevity, assume the attacker has found a command execution vulnerability in a When network security mechanisms do not work
script on a Windows 2000 Web server. The first task in attacking the system will be the constru
an executableAttack patternsusing this vulnerability. The attacker compiles a device driver for Windows 2000
includes code that will hook the following system calls:
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
ZwOpenFile
Rootkits
ZwCreateSection
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
The driver is set up to hook these two calls and, on startup, opens a handle to the Trojan execu
For our example, let's assume the attacker wants to replace the command shell cmd.exe with a
version called evil_cmd.exe. When a program or the administrator attempts to launch cmd.ex
will get the Trojan instead. Unfortunately, the use of Tripwire will not detect the Trojan behavio
Once compiled and tested, the device driver/launcher is converted into hex code and is delivere remote system using the debug program as explained in Chapter 4 (or by some other means). Trojanevil_cmd.exe is also transferred to the target system. Once on the target system, the dr loaded into memory in the usual way.
The Redirection Driver
• |
Table of Contents |
• |
Index |
The redirection driver defeats Tripwire only by affecting the execution of programs (and not the
Exploiting Software How to Break Code
programs themselves). The driver doesn't replace the original program. Programs like Tripwire alwaysByGreg Hoglundsee the,GarycorrectMcGrawdata because they always open the correct, unmodified file. Our call hoo ZwOpenFile checks the filename of every file being opened and simply tracks the open file hand
subsequent request is made to execute that file, then the driver will play switch-a-roo with the
Publisher: Addison Wesley
handle. The driver in this way switches the handle of the original file with the handle of the Troj
Pub Date: February 17, 2004
This only effects the creation of a new process and not the image on disk! Clueless Tripwire is n
wiser. ISBN: 0-201-78695-8 Pages: 512
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
ExploitingNTSTATUS NewZwOpenFile(Softwareis oaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack,PHANDLEyou mustphFile,f rst learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
ACCESS_MASK DesiredAccess,
script kiddie treatment found in many hacking books, you will learn about
POBJECT_ATTRIBUTES ObjectAttributes,
Why software exploit will continue to be a serious problem
PIO_STATUS_BLOCK pIoStatusBlock,
When network security mechanisms do not work
ULONG ShareMode,
Attack patterns
ULONG OpenMode
Reverse engineering
)
Classic attacks against server software
{
Surprising attacks against client software
int rc;
Techniques for crafting malicious input
CHAR aProcessName[PROCNAMELEN];
The technical details of buffer overflows
Rootkits
GetProcessName( aProcessName );
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
DbgPrint("rootkit: NewZwOpenFile() from %s\n", aProcessName);
DumpObjectAttributes(ObjectAttributes);
rc=((ZWOPENFILE)(OldZwOpenFile)) (
phFile,
DesiredAccess,
ObjectAttributes,
pIoStatusBlock,
•Table of Contents
•Index
ShareMode,
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw |
OpenMode); |
|
Publisher: Addison Wesley
Pub Date: February 17, 2004
if(*phFile)
ISBN: 0-201-78695-8
Pages: 512
{
DbgPrint("rootkit: file handle is 0x%X\n", *phFile);
/* ___________________________________________________
How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
. TESTING ONLY
What tools can be used to break software? This book provides the answers.
. If name starts w/ cmd.exe lets redirect to a Trojan
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
. ___________________________________________________ */ attack, you must first learn how real attacks are really carried out.
if( !wcsncmp(
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about
ObjectAttributes->ObjectName->Buffer,
L"\\??\\C:\\WINNT\\SYSTEM32\\cmd.exe",
Why software exploit will continue to be a serious problem
29))
When network security mechanisms do not work
Attack patterns{
Reverse engineeringWatchProcessHandle(*phFile);
Classic attacks against server software
}
Surprising attacks against client software
}
Techniques for crafting malicious input
DbgPrint("rootkit: ZwOpenFile : rc = %x\n", rc);
The technical details of buffer overflows return rc;
Rootkits
}
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software.
Our hook of ZwOpenFile checks the name of the file being opened to determine whether it's the we are interested in. If so, the file handle is saved for later use. The call hook simply calls the o
ZwOpenFile and allows execution to continue.
If an attempt is made to create a process using this file handle, our code will redirect to a Troja Before a process can be created, a memory section must first be set up. A memory section is lik
memory-mapped file in the NT kernel. A memory section is created using a file handle. The me mapped to the file, and then a subsequent ZwCreateProcess call can be made. Our driver mon memory section creations for our target file handle. If the target file is being mapped, then the are that it's about to be executed. This is when the driver will swap file handles. Instead of map the correct file, the driver will swap in a memory section, mapping the Trojan executable. This very nicely and we end up executing the Trojan. Our replacement for ZwCreateSection follows
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
NTSTATUS NewZwCreateSection (
ISBN: 0-201-78695-8
Pages: 512
OUT PHANDLE phSection,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
IN PLARGE_INTEGER MaximumSize OPTIONAL,
What tools can be used to break software? This book provides the answers.
IN ULONG SectionPageProtection,
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
IN ULONG AllocationAttributes,
attack, you must first learn how real attacks are really carried out.
IN HANDLE hFile OPTIONAL
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
|
) |
|
{ |
Why software exploit will continue to be a serious problem |
|
|
When network securityint mechanismsrc; |
do not work |
Attack patterns CHAR aProcessName[PROCNAMELEN];
Reverse engineering
Classic attacks against server software
GetProcessName( aProcessName );
Surprising attacks against client software
DbgPrint("rootkit: NewZwCreateSection() from %s\n", aProces
Techniques for crafting malicious input
The technical details of buffer overflows
DumpObjectAttributes(ObjectAttributes);
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software. |
if(AllocationAttributes & SEC_FILE) |
DbgPrint("AllocationAttributes & SEC_FILE\n");
if(AllocationAttributes & SEC_IMAGE)
DbgPrint("AllocationAttributes & SEC_IMAGE\n");
if(AllocationAttributes & SEC_RESERVE)
DbgPrint("AllocationAttributes & SEC_RESERVE\n");
if(AllocationAttributes & SEC_COMMIT)
DbgPrint("AllocationAttributes & SEC_COMMIT\n");
if(AllocationAttributes & SEC_NOCACHE)
•Table of Contents
• Index DbgPrint("AllocationAttributes & SEC_NOCACHE\n");
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
DbgPrint("ZwCreateSection hFile == 0x%X\n", hFile);
Publisher: Addison Wesley
#ifPub1 Date: February 17, 2004
ISBN: 0-201-78695-8
if(hFile)
Pages: 512
{
HANDLE newFileH = CheckForRedirectedFile( hFile );
How does software break? How do attackers make software break on purpose? Why are if(newFileH){
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers. hFile = newFileH;
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
}
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
}
This must-have book may shock you—and it will certainly educate you.Getting beyond the
#endif
script kiddie treatment found in many hacking books, you will learn about
rc=((ZWCREATESECTION)(OldZwCreateSection)) (
Why software exploit will continue to be a serious problem
phSection,
When network security mechanisms do not work
DesiredAccess,
Attack patterns
ObjectAttributes,
Reverse engineering
MaximumSize,
Classic attacks against server software
SectionPageProtection,
Surprising attacks against client software
AllocationAttributes,
Techniques for crafting malicious input
hFile);
The technical details of buffer overflows
Rootkits if(phSection)
Exploiting Softwareis {filled with the tools, concepts, and knowledge necessary to break
software.
DbgPrint("section handle 0x%X\n", *phSection);
}
DbgPrint("rootkit: ZwCreateSection : rc = %x\n", rc);
return rc;
}
A Trojan file can be mapped into memory using the following code. What follows are the suppor functions called from the code just displayed. Note the path to the Trojan executable on the roo
C drive:
•
•
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
HANDLE gFileHandle = 0;
HANDLE gSectionHandle = 0;
HANDLE gRedirectSectionHandle = 0;
How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
HANDLE gRedirectFileHandle = 0;
What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from void WatchProcessHandle( HANDLE theFileH )
attack, you must first learn how real attacks are really carried out.
{
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about
NTSTATUS rc;
HANDLE hProcessCreated, hProcessOpened, hFile, hSection;
Why software exploit will continue to be a serious problem
OBJECT_ATTRIBUTES ObjectAttr;
When network security mechanisms do not work
UNICODEAttack patternsSTRING ProcessName;
UNICODEReverse_engineeringSTRING SectionName;
Classic attacks against server software
UNICODE_STRING FileName;
Surprising attacks against client software
LARGE_INTEGER MaxSize;
Techniques for crafting malicious input
ULONG SectionSize=8192;
The technical details of buffer overflows
Rootkits
IO_STATUS_BLOCK ioStatusBlock;
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
ULONG allocsize = 0; software.
DbgPrint("rootkit: Loading Trojan File Image\n");
/* first open file w/ NtCreateFile
. this works for a Win32 image.
. calc.exe is just for testing.
*/
•Table of Contents
RtlInitUnicodeString(&FileName, L"\\??\\C:\\evil_cmd.exe");
• Index
Exploiting Software How to Break Code
InitializeObjectAttributes( &ObjectAttr,
ByGreg Hoglund,Gary McGraw
&FileName,
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
How does software break? How do attackers make software break on purpose? Why are rc = ZwCreateFile(
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
&hFile,
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
GENERIC_READ | GENERIC_EXECUTE,
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
&ObjectAttr,
This must-have book may shock you—and it will certainly educate you.Getting beyond the
&ioStatusBlock,
script kiddie treatment found in many hacking books, you will learn about
&allocsize,
Why software exploit will continue to be a serious problem
FILE_ATTRIBUTE_NORMAL,
When network security mechanisms do not work
FILE_SHARE_READ,
Attack patterns
FILE_OPEN,
Reverse engineering
0,
Classic attacks against server software
NULL,
Surprising attacks against client software
0);
Techniques for crafting malicious input
if (rc!=STATUS_SUCCESS) {
The technical details of buffer overflows
Rootkits DbgPrint("Unable to open file, rc=%x\n", rc);
Exploiting Softwarereturnis 0;filled with the tools, concepts, and knowledge necessary to break
software.
}
SetTrojanRedirectFile( hFile );
gFileHandle = theFileH;
}
HANDLE CheckForRedirectedFile( HANDLE hFile )
{
if(hFile == gFileHandle)
{
•Table of Contents
DbgPrint("rootkit: Found redirected filehandle - from %x to %x\n",
•Index
Exploiting Software How to Break Code
gRedirectFileHandle);
ByGreg Hoglund,Gary McGraw
return gRedirectFileHandle;
Publisher: Addison Wesley
}
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
return NULL;
Pages: 512
}
void SetTrojanRedirectFile( HANDLE hFile )
How does software break? How do attackers make software break on purpose? Why are
{
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers. gRedirectFileHandle = hFile;
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
}
techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.