- •Exploiting Software How to Break Code
- •Table of Contents
- •Copyright
- •Praise for Exploiting Software
- •Attack Patterns
- •Foreword
- •Preface
- •What This Book Is About
- •How to Use This Book
- •But Isn't This Too Dangerous?
- •Acknowledgments
- •Greg's Acknowledgments
- •Gary's Acknowledgments
- •Bad Software Is Ubiquitous
- •The Trinity of Trouble
- •The Future of Software
- •What Is Software Security?
- •Conclusion
- •Chapter 2. Attack Patterns
- •A Taxonomy
- •An Open-Systems View
- •Tour of an Exploit
- •Attack Patterns: Blueprints for Disaster
- •An Example Exploit: Microsoft's Broken C++ Compiler
- •Applying Attack Patterns
- •Attack Pattern Boxes
- •Conclusion
- •Into the House of Logic
- •Should Reverse Engineering Be Illegal?
- •Reverse Engineering Tools and Concepts
- •Approaches to Reverse Engineering
- •Methods of the Reverser
- •Writing Interactive Disassembler (IDA) Plugins
- •Decompiling and Disassembling Software
- •Decompilation in Practice: Reversing helpctr.exe
- •Automatic, Bulk Auditing for Vulnerabilities
- •Writing Your Own Cracking Tools
- •Building a Basic Code Coverage Tool
- •Conclusion
- •Chapter 4. Exploiting Server Software
- •The Trusted Input Problem
- •The Privilege Escalation Problem
- •Finding Injection Points
- •Input Path Tracing
- •Exploiting Trust through Configuration
- •Specific Techniques and Attacks for Server Software
- •Conclusion
- •Chapter 5. Exploiting Client Software
- •Client-side Programs as Attack Targets
- •In-band Signals
- •Cross-site Scripting (XSS)
- •Client Scripts and Malicious Code
- •Content-Based Attacks
- •Conclusion
- •Chapter 6. Crafting (Malicious) Input
- •The Defender's Dilemma
- •Intrusion Detection (Not)
- •Partition Analysis
- •Tracing Code
- •Reversing Parser Code
- •Misclassification
- •Audit Poisoning
- •Conclusion
- •Chapter 7. Buffer Overflow
- •Buffer Overflow 101
- •Injection Vectors: Input Rides Again
- •Buffer Overflows and Embedded Systems
- •Database Buffer Overflows
- •Buffer Overflows and Java?!
- •Content-Based Buffer Overflow
- •Audit Truncation and Filters with Buffer Overflow
- •Causing Overflow with Environment Variables
- •The Multiple Operation Problem
- •Finding Potential Buffer Overflows
- •Stack Overflow
- •Arithmetic Errors in Memory Management
- •Format String Vulnerabilities
- •Heap Overflows
- •Buffer Overflows and C++
- •Payloads
- •Payloads on RISC Architectures
- •Multiplatform Payloads
- •Prolog/Epilog Code to Protect Functions
- •Conclusion
- •Chapter 8. Rootkits
- •Subversive Programs
- •A Simple Windows XP Kernel Rootkit
- •Call Hooking
- •Trojan Executable Redirection
- •Hiding Files and Directories
- •Patching Binary Code
- •The Hardware Virus
- •Low-Level Disk Access
- •Adding Network Support to a Driver
- •Interrupts
- •Key Logging
- •Advanced Rootkit Topics
- •Conclusion
- •References
- •Index
Key Logging
Key logging is one of the most powerful spyware techniques. Using a hook on the keyboard handler within the kernel, the rootkit can sniff pass phrases, including those used to unlock private keys in a cryptographic system. A keystroke log does not take up much space and can
• |
Table of Contents |
log activity for days or weeks before the attacker needs to pick up the log file. The key stroke |
|
• |
Index |
logger can detect control key combinations as well as normal characters in upper or
ExploitinglowercaseSoftware. TypicallyHoweachto BreakkeystrokeCode is referred to as a scancode. A scancode is the numerical
representation of the keystroke in memory.
ByGreg Hoglund,Gary McGraw
Key loggers have taken many forms over the last decade, and the technique depends on the
Publisher: Addison Wesley
OS being infected. On many older Windows and DOS machines, hooking interrupt 9 was
Pub Date: February 17, 2004
enough to gather keystrokes. On Windows NT and beyond, the keystroke monitor must be
ISBN: 0-201-78695-8
installed as a driver. Similar conditions exist under Linux.
Pages: 512
From the attacker's perspective, the following two issues remain: how the data are stored in the file, and who they are sent to over the network. If keystrokes are stored in plain text, then those keystrokes are available to all rogue interlopers. If they are sent to someone's e- mail address, then that person will be interrogated. These issues can be resolved using
cryptography. The keystrokes can be stored in public key-encrypted form, and they are How does software break? How do attackers make software break on purpose? Why are
broadcast over a publically readable yet obscure channel. A cryptotrojan attack that uses this firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
approach was published by Young and Yung at IEEE Security and Privacy. What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
LinuxtechniquesKeyusedLoggerby bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
A couple of Linux key loggers have been published and the source code is available. These This must-have book may shock you—and it will certainly educate you.Getting beyond the
programs typically operate as loadable kernel modules (lkms). Under a UNIX system, the script kiddie treatment found in many hacking books, you will learn about
rootkit is usually already implemented as an lkm, so keystroke monitoring is just an
extension of the code. A Linux rootkit can hook into the character stream via the existing
keyboard driver or it can hook the interrupt handler for the keyboard directly. Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Windows NT/2000/XP Key Logger
Attack patterns
Windows NT/2000/XP supports a special type of device driver called a filter driver. Most Reverse engineering
drivers under Windows are placed into chains. That is, each driver passes data to the next
driverClassicin hainattacks.A filteragainstdriverserversimplysoftwareinserts itself into a chain and siphons data or modifies
data in transit before passing control. There is already a keyboard driver chain into which a
itself
Surprising at acks against client software
rootkit can insert . Of course, the keyboard interrupt can also be hooked directly. Either
way, keystrokes can be captured and logged to a file, or sent over the network. Techniques for crafting malicious input
The technical details of buffer overflows
The Keyboard Controller Chip
Rootkits
On the system motherboard there are many hardware controller chips. These chips contain
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break registers that can be read or written to. Typically, read/write registers on controller chips are
software.
calledports. A keyboard will usually contain an 8048 microprocessor. The motherboard will usually have an additional 8042 microprocessor. The 8042 will be programmed to convert scancodes from the keyboard. Sometimes the 8042 will also be handling PS/2 mouse input and possibly the reset switch for the CPU.
For the keyboard controller, we are interested in the following ports:
Port 0x60: 8048 chip, keyboard data register
Port 0x64: 8042, keyboard status register
To read characters from the keyboard, you must hook the keyboard interrupt. This will change depending on your OS. For a Windows system, the hook will most likely be int 0x31. Once IRQ 1 has fired, the data must be read from 0x60 before any more keyboard interrupts will occur.
Here is a simple handler for the keyboard interrupt:
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
KEY_INT:
push eax
in |
al, 60h |
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion// do somethingd ection systems,with characterand antivinrusalsoftware not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
pop eax
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniquesjmpused by badDWORDguysPTRto break[old_KEYsoftwareINT]. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
Advanced Rootkit Topics
There isn't enough room in this book to cover all the advanced tricks that can be performed by rootkits. Fortunately, there are many resources and articles available on the Internet that cover this subject. One great resource is Phrack Magazine (http://www.phrack.com). Another
• |
Table of Contents |
is the BlackHat security conference (http://www.blackhat.com). We briefly describe a small |
|
• |
Index |
set of advanced techniques here, providing references to more information when applicable.
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Using a Rootkit as a Debugger
Publisher: Addison Wesley
A kernelPub Date:rootkitFebruarydoesn't17, 2004have to be malicious. You can use one to keep watch on a system you own. OneISBN:great0-201-use78695of-8a rootkit is to replicate the functions of a debugger. A rootkit with a shell andPages:some512 debugging functions is really no different than a debugger like SoftIce. You can add a decompiler, the ability to read and write memory, and break point support.
Disabling Windows System File Protection
How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? Thewinlogon.exe process loads a few DLLs that are responsible for implementing system
What tools can be used to break software? This book provides the answers.
file protection. The file sfc.dll is loaded, followed by sfcfiles.dll. The list of files to be
protected is loaded into a memory buffer. A simple patch can be made to the code within
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and sfc.dll that will disable all file protection. The patch can be made using standard Windows
techniques used by bad guys to break software. If you want to protect your software from debugging APIs.[10]
attack, you must first learn how real attacks are really carried out.
[10] For more on this issue, see 29/A Labs publications for work by Benny and Ratter.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about
Writing Directly to Physical Memory
Why software exploit will continue to be a serious problem
A rootkit does not need to use a loadable module or Windows device driver. A rootkit can be
When network security mechanisms do not work
installed by simply writing to data structures in the kernel. An excellent article on windows
objects and physical memory is available in Phrack Magazine, Issue 59, Article 16: "Playing
Attack patterns
with Windows /dev/(k)mem" by crazylord.
Reverse engineering
KernelClassicBufferattacksOverflowsagainst server software
Surprising attacks against client software
Code in the kernel is subject to the same bugs that affect all other software. Just because
code is running in the kernel doesn't mean it's immune to stack overflows and other
Techniques for crafting malicious input
standard-issue exploits. In fact, several kernel-level overflows have been made public.
The technical details of buffer overflows
Exploiting a buffer overflow in the kernel is a bit tricky because exceptions in the kernel tend
to crash the machine or cause a "blue screen of death." Exploits of the kernel are especially Rootkits
noteworthy because they can directly infect a machine with a rootkit and they bypass all
security mechanisms. An attacker does not need administrative privileges or the ability to Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
load a device driver if they can simply overflow the kernel stack. An article on kernel software.
overflows can be found in Phrack Magazine, issue 60, article 6: "Smashing The Kernel Stack
For Fun And Profit" by Sinan "noir" Eren.
Infecting the Kernel Image
Another way to get code into the kernel is to patch the kernel image itself. We illustrate in
this chapter a simple patch to remove security controls from the NT kernel. Any piece of code
can be modified in such a way. One needs to be sure to correct any integrity checks in the code, such as the file check sum. An article on patching the Linux kernel can be found in
Phrack Magazine, Issue 60, Article 8: "Static Kernel Patching" by jbtzhm.
Execute Redirection
• |
Table of Contents |
We also illustrate how to redirect execution under Windows. For a good discussion on how to |
|
• |
Index |
perform execute redirection under Linux, see "Advances in Kernel Hacking II" in Phrack
Exploiting Software How to Break Code
Magazine, Issue 59, Article 5, by palmers.
ByGreg Hoglund,Gary McGraw
DetectingPublisher: AddisRootkitsn Wesley
Pub Date: February 17, 2004
There areISBN:several0-201-78695methods-8 to detect rootkits, all of which can be circumvented if the rootkit itself isPages:aware512of the trick. Patched memory can be detected by reading the call tables or functions and checking their values. Instructions can be counted during runtime and compared with a baseline. Any sort of behavior changes can, in theory, be detected. The key weakness is when the code that performs this sort of check lives on the same machine that has been compromised. At this point, the rootkit can subvert the code that performs the
check. An interesting trick to detect a rootkit is discussed in Phrack Magazine, Issue 59, How does software break? How do attackers make software break on purpose? Why are
Article 10, "Execution Path Analysis: Finding Kernel Based Rootkits" by Jan K. Rutkowski. A firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
tool to detect rootkits in the Solaris kernel can be downloaded from
What tools can be used to break software? This book provides the answers. http://www.immunitysec.com.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddie treatment found in many hacking books, you will learn about
Why software exploit will continue to be a serious problem
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.