- Page 6 and 7:
A Bug Hunter’s Diary. Copyright
- Page 10 and 11:
Chapter 3: Escape from the WWW Zone
- Page 12 and 13:
B.2 The Windows Debugger (WinDbg) .
- Page 15 and 16:
Introduction: Welcome to A Bug Hunter
- Page 17 and 18:
1 Bug Hunting: Bug hunting is the proc
- Page 19 and 20:
After I’ve found a bug, I want to
- Page 21 and 22:
Table 1-1: Debuggers Used in This B
- Page 23:
2 Back to the ’90s: Sunday, October
- Page 26 and 27:
16361637 /* clear the SEQ table */1
- Page 28 and 29:
If a TiVo file is loaded by VLC, th
- Page 30 and 31:
Get the →vulnerableWindows versio
- Page 32 and 33:
EIP = 41414141 . . . Mission EIP co
- Page 34 and 35:
Note: To configure Process Explorer t
- Page 36 and 37:
See the following excerpt from the
- Page 38 and 39:
3. Immunity Debugger is a great Win
- Page 40 and 41:
Note: Input/output controls (IOCTLs)
- Page 42 and 43:
msgbb_datapdatabb_rptrdb_basedatabu
- Page 44 and 45:
8180 /*8181 * Null terminate the st
- Page 46 and 47:
26736 /*26737 * SIOC[GS]TUNPARAM ap
- Page 48 and 49:
19165 * are also rejected as they i
- Page 50 and 51:
01 #include 02 #include 03 #include
- Page 52 and 53:
fffffe8000f7e4b0 unix:die+da ()ffff
- Page 54 and 55:
zero pagenot mappedzero pageis mapp
- Page 56 and 57:
gaining full control over EIP/RIP a
- Page 58 and 59:
112 return 1;113 }114115 printf ("O
- Page 60 and 61:
solaris$ isainfo -b64I then compile
- Page 62 and 63:
ip_output+0x10()ip_wput+0x37()putne
- Page 64 and 65:
Notes: 1. The source code of OpenSola
- Page 66 and 67:
4.1 Vulnerability Discovery: To find
- Page 68 and 69:
167 if (current_track + 1 > fourxm-
- Page 71 and 72:
Step 1: Find a Sample 4X Movie File
- Page 73 and 74:
Next, I modified the values of trac
- Page 75 and 76:
Table 4-2: List of the Assembler In
- Page 77 and 78:
63 #elif defined (HAVE_MEMALIGN)64
- Page 79 and 80:
linux$ gdb -q ./ffmpeg_g(gdb) run -
- Page 81 and 82:
(UINT_MAX / sizeof(AudioTrack) - 1)
- Page 83 and 84:
7ebe000-b7ec0000 r--p 0015c000 08:0
- Page 85 and 86:
5 Browse and You’re Owned: Sunday, A
- Page 87 and 88:
{SWI.ClassId_q.ClassId clsid = new
- Page 89 and 90:
27 except KeyboardInterrupt:28 prin
- Page 91 and 92:
Figure 5-4: Defining a breakpoint a
- Page 93 and 94:
Figure 5-7: User-controlled argumen
- Page 95 and 96:
Next, I tried to retrieve the size
- Page 97 and 98:
05 06 arg = String(232, "A") + Stri
- Page 99:
iDefense VCPnotifiedVulnerability d
- Page 102 and 103:
6.1 Vulnerability Discovery: I used t
- Page 104 and 105:
Step 3: Check the Device Security S
- Page 106 and 107:
Below, the elements of the MajorFun
- Page 108 and 109:
At address .text:00010748, a pointe
- Page 110 and 111:
[..][..]//// Current stack location
- Page 112 and 113:
The transfer type is specified usin
- Page 114 and 115:
If the requested IOCTL code matches
- Page 116 and 117:
Figure 6-5: Graph view of the vulne
- Page 118 and 119:
.text:00010DBA push 1 ; _DWORD.text
- Page 120 and 121:
99 // .text:00010DEF cmp dword ptr
- Page 122 and 123:
nt!RtlpBreakWithStatusInstruction:8
- Page 124 and 125:
After I gained control over EIP, I
- Page 128 and 129:
7.1 Vulnerability Discovery: First I
- Page 130 and 131:
DESCRIPTION: The ioctl() function man
- Page 132 and 133:
30 caddr_t data = "\xff\xff\xff\xff
- Page 134 and 135:
01 #include 0203 int04 main (void)0
- Page 136 and 137:
I then started the Mac OS X target
- Page 138 and 139:
The OS X system froze immediately,
- Page 140 and 141:
If 0x10203040 pointed to the value
- Page 142 and 143:
adjusted the MEMLOC defined in line
- Page 144 and 145:
7.4 Lessons Learned: As a programmer:
- Page 147 and 148:
8 The Ringtone Massacre: Saturday, Mar
- Page 149 and 150:
08 int09 main (int argc, char *argv
- Page 151 and 152:
22 let "off+=1"23 let "cnt+=1"24 do
- Page 153 and 154:
22 do23 if [ $i -eq 10 ];24 then25
- Page 155 and 156:
iphone# uname -aDarwin localhost 9.
- Page 157 and 158:
(gdb) info registers r0 r1 r2r0 0x6
- Page 159 and 160:
I printed the current call stack: (g
- Page 161 and 162:
sl 0xf40100 15991040fp 0x80808005 -
- Page 163 and 164:
A Hints for Hunting: This appendix des
- Page 165 and 166:
the buffer, the SFP, the RET, and a
- Page 167 and 168:
This was only a short introduction
- Page 169 and 170:
[..]char cbuf[] = "AAAA";signed int
- Page 171 and 172:
unsigned intsigned int00 00 00 0000
- Page 173 and 174:
the stack, and execution is redirec
- Page 175:
linux$ objdump -R gotWe have achiev
- Page 178 and 179:
General CommandsCommand::run argume
- Page 180 and 181:
General CommandsCommandgDescription
- Page 182 and 183:
Figure B-1: Output to named pipeFig
- Page 184 and 185:
Figure B-4: New boot menu optionSte
- Page 186 and 187:
BreakpointsCommandbreak functionbr
- Page 188 and 189:
Step 2: Get the Necessary Software
- Page 190 and 191:
78 //typedef union {79 // char __mb
- Page 193 and 194:
C Mitigation: This appendix contains i
- Page 195 and 196:
Detecting Exploit Mitigation Techni
- Page 197 and 198:
To check the system-wide configurat
- Page 199 and 200:
I then tried to overwrite the GOT a
- Page 201 and 202:
confined to the restricted set of a
- Page 203 and 204:
solaris# mkdir /export/homesolaris#
- Page 205 and 206:
Index: Numbers: 4.4BSD, 130; 4X movie fil
- Page 207 and 208:
input/output controls (IOCTL),26, 8
- Page 209 and 210:
Updates: Visit http://nostarch.com/bu
- Page 212:
“Give a man an exploit and you ma