- Page 6 and 7: A Bug Hunter’s Diary. Copyright
- Page 10 and 11: Chapter 3: Escape from the WWW Zone
- Page 12 and 13: B.2 The Windows Debugger (WinDbg) .
- Page 15 and 16: IntroductionWelcome to A Bug Hunter
- Page 17 and 18: 1Bug HuntingBug hunting is the proc
- Page 19 and 20: After I’ve found a bug, I want to
- Page 21 and 22: Table 1-1: Debuggers Used in This B
- Page 23: 2Back to the ’90sSunday, October
- Page 27 and 28: TiVo FileStack beforeoverflowTiVo F
- Page 29 and 30: 1851 stream_Read( p_demux->s, NULL,
- Page 31 and 32: egister) was pointing to an invalid
- Page 33 and 34: } else {+ stream_Read(p_demux->s, m
- Page 35 and 36: There are different ways to opt a p
- Page 37 and 38: NoteAccording to the documentation
- Page 39 and 40: 3Escape from the WWW ZoneThursday,
- Page 41 and 42: I now had a list of IOCTL names sup
- Page 43 and 44: Source code file uts/common/inet/ip
- Page 45 and 46: 19165 * are also rejected as they i
- Page 47 and 48: But why is it possible to trigger t
- Page 49 and 50: [..]26788 err = (*ipip->ipi_func)(c
- Page 51 and 52: solaris$ uname -aSunOS bob 5.10 Gen
- Page 53 and 54: Source code fileuts/common/inet/ip/
- Page 55 and 56: 9444 if (success) {9445 ip1dbg(("se
- Page 57 and 58: 54 *(unsigned long long *)0x30 = 0x
- Page 59 and 60: The left-hand side of Figure 3-6 sh
- Page 61 and 62: Loading modules: [ unix krtld genun
- Page 63 and 64: To fix the bug, Sun introduced the
- Page 65 and 66: 4NULL Pointer FTWSaturday, January
- Page 67 and 68: takes a parameter of the type AVFor
- Page 69: The expected behavior of FFmpeg is
- Page 72 and 73: To exploit this vulnerability, I kn
- Page 74 and 75:
ebx 0xaaaaaaaa -1431655766esp 0xbf8
- Page 76 and 77:
So, what library function is called
- Page 78 and 79:
07 #define SEARCH_START 0x800000000
- Page 80 and 81:
process ofFFmpeg(3)fourxm->tracks[c
- Page 82 and 83:
libavformat 52.23. 1 / 52.23. 1liba
- Page 84 and 85:
FFmpeg maintainersnotifiedPatch dev
- Page 86 and 87:
• Step 3: Find the object methods
- Page 88 and 89:
Step 2: Test the Exported Methods i
- Page 90 and 91:
Step 3: Find the Object Methods in
- Page 92 and 93:
Step 4: Find the User-Controlled In
- Page 94 and 95:
In sub_1000767F the user-provided w
- Page 96 and 97:
Stack beforethe overflowStack after
- Page 98 and 99:
As usual, German laws prevent me fr
- Page 101 and 102:
6One Kernelto Rule Them AllSaturday
- Page 103 and 104:
After IDA disassembled the driver,
- Page 105 and 106:
Figure 6-3: Viewing the security se
- Page 107 and 108:
description of the following debugg
- Page 109 and 110:
__in struct _IRP *Irp){ ... }The se
- Page 111 and 112:
.text:000109C1 mov [ebp+var_3C], ed
- Page 113 and 114:
So the driver uses the METHOD_BUFFE
- Page 115 and 116:
If the data length equals 0x878, th
- Page 117 and 118:
Aavmker4.sys(2)input data length ==
- Page 119 and 120:
41 if (!strncmp (szDriver, driverna
- Page 121 and 122:
Directly after the call of the memc
- Page 123 and 124:
Exploit processIRP.dataSystemBuffer
- Page 125:
Notes1. See SANS Top 20 Internet Se
- Page 128 and 129:
7.1 Vulnerability DiscoveryFirst I
- Page 130 and 131:
DESCRIPTIONThe ioctl() function man
- Page 132 and 133:
30 caddr_t data = "\xff\xff\xff\xff
- Page 134 and 135:
01 #include 0203 int04 main (void)0
- Page 136 and 137:
I then started the Mac OS X target
- Page 138 and 139:
The OS X system froze immediately,
- Page 140 and 141:
If 0x10203040 pointed to the value
- Page 142 and 143:
adjusted the MEMLOC defined in line
- Page 144 and 145:
7.4 Lessons LearnedAs a programmer:
- Page 147 and 148:
8The Ringtone MassacreSaturday, Mar
- Page 149 and 150:
08 int09 main (int argc, char *argv
- Page 151 and 152:
22 let "off+=1"23 let "cnt+=1"24 do
- Page 153 and 154:
22 do23 if [ $i -eq 10 ];24 then25
- Page 155 and 156:
iphone# uname -aDarwin localhost 9.
- Page 157 and 158:
(gdb) info registers r0 r1 r2r0 0x6
- Page 159 and 160:
I printed the current call stack:(g
- Page 161 and 162:
sl 0xf40100 15991040fp 0x80808005 -
- Page 163 and 164:
AHints for HuntingThis appendix des
- Page 165 and 166:
the buffer, the SFP, the RET, and a
- Page 167 and 168:
This was only a short introduction
- Page 169 and 170:
[..]char cbuf[] = "AAAA";signed int
- Page 171 and 172:
unsigned intsigned int00 00 00 0000
- Page 173 and 174:
the stack, and execution is redirec
- Page 175:
linux$ objdump -R gotWe have achiev
- Page 178 and 179:
General CommandsCommand::run argume
- Page 180 and 181:
General CommandsCommandgDescription
- Page 182 and 183:
Figure B-1: Output to named pipeFig
- Page 184 and 185:
Figure B-4: New boot menu optionSte
- Page 186 and 187:
BreakpointsCommandbreak functionbr
- Page 188 and 189:
Step 2: Get the Necessary Software
- Page 190 and 191:
78 //typedef union {79 // char __mb
- Page 193 and 194:
CMitigationThis appendix contains i
- Page 195 and 196:
Detecting Exploit Mitigation Techni
- Page 197 and 198:
To check the system-wide configurat
- Page 199 and 200:
I then tried to overwrite the GOT a
- Page 201 and 202:
confined to the restricted set of a
- Page 203 and 204:
solaris# mkdir /export/homesolaris#
- Page 205 and 206:
IndexNumbers4.4BSD, 1304X movie fil
- Page 207 and 208:
input/output controls (IOCTL),26, 8
- Page 209 and 210:
UpdatesVisit http://nostarch.com/bu
- Page 212:
“Give a man an exploit and you ma