- Page 6 and 7: A Bug Hunter’s Diary. Copyright
- Page 10 and 11: Chapter 3: Escape from the WWW Zone
- Page 12 and 13: B.2 The Windows Debugger (WinDbg) .
- Page 15 and 16: Introduction Welcome to A Bug Hunter
- Page 17 and 18: 1 Bug Hunting Bug hunting is the proc
- Page 19 and 20: After I’ve found a bug, I want to
- Page 21 and 22: Table 1-1: Debuggers Used in This B
- Page 23: 2 Back to the ’90s Sunday, October
- Page 26 and 27: 16361637 /* clear the SEQ table */1
- Page 28 and 29: If a TiVo file is loaded by VLC, th
- Page 30 and 31: Get the →vulnerableWindows versio
- Page 32 and 33: EIP = 41414141 . . . Mission EIP co
- Page 34 and 35: Note To configure Process Explorer t
- Page 36 and 37: See the following excerpt from the
- Page 38 and 39: 3. Immunity Debugger is a great Win
- Page 40 and 41: Note Input/output controls (IOCTLs)
- Page 42 and 43: msgbb_datapdatabb_rptrdb_basedatabu
- Page 44 and 45: 8180 /*8181 * Null terminate the st
- Page 46 and 47: 26736 /*26737 * SIOC[GS]TUNPARAM ap
- Page 48 and 49: 19165 * are also rejected as they i
- Page 50 and 51: 01 #include 02 #include 03 #include
- Page 52 and 53: fffffe8000f7e4b0 unix:die+da ()ffff
- Page 54 and 55: zero pagenot mappedzero pageis mapp
- Page 56 and 57: gaining full control over EIP/RIP a
- Page 58 and 59: 112 return 1;113 }114115 printf ("O
- Page 60 and 61: solaris$ isainfo -b64I then compile
- Page 62 and 63: ip_output+0x10()ip_wput+0x37()putne
- Page 64 and 65: Notes 1. The source code of OpenSola
- Page 66 and 67: 4.1 Vulnerability Discovery To find
- Page 68 and 69: 167 if (current_track + 1 > fourxm-
- Page 72 and 73: To exploit this vulnerability, I kn
- Page 74 and 75: ebx 0xaaaaaaaa -1431655766esp 0xbf8
- Page 76 and 77: So, what library function is called
- Page 78 and 79: 07 #define SEARCH_START 0x800000000
- Page 80 and 81: process ofFFmpeg(3)fourxm->tracks[c
- Page 82 and 83: libavformat 52.23. 1 / 52.23. 1liba
- Page 84 and 85: FFmpeg maintainersnotifiedPatch dev
- Page 86 and 87: • Step 3: Find the object methods
- Page 88 and 89: Step 2: Test the Exported Methods i
- Page 90 and 91: Step 3: Find the Object Methods in
- Page 92 and 93: Step 4: Find the User-Controlled In
- Page 94 and 95: In sub_1000767F the user-provided w
- Page 96 and 97: Stack beforethe overflowStack after
- Page 98 and 99: As usual, German laws prevent me fr
- Page 101 and 102: 6 One Kernel to Rule Them All Saturday
- Page 103 and 104: After IDA disassembled the driver,
- Page 105 and 106: Figure 6-3: Viewing the security se
- Page 107 and 108: description of the following debugg
- Page 109 and 110: __in struct _IRP *Irp){ ... }The se
- Page 111 and 112: .text:000109C1 mov [ebp+var_3C], ed
- Page 113 and 114: So the driver uses the METHOD_BUFFE
- Page 115 and 116: If the data length equals 0x878, th
- Page 117 and 118: Aavmker4.sys(2)input data length ==
- Page 119 and 120: 41 if (!strncmp (szDriver, driverna
- Page 121 and 122: Directly after the call of the memc
- Page 123 and 124: Exploit processIRP.dataSystemBuffer
- Page 125: Notes 1. See SANS Top 20 Internet Se
- Page 128 and 129: 7.1 Vulnerability Discovery First I
- Page 130 and 131: DESCRIPTION The ioctl() function man
- Page 132 and 133: 30 caddr_t data = "\xff\xff\xff\xff
- Page 134 and 135: 01 #include 0203 int04 main (void)0
- Page 136 and 137: I then started the Mac OS X target
- Page 138 and 139: The OS X system froze immediately,
- Page 140 and 141: If 0x10203040 pointed to the value
- Page 142 and 143: adjusted the MEMLOC defined in line
- Page 144 and 145: 7.4 Lessons Learned As a programmer:
- Page 147 and 148: 8 The Ringtone Massacre Saturday, Mar
- Page 149 and 150: 08 int09 main (int argc, char *argv
- Page 151 and 152: 22 let "off+=1"23 let "cnt+=1"24 do
- Page 153 and 154: 22 do23 if [ $i -eq 10 ];24 then25
- Page 155 and 156: iphone# uname -aDarwin localhost 9.
- Page 157 and 158: (gdb) info registers r0 r1 r2r0 0x6
- Page 159 and 160: I printed the current call stack: (g
- Page 161 and 162: sl 0xf40100 15991040fp 0x80808005 -
- Page 163 and 164: A Hints for Hunting This appendix des
- Page 165 and 166: the buffer, the SFP, the RET, and a
- Page 167 and 168: This was only a short introduction
- Page 169 and 170: [..]char cbuf[] = "AAAA";signed int
- Page 171 and 172: unsigned intsigned int00 00 00 0000
- Page 173 and 174: the stack, and execution is redirec
- Page 175: linux$ objdump -R gotWe have achiev
- Page 178 and 179: General CommandsCommand::run argume
- Page 180 and 181: General CommandsCommandgDescription
- Page 182 and 183: Figure B-1: Output to named pipe Fig
- Page 184 and 185: Figure B-4: New boot menu option Ste
- Page 186 and 187: BreakpointsCommandbreak functionbr
- Page 188 and 189: Step 2: Get the Necessary Software
- Page 190 and 191: 78 //typedef union {79 // char __mb
- Page 193 and 194: C Mitigation This appendix contains i
- Page 195 and 196: Detecting Exploit Mitigation Techni
- Page 197 and 198: To check the system-wide configurat
- Page 199 and 200: I then tried to overwrite the GOT a
- Page 201 and 202: confined to the restricted set of a
- Page 203 and 204: solaris# mkdir /export/homesolaris#
- Page 205 and 206: Index Numbers 4.4BSD, 130 4X movie fil
- Page 207 and 208: input/output controls (IOCTL), 26, 8
- Page 209 and 210: Updates Visit http://nostarch.com/bu
- Page 212: “Give a man an exploit and you ma