- Page 1:
CD INside 2nd Edition Hacking the a
- Page 5 and 6:
® San Francisco
- Page 7:
BRIEF CONTENTS Preface ............
- Page 10 and 11:
0x300 EXPLOITATION 115 0x310 Genera
- Page 12 and 13:
0x6a0 Hardening Countermeasures....
- Page 14 and 15:
ACKNOWLEDGMENTS I would like to tha
- Page 16 and 17:
2 0x100 The rules for this problem
- Page 18 and 19:
4 0x100 overly simplistic encryptio
- Page 20 and 21:
can be written to accomplish any gi
- Page 22 and 23:
0x230 Control Structures Without co
- Page 24 and 25:
lest it continue into infinity. A w
- Page 26 and 27:
called constants. Returning to the
- Page 28 and 29:
Quite often in programs, variables
- Page 30 and 31:
0x244 Functions Sometimes there wil
- Page 32 and 33:
void turn(variable_direction, targe
- Page 34 and 35:
library, a function prototype is ne
- Page 36 and 37:
Like a row of houses on a local str
- Page 38 and 39:
Below, GDB is used to show the stat
- Page 40 and 41:
There are also operations that are
- Page 42 and 43:
The display format also uses a sing
- Page 44 and 45:
The first four bytes are shown both
- Page 46 and 47:
(gdb) x/10i $eip 0x804838b : cmp DW
- Page 48 and 49:
022 18 12 DC2 122 82 52 R 023 19 13
- Page 50 and 51:
familiar address of EBP minus 4 int
- Page 52 and 53:
the English language, knowledge of
- Page 54 and 55:
Function "strcpy" not defined. Make
- Page 56 and 57:
only be in one of 2 32 possible bit
- Page 58 and 59:
pointer.c #include #include int m
- Page 60 and 61:
addressof.c #include int main() {
- Page 62 and 63:
0x264 Format Strings The printf() f
- Page 64 and 65:
The final line just shows the addre
- Page 66 and 67:
As discussed earlier, dividing the
- Page 68 and 69:
} } printf("[char pointer] points t
- Page 70 and 71:
Naturally, it is far easier just to
- Page 72 and 73:
This is rather hacky, but since thi
- Page 74 and 75:
eader@hacking:~/booksrc $ ./a.out '
- Page 76 and 77:
0x267 Variable Scoping Another inte
- Page 78 and 79:
[in func1] i = 5, j = 42 [in func2]
- Page 80 and 81:
10 (gdb) break 7 Breakpoint 1 at 0x
- Page 82 and 83:
Notice that the static_var retains
- Page 84 and 85:
70 0x200 The heap segment is a segm
- Page 86 and 87:
End of assembler dump (gdb) disass
- Page 88 and 89:
0x804836f : mov DWORD PTR [esp+8],0
- Page 90 and 91:
int global_initialized_var = 5; voi
- Page 92 and 93:
int main(int argc, char *argv[]) {
- Page 94 and 95:
errorchecked_heap.c #include #incl
- Page 96 and 97:
The bar code on the back of this bo
- Page 98 and 99:
eader@hacking:~/booksrc $ ./simplen
- Page 100 and 101:
} printf("\n"); display_flags("O_WR
- Page 102 and 103:
eader@hacking:~/booksrc $ chmod 731
- Page 104 and 105:
uid_demo.c #include int main() { p
- Page 106 and 107:
} void fatal(char *); // A function
- Page 108 and 109:
#define FILENAME "/var/notes" int p
- Page 110 and 111:
[DEBUG] found a 34 byte note for us
- Page 112 and 113:
of current_time, an empty tm struct
- Page 114 and 115:
While struct memory can be accessed
- Page 116 and 117:
815015288 1315541117 2080969327 450
- Page 118 and 119:
printf("6 - Reset your account at 1
- Page 120 and 121:
int fd; } printf("\n===============
- Page 122 and 123:
} } // This function is the Pick a
- Page 124 and 125:
invalid_choice = 1; while(invalid_c
- Page 126 and 127:
Would you like to play again? (y/n)
- Page 128 and 129:
114 0x200 Play around with this pro
- Page 130 and 131:
A program can only do what it’s p
- Page 132 and 133:
don’t say exactly what their crea
- Page 134 and 135:
By now, you should be able to read
- Page 136 and 137:
eader@hacking:~/booksrc $ gcc explo
- Page 138 and 139:
11 if(strcmp(password_buffer, "bril
- Page 140 and 141:
auth_overflow2.c #include #include
- Page 142 and 143:
As expected, the overflow cannot di
- Page 144 and 145:
(gdb) c Continuing. Breakpoint 2, c
- Page 146 and 147:
Notice the two lines shown in bold
- Page 148 and 149:
eader@hacking:~/booksrc $ perl -e '
- Page 150 and 151: 0x0804848d : mov eax,DWORD PTR [eax
- Page 152 and 153: 20 offset = atoi(argv[1]); (gdb) 21
- Page 154 and 155: called the NOP sled, that can assis
- Page 156 and 157: The function of the for loop should
- Page 158 and 159: \x2f\x2f\x73\x68\x68\x2f\x62\x69\x6
- Page 160 and 161: eader@hacking:~/booksrc $ ./notesea
- Page 162 and 163: int main(int argc, char *argv[]) {
- Page 164 and 165: char *buffer = (char *) malloc(160)
- Page 166 and 167: 7e99000-b7e9a000 rw-p b7e99000 00:0
- Page 168 and 169: for that user. Using the salt value
- Page 170 and 171: 0x342 Overflowing Function Pointers
- Page 172 and 173: 7 - Quit [Name: Jon Erickson] [You
- Page 174 and 175: 0804b630 A _edata 0804b6d4 A _end 0
- Page 176 and 177: n 5 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- Page 178 and 179: 6 - Reset your account at 100 credi
- Page 180 and 181: [Name: Jon Erickson] [You have 1230
- Page 182 and 183: Parameter Input Type Output Type %d
- Page 184 and 185: This is an interesting detail that
- Page 186 and 187: 0x353 Reading from Arbitrary Memory
- Page 188 and 189: The wrong way to print user-control
- Page 190 and 191: The addresses and junk data at the
- Page 192 and 193: eader@hacking:~/booksrc $ reader@ha
- Page 194 and 195: 0x355 Direct Parameter Access Direc
- Page 196 and 197: Since the stack doesn’t need to b
- Page 198 and 199: 0x357 Detours with .dtors In binary
- Page 202 and 203: Since the .dtors section is writabl
- Page 204 and 205: [DEBUG] found a 34 byte note for us
- Page 206 and 207: eader@hacking:~/booksrc $ objdump -
- Page 209 and 210: 0x400 NETWORKING Communication and
- Page 211 and 212: For example, whenever you browse th
- Page 213 and 214: Datagram sockets and UDP are common
- Page 215 and 216: From /usr/include/bits/socket.h /*
- Page 217 and 218: htons(short value) Host-to-Network
- Page 219 and 220: fatal("in socket"); if (setsockopt(
- Page 221 and 222: When compiled and run, the program
- Page 223 and 224: This reveals that the webserver is
- Page 225 and 226: From /usr/include/netdb.h /* Descri
- Page 227 and 228: } while(recv_line(sockfd, buffer))
- Page 229 and 230: } /* This function handles the conn
- Page 231 and 232: Accepting web requests on port 80 G
- Page 233 and 234: the two addressing schemes. In the
- Page 235 and 236: also exist on this layer. ICMP pack
- Page 237 and 238: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3
- Page 239 and 240: Interrupt:16 Base address:0x2024 re
- Page 241 and 242: u_char buffer[9000]; if ((sockfd =
- Page 243 and 244: pcap_handle = pcap_open_live(device
- Page 245 and 246: eader@hacking:~/booksrc $ $ grep -R
- Page 247 and 248: The compiler padding, as mentioned
- Page 249 and 250: Now that the headers are defined as
- Page 251 and 252:
The caught_packet() function gets c
- Page 253 and 254:
With the headers decoded and separa
- Page 255 and 256:
Due to timeout values, the victim m
- Page 257 and 258:
eader@hacking:~/booksrc $ sudo neme
- Page 259 and 260:
data structures for the packet head
- Page 261 and 262:
if (pd->file_mem == NULL) pd->file_
- Page 263 and 264:
only builds ethernet/IP ARP packets
- Page 265 and 266:
The remaining libnet functions get
- Page 267 and 268:
dest_ip = libnet_name_resolve(argv[
- Page 269 and 270:
In the example above, the host 192.
- Page 271 and 272:
0x454 Ping Flooding Flooding DoS at
- Page 273 and 274:
The host machine will receive the s
- Page 275 and 276:
char errbuf[PCAP_ERRBUF_SIZE]; // S
- Page 277 and 278:
TH_RST, // Control flags (RST flag
- Page 279 and 280:
Christmas tree), and the Null scan
- Page 281 and 282:
0x475 Proactive Defense (shroud) Po
- Page 283 and 284:
char errbuf[PCAP_ERRBUF_SIZE]; // S
- Page 285 and 286:
NULL, // Payload (none) 0, // Paylo
- Page 287 and 288:
} while(recv(sockfd, ptr, 1, 0) ==
- Page 289 and 290:
$1 = 540 (gdb) p /x 0xbffff5c0 + 20
- Page 291 and 292:
" 90 90 90 90 90 90 90 90 90 90 90
- Page 293 and 294:
When this exploit is compiled and r
- Page 295 and 296:
0x500 SHELLCODE So far, the shellco
- Page 297 and 298:
mmap2(0xb7ee4000, 9596, PROT_READ|P
- Page 299 and 300:
#define __NR_stime 25 #define __NR_
- Page 301 and 302:
In shellcode, the bytes for the str
- Page 303 and 304:
eader@hacking:~/booksrc $ export SH
- Page 305 and 306:
which means that a small value like
- Page 307 and 308:
Instruction inc dec Description I
- Page 309 and 310:
After assembling this shellcode, he
- Page 311 and 312:
exec_shell.s BITS 32 jmp short two
- Page 313 and 314:
eader@hacking:~/booksrc $ nasm tiny
- Page 315 and 316:
int setresuid(uid_t ruid, uid_t eui
- Page 317 and 318:
push BYTE 11 pop eax push ecx push
- Page 319 and 320:
So, to make socket system calls usi
- Page 321 and 322:
push BYTE 16 ; argv: { sizeof(serve
- Page 323 and 324:
00000030 80 b0 66 43 52 52 56 89 e1
- Page 325 and 326:
This loop iterates ECX from 0 to 2,
- Page 327 and 328:
push edx ; Build sockaddr struct: I
- Page 329 and 330:
pop eax inc ebx ; ebx = 2 (needed f
- Page 331 and 332:
the return address uses multiple by
- Page 333 and 334:
0x600 COUNTERMEASURES The golden po
- Page 335 and 336:
0x620 System Daemons To have a real
- Page 337 and 338:
} printf("Caught signal %d\t", sign
- Page 339 and 340:
tinywebd.c #include #include #inc
- Page 341 and 342:
if(fd == -1) { // If file is not fo
- Page 343 and 344:
In previous chapters, we’ve writt
- Page 345 and 346:
63 if (listen(sockfd, 20) == -1) 64
- Page 347 and 348:
message. Shell variables are used f
- Page 349 and 350:
There’s a simple mistake in the t
- Page 351 and 352:
any program to show every system ca
- Page 353 and 354:
0x080487ee : mov DWORD PTR [esp+8],
- Page 355 and 356:
0x08048f5f : call 0x08048f64 : nop
- Page 357 and 358:
push BYTE 0x6 ; Close () pop eax in
- Page 359 and 360:
A quick glance at the function prol
- Page 361 and 362:
push edx ; Build arg array: { proto
- Page 363 and 364:
This program can be used to inject
- Page 365 and 366:
Then, from another terminal, the ne
- Page 367 and 368:
strace is used with the -p command-
- Page 369 and 370:
ig red flag. We could change the po
- Page 371 and 372:
of new_sockfd will still be correct
- Page 373 and 374:
00000020 b0 3f cd 80 49 79 f9 b0 0b
- Page 375 and 376:
push ebx mov ecx, esp int 0x80 ; pu
- Page 377 and 378:
Instruction Hex ASCII inc eax 0x40
- Page 379 and 380:
eader@hacking:~/booksrc $ gcc -o up
- Page 381 and 382:
Amazingly, these instructions, comb
- Page 383 and 384:
ESP up (toward lower memory address
- Page 385 and 386:
eader@hacking:~/booksrc $ gcc -o pr
- Page 387 and 388:
At the end, the shellcode has been
- Page 389 and 390:
esp 0xbffffa2c 0xbffffa2c eax 0x0 0
- Page 391 and 392:
functions are shared, so any progra
- Page 393 and 394:
A quick binary search shows that th
- Page 395 and 396:
eginning of the buffer. When a prog
- Page 397 and 398:
The breakpoint is set at the last i
- Page 399 and 400:
Bouncing off linux-gate refers to a
- Page 401 and 402:
matrix@loki /hacking $ for i in `se
- Page 403 and 404:
manual page for execve() for detail
- Page 405:
for(i=0; i < 90; i+=4) // Fill buff
- Page 408 and 409:
encryption, credit card transaction
- Page 410 and 411:
through the incorrect filter, its p
- Page 412 and 413:
This means that, in general, the gr
- Page 414 and 415:
Without some way to manipulate the
- Page 416 and 417:
With a little bit of basic algebra,
- Page 418 and 419:
Since this is all done modulo N, th
- Page 420 and 421:
0x750 Hybrid Ciphers A hybrid crypt
- Page 422 and 423:
[:] - Static route to port on host
- Page 424 and 425:
communication channel with the atta
- Page 426 and 427:
e asked to add the new fingerprint.
- Page 428 and 429:
to be a bit hazy. The goal behind t
- Page 430 and 431:
---[Current State]-----------------
- Page 432 and 433:
0x760 Password Cracking Passwords a
- Page 434 and 435:
crypt_crack.c #define _XOPEN_SOURCE
- Page 436 and 437:
Custom dictionary files are often m
- Page 438 and 439:
possible hashes for a single plaint
- Page 440 and 441:
Of course, there are downsides. Fir
- Page 442 and 443:
charval = (k-32)*95 + (l-32); // La
- Page 444 and 445:
} /* Print the plaintext pairs that
- Page 446 and 447:
printf("Building probability vector
- Page 448 and 449:
Of course, if WEP is turned on, onl
- Page 450 and 451:
Now when keystream data is needed,
- Page 452 and 453:
After an IV collision is discovered
- Page 454 and 455:
is really quite amazing. It takes a
- Page 456 and 457:
Seed = IV concatenated with the key
- Page 458 and 459:
int key[13] = {1, 2, 3, 4, 5, 66, 7
- Page 460 and 461:
and the key is hard-coded into the
- Page 462 and 463:
9 0 | 41 1 | 73 0 | 105 0 | 137 1 |
- Page 465 and 466:
0x800 CONCLUSION Hacking tends to b
- Page 467 and 468:
CNET News. “40-Bit Crypto Proves
- Page 469 and 470:
INDEX Symbols & Numbers & (ampersan
- Page 471 and 472:
uffer overrun, 119 buffers, 38 prog
- Page 473 and 474:
dtors_sample.c program, 184 dump()
- Page 475 and 476:
declaring as void, 17 for error che
- Page 477 and 478:
Internet Protocol (IP), 220 address
- Page 479 and 480:
nemesis_arp() function, 245 nemesis
- Page 481 and 482:
pointer_types4.c program, 56 pointe
- Page 483 and 484:
session layer (OSI), 196 for web br
- Page 485 and 486:
text segment, of memory, 69 then ke
- Page 488 and 489:
More No-Nonsense Books from NO STAR
- Page 490:
UPDATES Visit http://www.nostarch.c
Change language