hacking-the-art-of-exploitation

Recommendations

Info

Sequence numbers allow TCP to put unordered packets back into order, to determine whether packets are missing, and to prevent mixing up packets from other connections. When a connection is initiated, each side generates an initial sequence number. This number is communicated to the other side in the first two SYN packets of the connection handshake. Then, with each packet that is sent, the sequence number is incremented by the number of bytes found in the data portion of the packet. This sequence number is included in the TCP packet header. In addition, each TCP header has an acknowledgment number, which is simply the other side’s sequence number plus one. TCP is great for applications where reliability and bidirectional communication are needed. However, the cost of this functionality is paid in communication overhead. UDP has much less overhead and built-in functionality than TCP. This lack of functionality makes it behave much like the IP protocol: It is connectionless and unreliable. Without built-in functionality to create connections and maintain reliability, UDP is an alternative that expects the application to deal with these issues. Sometimes connections aren’t needed, and the lightweight UDP is a much better protocol for these situations. The UDP header, defined in RFC 768, is relatively tiny. It only contains four 16-bit values in this order: source port, destination port, length, and checksum. 0x440 Network Sniffing On the data-link layer lies the distinction between switched and unswitched networks. On an unswitched network, Ethernet packets pass through every device on the network, expecting each system device to only look at the packets sent to its destination address. However, it’s fairly trivial to set a device to promiscuous mode, which causes it to look at all packets, regardless of the destination address. Most packet-capturing programs, such as tcpdump, drop the device they are listening to into promiscuous mode by default. Promiscuous mode can be set using ifconfig, as seen in the following output. reader@hacking:~/booksrc $ ifconfig eth0 eth0 Link encap:Ethernet HWaddr 00:0C:29:34:61:65 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:17115 errors:0 dropped:0 overruns:0 frame:0 TX packets:1927 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:4602913 (4.3 MiB) TX bytes:434449 (424.2 KiB) Interrupt:16 Base address:0x2024 reader@hacking:~/booksrc $ sudo ifconfig eth0 promisc reader@hacking:~/booksrc $ ifconfig eth0 eth0 Link encap:Ethernet HWaddr 00:0C:29:34:61:65 UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:17181 errors:0 dropped:0 overruns:0 frame:0 TX packets:1927 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:4668475 (4.4 MiB) TX bytes:434449 (424.2 KiB) 224 0x400
Interrupt:16 Base address:0x2024 reader@hacking:~/booksrc $ The act of capturing packets that aren’t necessarily meant for public viewing is called sniffing. Sniffing packets in promiscuous mode on an unswitched network can turn up all sorts of useful information, as the following output shows. reader@hacking:~/booksrc $ sudo tcpdump -l -X 'ip host 192.168.0.118' tcpdump: listening on eth0 21:27:44.684964 192.168.0.118.ftp > 192.168.0.193.32778: P 1:42(41) ack 1 win 17316 (DF) 0x0000 4500 005d e065 4000 8006 97ad c0a8 0076 E..].e@........v 0x0010 c0a8 00c1 0015 800a 292e 8a73 5ed4 9ce8 ........)..s^... 0x0020 8018 43a4 a12f 0000 0101 080a 0007 1f78 ..C../.........x 0x0030 000e 0a8a 3232 3020 5459 5053 6f66 7420 ....220.TYPSoft. 0x0040 4654 5020 5365 7276 6572 2030 2e39 392e FTP.Server.0.99. 0x0050 3133 13 21:27:44.685132 192.168.0.193.32778 > 192.168.0.118.ftp: . ack 42 win 5840 (DF) [tos 0x10] 0x0000 4510 0034 966f 4000 4006 21bd c0a8 00c1 E..4.o@.@.!..... 0x0010 c0a8 0076 800a 0015 5ed4 9ce8 292e 8a9c ...v....^...)... 0x0020 8010 16d0 81db 0000 0101 080a 000e 0c56 ...............V 0x0030 0007 1f78 ...x 21:27:52.406177 192.168.0.193.32778 > 192.168.0.118.ftp: P 1:13(12) ack 42 win 5840 (DF) [tos 0x10] 0x0000 4510 0040 9670 4000 4006 21b0 c0a8 00c1 E..@.p@.@.!..... 0x0010 c0a8 0076 800a 0015 5ed4 9ce8 292e 8a9c ...v....^...)... 0x0020 8018 16d0 edd9 0000 0101 080a 000e 0f5a ...............Z 0x0030 0007 1f78 5553 4552 206c 6565 6368 0d0a ...xUSER.leech.. 21:27:52.415487 192.168.0.118.ftp > 192.168.0.193.32778: P 42:76(34) ack 13 win 17304 (DF) 0x0000 4500 0056 e0ac 4000 8006 976d c0a8 0076 E..V..@....m...v 0x0010 c0a8 00c1 0015 800a 292e 8a9c 5ed4 9cf4 ........)...^... 0x0020 8018 4398 4e2c 0000 0101 080a 0007 1fc5 ..C.N,.......... 0x0030 000e 0f5a 3333 3120 5061 7373 776f 7264 ...Z331.Password 0x0040 2072 6571 7569 7265 6420 666f 7220 6c65 .required.for.le 0x0050 6563 ec 21:27:52.415832 192.168.0.193.32778 > 192.168.0.118.ftp: . ack 76 win 5840 (DF) [tos 0x10] 0x0000 4510 0034 9671 4000 4006 21bb c0a8 00c1 E..4.q@.@.!..... 0x0010 c0a8 0076 800a 0015 5ed4 9cf4 292e 8abe ...v....^...)... 0x0020 8010 16d0 7e5b 0000 0101 080a 000e 0f5b ....~[.........[ 0x0030 0007 1fc5 .... 21:27:56.155458 192.168.0.193.32778 > 192.168.0.118.ftp: P 13:27(14) ack 76 win 5840 (DF) [tos 0x10] 0x0000 4510 0042 9672 4000 4006 21ac c0a8 00c1 E..B.r@.@.!..... 0x0010 c0a8 0076 800a 0015 5ed4 9cf4 292e 8abe ...v....^...)... 0x0020 8018 16d0 90b5 0000 0101 080a 000e 10d1 ................ 0x0030 0007 1fc5 5041 5353 206c 3840 6e69 7465 ....PASS.l8@nite 0x0040 0d0a .. 21:27:56.179427 192.168.0.118.ftp > 192.168.0.193.32778: P 76:103(27) ack 27 win 17290 (DF) 0x0000 4500 004f e0cc 4000 8006 9754 c0a8 0076 E..O..@....T...v 0x0010 c0a8 00c1 0015 800a 292e 8abe 5ed4 9d02 ........)...^... Networking 225
Page 1:
CD INside 2nd Edition Hacking the a
Page 5 and 6:
® San Francisco
Page 7:
BRIEF CONTENTS Preface ............
Page 10 and 11:
0x300 EXPLOITATION 115 0x310 Genera
Page 12 and 13:
0x6a0 Hardening Countermeasures....
Page 14 and 15:
ACKNOWLEDGMENTS I would like to tha
Page 16 and 17:
2 0x100 The rules for this problem
Page 18 and 19:
4 0x100 overly simplistic encryptio
Page 20 and 21:
can be written to accomplish any gi
Page 22 and 23:
0x230 Control Structures Without co
Page 24 and 25:
lest it continue into infinity. A w
Page 26 and 27:
called constants. Returning to the
Page 28 and 29:
Quite often in programs, variables
Page 30 and 31:
0x244 Functions Sometimes there wil
Page 32 and 33:
void turn(variable_direction, targe
Page 34 and 35:
library, a function prototype is ne
Page 36 and 37:
Like a row of houses on a local str
Page 38 and 39:
Below, GDB is used to show the stat
Page 40 and 41:
There are also operations that are
Page 42 and 43:
The display format also uses a sing
Page 44 and 45:
The first four bytes are shown both
Page 46 and 47:
(gdb) x/10i $eip 0x804838b : cmp DW
Page 48 and 49:
022 18 12 DC2 122 82 52 R 023 19 13
Page 50 and 51:
familiar address of EBP minus 4 int
Page 52 and 53:
the English language, knowledge of
Page 54 and 55:
Function "strcpy" not defined. Make
Page 56 and 57:
only be in one of 2 32 possible bit
Page 58 and 59:
pointer.c #include #include int m
Page 60 and 61:
addressof.c #include int main() {
Page 62 and 63:
0x264 Format Strings The printf() f
Page 64 and 65:
The final line just shows the addre
Page 66 and 67:
As discussed earlier, dividing the
Page 68 and 69:
} } printf("[char pointer] points t
Page 70 and 71:
Naturally, it is far easier just to
Page 72 and 73:
This is rather hacky, but since thi
Page 74 and 75:
eader@hacking:~/booksrc $ ./a.out '
Page 76 and 77:
0x267 Variable Scoping Another inte
Page 78 and 79:
[in func1] i = 5, j = 42 [in func2]
Page 80 and 81:
10 (gdb) break 7 Breakpoint 1 at 0x
Page 82 and 83:
Notice that the static_var retains
Page 84 and 85:
70 0x200 The heap segment is a segm
Page 86 and 87:
End of assembler dump (gdb) disass
Page 88 and 89:
0x804836f : mov DWORD PTR [esp+8],0
Page 90 and 91:
int global_initialized_var = 5; voi
Page 92 and 93:
int main(int argc, char *argv[]) {
Page 94 and 95:
errorchecked_heap.c #include #incl
Page 96 and 97:
The bar code on the back of this bo
Page 98 and 99:
eader@hacking:~/booksrc $ ./simplen
Page 100 and 101:
} printf("\n"); display_flags("O_WR
Page 102 and 103:
eader@hacking:~/booksrc $ chmod 731
Page 104 and 105:
uid_demo.c #include int main() { p
Page 106 and 107:
} void fatal(char *); // A function
Page 108 and 109:
#define FILENAME "/var/notes" int p
Page 110 and 111:
[DEBUG] found a 34 byte note for us
Page 112 and 113:
of current_time, an empty tm struct
Page 114 and 115:
While struct memory can be accessed
Page 116 and 117:
815015288 1315541117 2080969327 450
Page 118 and 119:
printf("6 - Reset your account at 1
Page 120 and 121:
int fd; } printf("\n===============
Page 122 and 123:
} } // This function is the Pick a
Page 124 and 125:
invalid_choice = 1; while(invalid_c
Page 126 and 127:
Would you like to play again? (y/n)
Page 128 and 129:
114 0x200 Play around with this pro
Page 130 and 131:
A program can only do what it’s p
Page 132 and 133:
don’t say exactly what their crea
Page 134 and 135:
By now, you should be able to read
Page 136 and 137:
eader@hacking:~/booksrc $ gcc explo
Page 138 and 139:
11 if(strcmp(password_buffer, "bril
Page 140 and 141:
auth_overflow2.c #include #include
Page 142 and 143:
As expected, the overflow cannot di
Page 144 and 145:
(gdb) c Continuing. Breakpoint 2, c
Page 146 and 147:
Notice the two lines shown in bold
Page 148 and 149:
eader@hacking:~/booksrc $ perl -e '
Page 150 and 151:
0x0804848d : mov eax,DWORD PTR [eax
Page 152 and 153:
20 offset = atoi(argv[1]); (gdb) 21
Page 154 and 155:
called the NOP sled, that can assis
Page 156 and 157:
The function of the for loop should
Page 158 and 159:
\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6
Page 160 and 161:
eader@hacking:~/booksrc $ ./notesea
Page 162 and 163:
int main(int argc, char *argv[]) {
Page 164 and 165:
char *buffer = (char *) malloc(160)
Page 166 and 167:
7e99000-b7e9a000 rw-p b7e99000 00:0
Page 168 and 169:
for that user. Using the salt value
Page 170 and 171:
0x342 Overflowing Function Pointers
Page 172 and 173:
7 - Quit [Name: Jon Erickson] [You
Page 174 and 175:
0804b630 A _edata 0804b6d4 A _end 0
Page 176 and 177:
n 5 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Page 178 and 179:
6 - Reset your account at 100 credi
Page 180 and 181:
[Name: Jon Erickson] [You have 1230
Page 182 and 183:
Parameter Input Type Output Type %d
Page 184 and 185:
This is an interesting detail that
Page 186 and 187:
0x353 Reading from Arbitrary Memory
Page 188 and 189: The wrong way to print user-control
Page 190 and 191: The addresses and junk data at the
Page 192 and 193: eader@hacking:~/booksrc $ reader@ha
Page 194 and 195: 0x355 Direct Parameter Access Direc
Page 196 and 197: Since the stack doesn’t need to b
Page 198 and 199: 0x357 Detours with .dtors In binary
Page 200 and 201: located. Then the actual bytes are
Page 202 and 203: Since the .dtors section is writabl
Page 204 and 205: [DEBUG] found a 34 byte note for us
Page 206 and 207: eader@hacking:~/booksrc $ objdump -
Page 209 and 210: 0x400 NETWORKING Communication and
Page 211 and 212: For example, whenever you browse th
Page 213 and 214: Datagram sockets and UDP are common
Page 215 and 216: From /usr/include/bits/socket.h /*
Page 217 and 218: htons(short value) Host-to-Network
Page 219 and 220: fatal("in socket"); if (setsockopt(
Page 221 and 222: When compiled and run, the program
Page 223 and 224: This reveals that the webserver is
Page 225 and 226: From /usr/include/netdb.h /* Descri
Page 227 and 228: } while(recv_line(sockfd, buffer))
Page 229 and 230: } /* This function handles the conn
Page 231 and 232: Accepting web requests on port 80 G
Page 233 and 234: the two addressing schemes. In the
Page 235 and 236: also exist on this layer. ICMP pack
Page 237: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3
Page 241 and 242: u_char buffer[9000]; if ((sockfd =
Page 243 and 244: pcap_handle = pcap_open_live(device
Page 245 and 246: eader@hacking:~/booksrc $ $ grep -R
Page 247 and 248: The compiler padding, as mentioned
Page 249 and 250: Now that the headers are defined as
Page 251 and 252: The caught_packet() function gets c
Page 253 and 254: With the headers decoded and separa
Page 255 and 256: Due to timeout values, the victim m
Page 257 and 258: eader@hacking:~/booksrc $ sudo neme
Page 259 and 260: data structures for the packet head
Page 261 and 262: if (pd->file_mem == NULL) pd->file_
Page 263 and 264: only builds ethernet/IP ARP packets
Page 265 and 266: The remaining libnet functions get
Page 267 and 268: dest_ip = libnet_name_resolve(argv[
Page 269 and 270: In the example above, the host 192.
Page 271 and 272: 0x454 Ping Flooding Flooding DoS at
Page 273 and 274: The host machine will receive the s
Page 275 and 276: char errbuf[PCAP_ERRBUF_SIZE]; // S
Page 277 and 278: TH_RST, // Control flags (RST flag
Page 279 and 280: Christmas tree), and the Null scan
Page 281 and 282: 0x475 Proactive Defense (shroud) Po
Page 283 and 284: char errbuf[PCAP_ERRBUF_SIZE]; // S
Page 285 and 286: NULL, // Payload (none) 0, // Paylo
Page 287 and 288: } while(recv(sockfd, ptr, 1, 0) ==
Page 289 and 290:
$1 = 540 (gdb) p /x 0xbffff5c0 + 20
Page 291 and 292:
" 90 90 90 90 90 90 90 90 90 90 90
Page 293 and 294:
When this exploit is compiled and r
Page 295 and 296:
0x500 SHELLCODE So far, the shellco
Page 297 and 298:
mmap2(0xb7ee4000, 9596, PROT_READ|P
Page 299 and 300:
#define __NR_stime 25 #define __NR_
Page 301 and 302:
In shellcode, the bytes for the str
Page 303 and 304:
eader@hacking:~/booksrc $ export SH
Page 305 and 306:
which means that a small value like
Page 307 and 308:
Instruction inc dec Description I
Page 309 and 310:
After assembling this shellcode, he
Page 311 and 312:
exec_shell.s BITS 32 jmp short two
Page 313 and 314:
eader@hacking:~/booksrc $ nasm tiny
Page 315 and 316:
int setresuid(uid_t ruid, uid_t eui
Page 317 and 318:
push BYTE 11 pop eax push ecx push
Page 319 and 320:
So, to make socket system calls usi
Page 321 and 322:
push BYTE 16 ; argv: { sizeof(serve
Page 323 and 324:
00000030 80 b0 66 43 52 52 56 89 e1
Page 325 and 326:
This loop iterates ECX from 0 to 2,
Page 327 and 328:
push edx ; Build sockaddr struct: I
Page 329 and 330:
pop eax inc ebx ; ebx = 2 (needed f
Page 331 and 332:
the return address uses multiple by
Page 333 and 334:
0x600 COUNTERMEASURES The golden po
Page 335 and 336:
0x620 System Daemons To have a real
Page 337 and 338:
} printf("Caught signal %d\t", sign
Page 339 and 340:
tinywebd.c #include #include #inc
Page 341 and 342:
if(fd == -1) { // If file is not fo
Page 343 and 344:
In previous chapters, we’ve writt
Page 345 and 346:
63 if (listen(sockfd, 20) == -1) 64
Page 347 and 348:
message. Shell variables are used f
Page 349 and 350:
There’s a simple mistake in the t
Page 351 and 352:
any program to show every system ca
Page 353 and 354:
0x080487ee : mov DWORD PTR [esp+8],
Page 355 and 356:
0x08048f5f : call 0x08048f64 : nop
Page 357 and 358:
push BYTE 0x6 ; Close () pop eax in
Page 359 and 360:
A quick glance at the function prol
Page 361 and 362:
push edx ; Build arg array: { proto
Page 363 and 364:
This program can be used to inject
Page 365 and 366:
Then, from another terminal, the ne
Page 367 and 368:
strace is used with the -p command-
Page 369 and 370:
ig red flag. We could change the po
Page 371 and 372:
of new_sockfd will still be correct
Page 373 and 374:
00000020 b0 3f cd 80 49 79 f9 b0 0b
Page 375 and 376:
push ebx mov ecx, esp int 0x80 ; pu
Page 377 and 378:
Instruction Hex ASCII inc eax 0x40
Page 379 and 380:
eader@hacking:~/booksrc $ gcc -o up
Page 381 and 382:
Amazingly, these instructions, comb
Page 383 and 384:
ESP up (toward lower memory address
Page 385 and 386:
eader@hacking:~/booksrc $ gcc -o pr
Page 387 and 388:
At the end, the shellcode has been
Page 389 and 390:
esp 0xbffffa2c 0xbffffa2c eax 0x0 0
Page 391 and 392:
functions are shared, so any progra
Page 393 and 394:
A quick binary search shows that th
Page 395 and 396:
eginning of the buffer. When a prog
Page 397 and 398:
The breakpoint is set at the last i
Page 399 and 400:
Bouncing off linux-gate refers to a
Page 401 and 402:
matrix@loki /hacking $ for i in `se
Page 403 and 404:
manual page for execve() for detail
Page 405:
for(i=0; i < 90; i+=4) // Fill buff
Page 408 and 409:
encryption, credit card transaction
Page 410 and 411:
through the incorrect filter, its p
Page 412 and 413:
This means that, in general, the gr
Page 414 and 415:
Without some way to manipulate the
Page 416 and 417:
With a little bit of basic algebra,
Page 418 and 419:
Since this is all done modulo N, th
Page 420 and 421:
0x750 Hybrid Ciphers A hybrid crypt
Page 422 and 423:
[:] - Static route to port on host
Page 424 and 425:
communication channel with the atta
Page 426 and 427:
e asked to add the new fingerprint.
Page 428 and 429:
to be a bit hazy. The goal behind t
Page 430 and 431:
---[Current State]-----------------
Page 432 and 433:
0x760 Password Cracking Passwords a
Page 434 and 435:
crypt_crack.c #define _XOPEN_SOURCE
Page 436 and 437:
Custom dictionary files are often m
Page 438 and 439:
possible hashes for a single plaint
Page 440 and 441:
Of course, there are downsides. Fir
Page 442 and 443:
charval = (k-32)*95 + (l-32); // La
Page 444 and 445:
} /* Print the plaintext pairs that
Page 446 and 447:
printf("Building probability vector
Page 448 and 449:
Of course, if WEP is turned on, onl
Page 450 and 451:
Now when keystream data is needed,
Page 452 and 453:
After an IV collision is discovered
Page 454 and 455:
is really quite amazing. It takes a
Page 456 and 457:
Seed = IV concatenated with the key
Page 458 and 459:
int key[13] = {1, 2, 3, 4, 5, 66, 7
Page 460 and 461:
and the key is hard-coded into the
Page 462 and 463:
9 0 | 41 1 | 73 0 | 105 0 | 137 1 |
Page 465 and 466:
0x800 CONCLUSION Hacking tends to b
Page 467 and 468:
CNET News. “40-Bit Crypto Proves
Page 469 and 470:
INDEX Symbols & Numbers & (ampersan
Page 471 and 472:
uffer overrun, 119 buffers, 38 prog
Page 473 and 474:
dtors_sample.c program, 184 dump()
Page 475 and 476:
declaring as void, 17 for error che
Page 477 and 478:
Internet Protocol (IP), 220 address
Page 479 and 480:
nemesis_arp() function, 245 nemesis
Page 481 and 482:
pointer_types4.c program, 56 pointe
Page 483 and 484:
session layer (OSI), 196 for web br
Page 485 and 486:
text segment, of memory, 69 then ke
Page 488 and 489:
More No-Nonsense Books from NO STAR
Page 490:
UPDATES Visit http://www.nostarch.c
show all

hacking-the-art-of-exploitation

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?