- Page 1: CD INside 2nd Edition Hacking the a
- Page 6 and 7: HACKING: THE ART OF EXPLOITATION, 2
- Page 9 and 10: CONTENTS IN DETAIL PREFACE xi ACKNO
- Page 11 and 12: 0x470 Port Scanning ...............
- Page 13 and 14: PREFACE The goal of this book is to
- Page 15 and 16: 0x100 INTRODUCTION The idea of hack
- Page 17 and 18: better understanding the world. This
- Page 19 and 20: 0x200 PROGRAMMING Hacker is a term
- Page 21 and 22: But a computer doesn’t natively u
- Page 23 and 24: Of course, other languages require
- Page 25 and 26: { Drive straight for 1 mile; Add 1
- Page 27 and 28: statement b = a / 5 will result in
- Page 29 and 30: The example statement consisting of
- Page 31 and 32: integer (perhaps a function that ca
- Page 33 and 34: Functions aren’t commonly used in
- Page 35 and 36: As long as the compiled program wor
- Page 37 and 38: 8048391: eb 13 jmp 80483a6 8048393
- Page 39 and 40: which are commonly used to point to
- Page 41 and 42: 0x080483a3 : mov DWORD PTR [esp],0x
- Page 43 and 44: This is slightly confusing, because
- Page 45 and 46: variable i for the for loop. If tha
- Page 47 and 48: first instruction is another mov in
- Page 49 and 50: (gdb) x/6cb 0x8048484 0x8048484: 72
- Page 51 and 52: (gdb) disass main Dump of assembler
- Page 53 and 54: at the end is used as a delimiter c
- Page 55 and 56: The address in EIP at the middle br
- Page 57 and 58: } printf("The 'unsigned int' data t
- Page 59 and 60: 7 char *pointer2; // And yet anothe
- Page 61 and 62: An additional unary operator called
- Page 63 and 64: Example of printing with different
- Page 65 and 66: 7 - Hello, world! 8 - Hello, world!
- Page 67 and 68: are actually printed with the %d an
- Page 69 and 70: pointer_types3.c #include int main
- Page 71 and 72: reader@hacking:~/booksrc $ gcc point
- Page 73 and 74: reader@hacking:~/booksrc $ gcc -o co
- Page 75 and 76: reader@hacking:~/booksrc $ gcc -g co
- Page 77 and 78: In each function, the variable i is
- Page 79 and 80: int main() { int i = 3; printf("[in
- Page 81 and 82: static.c #include void function()
- Page 83 and 84: With the addresses of the variables
- Page 85 and 86: The following stack_example.c code
- Page 87 and 88: pointer (SFP) and is later used to
- Page 89 and 90: memory_segments.c #include int glo
- Page 91 and 92: stack_var is at address 0xbffff834
- Page 93 and 94: This program accepts a command-line
- Page 95 and 96: printf("char_ptr (%p) --> '%s'\n",
- Page 97 and 98: strcpy(buffer, argv[1]); // Copy in
- Page 99 and 100: } for(i=0; i < 4; i++) { bit_a = (i
- Page 101 and 102: 0x282 File Permissions If the O_CRE
- Page 103 and 104: reader@hacking:~/booksrc $ sudo su j
- Page 105 and 106: This same technique can be used in
- Page 107 and 108: reader@hacking:~/booksrc $ gcc -o no
- Page 109 and 110: if(read(fd, &note_uid, 4) != 4) //
- Page 111 and 112: A simple example will suffice for n
- Page 113 and 114: } printf("bytes of struct located a
- Page 115 and 116: function_ptr is 0x0804838d This is
- Page 117 and 118: game_of_chance.c #include #include
- Page 119 and 120: } return -1; else player = entry; /
- Page 121 and 122: } else { for(i=0; i < user_pick; i+
- Page 123 and 124: } j = i + 1; while(j < 16) { if(num
- Page 125 and 126: -=-={ New Player Registration }=-=-
- Page 127 and 128: [Name: Jon Erickson] [You have 170
- Page 129 and 130: 0x300 EXPLOITATION Program exploita
- Page 131 and 132: unencrypted services such as telnet
- Page 133 and 134: 0x320 Buffer Overflows overflow_exa
- Page 135 and 136: Program crashes are annoying, but i
- Page 137 and 138: methods. If either of these passwor
- Page 139 and 140: (gdb) continue Continuing. Breakpoi
- Page 141 and 142: 11 if(strcmp(password_buffer, "bril
- Page 143 and 144: 12 auth_flag = 1; 13 if(strcmp(pass
0xbffff7d0: 0xb7ff47b0 0x08048510 0
- Page 147 and 148:
(gdb) cont Continuing. Breakpoint 3
- Page 149 and 150:
(gdb) quit reader@hacking:~/booksrc
- Page 151 and 152:
The notesearch program is vulnerabl
- Page 153 and 154:
(gdb) cont Continuing. Breakpoint 2
- Page 155 and 156:
Since the notesearch exploit allows
- Page 157 and 158:
35:*.mpg=01;35:*.mpeg=01;35:*.avi=0
- Page 159 and 160:
A breakpoint is set at the beginnin
- Page 161 and 162:
eader@hacking:~/booksrc $ ./notesea
- Page 163 and 164:
} signal(SIGINT, sigint); signal(SI
- Page 165 and 166:
Under normal conditions, the buffer
- Page 167 and 168:
A string is read until a null byte
- Page 169 and 170:
e difficult to access this account
- Page 171 and 172:
if((choice < 1) || (choice > 7)) pr
- Page 173 and 174:
Enter your new name: AAAAAAAAAAAAAA
- Page 175 and 176:
input. These selections will be mad
- Page 177 and 178:
[DEBUG] current_game pointer @ 0x08
- Page 179 and 180:
You now have 730 credits Would you
- Page 181 and 182:
7 - Quit [Name: Jon Erickson] [You
- Page 183 and 184:
address operator is used to write t
- Page 185 and 186:
The wrong way to print user-control
- Page 187 and 188:
0x354 Writing to Arbitrary Memory A
- Page 189 and 190:
The last %x format parameter uses 8
- Page 191 and 192:
Here, next_val is initialized with
- Page 193 and 194:
4b4e554a [*] test_val @ 0x080497f4
- Page 195 and 196:
Direct parameter access also simpli
- Page 197 and 198:
eader@hacking:~/booksrc $ gdb -q (g
- Page 199 and 200:
eader@hacking:~/booksrc $ nm ./dtor
- Page 201 and 202:
16 .dtors 0000000c 080495ac 080495a
- Page 203 and 204:
0x358 Another notesearch Vulnerabil
- Page 205 and 206:
This section consists of many jump
- Page 207:
once again for clarity. In the outp
- Page 210 and 211:
0x410 OSI Model When two computers
- Page 212 and 213:
All of this packet encapsulation ma
- Page 214 and 215:
From /usr/include/bits/socket.h /*
- Page 216 and 217:
From /usr/include/netinet/in.h /* S
- Page 218 and 219:
Added to hacking.h // Dumps raw mem
- Page 220 and 221:
The listen() call tells the socket
- Page 222 and 223:
From /etc/services finger 79/tcp #
- Page 224 and 225:
} bytes_to_send -= sent_bytes; buff
- Page 226 and 227:
eader@hacking:~/booksrc $ gcc -o ho
- Page 228 and 229:
tinyweb.c #include #include #incl
- Page 230 and 231:
} free(ptr); // Free file memory. }
- Page 232 and 233:
communications. At the bottom, the
- Page 234 and 235:
0x432 Network Layer The network lay
- Page 236 and 237:
The two major protocols at this lay
- Page 238 and 239:
Sequence numbers allow TCP to put u
- Page 240 and 241:
0x0020 8018 438a 4c8c 0000 0101 080
- Page 242 and 243:
0x442 libpcap Sniffer A standardize
- Page 244 and 245:
05 a8 2b 3f 00 00 01 01 08 0a 02 47
- Page 246 and 247:
u_int16_t frag_off; u_int8_t ttl; u
- Page 248 and 249:
| Data | |U|A|P|R|S|F| | | Offset|
- Page 250 and 251:
pcap_t *pcap_handle; device = pcap_
- Page 252 and 253:
if(tcp_header->tcp_flags & TCP_URG)
- Page 254 and 255:
Spoofing is the first step in sniff
- Page 256 and 257:
told that 192.168.0.118 is also at
- Page 258 and 259:
sudo nemesis arp -v -r -d eth0 -S 1
- Page 260 and 261:
typedef struct libnet_dns_hdr DNShd
- Page 262 and 263:
} } } (eth->ether_type == ETHERTYPE
- Page 264 and 265:
arpspoof.c static struct libnet_lin
- Page 266 and 267:
0x451 SYN Flooding A SYN flood trie
- Page 268 and 269:
libnet_error(LIBNET_ERR_WARNING, "c
- Page 270 and 271:
The TCP connections don’t actuall
- Page 272 and 273:
0x456 Distributed DoS Flooding A di
- Page 274 and 275:
flags are found in the following or
- Page 276 and 277:
* Sets a packet filter to look for
- Page 278 and 279:
0x470 Port Scanning Port scanning i
- Page 280 and 281:
At this point, the attacker contact
- Page 282 and 283:
PORT STATE SERVICE 22/tcp open|filt
- Page 284 and 285:
strcat(filter_string, "tcp[tcpflags
- Page 286 and 287:
23/tcp open telnet 24/tcp open priv
- Page 288 and 289:
(gdb) bt #0 0xb7fe77f2 in ?? () #1
- Page 290 and 291:
#define RETADDR 0xbffff688 int main
- Page 292 and 293:
The vulnerability certainly exists,
- Page 294 and 295:
Rh//shh/binRS Even though the remo
- Page 296 and 297:
0x510 Assembly vs. C The shellcode
- Page 298 and 299:
From /usr/include/unistd.h /* Stand
- Page 300 and 301:
; SYSCALL: write(1, msg, 14) mov ea
- Page 302 and 303:
mov edx, 15 ; Length of the string
- Page 304 and 305:
0xbffff9a3: 0xe8 0x0f 0x48 0x65 0x6
- Page 306 and 307:
00000029 6F outsd 0000002A 2C20 sub
- Page 308 and 309:
comprises 80 percent of the code. S
- Page 310 and 311:
passed as environment to the new pr
- Page 312 and 313:
sh-3.2# whoami root sh-3.2# This sh
- Page 314 and 315:
drop_privs.c #include void lowered
- Page 316 and 317:
0x532 And Smaller Still A few more
- Page 318 and 319:
} sin_size = sizeof(struct sockaddr
- Page 320 and 321:
$2 = 16 (gdb) x/16xb &host_addr 0xb
- Page 322 and 323:
int dup(int oldfd); int dup2(int ol
- Page 324 and 325:
0x0804839f : lea eax,[ebp-4] 0x0804
- Page 326 and 327:
The first two instructions before t
- Page 328 and 329:
eader@hacking:~/booksrc $ nasm bind
- Page 330 and 331:
Since these values are stored in ne
- Page 332 and 333:
multiple instructions. One way to d
- Page 334 and 335:
minor outbreak early instead of yea
- Page 336 and 337:
System daemons run detached from a
- Page 338 and 339:
eader@hacking:~/booksrc $ kill -l 1
- Page 340 and 341:
write(logfd, "Starting up.\n", 15);
- Page 342 and 343:
This daemon program forks into the
- Page 344 and 345:
When the program is run, it just ex
- Page 346 and 347:
The debugger shows that the request
- Page 348 and 349:
0x640 Log Files One of the two most
- Page 350 and 351:
localhost [127.0.0.1] 80 (www) open
- Page 352 and 353:
When run through strace, the noteta
- Page 354 and 355:
The shellcode opens a file to creat
- Page 356 and 357:
0x08049307 : mov DWORD PTR [esp+4],
- Page 358 and 359:
Back in the debugging terminal, the
- Page 360 and 361:
shellcode: mark_restore (53 bytes)
- Page 362 and 363:
0x660 Advanced Camouflage Our curre
- Page 364 and 365:
(perl -e "print \"$FAKEREQUEST\"";
- Page 366 and 367:
sin_zero = "\000\000\000\000_ (gdb)
- Page 368 and 369:
(perl -e "print \"$FAKEREQUEST\"";
- Page 370 and 371:
warning: not using untrusted file "
- Page 372 and 373:
xtool_tinywebd_reuse.sh To effectiv
- Page 374 and 375:
The following shellcode pushes thes
- Page 376 and 377:
0xbffff738: 52 '4' 103 'g' 110 'n'
- Page 378 and 379:
strncpy(description, desc, MAX_DESC
- Page 380 and 381:
0x691 Polymorphic Printable ASCII S
- Page 382 and 383:
eader@hacking:~/booksrc $ gdb -q (g
- Page 384 and 385:
printf("calculating printable value
- Page 386 and 387:
push eax sub eax,0x25696969 sub eax
- Page 388 and 389:
0x080484b5 : lea eax,[ebp-24] 0x080
- Page 390 and 391:
(gdb) stepi 10 0xbffff9c4 in ?? ()
- Page 392 and 393:
(gdb) break main Breakpoint 1 at 0x
- Page 394 and 395:
aslr_demo.c #include int main(int
- Page 396 and 397:
Trying offset of 13 words buffer is
- Page 398 and 399:
Despite the randomization between r
- Page 400 and 401:
find_jmpesp.c int main() { unsigned
- Page 402 and 403:
Without the jmp esp instruction at
- Page 404 and 405:
The first result looks very promisi
- Page 407 and 408:
0x700 CRYPTOLOGY Cryptology is defi
- Page 409 and 410:
0x712 One-Time Pads One example of
- Page 411 and 412:
0x720 Algorithmic Run Time Algorith
- Page 413 and 414:
and diffusion. Confusion refers to
- Page 415 and 416:
the greatest common divisor (GCD) o
- Page 417 and 418:
The numbers in the previous example
- Page 419 and 420:
The algorithm is actually quite sim
- Page 421 and 422:
This means that the attacker actual
- Page 423 and 424:
Connection to 192.168.42.72 closed.
- Page 425 and 426:
However, there are two different pr
- Page 427 and 428:
Escape character is '^]'. SSH-1.5-O
- Page 429 and 430:
---[Fuzzy Map]---------------------
- Page 431 and 432:
1024 ba:06:7c:d2:15:a2:d3:0d:bf:f0:
- Page 433 and 434:
eader@hacking:~/booksrc $ gcc -o cr
- Page 435 and 436:
trying word: Aachen ==> jeyQc3uB14q
- Page 437 and 438:
-incremental[:MODE] incremental mod
- Page 439 and 440:
The basic idea is to split the plai
- Page 441 and 442:
eturn (((enum_hashbyte(c)%4)*4096)+
- Page 443 and 444:
* This is the crack program for the
- Page 445 and 446:
fseek(fd,(DCM*2)+enum_hashtriplet(p
- Page 447 and 448:
@W @v @| AO B/ B0 BO Bz C( D8 D> E8
- Page 449 and 450:
Plaintext message P (M with 32-bit
- Page 451 and 452:
in a matter of minutes under the as
- Page 453 and 454:
exist in the packet in the binary f
- Page 455 and 456:
Since the key is currently unknown,
- Page 457 and 458:
Again, the correct key byte is dete
- Page 459 and 460:
S[i] = S[j]; S[j] = t; } if(j < 2)
- Page 461 and 462:
19 2 | 51 0 | 83 0 | 115 0 | 147 1
- Page 463:
AIRCRACK-NG(1) AIRCRACK-NG(1) NAME
- Page 466 and 467:
don’t have malicious intent; inst
- Page 468 and 469:
0x820 Sources pcalc A programmer’
- Page 470 and 471:
ARP. See Address Resolution Protoco
- Page 472 and 473:
crash, 61, 128 from buffer overflow
- Page 474 and 475:
exploitation, continued format stri
- Page 476 and 477:
hardware addresses, 218 hash lookup
- Page 478 and 479:
LiveCD, 4, 19 John the Ripper, 422
- Page 480 and 481:
O O_APPEND access mode, 84 objdump
- Page 482 and 483:
Recording Industry Association of A
- Page 484 and 485:
stack, continued frame, 70, 74, 128
- Page 486:
V values assigning to variable, 12
- Page 489 and 490:
THE ART OF ASSEMBLY LANGUAGE by RAN
- Page 492:
International Best-Seller! the fund