hacking-the-art-of-exploitation

Recommendations

Info

and the key is hard-coded into the key array. The following output shows the compilation and execution of the fms.c code to crack an RC4 key. reader@hacking:~/booksrc $ gcc -o fms fms.c reader@hacking:~/booksrc $ ./fms Usage: ./fms reader@hacking:~/booksrc $ ./fms 0 Using IV: (3, 255, 0), first keystream byte is 7 Doing the first 3 steps of KSA.. at KSA iteration #3, j=5 and S[3]=1 key[0] prediction = 7 - 5 - 1 = 1 Using IV: (3, 255, 1), first keystream byte is 211 Doing the first 3 steps of KSA.. at KSA iteration #3, j=6 and S[3]=1 key[0] prediction = 211 - 6 - 1 = 204 Using IV: (3, 255, 2), first keystream byte is 241 Doing the first 3 steps of KSA.. at KSA iteration #3, j=7 and S[3]=1 key[0] prediction = 241 - 7 - 1 = 233 .:[ output trimmed ]:. Using IV: (3, 255, 252), first keystream byte is 175 Doing the first 3 steps of KSA.. S[0] or S[1] have been disturbed, discarding.. Using IV: (3, 255, 253), first keystream byte is 149 Doing the first 3 steps of KSA.. at KSA iteration #3, j=2 and S[3]=1 key[0] prediction = 149 - 2 - 1 = 146 Using IV: (3, 255, 254), first keystream byte is 253 Doing the first 3 steps of KSA.. at KSA iteration #3, j=3 and S[3]=2 key[0] prediction = 253 - 3 - 2 = 248 Using IV: (3, 255, 255), first keystream byte is 72 Doing the first 3 steps of KSA.. at KSA iteration #3, j=4 and S[3]=1 key[0] prediction = 72 - 4 - 1 = 67 Frequency table for key[0] (* = most frequent) 0 1 | 32 3 | 64 0 | 96 1 | 128 2 | 160 0 | 192 1 | 224 3 | 1 10*| 33 0 | 65 1 | 97 0 | 129 1 | 161 1 | 193 1 | 225 0 | 2 0 | 34 1 | 66 0 | 98 1 | 130 1 | 162 1 | 194 1 | 226 1 | 3 1 | 35 0 | 67 2 | 99 1 | 131 1 | 163 0 | 195 0 | 227 1 | 4 0 | 36 0 | 68 0 | 100 1 | 132 0 | 164 0 | 196 2 | 228 0 | 5 0 | 37 1 | 69 0 | 101 1 | 133 0 | 165 2 | 197 2 | 229 1 | 6 0 | 38 0 | 70 1 | 102 3 | 134 2 | 166 1 | 198 1 | 230 2 | 7 0 | 39 0 | 71 2 | 103 0 | 135 5 | 167 3 | 199 2 | 231 0 | 8 3 | 40 0 | 72 1 | 104 0 | 136 1 | 168 0 | 200 1 | 232 1 | 9 1 | 41 0 | 73 0 | 105 0 | 137 2 | 169 1 | 201 3 | 233 2 | 10 1 | 42 3 | 74 1 | 106 2 | 138 0 | 170 1 | 202 3 | 234 0 | 11 1 | 43 2 | 75 1 | 107 2 | 139 1 | 171 1 | 203 0 | 235 0 | 12 0 | 44 1 | 76 0 | 108 0 | 140 2 | 172 1 | 204 1 | 236 1 | 13 2 | 45 2 | 77 0 | 109 0 | 141 0 | 173 2 | 205 1 | 237 0 | 14 0 | 46 0 | 78 2 | 110 2 | 142 2 | 174 1 | 206 0 | 238 1 | 15 0 | 47 3 | 79 1 | 111 2 | 143 1 | 175 0 | 207 1 | 239 1 | 16 1 | 48 1 | 80 1 | 112 0 | 144 2 | 176 0 | 208 0 | 240 0 | 17 0 | 49 0 | 81 1 | 113 1 | 145 1 | 177 1 | 209 0 | 241 1 | 18 1 | 50 0 | 82 0 | 114 0 | 146 4 | 178 1 | 210 1 | 242 0 | 446 0x700
19 2 | 51 0 | 83 0 | 115 0 | 147 1 | 179 0 | 211 1 | 243 0 | 20 3 | 52 0 | 84 3 | 116 1 | 148 2 | 180 2 | 212 2 | 244 3 | 21 0 | 53 0 | 85 1 | 117 2 | 149 2 | 181 1 | 213 0 | 245 1 | 22 0 | 54 3 | 86 3 | 118 0 | 150 2 | 182 2 | 214 0 | 246 3 | 23 2 | 55 0 | 87 0 | 119 2 | 151 2 | 183 1 | 215 1 | 247 2 | 24 1 | 56 2 | 88 3 | 120 1 | 152 2 | 184 1 | 216 0 | 248 2 | 25 2 | 57 2 | 89 0 | 121 1 | 153 2 | 185 0 | 217 1 | 249 3 | 26 0 | 58 0 | 90 0 | 122 0 | 154 1 | 186 1 | 218 0 | 250 1 | 27 0 | 59 2 | 91 1 | 123 3 | 155 2 | 187 1 | 219 1 | 251 1 | 28 2 | 60 1 | 92 1 | 124 0 | 156 0 | 188 0 | 220 0 | 252 3 | 29 1 | 61 1 | 93 1 | 125 0 | 157 0 | 189 0 | 221 0 | 253 1 | 30 0 | 62 1 | 94 0 | 126 1 | 158 1 | 190 0 | 222 1 | 254 0 | 31 0 | 63 0 | 95 1 | 127 0 | 159 0 | 191 0 | 223 0 | 255 0 | [Actual Key] = (1, 2, 3, 4, 5, 66, 75, 123, 99, 100, 123, 43, 213) key[0] is probably 1 reader@hacking:~/booksrc $ reader@hacking:~/booksrc $ ./fms 12 Using IV: (15, 255, 0), first keystream byte is 81 Doing the first 15 steps of KSA.. at KSA iteration #15, j=251 and S[15]=1 key[12] prediction = 81 - 251 - 1 = 85 Using IV: (15, 255, 1), first keystream byte is 80 Doing the first 15 steps of KSA.. at KSA iteration #15, j=252 and S[15]=1 key[12] prediction = 80 - 252 - 1 = 83 Using IV: (15, 255, 2), first keystream byte is 159 Doing the first 15 steps of KSA.. at KSA iteration #15, j=253 and S[15]=1 key[12] prediction = 159 - 253 - 1 = 161 .:[ output trimmed ]:. Using IV: (15, 255, 252), first keystream byte is 238 Doing the first 15 steps of KSA.. at KSA iteration #15, j=236 and S[15]=1 key[12] prediction = 238 - 236 - 1 = 1 Using IV: (15, 255, 253), first keystream byte is 197 Doing the first 15 steps of KSA.. at KSA iteration #15, j=236 and S[15]=1 key[12] prediction = 197 - 236 - 1 = 216 Using IV: (15, 255, 254), first keystream byte is 238 Doing the first 15 steps of KSA.. at KSA iteration #15, j=249 and S[15]=2 key[12] prediction = 238 - 249 - 2 = 243 Using IV: (15, 255, 255), first keystream byte is 176 Doing the first 15 steps of KSA.. at KSA iteration #15, j=250 and S[15]=1 key[12] prediction = 176 - 250 - 1 = 181 Frequency table for key[12] (* = most frequent) 0 1 | 32 0 | 64 2 | 96 0 | 128 1 | 160 1 | 192 0 | 224 2 | 1 2 | 33 1 | 65 0 | 97 2 | 129 1 | 161 1 | 193 0 | 225 0 | 2 0 | 34 2 | 66 2 | 98 0 | 130 2 | 162 3 | 194 2 | 226 0 | 3 2 | 35 0 | 67 2 | 99 2 | 131 0 | 163 1 | 195 0 | 227 5 | 4 0 | 36 0 | 68 0 | 100 1 | 132 0 | 164 0 | 196 1 | 228 1 | 5 3 | 37 0 | 69 3 | 101 2 | 133 0 | 165 2 | 197 0 | 229 3 | 6 1 | 38 2 | 70 2 | 102 0 | 134 0 | 166 2 | 198 0 | 230 2 | 7 2 | 39 0 | 71 1 | 103 0 | 135 0 | 167 3 | 199 1 | 231 1 | 8 1 | 40 0 | 72 0 | 104 1 | 136 1 | 168 2 | 200 0 | 232 0 | Cryptology 447
Page 1:
CD INside 2nd Edition Hacking the a
Page 5 and 6:
® San Francisco
Page 7:
BRIEF CONTENTS Preface ............
Page 10 and 11:
0x300 EXPLOITATION 115 0x310 Genera
Page 12 and 13:
0x6a0 Hardening Countermeasures....
Page 14 and 15:
ACKNOWLEDGMENTS I would like to tha
Page 16 and 17:
2 0x100 The rules for this problem
Page 18 and 19:
4 0x100 overly simplistic encryptio
Page 20 and 21:
can be written to accomplish any gi
Page 22 and 23:
0x230 Control Structures Without co
Page 24 and 25:
lest it continue into infinity. A w
Page 26 and 27:
called constants. Returning to the
Page 28 and 29:
Quite often in programs, variables
Page 30 and 31:
0x244 Functions Sometimes there wil
Page 32 and 33:
void turn(variable_direction, targe
Page 34 and 35:
library, a function prototype is ne
Page 36 and 37:
Like a row of houses on a local str
Page 38 and 39:
Below, GDB is used to show the stat
Page 40 and 41:
There are also operations that are
Page 42 and 43:
The display format also uses a sing
Page 44 and 45:
The first four bytes are shown both
Page 46 and 47:
(gdb) x/10i $eip 0x804838b : cmp DW
Page 48 and 49:
022 18 12 DC2 122 82 52 R 023 19 13
Page 50 and 51:
familiar address of EBP minus 4 int
Page 52 and 53:
the English language, knowledge of
Page 54 and 55:
Function "strcpy" not defined. Make
Page 56 and 57:
only be in one of 2 32 possible bit
Page 58 and 59:
pointer.c #include #include int m
Page 60 and 61:
addressof.c #include int main() {
Page 62 and 63:
0x264 Format Strings The printf() f
Page 64 and 65:
The final line just shows the addre
Page 66 and 67:
As discussed earlier, dividing the
Page 68 and 69:
} } printf("[char pointer] points t
Page 70 and 71:
Naturally, it is far easier just to
Page 72 and 73:
This is rather hacky, but since thi
Page 74 and 75:
eader@hacking:~/booksrc $ ./a.out '
Page 76 and 77:
0x267 Variable Scoping Another inte
Page 78 and 79:
[in func1] i = 5, j = 42 [in func2]
Page 80 and 81:
10 (gdb) break 7 Breakpoint 1 at 0x
Page 82 and 83:
Notice that the static_var retains
Page 84 and 85:
70 0x200 The heap segment is a segm
Page 86 and 87:
End of assembler dump (gdb) disass
Page 88 and 89:
0x804836f : mov DWORD PTR [esp+8],0
Page 90 and 91:
int global_initialized_var = 5; voi
Page 92 and 93:
int main(int argc, char *argv[]) {
Page 94 and 95:
errorchecked_heap.c #include #incl
Page 96 and 97:
The bar code on the back of this bo
Page 98 and 99:
eader@hacking:~/booksrc $ ./simplen
Page 100 and 101:
} printf("\n"); display_flags("O_WR
Page 102 and 103:
eader@hacking:~/booksrc $ chmod 731
Page 104 and 105:
uid_demo.c #include int main() { p
Page 106 and 107:
} void fatal(char *); // A function
Page 108 and 109:
#define FILENAME "/var/notes" int p
Page 110 and 111:
[DEBUG] found a 34 byte note for us
Page 112 and 113:
of current_time, an empty tm struct
Page 114 and 115:
While struct memory can be accessed
Page 116 and 117:
815015288 1315541117 2080969327 450
Page 118 and 119:
printf("6 - Reset your account at 1
Page 120 and 121:
int fd; } printf("\n===============
Page 122 and 123:
} } // This function is the Pick a
Page 124 and 125:
invalid_choice = 1; while(invalid_c
Page 126 and 127:
Would you like to play again? (y/n)
Page 128 and 129:
114 0x200 Play around with this pro
Page 130 and 131:
A program can only do what it’s p
Page 132 and 133:
don’t say exactly what their crea
Page 134 and 135:
By now, you should be able to read
Page 136 and 137:
eader@hacking:~/booksrc $ gcc explo
Page 138 and 139:
11 if(strcmp(password_buffer, "bril
Page 140 and 141:
auth_overflow2.c #include #include
Page 142 and 143:
As expected, the overflow cannot di
Page 144 and 145:
(gdb) c Continuing. Breakpoint 2, c
Page 146 and 147:
Notice the two lines shown in bold
Page 148 and 149:
eader@hacking:~/booksrc $ perl -e '
Page 150 and 151:
0x0804848d : mov eax,DWORD PTR [eax
Page 152 and 153:
20 offset = atoi(argv[1]); (gdb) 21
Page 154 and 155:
called the NOP sled, that can assis
Page 156 and 157:
The function of the for loop should
Page 158 and 159:
\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6
Page 160 and 161:
eader@hacking:~/booksrc $ ./notesea
Page 162 and 163:
int main(int argc, char *argv[]) {
Page 164 and 165:
char *buffer = (char *) malloc(160)
Page 166 and 167:
7e99000-b7e9a000 rw-p b7e99000 00:0
Page 168 and 169:
for that user. Using the salt value
Page 170 and 171:
0x342 Overflowing Function Pointers
Page 172 and 173:
7 - Quit [Name: Jon Erickson] [You
Page 174 and 175:
0804b630 A _edata 0804b6d4 A _end 0
Page 176 and 177:
n 5 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Page 178 and 179:
6 - Reset your account at 100 credi
Page 180 and 181:
[Name: Jon Erickson] [You have 1230
Page 182 and 183:
Parameter Input Type Output Type %d
Page 184 and 185:
This is an interesting detail that
Page 186 and 187:
0x353 Reading from Arbitrary Memory
Page 188 and 189:
The wrong way to print user-control
Page 190 and 191:
The addresses and junk data at the
Page 192 and 193:
eader@hacking:~/booksrc $ reader@ha
Page 194 and 195:
0x355 Direct Parameter Access Direc
Page 196 and 197:
Since the stack doesn’t need to b
Page 198 and 199:
0x357 Detours with .dtors In binary
Page 200 and 201:
located. Then the actual bytes are
Page 202 and 203:
Since the .dtors section is writabl
Page 204 and 205:
[DEBUG] found a 34 byte note for us
Page 206 and 207:
eader@hacking:~/booksrc $ objdump -
Page 209 and 210:
0x400 NETWORKING Communication and
Page 211 and 212:
For example, whenever you browse th
Page 213 and 214:
Datagram sockets and UDP are common
Page 215 and 216:
From /usr/include/bits/socket.h /*
Page 217 and 218:
htons(short value) Host-to-Network
Page 219 and 220:
fatal("in socket"); if (setsockopt(
Page 221 and 222:
When compiled and run, the program
Page 223 and 224:
This reveals that the webserver is
Page 225 and 226:
From /usr/include/netdb.h /* Descri
Page 227 and 228:
} while(recv_line(sockfd, buffer))
Page 229 and 230:
} /* This function handles the conn
Page 231 and 232:
Accepting web requests on port 80 G
Page 233 and 234:
the two addressing schemes. In the
Page 235 and 236:
also exist on this layer. ICMP pack
Page 237 and 238:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3
Page 239 and 240:
Interrupt:16 Base address:0x2024 re
Page 241 and 242:
u_char buffer[9000]; if ((sockfd =
Page 243 and 244:
pcap_handle = pcap_open_live(device
Page 245 and 246:
eader@hacking:~/booksrc $ $ grep -R
Page 247 and 248:
The compiler padding, as mentioned
Page 249 and 250:
Now that the headers are defined as
Page 251 and 252:
The caught_packet() function gets c
Page 253 and 254:
With the headers decoded and separa
Page 255 and 256:
Due to timeout values, the victim m
Page 257 and 258:
eader@hacking:~/booksrc $ sudo neme
Page 259 and 260:
data structures for the packet head
Page 261 and 262:
if (pd->file_mem == NULL) pd->file_
Page 263 and 264:
only builds ethernet/IP ARP packets
Page 265 and 266:
The remaining libnet functions get
Page 267 and 268:
dest_ip = libnet_name_resolve(argv[
Page 269 and 270:
In the example above, the host 192.
Page 271 and 272:
0x454 Ping Flooding Flooding DoS at
Page 273 and 274:
The host machine will receive the s
Page 275 and 276:
char errbuf[PCAP_ERRBUF_SIZE]; // S
Page 277 and 278:
TH_RST, // Control flags (RST flag
Page 279 and 280:
Christmas tree), and the Null scan
Page 281 and 282:
0x475 Proactive Defense (shroud) Po
Page 283 and 284:
char errbuf[PCAP_ERRBUF_SIZE]; // S
Page 285 and 286:
NULL, // Payload (none) 0, // Paylo
Page 287 and 288:
} while(recv(sockfd, ptr, 1, 0) ==
Page 289 and 290:
$1 = 540 (gdb) p /x 0xbffff5c0 + 20
Page 291 and 292:
" 90 90 90 90 90 90 90 90 90 90 90
Page 293 and 294:
When this exploit is compiled and r
Page 295 and 296:
0x500 SHELLCODE So far, the shellco
Page 297 and 298:
mmap2(0xb7ee4000, 9596, PROT_READ|P
Page 299 and 300:
#define __NR_stime 25 #define __NR_
Page 301 and 302:
In shellcode, the bytes for the str
Page 303 and 304:
eader@hacking:~/booksrc $ export SH
Page 305 and 306:
which means that a small value like
Page 307 and 308:
Instruction inc dec Description I
Page 309 and 310:
After assembling this shellcode, he
Page 311 and 312:
exec_shell.s BITS 32 jmp short two
Page 313 and 314:
eader@hacking:~/booksrc $ nasm tiny
Page 315 and 316:
int setresuid(uid_t ruid, uid_t eui
Page 317 and 318:
push BYTE 11 pop eax push ecx push
Page 319 and 320:
So, to make socket system calls usi
Page 321 and 322:
push BYTE 16 ; argv: { sizeof(serve
Page 323 and 324:
00000030 80 b0 66 43 52 52 56 89 e1
Page 325 and 326:
This loop iterates ECX from 0 to 2,
Page 327 and 328:
push edx ; Build sockaddr struct: I
Page 329 and 330:
pop eax inc ebx ; ebx = 2 (needed f
Page 331 and 332:
the return address uses multiple by
Page 333 and 334:
0x600 COUNTERMEASURES The golden po
Page 335 and 336:
0x620 System Daemons To have a real
Page 337 and 338:
} printf("Caught signal %d\t", sign
Page 339 and 340:
tinywebd.c #include #include #inc
Page 341 and 342:
if(fd == -1) { // If file is not fo
Page 343 and 344:
In previous chapters, we’ve writt
Page 345 and 346:
63 if (listen(sockfd, 20) == -1) 64
Page 347 and 348:
message. Shell variables are used f
Page 349 and 350:
There’s a simple mistake in the t
Page 351 and 352:
any program to show every system ca
Page 353 and 354:
0x080487ee : mov DWORD PTR [esp+8],
Page 355 and 356:
0x08048f5f : call 0x08048f64 : nop
Page 357 and 358:
push BYTE 0x6 ; Close () pop eax in
Page 359 and 360:
A quick glance at the function prol
Page 361 and 362:
push edx ; Build arg array: { proto
Page 363 and 364:
This program can be used to inject
Page 365 and 366:
Then, from another terminal, the ne
Page 367 and 368:
strace is used with the -p command-
Page 369 and 370:
ig red flag. We could change the po
Page 371 and 372:
of new_sockfd will still be correct
Page 373 and 374:
00000020 b0 3f cd 80 49 79 f9 b0 0b
Page 375 and 376:
push ebx mov ecx, esp int 0x80 ; pu
Page 377 and 378:
Instruction Hex ASCII inc eax 0x40
Page 379 and 380:
eader@hacking:~/booksrc $ gcc -o up
Page 381 and 382:
Amazingly, these instructions, comb
Page 383 and 384:
ESP up (toward lower memory address
Page 385 and 386:
eader@hacking:~/booksrc $ gcc -o pr
Page 387 and 388:
At the end, the shellcode has been
Page 389 and 390:
esp 0xbffffa2c 0xbffffa2c eax 0x0 0
Page 391 and 392:
functions are shared, so any progra
Page 393 and 394:
A quick binary search shows that th
Page 395 and 396:
eginning of the buffer. When a prog
Page 397 and 398:
The breakpoint is set at the last i
Page 399 and 400:
Bouncing off linux-gate refers to a
Page 401 and 402:
matrix@loki /hacking $ for i in `se
Page 403 and 404:
manual page for execve() for detail
Page 405:
for(i=0; i < 90; i+=4) // Fill buff
Page 408 and 409:
encryption, credit card transaction
Page 410 and 411: through the incorrect filter, its p
Page 412 and 413: This means that, in general, the gr
Page 414 and 415: Without some way to manipulate the
Page 416 and 417: With a little bit of basic algebra,
Page 418 and 419: Since this is all done modulo N, th
Page 420 and 421: 0x750 Hybrid Ciphers A hybrid crypt
Page 422 and 423: [:] - Static route to port on host
Page 424 and 425: communication channel with the atta
Page 426 and 427: e asked to add the new fingerprint.
Page 428 and 429: to be a bit hazy. The goal behind t
Page 430 and 431: ---[Current State]-----------------
Page 432 and 433: 0x760 Password Cracking Passwords a
Page 434 and 435: crypt_crack.c #define _XOPEN_SOURCE
Page 436 and 437: Custom dictionary files are often m
Page 438 and 439: possible hashes for a single plaint
Page 440 and 441: Of course, there are downsides. Fir
Page 442 and 443: charval = (k-32)*95 + (l-32); // La
Page 444 and 445: } /* Print the plaintext pairs that
Page 446 and 447: printf("Building probability vector
Page 448 and 449: Of course, if WEP is turned on, onl
Page 450 and 451: Now when keystream data is needed,
Page 452 and 453: After an IV collision is discovered
Page 454 and 455: is really quite amazing. It takes a
Page 456 and 457: Seed = IV concatenated with the key
Page 458 and 459: int key[13] = {1, 2, 3, 4, 5, 66, 7
Page 462 and 463: 9 0 | 41 1 | 73 0 | 105 0 | 137 1 |
Page 465 and 466: 0x800 CONCLUSION Hacking tends to b
Page 467 and 468: CNET News. “40-Bit Crypto Proves
Page 469 and 470: INDEX Symbols & Numbers & (ampersan
Page 471 and 472: uffer overrun, 119 buffers, 38 prog
Page 473 and 474: dtors_sample.c program, 184 dump()
Page 475 and 476: declaring as void, 17 for error che
Page 477 and 478: Internet Protocol (IP), 220 address
Page 479 and 480: nemesis_arp() function, 245 nemesis
Page 481 and 482: pointer_types4.c program, 56 pointe
Page 483 and 484: session layer (OSI), 196 for web br
Page 485 and 486: text segment, of memory, 69 then ke
Page 488 and 489: More No-Nonsense Books from NO STAR
Page 490: UPDATES Visit http://www.nostarch.c
show all

hacking-the-art-of-exploitation

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?