+- الفريق العربي للهندسة العكسية (https://www.at4re.net/f)
+-- قسم : منتديات الهندسة العكسية - Reverse Engineering Forums (https://www.at4re.net/f/forum-4.html)
+--- قسم : كتب الهندسة العكسية والبرمجة - Ebooks (https://www.at4re.net/f/forum-34.html)
+--- الموضوع : The Shellcoder’s Handbook Discovering and Exploiting Security Holes Second Edition (/thread-179.html)
The Shellcoder’s Handbook Discovering and Exploiting Security Holes Second Edition - dj-siba - 20-10-2018
المشاركة الأصلية كتبت بواسطة dj-siba في 14-10-2007 الساعة 09:02 PM:
هديتي الخاصة بعيد الفطر كتاب:
The Shellcoder’s
Handbook
Discovering and Exploiting Security Holes
Second Edition
كتيب
اكتشاف واستغلال ثغرات أمنية
الطبعه الثانية
هدية خاصة لفئة معينة من زوار المنتدى
اهداء الكتاب
إقتباس :This book is dedicated to anyone and everyone who understands that
hacking and learning is a way to live your life, not a day job or
semi-ordered list of instructions found in a thick book
ولفتح الشهية هذا فهرست الكتاب
Introduction to the Second Edition xxiii
Part I Introduction to Exploitation: Linux on x86
Chapter 1 Before You Begin 3
Basic Concepts 3
Memory Management 4
Assembly 6
Recognizing C and C++ Code Constructs in Assembly 7
Conclusion 10
Chapter 2 Stack Overflows 11
Buffers 12
The Stack 13
Functions and the Stack 15
Overflowing Buffers on the Stack 18
Controlling EIP 22
An Interesting Diversion 23
Using an Exploit to Get Root Privileges 25
The Address Problem 27
The NOP Method 33
Defeating a Non-Executable Stack 35
Return to libc 35
Conclusion 39
Chapter 3 Shellcode 41
Understanding System Calls 42
Writing Shellcode for the exit() Syscall 44
Injectable Shellcode 48
Spawning a Shell 50
Conclusion 59
Chapter 4 Introduction to Format String Bugs 61
Prerequisites 61
What Is a Format String? 61
What Is a Format String Bug? 63
Format String Exploits 68
Crashing Services 69
Information Leakage 70
Controlling Execution for Exploitation 75
Why Did This Happen? 84
Format String Technique Roundup 85
Conclusion 88
Chapter 5 Introduction to Heap Overflows 89
What Is a Heap? 90
How a Heap Works 91
Finding Heap Overflows 91
Basic Heap Overflows 93
Intermediate Heap Overflows 98
Advanced Heap Overflow Exploitation 105
Conclusion 107
Part II Other Platforms—Windows, Solaris, OS/X, and Cisco
Chapter 6 The Wild World of Windows 111
How Does Windows Differ from Linux? 111
Win32 API and PE-COFF 112
Heaps 114
Threading 115
The Genius and Idiocy of the Distributed Common
Object Model and DCE-RPC 116
Recon 118
Exploitation 120
Tokens and Impersonation 120
Exception Handling under Win32 122
Debugging Windows 124
Bugs in Win32 124
Writing Windows Shellcode 125
A Hacker’s Guide to the Win32 API 126
A Windows Family Tree from the Hacker’s Perspective 126
Conclusion 127
Chapter 7 Windows Shellcode 129
Syntax and Filters 129
Setting Up 131
Parsing the PEB 132
Heapoverflow.c Analysis 132
Searching with Windows Exception Handling 148
Popping a Shell 153
Why You Should Never Pop a Shell on Windows 153
Conclusion 154
Chapter 8 Windows Overflows 155
Stack-Based Buffer Overflows 156
Frame-Based Exception Handlers 156
Abusing Frame-Based Exception Handling on
Windows 2003 Server 161
A Final Note about Frame-Based Handler Overwrites 166
Stack Protection and Windows 2003 Server 166
Heap-Based Buffer Overflows 173
The Process Heap 173
Dynamic Heaps 173
Working with the Heap 173
How the Heap Works 174
Exploiting Heap-Based Overflows 178
Overwrite Pointer to RtlEnterCriticalSection in the PEB 178
Overwrite Pointer to Unhandled Exception Filter 185
Repairing the Heap 191
Other Aspects of Heap-Based Overflows 193
Wrapping Up the Heap 194
Other Overflows 194
.data Section Overflows 194
TEB/PEB Overflows 196
Exploiting Buffer Overflows and Non-Executable Stacks 197
Conclusion 203
Chapter 9 Overcoming Filters 205
Writing Exploits for Use with an Alphanumeric Filter 205
Writing Exploits for Use with a Unicode Filter 209
What Is Unicode? 210
Converting from ASCII to Unicode 210
Exploiting Unicode-Based Vulnerabilities 211
The Available Instruction Set in Unicode Exploits 212
The Venetian Method 213
An ASCII Venetian Implementation 214
Decoder and Decoding 218
The Decoder Code 219
Getting a Fix on the Buffer Address 220
Conclusion 221
Chapter 10 Introduction to Solaris Exploitation 223
Introduction to the SPARC Architecture 224
Registers and Register Windows 224
The Delay Slot 227
Synthetic Instructions 228
Solaris/SPARC Shellcode Basics 228
Self-Location Determination and SPARC Shellcode 228
Simple SPARC exec Shellcode 229
Useful System Calls on Solaris 230
NOP and Padding Instructions 231
Solaris/SPARC Stack Frame Introduction 231
Stack-Based Overflow Methodologies 232
Arbitrary Size Overflow 232
Register Windows and Stack Overflow Complications 233
Other Complicating Factors 233
Possible Solutions 234
Off-By-One Stack Overflow Vulnerabilities 234
Shellcode Locations 235
Stack Overflow Exploitation In Action 236
The Vulnerable Program 236
The Exploit 238
Heap-Based Overflows on Solaris/SPARC 241
Solaris System V Heap Introduction 242
Heap Tree Structure 242
Basic Exploit Methodology (t_delete) 263
Standard Heap Overflow Limitations 266
Targets for Overwrite 267
Other Heap-Related Vulnerabilities 270
Off-by-One Overflows 270
Double Free Vulnerabilities 270
Arbitrary Free Vulnerabilities 271
Heap Overflow Example 271
The Vulnerable Program 272
Other Solaris Exploitation Techniques 276
Static Data Overflows 276
Bypassing the Non-Executable Stack Protection 276
Conclusion 277
Chapter 11 Advanced Solaris Exploitation 279
Single Stepping the Dynamic Linker 281
Various Style Tricks for Solaris SPARC Heap Overflows 296
Advanced Solaris/SPARC Shellcode 299
Conclusion 311
Chapter 12 OS X Shellcode 313
OS X Is Just BSD, Right? 314
Is OS X Open Source? 314
OS X for the Unix-aware 315
Password Cracking 316
OS X PowerPC Shellcode 316
OS X Intel Shellcode 324
Example Shellcode 326
ret2libc 327
ret2str(l)cpy 329
OS X Cross-Platform Shellcode 332
OS X Heap Exploitation 333
Bug Hunting on OS X 335
Some Interesting Bugs 335
Essential Reading for OS X Exploits 337
Conclusion 338
Chapter 13 Cisco IOS Exploitation 339
An Overview of Cisco IOS 339
Hardware Platforms 340
Software Packages 340
IOS System Architecture 343
Vulnerabilities in Cisco IOS 346
Protocol Parsing Code 347
Services on the Router 347
Security Features 348
The Command-Line Interface 348
Reverse Engineering IOS 349
Taking the Images Apart 349
Diffing IOS Images 350
Runtime Analysis 351
Exploiting Cisco IOS 357
Stack Overflows 357
Heap Overflows 359
Shellcodes 364
Conclusion 373
Part I Introduction to Exploitation: Linux on x86
Chapter 1 Before You Begin 3
Basic Concepts 3
Memory Management 4
Assembly 6
Recognizing C and C++ Code Constructs in Assembly 7
Conclusion 10
Chapter 2 Stack Overflows 11
Buffers 12
The Stack 13
Functions and the Stack 15
Overflowing Buffers on the Stack 18
Controlling EIP 22
An Interesting Diversion 23
Using an Exploit to Get Root Privileges 25
The Address Problem 27
The NOP Method 33
Defeating a Non-Executable Stack 35
Return to libc 35
Conclusion 39
Chapter 3 Shellcode 41
Understanding System Calls 42
Writing Shellcode for the exit() Syscall 44
Injectable Shellcode 48
Spawning a Shell 50
Conclusion 59
Chapter 4 Introduction to Format String Bugs 61
Prerequisites 61
What Is a Format String? 61
What Is a Format String Bug? 63
Format String Exploits 68
Crashing Services 69
Information Leakage 70
Controlling Execution for Exploitation 75
Why Did This Happen? 84
Format String Technique Roundup 85
Conclusion 88
Chapter 5 Introduction to Heap Overflows 89
What Is a Heap? 90
How a Heap Works 91
Finding Heap Overflows 91
Basic Heap Overflows 93
Intermediate Heap Overflows 98
Advanced Heap Overflow Exploitation 105
Conclusion 107
Part II Other Platforms—Windows, Solaris, OS/X, and Cisco
Chapter 6 The Wild World of Windows 111
How Does Windows Differ from Linux? 111
Win32 API and PE-COFF 112
Heaps 114
Threading 115
The Genius and Idiocy of the Distributed Common
Object Model and DCE-RPC 116
Recon 118
Exploitation 120
Tokens and Impersonation 120
Exception Handling under Win32 122
Debugging Windows 124
Bugs in Win32 124
Writing Windows Shellcode 125
A Hacker’s Guide to the Win32 API 126
A Windows Family Tree from the Hacker’s Perspective 126
Conclusion 127
Chapter 7 Windows Shellcode 129
Syntax and Filters 129
Setting Up 131
Parsing the PEB 132
Heapoverflow.c Analysis 132
Searching with Windows Exception Handling 148
Popping a Shell 153
Why You Should Never Pop a Shell on Windows 153
Conclusion 154
Chapter 8 Windows Overflows 155
Stack-Based Buffer Overflows 156
Frame-Based Exception Handlers 156
Abusing Frame-Based Exception Handling on
Windows 2003 Server 161
A Final Note about Frame-Based Handler Overwrites 166
Stack Protection and Windows 2003 Server 166
Heap-Based Buffer Overflows 173
The Process Heap 173
Dynamic Heaps 173
Working with the Heap 173
How the Heap Works 174
Exploiting Heap-Based Overflows 178
Overwrite Pointer to RtlEnterCriticalSection in the PEB 178
Overwrite Pointer to Unhandled Exception Filter 185
Repairing the Heap 191
Other Aspects of Heap-Based Overflows 193
Wrapping Up the Heap 194
Other Overflows 194
.data Section Overflows 194
TEB/PEB Overflows 196
Exploiting Buffer Overflows and Non-Executable Stacks 197
Conclusion 203
Chapter 9 Overcoming Filters 205
Writing Exploits for Use with an Alphanumeric Filter 205
Writing Exploits for Use with a Unicode Filter 209
What Is Unicode? 210
Converting from ASCII to Unicode 210
Exploiting Unicode-Based Vulnerabilities 211
The Available Instruction Set in Unicode Exploits 212
The Venetian Method 213
An ASCII Venetian Implementation 214
Decoder and Decoding 218
The Decoder Code 219
Getting a Fix on the Buffer Address 220
Conclusion 221
Chapter 10 Introduction to Solaris Exploitation 223
Introduction to the SPARC Architecture 224
Registers and Register Windows 224
The Delay Slot 227
Synthetic Instructions 228
Solaris/SPARC Shellcode Basics 228
Self-Location Determination and SPARC Shellcode 228
Simple SPARC exec Shellcode 229
Useful System Calls on Solaris 230
NOP and Padding Instructions 231
Solaris/SPARC Stack Frame Introduction 231
Stack-Based Overflow Methodologies 232
Arbitrary Size Overflow 232
Register Windows and Stack Overflow Complications 233
Other Complicating Factors 233
Possible Solutions 234
Off-By-One Stack Overflow Vulnerabilities 234
Shellcode Locations 235
Stack Overflow Exploitation In Action 236
The Vulnerable Program 236
The Exploit 238
Heap-Based Overflows on Solaris/SPARC 241
Solaris System V Heap Introduction 242
Heap Tree Structure 242
Basic Exploit Methodology (t_delete) 263
Standard Heap Overflow Limitations 266
Targets for Overwrite 267
Other Heap-Related Vulnerabilities 270
Off-by-One Overflows 270
Double Free Vulnerabilities 270
Arbitrary Free Vulnerabilities 271
Heap Overflow Example 271
The Vulnerable Program 272
Other Solaris Exploitation Techniques 276
Static Data Overflows 276
Bypassing the Non-Executable Stack Protection 276
Conclusion 277
Chapter 11 Advanced Solaris Exploitation 279
Single Stepping the Dynamic Linker 281
Various Style Tricks for Solaris SPARC Heap Overflows 296
Advanced Solaris/SPARC Shellcode 299
Conclusion 311
Chapter 12 OS X Shellcode 313
OS X Is Just BSD, Right? 314
Is OS X Open Source? 314
OS X for the Unix-aware 315
Password Cracking 316
OS X PowerPC Shellcode 316
OS X Intel Shellcode 324
Example Shellcode 326
ret2libc 327
ret2str(l)cpy 329
OS X Cross-Platform Shellcode 332
OS X Heap Exploitation 333
Bug Hunting on OS X 335
Some Interesting Bugs 335
Essential Reading for OS X Exploits 337
Conclusion 338
Chapter 13 Cisco IOS Exploitation 339
An Overview of Cisco IOS 339
Hardware Platforms 340
Software Packages 340
IOS System Architecture 343
Vulnerabilities in Cisco IOS 346
Protocol Parsing Code 347
Services on the Router 347
Security Features 348
The Command-Line Interface 348
Reverse Engineering IOS 349
Taking the Images Apart 349
Diffing IOS Images 350
Runtime Analysis 351
Exploiting Cisco IOS 357
Stack Overflows 357
Heap Overflows 359
Shellcodes 364
Conclusion 373