book

Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition, 4th Edition

by Daniel Regalado, Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness, Branko Spasojevic, Ryan Linn, Stephen Sims

January 2015

Intermediate to advanced

656 pages

18h 58m

English

McGraw-Hill

Read now

Unlock full access

Why You Need to Understand Your Enemy’s TacticsRecognizing Trouble When It HappensThe Ethical Hacking ProcessThe Penetration Testing ProcessWhat Would an Unethical Hacker Do Differently?The Rise of CyberlawUnderstanding Individual CyberlawsThe Controversy of “Hacking” ToolsVulnerability DisclosureDifferent Teams and Points of ViewHow Did We Get Here?CERT’s Current ProcessOrganization for Internet SafetyConflicts Will Still Exist“No More Free Bugs”Bug Bounty ProgramsSummaryReferencesFor Further Reading

C Programming LanguageBasic C Language ConstructsSample ProgramCompiling with gccComputer MemoryRandom Access Memory (RAM)EndianSegmentation of MemoryPrograms in MemoryBuffersStrings in MemoryPointersPutting the Pieces of Memory TogetherIntel ProcessorsRegistersAssembly Language BasicsMachine vs. Assembly vs. CAT&T vs. NASMAddressing ModesAssembly File StructureAssemblingDebugging with gdbgdb BasicsDisassembly with gdbPython Survival SkillsGetting PythonHello World in PythonPython ObjectsStringsNumbersListsDictionariesFiles with PythonSockets with PythonSummaryReferencesFor Further Reading
Ethical Reverse EngineeringWhy Bother with Reverse Engineering?Reverse Engineering ConsiderationsSource Code AnalysisSource Code Auditing ToolsThe Utility of Source Code Auditing ToolsManual Source Code AuditingAutomated Source Code AnalysisBinary AnalysisManual Auditing of Binary CodeAutomated Binary Analysis ToolsSummaryFor Further Reading
Static Analysis ChallengesStripped BinariesStatically Linked Programs and FLAIRData Structure AnalysisQuirks of Compiled C++ CodeExtending IDA ProScripting in IDAPythonExample 4-1: Decrypting Strings in PlaceExecuting Python CodeSummaryFor Further Reading
Introduction to FuzzingChoosing a TargetInput TypesEase of AutomationComplexityTypes of FuzzersMutation FuzzersGeneration FuzzersGetting StartedFinding the Fuzzing TemplatesLab 5-1: Collecting Samples from the Internet ArchiveChoosing the Optimal Template Set with Code CoverageLab 5-2: Selecting the Best Samples for FuzzingPeach Fuzzing FrameworkPeach Fuzzing StrategiesSpeed Does MatterCrash AnalysisLab 5-3: Mutation Fuzzing with PeachOther Mutation FuzzersGeneration FuzzersSummaryFor Further Reading
User Space ShellcodeSystem CallsBasic ShellcodePort Binding ShellcodeReverse ShellcodeFind Socket ShellcodeCommand Execution CodeFile Transfer CodeMultistage ShellcodeSystem Call Proxy ShellcodeProcess Injection ShellcodeOther Shellcode ConsiderationsShellcode EncodingSelf-Corrupting ShellcodeDisassembling ShellcodeKernel Space ShellcodeKernel Space ConsiderationsSummaryReferencesFor Further Reading
Basic Linux ShellcodeSystem CallsSystem Calls by CSystem Calls by AssemblyExit System Callsetreuid System CallShell-Spawning Shellcode with execveImplementing Port-Binding ShellcodeLinux Socket ProgrammingAssembly Program to Establish a SocketTest the ShellcodeImplementing Reverse Connecting ShellcodeReverse Connecting C ProgramReverse Connecting Assembly ProgramEncoding ShellcodeSimple XOR EncodingStructure of Encoded ShellcodeJMP/CALL XOR Decoder ExampleFNSTENV XOR ExamplePutting the Code TogetherAutomating Shellcode Generation with MetasploitGenerating Shellcode with MetasploitEncoding Shellcode with MetasploitSummaryFor Further Study
What Is Spoofing?ARP SpoofingLab 8-1: ARP Spoofing with EttercapViewing Network TrafficModifying Network TrafficDNS SpoofingLab 8-2: DNS Spoofing with EttercapExecuting the AttackNetBIOS Name Spoofing and LLMNR SpoofingLab 8-3: Attacking NetBIOS and LLMNR with ResponderCracking NTLMv1 and NTLMv2 HashesSummaryFor Further Reading
Attacking Community Strings and PasswordsLab 9-1: Guessing Credentials with Ncrack and MetasploitLab 9-2: Guessing Community Strings with Onesixtyone and MetasploitSNMP and TFTPLab 9-3: Downloading Configuration Files with MetasploitLab 9-4: Modifying Configurations with SNMP and TFTPAttacking Cisco PasswordsAttacking Cisco Type 7 PasswordsLab 9-5: Cracking Type 7 Passwords with CainLab 9-6: Cracking Type 7 Passwords with MetasploitAttacking Cisco Type 5 PasswordsLab 9-7: Attacking Cisco Type 5 Passwords with John the RipperMiddling Traffic with TunnelsLab 9-8: Setting Up a GRE TunnelLab 9-9: Routing Traffic over a GRE TunnelExploits and Other AttacksCisco ExploitsMaintaining Access on Cisco DevicesSummaryFor Further Reading
Stack OperationsFunction Calling ProcedureBuffer OverflowsLab 10-1: Overflow of meet.cRamifications of Buffer OverflowsLocal Buffer Overflow ExploitsLab 10-2: Components of the ExploitLab 10-3: Exploiting Stack Overflows from the Command LineLab 10-4: Exploiting Stack Overflows with Generic Exploit CodeLab 10-5: Exploiting Small BuffersExploit Development ProcessLab 10-6: Building Custom ExploitsSummaryFor Further Reading
Format String ExploitsThe ProblemLab 11-1: Reading from Arbitrary MemoryLab 11-2: Writing to Arbitrary MemoryLab 11-3: Changing Program ExecutionMemory Protection SchemesCompiler ImprovementsLab 11-4: Bypassing Stack ProtectionKernel Patches and ScriptsLab 11-5: Return to libc ExploitsLab 11-6: Maintaining Privileges with ret2libcBottom LineSummaryReferencesFor Further Reading
Compiling and Debugging Windows ProgramsLab 12-1: Compiling on WindowsDebugging on Windows with Immunity DebuggerLab 12-2: Crashing the ProgramWriting Windows ExploitsExploit Development Process ReviewLab 12-3: Exploiting ProSSHD ServerUnderstanding Structured Exception Handling (SEH)Implementation of SEHSummaryReferencesFor Further Reading
Understanding Windows Memory Protections (XP SP3, Vista, 7, 8, Server 2008, and Server 2012)Stack-Based Buffer Overrun Detection (/GS)Safe Structured Exception Handling (SafeSEH)SEH Overwrite Protection (SEHOP)Heap ProtectionsData Execution Prevention (DEP)Address Space Layout Randomization (ASLR)Enhanced Mitigation Experience Toolkit (EMET)Bypassing Windows Memory ProtectionsBypassing /GSBypassing SafeSEHBypassing ASLRBypassing DEPBypassing EMETBypassing SEHOPSummaryReferencesFor Further Reading
Why Access Control Is Interesting to a HackerMost People Don’t Understand Access ControlVulnerabilities You Find Are Easy to ExploitYou’ll Find Tons of Security VulnerabilitiesHow Windows Access Control WorksSecurity IdentifierAccess TokenSecurity DescriptorThe Access CheckTools for Analyzing Access Control ConfigurationsDumping the Process TokenDumping the Security DescriptorSpecial SIDs, Special Access, and “Access Denied”Special SIDsSpecial AccessInvestigating “Access Denied”Analyzing Access Control for Elevation of PrivilegeAttack Patterns for Each Interesting Object TypeAttacking ServicesAttacking Weak DACLs in the Windows RegistryAttacking Weak Directory DACLsAttacking Weak File DACLsWhat Other Object Types Are Out There?Enumerating Shared Memory SectionsEnumerating Named PipesEnumerating ProcessesEnumerating Other Named Kernel Objects (Semaphores, Mutexes, Events, and Devices)SummaryFor Further Reading
Overview of the Top 10 Web VulnerabilitiesMD5 Hash InjectionLab 15-1: Injecting the HashMultibyte Encoding InjectionUnderstanding the VulnerabilityLab 15-2: Leverage Multibyte EncodingHunting Cross-site Scripting (XSS)Lab 15-3: Basic XSS Injection into a JavaScript BlockUnicode Normalization Forms AttackLab 15-4: Leveraging Unicode NormalizationUnicode Normalization IntroductionNormalization FormsPreparing the Environment for TestingXSS Testing via x5s the Plug-InLaunching the Attack ManuallyAdding Your Own Test CaseSummaryReferencesFor Further Reading
Setting Up the EnvironmentWinDbg ConfigurationAttaching the Browser to WinDbgIntroduction to Heap SpraySpraying with HTML5Lab 16-1: Heap Spray via HTML5DOM Element Property Spray (DEPS)Lab 16-2: Heap Spray via DEPS TechniqueHeapLib2 TechniqueForcing New Allocations by Exhausting the Cache BlocksLab 16-3: HeapLib2 SprayingFlash Spray with Byte ArraysLab 16-4: Basic Heap Spray with FlashFlash Spray with Integer VectorsLab 16-5: Heap Spray with Flash VectorsLeveraging Low Fragmentation Heap (LFH)SummaryReferencesFor Further Reading
Use-After-Free OverviewDebugging JavaScriptDissecting Use-After-Free (UAF)Lab 17-1: Dissecting UAF, Step by StepLeveraging the UAF VulnerabilityExample 17-1: Connecting the DotsSummaryReferencesFor Further Reading
BeEF BasicsLab 18-1: Setting Up BeefLab 18-2: Using the BeEF ConsoleHooking BrowsersLab 18-3: The Basic XSS HookLab 18-4: Hooking Browsers with Site SpoofingLab 18-5: Automatically Injecting Hooks with ShankFingerprinting with BeEFLab 18-6: Fingerprinting Browsers with BeEFLab 18-7: Fingerprinting Users with BeEFLab 18-8: Fingerprinting Computers with BeEFBrowser ExploitationLab 18-9: Exploiting Browsers with BeEF and JavaExploiting Browsers with BeEF and MetasploitAutomating AttacksSummaryFor Further Reading
Introduction to Binary DiffingApplication DiffingPatch DiffingBinary Diffing ToolsBinDiffturbodiffLab 19-1: Our First DiffPatch Management ProcessMicrosoft Patch TuesdayLab 19-2: Obtaining and Extracting Microsoft PatchesExamining the PatchLab 19-3: Diffing MS14-006 with turbodiffKernel DebuggingLab 19-4: Kernel Debugging MS14-006SummaryReferencesFor Further Reading
The Android PlatformAndroid Application PackageApplication ManifestAnalyzing DEXJava DecompilationDEX DecompilationDEX DisassemblingExample 20-1: Running APK in EmulatorMalware AnalysisMalware Analysis PrimerExample 20-2: Black-Box APK Monitoring with DroidboxSummaryFor Further Reading
History of RansomwareOptions for Paying the RansomDissecting RansomlockExample 21-1: Dynamic AnalysisExample 21-2: Static AnalysisCryptoLockerSummaryFor Further Reading
Overview of the AMD64 ArchitectureAMD64 Calling ConventionsDecrypting C&C DomainsExample 22-1: Decrypting C&C DomainsSummaryFor Further Reading
Notable IDA Plug-insIDAscopeIDA ToolbagCollaborationHoneypots and Sandboxes Using TrapXA Free Tool for Dynamic AnalysisA Commercial Alternative: TrapX Malware TrapSummaryReferencesFor Further Reading

Content preview from Gray Hat Hacking The Ethical Hacker's Handbook, Fourth Edition, 4th Edition

CHAPTER 16 Exploiting IE: Smashing the Heap

This chapter shows you the different techniques used in 0-day attacks, as disclosed in 2013 and 2014, to place malicious code (shellcode) at predictable addresses in the heap.

In this chapter, we cover the following topics:

• Spraying with HTML5

• DOM Element Property Spray (DEPS)

• HeapLib2 technique

• Flash spray with byte arrays

• Flash spray with integer vectors

• Leveraging low fragmentation heap (LFH)

Setting Up the Environment

Before learning about the different heap spray techniques, it is imperative that you have a solid understanding of how to configure and use WinDbg Debugger since we will use ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Gray Hat Hacking: The Ethical Hacker's Handbook, Sixth Edition, 6th Edition

Allen Harper, Ryan Linn, Stephen Sims, Michael Baucom, Huascar Tejeda, Daniel Fernandez, Moses Frost

Gray Hat Hacking The Ethical Hacker's Handbook, Fifth Edition, 5th Edition

Daniel Regalado, Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness, Branko Spasojevic, Ryan Linn, Stephen Sims

Hacking Exposed 7, 7th Edition

Stuart McClure, Joel Scambray, George Kurtz

The Web Application Hacker's Handbook, 2nd Edition

Dafydd Stuttard, Marcus Pinto

Publisher Resources

ISBN: 9780071832380

CHAPTER 16

Exploiting IE: Smashing the Heap