book

Hacking: The Art of Exploitation, 2nd Edition

by Jon Erickson

January 2008

Beginner to intermediate

480 pages

12h 58m

English

No Starch Press

Read now

Unlock full access

0x210. What Is Programming?
0x231. If-Then-Else0x232. While/Until Loops0x233. For Loops
0x241. Variables0x242. Arithmetic Operators0x243. Comparison Operators0x244. Functions
0x250. Getting Your Hands Dirtyfirstprog.c0x251. The Bigger Picture0x252. The x86 Processor0x253. Assembly LanguageASCII Table

0x261. Stringschar_array.cchar_array2.c0x262. Signed, Unsigned, Long, and Shortdatatype_sizes.c0x263. Pointerspointer.caddressof.caddressof2.c0x264. Format Stringsfmt_strings.cinput.c0x265. Typecastingtypecasting.cpointer_types.cpointer_types2.cpointer_types3.cpointer_types4.cpointer_types5.c0x266. Command-Line Argumentscommandline.cconvert.cconvert2.c0x267. Variable Scopingscope.cscope2.cscope3.cstatic.cstatic2.c
0x270. Memory Segmentationstack_example.c0x271. Memory Segments in Cmemory_segments.c0x272. Using the Heapheap_example.c0x273. Error-Checked malloc()errorchecked_heap.c
0x281. File Accesssimplenote.cbitwise.cfcntl_flags.c0x282. File Permissions0x283. User IDsuid_demo.chacking.hnotetaker.cnotesearch.c0x284. Structstime_example.ctime_example2.c0x285. Function Pointersfuncptr_example.c0x286. Pseudo-random Numbersrand_example.c0x287. A Game of Chancegame_of_chance.c
0x310. Generalized Exploit Techniques
0x320. Buffer Overflowsoverflow_example.cexploit_notesearch.c0x321. Stack-Based Buffer Overflow Vulnerabilitiesauth_overflow.cauth_overflow2.c
0x330. Experimenting with BASHFrom exploit_notesearch.c0x331. Using the Environmentgetenv_example.cgetenvaddr.cCode from libc-2.2.2exploit_notesearch_env.c
0x341. A Basic Heap-Based OverflowExcerpt from notetaker.c0x342. Overflowing Function PointersFrom game_of_chance.c
0x351. Format Parametersfmt_uncommon.c0x352. The Format String Vulnerabilityfmt_vuln.c0x353. Reading from Arbitrary Memory Addresses0x354. Writing to Arbitrary Memory Addresses0x355. Direct Parameter Access0x356. Using Short Writes0x357. Detours with .dtorsdtors_sample.c0x358. Another notesearch Vulnerability0x359. Overwriting the Global Offset Table
0x410. OSI Model
0x421. Socket FunctionsFrom /usr/include/bits/socket.hFrom /usr/include/bits/socket.h0x422. Socket AddressesFrom /usr/include/bits/socket.hFrom /usr/include/bits/socket.hFrom /usr/include/netinet/in.h0x423. Network Byte Order0x424. Internet Address Conversion0x425. A Simple Server ExampleAdded to hacking.hsimple_server.cFrom a Remote MachineOn a Local Machine0x426. A Web Client ExampleFrom /etc/serviceshacking-network.hFrom /usr/include/netdb.hhost_lookup.cwebserver_id.c0x427. A Tinyweb Servertinyweb.c
0x431. Data-Link Layer0x432. Network LayerFrom RFC 7910x433. Transport LayerFrom RFC 793
0x441. Raw Socket Snifferraw_tcpsniff.c0x442. libpcap Snifferpcap_sniff.c0x443. Decoding the LayersFrom /usr/include/if_ether.hAdded to hacking-network.hFrom /usr/include/netinet/ip.hFrom RFC 791Added to hacking-network.hFrom /usr/include/netinet/tcp.hFrom RFC 793Added to hacking-network.hdecode_sniff.c0x444. Active SniffingFrom nemesis-arp.cFrom nemesis.hFrom nemesis-arp.cFrom nemesis-proto_arp.cFrom the libnet Man PageFrom the arpspoof Man Pagearpspoof.cFrom the libnet Man Page
0x451. SYN Floodingsynflood.c0x452. The Ping of Death0x453. Teardrop0x454. Ping Flooding0x455. Amplification Attacks0x456. Distributed DoS Flooding
0x461. RST Hijackingrst_hijack.c0x462. Continued Hijacking
0x471. Stealth SYN Scan0x472. FIN, X-mas, and Null Scans0x473. Spoofing Decoys0x474. Idle Scanning0x475. Proactive Defense (shroud)FIN Scan Before the Kernel ModificationFIN Scan After the Kernel Modificationshroud.c
0x480. Reach Out and Hack SomeoneFrom hacking-network.h0x481. Analysis with GDB0x482. Almost Only Counts with Hand Grenadestinyweb_exploit.c0x483. Port-Binding ShellcodeNew Line from tinyweb_exploit2.c
0x510. Assembly vs. C0x510. Assembly vs. Chelloworld.cMan Page for the write() System CallFrom /usr/include/unistd.h0x511. Linux System Calls in AssemblyFrom /usr/include/asm-i386/unistd.hhelloworld.asm
0x521. Assembly Instructions Using the Stackhelloworld1.s0x522. Investigating with GDB0x523. Removing Null Byteshelloworld2.shelloworld3.s
0x530. Shell-Spawning Shellcodeexec_shell.cexec_shell.stiny_shell.s0x531. A Matter of Privilegedrop_privs.cpriv_shell.s0x532. And Smaller Stillshellcode.s
0x540. Port-Binding Shellcodebind_port.cFrom /usr/include/linux/net.hbind_port.s0x541. Duplicating Standard File DescriptorsNew Instructions from bind_shell1.s0x542. Branching Control Structuresbind_shell.s
0x550. Connect-Back Shellcodeconnectback_shell.sFrom Another Terminal Window
0x610. Countermeasures That Detect
0x621. Crash Course in Signalssignal_example.c0x622. Tinyweb Daemontinywebd.c
0x631. tinywebd Exploit Toolxtool_tinywebd.sh
0x640. Log Filestinywebd Log File0x641. Blend In with the Crowdxtool_tinywebd_stealth.sh
0x651. One Step at a Timemark.s0x652. Putting Things Back Together Againmark_break.smark_restore.s0x653. Child Laborersloopback_shell_restore.s
0x661. Spoofing the Logged IP AddressCode Segment from tinywebd.caddr_struct.cxtool_tinywebd_spoof.sh0x662. Logless Exploitationxtool_tinywebd_silent.sh
0x671. Socket ReuseExcerpt from tinywebd.csocket_reuse_restore.sxtool_tinywebd_reuse.sh
0x681. String Encodingencoded_sockreuserestore_dbg.sFrom Another Terminal0x682. How to Hide a Sled
0x690. Buffer Restrictionsupdate_info.c0x691. Polymorphic Printable ASCII Shellcodeprintable_helper.cprintable.s
0x6b1. ret2libc0x6b2. Returning into system()vuln.c
0x6c0. Randomized Stack Spaceaslr_demo.c0x6c1. Investigations with BASH and GDB0x6c2. Bouncing Off linux-gatefind_jmpesp.c0x6c3. Applied Knowledge0x6c4. A First Attemptaslr_execl.c0x6c5. Playing the Oddsaslr_execl_exploit.c
0x710. Information Theory0x711. Unconditional Security0x712. One-Time Pads0x713. Quantum Key Distribution0x714. Computational Security
0x721. Asymptotic Notation
0x731. Lov Grover's Quantum Search Algorithm
0x741. RSA0x742. Peter Shor's Quantum Factoring Algorithm
0x751. Man-in-the-Middle AttacksOn Machine 192.168.42.250 (tetsuo), Connecting to 192.168.42.72 (loki)On the Attacker's Machine0x752. Differing SSH Protocol Host FingerprintsFrom 192.168.42.250 (tetsuo), Just an Innocent Machine on the NetworkOn the Attacker's Machine, Setting Up mitm-ssh to Only Use SSH1 ProtocolNow Back on 192.168.42.250 (tetsuo)0x753. Fuzzy FingerprintsNormal ConnectionMitM-Attacked Connection
0x760. Password Crackingcrypt_test.c0x761. Dictionary Attackscrypt_crack.c0x762. Exhaustive Brute-Force Attacks0x763. Hash Lookup Table0x764. Password Probability Matrixppm_gen.cppm_crack.c
0x771. Wired Equivalent Privacy0x772. RC4 Stream Cipher
0x781. Offline Brute-Force Attacks0x782. Keystream Reuse0x783. IV-Based Decryption Dictionary Tables0x784. IP Redirection0x785. Fluhrer, Mantin, and Shamir Attackfms.c
0x810. References

Content preview from Hacking: The Art of Exploitation, 2nd Edition

Shell-Spawning Shellcode

Now that you've learned how to make system calls and avoid null bytes, all sorts of shellcodes can be constructed. To spawn a shell, we just need to make a system call to execute the /bin/sh shell program. System call number 11, execve(), is similar to the C execute() function that we used in the previous chapters.

EXECVE(2) Linux Programmer's Manual EXECVE(2) NAME execve - execute program SYNOPSIS #include <unistd.h> int execve(const char *filename, char *const argv[], char *const envp[]); DESCRIPTION execve() executes the program pointed to by filename. Filename must be either a binary executable, or a script starting with a line of the form "#! interpreter [arg]". In the latter case, the interpreter must be a valid pathname ...