Chapter 10
Real-World Exploits
The last three chapters discussed exploitation and exploit payload techniques in isolation, presenting the background and theory of vulnerability exploitation. In this chapter, we are going to put the theory into practice and demonstrate the techniques in real-world exploits for Mac OS X Tiger and Leopard for both PowerPC and x86.
In the examples in this chapter, we will also demonstrate the process of developing an exploit for a given vulnerability from the point where the vulnerability may be reliably triggered to the point that we have reliable code execution. If an attack string can be considered an equation, where the variables are the elements in the attack string that affect execution, then this process essentially involves identifying and solving for these variables. In practice we will use tools such as pattern strings to identify the offsets of significant elements in the attack string, and we’ll examine the process address space to find suitable memory addresses or values for these elements.
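The pattern-string step just described, as an added example that is not code from the book or its accompanying source package: a Metasploit-style cyclic pattern generator and the offset lookup that maps a register value seen in a crash back to the byte position in the input that produced it. It is written in Python for crash triage; the crash-log lines it parses, the register names and the 64-byte offset are constructed for illustration and are not from any real Tiger or Leopard crash report. The byte-order switch matters because the chapter covers both architectures: x86 stores the overwritten value little-endian, PowerPC big-endian.

```python
import re
import string
from typing import Dict, Optional

# Capacity of the Metasploit-style pattern: 26 upper * 26 lower * 10 digit triplets.
MAX_UNIQUE = 26 * 26 * 10 * 3  # 20280 bytes


def pattern_create(length: int) -> bytes:
    """Build a cyclic pattern of upper/lower/digit triplets ("Aa0Aa1Aa2...").

    Every 3-byte (and therefore every 4-byte) window is unique up to
    MAX_UNIQUE bytes, so a register value that lands in the pattern maps
    back to exactly one offset in the input."""
    if length > MAX_UNIQUE:
        raise ValueError(f"pattern longer than {MAX_UNIQUE} bytes is not unique")
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern: bytes, value: int, width: int = 4,
                   little_endian: bool = True) -> Optional[int]:
    """Map a register value from a crash log back to an offset in the pattern.

    x86 stores the value little-endian, PowerPC big-endian, so the byte
    order must match the architecture that produced the crash."""
    needle = value.to_bytes(width, "little" if little_endian else "big")
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


# Constructed crash-log lines (assumed format, not a real crash report).
# Both describe the same 64-byte offset: the x86 line shows the pattern
# bytes little-endian, the PowerPC line big-endian. The stack pointer
# values are unrelated to the pattern and must not produce a hit.
CRASH_X86 = "eip: 0x63413163   esp: 0xbfffe6d0"
CRASH_PPC = "srr0: 0x63314163  r1: 0xbfffe6d0"

REG_RE = re.compile(r"(\w+):\s*0x([0-9a-fA-F]+)")


def triage_crash_line(line: str, pattern: bytes,
                      little_endian: bool) -> Dict[str, int]:
    """Return {register: offset} for every register whose value came from
    the pattern; registers holding unrelated values are left out."""
    hits: Dict[str, int] = {}
    for reg, hexval in REG_RE.findall(line):
        off = pattern_offset(pattern, int(hexval, 16), little_endian=little_endian)
        if off is not None:
            hits[reg] = off
    return hits


if __name__ == "__main__":
    pat = pattern_create(200)
    print("x86:    ", triage_crash_line(CRASH_X86, pat, little_endian=True))
    print("PowerPC:", triage_crash_line(CRASH_PPC, pat, little_endian=False))
```

Sending the pattern instead of a run of identical bytes turns one crash into an answer to the question "which bytes of my input reached this register": the 4-byte value in the crashed register is looked up in the pattern and its index is the offset to solve for. The same lookup works for any register or saved pointer the crash report shows, which is why the triage function scans every `name: 0x...` pair on the line rather than a single register.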
Most exploits are no longer run as stand-alone programs, but are used within a larger framework such as the CORE IMPACT and CANVAS penetration-testing tools or the open-source Metasploit Framework. In this chapter we will use Metasploit since it is freely available and well documented. All the exploits in this chapter are available as fully functional exploits for Metasploit in this book’s accompanying source-code package. They may be used with Metasploit’s ...