The Shellcoder's Handbook - Chris Anley - E-Book


Chris Anley

Description

* This much-anticipated revision, written by the ultimate group of top security experts in the world, features 40 percent new content on how to find security holes in any operating system or application
* New material addresses the many new exploitation techniques that have been discovered since the first edition, including attacking "unbreakable" software packages such as McAfee's Entercept, Mac OS X, XP, Office 2003, and Vista
* Also features the first-ever published information on exploiting Cisco's IOS, with content that has never before been explored
* The companion Web site features downloadable code files


Page count: 1007

Year of publication: 2011




Table of Contents

Cover

Title Page

Copyright

Dedication

About the Authors

Credits

Acknowledgments

Introduction to the Second Edition

Part I: Introduction to Exploitation: Linux on x86

Chapter 1: Before You Begin

Basic Concepts

Recognizing C and C++ Code Constructs in Assembly

Conclusion

Chapter 2: Stack Overflows

Buffers

The Stack

Overflowing Buffers on the Stack

An Interesting Diversion

Using an Exploit to Get Root Privileges

Defeating a Non-Executable Stack

Conclusion

Chapter 3: Shellcode

Understanding System Calls

Writing Shellcode for the exit() Syscall

Injectable Shellcode

Spawning a Shell

Conclusion

Chapter 4: Introduction to Format String Bugs

Prerequisites

What Is a Format String?

What Is a Format String Bug?

Format String Exploits

Controlling Execution for Exploitation

Why Did This Happen?

Format String Technique Roundup

Conclusion

Chapter 5: Introduction to Heap Overflows

What Is a Heap?

Finding Heap Overflows

Conclusion

Part II: Other Platforms—Windows, Solaris, OS/X, and Cisco

Chapter 6: The Wild World of Windows

How Does Windows Differ from Linux?

Heaps

The Genius and Idiocy of the Distributed Common Object Model and DCE-RPC

Debugging Windows

Conclusion

Chapter 7: Windows Shellcode

Syntax and Filters

Setting Up

Popping a Shell

Why You Should Never Pop a Shell on Windows

Conclusion

Chapter 8: Windows Overflows

Stack-Based Buffer Overflows

Frame-Based Exception Handlers

Abusing Frame-Based Exception Handling on Windows 2003 Server

Stack Protection and Windows 2003 Server

Heap-Based Buffer Overflows

The Process Heap

Exploiting Heap-Based Overflows

Other Overflows

Exploiting Buffer Overflows and Non-Executable Stacks

Conclusion

Chapter 9: Overcoming Filters

Writing Exploits for Use with an Alphanumeric Filter

Writing Exploits for Use with a Unicode Filter

Exploiting Unicode-Based Vulnerabilities

The Venetian Method

Decoder and Decoding

Conclusion

Chapter 10: Introduction to Solaris Exploitation

Introduction to the SPARC Architecture

Solaris/SPARC Shellcode Basics

Solaris/SPARC Stack Frame Introduction

Stack-Based Overflow Methodologies

Stack Overflow Exploitation In Action

Heap-Based Overflows on Solaris/SPARC

Basic Exploit Methodology (t_delete)

Other Heap-Related Vulnerabilities

Heap Overflow Example

Other Solaris Exploitation Techniques

Conclusion

Chapter 11: Advanced Solaris Exploitation

Single Stepping the Dynamic Linker

Various Style Tricks for Solaris SPARC Heap Overflows

Advanced Solaris/SPARC Shellcode

Conclusion

Chapter 12: OS X Shellcode

OS X Is Just BSD, Right?

Is OS X Open Source?

OS X for the Unix-aware

OS X PowerPC Shellcode

OS X Intel Shellcode

OS X Cross-Platform Shellcode

OS X Heap Exploitation

Bug Hunting on OS X

Some Interesting Bugs

Essential Reading for OS X Exploits

Conclusion

Chapter 13: Cisco IOS Exploitation

An Overview of Cisco IOS

Vulnerabilities in Cisco IOS

Reverse Engineering IOS

Exploiting Cisco IOS

Conclusion

Chapter 14: Protection Mechanisms

Protections

Implementation Differences

Conclusion

Part III: Vulnerability Discovery

Chapter 15: Establishing a Working Environment

What You Need for Reference

What You Need for Code

What You Need for Investigation

What You Need to Know

Optimizing Shellcode Development

Conclusion

Chapter 16: Fault Injection

Design Overview

Fault Monitoring

Putting It Together

Conclusion

Chapter 17: The Art of Fuzzing

General Theory of Fuzzing

Weaknesses in Fuzzers

Modeling Arbitrary Network Protocols

Other Fuzzer Possibilities

SPIKE

Other Fuzzers

Conclusion

Chapter 18: Source Code Auditing: Finding Vulnerabilities in C-Based Languages

Tools

Automated Source Code Analysis Tools

Methodology

Vulnerability Classes

Beyond Recognition: A Real Vulnerability versus a Bug

Conclusion

Chapter 19: Instrumented Investigation: A Manual Approach

Philosophy

Oracle extproc Overflow

Common Architectural Failures

Bypassing Input Validation and Attack Detection

Windows 2000 SNMP DOS

Finding DOS Attacks

SQL-UDP

Conclusion

Chapter 20: Tracing for Vulnerabilities

Overview

Conclusion

Chapter 21: Binary Auditing: Hacking Closed Source Software

Binary versus Source-Code Auditing: The Obvious Differences

IDA Pro—The Tool of the Trade

Binary Auditing Introduction

Reconstructing Class Definitions

Manual Binary Analysis

Binary Vulnerability Examples

Conclusion

Part IV: Advanced Materials

Chapter 22: Alternative Payload Strategies

Modifying the Program

The SQL Server 3-Byte Patch

The MySQL 1-Bit Patch

OpenSSH RSA Authentication Patch

Other Runtime Patching Ideas

Upload and Run (or Proglet Server)

Syscall Proxies

Problems with Syscall Proxies

Conclusion

Chapter 23: Writing Exploits that Work in the Wild

Factors in Unreliability

Countermeasures

Conclusion

Chapter 24: Attacking Database Software

Network Layer Attacks

Application Layer Attacks

Running Operating System Commands

Exploiting Overruns at the SQL Level

Conclusion

Chapter 25: Unix Kernel Overflows

Kernel Vulnerability Types

0day Kernel Vulnerabilities

Solaris vfs_getvfssw() Loadable Kernel Module Traversal Vulnerability

Conclusion

Chapter 26: Exploiting Unix Kernel Vulnerabilities

The exec_ibcs2_coff_prep_zmagic() Vulnerability

Solaris vfs_getvfssw() Loadable Kernel Module Path Traversal Exploit

Conclusion

Chapter 27: Hacking the Windows Kernel

Windows Kernel Mode Flaws—An Increasingly Hunted Species

Introduction to the Windows Kernel

Common Kernel-Mode Programming Flaws

Windows System Calls

Communicating with Device Drivers

Kernel-Mode Payloads

Essential Reading for Kernel Shellcoders

Conclusion

Index

The Shellcoder’s Handbook, Second Edition: Discovering and Exploiting Security Holes

Published by Wiley Publishing, Inc.

10475 Crosspoint Boulevard

Indianapolis, IN 46256

http://www.wiley.com

Copyright © 2007 by Chris Anley, John Heasman, Felix “FX” Lindner, and Gerardo Richarte

Published by Wiley Publishing, Inc.,

Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-0-470-08023-8

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Library of Congress Cataloging-in-Publication Data

The shellcoder’s handbook : discovering and exploiting security holes / Chris Anley ... [et al.]. — 2nd ed. p. cm. ISBN 978-0-470-08023-8 (paper/website) 1. Computer security. 2. Data protection. 3. Risk assessment. I. Anley, Chris.

QA76.9.A25S464 2007 005.8 — dc22 2007021079

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

This book is dedicated to anyone and everyone who understands that hacking and learning is a way to live your life, not a day job or semi-ordered list of instructions found in a thick book.

About the Authors

Chris Anley is a founder and director of NGSSoftware, a security software, consultancy, and research company based in London, England. He is actively involved in vulnerability research and has discovered security flaws in a wide variety of platforms including Microsoft Windows, Oracle, SQL Server, IBM DB2, Sybase ASE, MySQL, and PGP.

John Heasman is the Director of Research at NGSSoftware. He is a prolific security researcher and has published many security advisories in enterprise level software. He has a particular interest in rootkits and has authored papers on malware persistence via device firmware and the BIOS. He is also a co-author of The Database Hacker’s Handbook: Defending Database Servers (Wiley 2005).

Felix “FX” Lindner leads Recurity Labs GmbH, a Berlin-based professional consulting company specializing in security analysis, system design creation, and verification work. Felix looks back at 18 years of programming and over a decade of computer security consulting for enterprise, carrier, and software vendor clients. This experience allows him to rapidly dive into complex systems and evaluate them from a security and robustness point of view, even in atypical scenarios and on arcane platforms. In his spare time, FX works with his friends from the Phenoelit hacking group on different topics, which have included Cisco IOS, SAP, HP printers, and RIM BlackBerry in the past.

Gerardo Richarte has been doing reverse engineering and exploit development for more than 15 years non-stop. In the past 10 years he helped build the technical arm of Core Security Technologies, where he works today. His current duties include developing exploits for Core IMPACT, researching new exploitation techniques and other low-level subjects, helping other exploit writers when things get hairy, and teaching internal and external classes on assembly and exploit writing. As a result of his research, and as a humble thank you to the community, he has published some technical papers and open source projects, presented at a few conferences, and released part of his training material. He really enjoys solving tough problems and reverse engineering any piece of code that falls within his reach, just for the fun of doing it.

Credits

Executive Editor

Carol Long

Senior Development Editor

Kevin Kent

Production Editor

Eric Charbonneau

Project Coordinator, Cover

Adrienne Martinez

Copy Editor

Kim Cofer

Editorial Manager

Mary Beth Wakefield

Production Manager

Tim Tate

Vice President and Executive Group Publisher

Richard Swadley

Vice President and Executive Publisher

Joseph B. Wikert

Compositor

Craig Johnson, Happenstance Type-O-Rama

Proofreader

Jen Larsen

Indexer

Johnna VanHoose Dinse

Anniversary Logo Design

Richard Pacifico

Acknowledgments

I would first like to thank all of the people that have made this book possible — the (many) authors, of course: Gerardo Richarte, Felix “FX” Lindner, John Heasman, Jack Koziol, David Litchfield, Dave Aitel, Sinan Eren, Neel Mehta, and Riley Hassell. Huge thanks are also due to the team at Wiley — our excellent Executive Editor Carol Long and our equally excellent Development Editor Kevin Kent. On a personal note I’d like to thank the team at NGS for a great many hangovers, technical discussions, hangovers, ideas, and hangovers. Finally, I’d like to thank my wife Victoria for her enduring patience, love, and gorgeousness.

— Chris Anley

I would like to thank my friends and family for their unwavering support.

— John Heasman

I would like to thank my friends from Phenoelit, who are still with me despite the turns and detours life takes and despite the strange ideas I have, technical and otherwise. Special thanks in this context go to Mumpi, who is a very good friend and my invaluable support in all kinds of activities. Additional thanks and kudos go to the Recurity Labs team as well as to Halvar Flake, who is responsible for the existence of this team in the first place. Last but not least, I thank Bine for enduring me on a daily basis.

— Felix “FX” Lindner

I want to thank those in the community who share what excites them, their ideas and findings, especially the amazing people at Core, past and present, and my pals in the exploit writing team with whom the sudden discovery never ends — it is quite often simple and enlightening. I also want to thank Chris and John (co-authors) and Kevin Kent from Wiley Publishing, who all took the time to go through my entangled English, turning it more than just readable. And I want to thank Chinchin, my love, who’s always by my side, asking me questions when I need them, listening when I talk or am quiet, and supporting me, always.

— Gerardo Richarte

Introduction to the Second Edition

Wherever terms have a shifting meaning, independent sets of considerations are liable to become complicated together, and reasonings and results are frequently falsified.

— Ada Augusta, Countess of Lovelace, from her notes on “Sketch of The Analytical Engine,” 1842

You have in your hands The Shellcoder’s Handbook Second Edition: Discovering and Exploiting Security Holes. The first edition of this volume attempted to show the reader how security vulnerabilities are discovered and exploited, and this edition holds fast to that same objective. If you’re a skilled network auditor, software developer, or sysadmin and you want to understand how bugs are found and how exploits work at the lowest level, you’ve come to the right place.

So what’s this book about? Well, the preceding quotation more or less sums it up. This book is mostly concerned with arbitrary code execution vulnerabilities, by which we mean bugs that allow attackers to run code of their choice on the target machine. This generally happens when a program interprets a piece of data as a part of the program — part of an HTTP “Host” header becomes a return address, part of an email address becomes a function pointer, and so on. The program ends up executing the data the attacker supplied, with disastrous effects. The architecture of modern processors, operating systems, and compilers lends itself toward this kind of problem — as the good Countess wrote, “the symbols of operation are frequently also the symbols of the results of operations.” Of course, she was writing about the difficulty of discussing mathematics when the number “5” might also mean “raised to the power of 5” or “the fifth element of a series,” but the basic idea is the same. If you confuse code and data, you’re in a world of trouble. So, this book is about code and data, and what happens when the two become confused.

This subject area has become much more complicated since the first edition of this volume was published; the world has moved on since 2004. It’s now commonplace for compilers and operating systems to have built-in measures that protect against the types of vulnerabilities this book is mostly concerned with, though it’s also true to say that these measures are far from perfect. Nor does the supply of arbitrary-code execution bugs look to be drying up any time soon, despite advances in methods for finding them — if you check out the U.S. National Vulnerability Database Web site (nvd.nist.gov), click “statistics” and select “buffer overflow,” you’ll see that buffer overflows continue to increase in number, running at around 600 per year in 2005 and 2006, with 2007 on course to match or exceed that.

So it’s clear that we still need to know about these bugs and how they’re exploited — in fact, there’s a strong argument that it’s more important to know about the precise mechanisms now that we have so many partial defenses to choose from when considering how to protect ourselves. If you’re auditing a network, a working exploit will give you 100 percent confidence in your assessment, and if you’re a software developer, creating proof-of-concept exploits can help you understand which bugs need to be fixed first. If you’re purchasing a security product, knowing how to get around a non-executable stack, exploit a tricky heap overflow, or write your own exploit encoder will help you to make a better judgment of the quality of the various vendors. In general, knowledge is preferable to ignorance. The bad guys already know this stuff; the network-auditing, software-writing, network-managing public should know it, too.

So why is this book different? Well, first, the authors find and exploit bugs as part of their day jobs. We’re not just writing about this stuff; we’re doing it on a daily basis. Second, you’ll not see us writing too much about tools. Most of the content of this book is concerned with the raw meat of security bugs — assembler, source code, the stack, the heap, and so on. These ideas allow you to write tools rather than just use tools written by others. Finally, there’s a question of focus and attitude. It isn’t written down in any particular paragraph, but the message that shines out through the whole of this book is that you should experiment, explore, and try to understand the systems you’re running. You’ll find a lot of interesting stuff that way.

So, without further ado, here’s the second edition of The Shellcoder’s Handbook. I hope you enjoy it, I hope it’s useful, and I hope you use it to do some good. If you have any comments, criticisms, or suggestions, please let me know.

Cheers,

Chris Anley

Part I: Introduction to Exploitation: Linux on x86

Welcome to Part I of The Shellcoder’s Handbook Second Edition: Discovering and Exploiting Security Holes. This part is an introduction to vulnerability discovery and exploitation. It is organized in a manner that will allow you to learn exploitation on various fictitious sample code structures created specifically for this book to aid in the learning process, as well as on real-life, in-the-wild vulnerabilities.

You will learn the details of exploitation under Linux running on an Intel 32-bit (IA32 or x86) processor. The discovery and exploitation of vulnerabilities on Linux/IA32 is the easiest and most straightforward to comprehend. This is why we have chosen to start with Linux/IA32. Linux is easiest to understand from a hacker’s point of view because you have solid, reliable, internal operating system structures to work with when exploiting.

After you have a solid understanding of these concepts and have worked through the example code, you graduate to increasingly difficult vulnerability discovery and exploitation scenarios in subsequent parts. We work through stack buffer overflows in Chapter 2, introductory shellcoding in Chapter 3, format string overflows in Chapter 4, and finally finish up the part with heap-based buffer overflow hacking techniques for the Linux platform in Chapter 5. Upon completion of this part, you will be well on your way to understanding vulnerability development and exploitation.

Chapter 2

Stack Overflows

Stack-based buffer overflows have historically been one of the most popular and best understood methods of exploiting software. Tens, if not hundreds, of papers have been written on stack overflow techniques on all manner of popular architectures. One of the most frequently referred to, and likely the first public discourse on stack overflows, is Aleph One’s “Smashing the Stack for Fun and Profit.” Written in 1996 and published in Phrack magazine, the paper explained for the first time in a clear and concise manner how buffer overflow vulnerabilities are possible and how they can be exploited. We recommend that you read the paper available at http://insecure.org/stf/smashstack.html.

Aleph One did not invent the stack overflow; knowledge and exploitation of stack overflows had been passed around for a decade or longer before “Smashing the Stack” was released. Stack overflows have theoretically been around for at least as long as the C language, and exploitation of these vulnerabilities has occurred regularly for well over 25 years. Even though they are likely the best understood and most publicly documented class of vulnerability, stack overflow vulnerabilities remain generally prevalent in software produced today. Check your favorite security news list; it’s likely that a stack overflow vulnerability is being reported even as you read this chapter.

Buffers

A buffer is defined as a limited, contiguously allocated set of memory. The most common buffer in C is an array. The introductory material in this chapter focuses on arrays.

Stack overflows are possible because no inherent bounds-checking exists on buffers in the C or C++ languages. In other words, the C language and its derivatives do not have a built-in function to ensure that data being copied into a buffer will not be larger than the buffer can hold.

Consequently, if the person designing the program has not explicitly coded the program to check for oversized input, it is possible for data to fill a buffer, and if that data is large enough, to continue to write past the end of the buffer. As you will see in this chapter, all sorts of crazy things start happening once you write past the end of a buffer. Take a look at this extremely simple example that illustrates how C has no bounds-checking on buffers. (Remember, you can find this and many other code fragments and programs on The Shellcoder’s Handbook Web site, http://www.wiley.com/go/shellcodershandbook.)
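The book’s own listing is not included in this preview. What follows is an added example, not the book’s code, that makes the same point from the defensive side: `strcpy()` writes `strlen(src) + 1` bytes regardless of the destination’s size, so the bounds check has to be written by the programmer. The helper names (`would_overflow`, `bounded_copy`, `checked_copy`), `BUF_SIZE`, and the inputs in `main()` are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the book's code. BUF_SIZE and the inputs in main()
 * are constructed values: one in-bounds and one oversized copy against
 * the same 16-byte buffer. */
#define BUF_SIZE 16

/* strcpy() has no idea how big its destination is; it writes strlen(src)+1
 * bytes (the NUL included) wherever it is pointed. This helper computes
 * that count and reports whether it exceeds buf_size, without copying. */
int would_overflow(size_t buf_size, const char *src, size_t *bytes_written)
{
    size_t n = strlen(src) + 1;
    if (bytes_written)
        *bytes_written = n;
    return n > buf_size;
}

/* Bounded copy with strlcpy-style semantics: never writes past dst_size,
 * always NUL-terminates when dst_size > 0, and returns strlen(src) so the
 * caller can detect truncation with: if (ret >= dst_size) ... */
size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    size_t n;
    if (dst_size == 0)
        return src_len;
    n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

/* Strict variant: reject input that does not fit instead of truncating.
 * Returns 0 on success, -1 if the copy would overflow dst. */
int checked_copy(char *dst, size_t dst_size, const char *src)
{
    if (would_overflow(dst_size, src, NULL))
        return -1;
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

int main(void)
{
    char buf[BUF_SIZE];
    const char *small = "hello";                              /* 6 bytes with NUL */
    const char *big   = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 'A's, 33 with NUL */
    size_t n;

    would_overflow(sizeof buf, big, &n);
    printf("strcpy would write %zu bytes into a %zu-byte buffer: overflow\n",
           n, sizeof buf);

    if (checked_copy(buf, sizeof buf, small) == 0)
        printf("checked_copy: stored \"%s\"\n", buf);
    if (checked_copy(buf, sizeof buf, big) < 0)
        printf("checked_copy: rejected %zu-byte input\n", strlen(big));

    n = bounded_copy(buf, sizeof buf, big);
    printf("bounded_copy: stored \"%s\" (%s)\n", buf,
           n >= sizeof buf ? "truncated" : "complete");
    return 0;
}
```

Note the off-by-one at the boundary: a 16-character string does not fit a 16-byte buffer, because the terminating NUL is the 17th byte.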

Continue reading in the full edition!
