attackerWhen networkcan be confidentsecurity mechanismsthat the techniquedo not 
Attack patterns
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
// TRACE("a is equal to one");
printf("ccc");
return 42;
}
•Table of Contents
printf("-");
•Index
Exploiting Software How to Break Code
return 0;
ByGreg Hoglund,Gary McGraw
}
Publisher: Addison Wesley
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
Pages: 512
The function, compiled without debugging, looks like this:
How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
<stuff>
attack, you must first learn how real attacks are really carried out.
00401000 cmp dword ptr [esp+4],1
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about
00401005 jne 0040101A
00401007 push 407034h
Why software exploit will continue to be a serious problem
0040100C call 00401060
When network security mechanisms do not work
00401011Attack paddtterns |
esp,4 |
|
Reverse engineering |
eax,2Ah |
|
00401014 |
mov |
|
Classic attacks against server software |
||
00401019 |
ret |
|
Surprising attacks against client software |
||
0040101A |
push |
407030h |
Techniques for crafting malicious input |
||
0040101F |
call |
00401060 |
The technical details of buffer overflows |
||
00401024 |
add |
esp,4 |
Rootkits |
eax,eax |
|
00401027 |
xor |
|
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
00401029 ret software.
In this listing, we can see that the compiled program has several jmp statements. These statem cause the code to branch. Typically these branches occur as a result of if() or while() calls pr in the source code. We can take advantage of this fact and subtly alter program flow. Patches p over branching statements do not require code to be shifted in any way. That is, we can cause t
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
which is called via
• |
Table of Contents |
|
|
• |
Index |
|
|
Exploiting Software How to Break Code |
|
|
|
ByGreg Hoglund,Gary McGraw |
|
|
|
|
Publisher: Addison Wesley |
|
|
00401030Pub Date:68February38 7017, 40200400 |
push |
407038h |
|
|
ISBN: 0-201-78695-8 |
|
|
00401035Pages:FF51215 58 60 40 00 |
call |
dword ptr ds:[406058h] |
|
0040103B C3 |
ret |
|
|
How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? We have accomplished something quite powerful in this example—adding the ability to trace pr
What tools can be used to break software? This book provides the answers.
execution and know when particular program states have occurred. This allows us some insight
the logical flow inside a program, which is excellent news for budding software exploiters. Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
Patching the NT Kernel to Remove All Security
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about
As a general rule, some of the best patches are very simple in nature. A good patch may be onl bytes long. This is certainly the case with the NT kernel. It is possible to patch the kernel and re
all security with, literally, just a few well-placed bytes. This trick was published by one of us
Why software exploit will continue to be a serious problem
(Hoglund) several years ago. Since then, multiple sources have reported optimizing the kernel
to a single byte. In one case, the difference between the original byte and the patched byte is a
When network security mechanisms do not work
only 2 bits! This leads to a very amusing "2-bit hack" to the NT OS. The idea that a single strate
flip can cause such a far-reaching and catastrophic result to the security of a system is very telli Attack patterns
Perhaps NT security is only worth two bits after all!
Reverse engineering
Personally, we would be afraid to fly on an airplane in which the flight control software could be
easily and catastrophically affected by a solar flare. Imagine the US navy, which to this day ope Classic attacks against server software
ships using a Windows NT infrastructure. Could a simple bit flip (caused by, say, a power surge computerSurprisingmemoryattackscauseagainstthe entireclientsecuritysoftwarecontrol of the information system to fail? If the bit f occurs in a primary domain controller this may very well be the case. Many safety-critical softw systemsTechniquesare extremelyfor craftingfault tolerantmalicioustoinputstrangeness, like bit rot, but not Windows NT. Clearly, f
tolerance was not one of the goals of the Microsoft kernel team. 
The technical details of buffer overflows
The following is a reverse assembly of a critical function in the NT kernel called SeAccessCheck
Rootkits
This single function is responsible for enforcing a go/no-go on all object access in the kernel. Th
means that, no matter who you are, if you try to access something within the NT environment,
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break have to get past this function first. This goes for all sorts of bit patterns, including files, registry
software.
handles, semaphores, and pipes. The function returns success or failure depending on the acces controls placed on the target object. It performs a great deal of comparison between the access of the user and the ACL of the target. The reverse assembly is provided by IDA-Pro, as follows:.
8019A0E6 ; Exported entry 816. SeAccessCheck
8019A0E6
8019A0E6• |
;Table of Contents |
• |
Index |
===========================================================================
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
8019A0E6
Publisher: Addison Wesley |
S u b r o u t i n e |
|
8019A0E6 ; |
||
Pub Date: February 17, 2004 |
|
|
8019A0E6ISBN:;0-201Attributes:-78695-8 |
bp-based |
frame |
Pages: 512 |
|
|
8019A0E6 |
|
|
8019A0E6 |
public |
SeAccessCheck |
8019A0E6 SeAccessCheck |
proc near |
|
How does software break? How do attackers make software break on purpose? Why are
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? |
|
8019A0E6 |
; sub_80133D06+B0p ... |
What tools can be used to break software? This book provides the answers.
8019A0E6
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
8019A0E6 arg_0 = dword ptr 8 ; appears to point to a attack, you must first learn how real attacks are really carried out.
; Security Descriptor
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about
8019A0E6 arg_4 = dword ptr 0Ch
8019A0E6 arg_8 = byte ptr 10h
Why software exploit will continue to be a serious problem
8019A0E6WhenargnetworkC security mechanisms= dword doptrnot14hwork
Attack patterns |
= dword ptr |
18h |
8019A0E6 arg 10 |
||
Reverse engineering |
= dword ptr |
1Ch |
8019A0E6 arg_14 |
||
Classic attacks against server software |
20h |
|
8019A0E6 arg_18 |
= dword ptr |
|
Surprising attacks against client software |
24h |
|
8019A0E6 arg_1C |
= dword ptr |
|
Techniques for crafting malicious input |
28h |
|
8019A0E6 arg_20 |
= dword ptr |
|
The technical details of buffer overflows |
2Ch |
|
8019A0E6 arg_24 |
= dword ptr |
|
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software.
Note that IDA shows us the arguments to the function call. This is very useful because we can s the arguments are referenced in the code below. At the time this was discovered, the SeAccess call was not documented by Microsoft directly, but it was declared in the header files provided i DDK, where it was obviously called. The call looks like this:
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
8019A213 |
push |
[ebp+arg_1C] |
8019A216 |
push |
[ebp+arg_10] |
8019A219 |
push |
[ebp+arg_18] |
8019A21C |
push |
ebx |
•Table of Contents
8019A21D• |
Index |
push |
dword ptr [esi] |
|
Exploiting Software How to Break Code |
|
|
||
8019A21FByGreg Hoglund,Gary McGraw |
push |
dword ptr [esi+8] |
|
|
8019A222 |
|
push |
[ebp+arg_0] |
|
Publisher: Addison Wesley |
|
|
|
|
Pub Date: February 17, 2004 |
call |
sub_80199836 |
; decompiled below |
|
8019A225 |
|
|||
ISBN: 0-201-78695-8 |
|
|
|
|
Pages: 512 |
cmp |
[ebp+arg_8], 0 |
|
|
8019A22A |
|
|
||
8019A22E |
|
mov |
bl, al |
|
8019A230 |
|
jnz |
short loc_8019A238 |
|
How does software break? How do attackers make software break on purpose? Why are
8019A232 push esi
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
8019A233 call SeUnlockSubjectContext ; not usually hit
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
8019A238
techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out.
8019A238 loc_8019A238: ; CODE XREF: SeAccessCheck+1
This must-have book may shock you—and it will certainly educate you.Getting beyond the
8019A238script kiddie treatment found inmovmany hackingal, blooks, you will learn about
8019A23A
Why software exploit will continue to be a serious problem |
|
||
8019A23A loc_8019A23A: |
|
; CODE |
XREF: SeAccessCheck+4 |
When network security mechanisms do not work |
|
||
8019A23A |
|
; SeAccessCheck+65 ... |
|
Attack patterns |
|
|
|
8019A23AReverse engineering |
pop |
edi |
|
8019A23BClassic attacks against serverpop softwareesi |
|
||
8019A23CSurprising attacks againstpopclient softwareebx |
|
||
8019A23DTechniques for crafting maliciouspop |
inputebp |
|
|
The technical details of buffer overflows |
|
||
8019A23E |
retn |
28h |
|
Rootkits |
endp |
|
|
8019A23E SeAccessCheck |
|
|
|
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break software.
The code for the call sub_80199836 is decompiled. So far we haven't made any changes to the because we really are just trying to find our way around. The following routine is called directly
SeAccessCheck and does the actual, real work. It is here we will begin patching the kernel.
IDA-Pro allows you to create comments in the source. You can see the comments made as we s through the source. To learn what was happening, we create a file on our computer and set the permissions so that we can't access it. We then tried repeatedly to access the file while setting
points in the kernel using SoftIce. Whenever we hit the break point, we single step through the using SoftIce. The following is a result of perhaps a hundred trips through the code in real time
The following is a subroutine called from SeAccessCheck. Looks like most of the work is being d here. We'll try to patch this routine.
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
Publisher: Addison Wesley
80199836 ;
Pub Date: February 17, 2004
ISBN: 0-201-78695-8
==============================================================================
Pages: 512
80199836
80199836 ; |
S u b r o u t i n e |
How80199836does softwa; Attributes:e break? Howbp-baseddo attackersframemake software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What80199836tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and |
|||
80199836 sub_80199836 |
proc near |
; CODE |
XREF: PAGE:80199FFA |
techniques used by bad guys to break software. If you want to protect your software from |
|
attack, you must first learn how real attacks are really carried out. |
|
80199836 |
; SeAccessCheck+13F ... |
This must-have book may shock you—and it will certainly educate you.Getting beyond the
80199836
script kiddie treatment found in many hacking books, you will learn about
80199836 |
var_14 |
= dword ptr -14h |
|
||
Why software exploit will continue to be a serious problem |
|||||
80199836 |
var_10 |
= dword ptr -10h |
|
||
When network security mechanisms do not work |
|
||||
80199836 |
var_C |
= dword ptr -0Ch |
|
||
Attack patterns |
= dword ptr -8 |
|
|||
80199836 |
var_8 |
|
|||
Reverse engineering |
ptr -2 |
|
|||
80199836 |
var_2 |
= byte |
|
||
Classic attacks against server software |
8 |
|
|||
80199836 |
arg_0 |
= dword ptr |
|
||
Surprising attacks against client software |
|
|
|||
80199836 |
arg_4 |
= dword ptr |
0Ch |
|
|
Techniques for crafting malicious input |
|
|
|||
80199836 |
arg_8 |
= dword ptr |
10h |
|
|
The technical details of buffer overflows |
|
|
|||
80199836Rootkitsarg_C |
= dword ptr |
14h |
|
||
80199836ExploitingargSoftware_10 |
is filled with= dwordthe tools,ptrconcepts,18h |
and knowledge necessary to break |
|||
software. |
arg_16 |
= byte |
ptr |
1Eh |
|
80199836 |
|
||||
80199836 |
arg_17 |
= byte |
ptr |
1Fh |
|
80199836 |
arg_18 |
= dword ptr |
20h |
|
|
80199836 |
arg_1C |
= dword ptr |
24h |
|
|
80199836 |
arg_20 |
= |
dword ptr |
28h |
|
80199836 |
arg_24 |
= |
dword ptr |
2Ch |
|
80199836 |
|
|
|
|
|
80199836 |
|
push |
ebp |
|
|
•Table of Contents
80199837 |
mov |
ebp, esp |
•Index
Exploiting Software How to Break Code |
esp, 14h |
|
|
80199839 |
sub |
|
|
ByGreg Hoglund,Gary McGraw |
|
|
|
8019983C |
push |
ebx |
|
Publisher: Addison Wesley |
|
|
|
8019983DPub Date: February 17, 2004 |
push |
esi |
|
ISBN: 0-201-78695-8 |
|
|
|
8019983EPages: 512 |
push |
edi |
|
8019983F |
xor |
ebx, ebx |
|
80199841 |
mov |
eax, [ebp+arg_8] |
; pulls eax |
How does software break? How do attackers make software break on purpose? Why are
80199844 mov [ebp+var_14], ebx ; ebx is zero, looks firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and |
|||
|
|
|
; bunch of loca |
techniques used by bad guys to break software. If you want to protect your software from |
|||
attack, you must first learn how real attacks are really carried out. |
|||
80199847 |
mov |
[ebp+var_C], ebx |
|
This must-have book may shock you—and it will certainly educate you.Getting beyond the |
|||
8019984A |
mov |
[ebp-1], bl |
|
script kiddie treatment found in many hacking books, you will learn about |
|||
8019984D |
mov |
[ebp+var_2], bl |
|
Why software exploit will continue to be a serious problem |
; check that arg8 is |
||
80199850 |
cmp |
eax, ebx |
|
When network security mechanisms do not work |
; NULL |
||
Attack patterns |
|
|
|
jnz |
short loc_80199857 |
|
|
80199852 |
|
||
Reverse engineering |
mov |
eax, [ebp+arg_4] |
; arg4 pts to |
80199854 |
|||
Classic attacks against server software |
|
||
Surprising attacks against client software |
; "USER32 " |
||
|
|||
80199857 |
|
|
|
Techniques for crafting malicious input |
|
||
80199857The technicalloc_80199857:details of buffer overflows |
|
||
80199857Rootkits |
mov |
edi, [ebp+arg_C] |
; checking some flags |
; off of this o
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software. |
mov |
[ebp+var_8], eax |
; var_8 = arg_4 |
|
8019985A |
||||
8019985D |
test |
edi, 1000000h |
; obviously fla |
|
|
|
|
; |
desired acces |
|
|
|
; |
I think... |
80199863 |
jz |
short loc_801998CA ; normally |
this jumps.. |
|
|
; |
go ahead and |
80199865 |
push |
[ebp+arg_18] |
|
80199868 |
push |
[ebp+var_8] |
|
•Table of Contents
8019986B |
push |
dword_8014EE94 |
•Index
Exploiting Software How to Break Code |
dword_8014EE90 |
|
|
80199871 |
push |
|
|
ByGreg Hoglund,Gary McGraw |
|
|
|
80199877 |
call |
sub_8019ADE0 |
; another undoc'd sub |
Publisher: Addison Wesley |
|
|
|
8019987CPub Date: February 17, 2004 |
test |
al, al |
; return code |
ISBN: 0-201-78695-8 |
|
|
|
8019987EPages: 512 |
jnz |
short loc_80199890 |
|
80199880 |
mov |
ecx, [ebp+arg_24] |
|
80199883 |
xor |
al, al |
|
How does software break? How do attackers make software break on purpose? Why are |
||
80199885 |
mov |
dword ptr [ecx], 0C0000061h |
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? |
||
What tools can be used to break software? This book provides the answers. |
||
8019988B |
jmp |
loc_80199C0C |
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
80199890 ;
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
===========================================================================
This must-have book may shock you—and it will certainly educate you.Getting beyond the removed source here
script kiddie treatment found in many hacking books, you will learn about
801998CA ;
Why software exploit will continue to be a serious problem
===========================================================================
When network security mechanisms do not work
801998CA
Attack patterns |
|
|
|
; jump from above lands |
801998CA loc_801998CA: |
|
|
|
|
Reverse engineering |
|
|
|
; sub_80199836 |
801998CA |
|
|
|
|
Classic attacks against server software |
|
|
||
801998CA |
mov |
eax, [ebp+arg_0] |
; arg0 pts to a |
|
Surprising attacks against client software |
|
|
||
Techniques for crafting malicious input |
|
; Security Descr |
||
801998CDThe technical details of buffermov overflowsdx, [eax+2] |
; offset 2 is th |
|||
Rootkits |
|
|
|
; 80 04 number.. |
801998D1Exploiting Softwareis filled withmovthe tools,cx,concepts,dx |
and knowledge necessary to break |
|||
software. |
and |
cx, 4 |
|
; 80 04 become 0 |
801998D4 |
|
|||
801998D8 |
jz |
short loc_801998EA |
; normally doesnt jump |
|
801998DA |
mov |
esi, [eax+10h] |
; SD[10h] is an |
|
|
|
|
|
; value to the D |
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
the source and the target requirements. In this case, if a match occurs, we are explicitly denied access. Obviously this is bad and we want to avoid the match. The jz only jumps if the match f this case, we always want the jump to occur. We can patch the jz to make it a straight jmp tha always jump regardless of the preceding logic.
•Table of Contents
•Index
Exploiting Software How to Break Code
ByGreg Hoglund,Gary McGraw
80199B5FPublisher: Addison Wesley |
test |
[esi+4], edi |
; we avoid this flag |
Pub Date: February 17, 2004 |
|
|
; check w/ the patch |
ISBN: 0-201-78695-8 |
|
|
|
Pages: 512 |
jnz |
short loc_80199B79 |
|
80199B62 |
|
||
80199B64 |
|
|
|
80199B64 loc_80199B64: |
|
; CODE |
XREF: sub_801998 |
How does software break? How do attackers make software break on purpose? Why are |
|||
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? |
|||||
80199B64 |
|
|
; sub_80199836+2D3 |
||
What tools can be used to break software? This book provides the answers. |
|||||
80199B64 |
mov |
ecx, [ebp+var_10] |
; our loop routine, |
||
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and |
|||||
techniques used by bad guys to break software. If you want to protect your software from |
|||||
attack, you must first learn how real attacks are really carried out. |
; |
called from above |
|||
|
|
||||
|
|
|
|
; |
we loop around and |
This must-have book may shock you—and it will certainly educate you.Getting beyond the |
|||||
script kiddie treatment found in many hacking books, you will learn about |
|||||
|
|
|
|
; |
around. |
Why software exploit will continue to be a serious problem |
|
; |
var_10 is the numb |
||
When network security mechanisms do not work |
|
; |
of ACEs |
||
80199B67Attack patterns |
inc |
[ebp+var_C] |
|
; |
var_C is the curre |
Reverse engineering |
|
|
|
; |
ACE |
Classic attacks against server software |
|
; |
byte 3 is the offs |
||
80199B6A |
movzx |
eax, word ptr [esi+2] |
|||
Surprising attacks against client software |
|
; |
to the next ACE |
||
|
|
|
|
||
Techniques for crafting malicious input |
; FFWD |
|
|
||
80199B6E |
add |
esi, eax |
|
|
|
The technical details of buffer overflows |
; check |
to see if we |
|||
80199B70 |
cmp |
[ebp+var_C], ecx |
|||
Rootkits |
|
|
|
; |
are done |
|
|
|
|
||
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break |
|||||
80199B73software. |
jb |
loc_80199AE7 |
|
; |
if not, go back up |
80199B79 |
|
|
|
|
|
80199B79 loc_80199B79: |
|
|
; CODE |
XREF: sub_801998 |
|
80199B79 |
|
|
; sub_80199836+2B3 |
||
80199B79 |
xor |
eax, eax |
; this is our general |
||
|
|
|
|
; exit routine |
||
80199B7B |
|
test |
edi, edi |
; if EDI isn't |
empty, |
|
|
|
|
|
; then a |
DENIED stat |
|
• |
Table of Contents |
|
|
; was reached above |
||
jz |
short loc_80199B91 ; so patch the |
JZ into |
||||
80199B7D• |
Index |
|||||
Exploiting Software How to Break Code
; a JMP so we never
ByGreg Hoglund,Gary McGraw
; return ACCESS_DENI
Publisher: Addison Wesley
Pub Date: February 17, 2004 |
; <PATCH ME> |
|
ISBN: 0-201-78695-8
Pages: 512
A final check is made here to determine what the result of the call will be. If any of the previous
results in a denied state, then the jz will not jump. We obviously want the jump to occur no ma
what, so we (once again) patch the jz into a jmp. This is the final patch, and the routine will no
How does software break? How do attackers make software break on purpose? Why are always evaluate to TRUE. The rest of the routine follows for those who are interested in the cod firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?
What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
attack, you must first learn how real attacks are really carried out.
This must-have book may shock you—and it will certainly educate you.Getting beyond the
script kiddie treatment found in many hacking books, you will learn about
80199B7F |
mov |
ecx, [ebp+arg_1C] |
|
Why software exploit will continue to be a serious problem |
|||
80199B82 |
mov |
[ecx], |
eax |
When network security mechanisms do not work |
|||
80199B84 |
mov |
eax, [ebp+arg_24] |
|
Attack patterns |
|
|
|
Reverse engineering |
; STATUS_ACCESS_DENIED |
||
|
|
||
80199B87 |
mov |
dword ptr [eax], 0C0000022h |
|
Classic attacks against server software |
|
||
80199B8DSurprising attacks againstxorclient softwareal, al |
|
||
80199B8FTechniques for crafting maliciousjmp |
inputshort loc_80199C0C |
||
80199B91The technical; |
details of buffer overflows |
|
|
===========================================================================Rootkits
Exploiting80199B91 Softwareis filled with the tools, concepts, and knowledge necessary to break
software.
80199B91 |
loc_80199B91: |
|
|
; |
CODE |
XREF: sub_801998 |
80199B91 |
|
mov |
eax, [ebp+1Ch] |
|
|
|
80199B94 |
|
mov |
ecx, [ebp+arg_1C] |
; |
result code into |
|
|
|
|
|
|
|
; &arg_1C |
80199C0A |
|
; sub_80199836+152 |
|
80199C0A |
mov |
al, 1 |
|
80199C0C |
|
|
|
80199C0C loc_80199C0C: |
|
; CODE |
XREF: sub_801998 |
•Table of Contents
80199C0C |
; sub_80199836+8F |
•Index
Exploiting Software How to Break Code |
edi |
|
|
80199C0C |
pop |
|
|
ByGreg Hoglund,Gary McGraw |
|
|
|
80199C0D |
pop |
esi |
|
Publisher: Addison Wesley |
|
|
|
80199C0EPub Date: February 17, 2004 |
pop |
ebx |
|
ISBN: 0-201-78695-8 |
|
|
|
80199C0FPages: 512 |
mov |
esp, ebp |
|
80199C11 |
pop |
ebp |
|
80199C12 |
retn |
28h |
; Outta Here! |
How does software break? How do attackers make software break on purpose? Why are |
|
80199C12 sub_80199836 |
endp |
firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.
Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and
techniques used by bad guys to break software. If you want to protect your software from
The result of the kernel patch shown here is that a remote user can connect to the target machi
attack, you must first learn how real attacks are really carried out.
using the anonymous IPC$ pipe, no password required, and kill any process, download the SAM
(equivalent of a user/password file) database, modify the SAM database, and upload/overwrite
This must-have book may shock you—and it will certainly educate you.Getting beyond the SAM database. This is not good. The anonymous user can operate like a device driver and acces script kiddie treatment found in many hacking books, you will learn about
part of the trusted computing base in the target domain.
Using our US navy example, this means that any computer program operating anywhere within
Why software exploit will continue to be a serious problem
NT domain can access any other part of the domain with impunity. So, why does the navy insist
using NT?
When network security mechanisms do not work
Attack patterns
Reverse engineering
Classic attacks against server software
Surprising attacks against client software
Techniques for crafting malicious input
The technical details of buffer overflows
Rootkits
Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break
software.