Hacking: The Art of Exploitation, 2nd Edition

Book Description

Hacking is the art of creative problem solving, whether that means finding an unconventional solution to a difficult problem or exploiting holes in sloppy programming. Many people call themselves hackers, but few have the strong technical foundation needed to really push the envelope.

Rather than merely showing how to run existing exploits, author Jon Erickson explains how arcane hacking techniques actually work. To share the art and science of hacking in a way that is accessible to everyone, Hacking: The Art of Exploitation, 2nd Edition introduces the fundamentals of C programming from a hacker's perspective.

The included LiveCD provides a complete Linux programming and debugging environment, all without modifying your current operating system. Use it to follow along with the book's examples as you fill gaps in your knowledge and explore hacking techniques on your own. Get your hands dirty debugging code, overflowing buffers, hijacking network communications, bypassing protections, exploiting cryptographic weaknesses, and perhaps even inventing new exploits. This book will teach you how to:

  • Program computers using C, assembly language, and shell scripts

  • Corrupt system memory to run arbitrary code using buffer overflows and format strings

  • Inspect processor registers and system memory with a debugger to gain a real understanding of what is happening

  • Outsmart common security measures like nonexecutable stacks and intrusion detection systems

  • Gain access to a remote server using port-binding or connect-back shellcode, and alter a server's logging behavior to hide your presence

  • Redirect network traffic, conceal open ports, and hijack TCP connections

  • Crack WEP-encrypted wireless traffic using the Fluhrer, Mantin, and Shamir (FMS) attack, and speed up brute-force password attacks using a password probability matrix

Hackers are always pushing the boundaries, investigating the unknown, and evolving their art. Even if you don't already know how to program, Hacking: The Art of Exploitation, 2nd Edition will give you a complete picture of programming, machine architecture, network communications, and existing hacking techniques. Combine this knowledge with the included Linux environment, and all you need is your own creativity.

Table of Contents

  1. Hacking: The Art of Exploitation, 2nd Edition
    1. HACKING: THE ART OF EXPLOITATION, 2ND EDITION.
    2. ACKNOWLEDGMENTS
    3. PREFACE
    4. 0x100. INTRODUCTION
    5. 0x200. PROGRAMMING
      1. 0x210. What Is Programming?
      2. 0x220. Pseudo-code
      3. 0x230. Control Structures
        1. 0x231. If-Then-Else
        2. 0x232. While/Until Loops
        3. 0x233. For Loops
      4. 0x240. More Fundamental Programming Concepts
        1. 0x241. Variables
        2. 0x242. Arithmetic Operators
        3. 0x243. Comparison Operators
        4. 0x244. Functions
      5. 0x250. Getting Your Hands Dirty
        1. 0x250. Getting Your Hands Dirty
          1. firstprog.c
        2. 0x251. The Bigger Picture
        3. 0x252. The x86 Processor
        4. 0x253. Assembly Language
          1. ASCII Table
      6. 0x260. Back to Basics
        1. 0x261. Strings
          1. char_array.c
          2. char_array2.c
        2. 0x262. Signed, Unsigned, Long, and Short
          1. datatype_sizes.c
        3. 0x263. Pointers
          1. pointer.c
          2. addressof.c
          3. addressof2.c
        4. 0x264. Format Strings
          1. fmt_strings.c
          2. input.c
        5. 0x265. Typecasting
          1. typecasting.c
          2. pointer_types.c
          3. pointer_types2.c
          4. pointer_types3.c
          5. pointer_types4.c
          6. pointer_types5.c
        6. 0x266. Command-Line Arguments
          1. commandline.c
          2. convert.c
          3. convert2.c
        7. 0x267. Variable Scoping
          1. scope.c
          2. scope2.c
          3. scope3.c
          4. static.c
          5. static2.c
      7. 0x270. Memory Segmentation
        1. 0x270. Memory Segmentation
          1. stack_example.c
        2. 0x271. Memory Segments in C
          1. memory_segments.c
        3. 0x272. Using the Heap
          1. heap_example.c
        4. 0x273. Error-Checked malloc()
          1. errorchecked_heap.c
      8. 0x280. Building on Basics
        1. 0x281. File Access
          1. simplenote.c
          2. bitwise.c
          3. fcntl_flags.c
        2. 0x282. File Permissions
        3. 0x283. User IDs
          1. uid_demo.c
          2. hacking.h
          3. notetaker.c
          4. notesearch.c
        4. 0x284. Structs
          1. time_example.c
          2. time_example2.c
        5. 0x285. Function Pointers
          1. funcptr_example.c
        6. 0x286. Pseudo-random Numbers
          1. rand_example.c
        7. 0x287. A Game of Chance
          1. game_of_chance.c
    6. 0x300. EXPLOITATION
      1. 0x310. Generalized Exploit Techniques
      2. 0x320. Buffer Overflows
        1. 0x320. Buffer Overflows
          1. overflow_example.c
          2. exploit_notesearch.c
        2. 0x321. Stack-Based Buffer Overflow Vulnerabilities
          1. auth_overflow.c
          2. auth_overflow2.c
      3. 0x330. Experimenting with BASH
        1. 0x330. Experimenting with BASH
          1. From exploit_notesearch.c
        2. 0x331. Using the Environment
          1. getenv_example.c
          2. getenvaddr.c
          3. Code from libc-2.2.2
          4. exploit_notesearch_env.c
      4. 0x340. Overflows in Other Segments
        1. 0x341. A Basic Heap-Based Overflow
          1. Excerpt from notetaker.c
        2. 0x342. Overflowing Function Pointers
          1. From game_of_chance.c
      5. 0x350. Format Strings
        1. 0x351. Format Parameters
          1. fmt_uncommon.c
        2. 0x352. The Format String Vulnerability
          1. fmt_vuln.c
        3. 0x353. Reading from Arbitrary Memory Addresses
        4. 0x354. Writing to Arbitrary Memory Addresses
        5. 0x355. Direct Parameter Access
        6. 0x356. Using Short Writes
        7. 0x357. Detours with .dtors
          1. dtors_sample.c
        8. 0x358. Another notesearch Vulnerability
        9. 0x359. Overwriting the Global Offset Table
    7. 0x400. NETWORKING
      1. 0x410. OSI Model
      2. 0x420. Sockets
        1. 0x421. Socket Functions
          1. From /usr/include/bits/socket.h
          2. From /usr/include/bits/socket.h
        2. 0x422. Socket Addresses
          1. From /usr/include/bits/socket.h
          2. From /usr/include/bits/socket.h
          3. From /usr/include/netinet/in.h
        3. 0x423. Network Byte Order
        4. 0x424. Internet Address Conversion
        5. 0x425. A Simple Server Example
          1. Added to hacking.h
          2. simple_server.c
          3. From a Remote Machine
          4. On a Local Machine
        6. 0x426. A Web Client Example
          1. From /etc/services
          2. hacking-network.h
          3. From /usr/include/netdb.h
          4. host_lookup.c
          5. webserver_id.c
        7. 0x427. A Tinyweb Server
          1. tinyweb.c
      3. 0x430. Peeling Back the Lower Layers
        1. 0x431. Data-Link Layer
        2. 0x432. Network Layer
          1. From RFC 791
        3. 0x433. Transport Layer
          1. From RFC 793
      4. 0x440. Network Sniffing
        1. 0x441. Raw Socket Sniffer
          1. raw_tcpsniff.c
        2. 0x442. libpcap Sniffer
          1. pcap_sniff.c
        3. 0x443. Decoding the Layers
          1. From /usr/include/if_ether.h
          2. Added to hacking-network.h
          3. From /usr/include/netinet/ip.h
          4. From RFC 791
          5. Added to hacking-network.h
          6. From /usr/include/netinet/tcp.h
          7. From RFC 793
          8. Added to hacking-network.h
          9. decode_sniff.c
        4. 0x444. Active Sniffing
          1. From nemesis-arp.c
          2. From nemesis.h
          3. From nemesis-arp.c
          4. From nemesis-proto_arp.c
          5. From the libnet Man Page
          6. From the arpspoof Man Page
          7. arpspoof.c
          8. From the libnet Man Page
      5. 0x450. Denial of Service
        1. 0x451. SYN Flooding
          1. synflood.c
        2. 0x452. The Ping of Death
        3. 0x453. Teardrop
        4. 0x454. Ping Flooding
        5. 0x455. Amplification Attacks
        6. 0x456. Distributed DoS Flooding
      6. 0x460. TCP/IP Hijacking
        1. 0x461. RST Hijacking
          1. rst_hijack.c
        2. 0x462. Continued Hijacking
      7. 0x470. Port Scanning
        1. 0x471. Stealth SYN Scan
        2. 0x472. FIN, X-mas, and Null Scans
        3. 0x473. Spoofing Decoys
        4. 0x474. Idle Scanning
        5. 0x475. Proactive Defense (shroud)
          1. FIN Scan Before the Kernel Modification
          2. FIN Scan After the Kernel Modification
          3. shroud.c
      8. 0x480. Reach Out and Hack Someone
        1. 0x480. Reach Out and Hack Someone
          1. From hacking-network.h
        2. 0x481. Analysis with GDB
        3. 0x482. Almost Only Counts with Hand Grenades
          1. tinyweb_exploit.c
        4. 0x483. Port-Binding Shellcode
          1. New Line from tinyweb_exploit2.c
    8. 0x500. SHELLCODE
      1. 0x510. Assembly vs. C
        1. 0x510. Assembly vs. C
          1. helloworld.c
          2. Man Page for the write() System Call
          3. From /usr/include/unistd.h
        2. 0x511. Linux System Calls in Assembly
          1. From /usr/include/asm-i386/unistd.h
          2. helloworld.asm
      2. 0x520. The Path to Shellcode
        1. 0x521. Assembly Instructions Using the Stack
          1. helloworld1.s
        2. 0x522. Investigating with GDB
        3. 0x523. Removing Null Bytes
          1. helloworld2.s
          2. helloworld3.s
      3. 0x530. Shell-Spawning Shellcode
        1. 0x530. Shell-Spawning Shellcode
          1. exec_shell.c
          2. exec_shell.s
          3. tiny_shell.s
        2. 0x531. A Matter of Privilege
          1. drop_privs.c
          2. priv_shell.s
        3. 0x532. And Smaller Still
          1. shellcode.s
      4. 0x540. Port-Binding Shellcode
        1. 0x540. Port-Binding Shellcode
          1. bind_port.c
          2. From /usr/include/linux/net.h
          3. bind_port.s
        2. 0x541. Duplicating Standard File Descriptors
          1. New Instructions from bind_shell1.s
        3. 0x542. Branching Control Structures
          1. bind_shell.s
      5. 0x550. Connect-Back Shellcode
        1. 0x550. Connect-Back Shellcode
          1. connectback_shell.s
          2. From Another Terminal Window
    9. 0x600. COUNTERMEASURES
      1. 0x610. Countermeasures That Detect
      2. 0x620. System Daemons
        1. 0x621. Crash Course in Signals
          1. signal_example.c
        2. 0x622. Tinyweb Daemon
          1. tinywebd.c
      3. 0x630. Tools of the Trade
        1. 0x631. tinywebd Exploit Tool
          1. xtool_tinywebd.sh
      4. 0x640. Log Files
        1. 0x640. Log Files
          1. tinywebd Log File
        2. 0x641. Blend In with the Crowd
          1. xtool_tinywebd_stealth.sh
      5. 0x650. Overlooking the Obvious
        1. 0x651. One Step at a Time
          1. mark.s
        2. 0x652. Putting Things Back Together Again
          1. mark_break.s
          2. mark_restore.s
        3. 0x653. Child Laborers
          1. loopback_shell_restore.s
      6. 0x660. Advanced Camouflage
        1. 0x661. Spoofing the Logged IP Address
          1. Code Segment from tinywebd.c
          2. addr_struct.c
          3. xtool_tinywebd_spoof.sh
        2. 0x662. Logless Exploitation
          1. xtool_tinywebd_silent.sh
      7. 0x670. The Whole Infrastructure
        1. 0x671. Socket Reuse
          1. Excerpt from tinywebd.c
          2. socket_reuse_restore.s
          3. xtool_tinywebd_reuse.sh
      8. 0x680. Payload Smuggling
        1. 0x681. String Encoding
          1. encoded_sockreuserestore_dbg.s
          2. From Another Terminal
        2. 0x682. How to Hide a Sled
      9. 0x690. Buffer Restrictions
        1. 0x690. Buffer Restrictions
          1. update_info.c
        2. 0x691. Polymorphic Printable ASCII Shellcode
          1. printable_helper.c
          2. printable.s
      10. 0x6a0. Hardening Countermeasures
      11. 0x6b0. Nonexecutable Stack
        1. 0x6b1. ret2libc
        2. 0x6b2. Returning into system()
          1. vuln.c
      12. 0x6c0. Randomized Stack Space
        1. 0x6c0. Randomized Stack Space
          1. aslr_demo.c
        2. 0x6c1. Investigations with BASH and GDB
        3. 0x6c2. Bouncing Off linux-gate
          1. find_jmpesp.c
        4. 0x6c3. Applied Knowledge
        5. 0x6c4. A First Attempt
          1. aslr_execl.c
        6. 0x6c5. Playing the Odds
          1. aslr_execl_exploit.c
    10. 0x700. CRYPTOLOGY
      1. 0x710. Information Theory
        1. 0x711. Unconditional Security
        2. 0x712. One-Time Pads
        3. 0x713. Quantum Key Distribution
        4. 0x714. Computational Security
      2. 0x720. Algorithmic Run Time
        1. 0x721. Asymptotic Notation
      3. 0x730. Symmetric Encryption
        1. 0x731. Lov Grover's Quantum Search Algorithm
      4. 0x740. Asymmetric Encryption
        1. 0x741. RSA
        2. 0x742. Peter Shor's Quantum Factoring Algorithm
      5. 0x750. Hybrid Ciphers
        1. 0x751. Man-in-the-Middle Attacks
          1. On Machine 192.168.42.250 (tetsuo), Connecting to 192.168.42.72 (loki)
          2. On the Attacker's Machine
        2. 0x752. Differing SSH Protocol Host Fingerprints
          1. From 192.168.42.250 (tetsuo), Just an Innocent Machine on the Network
          2. On the Attacker's Machine, Setting Up mitm-ssh to Only Use SSH1 Protocol
          3. Now Back on 192.168.42.250 (tetsuo)
        3. 0x753. Fuzzy Fingerprints
          1. Normal Connection
          2. MitM-Attacked Connection
      6. 0x760. Password Cracking
        1. 0x760. Password Cracking
          1. crypt_test.c
        2. 0x761. Dictionary Attacks
          1. crypt_crack.c
        3. 0x762. Exhaustive Brute-Force Attacks
        4. 0x763. Hash Lookup Table
        5. 0x764. Password Probability Matrix
          1. ppm_gen.c
          2. ppm_crack.c
      7. 0x770. Wireless 802.11b Encryption
        1. 0x771. Wired Equivalent Privacy
        2. 0x772. RC4 Stream Cipher
      8. 0x780. WEP Attacks
        1. 0x781. Offline Brute-Force Attacks
        2. 0x782. Keystream Reuse
        3. 0x783. IV-Based Decryption Dictionary Tables
        4. 0x784. IP Redirection
        5. 0x785. Fluhrer, Mantin, and Shamir Attack
          1. fms.c
    11. 0x800. CONCLUSION
      1. 0x810. References
      2. 0x820. Sources
    12. COLOPHON