You are previewing The Shellcoder's Handbook: Discovering and Exploiting Security Holes, Second Edition.
O'Reilly logo
The Shellcoder's Handbook: Discovering and Exploiting Security Holes, Second Edition

Book Description

  • This much-anticipated revision, written by the ultimate group of top security experts in the world, features 40 percent new content on how to find security holes in any operating system or application

  • New material addresses the many new exploitation techniques that have been discovered since the first edition, including attacking "unbreakable" software packages such as McAfee's Entercept, Mac OS X, XP, Office 2003, and Vista

  • Also features the first-ever published information on exploiting Cisco's IOS, with content that has never before been explored

  • The companion Web site features downloadable code files

Table of Contents

  1. Copyright
  2. About the Authors
  3. Credits
  4. Acknowledgments
  5. Introduction to the Second Edition
  6. I. Introduction to Exploitation: Linux on x86
    1. 1. Before You Begin
      1. 1.1. Basic Concepts
        1. 1.1.1. Memory Management
        2. 1.1.2. Assembly
          1. 1.1.2.1. Registers
      2. 1.2. Recognizing C and C++ Code Constructs in Assembly
      3. 1.3. Conclusion
    2. 2. Stack Overflows
      1. 2.1. Buffers
      2. 2.2. The Stack
        1. 2.2.1. Functions and the Stack
      3. 2.3. Overflowing Buffers on the Stack
        1. 2.3.1. Controlling EIP
      4. 2.4. An Interesting Diversion
      5. 2.5. Using an Exploit to Get Root Privileges
        1. 2.5.1. The Address Problem
        2. 2.5.2. The NOP Method
      6. 2.6. Defeating a Non-Executable Stack
        1. 2.6.1. Return to libc
      7. 2.7. Conclusion
    3. 3. Shellcode
      1. 3.1. Understanding System Calls
      2. 3.2. Writing Shellcode for the exit() Syscall
      3. 3.3. Injectable Shellcode
      4. 3.4. Spawning a Shell
      5. 3.5. Conclusion
    4. 4. Introduction to Format String Bugs
      1. 4.1. Prerequisites
      2. 4.2. What Is a Format String?
      3. 4.3. What Is a Format String Bug?
      4. 4.4. Format String Exploits
        1. 4.4.1. Crashing Services
        2. 4.4.2. Information Leakage
      5. 4.5. Controlling Execution for Exploitation
      6. 4.6. Why Did This Happen?
      7. 4.7. Format String Technique Roundup
      8. 4.8. Conclusion
    5. 5. Introduction to Heap Overflows
      1. 5.1. What Is a Heap?
        1. 5.1.1. How a Heap Works
      2. 5.2. Finding Heap Overflows
        1. 5.2.1. Basic Heap Overflows
        2. 5.2.2. Intermediate Heap Overflows
        3. 5.2.3. Advanced Heap Overflow Exploitation
          1. 5.2.3.1. What to Overwrite
            1. 5.2.3.1.1. GOT Entries
            2. 5.2.3.1.2. Global Function Pointers
            3. 5.2.3.1.3. DTORS
            4. 5.2.3.1.4. atexit Handlers
            5. 5.2.3.1.5. Stack Values
      3. 5.3. Conclusion
  7. II. Other Platforms—Windows, Solaris, OS/X, and Cisco
    1. 6. The Wild World of Windows
      1. 6.1. How Does Windows Differ from Linux?
        1. 6.1.1. Win32 API and PE-COFF
      2. 6.2. Heaps
        1. 6.2.1. Threading
      3. 6.3. The Genius and Idiocy of the Distributed Common Object Model and DCE-RPC
        1. 6.3.1. Recon
        2. 6.3.2. Exploitation
        3. 6.3.3. Tokens and Impersonation
        4. 6.3.4. Exception Handling under Win32
      4. 6.4. Debugging Windows
        1. 6.4.1. Bugs in Win32
        2. 6.4.2. Writing Windows Shellcode
        3. 6.4.3. A Hacker's Guide to the Win32 API
        4. 6.4.4. A Windows Family Tree from the Hacker's Perspective
      5. 6.5. Conclusion
    2. 7. Windows Shellcode
      1. 7.1. Syntax and Filters
      2. 7.2. Setting Up
        1. 7.2.1. Parsing the PEB
        2. 7.2.2. Heapoverflow.c Analysis
        3. 7.2.3. Searching with Windows Exception Handling
      3. 7.3. Popping a Shell
      4. 7.4. Why You Should Never Pop a Shell on Windows
      5. 7.5. Conclusion
    3. 8. Windows Overflows
      1. 8.1. Stack-Based Buffer Overflows
      2. 8.2. Frame-Based Exception Handlers
      3. 8.3. Abusing Frame-Based Exception Handling on Windows 2003 Server
        1. 8.3.1.
          1. 8.3.1.1. Abusing an Existing Handler
          2. 8.3.1.2. Find a Block of Code in an Address Not Associated with a Module That Will Get Us Back to Our Buffer
          3. 8.3.1.3. Find a Block of Code in the Address Space of a Module That Does Not Have a Load Configuration Directory
        2. 8.3.2. A Final Note about Frame-Based Handler Overwrites
      4. 8.4. Stack Protection and Windows 2003 Server
      5. 8.5. Heap-Based Buffer Overflows
      6. 8.6. The Process Heap
        1. 8.6.1. Dynamic Heaps
        2. 8.6.2. Working with the Heap
        3. 8.6.3. How the Heap Works
      7. 8.7. Exploiting Heap-Based Overflows
        1. 8.7.1. Overwrite Pointer to RtlEnterCriticalSection in the PEB
        2. 8.7.2. Overwrite Pointer to Unhandled Exception Filter
        3. 8.7.3. Repairing the Heap
        4. 8.7.4. Other Aspects of Heap-Based Overflows
          1. 8.7.4.1. COM Objects and the Heap
          2. 8.7.4.2. Overflowing Logic Program Control Data
        5. 8.7.5. Wrapping Up the Heap
      8. 8.8. Other Overflows
        1. 8.8.1. .data Section Overflows
        2. 8.8.2. TEB/PEB Overflows
      9. 8.9. Exploiting Buffer Overflows and Non-Executable Stacks
      10. 8.10. Conclusion
    4. 9. Overcoming Filters
      1. 9.1. Writing Exploits for Use with an Alphanumeric Filter
      2. 9.2. Writing Exploits for Use with a Unicode Filter
        1. 9.2.1. What Is Unicode?
        2. 9.2.2. Converting from ASCII to Unicode
      3. 9.3. Exploiting Unicode-Based Vulnerabilities
        1. 9.3.1. The Available Instruction Set in Unicode Exploits
      4. 9.4. The Venetian Method
        1. 9.4.1. An ASCII Venetian Implementation
      5. 9.5. Decoder and Decoding
        1. 9.5.1. The Decoder Code
        2. 9.5.2. Getting a Fix on the Buffer Address
      6. 9.6. Conclusion
    5. 10. Introduction to Solaris Exploitation
      1. 10.1. Introduction to the SPARC Architecture
        1. 10.1.1. Registers and Register Windows
        2. 10.1.2. The Delay Slot
        3. 10.1.3. Synthetic Instructions
      2. 10.2. Solaris/SPARC Shellcode Basics
        1. 10.2.1. Self-Location Determination and SPARC Shellcode
        2. 10.2.2. Simple SPARC exec Shellcode
        3. 10.2.3. Useful System Calls on Solaris
        4. 10.2.4. NOP and Padding Instructions
      3. 10.3. Solaris/SPARC Stack Frame Introduction
      4. 10.4. Stack-Based Overflow Methodologies
        1. 10.4.1. Arbitrary Size Overflow
        2. 10.4.2. Register Windows and Stack Overflow Complications
        3. 10.4.3. Other Complicating Factors
        4. 10.4.4. Possible Solutions
        5. 10.4.5. Off-By-One Stack Overflow Vulnerabilities
        6. 10.4.6. Shellcode Locations
      5. 10.5. Stack Overflow Exploitation In Action
        1. 10.5.1. The Vulnerable Program
        2. 10.5.2. The Exploit
      6. 10.6. Heap-Based Overflows on Solaris/SPARC
        1. 10.6.1. Solaris System V Heap Introduction
        2. 10.6.2. Heap Tree Structure
      7. 10.7. Basic Exploit Methodology (t_delete)
        1. 10.7.1. Standard Heap Overflow Limitations
        2. 10.7.2. Targets for Overwrite
          1. 10.7.2.1. The Bottom Chunk
          2. 10.7.2.2. Small Chunk Corruption
      8. 10.8. Other Heap-Related Vulnerabilities
        1. 10.8.1. Off-by-One Overflows
        2. 10.8.2. Double Free Vulnerabilities
        3. 10.8.3. Arbitrary Free Vulnerabilities
      9. 10.9. Heap Overflow Example
        1. 10.9.1. The Vulnerable Program
      10. 10.10. Other Solaris Exploitation Techniques
        1. 10.10.1. Static Data Overflows
        2. 10.10.2. Bypassing the Non-Executable Stack Protection
      11. 10.11. Conclusion
    6. 11. Advanced Solaris Exploitation
      1. 11.1. Single Stepping the Dynamic Linker
      2. 11.2. Various Style Tricks for Solaris SPARC Heap Overflows
      3. 11.3. Advanced Solaris/SPARC Shellcode
      4. 11.4. Conclusion
    7. 12. OS X Shellcode
      1. 12.1. OS X Is Just BSD, Right?
      2. 12.2. Is OS X Open Source?
      3. 12.3. OS X for the Unix-aware
        1. 12.3.1. Password Cracking
      4. 12.4. OS X PowerPC Shellcode
      5. 12.5. OS X Intel Shellcode
        1. 12.5.1. Example Shellcode
        2. 12.5.2. ret2libc
        3. 12.5.3. ret2str(l)cpy
      6. 12.6. OS X Cross-Platform Shellcode
      7. 12.7. OS X Heap Exploitation
      8. 12.8. Bug Hunting on OS X
      9. 12.9. Some Interesting Bugs
      10. 12.10. Essential Reading for OS X Exploits
      11. 12.11. Conclusion
    8. 13. Cisco IOS Exploitation
      1. 13.1. An Overview of Cisco IOS
        1. 13.1.1. Hardware Platforms
        2. 13.1.2. Software Packages
        3. 13.1.3. IOS System Architecture
          1. 13.1.3.1. Memory Layout
          2. 13.1.3.2. IOS Heap
          3. 13.1.3.3. IO Memory
      2. 13.2. Vulnerabilities in Cisco IOS
        1. 13.2.1. Protocol Parsing Code
        2. 13.2.2. Services on the Router
        3. 13.2.3. Security Features
        4. 13.2.4. The Command-Line Interface
      3. 13.3. Reverse Engineering IOS
        1. 13.3.1. Taking the Images Apart
        2. 13.3.2. Diffing IOS Images
        3. 13.3.3. Runtime Analysis
          1. 13.3.3.1. Cisco Onboard Tools
            1. 13.3.3.1.1. The ROM Monitor
            2. 13.3.3.1.2. Crash Dumps
          2. 13.3.3.2. GDB Agent
      4. 13.4. Exploiting Cisco IOS
        1. 13.4.1. Stack Overflows
        2. 13.4.2. Heap Overflows
          1. 13.4.2.1. IOS-Specific Challenges
          2. 13.4.2.2. Memory Write on Unlink
          3. 13.4.2.3. Alternatives
          4. 13.4.2.4. Partial Attacks
            1. 13.4.2.4.1. NVRAM Invalidation
            2. 13.4.2.4.2. Global Variable Overwrite
        3. 13.4.3. Shellcodes
          1. 13.4.3.1. Configuration Changing Shellcode
            1. 13.4.3.1.1. Complete Replacement
            2. 13.4.3.1.2. Partial Replacement
          2. 13.4.3.2. Runtime Image Patching Shellcode
          3. 13.4.3.3. Bind Shell
      5. 13.5. Conclusion
    9. 14. Protection Mechanisms
      1. 14.1. Protections
        1. 14.1.1. Non-Executable Stack
        2. 14.1.2. W^X (Either Writable or Executable) Memory
        3. 14.1.3. Stack Data Protection
          1. 14.1.3.1. Canaries
          2. 14.1.3.2. Ideal Stack Layout
        4. 14.1.4. AAAS: ASCII Armored Address Space
        5. 14.1.5. ASLR: Address Space Layout Randomization
        6. 14.1.6. Heap Protections
        7. 14.1.7. Windows SEH Protections
          1. 14.1.7.1. EEREAP
          2. 14.1.7.2. pdest
          3. 14.1.7.3. SEHInspector
        8. 14.1.8. Other Protections
          1. 14.1.8.1. Kernel Protections
          2. 14.1.8.2. Pointer Protections
      2. 14.2. Implementation Differences
        1. 14.2.1. Windows
          1. 14.2.1.1. W^X
          2. 14.2.1.2. ASLR
          3. 14.2.1.3. Stack Data Protections
          4. 14.2.1.4. Heap Protections
          5. 14.2.1.5. SEH Protections
          6. 14.2.1.6. Others
        2. 14.2.2. Linux
          1. 14.2.2.1. W^X
          2. 14.2.2.2. ASLR
          3. 14.2.2.3. Stack Data Protections
          4. 14.2.2.4. Heap Protections
          5. 14.2.2.5. Others
        3. 14.2.3. OpenBSD
          1. 14.2.3.1. W^X
          2. 14.2.3.2. ASLR
          3. 14.2.3.3. Stack Data Protections
          4. 14.2.3.4. Heap Protections
          5. 14.2.3.5. Others
        4. 14.2.4. Mac OS X
          1. 14.2.4.1. W^X
          2. 14.2.4.2. ASLR
          3. 14.2.4.3. Stack Data Protections
          4. 14.2.4.4. Heap Protections
          5. 14.2.4.5. Others
        5. 14.2.5. Solaris
          1. 14.2.5.1. W^X
          2. 14.2.5.2. ASLR
          3. 14.2.5.3. Stack Data Protections
          4. 14.2.5.4. Heap Protections
          5. 14.2.5.5. Others
      3. 14.3. Conclusion
  8. III. Vulnerability Discovery
    1. 15. Establishing a Working Environment
      1. 15.1. What You Need for Reference
      2. 15.2. What You Need for Code
        1. 15.2.1. gcc
        2. 15.2.2. gdb
        3. 15.2.3. NASM
        4. 15.2.4. WinDbg
        5. 15.2.5. OllyDbg
        6. 15.2.6. Visual C++
        7. 15.2.7. Python
      3. 15.3. What You Need for Investigation
        1. 15.3.1. Useful Custom Scripts/Tools
        2. 15.3.2.
          1. 15.3.1.1. An Offset Finder
          2. 15.3.1.2. Generic Fuzzers
          3. 15.3.1.3. The Debug Trick
        3. 15.3.2. All Platforms
        4. 15.3.3. Unix
          1. 15.3.3.1. ltrace and strace
          2. 15.3.3.2. truss
          3. 15.3.3.3. fstat (BSD)
          4. 15.3.3.4. tcpdump
          5. 15.3.3.5. Wireshark (formerly Ethereal)
        5. 15.3.4. Windows
          1. 15.3.4.1. IDA Pro Disassembler
      4. 15.4. What You Need to Know
        1. 15.4.1. Paper Archives
      5. 15.5. Optimizing Shellcode Development
        1. 15.5.1. Plan the Exploit
        2. 15.5.2. Write the Shellcode in Inline Assembler
        3. 15.5.3. Maintain a Shellcode Library
        4. 15.5.4. Make It Continue Nicely
        5. 15.5.5. Make the Exploit Stable
        6. 15.5.6. Make It Steal the Connection
      6. 15.6. Conclusion
    2. 16. Fault Injection
      1. 16.1. Design Overview
        1. 16.1.1. Input Generation
          1. 16.1.1.1. Manual Generation
          2. 16.1.1.2. Automated Generation
          3. 16.1.1.3. Live Capture
          4. 16.1.1.4. "Fuzz" Generation
        2. 16.1.2. Fault Injection
        3. 16.1.3. Modification Engines
          1. 16.1.3.1. Delimiting Logic
          2. 16.1.3.2. Getting around Input Sanitization
        4. 16.1.4. Fault Delivery
        5. 16.1.5. Nagel Algorithm
        6. 16.1.6. Timing
        7. 16.1.7. Heuristics
        8. 16.1.8. Stateless versus State-Based Protocols
      2. 16.2. Fault Monitoring
        1. 16.2.1. Using a Debugger
        2. 16.2.2. FaultMon
      3. 16.3. Putting It Together
      4. 16.4. Conclusion
    3. 17. The Art of Fuzzing
      1. 17.1. General Theory of Fuzzing
        1. 17.1.1. Static Analysis versus Fuzzing
        2. 17.1.2. Fuzzing Is Scalable
      2. 17.2. Weaknesses in Fuzzers
      3. 17.3. Modeling Arbitrary Network Protocols
      4. 17.4. Other Fuzzer Possibilities
        1. 17.4.1. Bit Flipping
        2. 17.4.2. Modifying Open Source Programs
        3. 17.4.3. Fuzzing with Dynamic Analysis
      5. 17.5. SPIKE
        1. 17.5.1. What Is a Spike?
        2. 17.5.2. Why Use the SPIKE Data Structure to Model Network Protocols?
          1. 17.5.2.1. Various Programs Included with SPIKE
          2. 17.5.2.2. SPIKE Example: dtlogin
      6. 17.6. Other Fuzzers
      7. 17.7. Conclusion
    4. 18. Source Code Auditing: Finding Vulnerabilities in C-Based Languages
      1. 18.1. Tools
        1. 18.1.1. Cscope
        2. 18.1.2. Ctags
        3. 18.1.3. Editors
        4. 18.1.4. Cbrowser
      2. 18.2. Automated Source Code Analysis Tools
      3. 18.3. Methodology
        1. 18.3.1. Top-Down (Specific) Approach
        2. 18.3.2. Bottom-Up Approach
        3. 18.3.3. Selective Approach
      4. 18.4. Vulnerability Classes
        1. 18.4.1. Generic Logic Errors
        2. 18.4.2. (Almost) Extinct Bug Classes
        3. 18.4.3. Format Strings
        4. 18.4.4. Generic Incorrect Bounds-Checking
        5. 18.4.5. Loop Constructs
        6. 18.4.6. Off-by-One Vulnerabilities
        7. 18.4.7. Non-Null Termination Issues
        8. 18.4.8. Skipping Null-Termination Issues
        9. 18.4.9. Signed Comparison Vulnerabilities
        10. 18.4.10. Integer-Related Vulnerabilities
        11. 18.4.11. Different-Sized Integer Conversions
        12. 18.4.12. Double Free Vulnerabilities
        13. 18.4.13. Out-of-Scope Memory Usage Vulnerabilities
        14. 18.4.14. Uninitialized Variable Usage
        15. 18.4.15. Use After Free Vulnerabilities
        16. 18.4.16. Multithreaded Issues and Re-Entrant Safe Code
      5. 18.5. Beyond Recognition: A Real Vulnerability versus a Bug
      6. 18.6. Conclusion
    5. 19. Instrumented Investigation: A Manual Approach
      1. 19.1. Philosophy
      2. 19.2. Oracle extproc Overflow
      3. 19.3. Common Architectural Failures
        1. 19.3.1. Problems Happen at Boundaries
          1. 19.3.1.1. A Process Calling into an External Process on the Same Host
          2. 19.3.1.2. A Process Calling into an External, Dynamically Loaded Library
          3. 19.3.1.3. A Process Calling into a Function on a Remote Host
        2. 19.3.2. Problems Happen When Data Is Translated
        3. 19.3.3. Problems Cluster in Areas of Asymmetry
        4. 19.3.4. Problems Occur When Authentication and Authorization Are Confused
        5. 19.3.5. Problems Occur in the Dumbest Places
      4. 19.4. Bypassing Input Validation and Attack Detection
        1. 19.4.1. Stripping Bad Data
        2. 19.4.2. Using Alternate Encodings
        3. 19.4.3. Using File-Handling Features
          1. 19.4.3.1. Required String Is Present in Path
          2. 19.4.3.2. Prohibited String Not Present in Path
          3. 19.4.3.3. Incorrect Behavior Based on File Extension
        4. 19.4.4. Evading Attack Signatures
        5. 19.4.5. Defeating Length Limitations
          1. 19.4.5.1. Sea Monkey Data
          2. 19.4.5.2. Harmful Truncation —Severing Escape Characters
          3. 19.4.5.3. Multiple Attempts
          4. 19.4.5.4. Context-Free Length Limits
      5. 19.5. Windows 2000 SNMP DOS
      6. 19.6. Finding DOS Attacks
      7. 19.7. SQL-UDP
      8. 19.8. Conclusion
    6. 20. Tracing for Vulnerabilities
      1. 20.1. Overview
        1. 20.1.1. A Vulnerable Program
        2. 20.1.2. Component Design
          1. 20.1.2.1. Process Injection
          2. 20.1.2.2. Machine-Code Analysis
            1. 20.1.2.2.1. Static Linking
            2. 20.1.2.2.2. Importing
            3. 20.1.2.2.3. Inlining
          3. 20.1.2.3. Function Hooking
            1. 20.1.2.3.1. Import Hooking
            2. 20.1.2.3.2. Prelude Hooking
            3. 20.1.2.3.3. Prologue Hooking
          4. 20.1.2.4. Data Collection
        3. 20.1.3. Building VulnTrace
          1. 20.1.3.1. VTInject
          2. 20.1.3.2. VulnTrace.dll
        4. 20.1.4. Using VulnTrace
        5. 20.1.5. Advanced Techniques
          1. 20.1.5.1. Fingerprint Systems
          2. 20.1.5.2. More Vulnerability Classes
            1. 20.1.5.2.1. Integer Overflows
            2. 20.1.5.2.2. Format Bugs
            3. 20.1.5.2.3. Other Classes
      2. 20.2. Conclusion
    7. 21. Binary Auditing: Hacking Closed Source Software
      1. 21.1. Binary versus Source-Code Auditing: The Obvious Differences
      2. 21.2. IDA Pro—The Tool of the Trade
        1. 21.2.1. Features: A Quick Crash Course
        2. 21.2.2. Debugging Symbols
      3. 21.3. Binary Auditing Introduction
        1. 21.3.1. Stack Frames
          1. 21.3.1.1. Traditional BP-Based Stack Frames
          2. 21.3.1.2. Functions without a Frame Pointer
          3. 21.3.1.3. Non-Traditional BP-Based Stack Frames
        2. 21.3.2. Calling Conventions
          1. 21.3.2.1. The C Calling Convention
          2. 21.3.2.2. The Stdcall Calling Convention
        3. 21.3.3. Compiler-Generated Code
          1. 21.3.3.1. Function Layouts
          2. 21.3.3.2. If Statements
          3. 21.3.3.3. For and While Loops
          4. 21.3.3.4. Switch Statements
        4. 21.3.4. memcpy-Like Code Constructs
        5. 21.3.5. strlen-Like Code Constructs
        6. 21.3.6. C++ Code Constructs
        7. 21.3.7. The this Pointer
      4. 21.4. Reconstructing Class Definitions
        1. 21.4.1. vtables
        2. 21.4.2. Quick but Useful Tidbits
      5. 21.5. Manual Binary Analysis
        1. 21.5.1. Quick Examination of Library Calls
        2. 21.5.2. Suspicious Loops and Write Instructions
        3. 21.5.3. Higher-Level Understanding and Logic Bugs
        4. 21.5.4. Graphical Analysis of Binaries
        5. 21.5.5. Manual Decompilation
      6. 21.6. Binary Vulnerability Examples
        1. 21.6.1. Microsoft SQL Server Bugs
        2. 21.6.2. LSD's RPC-DCOM Vulnerability
        3. 21.6.3. IIS WebDAV Vulnerability
      7. 21.7. Conclusion
  9. IV. Advanced Materials
    1. 22. Alternative Payload Strategies
      1. 22.1. Modifying the Program
      2. 22.2. The SQL Server 3-Byte Patch
      3. 22.3. The MySQL 1-Bit Patch
      4. 22.4. OpenSSH RSA Authentication Patch
      5. 22.5. Other Runtime Patching Ideas
        1. 22.5.1. GPG 1.2.2 Randomness Patch
      6. 22.6. Upload and Run (or Proglet Server)
      7. 22.7. Syscall Proxies
      8. 22.8. Problems with Syscall Proxies
      9. 22.9. Conclusion
    2. 23. Writing Exploits that Work in the Wild
      1. 23.1. Factors in Unreliability
        1. 23.1.1. Magic Numbers
        2. 23.1.2. Versioning
        3. 23.1.3. Shellcode Problems
          1. 23.1.3.1. Network Related
          2. 23.1.3.2. Privilege Related
          3. 23.1.3.3. Configuration Related
          4. 23.1.3.4. Host IDS Related
          5. 23.1.3.5. Thread Related
      2. 23.2. Countermeasures
        1. 23.2.1. Preparation
        2. 23.2.2. Brute Forcing
        3. 23.2.3. Local Exploits
        4. 23.2.4. OS/Application Fingerprinting
        5. 23.2.5. Information Leaks
      3. 23.3. Conclusion
    3. 24. Attacking Database Software
      1. 24.1. Network Layer Attacks
      2. 24.2. Application Layer Attacks
      3. 24.3. Running Operating System Commands
        1. 24.3.1. Microsoft SQL Server
        2. 24.3.2. Oracle
        3. 24.3.3. IBM DB2
      4. 24.4. Exploiting Overruns at the SQL Level
        1. 24.4.1. SQL Functions
          1. 24.4.1.1. Using the CHR/CHAR Function
      5. 24.5. Conclusion
    4. 25. Unix Kernel Overflows
      1. 25.1. Kernel Vulnerability Types
      2. 25.2. 0day Kernel Vulnerabilities
        1. 25.2.1. OpenBSD exec_ibcs2_coff_prep_zmagic() Stack Overflow
        2. 25.2.2. The Vulnerability
      3. 25.3. Solaris vfs_getvfssw() Loadable Kernel Module Traversal Vulnerability
        1. 25.3.1. The sysfs() System Call
        2. 25.3.2. The mount() System Call
      4. 25.4. Conclusion
    5. 26. Exploiting Unix Kernel Vulnerabilities
      1. 26.1. The exec_ibcs2_coff_prep_zmagic() Vulnerability
        1. 26.1.1. Calculating Offsets and Breakpoints
        2. 26.1.2. Overwriting the Return Address and Redirecting Execution
        3. 26.1.3. Locating the Process Descriptor (or the Proc Structure)
          1. 26.1.3.1. Stack Lookup
          2. 26.1.3.2. sysctl() Syscall
        4. 26.1.4. Kernel Mode Payload Creation
          1. 26.1.4.1. p_cred and u_cred
          2. 26.1.4.2. Breaking chroot
        5. 26.1.5. Returning Back from Kernel Payload
          1. 26.1.5.1. Return to User Mode: iret Technique
          2. 26.1.5.2. Return to Kernel Code: sidt Technique and _kernel_text Search
        6. 26.1.6. Getting root (uid=0)
      2. 26.2. Solaris vfs_getvfssw() Loadable Kernel Module Path Traversal Exploit
        1. 26.2.1. Crafting the Exploit
        2. 26.2.2. The Kernel Module to Load
        3. 26.2.3. Getting root (uid=0)
      3. 26.3. Conclusion
    6. 27. Hacking the Windows Kernel
      1. 27.1. Windows Kernel Mode Flaws—An Increasingly Hunted Species
      2. 27.2. Introduction to the Windows Kernel
      3. 27.3. Common Kernel-Mode Programming Flaws
        1. 27.3.1. Stack Overflows
          1. 27.3.1.1. The /GS Flag
        2. 27.3.2. Heap Overflows
        3. 27.3.3. Insufficient Validation of User-Mode Addresses
        4. 27.3.4. Repurposing Attacks
        5. 27.3.5. Shared Object Attacks
      4. 27.4. Windows System Calls
        1. 27.4.1. Understanding System Calls
        2. 27.4.2. Attacking System Calls
      5. 27.5. Communicating with Device Drivers
        1. 27.5.1. I/O Control Code Components
        2. 27.5.2. Finding Flaws in IOCTL Handlers
          1. 27.5.2.1. Static Analysis
          2. 27.5.2.2. Trial and Error
          3. 27.5.2.3. Collect and Fuzz
      6. 27.6. Kernel-Mode Payloads
        1. 27.6.1. Elevating a User-Mode Process
        2. 27.6.2. Running an Arbitrary User-Mode Payload
        3. 27.6.3. Subverting Kernel Security
        4. 27.6.4. Installing a Rootkit
      7. 27.7. Essential Reading for Kernel Shellcoders
      8. 27.8. Conclusion