A Bug Hunter's Diary
by Tobias Klein
Acknowledgments
Who Should Read the Book
Disclaimer
Resources
1. Bug Hunting
1.1 For Fun and Profit
1.2 Common Techniques
My Preferred Techniques
Potentially Vulnerable Code Locations
Fuzzing
Further Reading
1.3 Memory Errors
1.4 Tools of the Trade
Debuggers
Disassemblers
1.5 EIP = 41414141
1.6 Final Note
Notes
2. Back to the ’90s
2.1 Vulnerability Discovery
Step 1: Generate a List of the Demuxers of VLC
Step 2: Identify the Input Data
Step 3: Trace the Input Data
2.2 Exploitation
Step 1: Find a Sample TiVo Movie File
Step 2: Find a Code Path to Reach the Vulnerable Code
Step 3: Manipulate the TiVo Movie File to Crash VLC
Step 4: Manipulate the TiVo Movie File to Gain Control of EIP
2.3 Vulnerability Remediation
2.4 Lessons Learned
2.5 Addendum
Notes
3. Escape from the WWW Zone
3.1 Vulnerability Discovery
Step 1: List the IOCTLs of the Kernel
Step 2: Identify the Input Data
Step 3: Trace the Input Data
3.2 Exploitation
Step 1: Trigger the NULL Pointer Dereference for a Denial of Service
Step 2: Use the Zero Page to Get Control over EIP/RIP
3.3 Vulnerability Remediation
3.4 Lessons Learned
3.5 Addendum
Notes
4. NULL Pointer FTW
4.1 Vulnerability Discovery
Step 1: List the Demuxers of FFmpeg
Step 2: Identify the Input Data
Step 3: Trace the Input Data
4.2 Exploitation
Step 1: Find a Sample 4X Movie File with a Valid strk Chunk
Step 2: Learn About the Layout of the strk Chunk
Step 3: Manipulate the strk Chunk to Crash FFmpeg
Step 4: Manipulate the strk Chunk to Gain Control over EIP
4.3 Vulnerability Remediation
4.4 Lessons Learned
5. Browse and You’re Owned
5.1 Vulnerability Discovery
Step 1: List the Registered WebEx Objects and Exported Methods
Step 2: Test the Exported Methods in the Browser
Step 3: Find the Object Methods in the Binary
Step 4: Find the User-Controlled Input Values
Step 5: Reverse Engineer the Object Methods
5.2 Exploitation
5.4 Lessons Learned
6. One Kernel to Rule Them All
6.1 Vulnerability Discovery
Step 1: Prepare a VMware Guest for Kernel Debugging
Step 2: Generate a List of the Drivers and Device Objects Created by avast!
Step 3: Check the Device Security Settings
Step 4: List the IOCTLs
Step 5: Find the User-Controlled Input Values
Step 6: Reverse Engineer the IOCTL Handler
6.2 Exploitation
6.4 Lessons Learned
6.5 Addendum
Notes
7. A Bug Older Than 4.4BSD
7.1 Vulnerability Discovery
Step 1: List the IOCTLs of the Kernel
Step 2: Identify the Input Data
Step 3: Trace the Input Data
7.2 Exploitation
Step 1: Trigger the Bug to Crash the System (Denial of Service)
Step 2: Prepare a Kernel-Debugging Environment
Step 3: Connect the Debugger to the Target System
Step 4: Get Control over EIP
7.3 Vulnerability Remediation
7.4 Lessons Learned
7.5 Addendum
Notes
8. The Ringtone Massacre
8.1 Vulnerability Discovery
Step 1: Research the iPhone’s Audio Capabilities
Step 2: Build a Simple Fuzzer and Fuzz the Phone
8.2 Crash Analysis and Exploitation
8.3 Vulnerability Remediation
8.4 Lessons Learned
8.5 Addendum
Notes
A. Hints for Hunting
A.1 Stack Buffer Overflows
Example: Stack Buffer Overflow Under Linux
Example: Stack Buffer Overflow Under Windows
A.2 NULL Pointer Dereferences
A.3 Type Conversions in C
A.4 GOT Overwrites
Notes
B. Debugging
B.1 The Solaris Modular Debugger (mdb)
Starting and Stopping mdb
General Commands
Breakpoints
Running the Debuggee
Examining Data
Information Commands
Other Commands
B.2 The Windows Debugger (WinDbg)
Starting and Stopping a Debugging Session
General Commands
Breakpoints
Running the Debuggee
Examining Data
Information Commands
Other Commands
B.3 Windows Kernel Debugging
Step 1: Configure the VMware Guest System for Remote Kernel Debugging
Step 2: Adjust the boot.ini of the Guest System
Step 3: Configure WinDbg on the VMware Host for Windows Kernel Debugging
B.4 The GNU Debugger (gdb)
Starting and Stopping gdb
General Commands
Breakpoints
Running the Debuggee
Examining Data
Information Commands
Other Commands
B.5 Using Linux as a Mac OS X Kernel-Debugging Host
Step 1: Install an Ancient Red Hat 7.3 Linux Operating System
Step 2: Get the Necessary Software Packages
Step 3: Build Apple’s Debugger on the Linux Host
Step 4: Prepare the Debugging Environment
Notes
C. Mitigation
C.1 Exploit Mitigation Techniques
Address Space Layout Randomization (ASLR)
Security Cookies (/GS), Stack-Smashing Protection (SSP), or Stack Canaries
NX and DEP
Detecting Exploit Mitigation Techniques
C.2 RELRO
Test Case 1: Partial RELRO
Test Case 2: Full RELRO
Conclusion
C.3 Solaris Zones
Terminology
Set Up a Non-Global Solaris Zone
Notes
D. Updates
Index
About the Author
Colophon