INDEX
Symbols and numbers
/* */ comments, 178
#$ format token, 230–231
// comments, 178
/x, 228
< (less-than operator), 177
<= (less-than-or-equal-to operator), 177
%x token, 229
!token in Process Explorer debugger, 539–541
18 USC 1029 (ADS), 25–29
18 USC 1030 (CFAA), 29–38
18 USC 2510 of ECPA, 38–42
18 USC 2701 of ECPA, 38–42
A
Access Check. See also access control
about, 535
allowed ACEs, 537
DACL checks with, 535–536
enumerating executable files with, 569
flowchart of, 536
privilege checks with, 535
restricted SIDs access rights, 537
restricted tokens, 537
access control, 525–577. See also Access Check; ACEs
about Vista’s, 496
access tokens, 528–531, 537, 538–542, 575–576
AccessCheck function flowchart, 536
changing desiredAccess requests, 552–553
DACL check, 535–536
desiredAccess requests, 550–551
dumping security descriptor, 541–542
elevation of privilege in, 553–554, 567–569
enumerating named pipes, 574–575
finding untrusted process DACLs, 575–576
hackers’ interest in, 525–526
investing denied access during testing, 545–548, 571
key components of, 526
locating weak file DACLs, 569–573
power permissions for, 554
privilege check, 535
privilege escalation for directory DACLs, 567–569
restricted SIDs, 537
reviewing named kernel objects, 576–577
RunAs feature, 529–530
secret.txt in, 545–550
security descriptors, 531–535
security identifier of, 527
service attack patterns, 554–560
shared memory sections, 573–574
tools analyzing, 538–542
weak directory DACLs, 564–567
Access Device Statute (18 USC 1029), 25–29
access tokens
about, 528–531
dumping process, 538–542
restricted SIDs in, 537
restricted tokens, 530–531
RunAs feature for, 529–530
token kidnapping, 575–576
AccessChk command
enumerating executable files with, 569
permissions display for secret.txt, 548–550
ACEs (access control entries)
allowed, 537
enumerating service, 554–555
explicitly denied, 536
inherited deny ACEs, 537
types of access control, 532
ActiveX controls
exploiting in ADODB.Stream, 500
functions to avoid in, 513
fuzzing, 515
reviewing safe-for-scripting, 511–513
security implications of, 497–498
tricking users to accept, 514–515
add command, 186
address space layout randomization. See ASLR
addresses
exploiting buffer overflow to control, 612–613
finding WAP IP and MAC, 87
noting where programs crashed, 597
overwriting stack’s saved return, 609–610
addressing modes, 188
administrator privileges. See local administrator privileges
Adobe Reader
CVEs for, 358
enabling DEP for, 360
protecting from content-type attacks, 359–360
ADODB.Connection crash, 518–520
ADODB.Stream vulnerabilities, 500
ADS (Access Device Statute), 25–29
Advanced Packaging Tool (APT), 139–140
agreements
making penetration testing, 161–162
making with clients, 12
Alinean, 5–6
Amazon, 7
antivirus software
disabling, 115–116
malware detection rates of, 5
obfuscating hex code in Adobe Reader, 352
applications. See also patching applications; software; web applications; and specific applications
assessing exploitability of, 596–601
detailed view of stack layout, 604
development process for, 472–473
educating developers of, 72
patching, 619–632
pre- and postconditions of vulnerable, 602–603
reducing privileges for Internet-facing, 522–523
trying to break, 471–472
understanding vulnerabilities in, 601–611
arbitrary code execution. See shellcode
arguments
environment/arguments section in memory, 182
notation for Sulley, 581
sanitized shellcode, 606–609
ASLR (address space layout randomization)
checking if on/off, 210
protection and vulnerabilities with, 240–241, 249
purpose of, 321–322
assembly language, 184–189
about, 185
add and sub commands, 186
addressing modes in, 188
call and ret commands, 187
executing setreuid, then calling execve, 273–274
file structure for, 189
files for setreuid system calls, 272
function calling procedures in, 202–203
inc and dec commands, 187
int command, 188
jne, je, jz, jnz, and jmp commands, 187
lea command, 188
Linux shellcode in, 267
making object code and executing in, 189
mov command, 186
moving system calls from C to, 269–270
NASM and AT&T syntax in, 185–188
push and pop commands, 187
shellcode system calls in, 269
writing port_bind_asm.asm program, 279–281
xor command, 187
Asteroid, 387–388
AT&T assembly language syntax, 185–188
ATM skimming devices, 27
attaching debuggers, 474–475
attacks. See also content-type attacks; exploits; penetration testing
Blaster worm, 33–35
educating staff about types of, 18–19
emulating, 19
file DACL, 569–573
inviteflood, 387
planning access control service, 554–560
possibilities with cross-site scripting, 378
SCADA, 395–409
SIP flaws available for, 381–382
spear phishing, 496–497
staying informed about, 522
using honeypots for warnings of, 638
VoIP, 379–394
weak registry key DACLs, 564
Windows directory DACLs, 564–567
Windows Registry DACLs, 560–564
Windows service attack patterns, 554–560
auditing
binary code, 427
security, 72
authorization, 71
Autodafé fuzzing framework
help menu, 403
installing, 399–400
running Wireshark to examine packets in, 403
using ADBG debugger, 402
automated malware analysis, 671
automating Metasploit, 155–156, 294–296
AutoRunScript variable, 155
availability in VoIP, 384, 385
AxEnum, 510–515
AxMan, 515–520
B
backdoor connect capabilities, 670–671
BackTrack, 125–140
about, 125–126
automatically saving and restoring changes in, 135–137
creating custom ISO for, 134–135
exploring, 130
illustrated, 129, 130, 132, 135, 136
installing Nepenthes on, 644–646
installing to DVD or USB drive, 126–127
persisting changes to installation, 131–137
running inside VirtualBox, 132–133
starting network services in, 130–131
supporting Autodafé fuzzing with, 399–400
using ISO within virtual machine, 128–131
bash shells, 231
BAT files, enumerating vulnerable, 569–571
/bin/sh program, 272–276
assembly code executing setreuid, then calling execve, 273–274
execve syscalls executing, 273
binaries
analyzing after unpacking, 670
binary mutations, 626–631
getting locations of functions and strings in, 243–244
identifying packed, 661–663
patching, 622–626
recovering original, 663
unpacking, 661–669
binary analysis, 427–443. See also IDA Pro; reverse engineering
analyzing compiled C++, 459–460
analyzing statically linked libraries, 448–451
automated tools for, 441–443
BinDiff for, 442–443
BinNavi for, 439–440
BugScam for, 441–442
Chevarista for, 442
decompilers for, 428–430
disassemblers for auditing, 427, 430
PEiD for malware, 646–647
precautions for live malware, 648–649, 671
source code vs., 427
using Hex-Rays Decompiler plug-in, 439
viewing program headers in IDA Pro, 457–459
working with stripped binaries, 446–448
binary mutations, 626–631
binary values in Sulley, 582
bind shells, 253–254
BinDiff, 442–443
binmode function, 608
BinNavi, 439–440
biometric door locks, 103
bit fields in Sulley, 583
bits, 180
BitTorrent protocol, 8–9
black box testing
debugging in, 474–476
memory monitoring tools for, 480
using code coverage analysis tools, 476–477
black hat hackers
defined, 47
source code auditing tools for, 419
usefulness of source code auditing tools, 419
Blaster worm attacks, CFAA and, 33–35
blocks in Sulley, 584–585
boot device, 112
booting
BackTrack LiveDVD System, 129, 137–139
Dradis servers, 165–166
bot herders, 6
botnets, 6
browsers. See client-side browser exploits; web browsers; and specific browsers
.bss sections in memory, 181
buffer overflows
creating local, 209–217
detecting stack-based, 318–320
exploiting, 612–613
Linux, 203–208
NIPRINT3, 594
parsing buffer overrun vulnerability, 501–502, 503
testing, 222–223
buffers
about memory, 182
exploiting small, 215–217
fake frame to attack small, 237–239
IFRAME Tag Parsing Buffer Overrun, 501–502, 503
BugScam
implementing with IDC script, 464
using for binary analysis, 441–442
Bugtraq, 49
buildings
biometric door locks in, 103
common ways into, 97–107
defeating locks in, 103–107
entering unmanned foyers, 102
getting by lobby security in multitenant, 99–100
mantraps, 102
penetrating campus-style or single-tenant, 101
penetration testing once inside, 107
reconnaissance of, 95–96
tailgating into, 103
bump keys, 105–106
bypassing Windows memory
protections, 322–339
ASLR, 324–325
/GS protection mechanism, 323, 338
methods for, 338
overwriting SEH records, 323
SafeSEH, 323–324
SEHOP, 331–337
bytes
defined, 180
writing to arbitrary memory, 231–232
C
C programming language, 173–180
adapting code for reverse connecting shellcode, 284–285
for and while loops, 177–178
assembly vs., 185
basic constructs in, 173–178
building precision desiredAccess request test tool, 550–551
comments in, 178
compiling with gcc, 179–180
debugging with gdb, 190–192
decompiling, 430
establishing sockets, 276, 277–278
executing processes with DTOR section, 233–234
execution of main() function in, 446–447
functions in, 174
if/else construct, 178
Linux shellcode in, 267, 268–269
main() structure in, 173–174
making stdin copy of other file descriptors, 421
printf command, 175–176
scanf command, 176
starting exit system calls in, 269–270
strcpy/strncpy commands, 176–177
structures in, 276–277
system() function in return to libc exploits, 609
using memory in, 183–184
variables in, 174–175
working with IDC scripting language, 461–464
writing sample program, 178–179
C++ programming language
extending IDA Pro with plug-ins in, 464–466
IDA Pro for analyzing compiled, 459–460
working with IDC scripting language, 461–464
Cain
disabling antivirus software to load, 115–116
identifying users in, 118–120
loading, 116–117
recovering local administrator, 117–118
call command, 187
call function, 202–203
campus-style buildings, 101
canary values
implementing stack canary, 299, 318–320
overwriting, 231–232
placing between stack buffers and frame state data, 237
Cato Institute, 41
CBC (capacitor bank controller) devices, 405, 406
CERT Coordination Center (CERT/CC), 50–52
CFAA (Computer Fraud and Abuse Act), 29–38
Blaster worm attacks and, 33–35
disgruntled employees and, 35–36
social media and VoIP events, 36
state law alternatives to, 36–38
worms and viruses under, 33
Chevarista, 442
child fork process, 474
chroot environment, 134–135
circumvention, 43
class ids (clsid), 510–511
classified documents, 41–42
client-side browser exploits, 495–523. See also Internet Explorer
AxEnum for, 510–515
AxFuzz for, 515
AxMan for, 515–520
css-grammar-fuzzer for, 510
exploiting javaprxy.dll as COM object, 502–504
finding new vulnerabilities for, 506–522
heap exploits with InternetExploiter, 521–522
history and trends in, 499–506
installing malware using, 506
Internet Explorer security concepts, 497–499
Metasploit for, 147–149
Mozilla fuzzing tools for, 509–510
Operation Aurora, 505–506
protecting against, 522–523
running client-side apps with lower privileges, 496, 522–523
vulnerabilities on client-side, 495–497
WMIScriptUtils design vulnerability, 504–505
client-side scripting
reflected XSS and, 375–376
stored XSS and, 376–377
vulnerabilities in, 373–374
clients
alerting to SEAs, 79–81
coordinating penetration testing with, 164
expectations during penetration testing, 163
get-out-of-jail-free letters from, 162
kickoff meetings for penetration testing, 162–163
making agreements with, 12, 161–162
preparing for physical penetration attacks, 94
receiving penetration testing results, 168–169
simulating insider attacks for, 109–110
training employees about SEAs, 91
CMD files, 569–571
code coverage analysis tools, 476–477
collisions, 452
COM objects
exploiting javaprxy.dll as, 502–504
fuzzing with AxMan, 515–520
using AxEnum to find all registered, 510–515
using to entice users to malicious sites, 496, 497, 514
commands
basic gdb, 190–191
command execution code, 257
injection vulnerabilities for, 361
SQL, 366
comments, 178
communication of vulnerabilities, 70
compiling
C programs with gcc, 179–180
IDA Pro for C++, 459–460
using gcc, 179, 202–203, 236–240
Windows programs, 297–299
Computer Fraud and Abuse Act (18 USC 1030), 29–38
computers
Intel processors, 184
memory in, 180–184
protected, 30–31
conducting
insider attacks, 110–122
penetration tests, 162–164
physical penetration, 94–97
social engineering attacks, 79–81
confidentiality in VoIP, 384, 385
configuration
changing, 60
Dradis user accounts and interface, 166
constructors, 429
consumers
points of view on ethical disclosure, 48–49
releasing information to, 61
content-type attacks, 341–360
about PDF files, 345–348
changing file extensions of malicious PDF samples, 350
file formats exploited for, 343–345
how they work, 341–343
malicious PDF, 348–350
protecting environment from, 359–360
testing protection against, 358
tools detecting malicious PDF files, 351–358
control flow analysis, 477–479
cookies
bypassing in /GS protection mechanism, 323
ECPA and, 40
core dump files, 475
crackers and ADS violations, 26
crashes
developing exploit from, 596
interpreting results of in debuggers, 596–601
reproducing with mangleme, 508
reviewing instruction pointers in, 597–599
Sulley postmortem analysis of, 592–593
viewing summary of eip register, 592–593, 594
CreateProcess function calls, 253
credit card numbers, 26
cross-references to functions, 478
cross-site scripting (XSS), 373–378
about, 62–63
attack possibilities with, 378
how it works, 374–375
reflected XSS, 375–376
scripting of web result pages, 373–374
stored XSS, 376–377
vulnerabilities of, 362
CSEA (Cyber Security Enhancement Act), 45–46
css-grammar-fuzzer, 510
Cyber Security Enhancement Act (CSEA), 45–46
cyberlaw, 23–46
Access Device Statute, 25–29
Computer Fraud and Abuse Act, 29–38
Cyber Security Enhancement Act, 45–46
development of, 23–25
Digital Millennium Copyright Act, 42–45
sections 2510 and 2701 of ECPA, 38–42
SPY act, 46
state alternatives to CFAA, 36–38
Stored Communications Act, 39
cyberterrorism and Stuxnet malware, 408
D
DACL (Discretionary Access Control List)
about, 531
attacking Windows Registry, 560–564
checking, 535–536
displaying, 541–542
enumerating object’s, 553–554
evaluating accessibility of, 554
NULL, 545
rights of ownership and, 545
service attack patterns, 554–560
viewing in Windows Explorer UI, 533, 541
DameWare, 122
data
analyzing structure in IDA Pro, 454–457
controlling and collecting with honeywall, 641
ensuring safe handling of, 71
generating random, 582
locating sensitive, 122
manually auditing user-supplied, 420–421
process_monitor.py script to monitor Sulley crash, 588–589
Data Control Language (DCL), 365
Data Definition Language (DDL), 365
Data Execution Prevention. See DEP
Data Manipulation Language (DML), 365
.data sections in memory, 181
Datagram Transport Layer Security (DTLS) protocols, 383
DCL (Data Control Language), 365
DDL (Data Definition Language), 365
de-obfuscating malware, 660–669
about, 660
how packers work, 660–661
unpacking binaries, 661–669
debuggers
about, 474–476
ADBG debugger, 402
attaching, 474–475
changing desiredAccess requests in, 552–553
closing before running editbin command on programs, 597
core dump files in, 475
debugging Windows exploits, 314–315
detaching Windows, 541
interpreting results of crashes with, 596–601
unpacking binaries with, 664–665
Valgrind, 480–483
dec command, 187
decoder for encoded shellcode, 288–289, 293
decompilers
Hex-Rays Decompiler plug-in, 439
using for binary analysis, 428–430
defeating building locks, 103–107
defense strategies
developing against insider attacks, 123
effective for insider attacks, 123
physical penetration attacks, 108
return to libc exploits, 611
social engineering attacks, 91
defensive malware techniques
protective wrappers with encryption, 637
rootkits, 636
VM detection, 637
delimiters in Sulley, 582–583
denial of service attacks. See DoS attacks
DEP (Data Execution Prevention)
about, 321
enabling, 360
gadgets in, 326–331
methods for bypassing memory protection, 338
VirtualProtect function in, 326
Department of Homeland Security (DHS), 32, 42
dependencies in Sulley, 586
desiredAccess requests, 550–553
development process
exploit development, 217–223, 305
software, 472–473
dictionaries, Python, 197
diff tool, 621–622
Digital Millennium Copyright Act (DMCA), 42–45, 413–414
Dionaea, 639
direct parameter access, 230–231
directory DACL attacks, 564–567
about, 564
enumerating directories and DACLs, 564–565
loading attack DLL at runtime, 566
privilege escalation for directory DACLs, 567–569
replacing .exe files, 566–567
working with magic directories, 567
write permissions for, 565–566
disabling
antivirus, 115–116
GCC non-executable stack, 240
JavaScript in Adobe Reader, 359
disassembling
code with gdb, 191–192
shellcode, 262–263
discovery process in OIS disclosures, 54–55
Discretionary Access Control List. See DACL
DLLs
enumerating vulnerable, 569–571
exploiting javaprxy.dll as COM object, 502–504
loading runtime attack, 566
DMCA (Digital Millennium Copyright Act), 42–45, 413–414
DML (Data Manipulation Language), 365
DNP3 (Distributed Network Protocol version 3), 398
Doo, 642
DoS (denial of service) attacks
buffer overflows and, 208
Twitter, 7
VoIP, 387–388
worms with built-in, 655
downloading
jsfunfuzz, 510
Nepenthes, 644
OWASP Broken Web Applications VM, 367–368
Python, 192
Download.Ject attacks, 500–501
downtime losses from hacking, 5–6
Dradis servers
about, 164
adding export/upload and import plug-ins, 167–168
installing, 164–165
starting and using, 161, 165–166
synchronizing data for teams, 168
DTLS (Datagram Transport Layer Security) protocols, 383
DTOR (destructor) section
overwriting, 233–235
using in C/C++, 233–234
DVDs burning, 126
DWORD (double word), 180
E
eavesdropping in VoIP attacks, 386
ebp (extended base pointer) register
overwriting, 609–610
stack operations with, 201–202
ECPA (Electronic Communication Privacy Act), 38–42
editbin command, 325
educating
application developers, 72
staff about attacks and techniques, 18–19
eip (extended instruction pointer) register
adjusting shellcode if close to esp, 313
analyzing in crashes, 592–593, 594, 597–599
defined, 202
exploiting and controlling, 204, 205, 208, 218, 306–308
local buffer overflow exploits and, 209
pointing to NOP sled, 209
repeating return addresses, 210–211
running shellcode, 209
Electronic Communication Privacy Act (ECPA), 38–42
Electronic Frontier Foundation, 46
elevation of privilege
analyzing access control for, 553–554
attack patterns, 527–573
directory DACL attacks, 567–569
escalating service privileges, 559–560
file DACL attacks, 573
weak registry key DACLs and, 564
ELF (Executable and Linking Format) files
disassembling, 430
limitations of patching, 625–626
patching into hole, 624–625
tools to work with ELF32 format, 233
understanding structure of, 622–624
embedding components in malware, 657–658
employees
finding on LinkedIn, 88
termination procedures for, 35–36
tracking time spent on attacks, 38
training about SEAs, 91
encoding shellcode, 260, 261, 287–293
FNSTENV XOR example for, 289–291
JMP/CALL XOR decoder for, 288–289, 293
reasons for, 287
sample code for, 291–293
simple XOR encoding, 287
structure for, 288
using Metasploit, 295–296
encrypting
TEA algorithm for, 658
using protective wrappers with, 637
enumeration and VoIP attacks, 384–386
environment/arguments section in memory, 182
environment strings in shellcode, 606–609
envstrings function, 424
epilogues, 609
error messages in SQL, 368–369
escalation of trust, 80
esi register, 600
esp (extended stack pointer) register
adjusting shellcode too close to eip, 313
overwriting with eip, 220, 221
stack operations with, 201–202
ethical disclosure, 47–73
about, 47–48
CERT’s process for, 50–52
conflicts between finders and vendors in, 62–66
developing guidelines for, 49–50
points of view on, 48–49
publicity in, 69
RainForest Puppy Policy v2, 52–53
security community’s view of, 67
team approach in, 69–70
types of OIS, 54–61
vendor’s view of, 67–68
vulnerability disclosures and resolutions, 65–66
ethical hackers, 10–15
doing penetration tests, 11–14
emulating attacks, 19
ethical reverse engineering, 413–414
managing expectations and problems during penetration testing, 163
“No More Free Bugs” stance of, 63–64
providing vulnerability assessments, 10–11
relating to customers, 11
reporting penetration testing results, 168–169
role of, 10
toolsets used by, 16–18
usefulness of source code auditing tools, 418–420
using software traps, 268
ethics, 3–21. See also cyberlaw; ethical disclosure; ethical hackers
dual nature of toolsets, 16–18
educating staff on attacks and techniques, 18–19
hacking books and classes, 15–16
recognizing security gray areas, 8–9
role of ethical hackers, 10–15
why know enemy’s tactics, 3–8
Everyone SID, 543
.exc (exclusion) files, 452
exception handling. See SEH
.exe files
autoloading from USB drive, 82–86
enumerating vulnerable, 569–571
replacing with own, 566–567
Executable and Linking Format files. See ELF files
execve() system calls, 272–276
assembling, linking, and testing, 274
code calling, 273–274
extracting hex opcodes, 274–275
launching Linux with, 604–606
making in Unix systems, 253
testing shellcode for, 275
exit system calls
assembling, linking, and testing, 271
signature of, 269
starting in C, 269–270
verifying, 271
exploit development process, 217–223. See also exploits; safe test environments; user space shellcode
adding return statement jumps to code, 600–601, 606
building exploit sandwich, 222
controlling Linux eip, 204, 205, 208, 218
determining offset(s), 218–221
documenting problems, 614–615
improving reliability of exploit, 599–601
interpreting results of crashes, 596–601
kernel space considerations in, 264–265
payload construction, 611–614
recognizing pre- and postconditions, 602–603
repeatability of exploits, 603
setting attack vector, 221–222
stack predictability, 603–609
understanding program vulnerabilities, 601–611
exploit sandwich
assemblying in Metasploit, 222, 312–313
bypassing SEHOP, 331–337
preceding with NOP slide in shellcode, 313
using gadgets in, 327–331
exploits. See also client-side browser exploits; Linux exploits; Windows exploits
developing from crashes, 596–601
launching in Metasploit, 142–146
mutated layout for format string, 629–631
payload construction considerations, 611–614
repeatability of, 603
return to libc, 241–249, 609–610
using generic code for stack overflow, 213–214
export/upload plug-ins for Dradis, 167
F
fake frame technique, 237–239
Fast Library Acquisition for Identification and Recognition (FLAIR), 451
Fast Library Identification and Recognition Technology (FLIRT), 431, 450–451
FBI (Federal Bureau of Investigation), 32, 34
file DACL attacks, 569–573
enumerating DACLs for files, 569–571
locating data files to attack data parser, 571–572
modifying configuration files, 571
privilege escalation for, 573
read permissions, 572–573
write permissions, 572
file transfer code, 257–258
FileMon (File Monitor), 650–651
files. See also content-type attacks; file DACL attacks; and specific files
accessing Python, 197–199
changing extensions of malicious samples, 350
detecting associated malware, 669
enumerating DACLs for executable, 569
formats exploited for content-type attacks, 343–345
generating signature, 451–454
java class, 428
PE and ELF formats, 430
reviewing binaries with PEiD, 646–647
structure of assembly language source, 189
structure of executable, 622–624
unpacking, 647
find socket shellcode, 256–257
find.c file
auditing source code of, 416–417
manually analyzing, 423–425
using IDA Pro with, 436–439
finders/reporters
acting on vulnerabilities in shared code bases, 57–58
defined, 54
disclosure conflicts between vendors and, 62–66
managing communication with vendors, 68–69
relationships to vendors, 69
views on publicizing vulnerabilities, 69
working as team for disclosures, 69–70
firewalls
blocking port binding shellcode, 253–254
bypassing with client-side browser vulnerabilities, 495–496
conditions suitable for find socket shellcode, 256–257
dealing with reverse shellcode for, 254–256
honeywalls, 640
on-by-default Windows, 499
preventing attackers with, 617–618
first chance exception, 303
flags
gcc, 179
inheritance, 534
removing -static, 270
FLAIR (Fast Library Acquisition for Identification and Recognition), 451
FLIRT (Fast Library Identification and Recognition Technology), 431, 450–451
flow analysis tools, 477–479
fmstr (format string program), 228–229, 234–235
FNSTENV assembly instruction, 289–291
for loops, 177–178
fork operations, 474
format string exploits, 225–236
direct parameter access for, 230–231
mutations mitigating, 629–631
operating vulnerabilities with format functions, 227–228
printf command for, 225–229
reading arbitrary strings with %s token, 229
using %x token to map stack, 229
writing to arbitrary memory, 231–232
format tokens, printf command, 176, 226
FPU (floating-point unit) environment, 289–291
functions
C programming language, 174
constructors, 429
defining blocks in SPIKE, 490
execution order of main(), 446–447
failure to check return values of, 417
flowchart graph in IDA Pro, 478–479
format string, 225–227
free(), 182
function call tree in IDA Pro, 477–478
required and optional arguments in Sulley, 581
reviewing cross-references to, 478
SPIKE, 489–491
further references
access checks, 537
advanced Linux exploits, 249
BackTrack, 137
bypassing Windows memory protections, 338–339
caller ID spoofing, 81
CERT/CC disclosure process, 52
content-type attack, 350, 358, 359–360
css-grammar-fuzzer, 510
DMCA, 414
ethics of ethical hacking, 8
extending IDA Pro, 470
full disclosure using RFP v2, 53
GetPC Code, 293
Guidelines for Security Vulnerability Reporting and Response, 61
Ibiza and Download.Ject attacks against Windows, 500–501
insider attacks, 122
Internet Explorer vulnerabilities, 499, 506
InternetExploiter, 522
links for SEA, 89
Linux and Windows exploit variations, 601
Linux socket programming, 283
malware, 659
Mark of the Web, 515
Metasploit, 141–142, 156, 296, 614
Microsoft debugging tools, 304
migration options, 619
mitigation, 632
Mozilla fuzzing tools, 509–510
overwriting code, 236
OWASP Broken Web Applications project, 373
passive analysis, 427
port knocking, 618
protecting against client-side exploits, 523
protocol analysis of target, 581
recording ISO disk image, 127
return to libc exploits, 611
reverse-engineering malware, 672
reverse engineering tools, 483
reverse shellcodes, 287
service attack patterns, 560
shellcode, 260
stacks, 611
structured exception handling, 317
thwarting VMware detection, 643
unpacking binaries, 669
user space shellcode, 260
VirtualBox, 131
vulnerability disclosures and resolutions, 65–66
web application vulnerabilities, 362, 378
Windows memory protections, 322
WinObj download, 577
writing system calls, 276
writing Windows exploits, 315
fuzzing, 484–493. See also Autodafé fuzzing framework; intelligent fuzzing; Sulley
about, 473
ActiveX control methods with AxFuzz, 515
building fuzzers for open protocols, 487–488
COM objects with AxMan, 515–520
detecting fuzzing tools in Valgrind, 484
evaluating effectiveness of, 476
intelligent, 579–594
mangleme tool for, 501–502, 506–509
Mozilla CSS, 509–510
SCADA, 399–407
Sharefuzz, 492–493
SPIKE fuzzer creation toolkit, 488–492
SPIKE Proxy, 492
Sulley’s postmortem analysis of, 592–593
TFTP Daemon Fuzzer, 405–407
understanding how it works, 601–602
URL, 485–487
uses of, 484
using Sulley sessions, 581, 587–588
G
gadgets, 326–331
gcc (GNU C Compiler), 179, 202–203, 236–240
gdb debugging
basic commands, 190–191
disassembly with, 191–192
viewing meet.c overflow, 204–207
get-out-of-jail-free letters, 162
getopcode.c, 600–601
GETPC (get program counter) techniques, 288, 293
GNU C Compiler (gcc), 179, 202–203, 236–240
Good Samaritan attack techniques, 81–86
goodbye() function, 234
lawsuits against Google Buzz, 40
offers cash bounty for hackers, 64
using Google Earth, 95
graphs
IDA Pro function flowchart, 478–479
producing Sulley session in uDraw, 587–598
viewing Sulley postmortem analysis in, 593
gray hat hackers. See also ethical hackers
assessing exploitability of programs, 596–601
defined, 47
usefulness of source code tools for, 419–420
groups in Sulley, 585
grub boot loader in BackTrack, 137–139
/GS compiler
bypassing by reconstructing SEH chain, 331–337
bypassing memory protection with, 323, 338
detecting buffer overrun with, 318–320
/GS flag, 299
H
H.323 protocol, 382–383
hackers. See also ethical hackers assessing program exploitability, 596–601
avoiding mantraps, 102
black, white, and gray hat, 47
conducting insider attacks, 110–122
doing penetration testing, 14–15
duplicating ActiveX controls on malicious websites, 497–498
emotions exploited for SEAs, 77–78
entering via smokers’ door, 96, 98–99
enticing users to malicious websites, 496
finding software flaws, 19–20
getting past multitenant lobby security, 99–100
interest in access control, 525–526
knowing tactics of, 3–8
loading runtime attack DLLs, 566
mental preparation for physical penetration, 97
obfuscating malware, 660
once inside buildings, 107
organizing penetration testing team, 158
penetrating buildings, 101
preparing for face-to-face attacks, 89–91
reconnaissance of buildings, 95–96
replacing .exe with own file, 566–567
running shellcode, 209
subverting biometric door locks, 103
toolsets used by, 16–18
unmanned foyers, 102
using shellcode, 251
hacking
Access Device Statue laws against, 27–28
books and classes on, 15–16
Computer Fraud and Abuse Act laws against, 29–31
disgruntled employees and, 35–36
downtime losses from, 5–6
Electronic Communication Privacy Act protections against, 38–42
measuring costs of, 36–38
hactivism, 9
hardware
hardware interrupts, 268
hardware traps, 268
testing fuzzing approach for, 402
hashdump command, 153–154
header files, 457–459, 465–466
heaps
about memory, 181
attacks against, 236–239
double free problem corrupting, 482–483
dynamic memory allocation at, 480
exploiting with InternetExploiter, 521–522
mutated layout for overflowed, 628–629
preventing execution of, 240
recognizing pre- and postconditions with overflows, 602–603
Windows protections for, 320–321
Hello program
example in assembly language, 189
example in Python, 193
IDA Pro script executing, 463
PDF file content listing for, 345–348
sample in C language, 178–179
help menu in Autodafé, 403
hex opcodes
extracting from execve system calls, 274–275
extracting with objdump tool, 274, 275, 281–282
writing Linux shellcode in, 267
Hex-Rays Decompiler plug-in, 439
hflow format, 641
high-interaction honeypots, 639
HMI (human machine interface), 396
honeyd scripts, 639
honeynet technology, 637–643
high-interaction honeypots, 639
limitations of, 638–639
low-interaction honeypots, 639
setting malware traps, 644–646
using as warnings of attacks, 638
using honeypots, 637–638
hostent data structure, 435
hosts
detecting malware, 670
hosts file, 658
hotkeys in IDA Pro, 432
HTA files, 569–571
HTTP (Hypertext Transfer Protocol), 484, 491–492
human behavior
emotions exploited in SEAs, 77–78
mental preparation for physical penetration, 97
preparing for face-to-face attacks, 89–91
human machine interface (HMI), 396
I
Ibiza, 500–501
ICCP (Inter-Control Center Protocol) protocol, 396–397
about, 445
analyzing statically linked libraries, 448–451
assistance unpacking binaries, 665–669
BugScam scripts for, 441–442
building plug-ins for, 466–467
data structure analysis, 454–457
disassembling binary code with, 430–431
discovering vulnerabilities with, 436
extending, 461–470
function call tree in, 477–478
function flowchart graph, 478–479
generating sig files, 451–454
Hex-Rays Decompiler plug-in for, 439
ida-x86emu plug-in, 467–468
IDAPython plug-in, 474
IDC scripting language, 427–430, 461–464
loaders and processor modules for, 434–436
loading files manually in, 457–458
navigating disassembly in, 433
scripting with IDC, 427–430
SDK and plug-in modules for, 464–468
stripped binaries in, 446–448
structure of plug-ins for, 431–432
using, 431–439
viewing program headers in, 457–459
working with compiled C++ in, 459–460
ida-x86emu plug-in, 467–468
IDAPython plug-in, 474
IDC scripting language, 427–430, 461–464
IED (intelligent electronic device), 396
IETF (Internet Engineering Task Force), 579, 581
if/else construct, 178
Immunity Debugger, 304, 309–310
importing
Dradis plug-ins for, 167–168
structures and functions into IDA Pro, 458–459
inc command, 187
inheritance ACEs, 532, 534–535
injection vulnerabilities, 361
injunctions, 36
input validation, 374–375
insider attacks, 109–123
about, 109–110
conducting, 110–122
defending against, 123
disabling antivirus, 115–116
finding sensitive information, 122
gaining local administrator privileges, 111–115
getting orientation for, 111
identifying users in Cain, 118–120
joining Domain Admins group, 121
recovering local administrator password, 117–118
tools and preparation for, 110–111
user’s domain password recovery, 121–122
installing
Autodafé fuzzing framework, 399–400
BackTrack to DVD or USB drive, 126–127
Dradis servers, 164–165
Metasploit, 141–142
Nepenthes, 644–646
steps in VoIPER, 388–393
Sulley, 581
TFTP Daemon Fuzzer, 406
instruction pointers. See eip register
int 0x80 instruction, 252, 269
int command, 188
integers in Sulley, 583
Intel processors, 184
intelligent electronic device (IED), 396
intelligent fuzzing, 579–594
conducting protocol analysis of target, 579–581
defined, 579
using Sulley, 581–594
Inter-Control Center Protocol (ICCP), 396–397
Internet
changes in information available on, 40–42
connecting BackTrack to network services, 130–131
Internet Engineering Task Force (IETF), 579, 581
Internet Explorer. See also client-side browser exploits
ActiveX controls in, 497–498, 511–515
exploiting javaprxy.dll as COM object, 502–504
Ibiza and Download.Ject attacks against, 500–501
IFRAME tag parsing buffer overrun vulnerability, 501–502, 503
mangleme code for, 508
Operation Aurora and attacks on, 505–506
security zones in, 498–499
updating security patches regularly, 522
using Protected Mode in, 522–523
WMIScriptUtils design vulnerability, 504–505
Internet Protocol, voice communications over, 379–380
Internet Security Systems (ISS), 49–50
InternetExploiter, 502, 521–522
interorganizational learning phases, 68
Intranet zone, 498
investigation process in OIS disclosures, 57
inviteflood, 387
IP addresses
changing sample code’s, 307
finding WAP, 87
ISO disk image. See also BackTrack
booting virtual machine with attached, 128–131
creating custom ISO, 134–135
opening with ISO Recorder, 126, 127
using ISO within virtual machine, 128–131
ISSAF (Information Systems Security Assessment Framework), 159
J
Java
decompiler example in, 428
exploiting javaprxy.dll, 502–504, 510, 511–512
je command, 187
JMP/CALL XOR decoder, 288–289, 293
jne command, 187
jnz command, 187
Join the Company SEAs, 88–89
jsfunfuzz, 509–510
jumping to esp
adding return statement jumps to code, 600–601, 606
overwriting Windows eip by, 309–312
jz command, 187
K
kernel space
debuggers for, 475–476
defined, 251
shellcode in, 263–265
kernels
enumerating DACL kernel objects, 576–577
patches and scripts for, 240–241, 249
reviewing named kernel objects, 576–577
vulnerabilities in Windows, 264
KeyGhost device placement, 122
keystroke collecting, 122
keyword stuffing, 9
kickoff meetings for penetration testing, 162–163
knock sequence, 618
L
launching exploits in Metasploit, 142–146
laws. See cyberlaw
LDAP injection vulnerabilities, 362
lea command, 188
libraries
analyzing statically linked, 448–451
matching signatures of with FLIRT, 431, 450–451
parsing and generating IDA Pro sig files for, 451–454
linking files
execve system calls, 274
exit system calls, 271
setreuid system calls, 272
Linux exploits, 201–223, 225–249. See also writing Linux shellcode
buffer overflows, 203–208
determining offset(s), 218–221
exploiting and controlling eip, 218
exploiting local buffer overflows, 209–217
format string exploits, 225–236
function calling procedure, 202–203
memory protection schemes, 236–249
protecting memory with libsafe, 236, 249
setting attack vector, 221–222
stack operation exploits, 201–203
testing, 222–223
user space system calls from shellcode, 252
Linux operating systems. See also Linux exploits
execve() system call launching, 604–606
exploits using Windows vs., 297
Metasploit compatibility with, 141–142
socket programming for, 276–283
understanding network byte order for, 276
loaders
BackTrack grub boot, 137–139
IDA Pro, 434–436
local administrator privileges
gaining, 111–115
joining Domain Admins group, 121
targeting client-side sessions with, 496
user’s domain password recovery, 121–122
Local Machine zone (LMZ)
about, 498–499
pushing page loads into more restrictive zone, 513
zone elevation attacks against, 500–501
locations for penetration testing, 158
locks
bump keys for, 105–106
making picks for, 104–105
shims for, 106–107
tumbler, 103–104
logging in, 153–155
logging keystrokes, 152
LOGON SID, 544–545
loops
for and while, 177–178
writing Python, 199
LordPE process-dumping utility, 664
low-interaction honeypots, 639
M
MAC addresses, 87
Mac OS X, 192
magic directories, 567
main() function
about, 173–174
locating, 449
order of execution in C/C++, 446–447
Malcode Analysis Pack (MAP), 653
malicious activities, 19
malloc() function, 182
analyzing with Norman Sandbox, 653–655
automated analysis of, 671
catching, 644–646
de-obfuscating, 660–669
defenses protecting, 636–637
embedding components in, 657–658
hiding, 658–659
honeynet technology trends, 637–643
how packed, 663
identifying packed binaries, 661–663
live analysis of, 648–655, 671
operation phase for, 670–671
“pay-per-install” business model for, 519
reverse-engineering, 669–672
rootkits, 636
setup phase for, 670
spyware/adware, 636
static analysis of, 646–648
Stuxnet, 408
thwarting VMware detection technologies, 642–643
trends in, 657–659
Trojan horse, 636
using vulnerabilities to install, 506
viruses, 635
worms, 636
management
allowing password testing, 17–18
termination procedures for employees, 35–36
understanding cyberlaw, 23–24
mangleme tool, 501–502, 506–509
mantraps, 102
Mark of the Web (MOTW), 513, 515, 516
Media Gateway Control Protocol (Megaco H.248), 382
meet.c
gaining root privileges with, 208
overflowing buffer in, 204–207
using generic code for stack overflow, 213–214
Megaco H.248 protocol, 382
memory. See also heaps; memory protection schemes
about, 180
buffers, 182
bypassing Windows memory protections, 322–339
double free problem corrupting heaps, 482–483
endian methods for shells, 181
enumerating shared memory sections, 573–574
example of, 183–184
memory leaks, 480
monitoring program’s use of runtime, 480–483
overwriting locations with strcpy/strncpy commands, 176–177
pointers, 182–183
program sections loaded into, 181–182
RAM, 180–181
reading arbitrary, 230
segmentation of, 181
strings in, 182
understanding Windows memory protections, 318–322
writing canary address to arbitrary, 231–232
memory protection schemes, 236–249. See also bypassing Windows memory protections
disabling GCC non-executable stack, 240
kernel patches and scripts, 240–241, 249
return to libc exploits, 241–249
Stack Smashing Protection, 237–239
Metasploit, 141–156
assemblying Windows exploit sandwich, 312–313
automating and scripting, 155–156
automating shellcode generation with, 294–296
avoiding corrupted shellcode in, 613–614
building exploit sandwich, 222
compatibility and downloading, 141–142
determining offset(s) in, 218–221, 308–309
encoding shellcode using, 295–296
exploiting client-side vulnerabilities in, 147–149
launching exploits in, 142–146
option name in, 143
payload construction in, 144–146
penetration testing with Meterpreter, 149–155
setting attack vector in, 221–222
testing buffer overflow modules in, 222–223
testing content-type vulnerabilities, 358
verifying server vulnerability in, 306–308
Meterpreter, 149–155
mhtml: protocol handler, 500–501
Microsoft. See also access control; Internet Explorer; Microsoft Office; Windows operating systems
addressing client-side vulnerabilities, 499–500
client-side exploits affecting, 499–506
exploiting javaprxy.dll as COM object, 502–504
exploits against HTML tag parsing vulnerability, 501–502
Ibiza and Download.Ject attacks against Windows, 500–501
Microsoft Security Response Center blog, 523
Operation Aurora and attacks on client-side browser, 505–506
repairing WMIScriptUtils design vulnerability, 504–505
reporting vulnerabilities to, 64
responding to third-party patches, 631–632
security concepts in Internet Explorer, 497–499
source code auditing tools by, 416
vulnerabilities of ActiveX controls, 511–515
warning users about attacks, 523
Microsoft Office
content-type attacks on, 359
enabling DEP for, 360
exploiting file formats of, 343–345
migrate.rb script, 156
migration options, 618–619
mitigating software vulnerabilities, 617–632
evaluating alternatives, 617–618
migration options, 618–619
patching applications, 619–632
port knocking, 618
Modbus protocol, 397–398, 400–405
monitoring
runtime memory use, 480–483
system under test, 388
MOTW (Mark of the Web), 513, 515, 516
mov command, 186
Mozilla
fuzzers for, 509–510
mangleme code for, 508
reporting vulnerabilities to, 64
MS08-067 vulnerabilities, 142–146, 147
MS10-022 vulnerabilities, 147–149
msfencode, 260
msfpayload command, 294–295
multistage shellcode, 258
mutated layout for format string, 629–631
N
named pipes, 574–575
naming
functions and variables in IDA Pro, 433
programs when overwriting values, 232
NASM (Netwide Assembler), 185–188
Nepenthes
about, 639
installing on BackTrack, 644–646
reporting binaries to Norman Sandbox, 653, 655
network_monitor.py script, 589
networks. See also honeynet technology
BackTrack services for, 130–131
byte order for IP, 276
command execution code on, 257
file transfer code compromising, 257–258
H.323 protocol recommended for PBN, 382–383
importance of physical penetration for testing, 94
inspecting malicious packets with Sulley, 589, 593–594
network byte order for IP, 276
placing unauthorized WAP on, 86–88
port binding shellcode on, 253–254
reverse shellcode on, 254–256
using find socket shellcode on, 256–257
nibble, 180
NIPRINT3 buffer overflow, 594
NOP sled, 209–210
NOP slides
locating in exploitable code, 606
using before shellcode in exploit sandwich, 313
Norman Sandbox, 653–655
notification process in OIS disclosures, 55–57
null characters in strcpy, 260
NULL DACL, 545
null pointers, 415
O
obfuscated code
ida-x86emu plug-in analyzing, 467–468
malware as, 660
objdump command, 233
objdump tool, 274, 275, 281–282
Object Linking and Embedding for Process Control (OPC) protocol, 396
objects
attack patterns for access control, 554–573
coding and executing assembly language, 189
DACL kernel, 576–577
enumerating DACL for, 553–554
exposing execution vulnerabilities with various, 573–577
file extension of object code, 513
finding untrusted process DACLs, 575–576
named pipes, 574–575
rights of ownership and DACLs for, 545
searching for shared memory of, 573–574
security descriptors of, 531
socket, 199–200
Office. See Microsoft Office
Offline NT Password, 112
offsets
determining Windows, 308–309
using Metasploit to determine Linux, 218–221
using OllyDbg to find correct, 337
OIS (Organization for Internet Safety), 54–61
discovery process, 54–55
investigation phase, 57
notification process in, 55–57
releasing information to public, 61
reporting confirmed, disproved, or inconclusive flaws, 58
resolving flaws, 59–60
timeframe of remedy, 60–61
validation phase, 57
vulnerabilities in shared code bases, 57–58
OllyDbg
about, 475
breakpoint capability for, 664–665
commands in, 301
debugging on Windows with, 299–304
examining CPU registers in, 597
plug-ins for SEH searches in, 334–335
stack display in, 598
updating symbols server for, 302
OPC (Object Linking and Embedding for Process Control) protocol, 396
Open Web Application Security Project. See OWASP
OpenAction verb in PDF files, 349–350
Opera mangleme code, 508
operating systems. See also Linux operating system; Unix operating systems; Windows operating systems
kernel space shellcode for, 263–265
Metasploit compatibility with, 141–142
migrating to new, 618–619
ways to communicate with kernel, 268
Organization for Internet Safety. See OIS
OSSTMM (Open Source Security Testing Methodology Manual), 159
out brief of penetration test reports, 169
overwriting
calling function pointers, 323
canary values, 231–232
.dtors, 233–235
ebp register, 609–610
memory locations with strcpy/strncpy, 176–177
SEH records, 323
stack’s saved return addresses, 609–610
OWASP (Open Web Application Security Project)
defined, 159
downloading Broken Web Applications VM, 367–368
testing DVWA SQL injection, 368–373
top ten list of vulnerabilities, 361–362
P
packet-based networks (PBNs), 382–383
packets. See UDP packets
Page-eXec (PaX) patches, 240
parent fork process, 474
parsers, 571–572
passive analysis, 413–443. See also IDA Pro
automated source code analysis, 425–427
binary analysis, 427–443
ethical reverse engineering, 413–415
manually auditing source code, 420–425
recognizing vulnerabilities in source code, 421–425
source code analysis, 416–427
passwords
logging in with shared, 153–155
modifying account, 113–114
modifying in SAM file, 97–98
recovering from remote computers, 121–122
recovering local administrator, 114–115, 117–118
recovering offline NT, 111–112
removing from SAM file, 114
SIP password-cracking, 386
software for cracking, 17
testing security of, 17–18
patch tool, 622
patching applications, 619–632
about, 619–620
client-side vulnerabilities addressed by Microsoft, 499–500
command-line tools for, 621–622
finding holes for, 624–625
limitations of patching ELF files, 625–626
patch failures, 70
patching binaries, 622–626
source code patching, 620–622
updating security patches, 359, 522
PaX (Page-eXec) patches, 240
payload construction considerations, 611–614
about, 611–612
buffer orientation problems, 612–613
choosing payload options in Metasploit, 144–146
embedding components in malware, 657–658
protocol elements and, 612
self-destructive shellcode, 613–614
PBN (packet-based networks), 382–383
PDF files
about, 345–348
detecting and disarming malicious, 351–358
exploiting formats for, 343–345
malicious PDF content in, 348–350
pdf-parser.py, 355–358
PDFiD, 351–354
PDML2AD tool, 401
PE (Portable Executable) files, 430
penetration testing, 157–169. See also insider attacks; physical penetration attacks; social engineering attacks
access during, 163
activities for, 12–14
carrying out physical penetration, 94–97
conducting SEAs, 79–81
doing, 11–14
external and internal coordination during, 164
Good Samaritan attack techniques, 81–86
importance of physical penetration for network, 94
kickoff meetings for, 162–163
locations for, 158
making agreements about, 161–162
managing expectations and problems during, 163
Metasploit Meterpreter for, 149–155
methodologies and standards for, 159
once inside buildings, 107
options for unethical hackers, 14–15
organizing testing team, 158
phases of, 159–160
planning, 157–160
process for, 12
reporting results, 168–169
scenario for insider attacks, 110–122
scope of, 158
setting up unauthorized network WAP, 86–88
sharing information on Dradis servers, 164–168
spreadsheets for test plans, 161
steadiness during, 164
types of, 157–158
Perl
binmode function, 608
Metasploit payload encoders, 613–614
script for TFTP Daemon Fuzzer in, 405–406
phreakers, 26
physical penetration attacks, 93–108
about, 93
campus-style or single-tenant buildings, 101
common ways into buildings, 97–107
conducting, 94–97
defeating building locks, 103–107
defenses against, 108
getting by multitenant building lobby security, 99–100
importance of physical penetration, 94
mantraps, 102
mental preparation for, 97
subverting biometric door locks, 103
tailgating into buildings, 103
unmanned foyers, 102
PLC (programmable logic controller), 396
plug-ins
Dradis export/upload and import, 167–168
IDA Pro, 464–468
ida-x86emu, 467–468
IDAPython, 474
OllyDbg SEH search, 334–335
tips for writing IDA Pro, 466–467
using Hex-Rays Decompiler, 439
pointers in memory, 182–183
pop-up calculator shellcode, 309–312
port binding shellcode
assembly programs establishing sockets, 279–281
blocking, 253–254
building sockaddr structures, 276–277
drawbacks to, 626
establishing sockets, 276, 277–278
implementing, 276–283
port_bind_asm.asm program, 279–281
port_bind.c for building sockets, 278
port_bind_sc.c test code, 282–283
testing, 281–283
Portable Executable (PE) file format, 430
ports. See also port binding shellcode port knocking, 618
researching protocol requirements for, 580
power permissions. See also privileges
analyzing for elevation of privilege, 554
directory, 565–566
file, 572
service, 556–557
Windows registry keys, 563–564
primary domain controllers (PDCs), 119
primitives in Sulley, 581–582
printf command
exploiting format strings with, 225–229
forms of, 175–176
stack layout for, 630–631
stack operations with format functions, 227–228
stack overflows and, 205–207
using %x token to map stack, 229
Prioritizing Resources and Organization for Intellectual Property Act, 45
privileges. See also elevation of privilege; local administrator privileges
gaining local administrator privileges, 111–115
impersonating with named pipe, 574–575
protecting from client-side browser vulnerabilities, 496
running client-side apps with lower, 496, 522–523
process control infrastructures. See SCADA attacks
Process Explorer, 538–541
examining running malware processes, 651–652
!token in debugger, 539–541
process injection shellcode, 259
Process Monitor, 548–550
Process Stalker, 476–477
processes
access token for, 528–530
examining running malware, 651–652
finding untrusted process DACLs, 575–576
IDA Pro process modules, 434–436, 468
sorting and finding, 307
profiling tools, 477
program headers in IDA Pro, 457–459
programmable logic controller (PLC), 396
programming, 173–200. See also specific languages
adding return statement jumps to code, 600–601
addressing modes in assembly language, 188
assembly language, 184–189
C language, 173–180
compiling Windows programs, 297–299
computer memory skills, 180–184
debugging with gdb, 190–192
Python skills, 192–200
structure of executable files, 622–624
understanding vulnerabilities in, 601–611
x86 epilogue and prologue code, 609–610
prologues, 609–610
prosecuting computer crimes, 36, 38
ProSSHD server, setting up, 305–306
protected computers, 30–31
Protected Mode in Microsoft, 496, 523
protection. See also defensive malware techniques; memory protection schemes
against client-side browser exploits, 522–523
against SCADA attacks, 408–409
against VoIP attacks, 393–394
changing extensions of malicious file samples, 350
from content-type attacks, 359–360
migrating to new system or program for, 618–619
understanding Windows memory, 318–322
protective wrappers with encryption, 637
protocol handlers, 500–501
protocols. See also VoIP attacks
building fuzzers for open, 487–488
designing exploits for, 612
HTTP and SSH, 484
Internet Protocol, 379–380
SCADA, 396–399
understanding using RFC, 579–581
used by VoIP, 380–384
psexec command, 153, 154–155, 523
publicizing ethical disclosures, 69
pvefindaddr tool
avoiding ASLR with, 324–325
comparing shellcode in memory and in file with, 315
determining attack vector with, 309–310
using with OllyDbg and Immunity Debugger, 305
Python, 192–200
about, 192
decompiling code in, 428
dictionaries, 197
downloading, 192
file access in, 197–199
Hello, World program in, 193
IDAPython plug-in, 474
lists, 196–197
numbers, 195–196
objects in, 193–197
script controlling VMware in Sulley, 589–590
socket object in, 199–200
strings, 193–195
white space and indentation of code blocks in, 199
R
RainForest Puppy Policy (RFP) v2, 52–53
RAM (random access memory), 180–181
RATS (Rough Auditing Tool for Security), 416–417
read attributes for desiredAccess requests, 551
read permissions
directory, 567
reviewing for file DACL attacks, 572–573
receivers. See software vendors
reconnaissance of buildings, 95–96
reflected XSS examples, 375–376
registers. See also ebp register; eip register; esp register
registry keys
attacks on weak DACLs of, 564
enumerating DACLs for Windows, 561–563
write permissions for, 563
Regshot, 649–650
relative identifier (RID), 527
remote computers
creating remote access Trojan on, 81–86
pushing command shell to, 84–86
recovering passwords from, 121–122
remote terminal unit (RTU), 396
repeatability of exploits, 603
replybuf function, 424
reporters. See finders/reporters
reporting
confirmed, disproved, or inconclusive flaws, 58
exploitable vulnerabilities, 595, 614–615
Guidelines for Security Vulnerability Reporting and Response, 61
penetration testing results, 168–169
reports for penetration testing, 168–169
Request for Confirmation of Receipt (RFCR), 56
Resource Hacker, 658
Restricted Sites zone, 498
restricted tokens, 530–531
ret command, 187
return to libc exploits
about, 241
defenses against, 611
frame faking technique, 609–610
stack randomization and, 242
reverse connecting shellcode
assembly program for, 285–287
firewalls and, 254–256
writing C program for, 284–285
reverse engineering, 471–493
building fuzzers for open protocols, 487–488
code coverage analysis tools, 476–477
debuggers in, 474–476
Doomjuice.A worm, 655
ethical, 413–414
flow analysis tools, 477–479
fuzzing, 484–493
malware, 669–672
memory use monitoring tools, 480–483
passive analysis and, 413
profiling tools, 477
source code auditing tools, 416–418
tools for, 473–483
understanding software development process, 472–473
Valgrind, 480–483
reverse shellcode, 254–256
revfrom() function, 423
RFC (Request for Comments), 579–581
RFP (RainForest Puppy Policy v2), 52–53
RID (relative identifier), 527
roo, 640
Rough Auditing Tool for Security (RATS), 416–417
RTU (remote terminal unit), 396
Ruby for Windows command shell, 306–308
Russian Business Network (RBN), 4–5
S
SACL (System Access Control List), 531
safe structure exception handling. See SafeSEH
safe test environments
examining running processes, 651–652
features of Norman Sandbox technology, 653–655
finding changes in file systems, 650–651
live malware analysis in, 648–655, 671
monitoring VoIP system under test, 388
preparing VoiPER, 388
reviewing binaries with PEiD, 646–647
setting malware traps in, 644–646
setting up ProSSHD server for VMware, 305–306
taking registry snapshot, 649–650
unpacking files with UPX tool, 647
viewing ASCII strings, 647–648
viewing network activity with TCPView tool, 652–653
SAFER Software Restriction Policy (SRP), 523
SafeSEH (safe structure exception handling)
bypassing, 323–324
defined, 320
methods for bypassing memory protection, 338
reconstructing SEH chain to bypass, 331–337
SAM file
finding, 112–113
modifying account passwords in, 97–98
recovering Offline NT password from, 111–112
removing passwords from, 114
SanDisk Cruzer, 82–86
SCADA (supervisory control and data acquisition) attacks, 395–409
components of, 395
defined, 395–396
DNP3 protocol, 398
ICCP protocol, 396–397
Modbus protocol, 397–398, 400–405
OPC protocol, 396
protecting against, 408–409
protocols for, 396–399
SCADA fuzzing, 399–407
Stuxnet malware and, 408
TFTP Daemon Fuzzer, 405–407
scanf command, 176
scraper sites, about, 9
scripting. See also cross-site scripting
controlling target virtual machines with Sulley, 589–590
honeyd scripts, 639
inspecting malicious packets with Sulley, 589, 593–594
Metasploit, 155–156
running Sulley fuzzing session, 590–592
SPIKE, 491
Sulley fuzz sessions, 581, 587–588
using IDA Pro’s IDC, 427–430
using Sulley’s process_monitor.py script, 588–589
web result pages, 373–374
working with IDA Pro’s IDC, 461–464
search engines, 9
secret.txt, 545–550
Securely Protect Yourself Against Cyber Trespass (SPY Act), 46
security
compromises in current, 7
downtime losses from hacking, 5–6
engaging audits of, 72
ensuring safe data handling, 71
getting past multitenant lobby security, 99–100
limiting availability of classified documents, 41–42
recognizing gray areas in, 8–9
software complexity and, 20–21
testing client’s security operations team, 160
testing password, 17–18
vulnerability assessments of, 10–11
security descriptors (SDs), 531–535, 541–542
security patches. See patching applications
security professionals
alerting clients about proposed SEAs, 79–81
asking clients about SCADA systems, 395
developing disclosure guidelines for, 49–50
relating to customers, 11
view of ethical disclosure, 67
security quality assurance (SQA) for software, 71
security zones in Internet Explorer, 498–499
SEH Overwrite Protection. See SEHOP
SEH (structured exception handling)
implementing, 316–317
overwriting, 323
searched with OllyDbg plug-in, 334–335
SEHOP (SEH Overwrite Protection)
about, 320
bypassing, 331–337
methods for bypassing memory protection, 338
reconstructing SEH chain to bypass, 331–337
SELECT statements, 370–371
self-corrupting shellcode, 261–262
Server 2008. See Windows operating systems
service attack patterns, 554–560
escalating privileges, 559–560
execute permissions, 557
finding vulnerable services, 557–559
service read permissions, 556–557
write permissions, 556
SERVICE_CHANGE_CONFIG command, 559–560
sessions in Sulley, 581, 587–588
setreuid system calls, 271–272
shared memory sections, 573–574
shellcode, 251–265. See also writing Linux shellcode
allowing Metasploit stack space in GETPC routine, 313
avoiding self-destructive, 613–614
command execution code, 257
comparing in memory vs. in file, 315
dealing with sanitized arguments and environment strings in, 606–609
developing pop-up calculator, 309–312
disassembling, 262–263
executing /bin/sh program with execve, 272–276
exploiting small buffers, 215–217
file transfer code, 257–258
find socket shellcode, 256–257
finding bad characters in, 314–315
generating automatically, 294–296
kernel space, 263–265
layout in stack overflow, 261–262
making system calls in, 252
multistage, 258
overwriting canary address in, 232
port binding, 253–254, 276–283
process injection, 259
reverse, 254–256
reverse connecting, 284–287
running, 210
running in user space, 251
running stdin, stdout, and stderr files, 252–253
self-corrupting, 261–262
system call proxy, 258–259
testing for execve system calls, 275
using fake frame technique, 237–239
using setreuid system calls, 271–272
shells
creating bind, 253–254
direct parameter access format tokens for bash, 231
endian methods for, 181
shims for locks, 106–107
SIDs (security identifiers)
about, 527
access control and, 537
Authenticated Users group, 543
Authentication, 543–544
evaluating for potential elevation of privilege attacks, 553–554
Everyone, 543
found in access token, 528
LOGON, 544–545
signature files
generating with IDA Pro, 451–454
matching library, 431, 450–451
setreuid system calls, 272
single-tenant buildings, 101
SIP (Session Initiation Protocol)
about, 381–382
Asteroid attacks in, 387–388
password-cracking in, 386
SIP inviteflood attacks, 387
skimming, 27
social engineering attacks (SEA), 77–91
about, 77–78
conducting, 79–81
defenses for, 91
Good Samaritan techniques, 81–86
Join the Company pretext for, 88–89
meeting announcements, 86–88
preparing for face-to-face attacks, 89–91
social networking sites, 78, 79, 80, 88–89
sockets
find socket shellcode, 256–257
initiating connection to port on attacker’s computer, 255
malware’s user of, 670
Python socket objects, 199–200
sockaddr structures, 276–277, 435
software. See also mitigating software vulnerabilities
complexity of current, 20–21
developing guidelines for disclosing flaws in, 49–50
development process for, 472–473
educating developers of, 72
finding flaws in, 19–20
lines of code in, 20
mistrusting user input, 71
payments for finding vulnerabilities, 64
resolving flaws in, 59–60
reverse engineering of, 413–415
security quality assurance for, 71
testing fuzzing approach for, 402
timeframe for remedying flaws, 60–61
vulnerabilities after patch released, 70–71
software traps, 268
software vendors. See also applications; patching applications
acting on vulnerabilities in shared code bases, 57–58
CERT/CC guidelines for, 51
conflicts between finders and, 62–66
disclosure using RFP v2, 52–53
following up on reported vulnerabilities, 71
interorganizational learning phases of reporting vulnerabilities, 68
liability for vulnerabilities, 471–472
managing communication with finders, 68–69
points of view on ethical disclosure, 48–49
reporting vulnerabilities to, 58, 595, 614–615
resolving software flaws, 59–60
responding to third-party patches, 631–632
setting timeframes for repairing flaws, 61
view of ethical disclosure, 67–68
working with disclosure team, 69–70
source code
developing and using patches for, 621–622
when and what to patch, 620–621
source code analysis, 416–427
auditing tools for, 416–418
automated, 425–427
binary vs., 427
manual auditing of, 420–425
recognizing vulnerabilities in, 421–425
spamdexing, 9
spear phishing, 497
special characters in SQL, 367
SPIKE
about, 488–490
block handling primitives in, 490
creation primitives in, 489
example of HTTP requests from, 491–492
fuzzing variable declaration in, 491
script parsing in, 491
static content primitives in, 489–490
SPIKE Proxy, 492
spraying heaps, 521–522
SPY Act (Securely Protect Yourself Against Cyber Trespass), 46
spyware/adware, 636
SQL (Structured Query Language)
about, 362
components of, 365–366
databases and statements in, 365–367
key commands in, 366
special characters in, 367
SQL injection vulnerabilities, 362–374
SRP (SAFER Software Restriction Policy), 523
SRTP (Secure Real-time Transport Protocol), 384, 386
SSH (Secure Shell) protocol, 484
SSP (Stack Smashing Protection), 237–239, 249
Stack Smashing Protection (SSP), 237–239, 249
stacks
allowing Metasploit stack space in GETPC routine, 313
bypassing SafeSEH on, 323–324
exploiting buffer overflow, 612–613
exploiting Linux, 201–203
function calling procedures in, 202–203
gcc non-executable, 240
implementing stack canary, 299, 318–320
layout of Linux program, 604–606
making calls with system() function, 241–245
mapping with %x token, 229
mutated layout for overflowed, 626–628
operating vulnerabilities with format functions, 227–229
Page-eXec patches gaining execution control of, 240
placing fake SEH chain on, 332
protection mechanisms for, 609
randomization and return to libc exploits, 242
return-oriented programming to execute code on, 326
shellcode layout in overflow of, 261–262
stack frame in IDA Pro, 434
stack predictability, 603–609
stack section in memory, 182
structured exception handling on, 316–317
working with paged, 606
-static flag, 270
state trespassing laws, 36–38
Statement of Work (SOW) agreements, 161–162
static analysis, 445–461. See also reverse engineering
analyzing statically linked libraries, 448–451
challenges in, 445–446
data structure analysis with IDA Pro, 454–457
difficulties of control flow analysis, 479
generating IDA Pro signature files, 451–454
IDA Pro for analyzing compiled C++, 459–460
malware, 646–648
plug-in IDA Pro architecture for, 461–470
viewing program headers in IDA Pro, 457–459
working with stripped binaries, 446–448
stdin files
making copy of C program, 421
running in shellcode, 252–253
steadiness during penetration testing, 164
Stored Communications Act, 40
stored XSS examples, 376–377
strcpy command
about, 176–177
avoiding terminal null character with, 260
dangers of, 419
exploiting vs. converting to strncpy, 418–419
patches for, 620
stress testing, 473
strings. See also format string exploits
creating format string exploits, 225–236
mutated layout for format string exploits, 629–631
Python, 193–195
using %s token for reading arbitrary, 229
using esi register for string operations, 600
using in memory, 182
using in Sulley, 582–583
viewing malware ASCII, 647–648
stripping binaries, 446–448
strncpy command
converting to strcpy, 418–419
dangers of, 419
overwriting locations with strcpy and, 176–177
structured exception handling. See SEH
Structured Query Language. See SQL
Stuxnet malware, 408
sub command, 186
SUID (set user ID), 492–493
Sulley, 581–594
bit fields, 583
blocks, 584–585
code for fuzzing session script, 590–592
controlling VMware in, 589–590
dependencies, 586
generating random data, 582
groups, 585
inspecting network traffic, 589, 593–594
installing, 581
integers, 583
monitoring data for faults, 588–589
postmortem analysis of crashes, 592–593
primitives in, 581–582
strings and delimiters in, 582–583
using binary values, 582
supervisory control and data acquisition attacks. See SCADA attacks
SupportSoft install dialog box., 515
Sysdream.com, 331–332
system calls
assembling, linking, and testing exit, 271
execve, 273
exit, 269–270
making shellcode, 252, 268–269
proxy shellcode for, 258–259
setreuid, 271–272
socketcall, 279
writing for C-based shellcode, 268–269
system() function, 241–245
system under test (SUT), 388
T
tailgating into buildings, 103
TCPView tool, 652–653
TEA (Tiny Encryption Algorithm), 658
teams
kickoff meetings for penetration testing, 162–163
organizing for penetration testing, 158
synchronizing data for, 168
team approach to ethical disclosure, 69–70
temporary visitor security badges, 99–100
terminating employees, 35–36
testing. See also safe test environments
code for SQL injection vulnerabilities, 367–374
execve system calls, 274
exit system calls, 271
files for setreuid system calls, 272
investing access denials during, 545–548
Linux exploit, 222–223
port binding shellcode, 281–283
protection against content-type attacks, 358
reproducing crashes with mangleme, 508
shellcode for execve system calls, 275
stress, 473
VoIP attacks with VoIPER, 388–393
.text sections in memory, 181
tfp.exe DACL, 544
TFTP Daemon Fuzzer
about, 405–406
executing, 406–407
installing, 406
third-party patching initiatives, 631–632
this pointers, 459
TLBs (translation look-aside buffers), 240
TLS (Transport Layer Security) protocols, 383
token kidnapping, 575–576
tools. See also Dradis servers
analyzing access control, 538–542
automated binary analysis, 441–443
BackTrack, 125–140
BinDiff, 442–443
BinNavi, 439–440
BugScam, 441–442
Chevarista, 442
code coverage analysis, 476–477
detecting malicious PDF files, 351–358
diff, 621–622
FileMon, 650–651
finding new client-side vulnerabilities, 506–522
flow analysis, 477–479
fuzzing, 473
Hex-Rays Decompiler plug-in, 439
intelligent fuzzing, 581–594
jsfunfuzz, 509–510
loading Cain, 116–117
lock-picking, 104–107
Malcode Analysis Pack, 653
memory monitoring, 480
Metasploit, 141–142
Microsoft compilers, 297–299
needed for insider attacks, 110–111
Norman Sandbox, 653–655
open protocol fuzzers, 487–488
precision desiredAccess request test, 550–551
Process Explorer, 651–652
profiling, 477
pvefindaddr, 309–310, 315, 324–325
reverse engineering instrumentation, 473–483
source code auditing, 416–418
SPIKE fuzzer creation toolkit, 488–492
SPIKE Proxy, 492
TCPView, 652–653
testing protection against content-type attacks, 358
thwarting VMware detection, 642–643
UPX, 647
URL fuzzers, 485–487
used by attackers and professionals, 16–18
Valgrind, 480–483
VoIPER, 388–393
Yasca, 426
Trojan horse, 636
trust, escalating, 80
tumbler locks, 103–104
Twitter, 7
type secret.txt command, 545–547
U
UDP packets
analyzing vulnerabilities in incoming, 423–425
examining with Wireshark, 403, 594
using Sulley to inspect, 589, 593–594
uDraw, 587–598
UNetbootin utility, 126–127
United States vs. Digati, 34
United States vs. Kernell, 34
United States vs. Kwak, 45
United States vs. Mettenbrink, 33
United States vs. Rocci, 45
United States vs. Sklyarov, 45
United States vs. Tscheigg, 34
Universal Plug and Play (UPnP) service, 526
Unix operating systems. See also Linux operating systems
execve system calls in, 253
root users with buffer overflows, 208
user space system calls from shellcode in, 252
unmanned foyers, 102
unpacking binaries, 661–669
analyzing after, 670
debugger-assisted unpacking, 664–665
IDA Pro assistance for, 665–669
run and dump unpacking, 663–664
UPX tool for, 647
updating
Internet Explorer security patches, 522
OllyDbg symbols server, 302
upnphost vulnerability, 526
UPX tool, 647
URLs, 498
USB drive
assembling tools for insider attacks on, 110–111
BackTrack installations to, 131–133
installing BackTrack to, 126–127
preparing for autorun SEAs, 82–86
user space
debuggers for, 475
hiding malware in, 658–659
user space shellcode, 251–260
about, 251
command execution code, 257
file transfer code, 257–258
find socket shellcode, 256–257
making system calls in, 252
multistage, 258
port binding, 253–254, 276–283
process injection, 259
reverse shellcode, 254–256
running stdin, stdout, and stderr files, 252–253
system call proxy shellcode, 258–259
users
enticing to malicious websites, 496, 497, 514
escalating service privileges of, 559–560
identifying in Cain, 118–120
manually auditing data from, 420–421
reviewing Microsoft’s security warnings regularly, 522
running client-side apps with lower privileges, 496, 522–523
running Meterpreter as different logged-on, 152–153
software mistrusting input from, 71
user accounts in Dradis, 166
utility systems. See SCADA attacks
V
validation process in OIS disclosures, 57
variables
C programming, 174–175
declaring fuzzing, 491
VCP (Vulnerability Contributor Program), 72
verifying
exit system calls, 271
setreuid system calls, 272
VirtualBox
running BackTrack inside, 132–133
starting, 128–129
VirtualProtect function in DEP, 326
VMs (virtual machines)
detection of, 637
scripting control of, 589–590
using BackTrack ISO within, 128–131
Vista. See Windows operating systems
Visual Studio, 504–505
vmcontrol.py script, 589–590
VMware
catching, 644–646
controlling in Sulley, 589–590
fuzzing, 590–592
saving snapshot, 649–650
setting up on ProSSHD server, 305–306
thwarting detection of, 642–643
VoIP (Voice over Internet Protocol) attacks, 379–394
denial of service attacks, 387–388
eavesdropping/packet capture, 386
enumeration, 384–386
H.323 protocol, 382–383
Megaco H.248 protocol, 382
prosecution in, 36
protecting against, 393–394
protocols used by VoIP, 380–384
testing with VoIPER, 388–393
TLS and DTLS protocols, 383
types of, 384–393
what is VoIP, 379–380
VoIPER, 388–393
VSR (vulnerability summary report), 54–55
considerations before filing, 62–66
submitting for shared code bases, 58
validating, 57
vulnerabilities. See also VSR
application pre- and postconditions, 602–603
assessing, 10–11
attack possibilities with cross-site scripting, 378
continuing after patch released, 70–71
detecting malware, 670
disclosures about, 54
discovering with IDA Pro, 436
finding in shared code bases, 57–58
mitigating software, 617–632
OWASP’s list of, 361–362
patching into hole, 624–625
payload construction considerations, 611–614
repeatability of exploits, 603
types of client-side, 495–497
understanding application’s, 601–611
Vulnerability Contributor Program (VCP), 72
vulnerability summary report. See VSR
W
Walleye web interface, 640, 641–642
wanted_hotkey function, 465–466
WAP (wireless access point), 86–88
web applications, 361–378. See also OWASP
components in, 362–363
cross-site scripting vulnerabilities, 373–378
overview of, 361–362
SQL injection vulnerabilities, 362–373
testing for SQL injection vulnerabilities, 367–374
web browsers
client-side vulnerabilities of, 495–497
css-grammar-fuzzer, 510
exploiting javaprxy.dll as COM object, 502–504
finding new client-side vulnerabilities in, 506–522
Ibiza and Download.Ject attacks against, 500–501
IFRAME tag parsing buffer overrun vulnerability, 501–502, 503
Mozilla fuzzing tools for, 509–510
Operation Aurora and attacks on client-side, 505–506
outputting registered COM objects on system, 510–515
protection against client-side exploits, 522–523
WMIScriptUtils design vulnerability, 504–505
websites. See also cross-site scripting;
OWASP
disclosing vulnerabilities of, 62–63
duplicating ActiveX controls on malicious, 497–498
enticing users to malicious, 496
finding network capture information on, 400
scripting of web result pages, 373–374
wget utility, 258
while loops, 177–178
white hat hackers, 47, 418–419
Windows exploits, 297–339
address space layout randomization, 321–322
attack vector for, 309–312
building exploit sandwich, 312–313
bypassing memory protections, 322–339
compiling Windows programs, 297–299
controlling eip, 306–308
Data Execution Prevention and, 321
determining offset(s), 308–309
developing, 305
heap protections and, 320–321
implementing SEH, 316–317
launching against MS08-067 vulnerabilities, 142–146
safe structure exception handling and, 320
setting up ProSSHD server to develop, 305–306
stack-based buffer overrun detection, 318–320
Windows memory protections and, 318–322
writing, 304–315
Windows Explorer
examining DACLs in, 541–542
Windows memory protections, 318–339
about, 318
address space layout randomization, 321–322
bypassing, 322–339
Data Execution Prevention, 321
heap protections, 320–321
methods for bypassing, 338
overwriting calling function pointers, 595
replacing /GS protection mechanism cookie, 323
safe structure exception handling, 320
SEH Overwrite Protection, 320
stack-based buffer overrun detection, 318–320
Windows operating systems. See also access control; Windows exploits; Windows Registry DACL attacks
Access Check in, 535–537, 541, 542, 569, 571
access control RunAs feature, 529–530
attacks on weak directory DACLs, 564–567
compiling programs for, 297–299
CreateProcess function calls in, 253
debugging, 299–304
detaching Windows debugger, 541
displaying permissions for secret.txt, 547
finding COM objects in, 510–515
Ibiza and Download.Ject attacks against, 500–501
implementing SEH, 316–317
kernel space vulnerabilities in, 264
loading attack DLL at runtime, 566
locating vulnerable services, 557–559
malware registry modifications in, 659
memory protection in, 318–322
Metasploit compatibility with, 141–142
plug and play vulnerabilities, 526
registry DACL attacks, 560–564
replacing .exe files with attack .exe, 566–567
running client-side apps with lower privilege levels, 496, 522–523
service attack patterns in, 554–560
successful protection in Windows 7, 322
user space system calls from shellcode in, 252
Vista’s User Access Control, 496
Windows XP Service Pack 2, 499
working with magic directories, 567
Windows Registry DACL attacks, 560–564
about, 560–561
attacks on weak registry key DACLs, 564
enumerating registry key DACLs, 561–563
read permissions, 564
write permissions for registry keys, 563
Windows XP Service Pack 2, 499
WIPO (World Intellectual Property Organization Copyright) Treaty, 42–43
WMIScriptUtils vulnerabilities, 510
word, 180
worms
CFAA and, 33
defined, 636
write permissions, 572
writing. See also writing Linux shellcode bytes to arbitrary memory, 231–232
C-based shellcode system calls, 268–269, 276
Python loops, 199
reverse connecting shellcode, 284–285
sample program in C, 178–179
Windows exploits, 304–315
writing Linux shellcode, 267–296
automating with Metasploit, 294–296
basics of, 267–276
encoding shellcode, 260, 261, 287–293
executing /bin/sh program with execve, 272–276
exit system calls, 269–270
implementing port-binding shellcode, 276–283
making system calls, 268–269
setreuid system calls, 271–272
using reverse connecting shellcode, 284–287
X
xor command, 187
XP. See Windows operating systems
XSS. See cross-site scripting
Y
Yasca (Yet Another Source Code Analyzer), 426
Z
zero-day attacks
capturing with Walleye web interface, 640, 641–642
defined, 8
Zero-Day Initiative, 63, 64, 72
Zeroday Emergency Response Team, 642
zone elevation attacks, 499