Index
A
ABI (Application Binary Interface), PowerPC
abstractions, Mach
Address Resolution Protocol (ARP) requests, Bonjour
address space layout randomization (ASLR)
administrative interface, QuickTime Streaming Server
agents, daemons vs.
AIM (AOL Instant Messaging), iChat spy
analysis
combining static and dynamic
dynamic
source code. See source-code analysis
static
ANNOUNCE method, RTSP
AOL Instant Messaging (AIM), iChat spy
Apple
AppleFileServer security bugs
Kernel Programming Guide
prerelease-vulnerability collection
security of open-source code used by. See source-code analysis
Application Binary Interface (ABI), PowerPC
architecture. See Mac OS X architecture
ARP (Address Resolution Protocol) requests, Bonjour
The Art of Assembly Language (No Starch, 2003)
ASCII characters
smashing stack on PowerPC
smashing stack on x86
ASLR (address space layout randomization)
assembly
The Art of Assembly Language (No Starch, 2003)
Intel x86 exploit payloads
Mac OS X payload development
PowerPC exploit payloads
system calls at level of
trampoline code for x86
AT&T syntax, x86 assemblies
atom, .mov files
.atr extension
attack strings
mDNSResponder UPnP exploit on x86
QuickTime RTSP exploit
QuickTime RTSP exploit on Leopard
QuickTime RTSP exploit on x86
smashing stack on PowerPC
smashing stack on x86
triggering vulnerabilities with
using return into system( )
attack surface, client side
cutting into
references
Safari
attack surface, defined
attack surface, server side
nonstandard listening processes
references
searching
B
Berkeley Software Distribution. See BSD (Berkeley Software Distribution)
binaries
EIP-relative data addressing when disassembling
finding bugs using static analysis
oddities of Mach-O
patching
reverse-engineering with Pai Mei
reversing Obj-C. See Obj-C (Objective-C), reversing
universal
blr (branch and link) register, PowerPC
Blue Pill, hardware-virtualization rootkit
Bonjour
disabling
interacting with
IP address requirement
mDNSResponder
minimizing exposure to attacks on
name translation setup requirement
overview of
real-world exploit. See mDNSResponder, UPnP location header overflow
references
requirements for
service discovery requirement
source code
Xcode project and
BootX booter
bp_set( ) function, PyDbg
branch and link (blr) register, PowerPC
breakpoints
QuickTime RTSP exploit
setting with Pai Mei
setting with PyDbg script
BSD (Berkeley Software Distribution)
Mac OS X architecture
Mac OS X kernel based on
Robert Morris Internet worm and
within XNU kernel
buffer overflows
discovering vulnerabilities
exploiting heap. See heap overflows, exploiting
exploiting Location headers in UPnP
exploiting stack. See stack overflows, exploiting
finding bugs in WebKit
finding heap
searching for
stack protection from
bugs, searching for
Apple’s prerelease-vulnerability collection
in changelogs
file fuzzing and
fuzzing and
network fuzzing and
overview of
references
strategies for
using source-code analysis. See source-code analysis
bundle injection. See also Mach injection
Mach-O inject_bundle exploit payload
references
testing
bundles
Mac OS X architecture
types of documents supported by
byte order
hiding files
in source code
triggering vulnerability on PowerPC
C
C++, Objective-C vs.
caches, PowerPC
calculateCompiledPatternLength( ) function
Calculator program
patching binaries
reverse engineering case study
working with Pai Mei
canary value, and stack protection
CanSecWest 2008 bug
case study
immediate patch-release for
overview of
QuickTime for Java real-world exploit
CANVAS penetration-testing tool
capability-based security model, Mach
case studies
exploiting heap overflows
reverse engineering
CD Sharing option, Sharing Pane
CFBundleDocumentTypes
CFBundleTypeRole
changelogs, bugs lurking in
cthread_set_self( ) function, Mach injection
CISC (complex instruction set computer), x86
class-dump tool, method swizzling
client side attacks
cutting into
references
Safari and
coalescing, szone
CocoaSequenceGrabber
code coverage
CanSecWest 2008 bug
discovering vulnerabilities with
monitor
using Pai Mei for binary
code execution, overwriting heap metadata
CollectorBlocks, WebKit
Common Unix Printing System. See CUPS (Common Unix Printing System)
commpage
compileBranch( ) function, regular expressions
complex instruction set computer (CISC), x86
conditional jumps
Contents folder, application bundles
Content-Type header. See QuickTime RTSP Content-Type header overflow
control channel, rootkit
CORE IMPACT penetration-testing tool
CPU registers
CrashReporter. See ReportCrash (CrashReporter)
CSGCamera class
CSGCameraDelegate class
CSGCameraDelete class
ctr register, PowerPC
CUPS (Common Unix Printing System)
history of security bugs
nonstandard listening processes
searching for server-side attacks
D
D compiler, dtrace invoking
D programming language
DAAP (port 3689), attacks on iTunes
daemons, agents vs.
Darwin core
Darwin Streaming Server, for RTSP
Data Execution Prevention (DEP), Windows
data region, Mach-O file format
data segment buffer overflow. See mDNSResponder, UPnP location header overflow
_DATA segments, overwriting heap metadata
database
application information stored in
querying information
debugging. See also GDB (GNU Debugger)
case study using reverse engineering
creating in mDNSResponder
method swizzling using
using special heaps for
decimalNumberByAdding
decimalNumberBySubtracting
decode_longxor
decoders
decode_longxor
payload decoder stubs
defragmenting heap, feng shui
defragmenting packets, kernel
deny-by-default policy
DEP (Data Execution Prevention), Windows
DESCRIBE method, RTSP
device drivers
adding and managing with I/O Kit
adding and removing new code
maintaining access across reboots
Dictionary app program, attack surface
directories
device driver
mDNSResponder
systemwide launched configuration files
disassembly
analyzing for bugs in static analysis
easier to read after Obj-C clean up
IDA Pro starting for Pai Mei
oddities of Mach-O binaries
smashing stack on x86
using otool to get listing for
disassembly grep method
mDNSResponder UPnP overflow exploit
QuickTime RTSP exploit
QuickTime RTSP exploit on Leopard
dlopen( ) function
dlsym( ) function
.dmg files
DNS, Multicast DNS vs.
DNS-SD (DNS Service Discovery)
DTrace
D programming language
describing probes
finding and exploiting bugs
finding executed library calls
getting instruction tracer/code-coverage monitor
Mac OS X architecture
memory tracer example
overview of
dup2_std_fds
DVD Sharing option, Sharing Pane
dyld (dynamic linker)
executing payload from heap
finding useful instruction sequences
smashing stack on PowerPC
x86 inject_bundle payload
DYLD_INSERT_LIBRARIES
dynamic analysis. See also fuzzing
dynamic binding, Objective-C
dynamic libraries, loading
dynamic linker. See dyld (dynamic linker)
E
EAX register
executing payload from heap
executing system calls on x86
exploiting vulnerability
finding useful instruction sequences in
x86, defined
effective user IDs
EIP-relative data addressing
encoders
encode_longxor encoder
payload. See payload encoders
encryption, fuzzing using
EngineNotificationProc, RTSP
ENOTSUP, vfork( )
epilog, subroutine
exceptions, Mach
exec-payload-from-heap stub
executable heap
Execute Disable (XD) bit
execve( )
calling vfork( ) prior to calling
executing shell
forking new process
execve_binsh
defined
executing shell
PowerPC exploit payloads
putting together simple payloads
testing
exploit payloads
constraints on
defined
dynamically injecting code into
executing from heap
Intel x86. See x86 exploit payloads
Mac OS X. See Mac OS X exploit payloads
PowerPC. See PowerPC exploit payloads
references
shellcode vs.
smashing stack on PowerPC
exploitation
of heap overflows. See heap overflows, exploiting
real-world exploits. See real-world exploits
of stack overflows. See stack overflows, exploiting
F
feng shui, heap
file formats
client-side attacks on Safari-supported
Safari safe files
Safari’s extended attack surface
file fuzzing
overview of
of QuickTime Player
File Sharing option, System Preference
Filemon utility
Finder, hiding files in rootkit
firewall, Leopard security and
fixobjc.idc file, cleaning up Obj-C
4-byte overwrite, arbitrary
frame pointer
defined
executing payload from heap
exploitation on x86
setting breakpoint after setting
smashing stack on x86
stack usage on PowerPC
stack usage on x86
frames, stack memory
free lists, szone
defined
freeing and allocating memory
obtaining code execution
overwriting heap metadata
FreeBSD code, within XNU kernel
fs_usage, DTrace
function hooking
overview of
references
SSLSpy example
function pointers
in data segment buffer overflows
exploiting on PowerPC using
heap spraying and
hooking functions using
obtaining code execution
system calls
WebKit’s JavaScript and
functions, identifying missing binary
fuzzing
defined
with dynamic analysis
file
.mov file format for
network
overview of
PyDbg in-memory
Fuzzing: Brute Force Vulnerability Discovery (Sutton, Greene and Amini)
FZMessage
G
garbage collection, forcing JavaScript
feng shui case study
WebKit’s JavaScript
GDB (GNU Debugger)
attaching to iTunes with
exploiting UPnP vulnerability on x86
method swizzling using
overview of
payload development using
ptrace and
triggering vulnerability on PowerPC
generation-based approach, to fuzzing
generic kernel extensions
getdirentriesattr( ) function
GNU Assembler syntax
GNU Debugger. See GDB (GNU Debugger)
Guard Malloc
gzip files, client-side attacks on
H
handler_breakpoint function, PyDbg
hardware, protecting
hardware-virtualization rootkits
hyperjacking
hypervisor
overview of
hashing function, x86 inject_bundle
headers
Mach-O file format
RTSP request
RTSP response
heap
difficulty of finding buffer overflows
executable
executing payload from
memory tracer analysis
overview of
unpredictability of
heap overflows, exploiting
case study
creating heap spray
feng shui
feng shui case study
the heap
heap spray case study
overwriting heap metadata
references
scalable zone allocator
WebKit’s JavaScript
heap sprays
defined
feng shui approach vs.
overview of
hello-kernel extension
hiding
files, creating simple rootkit for
rootkits
Honoroff, Jake
hooking functions. See function hooking
HTTP (HyperText Transfer Protocol), RTSP vs.
huge allocations, szone
human-readable names, probes
hyperjacking
HyperText Transfer Protocol (HTTP), RTSP vs.
hypervisor
I
iChats
injectable bundle to spy on
method swizzling and
IDA Pro
cleaning up Obj-C
correcting messed-up jump tables
ida-x86emu emulator for
identifying missing binary functions
patching binaries within
reverse engineering case study
setting breakpoints in Pai Mei
IDAPython
ida-x86emu emulator
IDE (Integrated Development Environment), XCode
IETF (Internet Engineering Task Force), Zero Configuration Working Group
_IMPORT segments, overwriting heap metadata
info mach-region command, GDB
info sharedlibrary command, QuickTime
Info.plist file
determining client-side attack surface from
for hello_kernel extension
maintaining access across reboots
from QuickTime Player
inject_bundle
injecting code into another process using Mach
Intel x86 exploit payload
loading dynamic library or bundle
testing
usage
injection vectors
defined
exploit payloads. See exploit payloads
exploiting heap overflows. See heap overflows, exploiting
exploiting stack overflows. See stack overflows, exploiting
in-memory fuzzing, PyDbg
input approaches, fuzzing
instruction sequences
exploitation techniques
PowerPC stack exploit
x86 stack exploit
instruction tracer/code-coverage monitor, DTrace
integer overflow, real-world exploit
Integrated Development Environment (IDE), XCode for Apple
Intel
syntax
VT-x virtualization
x86. See x86
interfaces, Mach
Internet Engineering Task Force (IETF), Zero Configuration Working Group
interprocess communication (IPC), Mach
invalid inputs
in fuzzing
testing application using
I/O Kit, Mac OS X
IOKit drivers
IP addresses, Bonjour
IP Filter, rootkit
IPC (interprocess communication), Mach
ipf_add4() function, rootkit IP Filter
iPhone bug
iSight photo capture
island function
IsRegister program
iTunes
anti-debugging features in
debugging and tracing
disabling anti-debugging features
remote attacks on
J
JavaScript, exploiting WebKit
jmp_buf [JB_EBP]
.jp2 files
JRSwizzle
jsRegExpCompile function
jump tables, messed-up
K
kdump command
KERN_SUCCESS
Kernel Programming Guide, Apple
kernel programming interface (KPI), IP Filter
kextfind tool
kexts (kernel extensions)
building using Xcode
debugging involving reboots
hiding files in rootkit
hiding rootkit
maintaining access across reboots
managing and organizing in kernel
overview of
kextstat command
hiding files within rootkit
hiding rootkit
listing all loaded drivers
kmod (kernel module)
defined
managing and organizing
kmod_hider
KPI (kernel programming interface), IP Filter
Ktrace
KUNCExecute( ) function, rootkit IP Filter
L
Label key
large allocations, szone
large arbitrary memory overwrite
Last Stage of Delirium (LSD) Research Group
last-free cache, szone
launchd
LaunchServices
LC_SEGMENT load command, x86 inject_bundle
LC_SYMTAB load command, x86 inject_bundle
Leopard
mDNSResponder running as unprivileged user
retargeting exploit on QuickTime RTSP to
Leopard security
executable heap
firewall
library randomization
Mach model
overview of
references
sandboxing (Seatbelt)
stack protection (propolice)
libraries
containing RTSP parsing code
loading
searching QuickTime for
Library Randomization
defined
Leopard security and
overcoming
overcoming in stack buffer overflow exploit
QuickTime RTSP exploit on x86 and
return-to-libc exploits
linked lists
detecting heap memory corruption
disadvantage of heap spraying
hiding rootkit by removing from
kernel modules stored in
_LINKEDIT segment, x86 inject_bundle
load commands, Mach-O file format
bundle-injection payload component
defined
header format
LC_SEGMENT format
LC_SYMTAB format
loading dynamic library or bundle, Mach injection
local-privilege escalation attacks
longjmp( ) function
lr (link register)
defined
smashing stack on PowerPC
stack usage on PowerPC
LSD (Last Stage of Delirium) Research Group
ltrace
M
.m file extension, Objective-C
Mac OS X architecture
basics
BSD kernel
bundles
Darwin
DTrace
I/O Kit
kernel. See XNU (Mac OS X) kernel
Ktrace
launchd
Leopard security. See Leopard security
Mach
Mach-O file format
Objective-C language
tools
universal binaries
XNU kernel
Mac OS X exploit payloads
encoders and decoders
executing shell
forking new process
overview of
payload components
restoring privileges
staged payload execution
Mac OS X Finder
Mac OS X Internals: A Systems Approach (Addison-Wesley)
Mac OS X parlance
Bonjour. See Bonjour
QuickTime Player. See QuickTime Player
Mac OS X Server
Mach
abstractions
changing FreeBSD code to coexist with
exceptions
implementing through GDB
introduction to
security model
within XNU kernel
Mach injection
example: iSight photo capture
inject_bundle usage
loading dynamic library or bundle
overview of
references
remote process memory
remote threads
mach_inject
mach_inject_bundle( ) function
mach_msg_server( )
mach_override( ) function
mach_thread_trampoline
Mach-O (Mach object) file format
example
inject_bundle exploit payload
Mac OS X architecture
mach-regions command, GDB
magic addresses
magic constants
magic packet pattern, IP Filter rootkit
mDNS name resolution, Bonjour
mDNSCoreReceive function
mDNSCoreReceiveQuery function
mDNSCoreReceiveResponse function
mDNSMacOSXNetworkChanged( ) function
mDNSResponder
code for sandboxing
disabling Bonjour
source code for
XCode project for
mDNSResponder, UPnP location header overflow
exploiting on PowerPC
exploiting vulnerability
overview of
triggering vulnerability
memory
allocated from heap
automatically allocated stack
executable heap and
freeing and allocating in heap
in-memory fuzzing using PyDbg
as Mach abstraction
QuickTime for Java real-world exploit
remote process
searching using PyDbg
stack
useful instruction sequences in
WebKit’s JavaScript
memory tracer, DTrace
messages, Mach
metadata, overwriting heap
metadata headers, szone
Metasploit Framework
QuickTime memory access exploit
QuickTime RTSP exploit. See QuickTime RTSP Content-Type header overflow
UPnP exploit. See mDNSResponder, UPnP location header overflow
using in exploits
method swizzling, Objective-C
iChat spy example
overview of
references
methods, possible RTSP
microkernel-based operating system
MIG (Mach Interface Generator)
Miller, Charlie
MIME types
Safari support for
safe file types
Morris, Robert
.mov, QuickTime file format
Movie Atom, .mov files
MPEG-4
MSG_PEEK flag, tcp_find
multithreaded processes
mutation-based approach
file fuzzing QuickTime Player
high-quality fuzzed inputs
network fuzzing QuickTime Player
N
name translation, Bonjour
NASM (Netwide Assembler)
NAT mappings, mDNSResponder
Netwide Assembler (NASM)
network fuzzing
Network Time Protocol daemon (ntpd)
New Media Playlist, QuickTime
NeXTSTEP
nm command
No Execute (NX) bit
non-executable stack
exploiting
QuickTime RTSP exploit on x86 and
stack buffer overflow exploit and
NOP (no-operation) instructions
heap feng shui and
heap spraying and
smashing stack on PowerPC
NSDecimalNumber class
NSLinkModule( )
NSRunLoop
NSString argument type
nsysent variable, system calls
ntpd (Network Time Protocol daemon)
NULL bytes
avoiding for exploit payloads
avoiding in decode_longxor payload
avoiding in execve_binsh payload
avoiding in local exploit payloads
executing shell passing
numberHeap, WebKit
NX (No Execute) bit
O
Obj-C (Objective-C)
in Mac OS X architecture
method swizzling
method swizzling, iChat spy example
Obj-C (Objective-C), reversing
case study
cleaning up
overview of
patching binaries
understanding objc_msgSend calls
objc_msgSend calls
cleaning up Obj-C
reversing Obj-C
objc_msgSend calls, reversing Obj-C
case study
understanding
object file displaying tool (otool)
object-oriented programming, in Objective-C
on_input() function, rootkit IP filter
OnDemand key, configuring launchd
Open command, Xcode
OpenBSD, W^X in
open-source software, Apple
prerelease-vulnerability collection
updating
OPTIONS headers
otool (object file displaying tool)
overwriting heap metadata
with arbitrary 4-byte overwrite
with large arbitrary memory overwrite
obtaining code execution
overview of
P
Pai Mei
PAIMEIpstalker icon
patches
Apple taking many weeks to provide
binary
pattern_offset.rb tool, Metasploit
PAUSE method, RTSP
payload decoder stubs
payload encoders
decode_longxor payload
overview of
testing encoded payloads
payloads. See exploit payloads
PCRE code
peek, tcp_find payload
penetration testing, SSLSpy
PID (process ID), Mach tasks
pid_for_task( ) authorization
PIDA files, Pai Mei
PLAY method, RTSP
playlists, adding file to
plist (property list) files. See also Info.plist file
defined
overview of
plug-ins, Safari
popping stack
ports
comparing Multicast DNS with
Mach
in nonstandard listening processes
remote attacks on iTunes using
searching attack surface for open
POSIX threads, Mach injection
PowerPC
exploiting mDNSResponder UPnP vulnerability on
exploiting QuickTime RTSP Content-Type header overflow on
finding useful instruction sequences
Mach security model on Tiger for
smashing stack on
stack usage on
PowerPC exploit payloads
decode_longxor
dup2_std_fds
execve_binsh
overview of
putting together simple payloads
references
system
tcp_connect
tcp_find
tcp_listen
testing simple components
vfork
primaryHeap, WebKit
Printer Sharing option, System Preference
privileges, exploit payload development
probes, DTrace
process ID (PID), Mach tasks
Process Stalker (pstalker) module, Pai Mei
profiles, Seatbelt
Programming Under Mach (Addison-Wesley)
prolog, subroutine
protocols
Bonjour. See Bonjour
RTSP
providers, probes
pstalker (Process Stalker) module, Pai Mei
PT_DENY_ATTACH ptrace request
pthread_set_self( ) function, Mach injection
pthread_trampoline, Mach injection
PTR records, DNS-SD
ptrace debugging facilities
pushing stack
Pwn2Own contest
CanSecWest 2008 bug
source code for
vulnerability exploited in
PyDbg
basics
binary code coverage with Pai Mei
in-memory fuzzing
memory searching
overview of
Pai Mei built on top of
Python
pyzeroconf package
Q
QTHandleRef.toQTPointer( ) method
QTPointerRef objects
quanta of memory
queries, Multicast DNS vs.
quicklookd, Seatbelt
QuickTime Player
file types played by
Info.plist from
.mov
network fuzzing targeting
overview of
references
using RTSP protocol
QuickTime QTJava toQTPointer( ) memory access
exploiting toQTPointer( )
obtaining code execution
overview of
QuickTime RTSP Content-Type header overflow
exploiting on PowerPC
exploiting on x86
overview of
retargeting to Leopard (PowerPC)
triggering vulnerability
QuickTime Streaming Server, RTSP
R
RCDefaultApp
Real Time Streaming Protocol. See RTSP (Real Time Streaming Protocol)
real user IDs
Real-Time Control Protocol (RTCP)
RealTime Transport Protocol. See RTP (RealTime Transport Protocol)
real-world exploits
mDNSResponder UPnP overflow. See mDNSResponder, UPnP location header overflow
overview of
QuickTime memory access
QuickTime RTSP overflow. See QuickTime RTSP Content-Type header overflow
references
reboots
debugging kernel code involving
maintaining access across
RECORD method, RTSP
red zone, stack usage on PowerPC
REDIRECT method, RTSP
references
attack surfaces
Bonjour
bundle injection
exploit payloads
exploiting heap overflows
exploiting stack overflows
finding bugs
function hooking
Leopard security
Mach injection
Mach RPC
Objective-C method swizzling
QuickTime Player
real-world exploits
reverse engineering
rootkits
RTSP
tracing and debugging
regions, scalable zone allocator
registers
executing payload from heap
PowerPC architecture
smashing stack on PowerPC
smashing stack on x86
x86
regular expressions
compiling
feng shui case study
patching CanSecWest 2008 bug
remote access, rootkit providing
Remote Apple Events, Sharing pane
Remote Login, Sharing pane
remote procedure call. See RPC (remote procedure call), Mach
remote process memory, Mach injection
remote threads, Mach injection
remote_execution_loop
Intel x86 exploit payloads
output from testing
testing
Rendezvous. See Bonjour
ReportCrash (CrashReporter)
file fuzzing of QuickTime Player
smashing stack on PowerPC using
smashing stack on x86
ret instruction
return addresses, QuickTime RTSP exploit
return to system( ) function
return-to-libc exploits
executing payload from heap
overview of
using return into system( ) function
reverse engineering
case study
EIP-relative data addressing
identifying missed functions
messed-up jump tables
.mov file format for
Pai Mei using
patching binaries
references
reversing Obj-C. See Obj-C (Objective-C), reversing
rights, Mach port
RIP-relative data addressing
Robert Morris Internet worm
rootkits
controlling
defining
hardware-virtualization
hiding
hiding files
kernel extensions
maintaining access across reboots
providing remote access with
references
system calls
RPC (remote procedure call), Mach
controlling rootkit
Mach security model
overview of
RTCP (Real-Time Control Protocol)
RTP (RealTime Transport Protocol)
packet capture showing transition from RTSP to
RTSP using
streaming contents of media via
RTSP (Real Time Streaming Protocol)
defined
fuzzing of QuickTime Player
overview of
real-world exploit. See QuickTime RTSP Content-Type header overflow
references
Ruby scripts
smashing stack on PowerPC
smashing stack on x86
run( ) function
inject_bundle usage
iSight photo capture example
loading dynamic library
testing complex components
x86 inject_bundle payload
S
Safari
exploiting
extended features and attack surface of
Info.plist
other applications spawned by
safe file types
sandboxing limitations of
stack protection and
starting using launchd
safe file types
sandbox_init( ) function
sandboxes
caveat to
Leopard security and
mDNSResponder code for
saved-set user IDs
scalable zone allocator
scan_for_upnp_port( ) method
Scheme programming language, Seatbelt
Screen Sharing option, Sharing pane
.sdp playlist file, QuickTime Player
searching
for bugs. See bugs, searching for
memory, using PyDbg
Seatbelt
security. See also Leopard security
Mach model
perceiving Bonjour as risk to
testing using SSLSpy
segments, Obj-C binary
servers, RTSP
server-side attacks
service discovery, Bonjour
services, turning on
session identifiers, RTSP
SET_PARAMETER method, RTSP
seteuid( ) function
setjmp( ) function
setuid( ) function
SETUP method, RTSP
shared resources
constraints on exploit payloads
containing in bundles
Sharing pane, System Preferences
shellcode
defined
dynamically injected code as
executing shell
The Shellcoder’s Handbook
SIGABRT signal, stack protection
size
atom structure of .mov file
constraints on exploit payloads
getting around constraints of exploit injection vectors
small allocations, szone
smashmystack( ) function
source code
source-code analysis
CanSecWest 2008 bug
code coverage
getting to source
overview of
using static analysis
SSL
fuzzing from within program
SSLSpy example of function hooking
SSLClose( ), hook for
SSLHandshake( )
stack overflows
RTSP
stack protection (propolice)
stack overflows, exploiting
finding useful instruction sequences
overview of
real-world exploit. See QuickTime RTSP Content-Type header overflow
references
smashing stack on PowerPC
smashing stack on x86
stack basics
stack usage on PowerPC
stack usage on x86
x86 non-executable stack
stack pointer
defined
setting breakpoint after setting
smashing stack on x86
stack usage on PowerPC
stack usage on x86
stack protection (propolice)
staged payload execution
StartCalendarInterval key
StartInterval key
stateless, HTTP as
static analysis
stmw instruction
defined
execve_binsh payload
system payload
strcpy( ) function
strdup( ) function
subroutines
stack basics
stack usage on PowerPC
stack usage on x86
.swf files
sy_call field
sysent table
system
system( ) function, return-to-libc exploits
system calls
executing on x86
hiding files in rootkit
on PowerPC
working with
T
targets, setting with Pai Mei
task_for_pid( ) authorizations, Mach
tasks, Mach
loading dynamic library or bundle into
overview of
security model
TCP
searching attack surface of Mac OS X Server
transmitting RTSP over
tcp_connect
tcp_find
tcp_listen
TEARDOWN method, RTSP
test_component
testing, complex payload components in x86
thread_set_exception_ports( )
threads, Mach
injection
injection using remote
overview of
Tiger
firewall used in
heap blocks on free list
introducing launchd
Mach security model on PowerPC
mDNSResponder running as root
tiny allocations, szone
toggle_ipfilter() function, rootkit IP Filter
tools, Mac OS X
tracing and debugging
DTrace. See DTrace
GDB
iTunes
ptrace
PyDbg. See PyDbg
references
trampolines
try/catch block
U
UDP
searching attack surface of Mac OS X Server
streaming media via RTP over
transmitting RTSP over
Universal Plug and Play. See UPnP (Universal Plug and Play)
UNIX
under Mach
Mach security model vs.
sockets vs. Mach ports
update.sb
UPnP (Universal Plug and Play)
exploiting on PowerPC
exploiting vulnerability
mDNSResponder creating NAT mappings using
triggering vulnerability
upnp_server( ) method
URL handlers
user IDs
UserName key, launchd
ustack( ) function, D
V
vfork( )
defined
forking new process
PowerPC exploit payloads
video on demand, QuickTime Player
virtual machine monitor (VMM)
virtual-machine control structure (VMCS)
Vitriol, hardware-virtualization rootkit
defined
hyperjacking
rootkit hypervisor
vm_allocate( ) method
VMCS (virtual-machine control structure)
VM-entry
VM-exit events
VMM (virtual machine monitor)
VMX-root mode
W
WebKit
exploiting JavaScript
finding bugs in
rapidity of Apple fixes to publicly available
wide-area Bonjour
wildcards, DTrace
Windows
application sandboxing and
IDA Pro running only in
write4primitive
write-back caches, PowerPC
W^X
X
x86
calling subroutines in PowerPC vs.
exploiting non-executable stack
extensive use of stack on
finding useful instruction sequences
QuickTime RTSP exploit on
smashing stack on
stack usage on
x86 exploit payloads
CISC architecture of
common instructions
executing system calls
inject_bundle
references
remote_execution_loop
testing complex components
Xcode
building simple kext using
defined
in mDNSResponder
XD (Execute Disable) bit
XNU (Mac OS X) kernel
defined
FreeBSD code within
I/O Kit within
Mac OS X architecture
Mach within
XOR decoding
Z
Zero Configuration. See Bonjour
Zero Configuration Working Group, IETF
0x80 method, system calls on x86
Zeroconf. See Bonjour
zones. See also scalable zone allocator