List of Listings

Chapter 2: Assembly Language Quick Start

Listing 2.1: Main methods of data exchange
Listing 2.2: Main types of conditional jumps
Listing 2.3: Calling API functions of the operating system
Listing 2.4: The simplest Assembly insert that adds two numbers

Chapter 3: Hacking Using GPRS Uncovered

Listing 3.1: IDA script that automatically computes the checksum

Chapter 4: Buffers Subject to Overflow (Lane of Monsters)

Listing 4.1: Sequential buffer overflow in the course of a write operation
Listing 4.2: Index overflow in the course of a read operation
Listing 4.3: Vulnerability to buffer overflow that overwrites the pointer to executable code
Listing 4.4: Vulnerability to sequential write overflow, with overwriting of the pointer to the virtual table
Listing 4.5: Disassembled listing of the vulnerable program with brief comments
Listing 4.6: Vulnerability to sequential write overflow and overwriting a scalar variable and pointer to data
Listing 4.7: Vulnerability to sequential write overflow with index overwriting
Listing 4.8: Vulnerability to overflow with overwriting a scalar variable
Listing 4.9: Vulnerability to sequential write overflow with overwriting another buffer
Listing 4.10: An example of a structure with an overflowing buffer (highlighted in bold)
Listing 4.11: An example of a dynamic memory block vulnerable to overflow

Chapter 5: Exploiting SEH

Listing 5.1: Description of the EXCEPTION_REGISTRATION structure
Listing 5.2: Simple tracer for SEH frames
Listing 5.3: Layout of SEH frames in the memory
Listing 5.4: Investigation of the SEH frame layout in a multithreaded environment
Listing 5.5: Layout of the SEH frame in memory
Listing 5.6: Determining the address of the pointer to the current SEH frame
Listing 5.7: Registration of the custom handlers of structured exceptions

Chapter 6: Specifiers Under Control

Listing 6.1: The cfingerd patch
Listing 6.2: Demo example of a program vulnerable to various types of overflow errors
Listing 6.3: Program's reaction to the %s specifier
Listing 6.4: Program's reaction to the %X specifier
Listing 6.5: Viewing the memory dump using specifiers
Listing 6.6: Manually viewing the memory dump at the artificially formed pointer
Listing 6.7: Disassembled fragment of the demo program
Listing 6.8: Forming the pointer in the end of buffer and displaying it on the screen
Listing 6.9: Overwriting the cell with the %n specifier
Listing 6.10: An example that demonstrates overflow of the target buffer

Chapter 7: Practical Overflow Example

Listing 7.1: Disassembled Internet Explorer fragment, ensuring control is passed to shellcode
Listing 7.2: The code of the exploit (abbreviated)

Chapter 8: Searching for Overflowing Buffers

Listing 8.1: The rabbit hole
Listing 8.2: Program vulnerable to overflow despite protection measures
Listing 8.3: Direct value of the maximum buffer length passed to the function
Listing 8.4: Local variables automatically recovered by IDA
Listing 8.5: Passing the pointer to a local buffer
Listing 8.6: The example for investigating overflow errors
Listing 8.7: Disassembling under the field conditions
Listing 8.8: Preparing the shellcode
Listing 8.9: Entering the shellcode from the keyboard

Chapter 9: Methods of Protecting Buffers Against Overflow

Listing 9.1: A wrapper for malloc
Listing 9.2: An example of poor implementation of memory-allocation success or failure
Listing 9.3: An improved variant of the implementation of the memory-allocation check

Chapter 10: Shellcoding Problems

Listing 10.1: Placing string arguments in the stack with dynamic generation of the terminating zero
Listing 10.2: The table of offsets of the "low-frequency" characters counted from the beginning of the encrypted code
Listing 10.3: The table of remainders from offset division by four
Listing 10.4: The table of suitable positions of the key characters in the range
Listing 10.5: Disassembled listing of the shellcode decryptor taken from the Love San worm
Listing 10.6: The _EXCEPTION_REGISTRATION structure
Listing 10.7: Determining the base load address of kernel32.dll using SEH
Listing 10.8: Determining the base load address by searching the main memory for MZ and PE signatures
Listing 10.9: Implementing the PEB structure in Windows 2000/XP
Listing 10.10: Implementing the PEB_LDR_DATA structure under Windows 2000/XP
Listing 10.11: Fragment of the Love San worm
Listing 10.12: Love San worm fragment that determines the table of exported names address
Listing 10.13: Love San worm fragment that determines the function index in the table
Listing 10.14: Love San worm fragment that determines the actual address of an API function in the main memory
Listing 10.15: Fragment of the mworm worm using remote shell under xBSD/x86
Listing 10.16: Numbers of system calls in Solaris/SPARC
Listing 10.17: An example illustrating shellcode under Solaris/SPARC
Listing 10.18: Numbers of system calls under Solaris/x86
Listing 10.19: An example of shellcode under Solaris/x86
Listing 10.20: Numbers of system calls under Linux/x86
Listing 10.21: An example of shellcode under Linux/x86
Listing 10.22: Numbers of system calls in BSD/x86
Listing 10.23: An example illustrating shellcode under BSD/x86

Chapter 11: The Technique of Writing Portable Shellcode

Listing 11.1: Determining the location of the shellcode in memory
Listing 11.2: Eliminating parasitic zeros from the shellcode
Listing 11.3: Determining the absolute address of the GetCurrentThreadId function
Listing 11.4: Direct call to the API function by its absolute address
Listing 11.5: Pseudocode demonstrating the procedure of calling arbitrary functions
Listing 11.6: Searching for the base addresses of all loaded modules by PE signature
Listing 11.7: Manually parsing the export table
Listing 11.8: Determining the base address of kernel32.dll by analyzing PEB
Listing 11.9: Determining the base address of kernel32.dll using SEH
Listing 11.10: Main native API functions

Chapter 12: Self-Modification Basics

Listing 12.1: An example of inefficient use of self-modifying code
Listing 12.2: IDA Pro automatically recognizes the self-modification of the code
Listing 12.3: Improved version of self-modifying code that deceives IDA Pro
Listing 12.4: Disassembled listing of self-modifying code without cross-references produced by IDA Pro
Listing 12.5: Modifying a machine command that has already entered the pipeline
Listing 12.6: Self-modifying code in the stack (heap)
Listing 12.7: Self-modification used for encryption
Listing 12.8: What the encrypted procedure looks like
Listing 12.9: Using VirtualProtect to temporarily disable write protection on a local section
Listing 12.10: Using HIEW to obtain the opcodes of machine commands
Listing 12.11: Machine commands corresponding to the xor eax,66 command
Listing 12.12: Classical method of function calling makes code unrelocatable
Listing 12.13: Calling functions by pointers passed through arguments ensures the possibility of relocating the code

Chapter 13: Playing Hide-and-Seek Under Linux

Listing 13.1: The skeleton of the simplest module for version 2.4 kernels
Listing 13.2: The skeleton of the simplest module for version 2.6 kernels
Listing 13.3: Modules displayed by the lsmod command
Listing 13.4: Disguising the module using the Solar Designer method
Listing 13.5: The scheduler's "heart"
Listing 13.6: The procedure that needs to be inserted into the scheduler's body
Listing 13.7: Technique of trapping system calls
Listing 13.8: New filter for the proc_root file system
Listing 13.9: Reading from and writing to /dev/kmem from the application level
Listing 13.10: Fragment of the disassembled code of the int 80h interrupt handler
Listing 13.11: Searching for the int 80h interrupt handler inside /dev/kmem

Chapter 14: Capturing Ring 0 Under Linux

Listing 14.1: Key fragment of the Kernel Bluetooth Local Root exploit
Listing 14.2: Key fragment of the elf_core_dump() function vulnerable to overflow
Listing 14.3: Key fragment of the create_elf_tables function
Listing 14.4: Key fragment of load_elf_library containing the thread synchronization bug
Listing 14.5: Key fragment of sys_brk() with the auxiliary data structures coherence bug
Listing 14.6: Key fragment of the /mm/fault.c function containing a synchronization error

Chapter 15: Compiling and Decompiling Shellcode

Listing 15.1: A typical Assembly template for creating shellcode
Listing 15.2: An example illustrating insertion of the shellcode into the C program
Listing 15.3: Classical variant compiled in a normal way
Listing 15.4: An optimized variant of the program shown in Listing 15.3
Listing 15.5: Fragment of IIS-Worm with shellcode inside

Chapter 16: Life Cycle of a Worm

Listing 16.1: Head of the Code Red worm, arriving in the first TCP packet of the request
Listing 16.2: Fragment of the tail of the Morris worm
Listing 16.3: Five heads of the worm, striking the most vulnerable services
Listing 16.4: One of the worm's heads (see Listing 16.5 for its disassembled code)
Listing 16.5: Disassembled code of the MWorm worm
Listing 16.6: Head of the Code Red worm arriving in the first packet
Listing 16.7: Head of the Nimda worm
Listing 16.8: Fragment of the MWorm virus
Listing 16.9: Fragment of the Love San worm after unpacking

Chapter 18: Viruses in Scripts

Listing 18.1: Example of a virus that discloses its presence by an untypical formatting style
Listing 18.2: Fragment of the UNIX Tail.a virus that writes itself to the tail of the target file
Listing 18.3: Fragment of UNIX.Head.b inserting its body into the beginning of the target file
Listing 18.4: Fragment of the UNIX.Demo Perl virus

Chapter 19: ELF Files

Listing 19.1: Structure of the executable ELF file
Listing 19.2: Structure of the ELF file header
Listing 19.3: Structure of the program segment header
Listing 19.4: Structure of the section header
Listing 19.5: Memory map of a typical UNIX executable file
Listing 19.6: Fragment with UNIX.NuxBe.quilt, whose body "spreads" over the code section
Listing 19.7: Fragment with UNIX.NuxBe.jullet, whose body "spreads" over the data section
Listing 19.8: The .bss section of most files supplied as part of the FreeBSD distribution set
Listing 19.9: The disassembled .bss section viewed with IDA Pro and most disassemblers
Listing 19.10: Method of locating the code sections of a typical file
Listing 19.11: Fragment of ping using relative references between code segment sections
Listing 19.12: Map of the file infected by the virus that inserts its code into a special section

Chapter 20: Method of Capturing Control

Listing 20.1: Method used by the ls utility for calling the printf function

Chapter 21: Main Symptoms of Virus Infection

Listing 21.1: Fragment of the Lotek virus that carefully conceals its interest in ELF files
Listing 21.2: Fragment of the Linux.ZipWorm virus that confuses IDA Pro
Listing 21.3: An example of a normal start-up function with classical prologue and epilogue
Listing 21.4: Alternative example of the normal start-up function
Listing 21.5: Start-up code of the PolyEngine.Linux.LIME.poly virus

Chapter 22: Simplest Windows NT Virus

Listing 22.1: Source code of the key fragment of the lab virus
Listing 22.2: Batch file for recovery of infected files

Chapter 23: Bypassing Firewalls

Listing 23.1: Tracing the route stops at the firewall
Listing 23.2: Successful completion of tracing doesn't mean the firewall is missing

Chapter 24: Escaping through the Firewall

Listing 24.1: Key fragment of the shellcode that opens a new port at the server being attacked
Listing 24.2: Key fragment of the shellcode that establishes an outgoing connection
Listing 24.3: Key shellcode fragment that finds the socket corresponding to "its" connection
Listing 24.4: Key fragment of the shellcode that rebinds the opened port

Chapter 25: Organizing a Remote Shell Under UNIX and Windows NT

Listing 25.1: Key fragment of the simplest remote shell
Listing 25.2: Key fragment of the fully featured remote shell with the input/output scheduler

Chapter 27: Sniffing a LAN

Listing 27.1: Creating a raw socket under Linux/UNIX and switching it to promiscuous mode
Listing 27.2: Key fragment of the packet sniffer for Windows 2000/XP

Chapter 28: Databases Under Attack

Listing 28.1: Encryption of the password hash by a random string
Listing 28.2: Master password to the database stored as plaintext in the script body
Listing 28.3: A typical method of forming the database query

Chapter 31: Legends and Myths about Flashing BIOS

Listing 31.1: An example of the description of a BIOS firmware update
Listing 31.2: BSODs and critical application errors possibly caused by BIOS design errors
Listing 31.3: Environment of the entry point to ASUS AMI BIOS
Listing 31.4: Environment of the entry point to EPOX Award BIOS
Listing 31.5: Disassembled BIOS code

Chapter 32: Viruses Infecting BIOS

Listing 32.1: Hex dump of the last 30h bytes of the firmware
Listing 32.2: Disassembled listing of the environment of the firmware entry point
Listing 32.3: Start of the disassembled boot block
Listing 32.4: Unpacked code of BIOS firmware
Listing 32.5: The 9a69vpa1.bin module with the entry point at the 10h offset from the end
Listing 32.6: The pxe.lom module containing the 55 AA signature
Listing 32.7: The decomp_blk.bin module with the text header terminated by zero
Listing 32.8: The awardeyt.rom module starts with the entry point
Listing 32.9: An ISA module implementing additional password protection
Listing 32.10: Simple IDA script that automatically computes the checksum
Listing 32.11: Interrupt handler passes control to the virus code when loading the boot sector
Listing 32.12: Fragment of a typical boot block
Listing 32.13: The magic 55 AA 7x sequence
Listing 32.14: BIOS extension that enables interleaving of the DRAM banks


Shellcoder's Programming Uncovered
ISBN: 193176946X
EAN: 2147483647
Year: 2003
Pages: 164