S

$16–21 registers (Alpha CPU), 303
Sabin, Todd, DCE-RPC tools, 112
Samba heap overflows, 86
save instruction (Solaris), 216–219
saved return address, overwriting, 71, 81
Scalable Processor Architecture (SPARC) in Solaris, 216
scut, Exploiting Format String Vulnerabilities (article), 342
searching shellcode, 142–146
sections
DLLs, 108
PE files, 107
security
closed source software, 451
database servers, 509–510
exploits (defined), 4
inverse relationship with functionality, 510
Solaris/SPARC, 216
vulnerabilities (defined), 4
Web servers, 509
security bug (defined), 4
security holes
defined, 4
Windows 9X/ME, 120
Windows 2000, 120
Windows 2003 Server, 121
Windows NT, 120
Windows XP, 120
segment registers, 7
segments
.bss, 5, 84
.data, 5, 84
heap, 84–85
.text, 5
SEH (Win32 applications), 117
select() kernel stack buffer overflow (OpenBSD), 530–533
selective approach to source code auditing, 387–388
Sendmail
crackaddr function, 392
prescan function vulnerability, 399
service crashing, 63
SetDefaultExceptionHandler, 119
setitimer() kernel memory overwrite (OpenBSD), 533–535
setregid system call (Solaris), 222
setreuid system call (Solaris), 222
SetThreadToken(token_to_attach) function, 114
setuid(0)+execve Tru64 shellcode, 310–316
sharefuzz tool, 364–367
shellcode
byte matching, 288
continuation of execution, 346
defined, 35
optimizing development, 343–344
Packetstorm packaged shellcodes, 501
reusing connections, 347–348
shellcode creation tools
Cygwin, 124
Visual Studio, 124
shellcode failures
configuration-related, 502
host IDS-related, 502
network-related, 501
privilege-related, 501–502
thread-related, 502
shellcode library, 345
shellcode (Linux)
CALL instruction, 49–50
creating, 50–53
define byte (DB) directive, 50
exit(), 38–41
exit_group(), 41–42
hardcoded addresses, 49
hexadecimal opcodes, 35
injectable, 42–44
jump instruction, 49
null characters, 42–44
placeholders, 50–51
POP ESI instruction, 49–50
relative addressing, 49–50
size considerations, 39
spawning, 44–49
testing, 53
shellcode (Solaris/SPARC)
examples, 220
exec system call, 221–222
locations, 227
self-location determination, 220–221
stack overflow, 228–233
stabilizing exploits, 347
system calls, 36
shellcode (Tru64)
bind-socket, 319–320
connect-back, 316–317
find-socket, 317–319
setuid(0)+execve, 310–316
XOR decoder, 308–310
shellcode (Unix)
bindsocket, 288
connectback, 288
encryption, 289–299
findsocket, 288
shellcode (Windows)
encoder/decoder, 123–124
extendibility, 126
hardcoded addresses, 125
heapoverflow.c, 126–142
kernel32.dll, 125
popping, 147–148
Position Independent Code (PIC), 127
Process Environment Block (PEB), 134–135
reliability, 126
searching, 142–146
size considerations, 126
writing, 119, 344–345
Shellcoder's Handbook Web site, 3
signal() system call, 116
signature-based recognition of attacks, 419
signed comparison vulnerabilities, 395–396
single stepping dynamic linker (Solaris/SPARC), 271–286
size_t length specifier, 395
skipping null termination in strings, 394–395
Slammer worm, 125, 423, 528
sll instruction (Alpha), 305
small chunk corruption (Solaris), 260
_smalloc function (Solaris), 260
Smashing the Stack for Fun and Profit paper, Aleph One, 11, 340
smiler, The Art of Writing Shellcode (article), 341
SMTP CDONTS.NewMail SMTP injection bug, 413
Snort IDS, 289
Snort RPC preprocessor bug, 391
snprintf function format string bug, 58
So, Bryan, fuzz program creator, 353
socket() function, 147
sockets
bind-socket Tru64 shellcode, 319–320
bindsocket Unix shellcode, 288
find-socket Tru64 shellcode, 317–319
findsocket Unix shellcode, 288
Soeder, Derek, FaultMon utility creator, 361
SoftICE debugger, 118, 335336
software fault injection systems
DEPEND, 349
DOCTOR, 349
FERRARI, 349
FINE, 349
FIST, 349
MENDOSUS, 349
ORCHESTRA, 349, 353
ProFI, 349
Quality Assurance (QA) engineers, 350
research grants, 349
RIOT, 361–362
Xception, 349
software protection schemes, 431
Solaris Login heap overflows, 86
Solaris Xsun heap overflows, 86
Solaris/Intel, 215
Solaris/SPARC
ABI manual, 269
dynamic linking, 269–270
dynamic string (dynstr) table, 270
Global Offset Table (GOT) entries, 269–270
heap overflows
arbitrary free vulnerabilities, 262
Bottom chunk, 259
chunk consolidation, 254
double free vulnerabilities, 261–262
example, 262–266
function pointers, 233–234, 258–259
limitations, 257–258
off-by-one overflows, 261
small chunk corruption, 260
static data overflows, 267
style tricks, 286–288
t_delete() function, 254–256
tree structure, 234–254
lazy binding, 270
memory management, 223–224
non-executable stack, 216, 266–268
overwrite targets, 258–259
priocntl() vulnerability, 537–538
Procedure Linkage Table (PLT), 270–271
root privileges, 579–580
RPC services, 215
security features, 216
sharefuzz tool, 364
single stepping dynamic linker, 271–286
stack, 223–224
stack overflows
arbitrary size overwrite, 224
bypassing non-executable stack protection, 267–268
complications, 225–226
%i7 register, 225–226
off-by-one vulnerabilities, 226
register windows, 224–225
shellcode, 228–233
static data overflows, 267
SunOS, 215
system calls, 220
versions, 215
vfs_getvfssw() vulnerability
explanation, 544–548
exploit, 574–580
vulnerabilities, 215
Solaris/SPARC shellcode
examples, 220
exec system call, 221–222
locations, 227
self-location determination, 220–221
stack overflows, 228–233
so_socket system call (Solaris), 222
source code for MySQL, 481
source code auditing
format string bugs, 389–390
methodologies
bottom-up approach, 387
selective approach, 387–388
top-down (specific) approach, 387
reasons for, 383–384
tools
Cbrowser, 385
CQual, 386
Cscope, 384–385
Ctags, 385
editors, 385
RATS, 386
Splint, 386
vulnerabilities versus bugs, 402–403
source code disclosure bugs, 413
source, dest mnemonic (AT&T), 124
source-code auditing
binary auditing, 452
vulnerability tracing, 428
SPARC Architecture Online Reference Manual, 334
SPARC Assembly Language Reference Manual, 334
SPARC processor
delay slot, 219
frame pointer, 218
registers
flow control, 219
general-purpose registers, 216–217
global registers, 217
input registers, 217–219
%i7, 225–226
local registers, 217, 219
%npc, 219
output registers, 217–219
%pc, 219
register windows, 216, 219, 224–225
stack pointer, 218
SPARC (Scalable Processor Architecture) in Solaris, 216
spawning shellcode, 44–49
SPIKE fuzzer
benefits, 374
DCE-RPC recon, 112–114
dtlogin example, 374–381
HTTP, 374
generic fuzzers, 374
GNU Public License, 372
MSRPC fuzzer, 374
SunRPC fuzzer, 374
using, 373–381
Splint, 386
sprintf library function, 58, 466
SQL Injection, 420
SQL Server (Microsoft)
bugs, 469
running operating system commands, 521–522
3-Byte Patch, 477–479, 481
xp_cmdshell, 521–522
SQL (Structured Query Language)
functions
CHAR, 526–527
CHR, 526–527
vulnerabilities, 526–527
sqlping tool, 423
SQL*Plus (Oracle), 526
SQL-UDP bug, 415, 423–424
srl instruction (Alpha), 305
stabilizing exploits, 347
stack
defined, 5
EBP register, 15
extended stack pointer (ESP) register, 13–14
format string bugs, 80
format strings, 60
functions, 15–18
growing down the address space, 5
Last In First Out (LIFO), 5
non-executable, 29–30
POP instruction, 14–15
PUSH instruction, 14
Solaris/SPARC, 216, 223–224, 266–267
stack frames
Alpha CPU, 305
defined, 454
functions without a frame pointer, 455–456
non-traditional BP-based, 456
traditional BP-based, 455
stack lookup (process descriptor), 558
stack overflows
articles and papers, 340–341
buffers, 12–13, 18–20
format string bugs, 82
instruction pointer, 20–22
kernel-level vulnerabilities, 530
OpenBSD exec_ibcs2_coff_prep_zmagic(), 538–544, 549–574
root privileges, 22–24
"Smashing the Stack for Fun and Profit" (paper), Aleph One, 11
Solaris/SPARC
arbitrary size overwrite, 224
bypassing non-executable stack protection, 267–268
complications, 225–226
%i7 register, 225–226
off-by-one vulnerabilities, 226
register windows, 224–225
shellcode, 228–233
static data overflows, 267
SQL-UDP bug, 423–424
Tru64/Alpha, 320–322
Windows, 191–196
stack pointer
address, 24–26
Alpha CPU, 303
defined, 7, 13–14
offset, 24–26
SPARC, 218
stack protection in Windows 2003 Server, 161–167
stack values in heap overflows, 101
stack-based exception handlers, 150
StackGuard, 161
statd format string bug, 411
state-based protocols, 360
stateless protocols, 360
static analysis, 368
static data overflows (Solaris/SPARC), 267
static linking (functions), 433–434
static source code analysis tools, 386
Stdcall calling convention, 457
stl instruction (Alpha), 304
stq instruction (Alpha), 304
strace (system call tracer), 40–41
strcat library function, 466
strcpy library function, 466
strings
non-null termination, 393–394
null termination, 394–395
skipping null termination, 394–395
strlen library function, 462–463
Structured Query Language (SQL)
functions
CHAR, 526–527
CHR, 526–527
vulnerabilities, 526–527
stw, stb instruction (Alpha), 304
subl instruction (Alpha), 304
subq instruction (Alpha), 304
subtraction overflows, 397
Sun RPC library multiplication overflow vulnerability, 398
SunOS. See Solaris
switch statements, 460462
symbol packs (Windows), 108, 454
synthetic instructions (Solaris), 219
syscall() function (OpenBSD), 566–567
syscall proxies
concurrency problem, 489–490
defined, 486–487
how they work, 487–488
implementation approaches, 488–489
iteration problem, 489
marshalling, 488
RPC, 488
tools problem, 489
Windows example, 490–498
syscalls. See system calls
sysctl system call (OpenBSD), 558–560
sysctl_doproc() function (OpenBSD), 558–559
sysfs() system call (Solaris), 546–547
Sysinternals Process Explorer, 114–115
sysinternals Web site, 339
system() attacks in DCOM, 114
system call tracer (strace), 40–41
system calls (Alpha CPU), 308
system calls (defined), 36
system calls (Linux)
arguments, 37
assembly instructions, 37–38
brk(), 84–85
executing, 36–37
execve(), 45–49
exit(), 37–38
fastcall convention, 36
fork(), 45
free(), 85, 87–92
int 0x80 instruction, 36
integer values, 37
libc wrappers, 36
malloc()
heap overflows, 85, 87–88, 93–99
Win32, 109
mmap(), 84–85
open(), 107
printing, 40–41
protected kernel mode, 36
realloc(), 85
signal(), 116
tracing, 40
user mode, 36
Win32, 125
write(), 107
system calls (OpenBSD), 558–560
system calls (Solaris)
accept, 222
bind, 222
connect, 222
dup, 222
exec, 221–222
listen, 222
mount(), 547–548
open, 222
priocntl, 537
setregid, 222
setreuid, 222
so_socket, 222
sysfs(), 546–547
trap eight system trap, 220
trap zero system trap, 220
system calls (Unix)
ltrace, 339
strace, 339


The Shellcoder's Handbook. Discovering and Exploiting Security