E

F

$15 register (Alpha CPU), 303
fault injection
delimiting logic, 355–357
fault delivery, 358–359
fuzzing, 363–364
heuristics, 359–360
input generation
automated generation, 352–353
fuzz generation, 353
live capture, 353
manual generation, 352
test supplements, 351–352
input sanitization, 357–358
modification engines, 354–355
Nagle algorithm, 359
state-based protocols, 360
stateless protocols, 360
timing, 359
fault injection systems
DEPEND, 349
DOCTOR, 349
FERRARI, 349
FINE, 349
FIST, 349
MENDOSUS, 349
ORCHESTRA, 349, 353
ProFI, 349
Quality Assurance (QA) engineers, 350
research grants, 349
RIOT, 361–362
Xception, 349
fault monitoring
debuggers, 360–361
FaultMon utility, 361–362
importance of, 360
FaultMon utility, 361–362
FERRARI fault injection system, 349
FIFO (First In First Out), 5
FileMon, 340
filters
alphanumeric filters, 197–201
"Bypassing MSB Data Filters for Buffer Overflows" (paper), Riley "Caezar" Eller, 197–198
"Creating Arbitrary Shell Code in Unicode Expanded Strings" (paper), Chris Anley, 201–202
Unicode filters, 201–202
finding
buffer length, 89
DOS attacks, 422–423
find-socket Tru64 shellcode, 317–319
findsocket Unix shellcode, 288
find_sym() function (Solaris), 299–300
FINE fault injection system, 349
fingerprint systems
application identification, 505
OS identification, 505
ports, 506–507
vulnerability tracing, 448–449
First In First Out (FIFO), 5
FIST fault injection system, 349
for loops, 459–460
fork() system call, 45
format string attacks
articles and papers, 342
controlling execution, 69–71
misconceptions, 61
Format String Attacks (article), Tim Newsham, 342
format string bugs
C programming language, 55
causes of, 79
defined, 55, 57
direct parameter access, 67–69, 80
exploits, 62–63
fprintf function, 58
heap overflows, 82
kernel-level vulnerabilities, 530
overwriting options
application-specific function pointer, 81
atexit handler, 81
atexit structure, 71
C library hooks, 71
default unhandled exception handler, 71
entries in the DTORS section, 71, 81
function pointers, 71
Global Offset Table (GOT) entry, 71–78, 81
null terminator with non-null data, 82
pointers to an exception handler, 81
saved return address, 71, 81
printf function, 57–62
snprintf function, 58
source code auditing, 389 “390
sprintf function, 58
stack, 80
stack overflows, 82
statd, 411
Van Dyke VShell SSH Gateway for Windows, 61
vfprintf function, 58
vprintf function, 58
vsnprintf function, 58
vsprintf function, 58
vulnerability tracing, 449
Washington University FTP daemon, 62–67
wprintf function, 58
writing to addresses, 80–81
format strings
conversion specifiers, 60
defined, 56–57
format specifiers, 56–57
stack, 60
Foster, Jeff, creator of CQual, 386
fprintf function, format string bug, 58
fragmented heap, 92
frame pointer, 15
Alpha CPU, 303
SPARC, 218
frame-based exception handlers
EXCEPTION_REGISTRATION structure, 150–155
Windows 2003 Server, 155–160
Fredriksen, Lars, fuzz program creator, 353
free() function (Solaris), 234
free() system call, 85, 87–92
FreeBSD accept system call, 535–537
Friedrichs, Oliver, syscall proxies, 487
fstat utility, 339
function hooking
defined, 431
import hooking, 436–438
prelude hooking, 438–439
prologue hooking, 439
function layouts in compiler-generated code, 458
function pointers
heap overflows, 100
overwriting, 71
overwriting application-specific function pointers, 81
functions
calling conventions
C, 457
defined, 456
Stdcall, 457
fprintf, 58
hash functions, 138–139
Import Address Table (IAT), 434–435
importing, 434–435
inlining, 435–436
kernel-level vulnerabilities, 530
printf, 57–62
recvloop, 132–134
re-entrant safe versions, 402
snprintf, 58
sprintf, 58
stack, 15–18
static linking, 433–434
thread-safe versions, 402
vfprintf, 58
vprintf, 58
vsnprintf, 58
vsprintf, 58
wprintf, 58
functions (OpenBSD)
check_exec(), 542
coff_find_section(), 544
exec_ibcs2_coff_prep_zmagic(), 540–544
kern_sysctl(), 558
syscall(), 566–567
sysctl_doproc(), 558–559
vn_rdwr(), 539, 544
functions (Sendmail)
crackaddr, 392
prescan, 399
functions (Solaris)
cleanfree(), 234
find_sym(), 299–300
free(), 234
leaf functions, 219
realfree(), 234
_smalloc, 260
t_delete(), 254–256
functions (SQL)
CHAR, 526–527
CHR, 526–527
vulnerabilities, 526
functions (Windows)
connect(), 132
CreateProcess(), 110, 116
CreateProcessA(), 147
CreateProcessAsUser(), 116
DLLs (Dynamic Link Libraries), 107–108
DuplicateHandle(), 147
DuplicateTokenEx(), 116
ExitProcess(), 132
ExitThread(), 115
GetDefaultHeap(), 109
GetLastError(), 109
GlobalAlloc(), 168
GlobalFree(), 168
HeapAllocate(), 109, 168
HeapCreate(), 108, 167
HeapFree(), 168
HeapValidate(), 109
KiUserExceptionDispatcher(), 180
LocalAlloc(), 168
LocalFree(), 168
LogonUser(), 114–115
MultiByteToWideChar(), 203, 466
RevertToSelf(), 114–115
socket(), 147
UnhandledExceptionFilter(), 180
WideCharToMultiByte(), 203
WinExec(), 109
WSASocket(), 147
wcscat(), 203
wcscpy(), 203
fuzz program, 353
fuzzers
Blackhat briefings slides, Greg Hoglund, 381–382
CHAM, 381
defined, 4
generic fuzzers, 337
Hailstorm, 381
Holodeck, 367
limitations, 370
protocol-specific, 371
sharefuzz, 364–367
SPIKE, 112–114, 118, 372–381
writing, 382
fuzzing
bit flipping, 371
dynamic analysis, 372
fault injection, 363 “364
open source programs, 372
scalability, 368–369
static analysis, 368


The Shellcoder's Handbook. Discovering and Exploiting Security