Introduction


In this book, you're asked to accept one basic assumption: that all memory corruption vulnerabilities should be treated as exploitable until you can prove otherwise. This assumption might seem a bit extreme, but it's a useful perspective for a code auditor. Attackers can often leverage an out-of-bounds memory write to modify a program's runtime state in an arbitrary manner, thus violating any security policy an application should be enforcing. However, it's hard to accept the severity of memory corruption vulnerabilities or even understand them until you have some knowledge of how memory corruption is exploited.

Exploit creation and software auditing are two different, but highly complementary, skill sets. An auditor with a good understanding of exploit development is more effective, as this knowledge is useful for determining the difference between an innocuous bug and a genuine vulnerability. There are many well-documented techniques for exploiting memory corruption vulnerabilities, and this chapter provides a brief introduction to some basic approaches for the Intel x86 architecture (although the concepts are applicable to all architectures). Along with exploit techniques, you learn more details about anti-exploit technologies and strategies for determining exploitability. The coverage is not intended as a definitive guide to exploiting memory corruption vulnerabilities, but it does provide the background you need to understand and appreciate many of the vulnerabilities covered throughout this book.

Note

Readers interested in learning more about exploiting memory corruption vulnerabilities should pick up The Shellcoder's Handbook (Wiley, 2004) by Jack Koziol et al. or Exploiting Software (Addison-Wesley, 2004) by Greg Hoglund and Gary McGraw. You can also find numerous online resources about exploitation techniques, such as Phrack magazine (www.phrack.org) and Uninformed magazine (www.uninformed.org).





The Art of Software Security Assessment. Identifying and Preventing Software Vulnerabilities
ISBN: 0321444426
EAN: 2147483647
Year: 2004
Pages: 194
