Hacking: The Art of Exploitation, 2nd Edition
by Jon Erickson
Publisher: No Starch
Pub Date: January 15, 2008
Print ISBN-13: 978-1-59-327144-2
Pages: 480

OVERVIEW

Hacking is the art of creative problem solving, whether that means finding an unconventional solution to a difficult problem or exploiting holes in sloppy programming. Many people call themselves hackers, but few have the strong technical foundation needed to really push the envelope.

Rather than merely showing how to run existing exploits, author Jon Erickson explains how arcane hacking techniques actually work. To share the art and science of hacking in a way that is accessible to everyone, Hacking: The Art of Exploitation, 2nd Edition introduces the fundamentals of C programming from a hacker's perspective.

The included LiveCD provides a complete Linux programming and debugging environment, all without modifying your current operating system. Use it to follow along with the book's examples as you fill gaps in your knowledge and explore hacking techniques on your own. Get your hands dirty debugging code, overflowing buffers, hijacking network communications, bypassing protections, exploiting cryptographic weaknesses, and perhaps even inventing new exploits.

This book will teach you how to:

- Program computers using C, assembly language, and shell scripts
- Corrupt system memory to run arbitrary code using buffer overflows and format strings
- Inspect processor registers and system memory with a debugger to gain a real understanding of what is happening
- Outsmart common security measures like nonexecutable stacks and intrusion detection systems
- Gain access to a remote server using port-binding or connect-back shellcode, and alter a server's logging behavior to hide your presence
- Redirect network traffic, conceal open ports, and hijack TCP connections
- Crack encrypted wireless traffic using the FMS attack, and speed up brute-force attacks using a password probability matrix

Hackers are always pushing the boundaries, investigating the unknown, and evolving their art. Even if you don't already know how to program, Hacking: The Art of Exploitation, 2nd Edition will give you a complete picture of programming, machine architecture, network communications, and existing hacking techniques. Combine this knowledge with the included Linux environment, and all you need is your own creativity.

TABLE OF CONTENTS

ACKNOWLEDGMENTS
PREFACE
Chapter 0x100  INTRODUCTION
Chapter 0x200  PROGRAMMING
    Section 0x210  What Is Programming?
    Section 0x220  Pseudo-code
    Section 0x230  Control Structures
    Section 0x240  More Fundamental Programming Concepts
    Section 0x250  Getting Your Hands Dirty
    Section 0x260  Back to Basics
    Section 0x270  Memory Segmentation
    Section 0x280  Building on Basics
Chapter 0x300  EXPLOITATION
    Section 0x310  Generalized Exploit Techniques
    Section 0x320  Buffer Overflows
    Section 0x330  Experimenting with BASH
    Section 0x340  Overflows in Other Segments
    Section 0x350  Format Strings
Chapter 0x400  NETWORKING
    Section 0x410  OSI Model
    Section 0x420  Sockets
    Section 0x430  Peeling Back the Lower Layers
    Section 0x440  Network Sniffing
    Section 0x450  Denial of Service
    Section 0x460  TCP/IP Hijacking
    Section 0x470  Port Scanning
    Section 0x480  Reach Out and Hack Someone
Chapter 0x500  SHELLCODE
    Section 0x510  Assembly vs C
    Section 0x520  The Path to Shellcode
    Section 0x530  Shell-Spawning Shellcode
    Section 0x540  Port-Binding Shellcode
    Section 0x550  Connect-Back Shellcode
Chapter 0x600  COUNTERMEASURES
    Section 0x610  Countermeasures That Detect
    Section 0x620  System Daemons
    Section 0x630  Tools of the Trade
    Section 0x640  Log Files
    Section 0x650  Overlooking the Obvious
    Section 0x660  Advanced Camouflage
    Section 0x670  The Whole Infrastructure
    Section 0x680  Payload Smuggling
    Section 0x690  Buffer Restrictions
    Section 0x6a0  Hardening Countermeasures
    Section 0x6b0  Nonexecutable Stack
    Section 0x6c0  Randomized Stack Space
Chapter 0x700  CRYPTOLOGY
    Section 0x710  Information Theory
    Section 0x720  Algorithmic Run Time
    Section 0x730  Symmetric Encryption
    Section 0x740  Asymmetric Encryption
    Section 0x750  Hybrid Ciphers
    Section 0x760  Password Cracking
    Section 0x770  Wireless 802.11b Encryption
    Section 0x780  WEP Attacks
Chapter 0x800  CONCLUSION
    Section 0x810  References
    Section 0x820  Sources
COLOPHON
Index

HACKING: THE ART OF EXPLOITATION, 2ND EDITION

Copyright © 2008 by Jon Erickson. All rights reserved.

No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

Printed on recycled paper in the United States of America.

11 10 09 08 07   1 2 3 4 5 6 7 8 9

ISBN-10: 1-59327-144-1
ISBN-13: 978-1-59327-144-2

Publisher: William Pollock
Production Editors: Christina Samuell and Megan Dunchak
Cover Design: Octopod Studios
Developmental Editor: Tyler Ortman
Technical Reviewer: Aaron Adams
Copyeditors: Dmitry Kirsanov and Megan Dunchak
Compositors: Christina Samuell and Kathleen Mish
Proofreader: Jim Brook
Indexer: Nancy Guenther

For information on book distributors or translations, please contact No Starch Press, Inc. directly:

No Starch Press, Inc.
555 De Haro Street, Suite 250, San Francisco, CA 94107
phone: 415.863.9900; fax: 415.863.9950; info@nostarch.com; http://www.nostarch.com

Library of Congress Cataloging-in-Publication Data

Erickson, Jon, 1977-
    Hacking : the art of exploitation / Jon Erickson. 2nd ed.
        p. cm.
    ISBN-13: 978-1-59327-144-2
    ISBN-10: 1-59327-144-1
    Computer security. Computer hackers. Computer netwo I. Title.
    QA76.9.A25E75 2008
    005.8 dc22
    200

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

ACKNOWLEDGMENTS

I would like to thank Bill Pollock and everyone else at No Starch Press for making this book a possibility and allowing me to have so much creative control in the process. Also, I would like to thank my friends Seth Benson and Aaron Adams for proofreading and editing, Jack Matheson for helping me with assembly, Dr. Seidel for keeping me interested in the science of computer science, my parents for buying that first Commodore VIC-20, and the hacker community for the innovation and creativity that produced the techniques explained in this book.

PREFACE

The goal of this book is to share the art of hacking with everyone. Understanding hacking techniques is often difficult, since it requires both breadth and depth of knowledge. Many hacking texts seem esoteric and confusing because of just a few gaps in this prerequisite education. This second edition of Hacking: The Art of Exploitation makes the world of hacking more accessible by providing the complete picture—from programming to machine code to exploitation.

In addition, this edition features a bootable LiveCD based on Ubuntu Linux that can be used in any computer with an x86 processor, without modifying the computer's existing OS. This CD contains all the source code in the book and provides a development and exploitation environment you can use to follow along with the book's examples and experiment along the way.