A Bug Hunter’s Diary by Tobias Klein
This is a book that takes seven examples of the author inspecting an application, finding a vulnerability and then exploiting it to take control of the machine. The examples cover a number of different machine architectures and operating systems. The appendices cover various technical items such as how to set up a Windows kernel for debugging, notes on type conversions in C and an explanation of the ELF format global offset table.
Each exploit is covered in its own chapter. The author typically traces input from the user, and uses C reconstructed from the x86 disassembly to show how the target application fails to handle this input data correctly. By crafting a suitable set of data, the author shows how the instruction pointer (EIP) can be manipulated, and then explains how this could be used to take control of the machine. On Windows, one of the examples is the exploitation of a virus checker which installs a device driver, accessible by everyone, which has an IOCTL call that copies data from a source location in user space to a target location that can be in either user or kernel space. By using a suitably crafted input request packet, this piece of code can be coerced into writing over its own code, so that later execution of the virus checker, which runs in kernel mode, will jump to an address that the attacker has set up. Hence the user has elevated their privilege and has effectively gained control of the machine.
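The driver flaw described above comes down to an IOCTL handler that trusts a caller-supplied destination pointer. The following C program is an added example, not code from the book or from the review; it models the pattern in user space with two static arrays standing in for kernel and user memory (a constructed model, not the real driver), and places the trusting handler beside a hardened one that refuses any request whose source or destination does not lie wholly inside the caller's own region.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a "kernel" region (the driver's own code/data) and a
 * "user" region (the caller's buffer). Real drivers use OS-provided
 * probes instead of a fixed array; the shape of the check is the point. */
#define KERNEL_SIZE 256
#define USER_SIZE   256

static uint8_t kernel_mem[KERNEL_SIZE];
static uint8_t user_mem[USER_SIZE];

/* Request packet as the driver receives it: every field is attacker-controlled. */
struct copy_request {
    const uint8_t *src;
    uint8_t       *dst;
    size_t         len;
};

/* Vulnerable handler: copies wherever the caller asks, including into kernel_mem. */
static int ioctl_copy_vulnerable(const struct copy_request *req) {
    memcpy(req->dst, req->src, req->len);
    return 0;
}

/* True if [p, p+len) lies entirely inside user_mem. The subtraction form
 * avoids computing p+len, so a huge len cannot wrap the comparison. */
static int range_in_user(const uint8_t *p, size_t len) {
    uintptr_t start = (uintptr_t)p;
    uintptr_t base  = (uintptr_t)user_mem;
    if (len > USER_SIZE)  return 0;
    if (start < base)     return 0;
    return (start - base) <= (USER_SIZE - len);
}

/* Hardened handler: validate both ends of the copy before touching memory. */
static int ioctl_copy_hardened(const struct copy_request *req) {
    if (!range_in_user(req->src, req->len) || !range_in_user(req->dst, req->len))
        return -1;   /* reject; nothing is copied */
    memcpy(req->dst, req->src, req->len);
    return 0;
}

typedef int (*ioctl_handler)(const struct copy_request *);

/* Known fill bytes so the test can see whether kernel_mem changed. */
static void reset_regions(void) {
    memset(kernel_mem, 0xAA, sizeof kernel_mem);
    memset(user_mem,   0x41, sizeof user_mem);
}

/* A request whose destination is the driver's own memory. */
int attempt_kernel_write(ioctl_handler h) {
    reset_regions();
    struct copy_request req = { user_mem, kernel_mem, 16 };
    return h(&req);
}

/* A request that starts inside the user region but runs past its end. */
int attempt_tail_overrun(ioctl_handler h) {
    reset_regions();
    struct copy_request req = { user_mem, user_mem + USER_SIZE - 8, 16 };
    return h(&req);
}

/* An ordinary in-bounds copy that any correct handler must still allow. */
int legitimate_copy(ioctl_handler h) {
    reset_regions();
    struct copy_request req = { user_mem, user_mem + 64, 16 };
    return h(&req);
}

unsigned kernel_byte(size_t i) { return kernel_mem[i]; }
unsigned user_byte(size_t i)   { return user_mem[i]; }

int main(void) {
    int rc = attempt_kernel_write(ioctl_copy_vulnerable);
    printf("vulnerable: rc=%d kernel_mem[0]=0x%02X\n", rc, kernel_byte(0));
    rc = attempt_kernel_write(ioctl_copy_hardened);
    printf("hardened:   rc=%d kernel_mem[0]=0x%02X\n", rc, kernel_byte(0));
    return 0;
}
```

The length check runs before any arithmetic on the pointer, which is the detail most often missed: a check written as `p + len <= end` can be defeated by a length that wraps the sum. The legitimate-copy case is there to show that the hardened handler still serves the driver's real purpose.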
The author makes the exploits look really easy; he explains that there are numerous fuzzing tools in existence that automatically alter the input to some piece of code as a means of finding out whether the code can be coerced into altering something it shouldn't.
Moreover, every chapter has a fairly extensive set of references to interesting papers and web pages that explain some of the tricks in more detail. For example, there are references to a paper explaining a Windows or Linux hack to enable a command shell and a very interesting article on how to construct a Rootkit and how this uses DKOM to hide the fact that it is on the machine.
The appendices cover some of the more modern defences against the techniques that are outlined: address space randomisation, security cookies (to prevent stack buffer overflows), and the CPU no-execute bit. A very good read!