0-day security: software vulnerability analysis technology (version 2nd)
Basic Information
Authors: Wang Qing, Zhang Donghui, Zhou Hao, Wang Jigang, Zhao Shuang
Series: Security Technology Series
Publisher: Publishing House of Electronics Industry
ISBN: 9787121133961
Binding:
Published: June 2011
Http://product.china-pub.com/194031
Introduction
0-day security: software vulnerability analysis technology (version 2nd) is divided into five parts and 33 chapters. It systematically and comprehensively introduces the analysis, detection, and protection of buffer overflow vulnerabilities on Windows platforms. Part 1 covers the basic theory and basic techniques of vulnerability exploitation and helps readers get started quickly. Part 2 builds on Part 1 and, drawing on the cutting-edge results of researchers at home and abroad, summarizes attack and defense techniques for vulnerabilities. Part 3 discusses the methods and ideas for discovering vulnerabilities in common software from the perspective of a security tester. Part 4 fills the gap in Windows kernel security and the related attack and defense knowledge. Part 5 analyzes a large number of 0-day cases to help readers understand the various ideas and methods presented in the first four parts.
0-day security: software vulnerability analysis technology (version 2nd) can be used as a reference guide for network security practitioners and hacker technology enthusiasts, and also as a textbook for graduate or undergraduate students majoring in network security.
Directory
Part 1 Vulnerability exploitation principles (preliminary)
Chapter 1 Basic knowledge 2
1.1 Vulnerability overview 2
1.1.1 Bugs and vulnerabilities 2
1.1.2 Several easily confused security concepts 2
1.1.3 Vulnerability mining, vulnerability analysis, and vulnerability exploitation 3
1.1.4 Vulnerability disclosure and 0-day response 5
1.2 Binary file overview 5
1.2.1 PE file format 5
1.2.2 Virtual memory 6
1.2.3 Mapping between PE files and virtual memory 7
1.3 Essential tools 11
1.3.1 OllyDbg introduction 11
1.3.2 SoftICE introduction 11
1.3.3 WinDbg introduction 16
1.3.4 IDA Pro introduction 18
1.3.5 Binary editors 20
1.3.6 VMware introduction 21
1.3.7 Python programming environment 28
1.4 A small cracking experiment 29
Chapter 2 Stack overflow principles and practice 38
2.1 How the system stack works 38
2.1.1 Different uses of memory 38
2.1.2 Stacks and the system stack 39
2.1.3 What happens when a function is called 40
2.1.4 Registers and function stack frames 43
2.1.5 Function calling conventions and related instructions 44
2.2 Modifying adjacent variables 47
2.2.1 Principle of modifying adjacent variables 47
2.2.2 Breaking a password verification program 49
2.3 Modifying the function return address 53
2.3.1 Return address and program flow 53
2.3.2 Controlling the program's execution flow 57
2.4 Code implantation 62
2.4.1 Principle of code implantation 62
2.4.2 Implanting code into a process 62
Chapter 3 The art of shellcode development 71
3.1 Shellcode overview 71
3.1.1 Shellcode and exploits 71
3.1.2 Problems shellcode must solve 72
3.2 Locating shellcode 73
3.2.1 Stack frame shifting and jmp esp 73
3.2.2 Obtaining the jump address 76
3.2.3 Exploit 78
3.3 Organizing the buffer 81
3.3.1 Buffer composition 81
3.3.2 Raising the stack top to protect shellcode 83
3.3.3 Using other jump instructions 83
3.3.4 Skip instructions 84
3.3.5 Function return address shifting 85
3.4 Developing universal shellcode 87
3.4.1 Principle of API locating 87
3.4.2 Loading and debugging shellcode 88
3.4.3 Shellcode that dynamically locates API addresses 89
3.5 Shellcode encoding technology 98
3.5.1 Why shellcode needs to be encoded 98
3.5.2 Shellcode that can "transform" itself 99
3.6 "Slimming down" shellcode 103
3.6.1 Shellcode slimming methods 103
3.6.2 Choosing an appropriate hash algorithm 105
3.6.3 A bindshell in 191 bytes 107
Chapter 4 Developing exploits with Metasploit
4.1 MSF vulnerability testing platform overview 119
4.2 Intruding into Windows 121
4.2.1 Vulnerability profile 121
4.2.2 GUI vulnerability testing 121
4.2.3 Console vulnerability testing 125
4.3 Creating shellcode with MSF 126
4.4 Scanning for jump addresses with MSF 128
4.5 Ruby introduction 129
4.6 "Foolproof" exploit development 134
4.7 Releasing a POC with MSF 140
Chapter 5 Heap overflow exploitation
5.1 How the heap works 144
5.1.1 History of the Windows heap 144
5.1.2 Differences between heap and stack 145
5.1.3 Heap data structures and management policy 146
5.2 Roaming the heap 151
5.2.1 Call relationships among heap allocation functions 151
5.2.2 Heap debugging methods 152
5.2.3 Recognizing heap tables 155
5.2.4 Heap block allocation 158
5.2.5 Heap block release 159
5.2.6 Heap block coalescing 159
5.2.7 Use of lookaside tables 161
5.3 Heap overflow exploitation (part 1): DWORD shoot 163
5.3.1 Problems in linked list "unlinking" 163
5.3.2 Observing "DWORD shoot" in the debugger 165
5.4 Heap overflow exploitation (part 2): code implantation 169
5.4.1 DWORD shoot exploitation methods 169
5.4.2 Sniping the P.E.B RtlEnterCriticalSection() function pointer 170
5.4.3 Notes on heap overflow 175
Chapter 6 Various memory attack techniques
6.1 Sniping the Windows exception handling mechanism 178
6.1.1 S.E.H overview 178
6.1.2 Using S.E.H in stack overflow 180
6.1.3 Using S.E.H in heap overflow 184
6.1.4 Digging deeper into Windows exception handling 187
6.1.5 Using other exception handling mechanisms 192
6.2 Exploiting "off by one" 196
6.3 Attacking C++ virtual functions 198
6.4 Heap spray: coordinated heap and stack attacks 201
Chapter 7 Buffer overflow on mobile phones
7.1 Windows Mobile introduction 204
7.1.1 Past and present of Windows Mobile 204
7.1.2 Windows Mobile architecture 205
7.1.3 Windows Mobile memory management 209
7.2 ARM introduction 212
7.2.1 What is ARM 212
7.2.2 ARM registers 212
7.2.3 ARM assembly instruction structure 215
7.2.4 ARM instruction addressing modes 220
7.2.5 ARM function call and return 222
7.3 Hello World on Windows Mobile 223
7.4 Introduction to remote debugging tools 227
7.4.1 Remote Information Management Kit 227
7.4.2 Debugging on mobile phones: Microsoft Visual Studio 231
7.4.3 Debugging on mobile phones: IDA 233
7.5 Exploit me on mobile phones 237
Chapter 8 Other types of software vulnerabilities
8.1 Format string vulnerabilities 243
8.1.1 Defects in printf 243
8.1.2 Reading memory data with printf 244
8.1.3 Writing data to memory with printf 245
8.1.4 Detecting and preventing format string vulnerabilities 246
8.2 SQL injection attacks 247
8.2.1 SQL injection principle 247
8.2.2 Attacking PHP + MySQL websites 248
8.2.3 Attacking ASP + SQL Server websites 250
8.2.4 Detecting and preventing injection attacks 252
8.3 Other injection methods 253
8.3.1 Cookie injection: bypassing the Maginot Line 253
8.3.2 XPath injection: XML's Achilles' heel 254
8.4 XSS attacks 255
8.4.1 Why scripts can be "cross-site" 255
8.4.2 Reflected XSS attack scenarios 256
8.4.3 Stored XSS attack scenarios 258
8.4.4 Attack case review: XSS worms 258
8.4.5 XSS detection and prevention 259
8.5 Path traversal vulnerabilities 260
8.5.1 Basic principles of path traversal 260
8.5.2 Normalization and path traversal 261
Part 2 Vulnerability exploitation principles (advanced)
Chapter 9 Windows security mechanisms overview
Chapter 10 Guardian angel in the stack: GS
10.1 Protection principle of the GS security compilation option 267
10.2 Using unprotected memory to break through GS 271
10.3 Overwriting virtual functions to break through GS 273
10.4 Attacking exception handling to break through GS 276
10.5 Replacing the cookies in both the stack and .data to break through GS 280
Chapter 11 SafeSEH
11.1 SafeSEH protection principle for exception handling 284
11.2 Attacking the return address to bypass SafeSEH 288
11.3 Using virtual functions to bypass SafeSEH 288
11.4 Bypassing SafeSEH from the heap 288
11.5 Using a module with SafeSEH disabled to bypass SafeSEH 292
11.6 Using an address outside the loaded modules to bypass SafeSEH 299
11.7 Using the Adobe Flash Player ActiveX control to bypass SafeSEH 305
Chapter 12 Watershed between data and programs: DEP
12.1 DEP protection principle 313
12.2 Attacking programs with DEP disabled 316
12.3 Using ret2libc to challenge DEP 317
12.3.1 ret2libc practice: using ZwSetInformationProcess 318
12.3.2 ret2libc practice: using VirtualProtect 330
12.3.3 ret2libc practice: using VirtualAlloc 339
12.4 Using executable memory to challenge DEP 348
12.5 Using .NET to challenge DEP 352
12.6 Using Java applets to challenge DEP 359
Chapter 13 Hiding in memory: ASLR
13.1 Principle of memory randomization protection 363
13.2 Attacking modules without ASLR enabled 367
13.3 Using partial overwrite to locate memory addresses 372
13.4 Using heap spray to locate memory addresses 376
13.5 Using Java applet heap spray to locate memory addresses 379
13.6 Disabling ASLR for .NET controls 382
Chapter 14 Ultimate S.E.H protection: SEHOP
14.1 SEHOP principle 386
14.2 Attacking the return address 388
14.3 Attacking virtual functions 388
14.4 Using a module without SEHOP enabled 388
14.5 Forging the S.E.H linked list 390
Chapter 15 The heap under heavy protection
15.1 Principles of heap protection 396
15.2 Attacking variables stored in the heap 397
15.3 Attacking the heap by resetting chunk sizes 398
15.4 Using lookaside tables for heap overflow 407
Part 3 Vulnerability mining technology
Chapter 16 Vulnerability mining technology
16.1 Vulnerability mining overview 414
16.2 Dynamic testing technology 415
16.2.1 SPIKE introduction 415
16.2.2 beSTORM 421
16.3 Static code auditing 429
Chapter 17 File-type vulnerability mining and smart fuzzing
17.1 Smart fuzzing overview 431
17.1.1 Basic methods for fuzzing file formats 431
17.1.2 Blind fuzzing and smart fuzzing 432
17.2 Mining file vulnerabilities with Peach 433
17.2.1 Peach introduction and installation 433
17.2.2 XML 434
17.2.3 A simple Peach Pit 436
17.2.4 Defining data relationships 440
17.2.5 Fuzzing PNG files with Peach 441
17.3 010 scripts: the Swiss army knife for parsing complex files 446
17.3.1 010 Editor 446
17.3.2 Getting started with script writing 447
17.3.3 Improving 010 scripts: PNG file parsing 449
17.3.4 In-depth analysis and mining: PPT file parsing 452
Chapter 18 FTP vulnerability mining
18.1 FTP 457
18.2 Vulnerability mining note 1: DoS 457
18.3 Vulnerability mining note 2: access permissions 466
18.4 Vulnerability mining note 3: buffer overflow 468
18.5 Vulnerability mining note 4: fuzz DIY 472
Chapter 19 E-mail vulnerability mining
19.1 Mining SMTP vulnerabilities 477
19.1.1 SMTP protocol introduction 477
19.1.2 SMTP vulnerability mining notes 478
19.2 Mining POP3 vulnerabilities 480
19.2.1 POP3 protocol introduction 480
19.2.2 POP3 vulnerability mining notes 481
19.3 Mining IMAP4 vulnerabilities 489
19.3.1 About IMAP4 489
19.3.2 IMAP4 vulnerability mining notes 490
19.4 Other e-mail vulnerabilities 491
19.4.1 Path traversal in URLs 491
19.4.2 Path traversal in memory 494
19.4.3 XSS in e-mail 500
Chapter 20 ActiveX control vulnerability mining
20.1 ActiveX control introduction 502
20.1.1 Relationship between browsers and ActiveX controls 502
20.1.2 Control properties 503
20.2 Manually testing ActiveX controls 504
20.2.1 Creating a test template 504
20.2.2 Obtaining control interface information 505
20.3 Testing ActiveX controls with tools: COMRaider 509
20.4 ActiveX vulnerability mining 516
20.4.1 ActiveX vulnerability classification 516
20.4.2 Vulnerability mining note 1: Superstar Reader overflow 517
20.4.3 Vulnerability mining note 2: directory operation permission 521
20.4.4 Vulnerability mining note 3: file read permission 523
20.4.5 Vulnerability mining note 4: file deletion permission 525
Part 4 Operating system kernel security
Chapter 21 Exploring ring0
21.1 Kernel basics 528
21.1.1 Kernel overview 528
21.1.2 Hello World 528
21.1.3 Dispatch routines and the IRP structure 533
21.1.4 Opening the driver from ring3 537
21.1.5 The DeviceIoControl function and IoControlCode 538
21.1.6 Four communication modes between ring3 and ring0 539
21.2 Getting started with kernel debugging 541
21.2.1 Setting up a kernel debugging environment 541
21.2.2 Blue screen analysis 549
21.3 Kernel vulnerability overview 551
21.3.1 Classification of kernel vulnerabilities 551
21.3.2 Kernel vulnerability research process 553
21.4 Writing secure drivers 555
21.4.1 Input/output checks 555
21.4.2 Verifying the driver's caller 556
21.4.3 Challenges to the whitelist mechanism 556
Chapter 22 Kernel vulnerability exploitation technology
22.1 Experiment basis: exploitme.sys 557
22.2 Kernel vulnerability exploitation ideas 559
22.3 Kernel vulnerability exploitation methods 560
22.4 Kernel vulnerability exploitation practice and programming 565
22.5 Writing ring0 shellcode 570
Chapter 23 Fuzzing drivers
23.1 Kernel fuzzing ideas 579
23.2 Kernel fuzzing tool introduction 581
23.3 Kernel fuzzing tool DIY 583
23.3.1 Fuzz object, fuzz policy, fuzz item 583
23.3.2 IoControl MITM fuzzing 583
23.3.3 IoControl driver fuzzing 585
23.3.4 MyIoControl fuzzer interface 586
23.4 Kernel vulnerability mining practice 588
23.4.1 Super Patrol astdriver.sys local privilege escalation vulnerability 588
23.4.2 Dongfang Weidian mp110013.sys local privilege escalation vulnerability 594
23.4.3 Rising hookcont.sys driver local denial-of-service vulnerability 601
Chapter 24 Kernel vulnerability case analysis
24.1 Remote denial-of-service kernel vulnerability 605
24.2 Local DoS kernel vulnerability 611
24.3 Buffer overflow kernel vulnerability 614
24.4 Arbitrary-address arbitrary-data write kernel vulnerability 619
24.5 Arbitrary-address fixed-data write kernel vulnerability 622
Part 5 Vulnerability analysis cases
Chapter 25 Vulnerability analysis technology overview
25.1 Vulnerability analysis methods 628
25.2 Seeking breakthroughs in motion: debugging technology 629
25.2.1 Breakpoint skills 630
25.2.2 Backtracking 644
25.3 Walking through PE with "White Brow" (PaiMei) 647
25.3.1 Instruction tracing technology and PaiMei 647
25.3.2 Installing PaiMei 648
25.3.3 Using PE Stalker 649
25.3.4 Quickly locating the code corresponding to a specific function 652
25.4 Patch comparison 654
Chapter 26 RPC intrusion: MS06-040 and MS08-067
26.1 RPC vulnerabilities 658
26.1.1 RPC vulnerabilities 658
26.1.2 RPC programming 658
26.2 MS06-040 659
26.2.1 MS06-040 overview 659
26.2.2 Dynamic debugging 660
26.2.3 Static analysis 667
26.2.4 Remote exploit 670
26.3 MS06-040 exploitation on Windows XP 677
26.3.1 Static analysis 677
26.3.2 Exploit method of worm samples 682
26.3.3 Cross-platform exploit 684
26.4 MS08-067 690
26.4.1 MS08-067 overview 690
26.4.2 Understanding legacy folders 693
26.4.3 "Migration" test 694
26.4.4 "Migration" risk 695
26.4.5 POC construction 696
26.5 Magic Wave, Conficker, and worms 703
Chapter 27 MS06-055 analysis: heap spray
27.1 MS06-055 introduction 705
27.1.1 Introduction to Vector Markup Language (VML) 705
27.1.2 0-day security response documentary 706
27.2 Vulnerability analysis 707
27.3 Exploits 710
Chapter 28 MS09-032 analysis: a bloody case caused by an "&"
28.1 MS09-032 introduction 713
28.2 Vulnerability principle and exploitation analysis 713
Chapter 29 Yahoo! Messenger stack overflow vulnerability 719
29.1 Vulnerability introduction 719
29.2 Vulnerability analysis 719
29.3 Exploits 723
Chapter 30 CVE-2009-0927: JS in PDF
30.1 CVE-2009-0927 introduction 725
30.2 PDF document format introduction 725
30.3 Vulnerability principle and exploitation analysis 727
Chapter 31 Ant hole in the dam: over-long URL overflow vulnerability
31.1 Vulnerability introduction 731
31.2 Vulnerability principle and exploitation analysis 731
Chapter 32 Storm Audio and Video M3U file parsing vulnerability
32.1 Vulnerability introduction 737
32.2 M3U file introduction 737
32.3 Vulnerability principle and exploitation analysis 738
Chapter 33 LNK shortcut file vulnerability
33.1 Vulnerability introduction 744
33.2 Vulnerability principle and exploitation analysis 744
Appendix A List of published kernel program vulnerabilities 750
References 753