Shellcoders Programming Uncovered (Uncovered series)


Overview

To make plundering raids on the peaceful pastures of the Internet, a hacker needs a good exploit. Exploits can be found on the Net. Start an exploit. Then, cursing and swearing at the dumb exploit, go and search for another one. Then swear again.

The vast majority of free exploits roaming the network have blatant design errors that make them fundamentally unusable. The few that work, as a rule, merely demonstrate the vulnerability and do not provide actual control over the target host (for instance, such an exploit might create a new administrative account on the target computer and then immediately block it). To finish and refine a ready-made exploit using hacking tools, you must know how to use those tools. Developing exploits (as well as improving and refining them) requires a certain way of thinking and detailed knowledge of computer science. This is not an area that outsiders can simply walk into. You must first learn the C/C++ programming language, master Assembly, understand the operating principles of contemporary microprocessors and the architecture of the Windows and UNIX operating systems, learn how to disassemble machine code quickly, and so on. In other words, you have a long road ahead of you, passing through an impenetrable jungle of logical traps, bit hacks, and pitfalls that are difficult to overcome without a guide. Books are the best teachers, and you'll need lots of them.

The list of recommended books, manuals, and other references is provided at the end of this chapter. These are must-reads and the best sources available.

Now it's time to describe the tools. Shellcode is mainly written in Assembly language, which means you'll need an assembler. Under MS-DOS, Borland TASM was once popular; under Windows, however, its position is not particularly strong. Most programmers use MASM from Microsoft, which is supplied as part of the Device Driver Kit (DDK) toolset intended for driver developers. It can be freely downloaded from http://www.microsoft.com (note that each Windows version has a corresponding DDK). The closest MASM competitor is the noncommercial flat assembler (FASM) (http://flatassembler.net/), optimized for the needs of system programmers and supporting a more natural syntax. There are also assemblers that originated on UNIX, such as NASM (Fig. 1.1), which can be downloaded from http://nasm.sourceforge.net/ and is supplied as part of most distributions (it runs under Windows as well). In other words, the choice of assembler is a matter of the programmer's personal preference.

Figure 1.1: The NASM logo

Before your assembly program can be started for execution, it must be linked. Any standard linker will do for this purpose; for example, the one supplied with Microsoft Visual Studio or with the Windows Software Development Kit (SDK). Some nonstandard linkers are also worth recommending, such as ulink by Yury Haron, which supports a wide range of file formats and a wealth of fine settings and tweaks that other linkers do not provide. This linker can be downloaded from ftp://ftp.styx.cabel.net/pub/UniLinkyulnbXXXX.zip . To download the file, go to ftp://ftp.styx.cabel.net , log on anonymously, and then navigate the directory structure to find the required file. It is freeware, provided that it is used for noncommercial purposes.
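As an added example that is not part of the book, here is a small POSIX shell script for the assemble step described above. Shellcode that will be injected into a target is normally assembled to a flat binary (NASM's "-f bin"), which contains nothing but the machine code and therefore needs no linker; the linker is required only when you build a stand-alone executable. The script then checks the output for NUL (0x00) bytes, the classic reason freshly written shellcode dies when it is copied by a string function, a check that goes beyond what the paragraph itself describes. The file names, the two sample sources and the nasm invocation are assumptions for illustration; the NUL check itself runs on any raw byte file even when nasm is not installed.

```shell
#!/bin/sh
# Added example, not code from the book: assemble NASM source to a flat
# binary and check the result for NUL (0x00) bytes. File names and the
# sample sources below are constructed for illustration.
set -eu

# Print every byte of FILE as two hex digits, one per line.
hexdump_bytes() {
    od -An -v -tx1 "$1" | tr -s ' \n' '\n' | sed '/^$/d'
}

# Succeed (exit 0) only when FILE contains no 0x00 byte. Shellcode that
# travels through a strcpy()/sprintf()-style copy is cut off at the first
# NUL, so this is the first check to run on freshly assembled shellcode.
check_no_nul() {
    ! hexdump_bytes "$1" | grep -qx '00'
}

# Print how many 0x00 bytes FILE contains.
count_nul() {
    hexdump_bytes "$1" | grep -cx '00' || true
}

# Assemble SRC to the flat binary OUT. "-f bin" emits only the machine
# code, with no ELF/PE headers, so no linker step is needed: the bytes in
# OUT are exactly what gets injected into the target.
assemble_flat() {
    nasm -f bin -o "$2" "$1"
}

# Demo: two constructed x86-64 Linux snippets. The first loads constants
# the naive way and contains NUL bytes; the second, execve("/bin//sh"),
# is written NUL-free. The demo runs only if nasm is on PATH.
if command -v nasm >/dev/null 2>&1; then
    work=$(mktemp -d)
    cat > "$work/naive.asm" <<'EOF'
BITS 64
    mov     rax, 59         ; 48 C7 C0 3B 00 00 00 - three NULs
    mov     rdx, 0          ; 48 C7 C2 00 00 00 00 - four NULs
EOF
    cat > "$work/clean.asm" <<'EOF'
BITS 64
    xor     esi, esi        ; argv: RSI = NULL
    push    rsi             ; 8 zero bytes: terminator for the string below
    mov     rdi, 0x68732f2f6e69622f   ; "/bin//sh", little-endian
    push    rdi
    push    rsp
    pop     rdi             ; RDI -> "/bin//sh\0"
    xor     edx, edx        ; envp: RDX = NULL
    push    59              ; __NR_execve, short form: 6A 3B
    pop     rax
    syscall
EOF
    for name in naive clean; do
        assemble_flat "$work/$name.asm" "$work/$name.bin"
        if check_no_nul "$work/$name.bin"; then
            echo "$name.bin: OK, no NUL bytes"
        else
            echo "$name.bin: $(count_nul "$work/$name.bin") NUL byte(s), unusable as string-delivered shellcode"
        fi
    done
    rm -rf "$work"
fi
```

The same two functions, check_no_nul and count_nul, can be pointed at a .bin produced by any assembler (MASM or FASM output extracted with a hex editor included); the point is to look at the raw bytes, not at the listing, because the listing does not show what a wide immediate encodes to.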

Searching for security holes and vulnerabilities requires a debugger and a disassembler. Without a powerful toolkit, many vulnerabilities simply cannot be found; the hostile nature of binary code calls for a specialized toolset. A debugger is an instrument for hunting errors in your own applications and for cracking programs written by someone else. Many such instruments are available, including Microsoft Visual Debugger, which is part of Microsoft Visual Studio; Microsoft Windows Debugger (WinDbg) and Kernel Debugger, supplied as part of the SDK and DDK; SoftIce from NuMega; and OllyDbg, written by Oleh Yuschuk. The classic choice is SoftIce (Fig. 1.2); recently, however, the compact and fast OllyDbg has begun to outperform it (Fig. 1.3). Its main advantage is the automatic recognition of American Standard Code for Information Interchange (ASCII) strings and of the offsets that refer to them, which considerably simplifies the search for overflowing buffers: they become clearly visible, as if laid out before your eyes. Unfortunately, because OllyDbg is an application-level (user-mode) debugger, it cannot debug Windows kernel components (including some server processes).

Figure 1.2: SoftIce is a professional-oriented debugger

Figure 1.3: The compact and fast OllyDbg

As for disassemblers, IDA Pro is the undisputed leader: it beats all its competitors and supports practically all executable file formats, processors, and compilers in existence today (Fig. 1.4). Other disassemblers also deserve attention, however, depending on the problems you are going to solve. There is even a special disassembler for the Palm operating system (Fig. 1.5).

Figure 1.4: The console version of IDA Pro is the natural habitat of professional code diggers

Figure 1.5: There are disassemblers even for the Palm PC

If the program under investigation is packed, it must be unpacked before it can be disassembled. This can be done with any universal dumper (such as ProcDump, PE Tools, or LordPE); the best practice, however, is to use an unpacker written for the specific packer in question and to study that packer as deeply as possible. Unfortunately, such unpackers are not available for every packer. Dumps taken from a running program most often do not run. To make them runnable, the hacker must carry out a considerable amount of work (restoring the import table and the original entry point, for instance). However, this problem is not as serious as it seems. After all, why would you need to execute a dump at all? For disassembling, dumps can be used as is.

Among hexadecimal (hex) editors, the most popular is HIEW; the hex editor of my choice, however, is QVIEW. Small auxiliary utilities, such as file comparison tools, memory dumpers, packers, and unpackers, must also be at hand. Finally, do not neglect a printer, paper, and pencils.

All the above-mentioned products can be found in eDonkey or eMule, peer-to-peer file-sharing networks that, roughly speaking, form a kind of Internet within the Internet. With their arrival, searching for warez on the Web became obsolete. Practically anything can be found in peer-to-peer file-sharing networks: any software, music, movies, or documentation. The most surprising fact, however, is that not everyone is aware of the existence of such networks even now.
