Hacking Ubuntu: Serious Hacks Mods and Customizations (ExtremeTech)

O

$18 registers (Alpha CPU), 303

%o1-%o5 registers (SPARC), 218

%o7 register (SPARC), 218

%o6 register (SPARC), 218

%o0 register (SPARC), 218

%o0-%o7 registers (SPARC), 217

objdump utility, 39

off-by-one vulnerabilities, 392-393

offset finder, 336-337

offsets, guessing

manually, 24-27

No Operation (NOP) method, 27-29

off_t length specifier, 395

OllyDbg debugger, 106, 118, 335, 504

"Once upon a free()" (paper), 254, 342

1-Bit Patch (MySQL), 481-483

one-factor exploits, 500

open source program fuzzing, 372

open() system call, 107

open system call (Solaris), 222

OpenBSD

exec_ibcs2_coff_prep_zmagic() stack overflow, 538-544, 549-574

IDT (interrupt descriptor table), 564-566

IDTR (interrupt descriptor table register), 564

interrupt vectors, 564

process descriptor, 558

root privileges, 567-574

select() kernel stack buffer overflow, 530-533

setitimer() kernel memory overwrite, 533-535

OpenSSH

multiplication overflow vulnerability, 398

RSA Authentication Patch, 483-484

operating system fingerprinting, 505-507

optimizing shellcode development, 343-344

Oracle

Alert 57, 406, 410

Alert 29, 407, 410

extproc overflow, 406-410

running operating system commands, 522-523

SQL*Plus, 526

Transparent Network Substrate (TNS) protocol, 510

TZ_OFFSET overflow, 416

ORCHESTRA fault injection system, 349, 353

out-of-scope memory usage vulnerabilities, 400

overflowing (defined), 4

overflowing heaps

articles and papers, 341-342

atexit handlers, 101

basic theory of, 87-88

defined, 86

dlmalloc, 83

.DTORS, 101

format string bugs, 82

free() system call, 87-92

global function pointers, 100

GOT entries, 100

grep, 86

heapoverflow.c Windows shellcode, 126142

integer overflow heap overflow combination, 86

kernel-level vulnerabilities, 530

ltrace program, 99

malloc implementations, 83, 89-92

malloc() system call, 87-88, 93-99

Microsoft IIS, 86

protecting against, 86-87

samba, 86

Solaris Login, 86

Solaris Xsun, 86

Solaris/SPARC

arbitrary free vulnerabilities, 262

Bottom chunk, 259

chunk consolidation, 254

double free vulnerabilities, 261-262

example, 262-266

function pointers, 233-234, 258-259

limitations, 257-258

off-by-one overflows, 261

small chunk corruption, 260

static data overflows, 267

style tricks, 286-288

t_delete() function, 254-256

tree structure, 234-254

stack values, 101

threads, 502

triggering, 88-89

what to overwrite, 100

Windows

calling Win32 API functions, 109

COM objects, 187-188

first vectored handler at 77FC3210, 175-178

logic program control data, 188

repairing the heap, 185-187

RtlEnterCriticalSection in the PEB, 172-174

Thread Environment Block (TEB), 184-185

Unhandled Exception Filter, 178-184

overflowing integers

addition or subtraction overflows, 397

articles and papers, 342

defined, 396-397

integer overflow heap overflow combination, 86

kernel-level vulnerabilities, 530

multiplication overflows, 398

Professional Source Code Auditing (speech), 396

uses, 397

vulnerability tracing, 449

overflowing stacks

arbitrary size overwrite, 224

bypassing non-executable stack protection, 267-268

complications, 225-226

%i7 register, 225-226

off-by-one vulnerabilities, 226

register windows, 224-225

shellcode, 228-233

static data overflows, 267

overwriting

application-specific function pointer, 81

atexit handler, 81

atexit structure, 71

C library hooks, 71

default unhandled exception handler, 71

defined, 4

entries in the DTORS section, 71, 81

function pointers, 71

Global Offset Table (GOT) entry, 71-78, 81

null terminator with non-null data, 82

pointers to an exception handler, 81

saved return address, 71, 81

Solaris/SPARC, 258-259
