Index

ASLR (Address Space Layout Randomization), 2.3 Vulnerability Remediation, Mitigation

assembly syntax, Step 4: List the IOCTLs, Step 4: Get Control over EIP, Step 4: Get Control over EIP, 8.2 Crash Analysis and Exploitation, Other Commands, Other Commands, Other Commands

AT&T, Step 4: Get Control over EIP, Other Commands
Intel, Step 4: List the IOCTLs, 8.2 Crash Analysis and Exploitation, Other Commands

Audio Toolbox (Apple iOS audio framework), 8.1 Vulnerability Discovery

avast! antivirus product, One Kernel to Rule Them All

B

Blue Screen of Death (BSoD), 6.2 Exploitation
brute force technique, Step 4: Manipulate the strk Chunk to Gain Control over EIP, Step 4: Get Control over EIP
BSoD (Blue Screen of Death), 6.2 Exploitation
buffer overflows, Potentially Vulnerable Code Locations, Back to the ’90s, Step 5: Reverse Engineer the Object Methods, 8.2 Crash Analysis and Exploitation, A.1 Stack Buffer Overflows, C.1 Exploit Mitigation Techniques, Detecting Exploit Mitigation Techniques
bug hunting, definition of, Bug Hunting

C

Celestial (Apple iOS audio framework), 8.1 Vulnerability Discovery

checksec.sh, Detecting Exploit Mitigation Techniques

Cisco, Browse and You’re Owned, 5.3 Vulnerability Remediation

Common Vulnerabilities and Exposures Identifiers (CVE-IDs), 2.5 Addendum, 2.5 Addendum, 3.5 Addendum, 4.5 Addendum, 5.2 Exploitation, 6.5 Addendum, 7.5 Addendum, 8.2 Crash Analysis and Exploitation

CVE-2007-4686, 7.5 Addendum
CVE-2008-1625, 6.5 Addendum
CVE-2008-3558, 5.2 Exploitation
CVE-2008-4654, 2.5 Addendum
CVE-2008-568, 3.5 Addendum
CVE-2009-0385, 4.5 Addendum
CVE-2010-0036, 8.2 Crash Analysis and Exploitation

COMRaider, Step 1: List the Registered WebEx Objects and Exported Methods

coordinated disclosure, 2.3 Vulnerability Remediation

Core Audio (Apple iOS audio framework), 8.1 Vulnerability Discovery

cross-site scripting (XSS), Step 2: Test the Exported Methods in the Browser

CTL_CODE, Step 5: Find the User-Controlled Input Values

CurrentStackLocation, Step 4: List the IOCTLs

CVE-IDs. See Common Vulnerabilities and Exposures Identifiers, 2.3 Vulnerability Remediation

Cygwin environment, 2.3 Vulnerability Remediation

D

Data Execution Prevention (DEP), 2.3 Vulnerability Remediation, C.1 Exploit Mitigation Techniques

data transfer type, Step 5: Find the User-Controlled Input Values

debuggers, 1.4 Tools of the Trade, Debuggers, Debuggers, Debuggers, Debuggers, Debuggers, Step 3: Manipulate the TiVo Movie File to Crash VLC, Step 1: Trigger the NULL Pointer Dereference for a Denial of Service, Step 3: Find the Object Methods in the Binary, Step 4: List the IOCTLs, Step 5: Find the User-Controlled Input Values, 6.2 Exploitation, Step 1: Trigger the Bug to Crash the System (Denial of Service), Step 2: Build a Simple Fuzzer and Fuzz the Phone, Debugging, B.2 The Windows Debugger (WinDbg), B.4 The GNU Debugger (gdb)

Immunity Debugger, Debuggers, Step 3: Manipulate the TiVo Movie File to Crash VLC
OllyDbg, Debuggers
The GNU Debugger (gdb), Debuggers, Step 1: Trigger the Bug to Crash the System (Denial of Service), Step 2: Build a Simple Fuzzer and Fuzz the Phone, B.4 The GNU Debugger (gdb)
The Modular Debugger (mdb), Debuggers, Step 1: Trigger the NULL Pointer Dereference for a Denial of Service, Debugging
WinDbg, Debuggers, Step 3: Find the Object Methods in the Binary, Step 4: List the IOCTLs, Step 5: Find the User-Controlled Input Values, 6.2 Exploitation, B.2 The Windows Debugger (WinDbg)

demuxer, 2.1 Vulnerability Discovery, 4.1 Vulnerability Discovery

DEP (Data Execution Prevention), 2.3 Vulnerability Remediation, Mitigation

DeviceIoControl(), Step 4: List the IOCTLs

Direct Kernel Object Manipulation (DKOM), 6.2 Exploitation

disassemblers, Debuggers

DispCallFunc(), Step 3: Find the Object Methods in the Binary

DKOM (Direct Kernel Object Manipulation), 6.2 Exploitation

double frees, 1.3 Memory Errors

DriverView, Step 2: Generate a List of the Drivers and Device Objects Created by avast!

DRIVER_OBJECT, Step 4: List the IOCTLs

dynamic analysis, 1.2 Common Techniques

E

ELF (Executable and Linkable Format), Step 3: Manipulate the strk Chunk to Crash FFmpeg, A.3 Type Conversions in C

Enhanced Mitigation Experience Toolkit (EMET), 2.3 Vulnerability Remediation

Executable and Linkable Format (ELF), Step 3: Manipulate the strk Chunk to Crash FFmpeg, A.4 GOT Overwrites

exploit, Bug Hunting, 1.5 EIP = 41414141, Step 4: Manipulate the TiVo Movie File to Gain Control of EIP, Step 2: Use the Zero Page to Get Control over EIP/RIP, Step 4: Manipulate the strk Chunk to Gain Control over EIP, 5.2 Exploitation, 6.2 Exploitation, Step 4: Get Control over EIP

development of, 1.5 EIP = 41414141
for avast! antivirus product vulnerability, 6.2 Exploitation
for FFmpeg vulnerability, Step 4: Manipulate the strk Chunk to Gain Control over EIP
for Mac OS X kernel vulnerability, Step 4: Get Control over EIP
for Sun Solaris kernel vulnerability, Step 2: Use the Zero Page to Get Control over EIP/RIP
for VLC media player vulnerability, Step 4: Manipulate the TiVo Movie File to Gain Control of EIP
for WebEx vulnerability, 5.2 Exploitation

F

FFmpeg multimedia library, NULL Pointer FTW, A.3 Type Conversions in C
FreeBSD, 7.5 Addendum
full disclosure, 2.3 Vulnerability Remediation, 5.3 Vulnerability Remediation
fuzzing, 1.2 Common Techniques, 8.1 Vulnerability Discovery

G

gdb (The GNU Debugger), Debuggers, Step 1: Trigger the Bug to Crash the System (Denial of Service), Step 2: Build a Simple Fuzzer and Fuzz the Phone, Step 3: Configure WinDbg on the VMware Host for Windows Kernel Debugging
Global Offset Table (GOT), Step 3: Manipulate the strk Chunk to Crash FFmpeg, 4.3 Vulnerability Remediation, A.4 GOT Overwrites, Detecting Exploit Mitigation Techniques
GNU Debugger, The (gdb), Debuggers, Step 1: Trigger the Bug to Crash the System (Denial of Service), Step 2: Build a Simple Fuzzer and Fuzz the Phone, Step 3: Configure WinDbg on the VMware Host for Windows Kernel Debugging
GOT overwrite, 4.3 Vulnerability Remediation, A.4 GOT Overwrites

H

heap buffer overflows, A.1 Stack Buffer Overflows
heap mitigation techniques, C.1 Exploit Mitigation Techniques
heap spraying techniques, 5.2 Exploitation, Step 4: Get Control over EIP
heap-memory management, 1.3 Memory Errors

I

I/O request packet (IRP), Step 4: List the IOCTLs

IDA Pro (Interactive Disassembler Professional), Debuggers, Step 4: Find the User-Controlled Input Values, 6.1 Vulnerability Discovery, Detecting Exploit Mitigation Techniques

Immunity Debugger, Debuggers, Step 3: Manipulate the TiVo Movie File to Crash VLC

input/output controls (IOCTL), 3.1 Vulnerability Discovery, 6.1 Vulnerability Discovery, A Bug Older Than 4.4BSD, Step 2: Identify the Input Data

ioctl(), Step 2: Identify the Input Data

instruction alignment, 8.2 Crash Analysis and Exploitation

instruction pointer, 1.5 EIP = 41414141, A.1 Stack Buffer Overflows

Intel, 1.5 EIP = 41414141, A.1 Stack Buffer Overflows

Interactive Disassembler Professional (IDA Pro), Debuggers, Step 4: Find the User-Controlled Input Values, 6.1 Vulnerability Discovery, Detecting Exploit Mitigation Techniques

Internet Explorer, Browse and You’re Owned

IoCreateDevice(), 6.1 Vulnerability Discovery

IOCTL (input/output controls), 3.1 Vulnerability Discovery, 6.1 Vulnerability Discovery, A Bug Older Than 4.4BSD, Step 2: Identify the Input Data

ioctl(), Step 2: Identify the Input Data

iPhone, The Ringtone Massacre

IRP (I/O request packet), Step 4: List the IOCTLs

IRP_MJ_DEVICE_CONTROL, Step 4: List the IOCTLs

J

jmp reg technique, Step 4: Manipulate the TiVo Movie File to Gain Control of EIP, 2.3 Vulnerability Remediation

K

Kernel Debug Kit, Step 2: Get the Necessary Software Packages
kernel debugging, Debuggers, Step 1: Trigger the NULL Pointer Dereference for a Denial of Service, 6.1 Vulnerability Discovery, Step 1: Trigger the Bug to Crash the System (Denial of Service), B.3 Windows Kernel Debugging, Other Commands
kernel driver, One Kernel to Rule Them All
kernel panic, Step 3: Trace the Input Data, Step 1: Trigger the NULL Pointer Dereference for a Denial of Service, Step 1: Trigger the Bug to Crash the System (Denial of Service), Other Commands
kernel space, Step 2: Use the Zero Page to Get Control over EIP/RIP, Step 6: Reverse Engineer the IOCTL Handler
KeSetEvent(), 6.2 Exploitation

L

Linux, Debuggers, 4.2 Exploitation, Step 4: Manipulate the strk Chunk to Gain Control over EIP, Step 1: Trigger the Bug to Crash the System (Denial of Service), 8.1 Vulnerability Discovery, A.1 Stack Buffer Overflows, Example: Stack Buffer Overflow Under Linux, A.3 Type Conversions in C, A.3 Type Conversions in C, Other Commands, B.5 Using Linux as a Mac OS X Kernel-Debugging Host, C.1 Exploit Mitigation Techniques, Detecting Exploit Mitigation Techniques, Detecting Exploit Mitigation Techniques, C.2 RELRO

and exploit mitigation techniques, C.1 Exploit Mitigation Techniques, Detecting Exploit Mitigation Techniques
Debian, A.3 Type Conversions in C, C.2 RELRO
debugging the Mac OS X kernel with, Step 1: Trigger the Bug to Crash the System (Denial of Service), Other Commands
fuzzing the iPhone with, 8.1 Vulnerability Discovery
gdb, debugger for, Debuggers
Red Hat, B.5 Using Linux as a Mac OS X Kernel-Debugging Host
stack buffer overflows under, A.1 Stack Buffer Overflows
Ubuntu, 4.2 Exploitation, Step 4: Manipulate the strk Chunk to Gain Control over EIP, Example: Stack Buffer Overflow Under Linux

little-endian, Step 4: Manipulate the TiVo Movie File to Gain Control of EIP, 8.2 Crash Analysis and Exploitation

LookingGlass, 2.3 Vulnerability Remediation

M

Mac OS X, Debuggers, A Bug Older Than 4.4BSD, Other Commands
mdb (The Modular Debugger), Debuggers, Step 1: Trigger the NULL Pointer Dereference for a Denial of Service, Debugging
mediaserverd, Step 1: Research the iPhone’s Audio Capabilities
memcpy(), Step 6: Reverse Engineer the IOCTL Handler, 8.2 Crash Analysis and Exploitation
memory corruption, 1.3 Memory Errors, Step 2: Build a Simple Fuzzer and Fuzz the Phone, A.1 Stack Buffer Overflows, A.4 GOT Overwrites
memory errors, 1.3 Memory Errors
memory leak, Step 4: Get Control over EIP, Step 2: Build a Simple Fuzzer and Fuzz the Phone
METHOD_BUFFERED, Step 5: Find the User-Controlled Input Values
MindshaRE, Step 3: Find the Object Methods in the Binary
mmap(), Step 2: Use the Zero Page to Get Control over EIP/RIP
MobileSafari, 8.1 Vulnerability Discovery
Modular Debugger, The (mdb), Debuggers, Step 1: Trigger the NULL Pointer Dereference for a Denial of Service, Debugging
Most Significant Bit (MSB), A.3 Type Conversions in C
movie header atom, 8.2 Crash Analysis and Exploitation
movsx, Potentially Vulnerable Code Locations
MSB (Most Significant Bit), A.3 Type Conversions in C

N

non-maskable interrupt (NMI), Step 3: Connect the Debugger to the Target System
NULL pointer dereference, 1.3 Memory Errors, Step 3: Trace the Input Data, NULL Pointer FTW, A.2 NULL Pointer Dereferences

O

objdump, Step 4: Manipulate the strk Chunk to Gain Control over EIP, A.4 GOT Overwrites, Test Case 1: Partial RELRO
OS X, Debuggers, A Bug Older Than 4.4BSD, Other Commands

P

parser, Back to the ’90s
PLT (Procedure Linkage Table), A.4 GOT Overwrites
privilege escalation, 6.2 Exploitation, Step 4: Get Control over EIP
Procedure Linkage Table (PLT), A.4 GOT Overwrites
program counter, 1.5 EIP = 41414141, A.1 Stack Buffer Overflows
Python, Step 2: Test the Exported Methods in the Browser

Q

QuickTime (File Format Specification), 8.2 Crash Analysis and Exploitation

R

readelf, A.4 GOT Overwrites
RELRO, 4.3 Vulnerability Remediation, C.2 RELRO
rep movsd, Step 6: Reverse Engineer the IOCTL Handler
responsible disclosure, 2.3 Vulnerability Remediation
return address (RET), A.1 Stack Buffer Overflows
runtime link editor (rtld), A.3 Type Conversions in C, A.4 GOT Overwrites

S

saved frame pointer (SFP), A.1 Stack Buffer Overflows

security advisories, Notes, Notes, Notes, Notes, Notes, Notes, Notes, Notes

TKADV2007-001, Notes
TKADV2008-002, Notes
TKADV2008-009, Notes
TKADV2008-010, Notes
TKADV2008-015, Notes
TKADV2009-004, Notes
TKADV2010-002, Notes

security cookie, 2.3 Vulnerability Remediation, Example: Stack Buffer Overflow Under Windows, C.1 Exploit Mitigation Techniques

SFP (saved frame pointer), A.1 Stack Buffer Overflows

sign bit, A.3 Type Conversions in C

sign-extension vulnerabilities, Potentially Vulnerable Code Locations

SiteLock, 5.4 Lessons Learned

Solaris, Debuggers, Escape from the WWW Zone, Escape from the WWW Zone

kernel, Escape from the WWW Zone
mdb, debugger for, Debuggers

Solaris Zones, Step 1: Trigger the NULL Pointer Dereference for a Denial of Service, C.3 Solaris Zones

sprintf(), Step 5: Reverse Engineer the Object Methods

stack buffer overflows, A.1 Stack Buffer Overflows

stack canary, Example: Stack Buffer Overflow Under Linux, C.1 Exploit Mitigation Techniques

stack frame, A.1 Stack Buffer Overflows

static analysis, 1.2 Common Techniques

STREAMS, Step 2: Identify the Input Data

T

Tipping Point, Zero Day Initiative (ZDI), Step 4: Manipulate the TiVo Movie File to Gain Control of EIP
TiVo file format, Back to the ’90s
type conversion, NULL Pointer FTW, Step 3: Trace the Input Data, A.3 Type Conversions in C

U

uninitialized variables, 1.3 Memory Errors
user space, Step 2: Identify the Input Data, Step 2: Use the Zero Page to Get Control over EIP/RIP, NULL Pointer FTW, Step 4: List the IOCTLs, Step 4: Get Control over EIP

V

VBScript, Step 2: Test the Exported Methods in the Browser

VCP (Vulnerability Contributor Program), Step 4: Manipulate the TiVo Movie File to Gain Control of EIP, 5.2 Exploitation

Verisign iDefense Labs, Vulnerability Contributor Program (VCP), Step 4: Manipulate the TiVo Movie File to Gain Control of EIP, 5.2 Exploitation

VideoLAN, Back to the ’90s

VirusTotal, One Kernel to Rule Them All

VLC media player, Back to the ’90s, NULL Pointer FTW, Step 4: Manipulate the strk Chunk to Gain Control over EIP

VMware, 6.1 Vulnerability Discovery, B.3 Windows Kernel Debugging

vulnerability brokers, Step 4: Manipulate the TiVo Movie File to Gain Control of EIP, Step 4: Manipulate the TiVo Movie File to Gain Control of EIP, Step 4: Manipulate the TiVo Movie File to Gain Control of EIP, 5.2 Exploitation

Tipping Point, Step 4: Manipulate the TiVo Movie File to Gain Control of EIP
Verisign iDefense Labs, Step 4: Manipulate the TiVo Movie File to Gain Control of EIP, 5.2 Exploitation

Vulnerability Contribution Program (VCP), 2.3 Vulnerability Remediation, 5.2 Exploitation

vulnerability rediscovery, 5.4 Lessons Learned

W

WebEx Meeting Manager, Browse and You’re Owned
WinDbg, Debuggers, Step 3: Find the Object Methods in the Binary, Step 4: List the IOCTLs, Step 5: Find the User-Controlled Input Values, 6.2 Exploitation, B.2 The Windows Debugger (WinDbg)
Windows I/O manager, Step 4: List the IOCTLs
Windows Vista, Step 1: Generate a List of the Demuxers of VLC, 2.3 Vulnerability Remediation, Example: Stack Buffer Overflow Under Windows, A.3 Type Conversions in C, Detecting Exploit Mitigation Techniques
Windows XP, 5.1 Vulnerability Discovery, 6.1 Vulnerability Discovery, 6.2 Exploitation, Information Commands, NX and DEP
WinObj, Step 3: Check the Device Security Settings

X

XNU kernel, A Bug Older Than 4.4BSD, Step 2: Get the Necessary Software Packages
XSS (cross-site scripting), Step 2: Test the Exported Methods in the Browser
xxd, Step 2: Build a Simple Fuzzer and Fuzz the Phone

Z

Zero Day Initiative (ZDI), Step 4: Manipulate the TiVo Movie File to Gain Control of EIP
zero page, Step 2: Use the Zero Page to Get Control over EIP/RIP, A.2 NULL Pointer Dereferences

Index

A note on the digital index

Symbols

A

B

C

D

E

F

G

H

I

J

K

L

M

N

O

P

Q

R

S

T

U

V

W

X

Z