A Bug Hunter's Diary
Acknowledgments
Introduction
The Goals of This Book
Who Should Read the Book
Disclaimer
Resources
1. Bug Hunting
1.1 For Fun and Profit
1.2 Common Techniques
My Preferred Techniques
Potentially Vulnerable Code Locations
Fuzzing
Further Reading
1.3 Memory Errors
1.4 Tools of the Trade
Debuggers
Disassemblers
1.5 EIP = 41414141
1.6 Final Note
Notes
2. Back to the ’90s
2.1 Vulnerability Discovery
Step 1: Generate a List of the Demuxers of VLC
Step 2: Identify the Input Data
Step 3: Trace the Input Data
2.2 Exploitation
Step 1: Find a Sample TiVo Movie File
Step 2: Find a Code Path to Reach the Vulnerable Code
Step 3: Manipulate the TiVo Movie File to Crash VLC
Step 4: Manipulate the TiVo Movie File to Gain Control of EIP
2.3 Vulnerability Remediation
2.4 Lessons Learned
2.5 Addendum
Notes
3. Escape from the WWW Zone
3.1 Vulnerability Discovery
Step 1: List the IOCTLs of the Kernel
Step 2: Identify the Input Data
Step 3: Trace the Input Data
3.2 Exploitation
Step 1: Trigger the NULL Pointer Dereference for a Denial of Service
Step 2: Use the Zero Page to Get Control over EIP/RIP
3.3 Vulnerability Remediation
3.4 Lessons Learned
3.5 Addendum
Notes
4. NULL Pointer FTW
4.1 Vulnerability Discovery
Step 1: List the Demuxers of FFmpeg
Step 2: Identify the Input Data
Step 3: Trace the Input Data
4.2 Exploitation
Step 1: Find a Sample 4X Movie File with a Valid strk Chunk
Step 2: Learn About the Layout of the strk Chunk
Step 3: Manipulate the strk Chunk to Crash FFmpeg
Step 4: Manipulate the strk Chunk to Gain Control over EIP
4.3 Vulnerability Remediation
4.4 Lessons Learned
4.5 Addendum
Notes
5. Browse and You’re Owned
5.1 Vulnerability Discovery
Step 1: List the Registered WebEx Objects and Exported Methods
Step 2: Test the Exported Methods in the Browser
Step 3: Find the Object Methods in the Binary
Step 4: Find the User-Controlled Input Values
Step 5: Reverse Engineer the Object Methods
5.2 Exploitation
5.3 Vulnerability Remediation
5.4 Lessons Learned
5.5 Addendum
Notes
6. One Kernel to Rule Them All
6.1 Vulnerability Discovery
Step 1: Prepare a VMware Guest for Kernel Debugging
Step 2: Generate a List of the Drivers and Device Objects Created by avast!
Step 3: Check the Device Security Settings
Step 4: List the IOCTLs
Step 5: Find the User-Controlled Input Values
Step 6: Reverse Engineer the IOCTL Handler
6.2 Exploitation
6.3 Vulnerability Remediation
6.4 Lessons Learned
6.5 Addendum
Notes
7. A Bug Older Than 4.4BSD
7.1 Vulnerability Discovery
Step 1: List the IOCTLs of the Kernel
Step 2: Identify the Input Data
Step 3: Trace the Input Data
7.2 Exploitation
Step 1: Trigger the Bug to Crash the System (Denial of Service)
Step 2: Prepare a Kernel-Debugging Environment
Step 3: Connect the Debugger to the Target System
Step 4: Get Control over EIP
7.3 Vulnerability Remediation
7.4 Lessons Learned
7.5 Addendum
Notes
8. The Ringtone Massacre
8.1 Vulnerability Discovery
Step 1: Research the iPhone’s Audio Capabilities
Step 2: Build a Simple Fuzzer and Fuzz the Phone
8.2 Crash Analysis and Exploitation
8.3 Vulnerability Remediation
8.4 Lessons Learned
8.5 Addendum
Notes
A. Hints for Hunting
A.1 Stack Buffer Overflows
Example: Stack Buffer Overflow Under Linux
Example: Stack Buffer Overflow Under Windows
A.2 NULL Pointer Dereferences
A.3 Type Conversions in C
A.4 GOT Overwrites
Notes
B. Debugging
B.1 The Solaris Modular Debugger (mdb)
Starting and Stopping mdb
General Commands
Breakpoints
Running the Debuggee
Examining Data
Information Commands
Other Commands
B.2 The Windows Debugger (WinDbg)
Starting and Stopping a Debugging Session
General Commands
Breakpoints
Running the Debuggee
Examining Data
Information Commands
Other Commands
B.3 Windows Kernel Debugging
Step 1: Configure the VMware Guest System for Remote Kernel Debugging
Step 2: Adjust the boot.ini of the Guest System
Step 3: Configure WinDbg on the VMware Host for Windows Kernel Debugging
B.4 The GNU Debugger (gdb)
Starting and Stopping gdb
General Commands
Breakpoints
Running the Debuggee
Examining Data
Information Commands
Other Commands
B.5 Using Linux as a Mac OS X Kernel-Debugging Host
Step 1: Install an Ancient Red Hat 7.3 Linux Operating System
Step 2: Get the Necessary Software Packages
Step 3: Build Apple’s Debugger on the Linux Host
Step 4: Prepare the Debugging Environment
Notes
C. Mitigation
C.1 Exploit Mitigation Techniques
Address Space Layout Randomization (ASLR)
Security Cookies (/GS), Stack-Smashing Protection (SSP), or Stack Canaries
NX and DEP
Detecting Exploit Mitigation Techniques
C.2 RELRO
Test Case 1: Partial RELRO
Test Case 2: Full RELRO
Conclusion
C.3 Solaris Zones
Terminology
Set Up a Non-Global Solaris Zone
Notes
D. Updates
Index
About the Author
Colophon