
Note: Page numbers in italics indicate figures and tables.


  • Access Control Entries (ACEs), 286

  • Access control list (ACL), 286, 290

  • Access token, 286, 292–295

    • locating, 299

    • patching, 299–300

  • Alloc algorithm, 144

  • AMD64, 57

  • APCs. See Asynchronous procedure calls

  • Application Binary Interface (ABI), 53

  • Arbitrary memory overwrite, 71–74, 229–239, 277

    • exploiting architecture, 73–74

    • global structures' function pointers, 72

  • Architecture level, kernel, 48, 48–58

  • Architecture-assisted software tables, 94–95, 95

  • Asynchronous interrupts, 365

  • Asynchronous procedure calls (APCs), exploiting Windows, 381–383


  • Brute forcing, 7

  • BSD

    • derivatives, 125

    • of XNU kernel, 197

  • Buffer overflow, 24, 28

  • Buffered I/O data transfer, 279

  • Bug, 21, 420

    • guest kernel security, 433–434

    • hypervisor security, 432

    • virtualization, 432–434

  • BugCheck code, 320, 321


  • C++, implementation of, 214, 214

  • Cache, 28

  • Cache-pointer, 75

  • CALL instruction, 349

  • Calling conventions, 53, 312, 312, 351

  • Closed source operating systems, 18

  • Complex Instruction Set Computer (CISC) architecture, 8, 49, 55

  • Computer architectures, 49

  • config commands, 114

  • Corrupted pointer, 24

  • Countermeasures, 8, 9, 11

  • Counters, 94

  • CPU, 48–50

    • physical addressing, 50, 51

    • virtual-to-physical address translation, 52

  • CrashReporter, 200

  • CVE-2009-1046, 163–165

  • CVE-2009-3234

    • exploiting, 190–193

    • revisiting, 184–193


  • Damn Vulnerable Windows Driver (DVWD), 276–277

    • Driver.c file, 277

    • Overwrite.c file, 277

    • StackOverflow.c file, 277

  • Data model, 22

    • data type sizes in, 23

  • DDK. See Driver Development Kit

  • Dead memory, 24

  • Debugger, 204

    • GDB, 112

  • Debugging, kernel, 200–208

    • Linux, 108–114

    • Mac OS X, 200–208

    • OpenSolaris, 116–125

    • print-based, 116

    • Windows, 282–285

  • Deferred context, 366

  • Demand paging, 14

  • Design flaw, 21

  • Development bits, 115

  • Direct I/O technique, 188–190, 279

  • Domain identifier, 288

  • Driver Development Kit (DDK), 277

  • DTrace, 116–122

  • dumpadm command, 124

  • DVWD. See Damn Vulnerable Windows Driver


  • EPROCESS structure, 292, 306, 307

    • locating, 298

    • token address within, 293, 293

  • ETHREAD (Executive Thread Block) structure, 298

  • Exceptions, 50


  • Fast virtual system calls, 406

  • FAT binary, 196

  • Forward Transmission Sequence Number (FWD-TSN), 388

  • Free algorithm, 144

  • Function Boundary Tracing (FBT), 117


  • gdb command, 113

  • GDB debugger, 113

  • Generic exploit, 6

  • gettimeofday() function, 411–412

  • Global Descriptor Table Register (GDTR), 56

  • GRSecurity, 97


  • Hardware Abstraction Layer (HAL), 271, 311

  • Heap addresses/values, 97

  • Heap allocator, 74–76

  • Heap layout, remotely adjusting, 395–397

  • Heap overflow, 35

  • HyperText Transfer Protocol (HTTP), 10

  • Hypervisor, 432

    • security, 432–433


  • Image Packaging System (IPS), 115

  • In-cache controlling structures, 78, 79

  • Infoleak bug, 91, 96–98

  • In-object controlling structures, 78

  • In-slab fake object, 173

  • Instruction byte sequences, finding, 352–353

  • Instruction pointer (IP), 49, 71

  • Instruction set, 48

  • Instruction Set Architecture (ISA), 3

  • Integer-related bugs, 29–33

    • integer overflows, 27, 29–31

    • sign conversion issues, 31–33

  • Interprocess communications (IPC), 41, 197

  • Interrupt context, 366

  • Interrupt Descriptor Table (IDT), 73, 74

    • descriptors, 74

  • Interrupt Descriptor Table Register (IDTR), 56

  • Interrupt service routines (ISRs), 365

  • Interrupt stacks, 26

  • Interrupt vector table, 50

  • Interrupts, 50

  • Intimate Shared Memory (ISM), 188

  • IOCTL, 217, 219, 220, 221

  • IOKit, 197–198, 214

  • iostat command, 214

  • IP. See Instruction pointer

  • IRETQ instruction, 69, 70


  • Jprobes, 110–112


  • KEP. See Kernel execution path context

  • Kernel

    • heap exploitation, 138–139

    • heap memory corruption, 27–29, 74–82

      • controlling heap allocator behavior, 74–76

      • overflow exploiting techniques, 76–77

      • overwriting adjacent object, 77

      • overwriting adjacent page, 80–82, 83

      • overwriting controlling structures, 78–80

    • preemption and scheduler, 87–88

    • space versus separated address spaces, 16–17

    • stack corruption, 26–27, 83–86

      • overwriting local variable, 86

      • overwriting return address, 84–85

    • stack overflows, attacking, 177–183

  • Kernel attacks, 420–425

    • levels of read access, 420, 421

    • principles of information security

      • availability, 425

      • confidentiality, 420–422

      • integrity, 422–424

  • Kernel data segment, 97

  • Kernel defense, 425–432

    • kernel assurance, 428–432

    • kernel threat analysis and modeling, 425–427

    • mechanisms, 427–428

  • Kernel execution path (KEP) context, 364–367

  • Kernel Executive, 271, 311

    • base address of, 275, 276

    • name and version, 273

  • Kernel exploitation, 3–9

    • execution step in, 58–71

      • fixating system, 59

      • gaining privileges, 58

    • information-gathering step in, 90–98

      • infoleaks, 91, 96–98

      • information from architecture, 94–96

      • information from operating system, 92–94

      • simplifying exploitation process, 90

    • triggering step in, 71–90

  • Kernel extensions (KEXT), 208–227

    • auditing, 215–227

    • directory structure of, 209

  • Kernel Mode Code Signing (KMCS), 291

  • Kernel Modular Debugger (kmdb), 122–125

  • Kernel Processor Control Block (KPRCB), 298

  • Kernel Processor Control Region (KPCR), 298

  • Kernel security, 433–434

  • Kernel symbol, 93, 94

  • Kernel-generated user-land vulnerabilities, 41–43

  • Kernel-land exploits versus user-land exploits, 11–13, 12–13

  • Kernel-land memory, 4

  • Kernel-land multiple page mappings, 372

  • Kernel-land stack, 26

  • Kernel-mode APCs, 381

    • types of, 382

  • Kernel-mode shadow mapping, 373

  • Kernel-mode stack, 83

  • KEXT. See Kernel extensions

  • kextload command, 211, 212

  • KGDB, 114

  • KLD API, 213

  • Kprobes, 110–112

  • Kretprobe, 110, 112

  • kstat command, 140, 140


  • Last in, first out (LIFO) approach, 54, 77

  • Linux, 104–114

    • arbitrary memory overwrite primitive, 394–402

    • execution step, 126–138

    • memory segments, disabling, 409–410

    • privilege model, 126–138

      • post-2.6.29, 135–138

      • pre-2.6.29, 126–135

    • remote exploitation, 393–394

  • Linux 2.6 SLAB allocator, attacking, 160–177, 160–163

  • Linux kernel

    • debugging, 108–114

    • stack buffer overflows, exploiting, 180–183

    • versions, 106

  • Linux SLUB allocator, 139

  • Linux Vsyscall page, 362

  • Loadable Kernel Module (LKM), 171, 172

  • Load-store architecture. See Reduced Instruction Set Computer (RISC) architecture

  • Local exploit, 6

  • Logic bugs, 39–43


  • Mac OS X, 195

    • arbitrary memory overwrite, 229–239

    • execution step, 227–228

    • exploitation notes, 228–266

    • fat binaries, 196

    • kernel debugging, 200–208

    • kernel extensions, 208–227, 215–227

    • memory allocator exploitation, 253–266

    • race conditions, 266

    • stack-based buffer overflows, 239–253

  • Mach of XNU kernel, 197

  • Machine Specific Registers (MSRs), 70

  • Memory

    • allocator exploitation, 253–266

    • corruption vulnerabilities, 26–29, 71–86, 94

    • management, 50–53

  • Memory descriptor list (MDL), 279

  • Memory management unit (MMU), 52

  • Modular kernels, 92

  • Multistage shellcode, 375–378

    • interrupt-to-process-context migration, 375–377

    • process-context-to-user-land migration, 377–378

    • three-phase, 367

    • two-phase, 367, 378–383


  • Neither buffered nor direct I/O method, 279

  • Non-Uniform Memory Access (NUMA), 162

  • Nonvalidated pointer, 24

  • NULL pointer dereference, 22, 40

  • nvram command, 201, 205


  • Objdump, 357

  • Object-pointer, 75

  • Open source operating systems, 18

  • OpenSolaris, 103, 114–125

  • OpenSolaris kernel debugging, 116–125

  • OpenSolaris slab allocator, 138, 143

    • attacking, 139–160

    • mandatory concepts, 139–146

  • Operating systems

    • kernel core load virtual address for, 346

    • open source versus closed source, 18

  • Overwrite-into-free-object-metadata technique, 166–172


  • Padding bytes for alignment, 370

  • Page cache for fun and profit, exhausting, 185–188

  • Page Directory Table (PDT), 56

  • Page fault handler, 36

  • Page Table Entry (PTE), 57

  • Page tables, 14, 361

  • Partial Reliable Stream Control Transmission Protocol (PR-SCTP), 386

  • Payload migration, 364–383

    • design considerations, 367–375

    • KEP context, 364–367

    • types, 367

  • Payload protocol identifier, 388

  • Per-processor data structure (PDA), 128

  • Physical Address Extension (PAE), 271

  • Physical device input validation, 40–41

  • Physical page allocator, 80

  • Plug and Play (hotplug) technology, 41

  • Pointer, 22–26

  • PowerPC architecture, 195

  • Print-based debugging, 116

  • Privileges, authorization mechanism, 286, 291–292

    • patching routine, 300–305

      • kernel-mode elevation, 300–302

      • user-mode elevation, 300

  • Program counter (PC). See Instruction pointer


  • Race condition, 33–38, 86–87, 266

    • example of, 35

    • exploitation techniques, 88–90

    • synchronization primitives, 34

  • Reduced Instruction Set Computer (RISC) architecture, 8, 49, 55

  • Redzoning, 29

  • Reference counter overflow, 39–40

  • Registers, 48–50

  • Relative identifier (RID), 289, 289

  • Relative virtual address (RVA), 276

  • Reliable slab overflow exploit, 148–160

  • Remote kernel exploitation, 6, 343, 344, 393–394

    • executing first instruction, 343, 344

      • arbitrary write of kernel memory, 360–362

      • direct execution flow redirection, 349–360

  • Remote kernel payloads, 362–383

  • Remote user-land payloads, 363

  • Remote vulnerabilities, attacking, 344–348

    • lack of control over remote target, 347–348

    • lack of exposed information, 344–347

  • Return into kernel text technique, 64–66, 84, 93

  • Return probes. See Kretprobe

  • Return-to-text technique, 359–360

  • RID. See Relative identifier

  • Rings, 56

  • RISC architecture. See Reduced Instruction Set Computer architecture

  • RtlCopyMemory() function, 335–337


  • SCTP, 386–388

    • data packet, 387

    • FWD chunk heap memory corruption, 386–393, 388

      • vulnerable path, 389–393

    • message building, 397–402

    • SSNMAP

      • structure, 392

    • TSN packet, 401–402, 402

  • Security descriptor, 286

  • Security identifier (SID), 286, 287–291

    • deny-only, 289

    • IdentifierAuthority, 288

    • integrity level, 290

    • internal structure, 288

    • list patching approach, 296–300

      • fixing token group, 300

      • locating access token, 299

      • locating EPROCESS structure, 298

      • patching access token, 299–300

    • logon, 289

    • restricted, 289, 294

    • Revision, 287

    • service, 290

    • SubAuthority, 288

    • SubAuthorityCount, 287

  • SEH. See Structured exception handling

  • set_selection()

    • case study, 172–177

    • memory corruption, 163–165

  • Shellcode, 6

    • example of two-stage, 63

    • executing, 410–414

    • installation of, 403–410

    • in kernel land, 62

    • mixed/multiple-stage, 62–64

    • multistage. See Multistage shellcode

    • NOP landing zone on, 60, 61

    • placing, 59–66, 369–373

    • raising credentials, 67–68

    • recovering kernel state, 68–71

    • three-phase multistage, 367

    • two-phase multistage, 367, 378–383

    • in user land, 60–62

    • user-mode process, 403–410

  • showallkmods command, 205

  • showcurrentthreads command, 205

  • SID. See Security identifier

  • Slab allocator, 103

    • OpenSolaris. See OpenSolaris slab allocator

  • SLUB allocator, 162, 163, 166

    • Linux, 139

  • SMP systems. See Symmetric multiprocessing systems

  • Snow Leopard, 195, 266

  • Solaris, 114–125

  • Stack, 53–55, 372

    • addresses/values, 96

    • canary, 85, 319, 321, 322, 325

    • frame, 55

    • overflow, 35, 83, 84

    • pointer, 26

    • POP operation, 54

    • PUSH operation, 54

  • Stack-based buffer overflows, 239–253

  • Store Interrupt Descriptor Table (SIDT), 96

  • Stream identifier (SI), 387

  • Stream Sequence Number (SSN), 388

  • Structured exception handling (SEH), 322, 323, 325, 334

  • Super privileges, 287

  • Super user, 4, 5

  • Symmetric multiprocessing (SMP) systems, 33, 49, 88

  • Synchronous interrupts, 365


  • tail command, 212

  • target command, 206

  • Three-phase multistage shellcode, 367

  • Time Of Check Time Of Use (TOCTOU), 423

  • Time Stamp Counter (TSC), 88

  • Token-stealing technique, 305–308

  • touch command, 252

  • Trampoline sequences, 349

    • redirecting saved instruction pointer to, 352

  • Translation lookaside buffer (TLB), 52, 53, 431

  • Transmission Sequence Number (TSN), 387, 388

  • Traps, 50

  • Two-phase multistage shellcode, 367, 378–383


  • udevd, 42, 43

  • uname -a command, 115

  • uname -r command, 105

  • Undefined behavior, 29

  • Uninitialized pointer dereference, 22, 23

  • Uniprocessor (UP) systems, 33, 49, 88

  • Universal binary. See FAT binary

  • Unix, 104–125

    • exploitation, 138–193

  • User-land

    • buffer, 280, 304, 310

    • execution, 367

    • exploitation, 9–13

      • versus kernel-land exploits, 11–13, 12–13

    • memory, 4

    • multiple page mappings, 372

    • processes and scheduler, 13–14

    • stack, 26

  • User-land-to-kernel interface, 314

  • User-mode

    • APC, 381

    • buffer, accessing, 279, 280

    • mapping, 373

    • stack, 83

  • User-space

    • buffer, 280, 282, 328

    • on kernel space, 16–17


  • Virtual address space, 14, 15

  • Virtual Dynamically Linked Shared Object (vDSO), 403–407

  • Virtual memory, 14–17

  • Virtual memory management (VMM), 197

  • Virtual remote memcpy() primitive, 400

  • Virtual System Call Page (Vsyscall)

    • overwriting, 407–410

    • recovering, 413–414

  • vmlinux, 113

  • VMware, 283

  • Vulnerable dummy driver, 146–148


  • WDK. See Windows Driver Kit

  • WinDbg commands, 282, 284, 285, 285, 328

  • Windows Server 2003 32-bit overflow scenario, 321–334

    • fixing object table, 331–334

    • triggering exception, 326–331

    • user-space memory layout, 329

  • Windows Server 2008 64-bit overflow scenario, 334–339

    • index-based buffer overflow, 337

    • parent frame, 337–339

    • RtlCopyMemory() implementation, 335–337

  • Windows Server 2008 R2 64-bit, token structure, 294

  • Windows authorization model, 286–295

  • Windows Driver Kit (WDK), 277, 322

  • Windows kernel, 271–285

    • building shellcode, 295–308

    • debugging, 282–285

    • device I/O control, 278–279, 309, 310

    • information gathering, 272–276

    • I/O request packet dispatching, 278–279

    • user to kernel/kernel to user mode, 279–282

  • Windows kernel exploitation, 308–339

    • arbitrary memory overwrite, 308–319

      • leaking KPROCESS address, 314–319

      • one byte overwrite case study, 313

      • overwriting kernel control structures, 314–319

      • overwriting kernel dispatch tables, 311–313

    • stack buffer overflow, 319–339

  • Windows NT 5.x kernels, 295

  • Windows NT 6.x kernels, 295, 300, 304

  • Windows operating system, 270

    • version, detection of, 272

  • Windows SharedUserData area, 373–375, 379

  • Wireshark, 401–402


  • x86-32 architecture, 55–57, 361

  • x86-64 architecture, 53, 57–58, 88, 95, 361

    • interrupt/trap gate entry, 73

  • Xcode, 210, 211

  • XNU kernel, 195, 196–200

    • BSD component of, 197

    • IOKit in, 197–198, 214

    • Mach component of, 197

    • system call tables, 198–200


  • Zone allocator, 253, 265
