
Index

P

P plaintext message, 213
packet fragments, 142-43
packets, 140-41
ACK packets, 163, 164, 170
banner response packet, 170
command-line packet-injection tool, 151, 157
Ethernet packets, 145, 146
FIN packets, 163
ICMP, 142, 160, 162
IP (Internet Protocol), 142, 143, 150
nemesis packet-injection tool, 151, 157, 231
packet fragments, 142-43
RST packets, 157, 158, 163, 164, 1660
SYN packets, 144, 145, 162, 163, 164, 168
SYN/ACK packets, 144, 162, 163, 164, 166, 167
UDP echo packets, 162
pads, 175
parameter access, 71-73
password cracking, 196-211
dictionary attacks, 197-99
exhaustive brute-force attacks, 199-200
hash lookup table, 200-201
password probability matrix, 201-11
ppm_crack.c file, 206-11
ppm_gen.c file, 203-5
program for, 199
password hash, 197
PATH environment variable, 62
pcalc calculator, 231
Perl script, 154-56, 197
Phiral Research Laboratories, 118
Physical layer, 140, 141, 145
ping flooding, 161
Ping of Death, The, 160
plaintext, 202, 212, 215
pointers, 16-17
polarization, 175-76
polarized photons, 176
polymorphic shellcode, 102-18
ASCII printable, 103-18
assembled print2 shellcode, 114-18
print2.asm, 112-14
printable_exploit.c, 109-11
print.asm, 107-9
overview, 102-3
pop <dest> instruction, 105
pop instruction, 85
popping, 19
port scanning, 162-72
FIN, X-mas, and Null scans, 163
idle scanning, 163-65
proactive defense (Shroud), 165-72
spoofing decoys, 163
stealth SYN scan, 163
ppm_crack.c file, 206-11
ppm_gen.c file, 203-5
practically secure, 174
Presentation layer, 140, 141
PRGA (Pseudo Random Generation Algorithm), 213-14
printable ASCII shellcode, 103, 109, 119
printable shellcode, 120
printf( ) function, 54-59, 129, 134-35
private keys, 180
proactive defense (Shroud), 165-72
procedure linkage table, 80
procedure prolog, 20
processor registers, 84
product ciphers, 179
program, defined, 8
program exploitation, 11-14
program memory segmentation, 18-21
programming, 7-139
buffer overflows, 22-23
format strings, 54-83
detours with dtors, 74-80
direct parameter access, 71-73
format-string vulnerability, 59-61
overwriting global offset table, 80-83
and printf( ), 54-59
reading from arbitrary memory addresses, 61-62
writing to arbitrary memory addresses, 62-71
generalized exploit techniques, 14-15
heap- and bss-based overflows, 41-54
basic heap-based overflow, 41-46
overflowing function pointers, 46-54
memory, 16-21
memory declaration, 17
null byte termination, 18
program memory segmentation, 18-21
multi-user file permissions, 15-16
program exploitation, 11-14
returning into libc, 129-38
chaining return into libc calls, 132-33
returning into system( ), 130-31
using wrapper, 133-34
writing multiple words with single call, 136-38
writing nulls with return into libc, 134-36
stack-based overflows, 23-41
See also environment
exploit.c code, 26-27
exploiting without exploit code, 27-31
vuln.c code, 24-26
what it is, 8-11
writing shellcode, 84-129
avoiding using other segments, 92-94
common assembly instructions, 84-85
Hello, World program, 87-89
Linux system calls, 85-87
polymorphic shellcode, 102-3
printable ASCII instructions, 101-2
removing null bytes, 94-98
shell-spawning code, 90-92
using stack, 98-101
promiscuous mode, 146
protocol host fingerprints, 189
pseudo-code, 9-10
Pseudo Random Generation Algorithm (PRGA), 213-14
PSH flag, 144
pushing, 19
push instruction, 85, 105
