Buffer Overflow Exploitation and Defense Evasion
Buffer Overflow Exploitation and Defense Evasion
About the Book
Dive deep into the intricate world of memory corruption with Buffer Overflow Exploitation and Defense Evasion. This comprehensive guide unravels the mechanics behind classic and modern vulnerability classes—from stack and heap overflows to format string bugs and integer manipulation pitfalls. Go beyond theory to understand how these flaws are leveraged at the assembly and OS level on x86/x64 and ARM architectures.
But exploitation is only half the story. This book meticulously dissects the evolution of defensive technologies, including Stack Canaries, NX/DEP, ASLR, PIE, RELRO, CFG, CFI, PAC, and MTE. Crucially, it then details the sophisticated bypass techniques developed by attackers, such as Return-Oriented Programming (ROP), JOP/COP, information leaks, and data-only attacks.
Packed with technical detail, shellcoding craftsmanship, kernel exploitation fundamentals, and insights into essential tooling (GDB, WinDbg, IDA, pwntools), this book is indispensable for security researchers, penetration testers, exploit developers, and advanced cybersecurity students seeking to master the low-level realities of software security and navigate the perpetual arms race between offense and defense. This is not an introductory text; a solid foundation in C/C++, assembly, and OS internals is required.
About the Author
Table of Contents
- Table of Contents:
- Preface
- Chapter 1: Memory, Processes, and the Von Neumann Bottleneck
- 1.1 Revisiting Process Memory Layout
- 1.2 Virtual Memory, Paging, and Permissions
- Chapter 1: Memory, Processes, and the Von Neumann Bottleneck (Continued)
- 1.3 CPU Architecture Basics: The Registers Guiding Execution
- 1.4 The C Language Memory Model: Power and Peril
- 1.5 Why Buffer Overflows Happen: The Missing Check
- 1.6 The Code/Data Equivalence: Enabling Execution
- Chapter 2: Stack-Based Buffer Overflows: The Canonical Exploit
- 2.1 Detailed Stack Frame Anatomy
- x86 (32-bit) Calling Conventions (cdecl, stdcall):
- x64 (64-bit) Calling Conventions (System V AMD64 ABI - Linux/macOS, Microsoft x64 - Windows):
- 2.2 Function Prologues and Epilogues
- Typical x86 Prologue (with Frame Pointer):
- Typical x86 Epilogue (with Frame Pointer):
- Typical x64 Prologue (System V, with Frame Pointer):
- Typical x64 Epilogue (System V, with Frame Pointer):
- 2.3 Overwriting the Return Address: Seizing Control
- Example Payload Structure (Conceptual):
- 2.4 Vulnerable Functions Revisited
- 2.5 Crafting the First Payload: NOP Sleds and Shellcode Injection
- Payload Structure:
- Example (Conceptual x86):
- 2.6 Finding Buffer Addresses: The Elusive Target
- 2.7 Variations: Beyond the Simple Overwrite
- Chapter 3: Shellcoding Craftsmanship
- 3.1 Principles of Position-Independent Code (PIC)
- 3.2 Common Shellcode Goals
- 3.3 Writing Basic Shellcode: Linux (x86/x64 Syscalls)
- Key Concepts:
- Example: x64 Linux
execve("/bin/sh", ["/bin/sh", NULL], NULL)
- 3.4 Writing Basic Shellcode: Windows (API Resolving)
- Key Concepts:
- Example Snippet (Conceptual x86 - Finding Kernel32 Base):
- 3.5 Dealing with Bad Characters
- Identifying Bad Characters:
- Avoiding Bad Characters:
- 3.6 Encoders, Decoders, and Simple Polymorphism
- Common Encoder Example (XOR):
- 3.7 Staged Shellcode
- Chapter 4: Heap-Based Buffer Overflows: The Unstructured Frontier
- 4.1 Heap vs. Stack Dynamics: A Tale of Two Memories
- 4.2 Heap Allocator Internals: Focus on dlmalloc/ptmalloc
- Core Components:
- 4.3 Classic Heap Exploitation Techniques
- 4.4 Advanced Heap Exploitation (
ptmallocspecific)
- 4.5 Heap Spraying Techniques
- Chapter 5: Format String Vulnerabilities: Exploiting Output Functions
- 5.1 Variadic Functions and the
printfFamily
- 5.2 Format Specifiers: The Language of
printf
- 5.3 The Vulnerability: Broken Trust
- Incorrect Code:
- Correct Code:
- Exploitation:
- 5.4 Information Leakage: Reading Process Memory
- 5.5 Arbitrary Memory Write: The Power of
%n
- Example (Conceptual): Write
0xdeadbeefto address0x12345678
- Using
%hnand%hhnfor Precise Writes:
- Example: Write
0x1234to addressTargetAddr(using%hn)
- Direct Parameter Access (
%N$n)
- 5.6 Exploitation Targets for Arbitrary Write
- 5.7 Mitigations
- 5.8 Real-world Context
- Chapter 6: Integer Overflows: The Silent Precursor
- 6.1 Integer Representation Fundamentals
- 6.2 Overflow, Underflow, and Wraparound: Crossing the Limits
- 6.3 Truncation: Losing Precision
- 6.4 Sign Extension Errors: Misinterpreting Signs
- 6.5 Exploitation Scenarios: From Bad Math to Memory Corruption
- 6.6 Real-world Case Studies (Brief Mentions)
- 6.7 Detection and Prevention
- 6.8 Conclusion
- Part 2: Modern Defenses and Bypasses
- Chapter 7: Platform Defenses: Raising the Bar
- 7.1 Stack Canaries / StackGuard / Stack Smashing Protector (SSP)
- 7.2 Non-Executable Memory (NX / DEP / W^X)
- 7.3 Address Space Layout Randomization (ASLR)
- 7.4 Position Independent Executables (PIE)
- 7.5 Relocation Read-Only (RELRO)
- 7.6 Control Flow Guard (CFG - Windows)
- 7.7 Control-Flow Integrity (CFI - Generic/Clang)
- 7.8 Pointer Authentication Codes (PAC - ARM)
- 7.9 Memory Tagging Extension (MTE - ARM)
- 7.10 Source Code Hardening & Secure Libraries
- 7.11 Conclusion
- Chapter 8: Bypassing Stack Canaries
- 8.1 Leaking the Canary Value
- Methods for Leaking:
- Payload Construction after Leak:
- 8.2 Brute-Forcing the Canary
- Factors Affecting Feasibility:
- Brute-Force Payload Structure (Byte-by-Byte):
- 8.3 Overwriting Targets Below the Canary
- Potential Targets:
- 8.4 Attacking Canary Generation or Checking Logic
- 8.5 Partial Overwrites and Data-Only Attacks
- 8.6 Conclusion
- Chapter 9: Bypassing NX/DEP: Return-Oriented Programming (ROP)
- 9.1 The Principle: Reusing Existing Code
- 9.2 What is a Gadget?
- 9.3 Finding Gadgets
- 9.4 Gadget Types and Their Roles
- 9.5 ROP Chain Construction: Orchestrating Gadgets
- Stack Layout Example (Conceptual x64 - Call
func(arg1, arg2)):
- 9.6 Controlling Function Arguments
- 9.7
ret2libc: Calling Library Functions
- 9.8 Syscall Gadgets: Direct OS Interaction
- 9.9 Stack Pivoting: Changing the Stage
- 9.10 Advanced ROP: Sigreturn-Oriented Programming (SROP)
- 9.11 Blind ROP (BROP)
- 9.12 Conclusion: The Ubiquity of ROP
- Chapter 10: Bypassing Address Space Layout Randomization (ASLR)
- 10.1 The Crucial Role of Information Leaks
- 10.2 Common Sources of Information Leaks
- 10.3 Leveraging Leaked Pointers: Calculating Base Addresses
- 10.4 Partial Overwrites: Exploiting Low Entropy
- 10.5 Brute-Forcing ASLR: A High-Cost Gamble
- 10.6 Exploiting Non-Randomized Components
- 10.7 Chaining Leaks: Multi-Stage Exploitation
- 10.8 Conclusion
- Chapter 11: Bypassing CFI, CFG, and Advanced Hardware Mitigations
- 11.1 Bypassing Control Flow Guard (CFG - Windows)
- 11.2 Bypassing Control-Flow Integrity (CFI)
- 11.3 Bypassing Pointer Authentication Codes (PAC - ARM)
- 11.4 Bypassing Memory Tagging Extension (MTE - ARM)
- 11.5 JOP/COP: Alternative Code Reuse
- 11.6 Return-to-CSU (
__libc_csu_init)
- 11.7 Conclusion: The Ever-Shifting Battlefield
- Chapter 12: The Holistic View: Combining Bypasses and Tooling
- 12.1 Typical Exploit Chains: The Sum of Parts
- 12.2 Exploit Development Workflow: A Systematic Approach
- 12.3 Using Debuggers Effectively
- Debugger Usage Strategy:
- 12.4 Leveraging Disassemblers/Decompilers
- Usage Strategy:
- 12.5 Exploit Frameworks (pwntools)
- 12.6 Fuzzing for Bug Discovery
- 12.7 Automated Exploit Generation (AEG) Concepts
- 12.8 Conclusion
- Part 3: Beyond the Basics and Future Trends
- Chapter 13: Architecture Specifics and Kernel Exploitation
- 13.1 Architecture Specifics: ARM/AArch64 Exploitation
- Key Architectural Differences:
- Impact on Exploitation Techniques:
- 13.2 Introduction to Kernel Exploitation
- User Space vs. Kernel Space:
- Kernel Memory Layout:
- Kernel Attack Surface:
- Common Kernel Bug Classes:
- Kernel Mitigations:
- 13.3 Basic Kernel Exploit Concepts
- Payload Example: Privilege Escalation
- 13.4 Conclusion
- Chapter 14: The Shifting Landscape and Conclusion
- 14.1 The Rise of Memory-Safe Languages
- 14.2 Managed Runtimes (JVM, .NET, Python, Ruby, etc.)
- 14.3 WebAssembly (Wasm) Security Considerations
- 14.4 Hardware-Level Security Evolution
- 14.5 The Continuous Arms Race: What’s Next?
- 14.6 Final Thoughts: The Primacy of Secure Development
- Appendix A: Glossary of Terms
- Appendix B: Common Linux Syscall Tables (x86 & x64)
- B.1 x86 (32-bit) Syscall Convention
- Common x86 Syscalls:
- B.2 x64 (64-bit) Syscall Convention
- Common x64 Syscalls:
- Important Considerations:
- Appendix C: Useful Debugger Commands for Exploit Development
- C.1 GDB + Extensions (PEDA/GEF/Pwndbg)
- Process Control & Execution:
- Breakpoints:
- Memory Examination:
- Register Manipulation:
- Stack Analysis:
- Disassembly:
- Heap Analysis (Extensions - Commands may differ slightly):
- ASLR/PIE/Mitigation Info (Extensions):
- Searching Memory:
- Scripting & Automation:
- C.2 WinDbg (Windows)
- Process Control & Execution:
- Breakpoints:
- Memory Examination:
- Register Manipulation:
- Stack Analysis:
- Disassembly:
- Heap Analysis:
- Module/Memory Info:
- Searching Memory:
- Symbols:
- C.3 Final Note
- Appendix D: Further Reading and Resources
- D.1 Foundational Books
- D.2 Advanced Exploitation & Reverse Engineering Books
- D.3 Online Resources & Communities
- D.4 Essential Tools (Recap & Beyond)
- D.5 Practice Platforms
- D.6 Final Advice
The Leanpub 60 Day 100% Happiness Guarantee
Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.
Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.
You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!
So, there's no reason not to click the Add to Cart button, is there?
See full terms...
Earn $8 on a $10 Purchase, and $16 on a $20 Purchase
We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.
(Yes, some authors have already earned much more than that on Leanpub.)
In fact, authors have earnedover $14 millionwriting, publishing and selling on Leanpub.
Learn more about writing on Leanpub
Free Updates. DRM Free.
If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).
Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.
Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.
Learn more about Leanpub's ebook formats and where to read them
