Hacking the Art of Exploitation
Hacking the Art of Exploitation 2nd Edition, by Jon Erickson and published by No Starch Press (2008). Currently the topical book for the #TechniColorRainbow book club hosted by Hacker's town. The following are my chapter notes and notes derived from the book club meetings themselves.
0x200 Programming
- objdump can be used to examine compiled binaries. The output includes columns for memory addresses, the machine-language command in hex, and the assembly.
- x86 assembly comes in either AT&T or Intel syntax. Erickson prefers Intel, which requires the `-M intel` switch for objdump.
- gdb can be used to see the contents of the CPU registers.
- EAX, ECX, EDX and EBX are known as the general purpose registers. They act as temporary variables for the CPU. ESP, EBP, ESI, and EDI stand for Stack Pointer, Base Pointer, Source Pointer, and Destination Pointer.
- EIP points at the current command being executed.
- When compiling using GCC, the `-g` flag can be used to debug the source code with GDB.
- There is a prologue to a C program which sets up memory for variable storage, followed by the program itself.
- There are lots of undefined behaviors in the C language which can lead to different compilers handling behaviors differently.
- Note: Reread the Memory Segmentation (x270) and Getting Your Hands Dirty (x250)
- Musing on buying a microcontroller and writing something up in C with it for fun.
0x300 Exploitation
0x400 Networking
- OSI Model: physical (cables), data-link (routers), network layer (IP), transport (TCP), session, presentation, application (HTTP/POP/FTP)
- Each layer wraps the protocols of the previous layer. Going out, each layer is added; coming in, each layer is peeled away.
- Sockets come in stream (TCP) or datagram (UDP)
- ARP Poisoning. Request goes out to map a MAC address to an IP. This can be intercepted/replaced.
- TCP works by sending a SYN request out, receiving a SYN/ACK back and then sending an ACK back. This sets up the sequence number for bytes on each end.
- Port scanning works by sending out a SYN, but instead of sending an ACK to complete the connection, sending a RST to reset it.
- SYN flooding. Send out a lot of SYN packets to use up the available TCP connections on the server.
- TCP/IP hijacking. Send out a spoofed SYN to throw off the victim's sequence. Now you can MITM them.
- Promiscuous devices read every packet and decode it. Switching protects against this by only sending packets to the MAC that requested them.
- Where do HTTPS and DoH fall into this picture? The book was written in 2008, and these technologies wouldn't have had widespread adoption at that time.
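The handshake, port-scan and SYN-flood notes above, as an added example that is not from the book: a small Python classifier that tracks each flow's handshake state over constructed packet records and counts the half-open connections a flood leaves behind. The record format, addresses and function names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed records (not real captures): (src_ip, src_port, dst_ip, dst_port, flags); S=SYN A=ACK R=RST
PACKETS = [
    ("10.0.0.5", 40000, "10.0.0.1", 80, "S"),    # normal: SYN, SYN/ACK, ACK
    ("10.0.0.1", 80, "10.0.0.5", 40000, "SA"),
    ("10.0.0.5", 40000, "10.0.0.1", 80, "A"),
    ("10.0.0.9", 50000, "10.0.0.1", 22, "S"),    # probe: SYN, SYN/ACK, then RST
    ("10.0.0.1", 22, "10.0.0.9", 50000, "SA"),
    ("10.0.0.9", 50000, "10.0.0.1", 22, "R"),
    ("10.0.0.7", 60001, "10.0.0.1", 443, "S"),   # flood pattern: SYNs never completed
    ("10.0.0.1", 443, "10.0.0.7", 60001, "SA"),
    ("10.0.0.7", 60002, "10.0.0.1", 443, "S"),
    ("10.0.0.1", 443, "10.0.0.7", 60002, "SA"),
]

def classify_flows(packets):
    """Map each client-initiated flow (client, cport, server, sport) to a handshake state."""
    flows = defaultdict(list)  # flow key -> [(direction, flags), ...]
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if "S" in flags and "A" not in flags:   # a bare SYN opens a new flow
            flows[fwd].append(("client", flags))
        elif rev in flows:                      # server answering that flow
            flows[rev].append(("server", flags))
        elif fwd in flows:                      # client continuing the flow
            flows[fwd].append(("client", flags))
    result = {}
    for key, pkts in flows.items():
        got_synack = any(d == "server" and "S" in f and "A" in f for d, f in pkts)
        first_reply = next((f for d, f in pkts[1:] if d == "client"), None)
        if not got_synack:
            result[key] = "syn_only"        # server never answered the SYN
        elif first_reply is None:
            result[key] = "half_open"       # SYN/ACK sent, client went silent
        elif "R" in first_reply:
            result[key] = "scan_probe"      # RST instead of the final ACK
        else:
            result[key] = "established" if "A" in first_reply else "other"
    return result

def half_open_counts(packets):
    """Count half-open flows per client; many from one source is the SYN-flood pattern."""
    counts = defaultdict(int)
    for (client, _, _, _), state in classify_flows(packets).items():
        if state == "half_open":
            counts[client] += 1
    return dict(counts)
```

Real captures would also need a timeout before a flow is called half-open, since a slow but legitimate client looks the same until its ACK arrives.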