Book: The Shellcoder’s Handbook (first edition)
I had numerous requests to write review about the two editions of “The Shellcoder’s Handbook”. I have read those two books a few times in the past so I think I’m in position of writing a review about them. Here is the first edition…
Title: The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
Authors: Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta and Riley Hassell
Part 1: Introduction to Exploitation: Linux on x86
Chapter 1: Before You Begin
Just like most “exploitation” books, it starts with a chapter that introduces the essentials for understanding basic exploitation on x86 platform.
Chapter 2: Stack Overflows
Nice chapter that goes through all the basics as well as some common bypassing techniques such as NOP sleds and return-to-libc techniques.
Chapter 3: Shellcode
Once again, a gentle introduction to simple x86 shellcoding.
Chapter 4: Introduction to Format String Bugs
Everything you need to know to get started with format string vulnerabilities as well as their exploitation for x86 on Linux.
Chapter 5: Introduction to Heap Overflows
The last chapter of this part of the book that follows the same approach as the previous chapter, but this time for heap based buffer overflows.
Part 2: Exploiting More Platforms: Windows, Solaris, and Tru64
Chapter 6: The Wild World of Windows
An introduction to the nuances of Windows operating system. This includes APIs, DCE-RPC (along with an exploitation example), debugging, etc.
Chapter 7: Windows Shellcode
The title says it all…
Chapter 8: Windows Overflows
This is a very extensive chapter on Windows overflows going through stack, heap, .data and TEB/PEB overflows. Furthermore, you can find information on some usual bypassing techniques and other important aspects for heap based buffer overflows.
Chapter 9: Overcoming Filters
Another chapter on shellcoding, this time dealing with a little bit more advanced concepts. More specifically, the chapter includes information for alphanumeric and Unicode shellcodes and provides a complete example for encoding/decoding shellcodes.
Chapter 10: Introduction to Solaris Exploitation
Beginning with an introduction to the SPARC architecture and Solaris specific details, it goes through basic stack based buffer overflows and off-by-one overflows, to heap based overflows and static data overflows. Clearly one of my personally favourite chapters even up to the date of this writing.
Chapter 11: Advanced Solaris Exploitation
This is a small chapter that includes a good amount of Solaris/SPARC tricks useful for exploitation.
Chapter 12: HP Tru64 Unix Exploitation
Believe it or not this is the only Tru64 exploitation reference you can find on any book (of course, I’m talking about the books I am aware of). After discussing the essentials of the ALPHA architecture, the author goes through shellcoding, stack based buffer overflows, bypassing of non-executable stack and finally remote exploitation of an RPC vulnerability.
Part 3: Vulnerability Discovery
Chapter 13: Establishing a Working Environment
As its title suggests, this guides you through the general setup you need to have for working on vulnerability discovery.
Chapter 14: Fault Injection
Most of these are well known nowadays but in any case, it is a good reference.
Chapter 15: The Art of Fuzzing
So, here you have information on fuzzing and a couple of examples as well as a few concepts that you have to consider when either fuzzing or writing your own fuzzer.
Chapter 16: Source Code Auditing: Finding Vulnerabilities in C-based Languages
Here you can find information on useful tools for such jobs and also for methodology, identification, etc.
Chapter 17: Instrumented Investigation: A Manual Approach
This is a truly interesting chapter that begins from the background philosophy and later uses the Oracle EXTPROC vulnerability as a case study. It includes very helpful information on manual vulnerability discovery.
Chapter 18: Tracing Vulnerabilities
Another innovative chapter (for such books) dealing with the methodology for tracing vulnerabilities.
Chapter 19: Binary Auditing: Hacking Closed Source Software
Moving to the closed source code side, we have this nice introduction to reverse engineering and debugging closed source software. As in most of the previous chapter, this one also includes some examples using real-world vulnerabilities on Microsoft software.
Part 4: Advanced Materials
Chapter 20: Alternative Payload Strategies
The first chapter of the 4th part of the book is about some less common payload techniques. Authors provide some nice examples with both closed and open source software that range from common patching or runtime patching to less common like system call proxies.
Chapter 21: Writing Exploits that Work in the Wild
Most modern books dealing with exploit development now include such chapters. Nevertheless, it is always important to keep in mind the requirements for having a working exploit and not just a proof of concept exploit code.
Chapter 22: Attacking Database Software
A small introduction to database exploitation although, as it turned out, David Litchfield wrote an entire book on this subject. This chapter has sections for all major enterprise class products including Oracle, IBM DB2 and Microsoft SQL Server.
Chapter 23: Kernel Overflows
Two nice examples are discussed for the OpenBSD and Solaris platforms.
Chapter 24: Exploiting Kernel Vulnerabilities
General techniques for kernel exploitation are available in this chapter. Most parts of this chapter are specifically for OpenBSD and Solaris operating systems but there are information that can be applied to other systems too.
So, even though today this book is a little bit outdated on some parts, it is still an excellent resource. However, when it was published it was definitely one of the best, if not the best, book for exploitation. Even today it is the only book I am aware of that deals with Tru64 exploitation as well as user space Solaris remote exploitation. Also, the amount of examples and code samples in the book is amazing. Congratulations to all the authors for this release.