Writing exploits
Monday, March 20th, 2006
I took some time out over the weekend to catch up on some reading material that I’ve been sitting on for a while.
One of the things I’ve been sitting on was a sample chapter from the book Sockets, Shellcode, Porting, and Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals.
The sample chapter is called Writing Exploits III. If the rest of the book is written like this chapter, then this is a really good book. I definitely learned a lot from reading this chapter. The material deals with how to find vulnerabilities in applications and then how to use Metasploit to exploit those vulnerabilities. It will show you how to send a string of characters to an application and how to watch the debugging application to see where you need to insert your malicious payload. It will show you how to find which hex characters to avoid in your payload. It will show you how to use Metasploit to generate and encode the proper shellcode to use in your exploit. And finally, it will show you how to port an existing exploit so you can use it from within Metasploit.
I was very impressed with the chapter and learned quite a lot. If this is a topic you’re interested in, I highly recommend reading through this chapter. There are a lot of pictures, also, to help you understand exactly what the author is demonstrating.
You can find the sample chapter at http://www.syngress.com/book_catalog/327_SSPC/sample.pdf