Sockets, Shellcode, Porting and Coding
by Foster, James with Mike Price
Syngress 2005.
ISBN 1-597490-05-9. 667 pages. $49.95. Index. Four appendices, including glossary. Code examples available at www.syngress.com (registration required plus a key from the book).
Reviewed by Robert Bruen 07/14/05
The small but growing library of excellent books in reverse engineering and shellcode has one more member. As held by common wisdom, writing good exploits is still difficult and not too many people can do it. The difficulty is rooted in the requirement of expertise in architecture and coding. In a point-and-click world, there is little opportunity to learn how the technical stuff works, especially now that the US is producing fewer programmers with fewer skills. You have to make an effort to master several languages, including assembler, and to understand things like memory addressing, stacks and pointers. There are at least two major problems with this scenario. First, if no one understands how software works, then vendors can sell junk without any complaints. Secondly, if the US continues its decline in expertise, the rest of the world will continue its path toward technical superiority. Fortunately, Mr. Foster is contributing his knowledge for anyone who wishes to take the time and make the effort to learn how it is done.
The portability of code is always an issue, both between platforms and between languages. The usual platforms are Windows and some flavor of Unix. In this book the languages run from C, C++, C#, Java, Perl and Python to assembly. Going between platforms and languages can be demanding, especially when networking is involved. Foster seems to be unaffected by the challenges presented by each variant as he seamlessly rewrites code to work under different scenarios. Each line is numbered and explained for each code example, which is very helpful when comparing, for example, how Windows creates a process and how Unix creates a process. The example code is short so that the actual point is made without superfluous code. Of course, there are plenty of examples of more complex code throughout the book as well.
The book has three full chapters on writing exploits, plus two chapters on writing shellcode. These sections analyze existing exploit code using numerous techniques, such as format string attacks, heap corruption and various buffer overflows. One chapter on writing exploits does a nice job covering the Metasploit Framework. MSF has started to show up in chapters like this, demonstrating a need for its own book. In this chapter the Framework is used in a step-by-step creation of a buffer overflow for an older version of IIS. First, an analysis is undertaken to show how one determines what needs to be done. It makes me feel better when one thinks about the plan rather than just jumping into the code. How the use of MSF cuts down on the time for developing exploit code is also explained. All of this is valuable to defenders as well as attackers, and to those who write resilient code.
This book is highly recommended and will be put on my bookshelf next to The Shellcoder's Handbook and Eilam's Reversing.