Exploits. In most information technology circles these days, the term exploits has
become synonymous with vulnerabilities or, in some cases, buffer overflows. It is not
only a scary word that can keep you up at night wondering if you purchased the best
firewalls, configured your new host-based intrusion prevention system correctly, and have
patched your entire environment, but can enter the security water-cooler discussions
faster than McAfee’s new wicked anti-virus software or Symantec’s latest acquisition.
Exploits are proof that the computer science, or software programming, community still
does not have an understanding (or, more importantly, firm knowledge) of how to
design, create, and implement secure code.
Like it or not, all exploits are a product of poorly constructed software programs and
talented software hackers – and not the good type of hackers that trick out an application
with interesting configurations. These programs may have multiple deficiencies such
as stack overflows, heap corruption, format string bugs, and race conditions—the first
three commonly being referred to as simply buffer overflows. Buffer overflows can be as
small as one misplaced character in a million-line program or as complex as multiple
character arrays that are inappropriately handled. Building on the idea that hackers will
tackle the link with the least amount of resistance, it is not unheard of to think that the
most popular sets of software will garner the most identified vulnerabilities. While there
is a chance that the popular software is indeed the most buggy, another angle would be
to state that the most popular software has more prying eyes on it.
If your goal is modest and you wish to simply “talk the talk,” then reading this first
chapter should accomplish that task for you; however, if you are the ambitious and eager
type, looking ahead to the next big challenge, then we welcome and invite you to read
this chapter in the frame of mind that it is written to prepare you for a long journey. To
manage expectations, we do not believe you will be an uber-hacker or exploit writer
after reading this, but you will have the tools and knowledge afterward to read, analyze,
modify, and write custom exploits and enhance security tools with little or no assistance.