EXTENSION_CONTROL_BLOCK pointer. You just make sure to overwrite the
exception handler pointer, and when the function crashes the system will call
whatever address is now stored there, treating it as the handler for the exception.
There is one other problem with exploiting this code. Remember that whatever
is fed into DecodeURLEscapes will be translated into Unicode. This means that
the function will widen every byte you send it into a 16-bit character, placing
a 0x00 byte after each one. How can you possibly construct a usable address for
the exception handler in this way? It turns out that you don’t have to. Among
its many talents, DecodeURLEscapes also supports the decoding of hexadecimal
digits into binary form, so you can include escape codes such as %u1234 in your
URL, and DecodeURLEscapes will write the 16-bit value 0x1234 right into the
target string, with no Unicode conversion problems.
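The following is an added illustration written for this page, not code from the book or from IDQ.DLL. It models only the two behaviours described above, assumed here in simplified form: a decoder that widens every plain byte (and every %XX escape) to a 16-bit character with a 0x00 high byte, but stores the full 16-bit value of a %uXXXX escape directly. The helpers encode_u32_as_u_escapes and roundtrip_pointer, and the sample value 0x41424344, are constructed for the example; they show why two %u escapes, low word first, land in memory as a usable little-endian 32-bit pointer while plain bytes never can.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not IDQ.DLL's code): a simplified model of a URL
 * decoder that widens every plain byte to a 16-bit Unicode character but
 * honours %uXXXX escapes by storing the 16-bit value directly. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode `in` into at most `cap` wide characters at `out`.
 * Returns the number of wide characters written. */
size_t decode_url_widen(const char *in, uint16_t *out, size_t cap) {
    size_t n = 0;
    while (*in && n < cap) {
        if (in[0] == '%' && (in[1] == 'u' || in[1] == 'U') &&
            in[2] && in[3] && in[4] && in[5]) {
            int h0 = hexval(in[2]), h1 = hexval(in[3]);
            int h2 = hexval(in[4]), h3 = hexval(in[5]);
            if (h0 >= 0 && h1 >= 0 && h2 >= 0 && h3 >= 0) {
                /* %uXXXX: the sender controls all 16 bits, including the
                 * high byte that a plain byte can never reach. */
                out[n++] = (uint16_t)((h0 << 12) | (h1 << 8) | (h2 << 4) | h3);
                in += 6;
                continue;
            }
        }
        if (in[0] == '%' && in[1] && in[2]) {
            int a = hexval(in[1]), b = hexval(in[2]);
            if (a >= 0 && b >= 0) {
                /* %XX: one byte, still widened, so the high byte is 0x00. */
                out[n++] = (uint16_t)((a << 4) | b);
                in += 3;
                continue;
            }
        }
        /* Plain byte: widened, high byte is always 0x00. */
        out[n++] = (uint16_t)(unsigned char)*in++;
    }
    return n;
}

/* Encode a 32-bit value as two %uXXXX escapes, low word first, so the two
 * decoded wide characters form the value in little-endian (x86) memory
 * order. Constructed helper for this example. */
void encode_u32_as_u_escapes(uint32_t value, char *buf, size_t buflen) {
    snprintf(buf, buflen, "%%u%04x%%u%04x",
             (unsigned)(value & 0xffff), (unsigned)(value >> 16));
}

/* Read the 32-bit little-endian value formed by two consecutive wide
 * characters, the way the CPU would read a pointer stored there. */
uint32_t read_le32_from_wide(const uint16_t *w, size_t i) {
    return (uint32_t)w[i] | ((uint32_t)w[i + 1] << 16);
}

/* Round trip: encode a value, push it through the widening decoder, and
 * return what a pointer read at that spot would yield. */
uint32_t roundtrip_pointer(uint32_t value) {
    char enc[32];
    uint16_t wide[8];
    encode_u32_as_u_escapes(value, enc, sizeof enc);
    size_t n = decode_url_widen(enc, wide, 8);
    return n == 2 ? read_le32_from_wide(wide, 0) : 0;
}

/* What a single input unit (plain byte, %XX or %uXXXX) becomes. */
uint16_t widen_single_unit(const char *url_fragment) {
    uint16_t wide[4];
    size_t n = decode_url_widen(url_fragment, wide, 4);
    return n == 1 ? wide[0] : 0xffff;
}

int main(void) {
    uint16_t wide[16];
    size_t n = decode_url_widen("AB%41", wide, 16);
    printf("plain bytes widen to:");
    for (size_t i = 0; i < n; i++)
        printf(" %02x %02x", wide[i] & 0xff, wide[i] >> 8);
    printf("\n");

    char enc[32];
    encode_u32_as_u_escapes(0x41424344u, enc, sizeof enc);
    printf("%s decodes to pointer 0x%08x\n", enc, roundtrip_pointer(0x41424344u));
    return 0;
}
```

The point to take from the round trip is the word order: because each %uXXXX escape becomes one 16-bit character stored low byte first, the low half of the address must be sent first for the two characters to read back as the intended 32-bit pointer.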
Conclusion
Security holes can be elusive and hard to define. The fact is that even with
source code it can sometimes be difficult to distinguish safe, harmless code
from dangerous security vulnerabilities. Still, when you know what type of
problems you’re looking for and you have certain code areas that you know
are high risk, it is definitely possible to estimate whether a given function is
safe or not by reversing it. All it takes is an understanding of the system and
what makes code safe or unsafe.
If you’ve never been exposed to the world of security and hacking, I hope
that this chapter has served as a good introduction to the topic. Still, this barely
scratches the surface. There are thousands of articles online and dozens of
books on these subjects. One good place to start is Phrack, the online magazine
at http://www.phrack.org. Phrack is a remarkable resource of attack and exploitation
techniques, and offers a wealth of highly technical articles on a variety of
hacking-related topics. In any case, I urge you to experiment with these concepts
on your own, either by reversing live code from well-known vulnerabilities
or by experimenting with your own code.
Auditing Program Binaries 271