0xbffff9a3: 0xe8 0x0f 0x48 0x65 0x6c 0x6c 0x6f 0x2c
0xbffff9ab: 0x20 0x77 0x6f 0x72 0x6c 0x64 0x21 0x0a
0xbffff9b3: 0x0d 0x59 0xb8 0x04 0xbb 0x01 0xba 0x0f
0xbffff9bb: 0xcd 0x80 0xb8 0x01 0xbb 0xcd 0x80 0x00
(gdb) quit
root@hacking:/home/reader/booksrc # hexdump -C helloworld1
00000000 e8 0f 00 00 00 48 65 6c 6c 6f 2c 20 77 6f 72 6c |.....Hello, worl|
00000010 64 21 0a 0d 59 b8 04 00 00 00 bb 01 00 00 00 ba |d!..Y...........|
00000020 0f 00 00 00 cd 80 b8 01 00 00 00 bb 00 00 00 00 |................|
00000030 cd 80 |..|
00000032
root@hacking:/home/reader/booksrc #
Once GDB is loaded, the disassembly style is switched to Intel. Since we
are running GDB as root, the .gdbinit file won't be used. The memory where
the shellcode should be is examined. The instructions look incorrect, but it
seems like the first incorrect call instruction is what caused the crash. At least,
execution was redirected, but something went wrong with the shellcode bytes.
Normally, strings are terminated by a null byte, but here, the shell was kind
enough to remove these null bytes for us. This, however, totally destroys the
meaning of the machine code. Often, shellcode will be injected into a process
as a string, using functions like strcpy(). Such functions will simply terminate
at the first null byte, producing incomplete and unusable shellcode in memory.
In order for the shellcode to survive transit, it must be redesigned so it
doesn't contain any null bytes.
0x523 Removing Null Bytes
Looking at the disassembly, it is obvious that the first null bytes come from
the call instruction.
reader@hacking:~/booksrc $ ndisasm -b32 helloworld1
00000000 E80F 000000 call 0x14
00000005 48 dec eax
00000006 656C gs insb
00000008 6C insb
00000009 6F outsd
0000000A 2C20 sub al,0x20
0000000C 776F ja 0x7d
0000000E 726C jc 0x7c
00000010 64210A and [fs:edx],ecx
00000013 0D59B80400 or eax,0x4b859
00000018 0000 add [eax],al
0000001A BB01000000 mov ebx,0x1
0000001F BA0F000000 mov edx,0xf
00000024 CD80 int 0x80
00000026 B801000000 mov eax,0x1
0000002B BB00000000 mov ebx,0x0
00000030 CD80 int 0x80
reader@hacking:~/booksrc $
This instruction jumps execution forward by 19 (0x13) bytes, based on the
first operand. The call instruction allows for much longer jump distances,
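Both observations above (a string-copying function stops at the first 0x00, and a call's 32-bit operand pads a small displacement out with zero bytes) can be checked mechanically before a blob is ever used. The following C program is an added example, not code from the book: it embeds the helloworld1 bytes exactly as hexdump printed them, copies them with a real strcpy() to see how many bytes survive, decodes the E8 rel32 call the way ndisasm does, and counts the zero bytes in the encoding. The function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* helloworld1 bytes as hexdump -C shows them on the page (0x32 = 50 bytes). */
static const unsigned char helloworld1[] = {
    0xe8, 0x0f, 0x00, 0x00, 0x00,                  /* call 0x14            */
    'H', 'e', 'l', 'l', 'o', ',', ' ',
    'w', 'o', 'r', 'l', 'd', '!', 0x0a, 0x0d,      /* the 15-byte string   */
    0x59,                                          /* pop ecx              */
    0xb8, 0x04, 0x00, 0x00, 0x00,                  /* mov eax,0x4          */
    0xbb, 0x01, 0x00, 0x00, 0x00,                  /* mov ebx,0x1          */
    0xba, 0x0f, 0x00, 0x00, 0x00,                  /* mov edx,0xf          */
    0xcd, 0x80,                                    /* int 0x80             */
    0xb8, 0x01, 0x00, 0x00, 0x00,                  /* mov eax,0x1          */
    0xbb, 0x00, 0x00, 0x00, 0x00,                  /* mov ebx,0x0          */
    0xcd, 0x80,                                    /* int 0x80             */
};

/* Count the 0x00 bytes in a blob: the figure a null-byte audit must drive to zero. */
size_t count_null_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x00)
            n++;
    return n;
}

/* Copy the blob with a real strcpy() and report how many bytes arrive.
 * If the blob contains no null byte at all, strcpy() would read past it,
 * so we report the full length instead of calling it. */
size_t bytes_copied_by_strcpy(const unsigned char *buf, size_t len)
{
    char dst[256];
    if (len >= sizeof dst || memchr(buf, 0x00, len) == NULL)
        return len;
    memset(dst, 0xcc, sizeof dst);               /* visible filler, then overwrite */
    strcpy(dst, (const char *)buf);              /* stops at the first 0x00 */
    return strlen(dst);
}

/* Decode a 5-byte E8 rel32 call at offset off: target = off + 5 + rel32,
 * where rel32 is a little-endian signed displacement.  Returns -1 when there
 * is no complete call instruction at that offset (targets here are >= 0). */
long call_target(const unsigned char *buf, size_t len, size_t off)
{
    if (off + 5 > len || buf[off] != 0xe8)
        return -1;
    int32_t rel = (int32_t)((uint32_t)buf[off + 1]
                          | (uint32_t)buf[off + 2] << 8
                          | (uint32_t)buf[off + 3] << 16
                          | (uint32_t)buf[off + 4] << 24);
    return (long)(off + 5) + rel;
}

/* How many of the four rel32 bytes are zero for a given displacement: a small
 * forward jump such as 0x0f is encoded as 0f 00 00 00, so three of them are. */
int null_bytes_in_rel32(int32_t rel)
{
    uint32_t u = (uint32_t)rel;
    int n = 0;
    for (int i = 0; i < 4; i++)
        if (((u >> (8 * i)) & 0xff) == 0)
            n++;
    return n;
}

int main(void)
{
    size_t len = sizeof helloworld1;
    printf("null bytes in blob       : %zu\n", count_null_bytes(helloworld1, len));
    printf("bytes strcpy() delivers  : %zu\n", bytes_copied_by_strcpy(helloworld1, len));
    printf("call at offset 0 targets : 0x%lx\n", call_target(helloworld1, len, 0));
    printf("zero bytes in rel32 0x0f : %d\n", null_bytes_in_rel32(0x0f));
    return 0;
}
```

Run as written, the program reports that strcpy() delivers only the first two bytes (e8 0f) of the 50, that the call at offset 0 lands at 0x14 just as ndisasm showed, and that three of the four operand bytes are zero; the 19 null bytes it counts are exactly the ones the shell stripped in the GDB memory dump above.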