So, to make socket system calls on Linux, EAX is always 102 for
socketcall(), EBX contains the type of socket call, and ECX is a pointer to
the socket call's arguments. The calls themselves are simple enough, but some of them
require a sockaddr structure, which the shellcode must build itself. Debugging
the compiled C code is the most direct way to look at this structure in memory.
reader@hacking:~/booksrc $ gcc -g bind_port.c
reader@hacking:~/booksrc $ gdb -q ./a.out
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) list 18
13 sockfd = socket(PF_INET, SOCK_STREAM, 0);
14
15 host_addr.sin_family = AF_INET; // Host byte order
16 host_addr.sin_port = htons(31337); // Short, network byte order
17 host_addr.sin_addr.s_addr = INADDR_ANY; // Automatically fill with my IP.
18 memset(&(host_addr.sin_zero), '\0', 8); // Zero the rest of the struct.
19
20 bind(sockfd, (struct sockaddr *)&host_addr, sizeof(struct sockaddr));
21
22 listen(sockfd, 4);
(gdb) break 13
Breakpoint 1 at 0x804849b: file bind_port.c, line 13.
(gdb) break 20
Breakpoint 2 at 0x80484f5: file bind_port.c, line 20.
(gdb) run
Starting program: /home/reader/booksrc/a.out
Breakpoint 1, main () at bind_port.c:13
13 sockfd = socket(PF_INET, SOCK_STREAM, 0);
(gdb) x/5i $eip
0x804849b <main+23>: mov DWORD PTR [esp+8],0x0
0x80484a3 <main+31>: mov DWORD PTR [esp+4],0x1
0x80484ab <main+39>: mov DWORD PTR [esp],0x2
0x80484b2 <main+46>: call 0x8048394 <socket@plt>
0x80484b7 <main+51>: mov DWORD PTR [ebp-12],eax
(gdb)
The first breakpoint is just before the socket call happens, since we
need to check the values of PF_INET and SOCK_STREAM. All three arguments are
placed on the stack (with mov instructions rather than push) in reverse order. This means
PF_INET is 2 and SOCK_STREAM is 1.
(gdb) cont
Continuing.
Breakpoint 2, main () at bind_port.c:20
20 bind(sockfd, (struct sockaddr *)&host_addr, sizeof(struct sockaddr));
(gdb) print host_addr
$1 = {sin_family = 2, sin_port = 27002, sin_addr = {s_addr = 0},
sin_zero = "\000\000\000\000\000\000\000"}
(gdb) print sizeof(struct sockaddr)
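To make the structure and the socketcall() calling convention concrete, here is an added example in C; it is not the book's bind_port.c and not part of the original page. It builds the same host_addr the program above fills in before bind(), dumps the sixteen bytes that gdb is displaying, and fills the three-long argument arrays that ECX would point at for the socket and bind socketcalls. The dispatch numbers SC_SOCKET=1 and SC_BIND=2 are the i386 <linux/net.h> values (defined locally here so the file builds anywhere), and the descriptor value 3 handed to bind_call_args is a constructed sample. It also explains why gdb printed sin_port = 27002: 31337 is 0x7a69, htons() stores it as the bytes 7a 69, and reading those two bytes back as a little-endian short gives 0x697a, which is 27002.

```c
/* Added example (not from the book): build the sockaddr_in that the shellcode
 * must construct, dump its raw bytes, and lay out the argument arrays that
 * socketcall() expects ECX to point at.  Constants follow i386 Linux. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* socketcall() dispatch numbers as in <linux/net.h> on i386 (defined locally). */
#define SC_SOCKET 1
#define SC_BIND   2
#define SC_LISTEN 4
#define NR_SOCKETCALL 102   /* the EAX value from the text */

/* Fill the same structure the C program builds before bind(). */
struct sockaddr_in build_host_addr(unsigned short port)
{
    struct sockaddr_in host_addr;
    host_addr.sin_family = AF_INET;           /* host byte order (2 on Linux) */
    host_addr.sin_port = htons(port);         /* short, network byte order */
    host_addr.sin_addr.s_addr = INADDR_ANY;   /* 0.0.0.0, kernel picks the IP */
    memset(host_addr.sin_zero, '\0', sizeof host_addr.sin_zero); /* zero the rest */
    return host_addr;
}

/* Copy the struct's raw bytes into out; returns bytes written (16 on Linux), 0 if cap is too small. */
size_t sockaddr_bytes(const struct sockaddr_in *addr, unsigned char *out, size_t cap)
{
    size_t n = sizeof *addr;
    if (n > cap) return 0;
    memcpy(out, addr, n);
    return n;
}

/* The length argument bind() is given: sizeof(struct sockaddr). */
size_t sockaddr_size(void) { return sizeof(struct sockaddr); }

/* The three longs ECX points at for socketcall(SC_SOCKET, args):
 * socket(PF_INET, SOCK_STREAM, 0). */
void socket_call_args(long args[3])
{
    args[0] = PF_INET;      /* 2 on Linux */
    args[1] = SOCK_STREAM;  /* 1 on x86 Linux */
    args[2] = 0;            /* protocol: let the kernel choose */
}

/* The three longs ECX points at for socketcall(SC_BIND, args):
 * bind(sockfd, (struct sockaddr *)addr, sizeof(struct sockaddr)). */
void bind_call_args(long args[3], int sockfd, const struct sockaddr_in *addr)
{
    args[0] = sockfd;
    args[1] = (long)(const void *)addr;   /* pointer to the struct the shellcode built */
    args[2] = (long)sizeof(struct sockaddr);
}

/* sin_port read back as a plain short: the number gdb prints for sin_port. */
unsigned short port_as_stored(const struct sockaddr_in *addr)
{
    return addr->sin_port;
}

int main(void)
{
    struct sockaddr_in host_addr = build_host_addr(31337);
    unsigned char raw[sizeof host_addr];
    size_t n = sockaddr_bytes(&host_addr, raw, sizeof raw);
    long args[3];

    printf("sizeof(struct sockaddr) = %zu\n", sockaddr_size());
    printf("sin_port as stored = %u (htons(31337) = 0x%04x)\n",
           port_as_stored(&host_addr), htons(31337));
    printf("raw bytes:");
    for (size_t i = 0; i < n; i++) printf(" %02x", raw[i]);
    printf("\n");

    socket_call_args(args);
    printf("EAX=%d EBX=%d ECX->{%ld, %ld, %ld}\n",
           NR_SOCKETCALL, SC_SOCKET, args[0], args[1], args[2]);
    bind_call_args(args, 3, &host_addr);   /* 3 is a constructed sample descriptor */
    printf("EAX=%d EBX=%d ECX->{%ld, &host_addr, %ld}\n",
           NR_SOCKETCALL, SC_BIND, args[0], args[2]);
    return 0;
}
```

Build it with gcc -m32 on the same Linux box if you want the pointer in the bind argument block to be the 4-byte value the i386 kernel reads; the struct layout and the byte dump are identical on 64-bit, and the first two bytes of the dump (the family, stored in host order) and the next two (the port, stored in network order) are exactly what gdb's print host_addr is summarizing.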