In previous chapters, we've written exploit code in C and manually exploited vulnerabilities from the command line. The fine line between an exploit program and an exploit tool is a matter of finalization and reconfigurability. Exploit programs are more like guns than tools. Like a gun, an exploit program has a singular utility and the user interface is as simple as pulling a trigger. Both guns and exploit programs are finalized products that can be used by unskilled people with dangerous results. In contrast, exploit tools usually aren't finished products, nor are they meant for others to use. With an understanding of programming, it's only natural that a hacker would begin to write his own scripts and tools to aid exploitation. These personalized tools automate tedious tasks and facilitate experimentation. Like conventional tools, they can be used for many purposes, extending the skill of the user.
0x631 tinywebd Exploit Tool
For the tinyweb daemon, we want an exploit tool that allows us to experiment with the vulnerabilities. As in the development of our previous exploits, GDB is used first to figure out the details of the vulnerability, such as offsets. The offset to the return address will be the same as in the original tinyweb.c program, but a daemon program presents added challenges. The daemon() call forks the process, running the rest of the program in the child process, while the parent process exits. In the output below, a breakpoint is set after the daemon() call, but the debugger never hits it.
reader@hacking:~/booksrc $ gcc -g tinywebd.c
reader@hacking:~/booksrc $ sudo gdb -q ./a.out
warning: not using untrusted file "/home/reader/.gdbinit"
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) list 47
42
43      if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int)) == -1)
44              fatal("setting socket option SO_REUSEADDR");
45
46      printf("Starting tiny web daemon.\n");
47      if(daemon(1, 1) == -1) // Fork to a background daemon process.
48              fatal("forking to daemon process");
49
50      signal(SIGTERM, handle_shutdown); // Call handle_shutdown when killed.
51      signal(SIGINT, handle_shutdown);  // Call handle_shutdown when interrupted.
(gdb) break 50
Breakpoint 1 at 0x8048e84: file tinywebd.c, line 50.
(gdb) run
Starting program: /home/reader/booksrc/a.out
Starting tiny web daemon.
Program exited normally.
(gdb)
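The breakpoint is never reached because GDB stays attached to the parent, and the parent exits as soon as daemon() has forked; the child that keeps running line 50 is not under the debugger. One way around this, shown here as an added example rather than a session from the book, is to tell GDB to follow the child across the fork before running. The script assumes the same build as above (./a.out compiled with -g from tinywebd.c) and that GDB is started under sudo so the daemon can bind its port; the script file name is a placeholder.

```gdb
# Added example (not from the book): GDB commands to debug past daemon(1, 1).
# Assumes ./a.out was built with "gcc -g tinywebd.c".
# Usage:  sudo gdb -q -x follow_child.gdb ./a.out    (follow_child.gdb is a placeholder name)

# By default GDB keeps debugging the parent after a fork. The parent side of
# daemon() exits immediately, so any breakpoint placed after the call never fires.
set follow-fork-mode child

# Let go of the parent once the fork happens (this is the default); the child
# becomes the only inferior GDB controls.
set detach-on-fork on

# Same breakpoint as the session above, just after the daemon() call.
break tinywebd.c:50

run
# Execution now stops in the forked child at line 50, under a new PID.
# Confirm which process GDB is attached to:
info inferiors
# Show the current frame; offsets found from here apply to the running daemon.
bt
```

With follow-fork-mode set to child, "Breakpoint 1, main () at tinywebd.c:50" appears instead of "Program exited normally", and the rest of the investigation (finding the return-address offset) can proceed against the process that actually serves requests.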