When run under strace, the notetaker binary's setuid bit is not honored (the kernel does not grant setuid privileges to a process that is being traced), so the process runs as the ordinary user and does not have permission to open the data file. That doesn't matter here; the point of the trace is only to confirm that the arguments reaching the open() system call match the arguments passed to the open() call in the C source. Since they match, we can safely reuse the flag and mode values that the notetaker binary passes to open() as the arguments for the open() system call in our shellcode. The compiler has already done all the work of looking up the O_* defines and combining them with a bitwise OR operation; we just need to find those literal call arguments in the disassembly of the notetaker binary. Note that these numeric values are specific to this platform and build — the O_* constants differ between operating systems, so a binary compiled elsewhere may pass different numbers, and the disassembly should be checked again rather than assumed.
reader@hacking:~/booksrc $ gdb -q ./notetaker
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) set dis intel
(gdb) disass main
Dump of assembler code for function main:
0x0804875f <main+0>: push ebp
0x08048760 <main+1>: mov ebp,esp
0x08048762 <main+3>: sub esp,0x28
0x08048765 <main+6>: and esp,0xfffffff0
0x08048768 <main+9>: mov eax,0x0
0x0804876d <main+14>: sub esp,eax
0x0804876f <main+16>: mov DWORD PTR [esp],0x64
0x08048776 <main+23>: call 0x8048601 <ec_malloc>
0x0804877b <main+28>: mov DWORD PTR [ebp-12],eax
0x0804877e <main+31>: mov DWORD PTR [esp],0x14
0x08048785 <main+38>: call 0x8048601 <ec_malloc>
0x0804878a <main+43>: mov DWORD PTR [ebp-16],eax
0x0804878d <main+46>: mov DWORD PTR [esp+4],0x8048a9f
0x08048795 <main+54>: mov eax,DWORD PTR [ebp-16]
0x08048798 <main+57>: mov DWORD PTR [esp],eax
0x0804879b <main+60>: call 0x8048480 <strcpy@plt>
0x080487a0 <main+65>: cmp DWORD PTR [ebp+8],0x1
0x080487a4 <main+69>: jg 0x80487ba <main+91>
0x080487a6 <main+71>: mov eax,DWORD PTR [ebp-16]
0x080487a9 <main+74>: mov DWORD PTR [esp+4],eax
0x080487ad <main+78>: mov eax,DWORD PTR [ebp+12]
0x080487b0 <main+81>: mov eax,DWORD PTR [eax]
0x080487b2 <main+83>: mov DWORD PTR [esp],eax
0x080487b5 <main+86>: call 0x8048733 <usage>
0x080487ba <main+91>: mov eax,DWORD PTR [ebp+12]
0x080487bd <main+94>: add eax,0x4
0x080487c0 <main+97>: mov eax,DWORD PTR [eax]
0x080487c2 <main+99>: mov DWORD PTR [esp+4],eax
0x080487c6 <main+103>: mov eax,DWORD PTR [ebp-12]
0x080487c9 <main+106>: mov DWORD PTR [esp],eax
0x080487cc <main+109>: call 0x8048480 <strcpy@plt>
0x080487d1 <main+114>: mov eax,DWORD PTR [ebp-12]
0x080487d4 <main+117>: mov DWORD PTR [esp+8],eax
0x080487d8 <main+121>: mov eax,DWORD PTR [ebp-12]
0x080487db <main+124>: mov DWORD PTR [esp+4],eax
0x080487df <main+128>: mov DWORD PTR [esp],0x8048aaa
0x080487e6 <main+135>: call 0x8048490 <printf@plt>
0x080487eb <main+140>: mov eax,DWORD PTR [ebp-16]