big red flag. We could change the port to something that looks less suspicious;
however, simply having a webserver open outbound connections could be a
red flag by itself. A highly secure infrastructure might even have the firewall
set up with egress filters to prevent outbound connections. In these situations,
opening a new connection is either impossible or will be detected.
0x671 Socket Reuse
In our case, there's really no need to open a new connection, since we already
have an open socket from the web request. Since we're mucking around inside
the tinyweb daemon, with a little debugging we can reuse the existing socket
for the root shell. This prevents additional TCP connections from being
logged and allows exploitation in cases where the target host cannot open
outbound connections. Take a look at the source code from tinywebd.c
shown below.
Excerpt from tinywebd.c
   while(1) {  // Accept loop
      sin_size = sizeof(struct sockaddr_in);
      new_sockfd = accept(sockfd, (struct sockaddr *)&client_addr, &sin_size);
      if(new_sockfd == -1)
         fatal("accepting connection");

      handle_connection(new_sockfd, &client_addr, logfd);
   }
   return 0;
}

/* This function handles the connection on the passed socket from the
 * passed client address and logs to the passed FD. The connection is
 * processed as a web request, and this function replies over the connected
 * socket. Finally, the passed socket is closed at the end of the function.
 */
void handle_connection(int sockfd, struct sockaddr_in *client_addr_ptr, int logfd) {
   unsigned char *ptr, request[500], resource[500], log_buffer[500];
   int fd, length;

   length = recv_line(sockfd, request);
Unfortunately, the sockfd passed to handle_connection() will inevitably be
overwritten in the process of overwriting logfd, since it is an argument stored
on the stack below logfd, in the path of the overflow. This overwrite happens
before we gain control of the program in the shellcode, so there's no way to
recover the previous value of sockfd. Luckily, main() keeps another copy of the
socket's file descriptor in new_sockfd.
reader@hacking:~/booksrc $ ps aux | grep tinywebd
root       478  0.0  0.0   1636   420 ?        Ss   23:24   0:00 ./tinywebd
reader    1284  0.0  0.0   2880   748 pts/1    R+   23:42   0:00 grep tinywebd
reader@hacking:~/booksrc $ gcc -g tinywebd.c
reader@hacking:~/booksrc $ sudo gdb -q --pid=478 --symbols=./a.out
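Because the reused socket opens no new TCP connection, neither the firewall nor a connection log has anything to show; the artifact left on the host is a shell whose standard descriptors point at a socket instead of a tty. The following is an added host-side check, not code from the book or from tinywebd; it assumes the reused socket was attached to the shell's fds 0-2 and reads /proc on Linux, with a constructed snapshot (SAMPLE) for offline use.

```python
import os
import re

SOCKET_RE = re.compile(r"^socket:\[\d+\]$")   # link target of a socket fd
SHELL_NAMES = {"sh", "bash", "dash", "zsh"}

def suspicious_shells(procs):
    """Return sorted pids of shells whose fd 0, 1 or 2 is a socket.
    procs maps pid -> {"comm": str, "fds": {fdnum: link_target}}."""
    flagged = []
    for pid, info in procs.items():
        if info["comm"] not in SHELL_NAMES:
            continue  # the web server itself legitimately holds sockets
        if any(SOCKET_RE.match(str(info["fds"].get(n, ""))) for n in (0, 1, 2)):
            flagged.append(pid)
    return sorted(flagged)

def read_proc(root="/proc"):
    """Snapshot comm and the fd 0-2 link targets of every readable pid."""
    procs = {}
    for entry in os.listdir(root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{root}/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited or is not readable
        fds = {}
        for n in (0, 1, 2):
            try:
                fds[n] = os.readlink(f"{root}/{pid}/fd/{n}")
            except OSError:
                pass  # fd closed, or another user's process without root
        procs[pid] = {"comm": comm, "fds": fds}
    return procs

# Constructed snapshot: pid 478 is the daemon, 1290 an interactive shell on a
# pty, and 1301 a hypothetical child shell wired to the daemon's socket.
SAMPLE = {
    478: {"comm": "tinywebd", "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}},
    1290: {"comm": "bash", "fds": {0: "/dev/pts/1", 1: "/dev/pts/1", 2: "/dev/pts/1"}},
    1301: {"comm": "sh", "fds": {0: "socket:[23456]", 1: "socket:[23456]", 2: "socket:[23456]"}},
}

if __name__ == "__main__":
    print("constructed snapshot:", suspicious_shells(SAMPLE))  # [1301]
    print("this host:", suspicious_shells(read_proc()))
```

Run it as root to see other users' descriptors; a legitimate interactive shell shows /dev/pts/N on fds 0-2, so only shells wired to a socket are reported.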