Hacking - The Art of Exploitation, 2nd Edition
Shellcode 287 In shellcode, the bytes for the string "Hello, world!" must be mixed together with the bytes for the assembly inst ...
288 0x500 mov edx, 15 ; Length of the string int 0x80 ; Do syscall: write(1, string, 14) ; void _exit(int status); mov eax, 1 ; ...
Shellcode 289 reader@hacking:~/booksrc $ export SHELLCODE=$(cat helloworld1) reader@hacking:~/booksrc $ ./getenvaddr SHELLCODE . ...
290 0x500 0xbffff9a3: 0xe8 0x0f 0x48 0x65 0x6c 0x6c 0x6f 0x2c 0xbffff9ab: 0x20 0x77 0x6f 0x72 0x6c 0x64 0x21 0x0a 0xbffff9b3: 0x ...
Shellcode 291 which means that a small value like 19 will have to be padded with leading zeros resulting in null bytes. One way ...
292 0x500 00000029 6F outsd 0000002A 2C20 sub al,0x20 0000002C 776F ja 0x9d 0000002E 726C jc 0x9c 00000030 64210A and [fs:edx],e ...
Shellcode 293 The next few instructions, like the mov instruction, have two operands. They all do simple arithmetic and bitwise ...
294 0x500 comprises 80 percent of the code. Subtracting any value from itself also produces 0 and doesn’t require any static d ...
Shellcode 295 After assembling this shellcode, hexdump and grep are used to quickly check it for null bytes. reader@hacking:~/bo ...
296 0x500 passed as environment to the new program. Both argv and envp must be terminated by a null pointer. The argument vector ...
Shellcode 297 exec_shell.s BITS 32 jmp short two ; Jump down to the bottom for the call trick. one: ; int execve(const char *fil ...
298 0x500 sh-3.2# whoami root sh-3.2# This shellcode, however, can be shortened to less than the current 45 bytes. Since shellco ...
Shellcode 299 reader@hacking:~/booksrc $ nasm tiny_shell.s reader@hacking:~/booksrc $ wc -c tiny_shell 25 tiny_shell reader@hack ...
300 0x500 drop_privs.c #include <unistd.h> void lowered_privilege_function(unsigned char *ptr) { char buffer[50]; seteuid( ...
Shellcode 301 int setresuid(uid_t ruid, uid_t euid, uid_t suid); int setresgid(gid_t rgid, gid_t egid, gid_t sgid); DESCRIPTION ...
302 0x500 0x532 And Smaller Still A few more bytes can ...
Shellcode 303 push BYTE 11 ; push 11 to the stack. pop eax ; pop the dword of 11 into eax. push ecx ; push some nulls for string ...
304 0x500 sin_size = sizeof(struct sockaddr_in); new_sockfd = accept(sockfd, (struct sockaddr *)&client_addr, &sin_size) ...
Shellcode 305 So, to make socket system calls using Linux, EAX is always 102 for socketcall(), EBX contains the type of socket c ...
306 0x500 $2 = 16 (gdb) x/16xb &host_addr 0xbffff780: 0x02 0x00 0x7a 0x69 0x00 0x00 0x00 0x00 0xbffff788: 0x00 0x00 0x00 0x0 ...