Hacking - The Art of Exploitation, 2nd Edition
Chapter 0x600: Countermeasures (truncated page previews)

p. 327: if(fd == -1) { // If file is not found strcat(log_buffer, " 404 Not Found\n"); send_string(sockfd, "HTTP/1.0 ...
p. 328: This daemon program forks into the background, writes to a log file with timestamps, and cleanly exits when it is kill ...
p. 329: In previous chapters, we’ve written exploit code in C and manually exploited vulnerabilities from the comman ...
p. 330: When the program is run, it just exits. In order to debug this program, GDB needs to be told to follow the child proce ...
p. 331: 63 if (listen(sockfd, 20) == -1) 64 fatal("listening on socket"); 65 66 while(1) { // Accept loop 67 sin_siz ...
p. 332: The debugger shows that the request buffer starts at 0xbffff5c0 and the stored return address is at 0xbffff7dc, which ...
p. 333: message. Shell variables are used for the offset and overwrite return address, so they can be easily changed ...
p. 334: 0x640 Log Files. One ...
p. 335: There’s a simple mistake in the tinyweb daemon’s source code that allows the request buffer to be truncated ...
p. 336: localhost [127.0.0.1] 80 (www) open reader@hacking:~/booksrc $ fg nc -l -p 31337 whoami root The connection used by th ...
p. 337: any program to show every system call it makes. In the output below, this is used to verify that the argumen ...
p. 338: When run through strace, the notetaker binary’s suid-bit isn’t used, so it doesn’t have permission to open the data fi ...
p. 339: 0x080487ee <main+143>: mov DWORD PTR [esp+8],eax 0x080487f2 <main+147>: mov eax,DWORD PTR [ebp-1 ...
p. 340: The shellcode opens a file to create it and then immediately closes the file. Finally, it calls exit to avoid an infin ...
p. 341: 0x08048f5f <main+460>: call 0x8048ac4 0x08048f64 <main+465>: nop 0x08048f65 <main+466>: m ...
p. 342: 0x08049307 <handle_connection+846>: mov DWORD PTR [esp+4],0x2 0x0804930f <handle_connection+854>: mov eax, ...
p. 343: push BYTE 0x6 ; Close () pop eax int 0x80 ; Close file. int3 ; zinterrupt one: call two db "/HackedX" To use ...
p. 344: Back in the debugging terminal, the first breakpoint is encountered. Some important stack registers are displayed, whi ...
p. 345: A quick glance at the function prologue for main() shows that EBP should be 0x68 bytes larger than ESP. Sinc ...
p. 346: shellcode: mark_restore (53 bytes) fake request: "GET / HTTP/1.1\x00" (15 bytes) [Fake Request (15 b)] [NOP (348 b)] [ ...