Hacking - The Art of Exploitation, 2nd Edition
Countermeasures 367 Amazingly, these instructions, combined with the AND eax instruction, are sufficient to build loader code th ...
368 0x600 reader@hacking:~/booksrc $ gdb -q (gdb) print 0 - 0x39393333 - 0x72727550 - 0x54545421 $1 = 860 (gdb) The goal is to s ...
369 ESP up (toward lower memory addresses) to the end of the newly pushed value, ready for the next four bytes o ...
370 printf("calculating printable values to subtract from EAX..\n\n"); t[3] = (targ & 0xff000000)>>24; // Splitt ...
371 reader@hacking:~/booksrc $ gcc -o printable_helper printable_helper.c reader@hacking:~/booksrc $ ./printable ...
372 push eax sub eax,0x25696969 sub eax,0x25786b5a sub eax,0x25774625 push eax ; EAX = 0xe3896e69 sub eax,0x366e5858 sub e ...
373 At the end, the shellcode has been built somewhere after the loader code, most likely leaving a gap between ...
374 0x080484b5 <update_product_description+13>: lea eax,[ebp-24] 0x080484b8 <update_product_description+16>: m ...
375 esp 0xbffffa2c 0xbffffa2c eax 0x0 0 (gdb) The first nine instructions add 860 to ESP and zero out the EAX re ...
376 (gdb) stepi 10 0xbffff9c4 in ?? () (gdb) x/24x 0xbffff9ba 0xbffff9ba: 0x50505050 0x50505050 0x50505050 0x50505050 0xbf ...
377 functions are shared, so any program that uses the printf() function directs execution into the appropriate ...
378 (gdb) break main Breakpoint 1 at 0x804837a (gdb) run Starting program: /home/matrix/booksrc/dummy Breakpoint 1, 0x0804 ...
379 A quick binary search shows that the return address is probably overwritten by the eighth word of the prog ...
380 aslr_demo.c #include <stdio.h> int main(int argc, char *argv[]) { char buffer[50]; printf("buffer is at %p\n", & ...
381 beginning of the buffer. When a program exits, the value returned from the main function is the exit status. ...
382 Trying offset of 13 words buffer is at 0xbfe0fd80 Trying offset of 14 words buffer is at 0xbfe03d70 Trying offset of 1 ...
383 The breakpoint is set at the last instruction of main. This instruction returns EIP to the return address st ...
384 Despite the randomization between runs, notice how similar the address in ESP is to the address of the buffer (shown i ...
385 Bouncing off linux-gate refers to a shared object, exposed by the kernel, which looks like a shared library. ...
386 find_jmpesp.c int main() { unsigned long linuxgate_start = 0xffffe000; char *ptr = (char *) linuxgate_start; int i; fo ...