Countermeasures 341
0x08048f5f <main+460>: call 0x8048ac4
0x08048f64 <main+465>: nop
0x08048f65 <main+466>: mov DWORD PTR [ebp-60],0x10
0x08048f6c <main+473>: lea eax,[ebp-60]
0x08048f6f <main+476>: mov DWORD PTR [esp+8],eax
0x08048f73 <main+480>: lea eax,[ebp-56]
0x08048f76 <main+483>: mov DWORD PTR [esp+4],eax
0x08048f7a <main+487>: mov eax,ds:0x804a970
0x08048f7f <main+492>: mov DWORD PTR [esp],eax
0x08048f82 <main+495>: call 0x80488d0 accept@plt
0x08048f87 <main+500>: mov DWORD PTR [ebp-12],eax
0x08048f8a <main+503>: cmp DWORD PTR [ebp-12],0xffffffff
0x08048f8e <main+507>: jne 0x8048f9c <main+521>
0x08048f90 <main+509>: mov DWORD PTR [esp],0x804962e
0x08048f97 <main+516>: call 0x8048ac4
0x08048f9c <main+521>: mov eax,ds:0x804a96c
0x08048fa1 <main+526>: mov DWORD PTR [esp+8],eax
0x08048fa5 <main+530>: lea eax,[ebp-56]
0x08048fa8 <main+533>: mov DWORD PTR [esp+4],eax
0x08048fac <main+537>: mov eax,DWORD PTR [ebp-12]
0x08048faf <main+540>: mov DWORD PTR [esp],eax
0x08048fb2 <main+543>: call 0x8048fb9
0x08048fb7 <main+548>: jmp 0x8048f65 <main+466>
End of assembler dump.
(gdb)
All three of these addresses basically go to the same place. Let’s
use 0x08048fb7, since this is the original return address used for the call to
handle_connection(). However, there are other things we need to fix first.
Look at the function prologue and epilogue for handle_connection(). These
are the instructions that set up and remove the stack frame structures on
the stack.
(gdb) disass handle_connection
Dump of assembler code for function handle_connection:
0x08048fb9 <handle_connection+0>: push ebp
0x08048fba <handle_connection+1>: mov ebp,esp
0x08048fbc <handle_connection+3>: push ebx
0x08048fbd <handle_connection+4>: sub esp,0x644
0x08048fc3 <handle_connection+10>: lea eax,[ebp-0x218]
0x08048fc9 <handle_connection+16>: mov DWORD PTR [esp+4],eax
0x08048fcd <handle_connection+20>: mov eax,DWORD PTR [ebp+8]
0x08048fd0 <handle_connection+23>: mov DWORD PTR [esp],eax
0x08048fd3 <handle_connection+26>: call 0x8048cb0
0x08048fd8 <handle_connection+31>: mov DWORD PTR [ebp-0x620],eax
0x08048fde <handle_connection+37>: mov eax,DWORD PTR [ebp+12]
0x08048fe1 <handle_connection+40>: movzx eax,WORD PTR [eax+2]
0x08048fe5 <handle_connection+44>: mov DWORD PTR [esp],eax
0x08048fe8 <handle_connection+47>: call 0x80488f0 ntohs@plt
.:[ output trimmed ]:.
0x08049302 <handle_connection+841>: call 0x8048850 write@plt