warning: not using untrusted file "/home/reader/.gdbinit"
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
Attaching to process 478
/cow/home/reader/booksrc/tinywebd: No such file or directory.
A program is being debugged already. Kill it? (y or n) n
Program not killed.
(gdb) list handle_connection
77 /* This function handles the connection on the passed socket from the
78 passed client address and logs to the passed FD. The connection is
79 processed as a web request, and this function replies over the connected
80 socket. Finally, the passed socket is closed at the end of the function.
81 */
82 void handle_connection(int sockfd, struct sockaddr_in client_addr_ptr, int logfd) {
83 unsigned char *ptr, request[500], resource[500], log_buffer[500];
84 int fd, length;
85
86 length = recv_line(sockfd, request);
(gdb) break 86
Breakpoint 1 at 0x8048fc3: file tinywebd.c, line 86.
(gdb) cont
Continuing.
After the breakpoint is set and the program continues, the silent exploit
tool is used from another terminal to connect and advance execution.
Breakpoint 1, handle_connection (sockfd=13, client_addr_ptr=0xbffff810, logfd=3) at tinywebd.c:86
86 length = recv_line(sockfd, request);
(gdb) x/x &sockfd
0xbffff7e0: 0x0000000d
(gdb) x/x &new_sockfd
No symbol "new_sockfd" in current context.
(gdb) bt
#0 handle_connection (sockfd=13, client_addr_ptr=0xbffff810, logfd=3) at tinywebd.c:86
#1 0x08048fb7 in main () at tinywebd.c:72
(gdb) select-frame 1
(gdb) x/x &new_sockfd
0xbffff83c: 0x0000000d
(gdb) quit
The program is running. Quit anyway (and detach it)? (y or n) y
Detaching from program: , process 478
reader@hacking:~/booksrc $
This debugging output shows that new_sockfd is stored at 0xbffff83c within
main’s stack frame. Using this, we can create shellcode that uses the socket
file descriptor stored here instead of creating a new connection.
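The address 0xbffff83c found in the debugger is specific to that one run of the process. The C program below is an added example, not code from the book or from tinywebd: a stand-in for main() keeps a local named new_sockfd (holding 13, the value seen in gdb) and passes its address to a stand-in for handle_connection(), while an outer function pads the stack by a varying amount, the way a bigger environment or argument list would. The function names and the padding sizes are constructed for the demo; it shows that the absolute stack address of new_sockfd moves between runs while its distance from the callee's frame stays the same.

```c
#include <alloca.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uintptr_t absolute;   /* where the caller's local actually sits   */
    ptrdiff_t relative;   /* its distance from a local in the callee  */
} layout_t;

/* Stand-in for handle_connection() (hypothetical name): measures how far
 * the caller's local is from this frame, i.e. a stack-relative offset. */
static __attribute__((noinline)) ptrdiff_t callee(int *caller_local) {
    volatile int marker = 0;                 /* a local in this frame */
    return (char *)caller_local - (char *)&marker;
}

/* Stand-in for main(): keeps new_sockfd (13, as seen in gdb) in its own
 * frame and hands its address down to the callee. */
static __attribute__((noinline)) layout_t caller(void) {
    volatile int new_sockfd = 13;
    layout_t l;
    l.absolute = (uintptr_t)&new_sockfd;
    l.relative = callee((int *)&new_sockfd);
    return l;
}

/* Pads the stack above caller()'s frame by `pad` bytes, the way a larger
 * environment or argument list would, so every frame below it moves. */
static __attribute__((noinline)) layout_t run_with_shift(size_t pad) {
    volatile char *filler = alloca(pad);
    filler[0] = 0;                           /* keep the allocation alive */
    return caller();
}

/* 1 if two differently shifted runs disagree on the absolute address of
 * new_sockfd but agree on the relative offset, 0 otherwise. */
int relative_offset_is_stable(void) {
    layout_t a = run_with_shift(64);         /* constructed pad sizes */
    layout_t b = run_with_shift(1088);
    return a.absolute != b.absolute && a.relative == b.relative;
}

int main(void) {
    layout_t a = run_with_shift(64), b = run_with_shift(1088);
    printf("absolute: %#lx vs %#lx, relative: %td vs %td\n",
           (unsigned long)a.absolute, (unsigned long)b.absolute, a.relative, b.relative);
    return relative_offset_is_stable() ? 0 : 1;
}
```

The absolute addresses printed differ by roughly the padding, which is why a value copied from a single gdb session cannot be relied on; the relative figure is the one that survives.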
While we could just use this address directly, there are many little things
that can shift stack memory around. If this happens and the shellcode is using
a hard-coded stack address, the exploit will fail. To make the shellcode more
reliable, take a cue from how the compiler handles stack variables. If we use
an address relative to ESP, then even if the stack shifts around a bit, the address