root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gcc -g -fno-stack-protector -z execstack -o tinywebd tinywebd.c
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# sudo chown root ./tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# sudo chown root ./tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# sudo chmod u+s ./tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./webserver_id 127.0.0.1
The web server for 127.0.0.1 is Tiny webserver
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ps ax | grep tinywebd
2588 ? Ss 0:00 ./tinywebd
2597 pts/1 S+ 0:00 grep --color=auto tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# kill 2588
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ps ax | grep tinywebd
2599 pts/1 S+ 0:00 grep --color=auto tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# cat /var/log/tinywebd.log
09/08/2013 14:38:09> Starting up..
09/08/2013 14:38:29> From 127.0.0.1:45041 "HEAD / HTTP/1.0" 404 Not Found
09/08/2013 14:39:10> Shutting down..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#
Bis auf wenige andere Speicheradressen kommt ihr auf das gleiche Ergebnis; bei mir ist es so, dass das Verzeichnis vom Tinyweb-Server leer ist. Keine Angst, es geht hier nur um den Zugriff.
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q ./tinywebd
Reading symbols from /home/tomovic/Dokumente/hack/tinywebd...done.
(gdb) list 47
42
43 if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int)) == -1)
44 fatal("setting socket option SO_REUSEADDR");
45
46 printf("Starting tiny web daemon..\n");
47 if(daemon(1, 0) == -1) // fork to a background daemon process
48 fatal("forking to daemon process");
49
50 signal(SIGTERM, handle_shutdown); // call handle_shutdown when killed
51 signal(SIGINT, handle_shutdown); // call handle_shutdown when interrupted
(gdb) break 50
Haltepunkt 1 at 0x8048e35: file tinywebd.c, line 50. ← Die Adresse ist ok :-)
(gdb) run
Starting program: /home/tomovic/Dokumente/hack/tinywebd
Starting tiny web daemon..
[Inferior 1 (process 2623) exited normally]
Ich finde es gut, dass das Buch den Leser öfters ins Messer laufen lässt. :-)
(gdb) set follow-fork-mode child
(gdb) help set follow-fork-mode
Set debugger response to a program call of fork or vfork.
A fork or vfork creates a new process. follow-fork-mode can be:
parent - the original process is debugged after a fork
child - the new process is debugged after a fork
The unfollowed process will continue to run.
By default, the debugger will follow the parent process.
(gdb) run
Starting program: /home/tomovic/Dokumente/hack/tinywebd
Starting tiny web daemon..
[New process 2629]
[Switching to process 2629]
Breakpoint 1, main () at tinywebd.c:50
50 signal(SIGTERM, handle_shutdown); // call handle_shutdown when killed
(gdb) quit
A debugging session is active.
Inferior 2 [process 2629] will be killed.
Quit anyway? (y or n) y
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ps ax | grep tinywebd
2627 ? Ss 0:00 /home/tomovic/Dokumente/hack/tinywebd
2635 pts/1 S+ 0:00 grep --color=auto tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# kill 2627
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ps ax | grep tinywebd
2638 pts/1 S+ 0:00 grep --color=auto tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ps ax | grep tinywebd
2640 ? Ss 0:00 ./tinywebd
2642 pts/1 S+ 0:00 grep --color=auto tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q-pid=2640 --symbols=./tinywebd
gdb: Unbekannte Option »-q-pid=2640«
Use `gdb --help' for a complete list of options.
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q -pid=2640 --symbols=./tinywebd
Reading symbols from /home/tomovic/Dokumente/hack/tinywebd...done.
Attaching to process 2640
Load new symbol table from "/home/tomovic/Dokumente/hack/tinywebd"? (y or n) n
Nicht bestätigt.
(gdb) bt
#0 0xb7fdd424 in ?? ()
#1 0xb7e2f935 in ?? () ← #2 fehlt, das ist ok so.
(gdb) list 68
63 if (listen(sockfd, 20) == -1)
64 fatal("listening on socket");
65
66 while(1) { // Accept loop
67 sin_size = sizeof(struct sockaddr_in);
68 new_sockfd = accept(sockfd, (struct sockaddr *)&client_addr, &sin_size);
69 if(new_sockfd == -1)
70 fatal("accepting connection");
71
72 handle_connection(new_sockfd, &client_addr, logfd);
(gdb) list handle_connection
77 /* This function handles the connection on the passed socket from the
78 * passed client address and logs to the passed FD. The connection is
79 * processed as a web request and this function replies over the connected
80 * socket. Finally, the passed socket is closed at the end of the function.
81 */
82 void handle_connection(int sockfd, struct sockaddr_in *client_addr_ptr, int logfd) {
83 unsigned char *ptr, request[500], resource[500], log_buffer[500];
84 int fd, length;
85
86 length = recv_line(sockfd, request);
(gdb) break 86
Haltepunkt 1 at 0x8048f80: file tinywebd.c, line 86.
(gdb) cont
Continuing.
Breakpoint 1, handle_connection (sockfd=5, client_addr_ptr=0xbffff6f8, logfd=3) at tinywebd.c:86
86 length = recv_line(sockfd, request);
(gdb) bt
#0 handle_connection (sockfd=5, client_addr_ptr=0xbffff6f8, logfd=3) at tinywebd.c:86
#1 0x08048f73 in main () at tinywebd.c:72
(gdb) x/x request
0xbffff4c0: 0x30314d2c
(gdb) x/16x request + 500
0xbffff6b4: 0xb7ff2990 0xbffff6f8 0xbffff728 0xb7fc5000
0xbffff6c4: 0x00000000 0xbffff728 0x08048f73 0x00000005
0xbffff6d4: 0xbffff6f8 0x00000003 0xbffff718 0x00000004
0xbffff6e4: 0x08048990 0x00000000 0x08048711 0xb7fc53e4
(gdb) info frame ← Damit kann man die Returnadresse herausfinden.
Stack level 0, frame at 0xbffff6d0:
eip = 0x8048f80 in handle_connection (tinywebd.c:86); saved eip 0x8048f73 ← Das ist eure Returnadresse
called by frame at 0xbffff730
source language c.
Arglist at 0xbffff6c8, args: sockfd=5, client_addr_ptr=0xbffff6f8, logfd=3
Locals at 0xbffff6c8, Previous frame's sp is 0xbffff6d0
Saved registers:
ebx at 0xbffff6c0, ebp at 0xbffff6c8, edi at 0xbffff6c4, eip at 0xbffff6cc
Couldn't read extended state status: Kein passendes Gerät gefunden.
(gdb) x/x 0xbffff6c4 +8
0xbffff6cc: 0x08048f73
(gdb) p /x 0xbffff6cc - 0xbffff4c0 (Speicheradresse von ret – Request Anfang)
$2 = 0x20c
(gdb) p 0xbffff6cc - 0xbffff4c0 (Speicheradresse von ret – Request Anfang)
$3 = 524
(gdb) p /x 0xbffff4c0 + 100 ( Request Anfang + 100 No's)
$4 = 0xbffff524
(gdb) quit
A debugging session is active.
Wenn ihr das Prinzip verstanden habt, dann braucht ihr kein Buch.