handouts/ho03.tex
changeset 399 6d552ef3b435
parent 397 93affa1ebd6f
child 400 f05368d007dd
398:b183036ba675 399:6d552ef3b435
   410 \noindent These characters represent the machine code for
   410 \noindent These characters represent the machine code for
   411 opening a shell. It seems obtaining such a string requires
   411 opening a shell. It seems obtaining such a string requires
   412 ``higher-education'' in the architecture of the target system.
   412 ``higher-education'' in the architecture of the target system.
   413 But it is actually relatively simple: First there are many
   413 But it is actually relatively simple: First there are many
   414 such strings ready-made---just a quick Google query away.
   414 such strings ready-made---just a quick Google query away.
       
   415 A nice selection of ready-made shell-codes can be found 
       
   416 for example at
       
   417 
       
   418 \begin{center}
       
   419 \url{http://shellblade.net/shellcode.html}
       
   420 \end{center}
       
   421 
       
   422 
   415 Second, tools like the debugger can help us again. We can just
   423 Second, tools like the debugger can help us again. We can just
   416 write the code we want in C, for example this would be the
   424 write the code we want in C, for example this would be the
   417 program for starting a shell:
   425 program for starting a shell:
   418 
   426 
   419 \lstinputlisting[language=C,numbers=none]{../progs/shell.c} 
   427 \lstinputlisting[language=C,numbers=none]{../progs/shell.c} 
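Review bot: The inserted sentence at new lines 415-416 writes "shell-codes", while the rest of this handout (new line 460, "the shellcode we want to run") uses the unhyphenated "shellcode"; suggest "A nice selection of ready-made shellcode can be found for example at" so the term is spelled one way throughout. The sentence also repeats "ready-made" from the line immediately before it (new line 414, "such strings ready-made"); "A nice selection can be found for example at" would avoid the repetition. Finally, the \url{} points at a plain http:// page that the handout now depends on; consider recording when the link was last checked, since students will follow it.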
   448 
   456 
   449 Having removed the zero-bytes we can craft the string that
   457 Having removed the zero-bytes we can craft the string that
   450 will be send to the target computer. This of course requires
   458 will be send to the target computer. This of course requires
   451 that the buffer we are trying to attack can at least contain
   459 that the buffer we are trying to attack can at least contain
   452 the shellcode we want to run. But as you can see this is only
   460 the shellcode we want to run. But as you can see this is only
   453 47 bytes, which is a very low bar to jump over. More
   461 47 bytes, which is a very low bar to jump over. Actually there
       
   462 are optimised versions which only need 24 bytes. More
   454 formidable is the choice of finding the right address to jump
   463 formidable is the choice of finding the right address to jump
   455 to. The string is typically of the form
   464 to. The string is typically of the form
   456 
   465 
   457 \begin{center}
   466 \begin{center}
   458   \begin{tikzpicture}[scale=0.6]
   467   \begin{tikzpicture}[scale=0.6]
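Review bot: The new claim at new lines 461-462, "Actually there are optimised versions which only need 24 bytes", gives no source for the 24-byte figure, whereas the 47-byte figure on the preceding line is backed by the listing the text just walked through; suggest either citing where the 24-byte version comes from or phrasing it as an aside, e.g. "There are also optimised versions that need only 24 bytes." Starting the sentence with "Actually" also reads oddly after "which is a very low bar to jump over". While touching this paragraph, the unchanged context at new line 458 still has the typo "will be send to the target computer" (should be "sent"), and "the choice of finding the right address" at new lines 462-463 would read better as "the task of finding the right address".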