write the code we want in C, for example this would be the
program for starting a shell:

\lstinputlisting[language=C,numbers=none]{../progs/shell.c}

\noindent Once compiled, we can use the debugger to obtain the
machine code, or even get the ready-made encoding as a character
sequence.
|
\lstinputlisting[language=C,numbers=none]{../progs/o2.c}

While not too difficult, obtaining this string is not entirely
trivial using \pcode{gdb}. Remember that the functions in C that
copy or fill buffers work such that they copy everything until
a zero byte is reached. Unfortunately the ``vanilla'' output
from the debugger for the shell program above contains such
zero bytes. So a post-processing phase is needed to rewrite
the machine code in a way that it does not contain any zero
bytes. This is like some works of literature that have been
written so that the letter e, for example, is avoided. The
technical term for such a literary work is
\emph{lipogram}.\footnote{The most famous example of a
lipogram is a 50,000-word novel titled Gadsby, see
\url{https://archive.org/details/Gadsby}, which avoids the
letter `e' throughout.} For rewriting the machine code, you
might need to use clever tricks like
pointer given at the end).

\begin{figure}[p]
\lstinputlisting[language=C]{../progs/C3.c}
\caption{Overwriting a buffer with a string containing a
payload. Lines 14 and 15 write the address of the buffer
into \pcode{large\_string}. The payload is copied in
Lines 17 and 18. Line 20 copies the (too large) string
into the buffer.\label{C3}}
\end{figure}
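As an added example (not code from these notes or from the \pcode{progs} directory), the following C program makes the two copy behaviours discussed above concrete: a strcpy-style copy stops at the first zero byte, which is why the machine code of the shell program has to be rewritten without zero bytes, and a copy that checks the destination size rejects an oversized input like the one in Figure~\ref{C3} instead of overwriting the buffer. The byte sequence and the buffer sizes are constructed for the demonstration only.

```c
#include <stddef.h>
#include <string.h>
/* strcpy-style copy: byte by byte until the first zero byte, with no regard for
 * how much room dst has (the srclen bound only stops this demo reading past src;
 * real strcpy keeps going until it meets a zero byte). Returns bytes copied. */
size_t copy_until_zero(unsigned char *dst, const unsigned char *src, size_t srclen)
{
    size_t n;
    for (n = 0; n < srclen && src[n] != 0; n++)
        dst[n] = src[n];
    return n;
}

/* Bounded copy: exactly srclen bytes, but only if they fit in dst (dstsize
 * bytes); returns 0 on success, -1 if the input would overflow dst, which is
 * then left untouched. With an explicit length a zero byte is just a byte. */
int copy_checked(unsigned char *dst, size_t dstsize, const unsigned char *src, size_t srclen)
{
    if (srclen > dstsize)
        return -1;
    memcpy(dst, src, srclen);
    return 0;
}

/* Constructed byte sequence standing in for machine code (not real shellcode);
 * it deliberately contains a zero byte at offset 3. */
static const unsigned char sample_code[] = { 0xaa, 0xbb, 0xcc, 0x00, 0xdd, 0xee };

/* Only the 3 bytes before the zero byte survive a strcpy-style copy, which is
 * why the machine code has to be rewritten without zero bytes. */
size_t bytes_surviving_strcpy(void)
{
    unsigned char dst[sizeof sample_code];
    return copy_until_zero(dst, sample_code, sizeof sample_code);
}

/* Checked copy into an 8-byte buffer: the 6-byte sample arrives whole (zero
 * byte included) and 6 is returned; a 16-byte filler string, like the
 * too-large string of Figure C3, is rejected and -1 comes back. */
int checked_copy_result(int oversize)
{
    unsigned char buffer[8], large[16];
    memset(large, 0x41, sizeof large);                 /* constructed 'A' bytes */
    if (oversize)
        return copy_checked(buffer, sizeof buffer, large, sizeof large);
    if (copy_checked(buffer, sizeof buffer, sample_code, sizeof sample_code) != 0)
        return -1;
    return memcmp(buffer, sample_code, sizeof sample_code) == 0 ? 6 : 0;
}
```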

By the way, you might now ask: how do attackers
find out about vulnerable systems in the first place? Well,
the automated version uses \emph{fuzzers}, which throw
\begin{itemize}
\item \texttt{(l)ist n} -- lists the source file from line
\texttt{n}; the number can be omitted
\item \texttt{disassemble fun-name} -- shows the assembly code
of a function
\item \texttt{info registers} -- prints out the current
content of all registers
\item \texttt{run args} -- starts the program; arguments
can be given
\item \texttt{(b)reak line-number} -- sets a breakpoint
\item \texttt{(c)ontinue} -- continues execution until the next
breakpoint
\item \texttt{x/nxw addr} -- prints out \texttt{n} words starting
from address \pcode{addr}; the address could be \code{$esp}
for looking at the content of the stack
\item \texttt{x/nxb addr} -- prints out \texttt{n} bytes
\item \texttt{q} -- quits the debugger
\end{itemize}


\bigskip\bigskip \noindent \end{document}
