Next, the main function allocates a function pointer called fp (simply a 4-byte integer that serves as an address pointer, used to point at a function). The function pointer is then set to the starting address of sc[]. Finally, the function (our shellcode) is executed.
Now compile and test the code:
$ gcc -o sc2 sc2.c
$ sudo chown root sc2
$ sudo chmod +s sc2
$ ./sc2
sh-2.05b# exit
exit
As expected, the same results are obtained. Congratulations, you can now write your own shellcode!
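The function-pointer trick described above, shown here as an added example that is not the book's sc2.c: the sc[] array is replaced by a benign x86 stub (mov eax, 42 ; ret) so the harness simply returns 42, and the bytes are copied into an explicitly executable mapping because on a modern Linux system a char array in .data or on the stack is non-executable and the bare cast-and-call faults. Assumed: Linux with mmap(2); the names stub, stub_supported and run_stub are this example's own.

```c
/* Added example: a shellcode test harness in the style the text describes,
 * with a constructed, benign stub in place of real shellcode.
 * Assumed: Linux with mmap(2). */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed stand-in for sc[]: "mov eax, 0x2a ; ret" (valid on i386 and x86-64). */
static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

/* The stub bytes only mean something on an x86 host. */
int stub_supported(void) {
#if defined(__x86_64__) || defined(__i386__)
    return 1;
#else
    return 0;
#endif
}

/* Copy the bytes into an executable page and call them through a function
 * pointer, exactly the fp trick from the text. Returns the stub's return
 * value, or -1 if the host is not x86 or the page could not be mapped. */
int run_stub(void) {
    if (!stub_supported())
        return -1;
    /* NX: the original "fp = (void *)sc; fp();" pattern faults when sc[]
     * lives in a non-executable segment, so an RWX mapping is used instead.
     * That a process needs writable+executable memory to do this is also
     * what makes such mappings worth alerting on from the defender's side. */
    void *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, stub, sizeof stub);
    /* Cast through uintptr_t: the book's "integer used as an address" view. */
    int (*fp)(void) = (int (*)(void))(uintptr_t)page;
    int result = fp();
    munmap(page, 4096);
    return result;
}

int main(void) {
    printf("stub returned %d\n", run_stub());  /* 42 on an x86 Linux host */
    return 0;
}
```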
Implementing Port-Binding Shellcode
As discussed in the last chapter, sometimes it is helpful to have your shellcode open a port and bind a shell to that port. This allows the attacker to no longer rely on the port that entry was gained on and provides a solid backdoor into the system.
Linux Socket Programming
Linux socket programming deserves a chapter to itself, if not an entire book. However, it turns out that there are just a few things you need to know to get off the ground.