
Hacking the art of exploitation – part 2


Document type: PDF
Pages: 198

0x500 SHELLCODE

So far, the shellcode used in our exploits has been just a string of copied and pasted bytes. We have seen standard shell-spawning shellcode for local exploits and port-binding shellcode for remote ones. Shellcode is also sometimes referred to as an exploit payload, since these self-contained programs do the real work once a program has been hacked. Shellcode usually spawns a shell, as that is an elegant way to hand off control; but it can do anything a program can do.

Unfortunately, for many hackers the shellcode story stops at copying and pasting bytes. These hackers are just scratching the surface of what's possible. Custom shellcode gives you absolute control over the exploited program. Perhaps you want your shellcode to [...] limited only by your imagination. In addition, writing shellcode develops assembly language skills and employs a number of hacking techniques worth knowing.

0x510 Assembly vs. C

The shellcode bytes are actually architecture-specific machine instructions, so shellcode is written using the assembly language. Writing a program in assembly is different than writing it in C, but many of the principles are similar. The operating system manages things like input, output, process control, file access, and network communication in the kernel. Compiled C programs ultimately perform these tasks by making system calls [...] portability. A C program that uses printf() to output a string can be compiled for many different systems, since the library knows the appropriate system calls for various architectures. A C program compiled on an x86 processor will produce assembly language. By definition, assembly language is already specific to a certain processor architecture, so portability is impossible. There are no standard libraries; instead, kernel system calls have to be made directly. To begin our comparison, let's write a simple C program, then rewrite it in x86 assembly.

helloworld.c

    #include <stdio.h>

    int main() {
        printf("Hello, world!\n");
        return 0;
    }

[...] write the string Hello, world! to the screen. The strace program is used to trace a program's system calls. Used on the compiled helloworld program, it shows every system call that program makes.

    reader@hacking:~/booksrc $ gcc helloworld.c
    reader@hacking:~/booksrc $ strace ./a.out
    execve("./a.out", ["./a.out"], [/* 27 vars */]) = 0
    brk(0) = 0x804a000
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef6000
    access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
    open("/etc/ld.so.cach[...]
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
    open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
    read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20Z\1\000"..., 512) = 512
    fstat64(3, {st_mode=S_IFREG|0755, st_size=1248904, ...}) = 0
    mmap2(NULL, 1258876, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7db3000
    mmap2(0xb7ee0000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12c) = 0xb7ee0000
    mmap2(0xb7ee4000, 9596, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ee4000
    close(3) = 0
    mmap2(NULL, 4096, PR[...]
    [...]2bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
    mprotect(0xb7ee0000, 8192, PROT_READ) = 0
    munmap(0xb7ee7000, 61323) = 0
    fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...}) = 0
    [...]
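As an added example (not code from the book or from the site hosting it), the two paths the passage contrasts can be put side by side in C: printf() going through the C library, and the same output produced by asking the kernel for the write system call by number, which is the only route open to shellcode since it carries no library of its own. It assumes a Linux host with glibc, where syscall() and SYS_write exist; the function names, the constructed message and the bad-descriptor check are this example's own.

```c
/* Added example, not from the book: "Hello, world!" through libc and through
 * a direct system call. Assumes Linux with glibc (syscall(), SYS_write). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed sample message; 14 bytes including the newline. */
static const char MSG[] = "Hello, world!\n";

/* Portable path: printf() hides the system call behind the C library, which
 * picks the right call for whatever platform this was compiled on.
 * Returns the number of characters written (14 here). */
int hello_libc(void)
{
    return printf("%s", MSG);
}

/* Direct path: request write(2) from the kernel by its number, with no
 * library code in between. This is the situation shellcode is in.
 * Returns the byte count the kernel reports, or -1 with errno set. */
long hello_raw(int fd)
{
    return syscall(SYS_write, fd, MSG, strlen(MSG));
}

/* Failure mode: the kernel signals an error as a negative return value; the
 * syscall() wrapper converts that into -1 plus errno. Returns the errno seen
 * when writing to a descriptor that is not open (expected: EBADF). */
int raw_write_error(void)
{
    errno = 0;
    if (syscall(SYS_write, -1, MSG, strlen(MSG)) == -1)
        return errno;
    return 0;
}

int main(void)
{
    hello_libc();
    hello_raw(STDOUT_FILENO);
    int err = raw_write_error();
    fprintf(stderr, "write to fd -1 -> errno %d (%s)\n", err, strerror(err));
    return 0;
}
```

Run the binary under strace as in the listing above and the libc path still ends in a single write(1, ...) line, while the raw path produces the same line with nothing between the program and the kernel. The error case is the part shellcode has to handle on its own: with no libc there is no errno, only the negative value the kernel returns.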
