CSC347H5 - Midterm Exam Guide - Comprehensive Notes for the exam (14 pages long!)

5 Oct 2017
Document Summary

With a shell they have general access to the system as the user of the target software.

shellcode.c:

    #include <unistd.h>              /* execve, NULL */

    void main() {
        char *name[2];
        name[0] = "/bin/sh";         /* program to execute */
        name[1] = NULL;              /* terminates the argv array */
        execve(name[0], name, NULL);
    }

Then run gdb on shellcode and disassemble main to see what gets pushed on the stack to call __execve:

    (gdb) disassemble main
    0x80481f9 : lea 0xfffffff8(%ebp),%eax # address of name
    End of assembler dump.
    (gdb)

Inside execve the stack looks like:

    ebp -> sfp
    ret                    (4)%ebp
    name[0]                (8)%ebp
    name                   (c)%ebp
    NULL (4 bytes of 0)    (10)%ebp

Then disassemble __execve to see how execve works:

    (gdb) disassemble __execve

    7(%esi) z       # 1 byte to be null termination of string
    8(%esi) xxxx    # 4 bytes address of /bin/sh "name[0]"
    c(%esi) yyyy    # 4 bytes null (long 0) "name[1]"

Solution: that is easy to fix; you can examine the bytes of shellcodeasm.c in gdb:

    void main() {
    .string "/bin/sh" # 8 bytes

    (gdb) x/bx main+3
