This is a simple introduction to get you warmed up. The return address is supplied in case your memory needs a jog :)
Hint: Storing your shellcode inside of the fix_path resolved buffer might
be a bad idea due to character restrictions due to realpath(). Instead, there
is plenty of room after the HTTP/1.1 that you can use that will be ideal (and
much larger).
| Option | Setting |
|---|---|
| Vulnerability Type | Stack |
| Position Independent Executable | No |
| Read only relocations | No |
| Non-Executable stack | No |
| Non-Executable heap | No |
| Address Space Layout Randomisation | No |
| Source Fortification | No |
#include "../common/common.c"
int fix_path(char *path)
{
char resolved[128];
if(realpath(path, resolved) == NULL) return 1;
// can't access path. will error trying to open
strcpy(path, resolved);
}
char *parse_http_request()
{
char buffer[1024];
char *path;
char *q;
printf("[debug] buffer is at 0x%08x :-)\n", buffer);
if(read(0, buffer, sizeof(buffer)) <= 0)
errx(0, "Failed to read from remote host");
if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");
path = &buffer[4];
q = strchr(path, ' ');
if(! q) errx(0, "No protocol version specified");
*q++ = 0;
if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");
fix_path(path);
printf("trying to access %s\n", path);
return path;
}
int main(int argc, char **argv, char **envp)
{
int fd;
char *p;
background_process(NAME, UID, GID);
fd = serve_forever(PORT);
set_io(fd);
parse_http_request();
}