6 private links
This article’s aim is to explain how a modern operating system makes it possible to use shared libraries with load-time relocation. It focuses on the Linux OS running on 32-bit x86, but the general principles apply to other OSes and CPUs as well.
Each code module in your shared library should define the GOT as an external symbol:
    extern _GLOBAL_OFFSET_TABLE_  ; in ELF
    extern __GLOBAL_OFFSET_TABLE_ ; in BSD a.out
At the beginning of any function in your shared library which plans to access your data or BSS sections, you must first calculate the address of the GOT. This is typically done by writing the function in this form:
    func:   push ebp
            mov ebp,esp
            push ebx
            call .get_GOT
    .get_GOT:
            pop ebx
            add ebx,_GLOBAL_OFFSET_TABLE_+$$-.get_GOT wrt ..gotpc
            ; the function body comes here
            mov ebx,[ebp-4]
            mov esp,ebp
            pop ebp
            ret
On i386, because of the dearth of general-purpose registers, the calling convention passes all arguments on the stack. This makes the va_arg implementation easy: a va_list is simply a pointer into the stack, and va_arg just adds the size of the type to be retrieved to the va_list and returns the old value. In fact, the i386 ABI reference simply specifies va_arg in terms of a single line of code:
On amd64, the problem is much more complicated. To start, amd64 specifies that up to 6 integer arguments and up to 8 floating-point arguments are passed to functions in registers, to take advantage of amd64's larger number of registers. So, for a start, va_arg will have to deal with the fact that some arguments may have been passed in registers, and some on the stack.
for i in $(objdump -d binary.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
There are several ways to obtain access to a local shell with a remote connection. The most common of all is to open a known port with a TCP socket and bind its stdout/stderr/stdin to a newly forked shell. This way we can connect from our computer with a simple netcat command. However, this doesn’t work well most of the time: most of the public-facing servers out there have only a few ports open to the outside world (like http(s), ftp, smtp, etc.) and the remaining inbound requests are usually filtered and dropped by iptables or firewalls.
The solution to this is to use a reverse bind for your local shell. A reverse bind is a simple operation that turns the client into a server and vice versa. Originally, you’d have opened a port on the target and waited for inbound connections (from your attacking machine). Reverse this and you’ll have an open connection on your own machine waiting for the target machine to connect; this turns the attacker into the receiver waiting for some poor victim to fall into the trap.
This is a list of assemblers: computer programs that translate ("assemble") assembly language source code into binary programs.
Online assembly disassembler.
Quick how to on nasm
Basic assembly language doc
Compile asm file with _start
ld -static -o hello -L$(gcc -print-file-name=) /usr/lib/crt1.o /usr/lib/crti.o hello.o /usr/lib/crtn.o -lc -lgcc
syscall list in x64
Minimalish assembly TCP HTTP server program for i386 Linux. It serves up files from the directory where you run it on port
.equiv port_number, 8086