
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

At that point our shellcode will be jumped into and executed. This staging and execution technique will serve as our attack vector for this exploit.

To find the location of such an opcode in an ELF (Linux) file, you may use Metasploit's msfelfscan tool.

As you can see, the "jmp esp" opcode exists in several locations in the file. You cannot use an opcode that contains a "00" byte, which rules out the third one. For no particular reason, we will use the second one: 0x0808ff97.

NOTE This opcode attack vector is not subject to stack randomization and is therefore a useful technique around that kernel defense.
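As an added illustration (not code from the book), the following Python audit checks a 32-bit x86 ELF for the exposure the note describes: it parses the ELF header and program headers, reports whether the image is position-independent (ET_DYN, so its text moves with ASLR along with the stack) and lists any "jmp esp" (FF E4) byte pairs that sit at fixed addresses in executable segments. `build_sample_elf` is an assumed helper that constructs a minimal test image; it is a fixture, not a real binary.

```python
import struct

JMP_ESP = b"\xff\xe4"          # x86 encoding of "jmp esp"
ET_EXEC, ET_DYN = 2, 3         # fixed-address executable vs position-independent (PIE)
PT_LOAD, PF_X = 1, 1


def audit_elf32(data: bytes) -> dict:
    """Report whether a 32-bit x86 ELF image offers fixed-address jmp esp trampolines.

    A PIE (ET_DYN) image is loaded at a randomized base, so any jmp esp inside it
    moves with ASLR; only ET_EXEC images keep the opcode at a stable address.
    """
    if data[:4] != b"\x7fELF" or data[4] != 1:      # EI_CLASS 1 == ELFCLASS32
        raise ValueError("not a 32-bit ELF image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    hits = []
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz, _, p_flags, _ = struct.unpack_from(
            "<IIIIIIII", data, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD or not (p_flags & PF_X):
            continue                                # only executable segments matter
        seg = data[p_offset:p_offset + p_filesz]
        pos = seg.find(JMP_ESP)
        while pos != -1:
            hits.append(p_vaddr + pos)              # file offset -> virtual address
            pos = seg.find(JMP_ESP, pos + 1)
    pie = e_type == ET_DYN
    return {"pie": pie,
            "fixed_jmp_esp": [] if pie else hits,
            "exposed": (not pie) and bool(hits)}


def build_sample_elf(e_type: int, text: bytes, base: int = 0x08048000) -> bytes:
    """Constructed minimal ELF32 with one executable PT_LOAD segment (assumed fixture layout)."""
    ehdr_size, phdr_size = 52, 32
    text_off = ehdr_size + phdr_size
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)      # ELFCLASS32, little-endian, v1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, base + text_off,
                               ehdr_size, 0, 0, ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, text_off, base + text_off, base + text_off,
                       len(text), len(text), PF_X | 4, 0x1000)
    return ehdr + phdr + text


if __name__ == "__main__":
    code = b"\x90\x90\xff\xe4\x90\xff\xe4"               # constructed bytes: two jmp esp pairs
    print(audit_elf32(build_sample_elf(ET_EXEC, code)))  # exposed: 0x8048056, 0x8048059
    print(audit_elf32(build_sample_elf(ET_DYN, code)))   # PIE: no fixed trampoline
```

Rebuilding the program as a PIE is the mitigation the note alludes to: the same bytes are still present, but their address is randomized on every run.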
Build the Exploit Sandwich
We could build our exploit sandwich from scratch, but it is worth noting that Metasploit has a module for PeerCast v0.1212. All we need to do is modify the module to add our newly found opcode (0x0808ff97) for PeerCast v0.1214.
Chapter 7: Basic Linux Exploits (Part III, page 167)
Test the Exploit
Restart the Metasploit console and load the new peercast module to test it.

Woot! It worked! After setting some basic options and exploiting, we gained root, dumped "id", then proceeded to show the top of the /etc/password file.