
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

You may also just press F9 and let the program
pause at the "\xcc". At that point, right-click on the eip register and select Follow in
Dump to view a hex memory dump of the shellcode. The easiest way to do this would be
to pull up your shellcode in a text window and reformat it by placing 8 bytes per line.
Then you can lay that text window alongside the debugger and visually inspect for differences
between what you sent and what resides in memory.
Gray Hat Hacking: The Ethical Hacker's Handbook
274
As you can see, in this case the byte just after "0x7F", the "0x0a" byte, was translated to
"0x00" and probably caused the rest of the damage. To test this theory, regenerate
shellcode and designate the "0x0a" byte as a badchar.
Modify the attack script and repeat the debugging process until the exploit successfully
completes and you can connect to a shell on port 4444.
NOTE You may have to repeat this process of looking for bad characters
many times until your code executes properly. In general, you will want to
exclude all white space chars: 0x00, 0x20, 0x0a, 0x0d, 0x1b, 0x0b, 0x0c.
When this works successfully in the debugger, you may remove the "\xcc" from your
shellcode (best to just replace it with a "\x90" to keep the current alignment) and try again.
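The side-by-side comparison described above can be done mechanically instead of by eye. The following is an added example, not code from the book: it lays the sent bytes and the bytes recovered from the debugger's memory dump out 8 bytes per line, flags the first row that differs, and reports the byte at the first divergence as the candidate bad character. The SENT and SEEN buffers are constructed sample data modelled on the 0x0a-to-0x00 case the text describes.

```python
# Added example (not from the book): compare the shellcode bytes you sent
# with the bytes recovered from the debugger's memory dump and report the
# first position where they diverge, which points at the candidate bad char.

def first_divergence(sent: bytes, seen: bytes):
    """Return (offset, sent_byte, seen_byte) of the first mismatch, or None.

    Only the first mismatch is meaningful: once one byte is mangled or
    dropped, everything after it is usually shifted or corrupted too,
    as the text describes for the 0x0a -> 0x00 case.
    """
    for i, (a, b) in enumerate(zip(sent, seen)):
        if a != b:
            return (i, a, b)
    if len(seen) < len(sent):
        # The copy in memory was truncated (e.g. a byte acted as a terminator).
        return (len(seen), sent[len(seen)], None)
    return None

def side_by_side(sent: bytes, seen: bytes, width: int = 8) -> str:
    """Lay both buffers out `width` bytes per line, flagging rows that differ."""
    rows = []
    for off in range(0, max(len(sent), len(seen)), width):
        a = sent[off:off + width]
        b = seen[off:off + width]
        flag = "   " if a == b else "<--"
        rows.append(f"{off:04x}  {a.hex(' '):<23}  |  {b.hex(' '):<23} {flag}")
    return "\n".join(rows)

def suggest_badchars(sent: bytes, seen: bytes, known=(0x00,)) -> set:
    """Known bad chars plus the sent byte at the first divergence."""
    bad = set(known)
    hit = first_divergence(sent, seen)
    if hit is not None:
        bad.add(hit[1])
    return bad

# Constructed sample: a short stage with 0x7f followed by 0x0a, and the copy
# the target kept, where 0x0a became 0x00 and the later bytes were damaged.
SENT = bytes([0x90, 0x90, 0x31, 0xc0, 0x7f, 0x0a, 0x41, 0x42, 0x43, 0x44])
SEEN = bytes([0x90, 0x90, 0x31, 0xc0, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    print(side_by_side(SENT, SEEN))
    print("first divergence:", first_divergence(SENT, SEEN))
    print("exclude:", sorted(f"0x{b:02x}" for b in suggest_badchars(SENT, SEEN)))
```

Feed the real buffers in by pasting the dump from Follow in Dump into SEEN; each pass adds one byte to the exclusion set, so expect to repeat it, as the NOTE says.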

