Metasploit mailing list archives
demo code needed for starting ...
From: hdm at metasploit.com (H D Moore)
Date: Mon, 17 Oct 2005 10:23:04 -0500
On Monday 17 October 2005 10:26, Daniel Renaud wrote:
> Can someone send me a clue or some new demo code that I can try ?

Red Hat does annoying things to their glibc that make return-to-stack exploits a bit different. The return address you want should be on the stack somewhere; the one you tried (main()) is in the .text of the executable.

To get the offset into the buffer, use patternOffset.pl:

    $ perl sdk/patternOffset.pl 0x41346341

This should print out 72, or 76, etc.

To get your return address, you will need to examine the stack memory area with gdb:

    Program received signal SIGSEGV, Segmentation fault.
    0x080486a6 in main ()
    (gdb) x/200 esp-256
    [ large block of data ]

Keep hitting enter until you see the nop sled start. This might be difficult if RandomNops are enabled (they are by default), so disable them from the msf prompt:

    $ msf exploit_name (payload) > set RandomNops 0
    $ msf exploit_name (payload) > save

If the stack address keeps changing, you will need to find another way to get back to your shellcode. You can do it windows-style by bouncing off your executable's .text segment (msfelfscan -f ./vuln1 -j esp, etc).

Hope this helps,

-HD
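As an added illustration (not HD Moore's code and not the Metasploit patternOffset.pl script itself), here is a Python reimplementation of the cyclic-pattern offset lookup described above, assuming the standard Metasploit pattern layout (Aa0Aa1Aa2...): an integer argument is treated as the little-endian word seen in the crashing register, and the value from the message, 0x41346341, resolves to offset 72.

```python
import string
import struct

# Full Metasploit-style pattern: 26 upper x 26 lower x 10 digits x 3 bytes.
MAX_PATTERN_LEN = 26 * 26 * 10 * 3  # 20280


def pattern_create(length=MAX_PATTERN_LEN):
    """Build a cyclic pattern of `length` bytes (Aa0Aa1Aa2...Ab0...).

    Each 3-byte unit is <upper><lower><digit>, with the digit changing
    fastest, so any 4-byte window is unique within the full pattern.
    """
    units = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                units.append(upper + lower + digit)
                if len(units) * 3 >= length:
                    return "".join(units)[:length]
    return "".join(units)[:length]


def pattern_offset(value, length=MAX_PATTERN_LEN):
    """Return the offset of `value` inside the pattern, or None if absent.

    `value` is either an int read from a register after the crash
    (e.g. 0x41346341), interpreted as a little-endian 32-bit word, or a
    str such as "Ac4A". None means the register did not come from this
    pattern (e.g. a frame pointer or a partially overwritten value).
    """
    pattern = pattern_create(length)
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii", errors="replace")
    else:
        needle = value
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    # Constructed input: the register value quoted in the message above.
    print(pattern_offset(0x41346341))  # 72
```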