Lab 4: Shellcode?

Lesson:

Ok, we can see 2 interesting things here: ESP starts at the 5th character of our pattern, and not the first character

Why?

When a function is called, the first thing it does is pushes the return pointer (EIP) on to the stack
Then it goes to the address of the function
The function (in this case strcpy()), when it RET’s, it will pop the 4 bytes from the stack for that return pointer
- See if this is true in example.exe… does EIP get pushed to the stack, and does RET pop it?
When we go back, then it pops the first 4 bytes
- Can we this in our padding example? Try it… does 1ABCDEFG go to EIP?
When we RET to the start of a function, then we’re not pushing the return pointer on to the stack
We then have to forge this return pointer, i.e. PADD (the missing 4 characters)
If we gave this the address to the exit() function, the program would close gracefully rather than an exception being thrown
NOTE: After the pattern string, we see “A’s” These A’s most likely belong to the first part of the buffer (26064 A’s), so we may also be able to put our shellcode in the first part of the buffer (before overwriting RET)…

Step 1 – Locate which register contains our “shellcode”
Step 2 – Create pattern
Step 3 – Run executable, transfer crash_[sid].m3u to target, and run it in the debugger
Step 4 – Review pattern
- Look at register previously identified
- What is weird about our pattern?
Step 4 – Fix code so that pattern starts at beginning
Step 5 – Run executable, transfer crash_[sid].m3u to target, and run it in the debugger
Step 6 – Verify that ESP is now displaying the full pattern
Step 7 – Write down what the memory location of the beginning of this pattern

Last updated 4 years ago

Was this helpful?