Usage: ./exploit.sh | nc hackme.cs.ru.nl 2288

You start with control over the input. Send EOF (Ctrl+D) to send the exploit. Input control is then returned to you. Note that the shell will not echo a prompt; just try some commands.

If the exploit does not work out of the box, use the initial input control to send a format string (50 times %p). Get the desired return address from the output: it is the 8 bytes before the stored frame pointer, 16 bytes before the current return address, in "int ret", right behind the buffer, which is now recognizable by the run of 0x7025702570257025. Change the return address in genretaddr.sh and run genexploit.sh to generate the new exploit. Note that the return address tends to drift, even with ASLR turned off; see genretaddr.sh for details.

If the shellcode must be altered, do so in genshellcode.sh. If this also means the padding must be altered, change the number of NOPs in genexploit.sh (the first loop). If necessary, also change the number of copies of the return address in genexploit.sh (the second loop).

If you need more than a single try in one session (e.g. when ASLR is turned on), change exploit.sh to use the commented loop instead of `cat - exploit -`.