Metasploit mailing list archives

FW: SDK Questions


From: bazarova at anz.com (Bazarov, Alexey)
Date: Thu, 12 Aug 2004 17:04:56 +1000

Well,

It is not a big deal, sure that in the real world it has never happened, but at least in my presentation for my team I
will be able to demonstrate a full cycle of the exploit development process with a working exploit :))

Just some plays with gdb:

1) start gdb "vuln_1"

2) disas main

3) get the address of the first line, in my case it is 0x0804 84D0 (should be the same, as I know the ELF structure?)

4) break *0x0804 84D0

5) run

6) gdb gets stopped almost immediately

7) info reg, looking for the value of EBP, it is always different - 0xBFFF E708

8) add 16 bytes to this address (it seems that 8 bytes should be OK, but I didn't test it yet) = 0xBFFF E718

9) continue gdb

10) use this address to change the corresponding value in the exploit module

11) start metasploit

12) configure the exploit with payload and target

13) exploit - yes! we are in

Thank you guys 

Alex
