Metasploit mailing list archives

demo code needed for starting ...


From: hdm at metasploit.com (H D Moore)
Date: Mon, 17 Oct 2005 10:23:04 -0500

On Monday 17 October 2005 10:26, Daniel Renaud wrote:
> Can someone send me a clue or some new demo code that I can try?

Red Hat does annoying things to their glibc that make return-to-stack 
exploits a bit different. The return address you want should be on the 
stack somewhere, the one you tried (main()) is in the .text of the 
executable. 

To get the offset into the buffer, use patternOffset.pl:
$ perl sdk/patternOffset.pl 0x41346341

This should print out 72, or 76, etc.

To get your return address, you will need to examine the stack memory area 
with gdb:

Program received signal SIGSEGV, Segmentation fault.
0x080486a6 in main ()
(gdb) x/200x $esp-256
[ large block of data ]

Keep hitting enter until you see the nop sled start. This might be 
difficult if RandomNops are enabled (they are by default), so disable 
them from the msf prompt:

$ msf exploit_name (payload) > set RandomNops 0
$ msf exploit_name (payload) > save

If the stack address keeps changing, you will need to find another way to 
get back to your shellcode. You can do it windows-style by bouncing off 
your executable's .text segment (msfelfscan -f ./vuln1 -j esp, etc)

Hope this helps,

-HD
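The offset lookup that the patternOffset.pl step above performs, as an added Python example (not Metasploit's own code): it regenerates the Aa0Aa1Aa2... cyclic pattern used by the SDK scripts and locates the crashed register value in it, trying little-endian and then big-endian byte order. The 20280-byte default length and the 0x41346341 value are taken from the exchange above.

```python
import string
import struct

# One full cycle: 26 upper * 26 lower * 10 digits triplets of 3 bytes each.
FULL_CYCLE = 26 * 26 * 10 * 3  # 20280 bytes


def pattern_create(length):
    """Cyclic pattern in the style of Metasploit's patternCreate.pl.

    Each (upper, lower, digit) triplet is unique, so any 4-byte window of the
    pattern occurs at exactly one offset within a single cycle.
    """
    triplets = (u + l + d
                for u in string.ascii_uppercase
                for l in string.ascii_lowercase
                for d in string.digits)
    buf = "".join(triplets)
    if length > len(buf):
        raise ValueError("pattern longer than one cycle (%d bytes)" % len(buf))
    return buf[:length]


def pattern_offset(value, length=FULL_CYCLE):
    """Offset of a faulting 32-bit register value within the pattern.

    `value` is either an int (e.g. 0x41346341 from the SIGSEGV) or the
    4-character string it spells. Integers are tried little-endian first
    (x86 stack order) and then big-endian, as the original tool does.
    Returns the byte offset into the buffer, or None if not found.
    """
    pattern = pattern_create(length)
    if isinstance(value, int):
        candidates = [struct.pack("<I", value).decode("latin-1"),
                      struct.pack(">I", value).decode("latin-1")]
    else:
        candidates = [value]
    for needle in candidates:
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return None


if __name__ == "__main__":
    # The value HD quotes from the crash; the reply says this should print 72.
    print(pattern_offset(0x41346341))
```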
