Ethical Hacking and Penetration Testing Guide
Determining the Offset
Now that we can control the EIP register, our next goal would be to determine the exact number of bytes of our buffer that crashes the stack and then starts to overwrite the EIP register. This will also help us determine the amount of space we have to insert our malicious code. In Metasploit we have two great tools called pattern_create.rb and pattern_offset.rb that would help us determine the exact offset. Both of the tools can be found in the /pentest/exploits/framework/tools directory.

We will use the ./pattern_create.rb 700 command to generate a string of nonrepeating characters.

Windows Exploit Development Basics

We will now feed this string inside of our buffer variable and send it to the application and then copy the value of the EIP register, which is 69413269, and feed it inside the pattern_offset tool to determine the offset.

This is what the code looks like:

Upon feeding the address of the EIP register to the pattern_offset tool, we determine that the offset is 247, which means that our EIP gets overwritten after 247 characters of data.

Let's confirm this. We would need to slightly modify our Python code. We first send 247 Bs, which would smash the stack; after that we write 4 Bs in the EIP register followed by 400 Cs.

Restart the server by pressing the thunderbolt button at the top and then click the "Play" button to start the application again and then execute the code. Here is what the output would look like:
We can see that our EIP has been successfully overwritten with 42424242, which is the hex equivalent for four Bs; also, we can see that the ESP register contains the Cs that we sent.
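The following is an added example, not code from the book or from Metasploit: a small Python reimplementation of what pattern_create.rb and pattern_offset.rb compute, so the two steps above (mapping the observed EIP value back to an offset, then confirming the offset with a B/C buffer) can be checked offline without the debugger. The function names (pattern_create, pattern_offset, value_at, confirmation_buffer) are my own; the only value taken from the page is the observed EIP 69413269, and the example reproduces the page's result of offset 247 and the 42424242 reading for four Bs. Nothing here talks to a target; it only builds byte strings and decodes them the way the CPU does.

```python
import string

# Sample register value taken from the page: the EIP value observed after
# sending the 700-byte pattern.  Everything else here is constructed.
OBSERVED_EIP = "69413269"
PATTERN_LENGTH = 700


def pattern_create(length):
    """Build the same non-repeating pattern that pattern_create.rb emits.

    The pattern is the sequence of 3-character triples Aa0, Aa1, ..., Aa9,
    Ab0, ..., Zz9, truncated to `length`.  No triple repeats, so any 4-byte
    window is unique and can be mapped back to its position.
    """
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    raise ValueError("pattern_create supports lengths up to 20280 bytes")


def value_at(buf, offset):
    """Hex string of the 32-bit little-endian value in buf[offset:offset+4].

    This mirrors what the debugger shows in EIP when those four bytes are
    popped by the function's RET: on x86 the lowest-addressed byte becomes
    the least significant byte of the register.
    """
    chunk = buf[offset:offset + 4]
    if len(chunk) != 4:
        raise ValueError("offset %d leaves fewer than 4 bytes" % offset)
    return "%08x" % int.from_bytes(chunk, "little")


def pattern_offset(register_value, length=PATTERN_LENGTH):
    """Reproduce pattern_offset.rb: map a register value back to its offset.

    `register_value` is the hex string read from the debugger (with or
    without a 0x prefix).  Returns -1 if the value does not occur in the
    pattern, which usually means the register was not overwritten by the
    pattern at all.
    """
    value = int(register_value, 16)
    # Undo the little-endian load: the register's low byte is the byte that
    # sat at the lowest address in the buffer.
    try:
        needle = value.to_bytes(4, "little").decode("ascii")
    except UnicodeDecodeError:
        return -1  # non-ASCII bytes can never come from the pattern
    return pattern_create(length).find(needle)


def confirmation_buffer(offset, eip_marker=b"B", tail=400):
    """Build the layout the text uses to confirm the offset.

    `offset` bytes of filler, then 4 marker bytes that should land in EIP,
    then `tail` bytes of C that should be reachable through ESP.
    """
    return b"B" * offset + eip_marker * 4 + b"C" * tail


if __name__ == "__main__":
    offset = pattern_offset(OBSERVED_EIP)
    print("EIP %s maps to offset %d" % (OBSERVED_EIP, offset))
    buf = confirmation_buffer(offset)
    print("bytes %d..%d of the confirmation buffer give EIP = %s"
          % (offset, offset + 3, value_at(buf, offset)))
```

Running it prints offset 247 for 69413269, and value_at on the confirmation buffer at 247 returns 42424242, which is exactly the pair of readings the text reports from the debugger. A -1 from pattern_offset is worth handling in practice: it means the value in the register did not come from the pattern, so the crash is not a simple linear overwrite and the offset reasoning above does not yet apply.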