Windows Exploit Development Basics ◾ 279
We will now feed this string inside of our buffer variable and send it to the application, then copy the value of the EIP register, which is 69413269, and feed it into pattern_offset to determine the offset. This is what the code looks like:
Upon feeding the address of the EIP register to the pattern_offset tool, we determine that the offset is 247, which means that our EIP gets overwritten after 247 characters of data.
Let’s confirm this. We would need to slightly modify our Python code. We first send 247 Bs, which would smash the stack; after that we write 4 Bs in the EIP register followed by 400 Cs.
Restart the server by pressing the thunderbolt button at the top and then click the “Play” button to start the application again, then execute the code. Here is what the output would look like:
280 ◾ Ethical Hacking and Penetration Testing Guide
We can see that our EIP has been successfully overwritten with 42424242, which is the hex equivalent of four Bs; also, we can see that the ESP register contains the Cs that we sent.
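The two steps above (finding the offset from the EIP value, then checking the 247/4/400 layout) can be reproduced offline. The following Python is an added example, not code from the book: it re-implements what Metasploit's pattern_create and pattern_offset do, takes the EIP value quoted in the text (69413269), and only computes byte offsets; it does not talk to any application. The function names and the 5000-byte default length are assumptions for this example.

```python
# Added example (not from the book): reproduces the pattern_create / pattern_offset
# computation for the EIP value 69413269 quoted in the text, and checks the
# 247 + 4 + 400 byte layout described afterwards. Purely local; nothing is sent.
import string
import struct


def pattern_create(length: int) -> bytes:
    """Build the classic cyclic pattern Aa0Aa1Aa2... of exactly `length` bytes.

    Every 3-byte group (Upper, lower, digit) is unique within the first
    26*26*10*3 = 20,280 bytes, which is why a 4-byte window (the value that
    lands in EIP) pins down a single offset.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("requested length exceeds the 20,280-byte unique pattern")


def pattern_offset(eip_hex: str, length: int = 5000) -> int:
    """Return the offset at which the bytes shown in EIP occur in the pattern.

    The debugger displays EIP as a little-endian dword, so the hex string is
    packed back into memory order before searching. Returns -1 when not found.
    """
    # "69413269" -> 0x69413269 -> b"i2Ai" as laid out in memory
    marker = struct.pack("<I", int(eip_hex, 16))
    return pattern_create(length).find(marker)


def build_confirmation_buffer(offset: int) -> bytes:
    """The confirmation layout from the text: `offset` filler bytes, 4 bytes that
    land in EIP, then 400 bytes that end up where ESP points.
    Using B for both filler and the EIP slot mirrors the text (EIP reads 42424242).
    """
    return b"B" * offset + b"B" * 4 + b"C" * 400


def eip_value_at(buf: bytes, offset: int) -> str:
    """Hex string a debugger would show for the dword stored at `offset`."""
    (value,) = struct.unpack("<I", buf[offset:offset + 4])
    return f"{value:08x}"


if __name__ == "__main__":
    off = pattern_offset("69413269")
    print(f"pattern_offset: {off}")                       # 247, as in the text
    buf = build_confirmation_buffer(off)
    print(f"EIP would read {eip_value_at(buf, off)}")     # 42424242
    print(f"bytes after EIP: {buf[off + 4:off + 8]!r}")   # b'CCCC', the ESP data
```

Note the little-endian step: the four bytes at offset 247 of the pattern are `i2Ai`, and a debugger on x86 shows them reversed as 69413269. Searching for the hex string as written (`69 41 32 69`) would miss, which is the most common reason pattern_offset reports no match.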