114
Chapter 8
Figure 8-1: Examples of multiple NOPs that create the NOP slide
In the example in Figure 8-2, notice the last instruction set, which is a C3. That is the last instruction set in our bind shell that we need.
After that C3, press F2, which sets up another breakpoint. Now we're ready to roll and see what happens. Go back to the very top, where you added your NOPs, and press F7, which tells the debugger to execute the next assembly command, stepping into your next assembly instruction. Notice that the highlight moves down one line. Nothing happened because you added a NOP.
Next, press F7 a few times to walk down the NOP slide. When you first arrive at the memory instructions, open up a command prompt and type netstat -an. Nothing should be listening on 443, and this is a good sign that your payload hasn't executed yet.
Press F5 to continue running the rest of the application until it reaches the breakpoint that you set. You should see the breakpoint indicated in the lower-left corner of the Immunity Debugger window. At this point, you have executed your payload within the debugger, and you should now be able to check netstat -an and notice port 443 listening.
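The before/after netstat -an comparison above is exactly the kind of check a defender automates to catch an unexpected listener appearing on a host. The following script is an added example, not code from the book: it parses two netstat -an snapshots (the sample output is constructed, not captured from a real machine) and reports which TCP ports started listening between them. It handles both the Windows LISTENING and Linux LISTEN spellings of the state column.

```python
"""Spot new TCP listeners by diffing two ``netstat -an`` snapshots.

Added example (not from the book): a defender's version of the manual
netstat -an check, applied before and after a payload has executed.
The sample netstat output below is constructed, not captured from a host.
"""

# Constructed "before" snapshot: what netstat -an shows before the payload runs
NETSTAT_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Constructed "after" snapshot: the same host once a bind shell is listening on 443
NETSTAT_AFTER = NETSTAT_BEFORE + """  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:445        192.168.1.9:49732      ESTABLISHED
"""

_LISTEN_STATES = {"LISTENING", "LISTEN"}  # Windows vs. Linux spelling of the state


def parse_listening_ports(netstat_output):
    """Return the set of TCP ports in a listening state.

    Works on Windows (``TCP ... LISTENING``) and Linux (``tcp ... LISTEN``)
    ``netstat -an`` output; UDP rows, headers and non-listening rows are ignored.
    """
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        if fields[-1].upper() not in _LISTEN_STATES:
            continue
        # The first field containing ':' is the local address; rsplit on the
        # last ':' copes with IPv6 forms such as [::]:135
        local = next(f for f in fields if ":" in f)
        ports.add(int(local.rsplit(":", 1)[1]))
    return ports


def new_listeners(before, after):
    """Ports listening in ``after`` that were not listening in ``before``."""
    return parse_listening_ports(after) - parse_listening_ports(before)


def check_port(netstat_output, port):
    """True if ``port`` is listening: the manual check the text performs."""
    return port in parse_listening_ports(netstat_output)


if __name__ == "__main__":
    print("before:", sorted(parse_listening_ports(NETSTAT_BEFORE)))
    print("after: ", sorted(parse_listening_ports(NETSTAT_AFTER)))
    print("new listeners:", sorted(new_listeners(NETSTAT_BEFORE, NETSTAT_AFTER)))
    print("443 listening?", check_port(NETSTAT_AFTER, 443))
```

On a real host you would feed the script the captured output of netstat -an taken before and after the step under test; any port that shows up only in the second snapshot is a listener the application did not have before, which is precisely what port 443 looks like here once the payload has run.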
On a remote machine, try to telnet to the target machine on port 443. You'll notice that nothing happens; this is because the listener hasn't received the second stage from Metasploit yet. On your Back|Track VM, go into Metasploit and set up a multi-handler. This will tell Metasploit that a first-stage listener is on port 443 on the target machine.