
Chapter 8

Figure 8-1: Examples of multiple NOPs that create the NOP slide

In the example in Figure 8-2, notice the last instruction, a C3 (the x86 opcode for ret). That is the last instruction of our bind shell that we need to execute. Select that C3 and press F2, which sets a second breakpoint there. Now we're ready to roll and see what happens. Go back to the very top, where you added your NOPs, and press F7, which tells the debugger to execute only the next assembly instruction, stepping into it. Notice that the highlight moves down one line and nothing else happens, because the instruction you just executed was a NOP.

Next, press F7 a few times to walk down the NOP slide. When you first arrive at the payload's own instructions, just past the NOPs, open a command prompt and type netstat -an. Nothing should be listening on port 443 yet, which is a good sign that your payload hasn't executed.

Press F5 to continue running the rest of the application until it reaches the breakpoint you set. You should see the breakpoint indicated in the lower-left corner of the Immunity Debugger window. At this point, you have executed your payload within the debugger, and running netstat -an again should now show port 443 in the LISTENING state.

On a remote machine, try to telnet to the target machine on port 443. You'll notice that nothing happens: the connection is accepted, but no prompt ever appears, because the listener hasn't received the second stage from Metasploit yet. On your Back|Track VM, go into Metasploit and set up a multi-handler. This tells Metasploit that a first-stage listener is waiting on port 443 on the target machine, so it can connect to it and deliver the second stage.
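Both checks above, looking at netstat for a listener on 443 and then connecting to it the way the telnet test does, can be scripted so you are not eyeballing output mid-debug. The following is an added example, not code from the book or from Metasploit; the netstat text it parses is a constructed sample in the Windows netstat -an layout, and the host, port and timeout values are assumptions for illustration.

```python
"""Confirm the bind-shell listener from the debugger walkthrough.

Added example (not from the book): parse Windows `netstat -an` output to
see whether TCP 443 is LISTENING, then probe the port the way the telnet
test does.  A staged bind shell accepts the connection but sends nothing
until multi/handler delivers the second stage.
"""
import re
import socket
from typing import List, Tuple

# Constructed sample of `netstat -an` output on the target (not a real
# capture).  The 0.0.0.0:443 LISTENING line is what you expect to appear
# only after the payload has run inside the debugger.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    192.168.33.130:139     0.0.0.0:0              LISTENING
  TCP    192.168.33.130:49158   192.168.33.129:4444    ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# One netstat row: proto, local addr:port, foreign addr, optional state.
# The greedy \S+ before the last ':' also copes with IPv6 forms like [::]:443.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def listening_ports(netstat_output: str) -> List[int]:
    """Return the TCP ports netstat reports as LISTENING, in order seen."""
    ports = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "TCP" and m.group(5) == "LISTENING":
            ports.append(int(m.group(3)))
    return ports


def is_listening(netstat_output: str, port: int) -> bool:
    """True if `port` appears as a LISTENING TCP socket in the output."""
    return port in listening_ports(netstat_output)


def probe(host: str, port: int, timeout: float = 2.0) -> Tuple[bool, bytes]:
    """Connect like telnet would and report (connected, bytes received).

    (True, b"")  -> listener up, but silent: the first stage is waiting for
                    the handler, which matches the 'nothing happens' telnet
                    result before multi/handler has run.
    (False, b"") -> nothing accepted the connection (no listener, or no
                    network access at all).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
            return True, data
    except OSError:
        return False, b""


if __name__ == "__main__":
    # Assumed target address from the lab setup; adjust to your own VM.
    target = "192.168.33.130"
    print("443 listening in sample:", is_listening(SAMPLE_NETSTAT, 443))
    print("probe result:", probe(target, 443, timeout=1.0))
```

On the Back|Track side the handler that turns (True, b"") into a shell is exploit/multi/handler configured with the same bind payload you generated, RHOST set to the target and LPORT to 443; once it has connected and pushed the second stage, a fresh probe would receive the shell's output instead of silence.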