I have been seeing a lot of exploits that write the memory address of functions/code into EIP, and I was wondering if there is a way (maybe with gdb or something) to determine the memory address of some shellcode I am using in a buffer overflow test and use the Python struct library to pack it into the return pointer.
Right now I am examining the stack with gdb and using NOPs in my code to figure out the address of the function, but it is really just a guessing game. Does anyone know what I can do?
Answer
In GDB you can examine a function and get its address from its symbol name using: x myFun
However, hardcoding a function address in your exploit is basically betting on the odds that the binary's address space will never change. ASLR is a protection that will get in your way when trying to hardcode a memory address, as it will randomize certain segments of memory at runtime.
When I'm trying to exploit a binary using ret2shellcode, I usually try to fill the buffer with my own input and set a breakpoint at that input, then I try to determine its location and size in the stack, and whether it will fit my shellcode or not depending on your buffer size. Sometimes you can place the shellcode before EIP, sometimes you can place it after. It all depends on your binary, and that's assuming a basic ret2shellcode exploit.
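A check that follows from the ASLR point in the answer above, added here as an example and not part of the original post: before treating any address as fixed, read the binary's ELF e_type (ET_DYN means PIE, so even the image base moves between runs) and the system's randomize_va_space setting. The constructed_elf64_header helper builds sample headers so the script runs offline; the header offsets come from the ELF specification and the 0/1/2 meanings from the Linux kernel documentation.

```python
import struct
from pathlib import Path
from typing import Optional

# Constants from the ELF specification.
ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed-address executable: code is mapped at the address it was linked for
ET_DYN = 3    # shared object / PIE: the loader picks the base, so ASLR can move it

def elf_type(data: bytes) -> int:
    """Return e_type from an ELF header; only the first 18 bytes are read."""
    if len(data) < 18 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"              # e_ident[EI_DATA]: 1 = little, 2 = big
    return struct.unpack(endian + "H", data[16:18])[0]  # e_type lives at offset 16

def is_pie(data: bytes) -> bool:
    return elf_type(data) == ET_DYN

def aslr_level(proc_path: str = "/proc/sys/kernel/randomize_va_space") -> Optional[int]:
    """Linux ASLR setting: 0 = off, 1 = stack/mmap/vdso randomized, 2 = brk as well."""
    try:
        return int(Path(proc_path).read_text().strip())
    except (OSError, ValueError):
        return None

def assess(header: bytes, level: Optional[int]) -> str:
    """Say which addresses stay fixed between runs for this binary on this system."""
    if level == 0:
        return "ASLR off: image and stack addresses are stable across runs"
    if level is None:
        return "ASLR setting unknown: do not assume any address is stable"
    if is_pie(header):
        return "PIE under ASLR: image and stack both move; a hardcoded address will not survive"
    return "non-PIE under ASLR: image addresses are fixed, but stack (shellcode) addresses still move"

def constructed_elf64_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed 64-byte ELF64 header for offline use; only the fields read above are meaningful."""
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1]) + b"\x00" * 9  # class, data, version
    fmt = "<HHI" if little_endian else ">HHI"
    return ident + struct.pack(fmt, e_type, 0x3E, 1) + b"\x00" * 40  # e_type, e_machine=x86-64, e_version

if __name__ == "__main__":
    level = aslr_level()
    for name, hdr in (("non-PIE", constructed_elf64_header(ET_EXEC)),
                      ("PIE", constructed_elf64_header(ET_DYN))):
        print(f"{name}: {assess(hdr, level)}")
```

To check a real binary, pass the first 64 bytes of the file (open(path, "rb").read(64)) to assess instead of a constructed header.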