• Usually unable to determine ESP on the remote system
  – Educated guess by compiling/testing remotely
  – If the daemon is part of a binary package (rpm or deb, for example), debug your own copy of the daemon first
  – Brute force it (ugly and noisy)
• If you have the source code, compile it yourself (with the -ggdb option set for better debugging)
  – Try to compile it with the same options as the rpm or deb you wish to exploit; that way you get values such as ESP and the proper size of the payload correct
  – Test against the rpm or deb package until you get it right