search

Finding a Return Address

This Return Address would be written in the EIP and used to direct the application to where our payload will be located! Mona.py would be used for this as well.

hashtag
Listing all modules

The following command returns a bunch of programs/dependencies that our software in question uses/calls when operating. We notice that one of them has no memory protection or whatsoever. This would be useful for the process.

!mona modules

hashtag
Analyzing Output

Searching through the output, essfunc.dll seems to have most of the protections turned off which would allow for this attack to go through.

hashtag
Locating OpCode syscall

hashtag
Generating OpCode

The next step would be to generate the opt code for “JMP ESP” so that we can look for it in essfunc.dll. We will be using msf-nasm_shell for this.

hashtag
Finding JMP ESP

0x625011AF

hashtag
Hitting Offset

Now that we have an offset, we can try setting a breakpoint and hitting to verify that we have full control.

hashtag
Setting breakpoint

Then, hit F2 to set the breakpoint

hashtag
returnAddress.py

hashtag
Hitting breakpoint

Our debugger shows that we did hit the JMP ESP and hit the breakpoint that we set previously.

PreviousFinding Bad CharactersNextGenerating Shellcode

Last updated

Was this helpful?