Finding Return Address

In a stack-based buffer overflow attack, the injected code usually ends up on the stack, at the address held in ESP. To execute it, EIP (the instruction pointer) must be made to point at that address. Unfortunately, the value of ESP changes from run to run, because the stack layout shifts every time the application executes.

The next best thing is an indirect jump: EIP is pointed at an address inside a DLL that contains a "JMP ESP" instruction. "JMP ESP" transfers execution to whatever address ESP currently holds, so the exact stack address does not need to be known in advance.

The following process can be followed to identify the address of a JMP ESP instruction.

Once the application being tested for BOF is attached to Immunity Debugger, use the command "!mona modules" to list the DLLs loaded by the application. Look for a DLL that has "SafeSEH", "ASLR" and "NXCompat" (DEP protection) disabled; a module with ASLR enabled is relocated between runs, so any address taken from it would not be stable. Make sure none of the bad characters are present in the address.

Now we have to search the module's code for "JMP ESP", for which we need the instruction's opcode bytes as a hex string. We can obtain them with the following command on Linux,

msf-nasm_shell
jmp esp

It should generate the output 0xFFE4. The following command can be used within Immunity Debugger to search for the address,

!mona find -s "\xff\xe4" -m "<dll name>"

The JMP ESP address found can be used in the exploitation process by placing it in the bytes that overwrite EIP. Because x86 is little-endian, the address bytes have to be written in reverse order. For example,

JMP ESP Address - 0x90108202, has to be used as "\x02\x82\x10\x90".
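As an added illustration (not code from the page's author or from the mona tool), here is a small Python model of the three checks the steps above perform: search a module image for the FF E4 opcode bytes, reject any candidate whose little-endian encoding contains a bad character, and pack the surviving address in the reversed byte order an EIP overwrite needs. The module contents, its base address and the bad-character set are constructed for the example; the base is chosen so that one hit lands on the page's own 0x90108202. The simplification that the module is mapped contiguously from its base (no per-section RVAs) is an assumption, and it also shows why a module that is ASLR-relocated gives no stable address at all.

```python
import struct
from typing import List

# Constructed bad-character set: the null byte plus CR/LF, a common trio for
# string-handling targets. The real set must be determined per application.
BAD_CHARS = {0x00, 0x0a, 0x0d}

JMP_ESP = b"\xff\xe4"  # opcode bytes for "jmp esp" on x86 (0xFFE4)


def find_jmp_esp(module_bytes: bytes, image_base: int) -> List[int]:
    """Return every virtual address at which FF E4 occurs in module_bytes.

    Assumption (simplification): the module is mapped contiguously starting at
    image_base, so virtual address = image_base + file offset.
    """
    hits = []
    offset = module_bytes.find(JMP_ESP)
    while offset != -1:
        hits.append(image_base + offset)
        offset = module_bytes.find(JMP_ESP, offset + 1)
    return hits


def to_little_endian(address: int) -> bytes:
    """Pack a 32-bit address as the four bytes written over EIP (reversed order)."""
    return struct.pack("<I", address)


def has_bad_chars(address: int, bad_chars=BAD_CHARS) -> bool:
    """True if any byte of the packed address is in the bad-character set."""
    return any(b in bad_chars for b in to_little_endian(address))


def usable_addresses(module_bytes: bytes, image_base: int,
                     bad_chars=BAD_CHARS) -> List[int]:
    """JMP ESP addresses from the module that survive the bad-character filter."""
    return [addr for addr in find_jmp_esp(module_bytes, image_base)
            if not has_bad_chars(addr, bad_chars)]


# Constructed stand-in for a non-ASLR module image: 0x90 filler with two
# JMP ESP instructions planted at known offsets.
MODULE_BASE = 0x90100000
MODULE = bytearray(b"\x90" * 0x9000)
MODULE[0x0100:0x0102] = JMP_ESP  # -> 0x90100100, packs to 00 01 10 90 (contains 0x00)
MODULE[0x8202:0x8204] = JMP_ESP  # -> 0x90108202, packs to 02 82 10 90 (clean)


if __name__ == "__main__":
    for addr in find_jmp_esp(bytes(MODULE), MODULE_BASE):
        verdict = "bad chars" if has_bad_chars(addr) else "usable"
        print(f"0x{addr:08x} -> {to_little_endian(addr)!r} ({verdict})")
```

Running it lists both candidates and marks only 0x90108202 as usable, whose packed form is the "\x02\x82\x10\x90" shown above; the first candidate is rejected because its little-endian encoding contains a null byte.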

Note

The payload is prepended with a stub that decodes the encoded reverse shell. During decoding, the stub first determines its own address in memory and from there locates the encoded shell. To find the decoder stub's location, the code executes a short sequence of assembly instructions known as the GetPC routine. This routine writes data on and around the stack, which can clobber the data at ESP. To avoid this, we can prepend the payload with No Operation (NOP) instructions, which do nothing but pass execution on to the next instruction. So it is good practice to prepend the shellcode with a few NOPs, while being careful not to exhaust the space available for the shellcode.
