# Lab 3: Locating EIP

## Lesson:

### pattern\_create.rb

* Open the tools folder in the metasploit framework3 folder (I’m using a linux version of metasploit 3)
* You should find a tool called pattern\_create.rb
* Create a pattern of 10000 characters and write it into a file
* locate pattern\_create.rb

  **/usr/share/metasploit-framework/tools/exploit/pattern\_create.rb -l 10000**
* Edit the ruby script and insert a new variable ($junk2) with our 10000 characters
* Create the m3u file
* Open this file in Easy RM to MP3, wait until the application dies again, and take note of the contents of EIP
* At this time, eip contains 0x75483175 (note: little endian - we have overwritten EIP with 75 31 48 75 = u1Hu

  **pattern\_offset.rb**

  **Let’s use a second metasploit tool now, to calculate the exact length of the buffer before writing into EIP, feed it with the value of EIP (based on the pattern file) and length of the buffer**

  **/usr/share/metasploit-framework/tools/exploit/pattern\_offset.rb -l 10000 -q 75483175**

  **6064**

  That’s the buffer length needed to overwrite EIP<br>

  So if you create a file with 20000+6064 A’s, and then add 4 B’s (42 42 42 42 in hex) EIP should contain 42 42 42 42<br>

  We also know that ESP points at data from our buffer, so we’ll add some C’s after overwriting EIP totaling the 30000 A’s we initially threw<br>

  **30000 (original payload) – 26064 A’s – 4 B’s = 3932 C’s**

  Let’s try. Modify the ruby script to create the new m3u file<br>

  **Exploit:**
* In Immunity Debugger, you can see the contents of the stack, at ESP, by looking at the lower right hand window
* EIP contains BBBB, which is exactly what we wanted

  So now we control EIP, and On top of that, ESP points to our buffer (C’s)<br>

  **Our exploit buffer so far looks like this:**

  ![pic1](https://github.com/dco-idm/Intro-Exploit-Development-Course/blob/master/assignments/images/lab3/pic1.PNG)

  **Where are we?:**
* We control EIP
* We can point EIP to somewhere else, to a place that contains our own code (shellcode)
* But where is this space, how can we put our shellcode in that location, and how can we make EIP jump to that location?

  In order to crash the application, we have written 26064 A’s into memory, we have written a new value into the saved EIP field (ret), and we have written a bunch of C’s<br>

  **Where do we go from here?**

  When the application crashes, take a look at the registers and dump all of them (d esp, d eax, d ebx, d ebp, …).<br>

  If you can see your buffer (either the A’s or the C’s) in one of the registers, then you may be able to replace those with shellcode and jump to that location.<br>

  In our example, we can see that ESP seems to point to our C’s (remember the output of d esp above), so ideally we would put our shellcode instead of the C’s and we tell EIP to go to the ESP address.<br>

  Despite the fact that we can see the C’s, we don’t know for sure that the first C (at address 000ff730, where ESP points at), is in fact the first C that we have put in our buffer<br>
* We’ll change the ruby script and feed a pattern of characters (I’ve taken 144 characters, but you could have taken more or taken less) instead of C’s<br>
* Create the file, open it, let the application die and dump memory at location ESP

#### You know what time is it!

## Assignment:

* Step 1 – Locate pattern\_create.rb
* Step 2 – Create unique pattern of characters
* Step 3 – Create a variable in \[filename] with created string
* Step 4 – Run executable, transfer crash\_\[sid].m3u to target, and run it in the debugger
* Step 5 – Find what the offset is in the EIP register&#x20;
* Step 6 – Find pattern offset
* Step 7 – Run executable, transfer crash\_\[sid].m3u to target, and run it in the debugger
* Step 8 – Verify whether EIP equals “0x424242”

## Answers:

* View associated .txt file


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://romc.gitbook.io/exploit-dev/assignments/labs/lab3.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.