Lab 6: Locating op codes

Lesson:

Moving forward…

First of all, we need to figure out what the opcode for “jmp esp” is
- We can do this by using the nasm_shell.rb file in metasploit
- Or we can use mona - !mona asm –s jmp esp
We can see that the opcode is: FFE4
Now we need to find this opcode in one of our loaded DLLs
We can do this by Launching Easy RM to MP3, then opening Immunity Debugger
- We have been using Immunity Debugger to start up the software, but we can also attach to a process that is already running

Finding the opcode

Using mona, we can search for the command throughout this program (including loaded DLLs)
!mona jmp -r esp
This list shows which DLLs have this opcode.
- If we need to use a DLL that belongs to the OS, then we might find that the exploit does not work for other versions of the OS
- It is better if ASLR and Rebase are set to False, to ensure our exploit works consistently
- If we can’t find one, then a DLL that the software loads will be a good next choice. Last resort is to use an OS DLL
- So let’s search the area of one of the Easy RM to MP3 DLLs first
We’ll look in the area of C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll
- This DLL is loaded between 01d00000 and 021cd000
- Search this area for ff e4
- find -s “\xff\xe4” –m MSRMCcodec02.dll
Since we want to put our shellcode in ESP (which is placed in our payload string after overwriting EIP), the “jmp esp” address from the list must not have null bytes
- If this address would have null bytes, we would overwrite EIP with an address that contains null bytes
- Null byte acts as a string terminator, so everything that follows would be ignored
- In some cases, it would be ok to have an address that starts with a null byte
  - If the address starts with a null byte, because of little endian, the null byte would be the last byte in the EIP register
  - And, if you are not sending any payload after overwrite EIP (so if the shellcode is fed before overwriting EIP, and it is still reachable via a register), then this will work.
Anyways, we will use the payload after overwriting EIP to host our shellcode, so the address should not contain null bytes.
The first address will do : 0x01ccf23a
Verify that this address contains the jmp esp (so unassemble the instruction at 01ccf23a):
Success!!!

Shellcode

Metasploit has a nice payload generator that will help you building shellcode
Payloads come with various options, and (depending on what they need to do), can be small or very large
If you have a size limitation in terms of buffer space, then you might even want to look at multi-staged shellcode, or using specifically handcrafted shellcodes
- Alternatively, you can split up your shellcode in smaller ‘eggs’ and use a technique called ‘egg-hunting’ to reassemble the shellcode before executing it

Create shellcode

msfvenom –p [payload] [options] –f [file format] –e [encoder

Assignment:

Step 1 – Discover what the opcode for “jmp esp” is
Step 2 – Locate the op code
Step 3 – Search through the software DLL
Step 4 – Verify that the memory location actually holds the opcode
Step 5 – Why were we not able to find the op code using the command from Step 2?
Step 6 – Rewrite the exploit, replacing EIP with the discovered memory address
Step 7 – Run executable, transfer crash_[sid].m3u to target, and run it in the debugger
- Did we get the expected error from the last lab?

Answers:

View associated .txt file

PreviousLab 7: Writing shellcode NextLab 5: Shellcode testing

Last updated 4 years ago

Was this helpful?

Lesson:

Moving forward…

First of all, we need to figure out what the opcode for “jmp esp” is

We can do this by using the nasm_shell.rb file in metasploit
Or we can use mona - !mona asm –s jmp esp

We can see that the opcode is: FFE4

Now we need to find this opcode in one of our loaded DLLs

We can do this by Launching Easy RM to MP3, then opening Immunity Debugger

We have been using Immunity Debugger to start up the software, but we can also attach to a process that is already running

Finding the opcode

Using mona, we can search for the command throughout this program (including loaded DLLs)

!mona jmp -r esp

This list shows which DLLs have this opcode.

If we need to use a DLL that belongs to the OS, then we might find that the exploit does not work for other versions of the OS
It is better if ASLR and Rebase are set to False, to ensure our exploit works consistently
If we can’t find one, then a DLL that the software loads will be a good next choice. Last resort is to use an OS DLL
So let’s search the area of one of the Easy RM to MP3 DLLs first

We’ll look in the area of C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll

This DLL is loaded between 01d00000 and 021cd000
Search this area for ff e4
find -s “\xff\xe4” –m MSRMCcodec02.dll

Since we want to put our shellcode in ESP (which is placed in our payload string after overwriting EIP), the “jmp esp” address from the list must not have null bytes

If this address would have null bytes, we would overwrite EIP with an address that contains null bytes
Null byte acts as a string terminator, so everything that follows would be ignored
In some cases, it would be ok to have an address that starts with a null byte
- If the address starts with a null byte, because of little endian, the null byte would be the last byte in the EIP register
- And, if you are not sending any payload after overwrite EIP (so if the shellcode is fed before overwriting EIP, and it is still reachable via a register), then this will work.

Anyways, we will use the payload after overwriting EIP to host our shellcode, so the address should not contain null bytes.

The first address will do : 0x01ccf23a

Verify that this address contains the jmp esp (so unassemble the instruction at 01ccf23a):

Success!!!

Shellcode

Metasploit has a nice payload generator that will help you building shellcode

Payloads come with various options, and (depending on what they need to do), can be small or very large

If you have a size limitation in terms of buffer space, then you might even want to look at multi-staged shellcode, or using specifically handcrafted shellcodes

Alternatively, you can split up your shellcode in smaller ‘eggs’ and use a technique called ‘egg-hunting’ to reassemble the shellcode before executing it

Create shellcode

msfvenom –p [payload] [options] –f [file format] –e [encoder

Assignment:

Step 1 – Discover what the opcode for “jmp esp” is

Step 2 – Locate the op code

Step 3 – Search through the software DLL

Step 4 – Verify that the memory location actually holds the opcode

Step 5 – Why were we not able to find the op code using the command from Step 2?

Step 6 – Rewrite the exploit, replacing EIP with the discovered memory address

Step 7 – Run executable, transfer crash_[sid].m3u to target, and run it in the debugger

Did we get the expected error from the last lab?