Lab 6: Locating op codes

Lesson:

Moving forward…

  • First of all, we need to figure out what the opcode for “jmp esp” is

    • We can do this by using the nasm_shell.rb file in metasploit

    • Or we can use mona - !mona asm –s jmp esp

  • We can see that the opcode is: FFE4

  • Now we need to find this opcode in one of our loaded DLLs

  • We can do this by Launching Easy RM to MP3, then opening Immunity Debugger

    • We have been using Immunity Debugger to start up the software, but we can also attach to a process that is already running

Finding the opcode

  • Using mona, we can search for the command throughout this program (including loaded DLLs)

    !mona jmp -r esp

  • This list shows which DLLs have this opcode.

    • If we need to use a DLL that belongs to the OS, then we might find that the exploit does not work for other versions of the OS

    • It is better if ASLR and Rebase are set to False, to ensure our exploit works consistently

    • If we can’t find one, then a DLL that the software loads will be a good next choice. Last resort is to use an OS DLL

    • So let’s search the area of one of the Easy RM to MP3 DLLs first

  • We’ll look in the area of C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll

    • This DLL is loaded between 01d00000 and 021cd000

    • Search this area for ff e4

    • find -s “\xff\xe4” –m MSRMCcodec02.dll

  • Since we want to put our shellcode in ESP (which is placed in our payload string after overwriting EIP), the “jmp esp” address from the list must not have null bytes

    • If this address would have null bytes, we would overwrite EIP with an address that contains null bytes

    • Null byte acts as a string terminator, so everything that follows would be ignored

    • In some cases, it would be ok to have an address that starts with a null byte

      • If the address starts with a null byte, because of little endian, the null byte would be the last byte in the EIP register

      • And, if you are not sending any payload after overwrite EIP (so if the shellcode is fed before overwriting EIP, and it is still reachable via a register), then this will work.

  • Anyways, we will use the payload after overwriting EIP to host our shellcode, so the address should not contain null bytes.

  • The first address will do : 0x01ccf23a

  • Verify that this address contains the jmp esp (so unassemble the instruction at 01ccf23a):

    Success!!!

Shellcode

  • Metasploit has a nice payload generator that will help you building shellcode

  • Payloads come with various options, and (depending on what they need to do), can be small or very large

  • If you have a size limitation in terms of buffer space, then you might even want to look at multi-staged shellcode, or using specifically handcrafted shellcodes

    • Alternatively, you can split up your shellcode in smaller ‘eggs’ and use a technique called ‘egg-hunting’ to reassemble the shellcode before executing it

Create shellcode

msfvenom –p [payload] [options] –f [file format] –e [encoder

Practical application Time

Assignment:

  • Step 1 – Discover what the opcode for “jmp esp” is

  • Step 2 – Locate the op code

  • Step 3 – Search through the software DLL

  • Step 4 – Verify that the memory location actually holds the opcode

  • Step 5 – Why were we not able to find the op code using the command from Step 2?

  • Step 6 – Rewrite the exploit, replacing EIP with the discovered memory address

  • Step 7 – Run executable, transfer crash_[sid].m3u to target, and run it in the debugger

    • Did we get the expected error from the last lab?

Answers:

  • View associated .txt file

PreviousLab 7: Writing shellcodeNextLab 5: Shellcode testing

Last updated

Was this helpful?