Finding the Return Address

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:02
finding a return address
00:04
are learning objective is to understand how to find a return address.
00:11
So what I mean by this, ultimately we want to write shell code so that when we do our buffer overflow, the program executes into our jumps into our shell code. Well, as the name sounds, we need to find
00:26
a jump sp return address
00:29
where we can consistently have the program jump into our shell code so we can consistently get a shell.
00:36
What some programmers do is they have protections against buffer overflow attacks, like A S L R. So we want to do is try to find modules within the program that do not have these types of protections so that we can consistently over and over again jump into our shell code with the jump E S P
00:56
instruction by finding that memory location
00:59
that won't change every time.
01:00
So we can do that with mona.
01:03
So what I'll do now
01:06
is I'll do exclamation mona
01:08
modules.
01:11
And as you can see here
01:17
these are our modules. And we're going to look for false because everything that's true means that that flag that protection is on. And 11 of these uh we see has the most false is in them. Which is the do stack buffer overflow Good dot E X E
01:34
Mhm.
01:36
So the P W Kr pen 200 materials is a great job of explaining this
01:42
and they use the MSF Nazem shell module. But we're trying to find the
01:47
off code or hex for jump E S p.
01:53
Now, what they do find or what we have for Jump E S P is F F E four.
01:59
So keeping that in mind, we're going to use Mona
02:02
and we're gonna do Mona find
02:07
S
02:08
and here's the jump PSP instruction.
02:17
Sorry, my microphone slipped there.
02:21
XFFXE four.
02:25
Mm.
02:28
Now we're going to do stack
02:30
buffer overflow good dot E X E.
02:38
It's processing
02:40
so it's gonna find our our memory locations with jumpy sp instructions and we see we found two we found 080414 C three and 080416 B F. I can you can choose either. I chose the first one.
02:58
But we're going to do now is going to set a breakpoint at that memory location. So keep that in mind
03:04
this number
03:06
And we're going to go to this address and we already have it here. 080414 C3.
03:15
And I'm gonna say this is a break point. You can see already did. But to toggle this you press F two,
03:21
you might get the suspicious breakpoint warning
03:27
but now I'm going to go back to Cali and you'll see where I changed my or where I wrote my python script how I changed it.
03:36
Keep in mind if you're having issues if you're saying permission denied when you write your script
03:40
Traumatic plus X. You can trim it at 777.
03:45
But that might be a reason why you're having issues executing your scripts.
03:50
So
03:52
if we look here we have our A's instead of Arby's. I'm replacing it with this memory location you can send me the comment here
03:59
but I'm doing it in a little indian format so I'm writing it backwards. So 080804041414 C. Three. So that's our memory location. So we're having it go to the jumpy sp instruction and then hopefully we move into our seas here.
04:15
So let's verify that. That's why I said that breakpoint at the memory location here.
04:20
And what we'll do is we will send this program.
04:25
I'm sorry to send the script.
04:27
Mhm.
04:28
And it should hit our break point
04:30
Here. We see it did. So now I press F7 to step through and we should see it land in our seas
04:40
And you can see 43 43. It did land in our seas.
04:44
So we verified that jumpy sp instruction. And now the only thing left to do is write our shell code so we can get a shell on this box.
04:56
So in summary we should now understand how to find a return address.
Up Next
Offensive Penetration Testing

The Offensive Penetration Testing course opens the doors to those wanting to begin a penetration testing career. This course will prepare learners to begin their pentesting career journey by understanding what tools, techniques, and resources are available for someone starting out in offensive penetration testing.

Instructed By