Last active September 28, 2018 20:56
Gist ninp0/1a587320aeaf9c0baf95dc28f0707d1c
1. Find Buffer Overflow Len
2. /opt/metasploit-framework-dev/tools/exploit/pattern_create.rb -l <buffer_overflow_len>
3. Replace orig overflow contents w/ response from pattern_create.rb
4. Run debugger, find eip value within pattern generated above...then run:
5. /opt/metasploit-framework-dev/tools/exploit/pattern_offset.rb -l <buffer_overflow_len> -q <eip_value>
6. Find bad characters (e.g. \x00 \x0a \x0d etc)
7. Update malicious payload accordingly
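Steps 2, 5 and 6 lean on two small ideas that are easy to get wrong when read off a tool's output: pattern_create.rb builds a cyclic string in which every 4-byte window is unique (so the value that lands in EIP identifies exactly one offset), and pattern_offset.rb reverses the little-endian 32-bit EIP value back into 4 pattern bytes before searching. The block below is an added example written for this page, not Metasploit's own code: `cyclic_pattern`, `pattern_offset` and `find_first_bad_char` are this example's names, the sample buffers are constructed, and the only assumption is the standard "Aa0Aa1..." pattern scheme. The bad-character helper shows what step 6 actually does: compare the bytes you sent with the bytes the debugger shows in memory and report the first byte the target dropped, truncated on or rewrote.

```python
"""Cyclic-pattern offset lookup and bad-character diff (added example).

Not part of the gist or of Metasploit; the function names are this
example's own and the sample input below is constructed.
"""
import string
import struct
from itertools import product
from typing import Optional, Union


def cyclic_pattern(length: int) -> bytes:
    """Build the 'Aa0Aa1Aa2...' pattern used by pattern_create.rb.

    Chunks are Upper+lower+digit, iterated with the uppercase letter
    varying slowest. Every 4-byte window is unique within the first
    26*26*10*3 = 20280 bytes, which is what makes the EIP lookup
    unambiguous for typical buffer sizes.
    """
    out = bytearray()
    for upper, lower, digit in product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits
    ):
        if len(out) >= length:
            break
        out += (upper + lower + digit).encode()
    return bytes(out[:length])


def pattern_offset(query: Union[int, str], length: int = 20280) -> Optional[int]:
    """Recover the offset from the value the debugger shows in EIP.

    An int query (e.g. 0x37634136) is the 32-bit register value; x86 is
    little-endian, so the 4 pattern bytes come out in reverse order
    (0x37634136 -> b'6Ac7'). A str query is taken as those 4 bytes
    directly, mirroring pattern_offset.rb -q. Returns None if the value
    is not a window of the pattern (EIP was not overwritten by it).
    """
    needle = query.encode() if isinstance(query, str) else struct.pack("<I", query)
    idx = cyclic_pattern(length).find(needle)
    return None if idx < 0 else idx


def find_first_bad_char(sent: bytes, observed: bytes) -> Optional[int]:
    """Diff the bytes sent against the bytes observed in the debugger.

    The first position where they differ (or where the observed copy
    ends early) names the next bad character: a byte the target strips,
    stops reading at, or transforms. Because one dropped byte shifts
    everything after it, this is run one bad character at a time.
    Returns None when the buffer arrived intact.
    """
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


if __name__ == "__main__":
    # Constructed walkthrough: a 1000-byte pattern, an EIP of 0x37634136.
    print(cyclic_pattern(1000)[:32].decode(), "...")
    print("offset:", pattern_offset(0x37634136, 1000))  # 80

    # Constructed bad-character round: every byte 0x01..0xff was sent,
    # but the target dropped 0x0a, so the observed copy is shifted.
    SENT = bytes(range(1, 256))
    OBSERVED = SENT[:9] + SENT[10:]
    bad = find_first_bad_char(SENT, OBSERVED)
    print("first bad char:", None if bad is None else f"\\x{bad:02x}")  # \x0a
```

The same diff works whether the target drops the byte or stops reading at it: in both cases the mismatch shows up at the position of the bad byte in the buffer you sent, so you remove that byte from the next round and repeat until the two copies match end to end.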
Other misc notes:
nasm_shell
nasm > jmp esp
00000000  FFE4              jmp esp
Once control of EIP is achieved:
# Immunity Debugger:
!mona modules
# Find module w/ least amount of security enabled (e.g. aslr = false, etc)
!mona find -s "\xff\xe4" -m <module name to find JMP ESP>
# EDB
Plugins >> OpcodeSearcher >> Opcode Search >> <highlight start addr> >> <choose Jump equivalent (e.g. ESP -> EIP)>
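`!mona modules` tabulates, per loaded module, whether ASLR, NX/DEP and related protections are enabled; the "least security enabled" module in that table is simply a PE whose DllCharacteristics field lacks those bits. The same field is what a defender audits to make sure nothing shipped in a build is missing them. The block below is an added example, not the gist's or mona's code: it reads DllCharacteristics straight from a PE header, reports each mitigation flag, and lists which of ASLR/NX are missing. The parser follows the PE/COFF layout (e_lfanew at 0x3C, 20-byte COFF header, DllCharacteristics at offset 70 of the optional header for both PE32 and PE32+); `build_sample_pe` constructs a minimal in-memory header so the example runs offline, and the function names are this example's own.

```python
"""Read a PE module's DllCharacteristics mitigation flags (added example).

Not part of the gist; the helper names and the constructed sample
header are this example's own. Flag values are the documented
IMAGE_DLLCHARACTERISTICS_* constants from the PE/COFF specification.
"""
import struct
from typing import Dict, List

DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,      # 64-bit ASLR with high entropy
    "DYNAMIC_BASE": 0x0040,         # image can be relocated (ASLR)
    "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT": 0x0100,            # DEP / no-execute stack and heap
    "NO_SEH": 0x0400,
    "GUARD_CF": 0x4000,             # Control Flow Guard
}
REQUIRED = ("DYNAMIC_BASE", "NX_COMPAT")


def dll_characteristics(pe: bytes) -> int:
    """Walk DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header.

    DllCharacteristics is a u16 at offset 70 of the optional header for
    both PE32 (magic 0x10b) and PE32+ (magic 0x20b), so no branching on
    bitness is needed once the magic has been validated.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    return struct.unpack_from("<H", pe, opt + 70)[0]


def mitigation_report(pe: bytes) -> Dict[str, bool]:
    """Map each known DllCharacteristics flag to whether the module sets it."""
    flags = dll_characteristics(pe)
    return {name: bool(flags & bit) for name, bit in DLL_FLAGS.items()}


def missing_mitigations(pe: bytes) -> List[str]:
    """Names of the baseline protections (ASLR, DEP) the module opts out of."""
    report = mitigation_report(pe)
    return [name for name in REQUIRED if not report[name]]


def build_sample_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE header: enough for the parser, nothing more.

    DOS header with e_lfanew = 0x40, PE signature, a COFF header for an
    i386 DLL with a 224-byte PE32 optional header, then that optional
    header with only Magic and DllCharacteristics filled in.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=i386, 1 section, timestamp/symtab/nsyms=0, SizeOfOptionalHeader=224,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)   # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed pair: a hardened module and a legacy one with no flags set.
    hardened = build_sample_pe(0x0140)           # DYNAMIC_BASE | NX_COMPAT
    legacy = build_sample_pe(0x0000)
    for label, pe in (("hardened", hardened), ("legacy", legacy)):
        print(label, mitigation_report(pe), "missing:", missing_mitigations(pe))
```

To audit a real module, pass `open(path, "rb").read()` in place of the constructed header; the parser only reads the header region, so reading the whole file is fine. A module that comes back with `DYNAMIC_BASE` missing is exactly the kind of non-rebased, fixed-address image the `!mona modules` table flags, and the fix on the defending side is a linker setting (`/DYNAMICBASE`, `/NXCOMPAT`), not a debugger.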