1. Fuzz
2. Load immunity debugger
3. Overwrite EIP register
4. Use /usr/share/metasploit-framework/tools/pattern_create.rb [length]
5. Find value crashed in EIP register.
6. Use /usr/share/metasploit-framework/tools/pattern_offset.rb [value] of the crashed value in the EIP register.
7. Use this as the new base length for the crash.
8. Find out if there are any restricted characters for payload in shell code.
9. !mona modules in immunity debugger. So we can find the loaded libraries. Find one that does not have protection ( ASLR , the range of memory does not include null bytes)
10. Search for jmp esp register to use:
10.a Use /usr/share/metasploit-framework/tools/nasm_shell.rb to search for the opcode equivalent of jump esp
nasm > jmp esp
00000000 FFE4 jmp esp
11. Search for this op code in mona again: !mona find -s “\xff\xe4” -m slmfc.dll
12. Select one that does not have bad addresses, double check the contents at this address by double clicking.
13. Replace your EIP address that will be modified during the overflow with this jmp esp register value.
14. To validate, set a breakpoint at the address of the jmp esp register. Run the exploit again to make sure that the address has been hit.
15. Add shell code so that jsp will now run the shell code
No comments:
Post a Comment