Overwriting the Return Address
Now we need to overwrite the return address, that is, EIP, so that it points to the memory address of an executable instruction. The jmp esp instruction then transfers execution to ESP, where we place our shellcode. To search for all the executable modules, click on the "e" button at the top. This returns all the executable modules; we will use the one most commonly used for exploitation, that is, SHELL32.dll. We then press Ctrl+F on the keyboard and search for the jmp esp address.
Note: The reason we are looking for the jmp esp address is that we will point our EIP register at the jmp esp instruction, which transfers execution to ESP, where our shellcode is located.
We now copy the memory address to a Notepad or WordPad file.
Our memory address is 7CA58265; we need to reverse its byte order and write it as escaped bytes to make it work. Since 32-bit x86 processors are little-endian, the least significant byte is stored first, and this is the order in which the processor reads the data. So our memory address becomes 6582A57C in reversed byte order and looks like \x65\x82\xA5\x7c when written as escaped bytes.
Ethical Hacking and Penetration Testing Guide
We can also use mona to find an executable module that jumps to ESP; the -n flag excludes all modules containing null bytes. We execute the following command from mona:
!mona jmp -r esp -n
A file named jmp.txt will be created; press Ctrl+F and search for jmp esp, and eventually you will reach the jmp esp address in the executable module named SHELL32.dll.
Next, we feed the EIP register with the jmp esp address and test whether everything is working as expected. Here is how the modified code looks:
We now crash the stack with 247 characters; EIP then executes the memory address of the jmp esp, and ESP contains the \xcc interrupt (INT3) instruction. We do this to make sure that our code actually jumps to \xcc.
Windows Exploit Development Basics
As we can see, the command window contains many INT3 instructions; this shows that we have successfully jumped to ESP and that we can redirect the application to execute our shellcode.
NOP Sledges
For our exploit to work, our return address (EIP) should point to the first instruction of our shellcode. Sometimes it is difficult to determine exactly where that is in memory; therefore, to improve our chances of success, we add a NOP sledge. NOP is short for "No Operation": it is an assembly instruction that tells the processor to do nothing at all. The idea is that if we land anywhere inside the NOP sledge, the processor executes a run of NOPs and finally reaches our shellcode.
Here is how the command window looks; it executes a run of NOPs before reaching our shellcode. This improves the reliability of our exploit.
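As an added example (not code from the book), the following Python ties together the two points above: it packs the jmp esp address quoted earlier in little-endian order, checks it for null bytes (the condition mona's -n flag enforces), and scans a buffer for the packed address, NOP sleds and INT3 runs, which are the artefacts an analyst looks for when examining a captured crash input. The sample buffer and its sizes are constructed for illustration and are not the book's values.

```python
import struct

# The SHELL32.dll jmp esp address quoted in the text.
JMP_ESP_ADDR = 0x7CA58265
NOP, INT3 = 0x90, 0xCC


def to_little_endian(addr: int) -> bytes:
    """Pack a 32-bit address in the byte order x86 reads it (least significant byte first)."""
    return struct.pack("<I", addr)


def has_null_bytes(b: bytes) -> bool:
    """A NUL inside the packed address is what mona's -n flag filters out."""
    return b"\x00" in b


def find_runs(buf: bytes, value: int, min_len: int) -> list:
    """Return (offset, length) for every run of `value` at least min_len bytes long."""
    runs, i = [], 0
    while i < len(buf):
        if buf[i] != value:
            i += 1
            continue
        j = i
        while j < len(buf) and buf[j] == value:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


def inspect_buffer(buf: bytes, ret_addr: int) -> dict:
    """Locate the three artefacts the text describes in a captured crash input."""
    packed = to_little_endian(ret_addr)
    return {
        "ret_addr_offsets": [i for i in range(len(buf) - 3) if buf[i:i + 4] == packed],
        "nop_sleds": find_runs(buf, NOP, 8),
        "int3_runs": find_runs(buf, INT3, 4),
    }


# Constructed sample input (sizes are illustrative, not the book's): padding,
# the packed return address, a NOP sled, then the \xcc breakpoints.
SAMPLE = b"A" * 40 + to_little_endian(JMP_ESP_ADDR) + bytes([NOP]) * 16 + bytes([INT3]) * 8

if __name__ == "__main__":
    print(to_little_endian(JMP_ESP_ADDR).hex())  # 6582a57c
    print(inspect_buffer(SAMPLE, JMP_ESP_ADDR))
```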