Finding the Return Address


Difficulty
Intermediate
Video Transcription
00:02
Finding a return address.
00:04
Our learning objective is to understand how to find a return address.
00:11
So what I mean by this: ultimately we want to write shellcode so that when we do our buffer overflow, the program jumps into our shellcode. Well, as the name sounds, we need to find
00:26
a JMP ESP return address
00:29
where we can consistently have the program jump into our shellcode so we can consistently get a shell.
00:36
What some programmers do is they have protections against buffer overflow attacks, like ASLR. So what we want to do is try to find modules within the program that do not have these types of protections, so that we can consistently, over and over again, jump into our shellcode with the JMP ESP
00:56
instruction by finding that memory location
00:59
that won't change every time.
01:00
So we can do that with mona.
01:03
So what I'll do now
01:06
is I'll do !mona
01:08
modules.
01:11
And as you can see here
01:17
these are our modules. And we're going to look for False, because everything that's True means that that flag, that protection, is on. And one of these, we see, has the most Falses in them, which is dostackbufferoverflowgood.exe.
01:34
Mhm.
01:36
So the PWK / PEN-200 materials do a great job of explaining this,
01:42
and they use the msf-nasm_shell module. But we're trying to find the
01:47
opcode or hex for JMP ESP.
01:53
Now, what they do find, or what we have for JMP ESP, is FF E4.
01:59
So keeping that in mind, we're going to use Mona
02:02
and we're gonna do !mona find
02:07
-s
02:08
and here's the JMP ESP instruction.
02:17
Sorry, my microphone slipped there.
02:21
\xff\xe4.
02:25
Mm.
02:28
Now we're going to do
02:30
dostackbufferoverflowgood.exe.
02:38
It's processing
02:40
so it's gonna find our memory locations with JMP ESP instructions, and we see we found two: we found 080414C3 and 080416BF. You can choose either. I chose the first one.
02:58
But what we're going to do now is set a breakpoint at that memory location. So keep that in mind,
03:04
this number.
03:06
And we're going to go to this address, and we already have it here: 080414C3.
03:15
And I'm gonna say this is a breakpoint. You can see I already did. But to toggle this you press F2,
03:21
you might get the suspicious breakpoint warning
03:27
but now I'm going to go back to Kali and you'll see where I changed my, or where I wrote my Python script, how I changed it.
03:36
Keep in mind, if you're having issues, if you're seeing permission denied when you write your script,
03:40
chmod +x. You can chmod it 777.
03:45
But that might be a reason why you're having issues executing your scripts.
03:50
So
03:52
if we look here we have our A's, and instead of B's I'm replacing it with this memory location. You can see my comment here,
03:59
but I'm doing it in little-endian format, so I'm writing it backwards. So 08 04 14 C3. So that's our memory location. So we're having it go to the JMP ESP instruction, and then hopefully we move into our C's here.
04:15
So let's verify that. That's why I set that breakpoint at the memory location here.
04:20
And what we'll do is we will send this program.
04:25
I'm sorry, send the script.
04:27
Mhm.
04:28
And it should hit our break point
04:30
Here, we see it did. So now I press F7 to step through, and we should see it land in our C's.
04:40
And you can see 43 43. It did land in our C's.
04:44
So we verified that JMP ESP instruction. And now the only thing left to do is write our shellcode so we can get a shell on this box.
04:56
So in summary we should now understand how to find a return address.