How to find addresses to overwrite EIP??


Metasploit
  • Share
  • SumoMe
  • Share

While developing exploit, we need to overwrite EIP( Extended Instruction pointer) to change the flow of execution of program.

Note: EIP contains the address of the memory which the processor is going to execute.

Generally EIP is overwritten with the address of instructions like jmp esp, call , push ret etc. which point to our shellcode.

We can find the addresses using findjmp2, windbg, memdump etc.

1. Findjmp2

This program will find addresses suitable to overwrite EIP that will return to our code.

It currently supports looking for:

  • jmp reg
  • call reg
  • push reg,  ret
  • pop, pop, ret

You can download this program from this link Findjmp2
Usage:   findjmp <dllname> <reg>

Example:

C:\Documents and Settings\Administrator\Desktop>findjmp.exe ntdll.dll esp

Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning ntdll.dll for code useable with the esp register
0x7C914663      call esp
0x7C919DB0      push esp – ret
0x7C95311B      call esp
0x7C9676E2      pop esp – pop – retbis
Finished Scanning ntdll.dll for code useable with the esp register
Found 4 usable addresses

2. Memdump

Memdump is used to dump the entire memory of running process.The directory created by memdump can be used with msfpescan to quickly find viable instructions
and return addresses.
You can find memdump in Metasploit tool folder in this location “C:\Program Files\Metasploit\Framework3\msf3\tools\memdump”.
Download link for Metasploit.

Usage:  Memdump <process id> <dump directory>

How to find process id??

1. Open windows Task manager (ctrl + alt + del).
2. Go to View->Select Columns.
3. Select PID(process id) checkbox, click ok.

Select columns

Now we can see the PID of all the process.

We need a create a directory for dump. We will dump the memory of firefox.exe of PID 1800.

Example:

C:\Program Files\Metasploit\Framework3\msf3\tools\memdump>mkdir C:\firefox

C:\Program Files\Metasploit\Framework3\msf3\tools\memdump>memdump 1800 C:\firefox
[*] Creating dump directory…C:\firefox
[*] Attaching to 1800…
[*] Dumping segments…
[*] Dump completed successfully, 343 segments.

Now we will run msfpescan on memory dump of firefox.

1. Copy the dump directory C:\firefox to C:\Program Files\Metasploit\Framework3\home\Administrator\
2. Open cygwin shell. Go to All Programs–> Metasploit 3–> Cygwin Shell
3. Type following commands

$ cd ../..

$ cd msf3

$ ./msfpescan -p -M /home/Administrator/firefox/ > /home/Administrator/firefox/output.txt

Piping the output to output.txt file.

Output of msfpescan

3. msfpescan

This can also be used looking for following pattern:

  • jmp reg
  • call reg
  • push reg, ret
  • pop, pop, ret

1. Open cygwin shell and change the directory to msf3
2. Copy the dll to C:\Program Files\Metasploit\Framework3\home\Administrator\
3. Run the following commands as shown below:

For finding addresses of pattern for jmp reg, call reg, push reg ret

$./msfpescan -j eax /home/Administrator/ntdll.dll

0x7c90160b push eax; ret
0x7c901633 push eax; ret
0x7c9059b8 push eax; ret
0x7c90e435 call eax
0x7c90e95f call eax
0x7c90e9a7 call eax
0x7c916342 call eax
0x7c9174a8 call eax
0x7c917dce call eax
0x7c91e1e2 call eax
0x7c9211b9 call eax
0x7c923be6 call eax
0x7c924689 call eax
0x7c9395a0 call eax
0x7c939619 call eax
0x7c9405dc call eax
0x7c942626 call eax
0x7c9542cf call eax
0x7c954f40 jmp eax
0x7c954f79 jmp eax
0x7c954f94 call eax
0x7c955014 jmp eax
0x7c95504d jmp eax
0x7c955068 call eax
0x7c95515c call eax
0x7c955fb4 call eax
0x7c9562ad call eax
0x7c957dff call eax
0x7c957e94 call eax
0x7c957f2c call eax
0x7c96d17c call eax
0x7c974f5e call eax
0x7c9756b2 call eax

For finding addresses of pattern for pop pop ret

$ ./msfpescan -p /home/Administrator/ntdll.dll

[/home/Administrator/ntdll.dll]
0x7c90118e pop esi; pop ebp; retn 0x0010
0x7c9011d3 pop esi; pop ebp; retn 0x0008
0x7c9014e0 pop esi; pop edi; retn 0x0010
0x7c9015bf pop esi; pop edi; retn 0x0010
0x7c9016e4 pop edi; pop ebx; retn 0x0010
0x7c90178c pop esi; pop ebx; retn 0x0010
0x7c901931 pop esi; pop ebx; ret
0x7c901cf8 pop edi; pop ebx; ret
0x7c901cfe pop edi; pop ebx; ret
0x7c901d04 pop edi; pop ebx; ret
0x7c901d51 pop edi; pop esi; ret
0x7c901db0 pop edi; pop esi; ret
0x7c902783 pop esi; pop edi; ret
……

.