Finding Exploit-Friendly Instructions

Source: Python “Grey Hat”

After you have obtained EIP control, you have to transfer execution to your shellcode. Typically, you will have a register or an offset from a register that points to your shellcode, and it’s your job to find an instruction somewhere in the executable or one of its loaded modules that will transfer control to that address.

from immlib import *
def main(args):
 imm = Debugger()
 search_code = “”.join(args)
 search_bytes = imm.Assemble( search_code)
 search_results= imm.Search( search_bytes ) 

 for hit in search_results: 

 # Retrieve the memory page where this hit exists
# and make sure it’s executable

code_page = imm.getMemoryPagebyAddress( hit )
 access = code_page.getAccess( human = True ) 

 if “execute” in access.lower():
   imm.log( “[*] Found: %s (0x%08x)” % ( search_code, hit ),
    address = hit )
return “[*] Finished searching for instructions, check the Log window.” 


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: