Finding Exploit-Friendly Instructions

Source: Python “Grey Hat”

After you have obtained EIP control, you have to transfer execution to your shellcode. Typically, you will have a register or an offset from a register that points to your shellcode, and it’s your job to find an instruction somewhere in the executable or one of its loaded modules that will transfer control to that address.
========

from immlib import *
def main(args):
 imm = Debugger()
 search_code = “”.join(args)
 search_bytes = imm.Assemble( search_code)
 search_results= imm.Search( search_bytes ) 


 for hit in search_results: 

 # Retrieve the memory page where this hit exists
 
# and make sure it’s executable

code_page = imm.getMemoryPagebyAddress( hit )
 access = code_page.getAccess( human = True ) 

 if “execute” in access.lower():
   imm.log( “[*] Found: %s (0x%08x)” % ( search_code, hit ),
    address = hit )
return “[*] Finished searching for instructions, check the Log window.” 

​========

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s