Basic Egghunting

Source: CaptMeelo^1

Commands learned

• Alternative to pattern create:
  • /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <number_of_buffer>
  • is
  • !mona pc <number_of_buffer>
• Alternative to pattern offset
  • /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l <number_of_buffer> -q <value_in_register>
  • is
  • !mona findmsp @ mona itself after sending the pattern
    • This can be used in conjunction with pattern_create + it tells you more details such as other registers and the size of the whole payload
• !mona jmp -r esp -m 'essfunc.dll'
• SHORT JUMP
  • \xEB<offset>
  • offset = i.e. 50 bytes back so '-50' convert to hex using the calculator site is 'FFFFFFFFFFFFFFCE' so it is \xCE therefore making the whole command \xEB\xCE,
  • This would technically only move you back 48 bytes since \xEB\xCE itself consumes 2 byes and will be counted in walking back
    • calculator site [^2]
• !mona egg -t <keyword_you_would_like_to_use>
  • i.e. !mona egg -t Bellend
  • then send shellcode via other means like via other COMMAND (i.e. "STATS "+"BellendBellend"+shellcode)
  • make space for shellcode

[^2]: Binary Hex Converter