Writing JIT-spray Exploit

This is not a full guide. It is just a small addition to the “Writing JIT shellcode for fun and profit” article by Alexey Sintsov. If you want to know how the technique works, it is better to start there: it has a complete description and you can follow it step by step.

Environment

Description

First of all we should find the address of the function we are going to call later; in my case it is system(). To find it we look at the PEB (Process Environment Block) and get the base address of the loaded DLL that exports this function, then we look up system() inside it and get its address. After that we can push the argument (actually the name of the program to be called). In my example it is ‘notepad’, but you should take into consideration that on the stack it will be:

push "eton"
push "dap"
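The reversed-looking chunks above are a consequence of two things: x86 is little-endian, so a 4-byte immediate that holds "note" in memory reads as 0x65746f6e (whose hex digits spell "eton") in a disassembly listing, and the stack grows toward lower addresses, so the last dword must be pushed first for ESP to end up pointing at the first character. The following Python is an added example written for this page; it is not code from the post or from Sintsov's article. It packs an arbitrary NUL-terminated ASCII string into dwords, reports the push order, shows how each immediate reads in a listing, and reconstructs the resulting stack memory to confirm the layout; the function names are my own.

```python
import struct


def string_to_dwords(s):
    """Split a NUL-terminated ASCII string into little-endian 32-bit values,
    in memory order (lowest address first). Padding with NULs keeps the
    C-string terminator inside the last dword."""
    data = s.encode("ascii") + b"\x00"
    data += b"\x00" * (-len(data) % 4)        # round up to a multiple of 4
    return [struct.unpack("<I", data[i:i + 4])[0]
            for i in range(0, len(data), 4)]


def push_order(s):
    """The x86 stack grows toward lower addresses, so the dword that must
    sit at the highest address (the tail of the string) is pushed first.
    After all pushes ESP points at the first character."""
    return list(reversed(string_to_dwords(s)))


def as_listing_text(value):
    """How a disassembler shows the immediate: the hex digits of the
    number, read left to right, spell the chunk backwards
    ('note' -> 0x65746f6e -> 'eton'; 'pad\\0' -> 0x00646170 -> 'dap')."""
    return value.to_bytes(4, "big").decode("ascii").strip("\x00")


def stack_bytes_after_pushes(pushes):
    """Simulate the pushes: each one writes its 4 little-endian bytes just
    below the previous one, so the final buffer is what ESP points at."""
    mem = b""
    for value in pushes:
        mem = struct.pack("<I", value) + mem
    return mem


if __name__ == "__main__":
    # Constructed sample input: the same string the post uses.
    name = "notepad"
    for value in push_order(name):
        print("push 0x%08x    ; reads as %r" % (value, as_listing_text(value)))
    print(stack_bytes_after_pushes(push_order(name)))
```

Running it for "notepad" prints the two pushes in the order the post shows, 0x00646170 ("dap") first and 0x65746f6e ("eton") second, and the reconstructed memory is b"notepad\x00", which is exactly the C string system() will read from ESP.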

We need some vulnerability to get our ActiveX control loaded. I used the vulnerability in emsmtp.dll; make sure the version of the library you have is 6.0.1. Then we just overwrite the return address (or, in my case, the SEH record, because that was easier for me).

However, it did not work at first. The main problem was that the address of the memory we were supposed to jump to was wrong, so I needed to use mona, an extension for Immunity Debugger.

There are some useful commands:

You can find the working exploit in my repo.
