This is not a full guide. This is a small addition to the “Writing JIT shellcode for fun and profit” article written by Alexey Sintsov. If you want to know how it works, it is better to start there: it has a complete description and you should be able to follow it step by step.
First, we need to find the address of the function we are going to call later. In my case it’s system(). To find it we look at the PEB and get the base address of a loaded DLL that exports this function, then we look up system() and get its address. After that, we can push the argument (the name of the program to be called). In my case, it was ‘notepad’. The stack was like:
push "eton"
push "dap"
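As an added example (not code from the original article or from Alexey Sintsov's), here is a small Python helper that shows how a string such as ‘notepad’ becomes a sequence of 32-bit immediates for x86 push instructions: the string is NUL-terminated, padded to a multiple of four bytes, and its last chunk is pushed first so that ESP ends up pointing at the start of the string (the layout above, read from ESP upward, is “eton” then “dap”). The function names and the sample strings are my own.

```python
import struct

WIDTH = 4  # size of one x86 push immediate in bytes


def string_to_pushes(s: str) -> list[int]:
    """Return the push immediates that, executed in order, leave s as a
    NUL-terminated ASCII string at ESP on a little-endian x86 stack."""
    data = s.encode("ascii") + b"\x00"
    # Pad to a multiple of WIDTH so the last chunk is a full dword and the
    # terminator is never lost; extra padding is harmless trailing NULs.
    data += b"\x00" * (-len(data) % WIDTH)
    chunks = [data[i:i + WIDTH] for i in range(0, len(data), WIDTH)]
    # The stack grows toward lower addresses, so the tail of the string
    # must be pushed first and the head last.
    return [struct.unpack("<I", chunk)[0] for chunk in reversed(chunks)]


def pushes_to_stack(pushes: list[int]) -> bytes:
    """Simulate the pushes and return the bytes that would sit at ESP."""
    stack = b""
    for imm in pushes:
        stack = struct.pack("<I", imm) + stack  # each push lowers ESP
    return stack


def as_asm(pushes: list[int]) -> list[str]:
    """Render the immediates as assembler lines with the bytes they encode."""
    return [f"push 0x{imm:08x}  ; {struct.pack('<I', imm)!r}" for imm in pushes]


if __name__ == "__main__":
    # Constructed sample inputs: the page's 'notepad' plus two edge cases.
    for sample in ("notepad", "cmd", "calc.exe"):
        pushes = string_to_pushes(sample)
        print(f"{sample!r}:")
        for line in as_asm(pushes):
            print("    " + line)
        print("    stack at ESP ->", pushes_to_stack(pushes))
```

Running it for ‘notepad’ prints `push 0x00646170` (the bytes “pad\0”) followed by `push 0x65746f6e` (the bytes “note”), which is why the dwords are usually written down reversed, as “dap” and “eton”.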
We should use an exploit to run our ActiveX. I used a vulnerability in emsmtp.dll. Make sure that the version of the library you have is 6.0.1. We overwrite a return address (in my case I overwrote the SEH record instead, because it was easier for me).
However, it didn’t work at first. The main problem was that the address of the memory we were supposed to jump to was wrong. I needed to use mona, an extension for Immunity Debugger.
There are also these useful mona commands (pc generates a cyclic pattern of the given length, findmsp locates pieces of that pattern in registers, on the stack and in SEH records, and find -s searches memory for a string):
!mona pc 14356
!mona findmsp
!mona find -s "123"
You can find the working exploit in my repo.