Data mining Backtrack 4 for buffer overflow return addresses (by Ben via

So, if you are reading this blog you are probably aware of the online exploit database sponsored by Offensive Security, which currently holds over 15,000 exploits, from the present back to the mid 1990’s.

There are some advantages to using this database online, such as the ability to download some of the vulnerable applications for testing purposes.

However, there is already a local copy of all of these exploits on Backtrack 4, held in /pentest/exploits/exploitdb and subdirectories – which has some other advantages we explore here i.e. mining it for useful information.

The advantages of a local copy of the database

In addition to the convenience of having the exploits already downloaded, there are other things that you can do by having a local copy. (A few weeks back, I used this local copy to do some analysis of Language trends in exploit development )

Here I am going to explore a couple of ways we could retrieve previously found return addresses, using the knowledge stored in files on backtrack.

Updating the exploit database

First get your copy of the exploit database up-to-date.

cd /pentest/exploits/

You should see the new files and changes whiz past as you get your copy of Backtrack up to the latest revision of the exploit database.

Basic exploit searches

Cool, so we will test the update by looking for something recent in the index file. I will do a quick search for an exploit from this week, the ProFTP remote root exploit.

cd exploitdb
grep -i “ProFTPD” files.csv | grep -i “remote root”
107,platforms/linux/remote/107.c,”ProFTPD 1.2.9rc2 ASCII File Remote Root Exploit”,2003-10-04,bkbll,linux,remote,21
110,platforms/linux/remote/110.c,”ProFTPD 1.2.7 – 1.2.9rc2 Remote Root & brute-force Exploit”,2003-10-13,Haggis,linux,remote,21
3021,platforms/linux/remote/3021.txt,”ProFTPD <= 1.2.9 rc2 (ASCII File) Remote Root Exploit”,2003-10-15,”Solar Eclipse”,linux,remote,21
15449,platforms/linux/remote/,”ProFTPD IAC Remote Root Exploit”,2010-11-07,Kingcope,linux,remote,0

There are a few in there, but I have highlighted the one from this week (15449) in red.

Searching for specific code within the database

We are up-to-date, so what interesting things can we do with all this exploit data?

How about we search all the files for some piece of information we might want to know?

Let’s take the example of looking for “JMP ESP” addresses (used in buffer-overflows to control code execution). Quite often, good information on this is available in the comment sections of the exploits.

First we will search for all the files that might contain offset addresses, using fgrep to recursively search and list any files containing the phrase “jmp esp”:

fgrep -r -l -i “jmp esp” *

This produces a long list of files (including some I don’t want)

…truncated for brevity…

 …truncated for brevity…

We will filter out anything with “svn-base” and count what we have left:

fgrep -r -l -i “jmp esp” * | grep -v “svn-base” | wc -l


Extracting and filtering the data

We have 232 files potentially containing “jmp esp” addresses, let’s grab those suckers.

We’ll wrap our filenames in a “for” loop, to pull just the lines we want, out of the files we are interested in.

for file in $(fgrep -r -l -i “jmp esp” * | grep -v “svn-base”); do grep “jmp esp” $file; done

This produces a big blob of data, but, say we are interested to find addresses for Windows XP SP 2:

for file in $(fgrep -r -l -i “jmp esp” * | grep -v “svn-base”); do grep “jmp esp” $file; done | grep -i “Win XP SP2”

[ ‘Win XP SP2 English‘, { ‘Ret’ => 0x77D8AF0A } ], # jmp esp user32.dll 

$ret = “xEDx1Ex95x7C“; #jmp esp en ntdll.dll,win xp sp2(spanish) 
xb3x57x04x7d”  # jmp esp @ shell32.dllWin XP SP2

Well, that gives 3 options, one for Spanish, two for English. Pretty handy if you don’t happen to have a Windows XP SP2 system lying around waiting to help you develop your exploit for that version – all thanks to exploit developers who comment their code nicely.

(there are several more if you mess with the final grep expression to try different ways of writing “WinXP sp2”).

Mining Metasploit

Of course, you could run similar operations on the Metasploit modules. First update Metasploit:


Then we can run the following command (which gives another handy set of return addresses):

for file in $(fgrep -r -l -i “jmp esp” /pentest/exploits/framework3/modules/*); do grep -i “jmp esp” $file; done | sort -u | grep -i “xp sp2”

  #0x773f346a # XP SP2 comctl32.dll: jmp esp
 #[ ‘Windows XP SP2 English’, { ‘Ret’ => 0x76b43ae0 } ], # jmp esp, winmm.dll
 ‘Ret1’ => 0x00420B45, # jmp esp on XP SP2 (iexplore.exe)
 ‘jmp esp’ => 0x774699bf, # user32.dll (xp sp2 and sp3)
 [ ‘Win XP SP2 English’, { ‘Ret’ => 0x77D8AF0A } ], # jmp esp / user32.dll
 [ ‘Windows XP SP2 – EN’, { ‘Ret’ => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en
 [ ‘Windows XP SP2 – English’, { ‘Ret’ => 0x7c941eed} ], # 0x7c941eed JMP ESP – SHELL32.dll
 [ ‘Windows XP SP2 Pro German’, { ‘Ret’ => 0x77D5AF0A } ], # SHELL32.dll JMP ESP
 [ ‘Windows XP SP2 Spanish’, { ‘Ret’ => 0x7c951eed } ], #jmp esp
 [ ‘Windows XP SP2 Universal’, { ‘Ret’ => 0x77d92acc } ], # USER32.dll JMP ESP
 [ ‘Windows XP SP2/SP3 English’, { ‘Ret’ => 0x774699bf } ], # jmp esp, user32.dll
 [‘Windows XP SP2 French’, { ‘Rets’ => [ 1787, 0x77d5af0a ]}], # jmp esp
 [‘Windows XP SP2 German’, { ‘Rets’ => [ 1787, 0x77d5af0a ]}], # jmp esp
 [‘Windows XP SP2 Polish’, { ‘Rets’ => [ 1787, 0x77d4e26e ]}], # jmp esp

Of course you can add the grep -B or -A options, to get lines before and after the line containing what you searched for.

There are probably many other uses for this type of searching. Looking for strings like “jmp esp” is just one example.

Please leave a comment if you find this helpful, or if you can think of any other applications for these techniques.


Original article:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s