You can download the Immunity Debugger pyCommand from the link below.
(Note : you must be logged in to be able to download this plugin)
More information about the latest version of this plugin can be found here (again, you must be logged in before you can access the exploit writing forums)
If you want to show your respect for my free tools and free support, please consider a small donation :
Download :
Version for Immunity Debugger v1.73 :
pvefindaddr for ImmDbg v1.73 only (Log in before downloading this file ! ) - Downloaded 144 times
Installation :
Drop the file in the pycommands folder within your Immunity Debugger installation folder. You can get the list of functions and parameters by running !pvefindaddr (without arguments) from the input box at the bottom of Immunity Debugger. Look at the “Log” window for output.
Version history :
Current version
v1.21 (13 feb 2010)
I decided to cease support for ImmDbg v1.74 for a while, until a new version of ImmDbg has been re-released.
The new version of the plugin has better support for unicode in the “findmsp”, “suggest” and “compare” functions.
Older versions:
Version 1.20 (06 feb 2010)
- Fixed some issues with “jo”
- Added feature in !pvefindaddr suggest. If you have used AAAA or BBBB to overflow a buffer, !pvefindaddr suggest will try to ‘guess’ the offset to EIP or SEH even though you did not use a metasploit pattern. Results may not be really accurate, but should give you an impression of the payload size that needs to be used.
Example :
- create a .m3u file with 5000 A’s
- open the file in s.o.m.p.l. player
- when application crashes (in Immunity), run
!pvefindaddr suggest
output :
Log data
Address Message
0BADF00D
0BADF00D
0BADF00D **************************************
0BADF00D Getting safeseh table – please wait…
0BADF00D **************************************
0BADF00D
0BADF00D
0BADF00D ————————————————————————-
0BADF00D Searching for metasploit pattern references
0BADF00D ————————————————————————-
0BADF00D [1] Searching for first 8 characters of Metasploit pattern : Aa0Aa1Aa
0BADF00D =====================================================================
0BADF00D ** Could not find begin of Metasploit pattern in memory ! **
0BADF00D
0BADF00D [2] Checking register addresses and contents
0BADF00D ============================================
0BADF00D – Register EAX is overwritten with AAAA – Try using a Metasploit pattern next time
0BADF00D – Register EBX is overwritten with AAAA – Try using a Metasploit pattern next time
0BADF00D
0BADF00D [3] Checking seh chain
0BADF00D ======================
0BADF00D – Checking seh chain entry at 0x0012eb2c, value 40048762
0BADF00D – Checking seh chain entry at 0x0012fb7c, value 41414141
0BADF00D => record is overwritten with AAAA
0BADF00D Trying to guess the startlocation of the buffer with AAAA’s
0BADF00D Please wait, this may take a long time…
0012EB48 Start of string may have be found at 0012EB48
0BADF00D That means that SEH may have been overwritten after about 4148 bytes (more or less – I could be wrong !)
0BADF00D (including 4 null bytes… )
0BADF00D Again, this is just a guess – try using a Metasploit pattern instead of AAAA
0BADF00D ————————————————————————-
0BADF00D Exploit payload information and suggestions :
0BADF00D ———————————————
0BADF00D [+] Sorry, you’ll have to analyse this vulnerability manually
0BADF00D ———————————————
v1.19 (02 feb 2010)
- Improved !pvefindaddr jo (search for pointers to jump to reg+offset)
Usage :
!pvefindaddr jo reg offset (search for offsets between -offset and +offset)
!pvefindaddr jo reg offset module (search for offsets between -offset and +offset, only in given module)
!pvefindaddr jo reg minoffset maxoffset (search for offset between minoffset and maxoffset)
!pvefindaddr jo reg minoffset maxoffset module (search for offset between minoffset and maxoffset only in given module)
- Improved output to file (now includes safeseh/aslr information for each address found)
v1.18 (31 jan 2010)
Added feature !pvefindaddr assemble
Added feature !pvefindaddr peb
Improved some functions and output formatting
v1.17 (20 jan 2010)
Added feature !pvefindaddr a (will search for add esp,8 + ret)
Included search for add esp,8+ret in “jseh” as well. If you are looking for an address to bypass Safeseh, you should try !pvefindaddr jseh all
v1.16 (19 jan 2010)
Added 2 new features :
- !pvefindaddr update : check for updates and reports if a new version of the plugin is available for download
- !pvefindaddr compare : allows you to compare bytecode(shellcode) in a file with contents in memory. This feature will search for the bytecode dynamically and will compare each instance with the original bytecode in a file.
v1.15 (14 jan 2010)
Good news – The folks at Immunity replied to my questions about the changed attributes and I have now fixed all “broken” code in the plugin. At the same time, they had to fix some issues in certain pycommands and have released a new version (which still has the same version number). My advice is to download the latest version of Immunity Debugger from the Immunity website, and use v1.15 (or higher) of the pvefindaddr plugin to make things work again.
Update : Immunity has removed this version from their download page and are downgrading all 1.74 versions back to 1.73 due to a number of bugs. As a result, I now maintain 2 versions of the plugin (see above) : one for v1.73 and one for v1.74
In case you want to test, you can get a (possibly broken) Immunity Debugger v1.74 here
Immunity Debugger v1.74 (may be broken) (2.5 MiB, 220 downloads)
v1.14 (13 jan 2010)
- Immunity Debugger v1.74 was released today, but the plugin stopped working. The “Log” method/attribute was changed to “log”, so I replaced all “.Log” occurrences with “.log”. The current version works with v1.74 (I have not tested all functionality though). If this new version does not work with the previous versions of Immunity Debugger anymore, simply rename all “.log” instances back to “.Log” and it should work fine.
Update : apparently not only the .Log attribute was changed. I noticed that some other things stopped working too, so perhaps it’s not a good time to upgrade yet …
v1.13 (10 jan 2010)
- fixed some minor log output issues
v1.12 (09 jan 2010)
- fixed bug in “jseh all” (thanks ekse for reporting this issue)
v1.11 (29 dec 2009)
- Added new function “suggest”. You need to crash the application using a metasploit pattern. Then, running !pvefindaddr suggest at crash time, will evaluate registers and will try to suggest possible exploit code/payload (in perl) based on offsets and register values. This obviously won’t work in all cases, but it can save you some time
v1.10 (29 dec 2009)
- Added 2 new functions : pattern_create and pattern_offset. Guess what these will do (from within your debugger !)
v1.9 (28 dec 2009)
- Added support for metasploit pattern unicode search in seh chain. (So if a seh record is overwritten with metasploit pattern in unicode format, the offset will be calculated automatically). (Option was added to the findmsp function)
- Added feature in findmsp : When running !pvefindaddr findmsp without arguments, a search in registers and seh chain is performed. But you can now also run findmsp + argument, which will emulate Metasploit’s pattern_offset functionality. You can either specify a 4 character ascii string, or a 10 byte address (in 0x........ format). If the pattern is found in the built-in Metasploit pattern, the offset will be calculated and displayed.
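The pattern_create / pattern_offset functions (v1.10) and the findmsp argument handling described above (4-character ascii chunk or 0x........ register value, plus the unicode seh-chain case from v1.9) boil down to the cyclic-pattern logic shown here. This is an added illustration written for this page, not code from the pvefindaddr plugin or from Metasploit; the function names and the little-endian/UTF-16LE handling are my own reconstruction of the behaviour the changelog describes.

```python
import string

# Metasploit-style cyclic pattern: upper, lower, digit triplets. Every
# 4-byte window is unique within one period (26 * 26 * 10 * 3 = 20280 chars),
# which is what lets a register value be mapped back to a buffer offset.
def pattern_create(length):
    chunks = []
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    raise ValueError("length exceeds the pattern period of 20280 characters")

def _to_search_bytes(value):
    """Accept either a 4-char ascii chunk ('0Aa1') or a 32-bit register
    value as the debugger shows it ('0x31614130'). Registers are loaded
    little-endian, so the low byte is the first byte that sat in memory."""
    if value.lower().startswith("0x"):
        if len(value) != 10:
            raise ValueError("expected 0x followed by 8 hex digits")
        return bytes.fromhex(value[2:])[::-1]
    if len(value) != 4:
        raise ValueError("expected a 4-character string")
    return value.encode("ascii")

def pattern_offset(value, length=20280, unicode=False):
    """Return the character offset of `value` inside the pattern, or -1.
    With unicode=True the pattern is matched as it sits in memory after a
    UTF-16LE expansion (each char followed by 0x00), as in an overwritten
    seh record; the offset is still reported in pattern characters."""
    needle = _to_search_bytes(value)
    pattern = pattern_create(length)
    if not unicode:
        return pattern.encode("ascii").find(needle)
    hay = pattern.encode("utf-16-le")
    pos = hay.find(needle)
    while pos != -1 and pos % 2:   # only accept matches aligned to code units
        pos = hay.find(needle, pos + 1)
    return pos // 2 if pos != -1 else -1
```

A register holding 0x31614130 after a crash corresponds to the bytes "0Aa1" in memory, so pattern_offset("0x31614130") and pattern_offset("0Aa1") both report offset 2.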
v1.8 (28 dec 2009)
Added function p1 (search for pop pop ret in non-safeseh and non-aslr aware modules only)
v1.7 (27 dec 2009)
Added 3 new functions :
fa : find A’s
jo : find addresses that will allow you to jump to a register+offset
findmsp : find reference to Metasploit pattern in registers (addresses + values) and sehchain