June 21, 2010 at 1:22 pm #5236
I started coding the WAR FTP 1.65 Remote Code exploit in Python to exploit a Win XP SP2 machine this morning and it's still not finished :(. It went fine up until the point that shellcode had to be added.
I managed to overwrite EIP with my A's and eventually with a JMP EBP from my USER32.dll file, and even managed to put in my breakpoints where my shellcode was supposed to go; everything worked with OllyDbg. But I kept failing at the shellcode, which I generated with msfpayload. I spent the rest of the day playing around with different shellcodes trying to get the blasted thing to work. I played with different connecting shellcodes, VNC injects, encoders, and even filtering out bad characters and padding with NOPs, and the blasted thing still wouldn't work.
Could anybody please provide me with any tips for shellcode? I understand the difference between types of shells, e.g. bind and reverse, but the different encoders are throwing me off. Could I have just missed a bad character somewhere? Any help would be much appreciated, thanks 🙂
June 23, 2010 at 8:37 pm #33202 n1p (Participant)
Better late than never 😉 I normally use the alpha_upper encoder, which should remove bad characters. I remember having problems with the shikata_ga_nai encoder and removing bad characters whilst exploiting a program previously.
msfencode -e x86/alpha_upper -t c
Paste that into your exploit code and see. Also happy to look at your code if necessary.
http://seclists.org/metasploit/2006/q4/51 – possibly related
June 24, 2010 at 9:39 am #33203
Thanks very much for your help and reply. I will give it a go and let you know how it turns out.
June 24, 2010 at 8:21 pm #33204 n1p (Participant)
No problem, do let us know how it turns out 😛
June 25, 2010 at 10:04 am #33205
Well, I tried alpha_upper encoding, reviewed my code and couldn't see anything that terminates the string, so here is my code.
EIP was overwritten at the 476th byte.
I used JMP EBP, which I discovered in USER32.dll, as it had more room for shellcode.
I used a ./msfpayload windows/shell_bind_tcp payload with the x86/alpha encoder.
Any insight that you could provide would be most appreciated, thanks.
import socket

# 'shell' holds the msfencode x86/alpha_upper output pasted in from the post (not reproduced here);
# the connection to the target's FTP control port is also not shown in the post.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ret = "\x32\xa4\xd5\x77"
# EBP ADDRESS 77D5A432 (JMP EBP in USER32.dll, written little-endian)
buffer = "\x41" * 476 + ret + "\x90" * 16 + "\x90" * 16 + shell
print "\nSending evil buffer..."
s.send("USER anonymous" + buffer + "\r\n")
data = s.recv(1024)
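Seen from the server or network side, the USER command the poster describes has a shape that a log parser or control-channel monitor can pick out without knowing the specific exploit: an argument hundreds of bytes longer than any real username, non-printable bytes where a return address sits, a run of 0x90 NOP bytes, and a long tail drawn only from uppercase letters and digits (which is all x86/alpha_upper emits). The following detector is an added example and is not code from the thread or from any of its participants; the sample command lines are constructed, the username length limit MAX_USER_LEN is an assumed local policy, and the alphanumeric tail in the last sample is a synthetic stand-in for encoder output, not real shellcode.

```python
import re

# Assumed local policy: no legitimate username on this server exceeds this length.
MAX_USER_LEN = 64
# x86/alpha_upper output is drawn only from uppercase letters and digits.
ALNUM_UPPER = re.compile(rb"^[A-Z0-9]+$")
# A run of at least this many 0x90 bytes is treated as a NOP sled.
NOP_SLED_MIN = 8

# Constructed sample FTP control-channel commands (not captured from any real session).
# Entry 3 mirrors the layout the poster describes: 476 filler bytes, a little-endian
# return address, 32 NOPs, then an alphanumeric-looking tail standing in for encoder output.
SAMPLE_FTP_COMMANDS = [
    "USER anonymous",
    "PASS guest@example.com",
    "USER " + "legit.user.name@corp.example" * 4,          # long, but benign-looking
    "USER " + "A" * 476 + "\x32\xa4\xd5\x77" + "\x90" * 32
            + "".join(chr(65 + (i * 7) % 26) for i in range(120)),
]


def analyse_ftp_command(line):
    """Break one FTP command line into indicators a detector can reason about."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    arg_bytes = arg.encode("latin-1")       # one character -> one byte, as on the wire
    finding = {
        "verb": verb.upper(),
        "arg_len": len(arg_bytes),
        "oversized": False,
        "non_printable": False,
        "nop_sled": False,
        "alnum_tail": False,
    }
    if finding["verb"] not in ("USER", "PASS"):
        return finding
    finding["oversized"] = len(arg_bytes) > MAX_USER_LEN
    finding["non_printable"] = any(b < 0x20 or b > 0x7E for b in arg_bytes)
    finding["nop_sled"] = b"\x90" * NOP_SLED_MIN in arg_bytes
    # Shellcode sits at the end of the buffer, so inspect the last 64 bytes only.
    tail = arg_bytes[-64:]
    finding["alnum_tail"] = len(tail) == 64 and ALNUM_UPPER.match(tail) is not None
    return finding


def is_suspicious(finding):
    """Oversized alone is a policy violation; combined with payload-like content it is an alert."""
    return finding["oversized"] and (
        finding["non_printable"] or finding["nop_sled"] or finding["alnum_tail"]
    )


def scan_ftp_commands(lines):
    """Return the indices of command lines that should raise an alert."""
    return [i for i, line in enumerate(lines) if is_suspicious(analyse_ftp_command(line))]


if __name__ == "__main__":
    for idx in scan_ftp_commands(SAMPLE_FTP_COMMANDS):
        f = analyse_ftp_command(SAMPLE_FTP_COMMANDS[idx])
        print("line %d: %s argument of %d bytes, nop_sled=%s, alnum_tail=%s"
              % (idx, f["verb"], f["arg_len"], f["nop_sled"], f["alnum_tail"]))
```

The length check alone would also catch the long but harmless entry 2, which is why the alert requires a second indicator; on a real server the length limit and the NOP-sled threshold should be tuned against observed traffic before the rule is enforced.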