Metasploit mailing list archives
FW: SDK Questions
From: bazarova at anz.com (Bazarov, Alexey)
Date: Wed, 11 Aug 2004 10:49:57 +1000
Hello,

Could you help me, guys? The last week I spent playing with Metasploit. It is a great tool and I found the SDK example very interesting, but some moments are difficult for me to understand. My working environment is RedHat 9.0 Linux installed on VMware Workstation 4.0.

The main problem arises in the second stage, when we try to exploit the vuln and bind a shell. As I understood, the buggy buf[64] rewrites the return point of function main(), right? Following your steps I found that in my system the offset is 76, as you wrote; sure it must be 76, because buf[] is the first variable we pushed on the stack after the function prelude, and gives us 64 plus stored ret, ebp, etc. Well, gdb showed me that esp was 0xBFFF EA70. I changed the corresponding field and executed the exploit. Nothing. Again. Nothing.

I am not a Linux guru and actually it is the first time I have met assembler stuff, but I was very curious to understand how it worked, so I did some additional checks to see the entire picture. Below I placed the diagram of my research.

Stack at the initial moment

     ____
    |____| <==== RET ADDRESS FOR FUNCTION MAIN ()
     ____
    |____| <==== EBP POINTS AT 0xBFFF F758
     ____
    |    |
    |____| 68 bytes [ 64 bytes of buf + 4 bytes of prelude (saved ESP) ? ]
     ____
    |    |
    |____|
     ____
    |    |
    |____| <=== ESP POINTS AT 0xBFFF F6E0 , OUR BUFFER STARTS HERE

Stack after exploit

     ____
    |____| <=== SPLOIT CODE STARTS HERE
     ____
    |____| <=== SOME NOPs HERE
     ____
    |____|
     ____
    |____| <=== WE PLACED VALUE 0xBFFF EA70 HERE REPLACING RET
     ____
    |____| <=== 0xBFFF F758
     ____
    |    |
    |____| 68 bytes filled with 'A'
     ____
    |    |
    |____|
     ____
    |    |
    |____| <=== OUR BUFFER STARTS HERE AT 0xBFFF F6E0
     ____
    |____|
     ____
    |____| <=== EIP POINTS HERE 0xBFFF EA70 AFTER READING RET FROM STACK

As you can see, the exploit won't work until the address provided by us falls in the range where the NOP pad is located. Anyway, we have to guess this address, which makes it very hard to exploit this vuln because we have only one shot. Where am I wrong?
Thank you,
Alex
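The frame layout Alex reasons about (a 64-byte buf, then the saved EBP, then the return address 76 bytes from the start of buf) can be checked in user space without touching the real stack. The following C program is an added example written for this archive page; it is not code from the post, from the Metasploit SDK tutorial or from the Metasploit project. It models the frame as a struct whose padding size is an assumption chosen so that the model reproduces the 76-byte offset the post measured, uses a placeholder return address (0x08048000 is constructed, not from the post), and shows the unchecked copy beside a bounds-checked replacement so the reader can see exactly which saved value an input of a given length reaches.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   64
#define RET_OFFSET 76                            /* buf -> saved EIP distance reported in the post */
#define PAD_SIZE   (RET_OFFSET - BUF_SIZE - 4)   /* assumed compiler padding before the saved EBP */

/* Constructed model of the frame in the post's diagram. Real layouts depend on
 * compiler, flags and architecture; PAD_SIZE is an assumption chosen so that
 * the model reproduces the 76-byte offset the post measured. */
struct frame_model {
    char     buf[BUF_SIZE];
    char     pad[PAD_SIZE];
    uint32_t saved_ebp;
    uint32_t saved_ret;
};

#define ORIGINAL_EBP 0xbffff758u  /* EBP value from the post's diagram */
#define ORIGINAL_RET 0x08048000u  /* constructed placeholder for main()'s return address */

static void init_frame(struct frame_model *f)
{
    memset(f, 0, sizeof *f);
    f->saved_ebp = ORIGINAL_EBP;
    f->saved_ret = ORIGINAL_RET;
}

static void fill_input(char *dst, size_t n)
{
    memset(dst, 'A', n);   /* the 'A' filler from the post's diagram */
}

/* Distance from the first byte of buf to the saved return address. */
size_t bytes_to_ret(void)
{
    return offsetof(struct frame_model, saved_ret);
}

/* The unchecked copy under discussion: len is never compared with BUF_SIZE,
 * so a long input runs over pad, saved EBP and saved EIP in turn. The cap at
 * sizeof *f only keeps this model well-defined C; the real bug has no cap. */
static void unchecked_copy(struct frame_model *f, const char *src, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* Hardened form: reject anything that does not fit together with its terminator. */
static int checked_copy(struct frame_model *f, const char *src, size_t len)
{
    if (len >= BUF_SIZE)
        return -1;
    memcpy(f->buf, src, len);
    f->buf[len] = '\0';
    return 0;
}

/* Push input_len bytes of 'A' through the unchecked copy and report what was
 * clobbered: bit 0 = saved EBP changed, bit 1 = saved EIP changed. */
int clobbered_after_unchecked(size_t input_len)
{
    struct frame_model f;
    char input[sizeof f];

    init_frame(&f);
    fill_input(input, sizeof input);
    unchecked_copy(&f, input, input_len);
    return (f.saved_ebp != ORIGINAL_EBP) | ((f.saved_ret != ORIGINAL_RET) << 1);
}

/* The value that ends up in the saved EIP after the unchecked copy. */
uint32_t ret_after_unchecked(size_t input_len)
{
    struct frame_model f;
    char input[sizeof f];

    init_frame(&f);
    fill_input(input, sizeof input);
    unchecked_copy(&f, input, input_len);
    return f.saved_ret;
}

/* Same input through the checked copy: -1 if rejected, 0 if accepted with the
 * saved EIP intact, 2 if accepted but EIP changed (must never happen). */
int checked_copy_outcome(size_t input_len)
{
    struct frame_model f;
    char input[sizeof f];

    init_frame(&f);
    fill_input(input, sizeof input);
    if (checked_copy(&f, input, input_len) != 0)
        return -1;
    return f.saved_ret == ORIGINAL_RET ? 0 : 2;
}

int main(void)
{
    size_t lens[] = { 64, 73, 76, 80 };
    size_t i;

    printf("buf -> saved EIP: %zu bytes\n", bytes_to_ret());
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%3zu bytes: unchecked clobbers %d, EIP=0x%08x, checked copy -> %d\n",
               lens[i], clobbered_after_unchecked(lens[i]),
               (unsigned)ret_after_unchecked(lens[i]), checked_copy_outcome(lens[i]));
    return 0;
}
```

Running it shows the progression the diagram implies: 64 bytes stay inside buf, 73 bytes already touch the saved EBP, 76 bytes fill everything up to the return address, and 80 bytes replace the saved EIP with 0x41414141, while the checked copy refuses every input of 64 bytes or more. The same offsetof-style measurement is what a developer would use when verifying a frame layout in gdb, and the checked copy is the fix that removes the bug regardless of where the stack happens to be.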
Current thread:
- FW: SDK Questions Bazarov, Alexey (Aug 10)
- <Possible follow-ups>
- FW: SDK Questions ninjatools at hush.com (Aug 11)
- FW: SDK Questions Bazarov, Alexey (Aug 11)
- FW: SDK Questions Steve Bonds (Aug 11)
- FW: SDK Questions Bazarov, Alexey (Aug 12)