Metasploit mailing list archives
FW: SDK Questions
From: ninjatools at hush.com (ninjatools at hush.com)
Date: Wed, 11 Aug 2004 12:33:57 -0700
Hey,

Yes, you are right that you only get 1 shot for the exploit (we are talking about a sample vulnerable program in the sdk exploit tutorial). I could have written a more real world program that did a fork, and this would allow you to brute force the target. Also, if you increase the size of your nopsled, you may have a better chance of hitting it (it all depends on how it was started, arguments, env, etc).

The idea was just to keep with a very simple vulnerable program, and then look at real programs (instead of trying to recreate real world examples). I commented the svnserve_date exploit, which has a traditional fork() design, allowing you to successfully bruteforce. I suggest looking at vulnerabilities like these if you are actually concentrating on the exploit itself. I wrote the demonstration programs to mostly concentrate on the layout of a metasploit exploit, and not so much on exploiting the program itself.

Good luck!

-spoon

On Tue, 10 Aug 2004 17:49:57 -0700 "Bazarov, Alexey" <bazarova at anz.com> wrote:
Hello,

Could you help me, guys? Last week I spent playing with Metasploit. It is a great tool and I found the SDK example very interesting, but some moments are difficult for me to understand. My working environment is RedHat 9.0 Linux installed on VMware Workstation 4.0.

The main problem arises in the second stage when we try to exploit the vuln and bind shell. As I understood, the buggy buf[64] rewrites the return point of function main(), right? Following your steps I found that in my system the offset is 76 as you wrote; sure it must be 76 because buf[] is the first variable we pushed on the stack after the function prelude and gives us 64 plus stored ret, ebp, etc. Well, gdb showed me that esp was 0xBFFF EA70. I changed the corresponding field and executed the exploit. Nothing. Again. Nothing.

I am not a linux guru and actually it is the first time I have met with assembler stuff, but I was very curious to understand how it worked, so I did some additional checks to see the entire picture. Below I placed the diagram of my research.

Stack at the initial moment

 ____
|___| <==== RET ADDRESS FOR FUNCTION MAIN ()
 ____
|___| <==== EBP POINTS AT 0xBFFF F758
 ____   |
|___|   | 68 bytes [ 64 bytes of buf + 4 bytes of prelude(saved ESP) ? ]
 ____   |
|___|   |
 ____   |
|___| <=== ESP POINTS AT 0xBFFF F6E0 , OUR BUFFER STARTS HERE

Stack after exploit

 ____
|___| <=== SPLOIT CODE STARTS HERE
 ____
|___| <=== SOME NOPs HERE
 ____
|___|
 ____
|___| <=== WE PLACED VALUE 0xBFFF EA70 HERE REPLACING RET
 ____
|___| <=== 0xBFFF F758
 ____   |
|___|   | 68 bytes filled with 'A'
 ____   |
|___|   |
 ____   |
|___| <=== OUR BUFFER STARTS HERE AT 0xBFFF F6E0
 ____
|___|
 ____
|___| <=== EIP POINTS HERE 0xBFFF EA70 AFTER READING RET FROM STACK

As you can see, the exploit won't work until the address provided by us falls in the range where the NOPs pad is located. Anyway we have to guess this address, which makes it very hard to exploit this vuln because we have only one shot. Where am I wrong?

Thank you
Alex
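spoon's remark that a fork() server design lets the attacker keep retrying return-address guesses has a defender-side counterpart: in such a server, every wrong guess is a child that dies from SIGSEGV while the parent lives on, so the parent can count those deaths per peer. The C below is an added example, not code from the SDK tutorial or from anyone in this thread; the peer addresses and the CRASH_LIMIT of 3 are constructed assumptions.

```c
#include <signal.h>
#include <string.h>
#include <sys/wait.h>

#define MAX_PEERS   64
#define CRASH_LIMIT 3   /* assumption: 3 crashes from one peer triggers a block */

/* Per-peer count of children that died from a memory-corruption signal. */
struct peer_crashes {
    char addr[64];    /* textual peer address, constructed for the example */
    unsigned crashes;
};

static struct peer_crashes table[MAX_PEERS];
static size_t table_len;

/* A wrong return-address guess ends the child with one of these, never a clean exit. */
static int is_crash_signal(int sig)
{
    return sig == SIGSEGV || sig == SIGILL || sig == SIGBUS;
}

static struct peer_crashes *lookup_or_add(const char *addr)
{
    for (size_t i = 0; i < table_len; i++)
        if (strcmp(table[i].addr, addr) == 0)
            return &table[i];
    if (table_len == MAX_PEERS)
        return NULL;
    struct peer_crashes *p = &table[table_len++];
    strncpy(p->addr, addr, sizeof p->addr - 1);
    p->addr[sizeof p->addr - 1] = '\0';
    p->crashes = 0;
    return p;
}

/* The parent calls this after waitpid() on the child that served `peer`, passing
 * the raw wait status.  Returns 1 once the peer should be blocked or alerted on
 * (CRASH_LIMIT crash exits, or no room left to track it), 0 otherwise. */
int record_child_exit(const char *peer, int wstatus)
{
    if (!WIFSIGNALED(wstatus) || !is_crash_signal(WTERMSIG(wstatus)))
        return 0;                       /* clean exit or unrelated signal: not counted */
    struct peer_crashes *p = lookup_or_add(peer);
    if (p == NULL)
        return 1;                       /* table full: fail closed */
    return ++p->crashes >= CRASH_LIMIT;
}
```

The wait status values in the test are built directly from the signal number, which is how Linux encodes a signal-terminated child.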
Current thread:
- FW: SDK Questions Bazarov, Alexey (Aug 10)
- <Possible follow-ups>
- FW: SDK Questions ninjatools at hush.com (Aug 11)
- FW: SDK Questions Bazarov, Alexey (Aug 11)
- FW: SDK Questions Steve Bonds (Aug 11)
- FW: SDK Questions Bazarov, Alexey (Aug 12)