Metasploit mailing list archives

FW: SDK Questions


From: ninjatools at hush.com (ninjatools at hush.com)
Date: Wed, 11 Aug 2004 12:33:57 -0700


Hey,

Yes, you are right that you only get 1 shot for the exploit (we are talking
about a sample vulnerable program in the sdk exploit tutorial).  I could
have written a more real world program that did a fork, and this would
allow you to brute force the target.  Also, if you increase the size
of your nopsled, you may have a better chance of hitting it (it all depends
on how it was started, arguments, env, etc).

The idea was just to keep with a very simple vulnerable program, and
then look at real programs (instead of trying to recreate real world
examples).  I commented the svnserve_date exploit, which has a traditional
fork() design, allowing you to successfully bruteforce.  I suggest looking
at vulnerabilities like these if you are actually concentrating on the
exploit itself.  I wrote the demonstration programs to mostly concentrate
on the layout of a metasploit exploit, and not so much on exploiting
the program itself.

Good luck!
- -spoon

On Tue, 10 Aug 2004 17:49:57 -0700 "Bazarov, Alexey" <bazarova at anz.com> wrote:
Hello,

Could you help me, guys? I spent the last week playing with Metasploit.
It is a great tool and I found the SDK example very interesting, but
some moments are difficult for me to understand. My working environment
is RedHat 9.0 Linux installed on VMware Workstation 4.0.

The main problem arises in the second stage when we try to exploit the
vuln and bind a shell. As I understood, the buggy buf[64] rewrites
the return point of function main(), right? Following your steps
I found that in my system the offset is 76 as you wrote; sure, it
must be 76 because buf[] is the first variable we pushed on the stack
after the function prelude and gives us 64 plus stored ret, ebp, etc.

Well, gdb showed me that esp was 0xBFFF EA70. I changed the corresponding
field and executed the exploit. Nothing. Again. Nothing. I am not a Linux
guru and actually it is the first time I have met with assembler stuff,
but I was very curious to understand how it worked, so I did some
additional checks to see the entire picture. Below I placed the diagram
of my research.

Stack at the initial moment
____
|___| <==== RET ADDRESS FOR FUNCTION MAIN ()
____
|___| <==== EBP POINTS AT  0xBFFF F758
____           |
|___|          | 68 bytes [ 64 bytes of buf + 4 bytes of prelude (saved ESP) ? ]
____           |
|___|          |
____           |
|___|  <=== ESP POINTS AT  0xBFFF F6E0 , OUR BUFFER STARTS HERE


Stack after exploit
____
|___| <=== SPLOIT CODE STARTS HERE
____
|___| <=== SOME NOPs HERE
____
|___|
____
|___| <=== WE PLACED VALUE 0xBFFF EA70 HERE REPLACING RET
____
|___| <=== 0xBFFF F758
____          |
|___|          68 bytes filled with 'A'
____          |
|___|          |
____          |
|___|  <=== OUR BUFFER STARTS HERE AT  0xBFFF F6E0
____
|___|
____
|___| <=== EIP POINTS HERE 0xBFFF EA70 AFTER READING RET FROM STACK


As you can see, the exploit won't work until the address provided by
us falls in the range where the NOP pad is located. Anyway, we have to
guess this address, which makes it very hard to exploit this vuln because
we have only one shot.

Where am I wrong?

Thank you

Alex
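An added worked model of the frame drawn in the quoted message (example code, not part of the thread): it places the regions of the overflowed stack, shows which region a guessed return address lands in, and puts numbers on spoon's two points (a bigger NOP sled covers more of the address window, and a fork()ing server allows more than one attempt). Addresses and the offset 76 come from the message; the sled length, code length and the 4096-byte uncertainty window are constructed assumptions.

```python
# Added example, not code from the thread. Page values: buf at 0xBFFFF6E0,
# return address at offset 76, guessed return address 0xBFFFEA70. Sled and
# code lengths and the address-uncertainty window are constructed assumptions.

RET_OFFSET = 76   # bytes from the start of buf to the saved return address


def frame_layout(buf_start, sled_len, code_len, ret_offset=RET_OFFSET):
    """Map each region of the overwritten frame to (start_address, length).

    The stack grows down, so the overflow runs from buf toward higher
    addresses: filler up to the saved return address, the 4-byte return
    address itself, then the NOP sled and the payload code above it.
    """
    ret_slot = buf_start + ret_offset
    sled_start = ret_slot + 4
    return {
        "filler": (buf_start, ret_offset),
        "ret": (ret_slot, 4),
        "sled": (sled_start, sled_len),
        "code": (sled_start + sled_len, code_len),
    }


def classify_guess(layout, guess):
    """Name the region a guessed return address lands in.
    Only 'sled' transfers control cleanly to the payload."""
    for name, (start, length) in layout.items():
        if start <= guess < start + length:
            return name
    return "below buffer" if guess < layout["filler"][0] else "above frame"


def hit_probability(sled_len, uncertainty):
    """Chance that one guess lands in the sled when the true frame position is
    spread uniformly over an `uncertainty`-byte window: a bigger sled helps."""
    return min(1.0, sled_len / uncertainty)


def success_after_attempts(p, attempts):
    """Chance of at least one hit in `attempts` tries. A fork()ing server hands
    each connection a fresh process, so attempts can exceed 1; the tutorial
    program dies on the first miss, so there attempts == 1."""
    return 1 - (1 - p) ** attempts


if __name__ == "__main__":
    layout = frame_layout(0xBFFFF6E0, sled_len=256, code_len=64)
    print(classify_guess(layout, 0xBFFFEA70))   # "below buffer": guess < buf
    p = hit_probability(256, 4096)
    print(success_after_attempts(p, 1), success_after_attempts(p, 50))
```

The guessed 0xBFFFEA70 is lower than the buffer start, so it points below the frame rather than into the sled, which sits above the overwritten return address.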
