Metasploit mailing list archives
Problem in writing exploits
From: msairam at intoto.com (M.P.Sairam)
Date: Fri, 11 Aug 2006 20:03:17 +0530
hi,

The exploit realvnc_client is not able to exploit the client, i.e., RealVNC viewer 3.3.7, with payload win32_reverse and target Windows 2000 Professional SP4 English. I checked this by downloading the RealVNC viewer from the RealVNC site also. Please check this exploit.

At 06:16 PM 8/11/2006, you wrote:

hi,

I'm new to writing exploits. I am working on a Windows-based exploit with Framework 2.6 as the base. I want to write an exploit for realvnc_client. Actually the realvnc_client exploit is not giving back a shell to me. I tried this out on RealVNC viewer 3.3.7, which, as said in CVE or SecurityFocus, is the vulnerable application. In the exploit script the scalar $second is replaced with the first eight bytes as it was, but after that I'm commenting out the scalar $filler and the rest of the matter and I am replacing it with Pex::Text::PatternCreate(1200). I checked for the position of the return address in the pattern created by the Pex::Text::PatternCreate(1200) subroutine and I got the index as '993', the hex value I got is '0x42316842', and the ESP value is 'ASCII Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2B'. Now I am not getting any idea how to move forward to get the correct return address. The URL for the application is http://download.bensoncarwell.ca/ Can anyone help me with this?

At 10:01 PM 10/10/2006, you wrote:

On Tuesday 10 October 2006 10:44, Cristiano de Nunno wrote:

Hello to everybody. I followed the tutorial on writing exploits shown on this page: http://metasploit.com/projects/Framework/documentation.html (Exploit Module Tutorial (English)). But I actually couldn't exploit the server. I admit I'm a total noob and that's why I'm looking for help here. I'll explain in a few words the problem I have. I used the vuln1_*.pm included in the framework documentation, and I calculated the offset with the patternOffset application included, and that is OK. The problem is the ESP register value. The tutorial tells me to pull out this value with gdb, write it in the exploit .pm file and increase it a bit; the problem is that each time I run the exploitable server the ESP register value changes, and so the exploit doesn't work. My server crashes with a segmentation fault, but no payload is executed.

I set up msfconsole in the right way, with the right addresses and port; I think the problem is in that ESP register value. I saw a lot of exploits use one hex value which works on all machines; how is this possible if it changes each time the vulnerable program runs? I read about Windows programs and their fixed call value to overwrite the EIP register, and I understand that, but under Unix how can I do something similar? Tnx to everyone :)

Sounds like you are running into one of the security features in the Linux kernel (I am assuming Linux). Google for exec-shield for an idea. Usually these features are fairly easy to turn off. For example, exec-shield is:

echo "0" > /proc/sys/kernel/exec-shield
echo "0" > /proc/sys/kernel/exec-shield-randomize

However, all of this is way beyond the list charter. I'd recommend a couple of books, such as "Gray Hat Hacking", "Hacking: The Art of Exploitation", and "The Shellcoder's Handbook".

-SN

Thanks & Regards, SAIRAM
Thanks & Regards, SAIRAM
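The offsets quoted in the thread can be checked offline. The following is an added example for readers of the archive, not code from the thread or from the Metasploit project: it re-creates the cyclic pattern that Pex::Text::PatternCreate emits (triplets of upper-case letter, lower-case letter, digit, starting Aa0Aa1Aa2...) and looks up where a crash value falls in it, which is the same crash-triage step patternOffset performs. The function names pattern_create, pattern_offset and triage_crash are this example's own, and it assumes a little-endian x86 target when converting the EIP value to bytes, which matches the Windows 2000 machine described above.

```python
# Added example (not code from the thread or from Metasploit): re-creates the
# cyclic pattern that Pex::Text::PatternCreate emits and looks up where a crash
# value falls in it, so the figures quoted in the thread can be checked offline.
import string
import struct
from typing import Optional, Union


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the cyclic pattern Aa0Aa1...Aa9Ab0...Zz9.

    Every 3-byte triplet (upper, lower, digit) is unique within the first
    26*26*10*3 = 20280 bytes, so any 4-byte window identifies its offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])  # caller asked for more than one full cycle


def pattern_offset(pattern: bytes, needle: Union[int, bytes]) -> Optional[int]:
    """Offset of `needle` in `pattern`, or None if it is not present.

    An int is taken as a 32-bit register value and converted to the
    little-endian byte order an x86 target stores it in (assumption: x86,
    which matches the Windows 2000 target in the thread)."""
    if isinstance(needle, int):
        needle = struct.pack("<I", needle)
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


def triage_crash(pattern_len: int, eip: int, esp_bytes: bytes) -> dict:
    """Map a crash's EIP value and the bytes found at ESP back to input offsets."""
    pat = pattern_create(pattern_len)
    eip_off = pattern_offset(pat, eip)
    esp_off = pattern_offset(pat, esp_bytes)
    distance = None if None in (eip_off, esp_off) else esp_off - eip_off
    return {
        "eip_offset": eip_off,      # where the saved return address sat in the input
        "esp_offset": esp_off,      # where the stack pointer landed in the input
        "esp_distance": distance,   # bytes between the return slot and ESP
    }


if __name__ == "__main__":
    # Figures quoted in the thread: PatternCreate(1200), EIP = 0x42316842,
    # and the debugger showing "Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2B" at ESP.
    result = triage_crash(1200, 0x42316842, b"Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2B")
    print(result)  # eip_offset 993, esp_offset 1005, esp_distance 12
```

Run against the thread's own numbers, the EIP value 0x42316842 is the little-endian rendering of the bytes "Bh1B", which the pattern places at offset 993, exactly the index the poster reports; the string shown at ESP begins at offset 1005, so the stack pointer ended up 12 bytes past the start of the overwritten return slot. Having both offsets confirmed from the pattern alone, rather than from the crashing process, is what makes a crash reproducible across runs even when, as in the Linux case discussed in the quoted reply, stack addresses themselves move between executions.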