Problem in writing exploits

[msairam at intoto.com (M.P.Sairam)]

hi,

The exploit realvnc_client is not able to exploit the client i.e., 
Real vnc viewer 3.3.7 with payload win32_reverse and target is 
Windows 2000 professional SP4 English. I checked this by downloading 
the real vnc viewer from Real VNC  site also.



Please check this exploit.

At 06:16 PM 8/11/2006, you wrote:
> hi,
>
> I'm new  in writing the exploits.
>
> Iam working with windows-based exploit with framework-2.6 as the 
> base.I want to write a exploit for realvnc_client.Actually the 
> realvnc_client exploit is not giving back a shell to me.I tried this 
> out on Real-vnc viewer 3.3.7 , as said in cve or security focus this 
> is the vulnerable application.In the exploit script the scalar 
> $second is replaced with first eight bytes as it was but after that 
> I'm commenting the scalar $filler and rest of the matter and Iam 
> replacing it with Pex::Text::PatternCreate(1200) and I checked for 
> the Position of the Return address in the Pattern created by 
> Pex::Text::PatternCreate(1200) subroutine and I got the index as 
> '993' and the hex value I got is '0x42316842' and the ESP value is 
> 'ASCII Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2B'
> Now Iam not getting any idea to move forward to get the correct 
> return address.
>
> The URL for the application is http://download.bensoncarwell.ca/
>
> Can any help me for this?
>
> At 10:01 PM 10/10/2006, you wrote:
> > On Tuesday 10 October 2006 10:44, Cristiano de Nunno wrote:
> > > Hello to everybody.
> > >
> > > I followed the tutorial on writing exploits shown in this page:
> > >
> > > http://metasploit.com/projects/Framework/documentation.html
> > >
> > > (Exploit Module Tutorial (English))
> > >
> > > But I actually couldn't exploit the server.
> > > I admit I'm a total noob and that's why I'm looking for help here.
> > > I'll explain in fw words the problem I have.
> > >
> > > I used the vuln1_*.pm included in the framework documentation, and I
> > > calculated the offset with pattern0ffset application included, and that is
> > > ok. The problem is the ESP reg value. The tutorial tell me to 
> > pull out this
> > > value with gdb, writing it in the exploit pm file and increasing it a bit;
> > > the problem is that each time I run the exploitable server the esp reg
> > > value changes, and in such a way the exploit doesn't work. My server
> > > crashes with segmentation fault, but no payload is executed.
> > > I set up the msfconsole in the right way, with right addresses and port, I
> > > think the problem is in that esp reg value.
> > >
> > > I saw a lot of exploits uses 1 hex value which works on all the machine,
> > > how is this possible if it changes each run the vulnerable program runs? I
> > > read about windows programs and their fixed call value to overwrite eip
> > > reg, and I understand that, but under unix how can I do something similar?
> > >
> > > Tnx to everyone :)
> >
> > Sounds like you are running into one of the security features in the Linux
> > kernel (I am assuming Linux). Google for exec-shield for an idea. Usually
> > these features are fairly easy to turn off. For example exec-shield is:
> >
> >         echo "0" > /proc/sys/kernel/exec-shield
> >         echo "0" > /proc/sys/kernel/exec-shield-randomize
> >
> > However all of this is way beyond the list charter. I'd recommend a couple of
> > books, such as "Gray Hat Hacking", "Hacking: The Art of Exploitation", and
> > "The Shellcoder's Handbook".
> >
> > -SN
>
> Thanks & Regards,
>
>       SAIRAM

Thanks & Regards,

       SAIRAM