Lets begin...
First we need a skeleton script for out exploit.
This will send 2000 A's to the IP address specified as the first
parameter of the programs
Next lets start up the target application using Immunity Debugger on
the target system.
Now we run the program by clicking the “play” run button >
Next we need to run our skeleton script from the attacking host.
Doesnt look exciting from this view.
Checking out the target.
Boom! Its dead!
Notice EIP is 41414141 with is AAAA.
Now we need to find how much room we have for shellcode. :)
Lets use pattern_create.rb to generate a pattern that we can use.
Copy this into our skeleton script. I like saving it under a new name
so I keep a skeleton script around.
Now we run this against our target.
NOTE: Remember to restart the application within Immunity.
And this is what we get.
Lets calculate our shellcode spacing.
We get the value in EIP and ESP.
Now we can use pattern_offset.rb to find the offsets at which these
values are at.
So it looks like pattern_offset is having issues finding the offset
of 0Aj1A
Lets do it by hand.
Vim find
Ok so we found it at 281. But thats from beginning of line which
includes 'buff =' We don't want that. The actual string starts at
offset 9. so 281-9=272
Now we have the offset of ESP
and its only 4 bytes away from EIP.
Lets translate this information into our python exploit.
Offset to EIP was 268 so we fill buffer with 268 A's
EIP is 4bytes long so we fill that with B's
ESP is filled with C's
Lets test it out and we should see EIP have B's and ESP C's.
Cool what we thought should happen did.
So we confirmed our information and now we can actually exploit this.
First we need the location of our shellcode, this is ESP. Since we
have control over EIP we can just put the address directly in.
Lets generate some shellcode real quick, a bind_tcp should work for a
poc.
Insert the shellcode into our script
New exploit script looks like this.
Lets run it agains our target now and if all goes as planned we
should be able to use netcat to connect in on port 4444 (default for
msf payloads).
And we have a shell.
Notice our connection in netstat from 192.168.0.109