Saturday, June 9, 2018

Vulnserver.exe

A few buffer overflow scripts I wrote for vulnserver.exe. Mostly EIP overwrites and a few SEH. Played with egghunters too. You can access them here.

Friday, June 1, 2018

EasyChat Server 3.1 Remote Buffer Overflow Exploit

A simple remote BoF exploit for EasyChat Server ver 3.1, CVE-2004-2466. You can find the code on my GitHub gist. This exploit uses an SEH overwrite, which I find easier than the traditional EIP overwrite. With SEH, we overwrite the handler with the address of a 'POP POP RET' sequence, which returns straight into our buffer on the stack, as opposed to hunting for a 'JMP ESP'. This exploit spawns a reverse meterpreter shell; the payload can easily be swapped out using msfvenom.

The exploit breakdown is pretty simple: there are only two bad characters to avoid, and neither of them mangles the return address. First, we send 217 bytes of 'A's to reach nSEH (this is the offset). Then, from nSEH, a 6-byte jump hops over SEH, which holds the address of 'POP POP RET', and lands neatly at the start of our evil shellcode. The layout below illustrates the exploit:

pattern --> nseh --> seh --> evil buf

A word of caution: always check whether SafeSEH is turned ON before trying to exploit this handler. This can be done with the SafeSEH check in OllyDbg. Another reason to use an SEH overwrite is when you do not get an EIP overwrite immediately: upon receiving the exception, press Shift+Ctrl+F9 in OllyDbg or Immunity and you should then be able to overwrite EIP.
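The same SafeSEH check can be made outside the debugger by reading the module's PE headers; the script below is an added example (not code from the original post or from its gist) that parses a PE32 image's load-config directory and reports whether an SEHandlerTable is present, which is the /SAFESEH data the loader uses to refuse handlers outside the table. `build_sample_pe` is a constructed stand-in binary for testing, not EasyChat or vulnserver.

```python
import struct

# Field offsets inside IMAGE_LOAD_CONFIG_DIRECTORY32; only PE32 images carry SEHandlerTable.
LOAD_CONFIG_DIR_INDEX = 10
SEH_TABLE_OFF, SEH_COUNT_OFF = 64, 68

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x not backed by any section" % rva)

def safeseh_status(data):
    """Return (safeseh_on, handler_count) for the PE32 image bytes in `data`."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # COFF SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images have an SEHandlerTable")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    cfg_rva = struct.unpack_from("<I", data, opt + 96 + 8 * LOAD_CONFIG_DIR_INDEX)[0] if ndirs > LOAD_CONFIG_DIR_INDEX else 0
    if cfg_rva == 0:
        return False, 0  # no load config at all: not linked with /SAFESEH
    sec_table = opt + opt_size
    sections = [struct.unpack_from("<III", data, sec_table + 40 * i + 12) for i in range(nsec)]
    cfg = rva_to_offset(sections, cfg_rva)
    if struct.unpack_from("<I", data, cfg)[0] < SEH_COUNT_OFF + 4:
        return False, 0  # struct too short to hold the SEH fields
    table, count = struct.unpack_from("<II", data, cfg + SEH_TABLE_OFF)
    return table != 0, count

def build_sample_pe(handler_count):
    """Constructed minimal PE32 (one section plus a load config) for testing; not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR_INDEX, 0x1000, 72)
    sec = b".rdata\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    cfg = bytearray(struct.pack("<I", 72).ljust(72, b"\0"))
    if handler_count:
        struct.pack_into("<II", cfg, SEH_TABLE_OFF, 0x2000, handler_count)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr.ljust(0x200, b"\0") + bytes(cfg).ljust(0x200, b"\0")
```

On a real module, pass `open(path, "rb").read()` to `safeseh_status`; a `(False, 0)` result means the module's handlers are not validated and is the reason the page says to check before relying on this technique.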

I'm working on egg hunting, ASLR bypass and AV avoidance techniques. In next month's post, I'll publish several step-by-step guides on developing more advanced Windows buffer overflow exploits.



Note: All exploit code is for educational purposes only; I take no responsibility for any unlawful use or misuse of my code.