Mini-stream RM-MP3 Converter v3.1.2.2 Local Buffer Overflow: writing my own exploit

============================
attacker : BackTrack 5 R2
victim : Windows XP SP3 (Chinese)
============================

Here is the public exploit info; that exploit does not work on my own victim.

[screenshot 1]


Now I will set junk = \x41 * 10000 to test it. Here is the Python script:

[screenshot 2]

[screenshot 3]

I can see that the app has not crashed, so how about junk = \x41 * 20000?

[screenshot 4]

[screenshot 5]

OK, the app crashes now, but I want to be more sure about the address. Here is the Python script:

[screenshot 6]

[screenshot 7]

I can see "EIP 42424242", which means:
EIP 42424242 (BBBB) lies somewhere between offset 15000 and 20000.

Now I will find the exact location in my buffer that overwrites EIP; Metasploit is my best choice.

This tool helps me calculate the offset, as follows:

[screenshot 8]

[screenshot 9]

Now I will run the app in Immunity Debugger after I create the pattern_5000.m3u file.

[screenshot 10]

I can see "EIP 63443563".

Now I need the Metasploit tool to calculate the exact length of the buffer before it writes into EIP, as follows:

[screenshot 11]

OK, 2416 is the buffer length needed to overwrite EIP.
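The two Metasploit steps above (generating the cyclic pattern and looking up the EIP value in it) reproduced in plain Python as an added crash-triage example; this is not the post's script or Metasploit's code. It assumes the post's layout of 15000 filler bytes followed by a 5000-byte pattern, and confirms the 2416 offset from EIP = 63443563.

```python
# Added example (not the post's script): Metasploit-style cyclic pattern
# generation and offset lookup, used to triage a crash and confirm the
# 2416-byte offset the post derives from EIP = 63443563.
import itertools
import string


def pattern_create(length):
    """Build the 'Aa0Aa1Aa2...' pattern: each 3-byte unit is one upper-case
    letter, one lower-case letter and one digit, so every 4-byte window is
    unique within the first 26*26*10*3 = 20280 bytes."""
    units = ("%s%s%s" % (u, l, d) for u, l, d in itertools.product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits))
    return "".join(itertools.islice(units, (length + 2) // 3))[:length]


def pattern_offset(value, length=5000):
    """Return the offset of `value` in the pattern, or None if it is absent.
    `value` is either the 4 raw bytes as text ('c5Dc') or the register
    value as the debugger prints it ('63443563'); the hex form is
    byte-swapped because x86 stores the dword little-endian."""
    if len(value) == 8 and all(c in string.hexdigits for c in value):
        needle = bytes.fromhex(value)[::-1].decode("ascii", "replace")
    else:
        needle = value
    pos = pattern_create(length).find(needle)
    return None if pos < 0 else pos


def triage(eip_hex, junk_len, pattern_len=5000):
    """Crash triage as in the post: junk_len filler bytes were followed by a
    pattern_len-byte pattern and the debugger reported EIP = eip_hex.
    Returns (offset inside the pattern, total bytes before EIP), or None
    when EIP did not come from the pattern (not a clean overwrite)."""
    off = pattern_offset(eip_hex, pattern_len)
    if off is None:
        return None
    return off, junk_len + off


if __name__ == "__main__":
    print(triage("63443563", 15000))  # (2416, 17416)
```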

So I create a file with 15000 + 2416 A's (17416) and then add 4 B's.

I also add some C's after overwriting EIP.

The Python looks like this:

[screenshot 12]

Run it in Immunity Debugger:

[screenshot 13]

Now I can be sure that ESP starts at the 5th character of my pattern, not the first (because "1ABC" now appears in ESP).

To make this clearer, I will add 4 characters in front of the pattern; the script looks like this:

[screenshot 14]

[screenshot 15]

OK, it now shows "1ABC" at ESP.

I am going to find the jmp esp address:
"Alt + E"

[screenshot 16]

Double-click the last line.

[screenshot 17]

“Ctrl+F”

input “jmp esp”

[screenshot 18]

"7D5A30F3" is the address. Now, here is my Python script:

[screenshot 19]

OK, run it in the app:

[screenshot 20]

Haha, it works.

BUT, I want more powerful shellcode, so here we go:

[screenshot]

Run it in the app:

Attacker machine:

Yeah!!!!!!
