Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 5 posts ] 
 Post subject: webdesproxy[v0.0.1]: (cygwin) remote buffer overflow exploit
PostPosted: 05 Jul 2008 18:42 

Joined: 05 Jul 2008 18:38
Posts: 3
I tried that remote exploit on some servers.

I get results like:
[*] target: desktop.fakehalo.lan:1111
[*] return address($eip/"CALL ESP"): 0x6104936d
[*] attempting to connect: desktop.fakehalo.lan:1111.
[*] successfully connected: desktop.fakehalo.lan:1111.
[*] sending string:
[+] "GET http://[NOPSx250][JMP4][EIP/"CALL ESP"][NOPSx32][S$
[*] closing connection.

[*] attempting to connect: desktop.fakehalo.lan:7979.
[*] successfully connected: desktop.fakehalo.lan:7979.



but it doesn't give me a shell.

What is wrong?
Why don't I get into a shell?

I got the exploit code from here:
http://milw0rm.com/exploits/3913


 Post subject:
PostPosted: 06 Jul 2008 00:48 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
It depends on the cygwin1.dll version you are using on your test server.
That exploit has been written for a specific version (not reported) where there is a "jmp esp" (ff e4) at offset 0x6104936D, so if you are not using a version that has the same 2 bytes at that RVA offset, naturally the shellcode will not be executed.


 Post subject:
PostPosted: 06 Jul 2008 10:17 

Joined: 05 Jul 2008 18:38
Posts: 3
So, can it be modified to work and drop the shell on the last version of webdesproxy?


 Post subject:
PostPosted: 06 Jul 2008 10:20 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
If the last version of webdesproxy is still vulnerable, yes.
Anyway, read the header of the source file, which contains all the information about how to find the return address (findjmp).


 Post subject:
PostPosted: 06 Jul 2008 10:52 

Joined: 05 Jul 2008 18:38
Posts: 3
OK, thank you for the help.

