
Security Challenge V


Comments

  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Good man :) Well done.


  • Registered Users Posts: 60 ✭✭obviousTroll


    Thanks!

    The one thing that got me caught the most was the RET value. It was a different value on my VM to Damo's. I'm reading through the tutorials that were provided so I can make an assumption on how to counteract this, i.e. make the exploit universal. I'm not even sure if it is wholly possible.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Use findjmp2 to find hundreds of RET addresses you can use.

    If there was a JMP ESP or similar in the binary itself, you could maybe use that. But since exes in Win32 have image base 00400000, you would have nulls in your payload. You could partially overwrite the EIP and jump back, but this highly depends on the layout of the stack, probably not suitable here.

    Sometimes exes load local DLLs that you can use.
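    An added illustration of the point above (example code, not from the thread or the challenge files): encoding a candidate return address little-endian shows why anything in the 0x00400000 image range always carries a NUL, and a miniature findjmp2-style sweep over two constructed mock images (base addresses are made up) classifies each jmp esp / call esp hit by the bad bytes its address would put in the buffer.

```python
import struct

# x86 opcode sequences discussed in the thread: jmp esp and call esp.
GADGETS = {b"\xff\xe4": "jmp esp", b"\xff\xd4": "call esp"}


def encode_addr(addr: int) -> bytes:
    """Little-endian 32-bit encoding, i.e. how the address lands in the overflow buffer."""
    return struct.pack("<I", addr)


def bad_bytes_in(addr: int, bad: bytes = b"\x00") -> set:
    """Set of forbidden byte values present in the encoded address (empty means usable)."""
    return {b for b in encode_addr(addr) if b in bad}


def find_gadgets(image: bytes, base: int, bad: bytes = b"\x00") -> list:
    """Scan a mapped image for gadget opcodes and classify each hit by its virtual address."""
    hits = []
    for pattern, name in GADGETS.items():
        start = 0
        while True:
            off = image.find(pattern, start)
            if off == -1:
                break
            va = base + off
            hits.append({"va": va, "gadget": name, "bad": sorted(bad_bytes_in(va, bad))})
            start = off + 1
    return sorted(hits, key=lambda h: h["va"])


def usable_gadgets(image: bytes, base: int, bad: bytes = b"\x00") -> list:
    """Only the hits whose encoded address contains none of the bad bytes."""
    return [h for h in find_gadgets(image, base, bad) if not h["bad"]]


# Constructed sample: a mock EXE at the Win32 default base 0x00400000 holding
# one jmp esp, and a mock DLL at a made-up base holding a jmp esp and a call esp.
EXE_BASE = 0x00400000
EXE_IMAGE = b"\x90" * 0x10 + b"\xff\xe4" + b"\x90" * 0x10
DLL_BASE = 0x10011000  # constructed value, not a real module address
DLL_IMAGE = b"\xcc" * 0x0A + b"\xff\xe4" + b"\xcc" * 0x14 + b"\xff\xd4" + b"\xcc" * 4

if __name__ == "__main__":
    # Every address inside the EXE encodes a 0x00, so none survives a NUL-terminated copy.
    print(find_gadgets(EXE_IMAGE, EXE_BASE))
    # With a text-protocol bad-char set (NUL, LF, CR) only the call esp in the DLL is usable.
    print(usable_gadgets(DLL_IMAGE, DLL_BASE, b"\x00\x0a\x0d"))
```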


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    obviousTroll wrote: »
    Thanks!

    The one thing that got me caught the most was the RET value. It was a different value on my VM to Damo's. I'm reading through the tutorials that were provided so I can make an assumption on how to counteract this, i.e. make the exploit universal. I'm not even sure if it is wholly possible.

    Usually what I do when writing exploits is to gather various valid addresses for JMP ESP, and just use a switch statement to allow the user to specify the target.


  • Registered Users Posts: 60 ✭✭obviousTroll


    dlofnep wrote: »
    Thanks!

    The one thing that got me caught the most was the RET value. It was a different value on my VM to Damo's. I'm reading through the tutorials that were provided so I can make an assumption on how to counteract this, i.e. make the exploit universal. I'm not even sure if it is wholly possible.

    Usually what I do when writing exploits is to gather various valid addresses for JMP ESP, and just use a switch statement to allow the user to specify the target.

    Makes sense. I've spotted some more vulnerable apps on exploitdb, so I'll start a pentest lab, and play with them.

    Can't wait for Sec Challenge 6. :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    obviousTroll, looks like you may have done part 3 a different way than what I had laid out, which is cool, but this means you have a bonus task if you want! Think of what other way you could do this task.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    h57xiucj2z946q wrote: »
    obviousTroll, looks like you may have done part 3 a different way than what I had laid out, which is cool, but this means you have a bonus task if you want! Think of what other way you could do this task.

    Send me a PM with what he did. I'm curious :)


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    obviousTroll wrote: »
    Makes sense. I've spotted some more vulnerable apps on exploitdb, so I'll start a pentest lab, and play with them.

    Can't wait for Sec Challenge 6. :)

    Try Freefloat FTP server. It's pretty easy to exploit. You can download it for free.


  • Registered Users Posts: 60 ✭✭obviousTroll


    h57xiucj2z946q wrote: »
    obviousTroll, looks like you may have done part 3 a different way than what I had laid out, which is cool, but this means you have a bonus task if you want! Think of what other way you could do this task.


    Getting to work!

    I had originally intended to do the way that you had laid out, but I saw an opportunity, and took it. :)


  • Registered Users Posts: 60 ✭✭obviousTroll


    Done... (Check PM)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Cheers guys,

    This is now finished.


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    Yay :) Best challenge so far and certainly the one with the most 'real world' feel to it.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Hall of Fame:
    dlofnep
    obviousTroll
    

    BTW, did anyone else actually try this and get stuck? If so, then I can post a solution tonight.


  • Registered Users Posts: 60 ✭✭obviousTroll


    Woo hoo!


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    We're famous oT :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Attaching metasploit module for this challenge.


  • Registered Users Posts: 60 ✭✭obviousTroll


    I've never written a MSF module before this. Was a lot simpler than I initially thought. The hard part was finding the beloved values... :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Source code and binaries attached if anyone wants to host a challenge similar to the above or wants to try the metasploit module a few posts back with the exploitable binary.

    I compiled with Code::Blocks. Remember to link against libws2_32.a

