[framework] Problem in writing exploits
M.P.Sairam
msairam at intoto.com
Fri Aug 11 09:33:17 CDT 2006
Hi,
The exploit realvnc_client is not able to exploit the client, i.e.,
RealVNC viewer 3.3.7, with payload win32_reverse and target
Windows 2000 Professional SP4 English. I checked this by downloading
the RealVNC viewer from the RealVNC site as well.
Please check this exploit.
At 06:16 PM 8/11/2006, you wrote:
>hi,
>
>I'm new to writing exploits.
>
>I am working on a Windows-based exploit with Framework 2.6 as the
>base. I want to write an exploit for realvnc_client. Actually, the
>realvnc_client exploit is not giving me back a shell. I tried this
>out on RealVNC viewer 3.3.7, which, as stated in the CVE or on SecurityFocus,
>is the vulnerable application. In the exploit script the scalar
>$second is replaced with the first eight bytes as it was, but after that
>I'm commenting out the scalar $filler and the rest of the material and I am
>replacing it with Pex::Text::PatternCreate(1200). I checked for
>the position of the return address in the pattern created by the
>Pex::Text::PatternCreate(1200) subroutine and I got the index as
>'993'; the hex value I got is '0x42316842' and the ESP value is
>'ASCII Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2B'.
>Now I am not getting any idea how to move forward to get the correct
>return address.
>
>The URL for the application is http://download.bensoncarwell.ca/
>
>Can anyone help me with this?
>
>At 10:01 PM 10/10/2006, you wrote:
>>On Tuesday 10 October 2006 10:44, Cristiano de Nunno wrote:
>> > Hello to everybody.
>> >
>> > I followed the tutorial on writing exploits shown in this page:
>> >
>> > http://metasploit.com/projects/Framework/documentation.html
>> >
>> > (Exploit Module Tutorial (English))
>> >
>> > But I actually couldn't exploit the server.
>> > I admit I'm a total noob and that's why I'm looking for help here.
>> > I'll explain in a few words the problem I have.
>> >
>> > I used the vuln1_*.pm included in the framework documentation, and I
>> > calculated the offset with the patternOffset application included, and that is
>> > ok. The problem is the ESP reg value. The tutorial tells me to pull out this
>> > value with gdb, writing it in the exploit pm file and increasing it a bit;
>> > the problem is that each time I run the exploitable server the esp reg
>> > value changes, and in such a way the exploit doesn't work. My server
>> > crashes with segmentation fault, but no payload is executed.
>> > I set up the msfconsole in the right way, with the right addresses and port; I
>> > think the problem is in that esp reg value.
>> >
>> > I saw a lot of exploits use one hex value which works on all machines;
>> > how is this possible if it changes each time the vulnerable program runs? I
>> > read about Windows programs and their fixed call value to overwrite the eip
>> > reg, and I understand that, but under Unix how can I do something similar?
>> >
>> > Thanks to everyone :)
>>
>>Sounds like you are running into one of the security features in the Linux
>>kernel (I am assuming Linux). Google for exec-shield for an idea. Usually
>>these features are fairly easy to turn off. For example, for exec-shield:
>>
>> echo "0" > /proc/sys/kernel/exec-shield
>> echo "0" > /proc/sys/kernel/exec-shield-randomize
>>
>>However all of this is way beyond the list charter. I'd recommend a couple of
>>books, such as "Gray Hat Hacking", "Hacking: The Art of Exploitation", and
>>"The Shellcoder's Handbook".
>>
>>-SN
>
>Thanks & Regards,
>
> SAIRAM
Thanks & Regards,
SAIRAM
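The quoted reply explains the symptom in the second post (the ESP value changing on every run of the server) as kernel address randomisation, and then shows how to switch it off. The following script, added here and not part of the thread or of the Metasploit project, takes the opposite, defensive view: it reads the relevant sysctls (the modern randomize_va_space knob plus the legacy exec-shield files named in the reply, which are absent on current kernels) and then launches a few fresh processes to show that the stack base really does move between runs while randomisation is on. It assumes a Linux host with /proc; the function names and the constructed maps sample in the test are mine.

```python
"""Check whether address randomisation is active on a Linux host and show
its effect: the stack base differs from process to process, which is why
an ESP value copied from one gdb session does not hold for the next run.

Added example; not code from the mailing-list thread or from the Metasploit
project. Assumes Linux with /proc.
"""
import re
import subprocess
import sys
from pathlib import Path

# randomize_va_space is the current kernel knob (0 = off, 1 = stack/mmap,
# 2 = also brk). The two exec-shield files are the 2006-era Red Hat
# interface quoted in the thread and do not exist on modern kernels.
SYSCTLS = {
    "randomize_va_space": Path("/proc/sys/kernel/randomize_va_space"),
    "exec-shield": Path("/proc/sys/kernel/exec-shield"),
    "exec-shield-randomize": Path("/proc/sys/kernel/exec-shield-randomize"),
}


def read_sysctls(paths=SYSCTLS):
    """Return {name: int or None}; None means the knob is absent on this kernel."""
    values = {}
    for name, path in paths.items():
        try:
            values[name] = int(path.read_text().strip())
        except (OSError, ValueError):
            values[name] = None
    return values


def randomization_status(values):
    """Classify a sysctl reading as 'enabled', 'disabled' or 'unknown'.

    The modern knob wins when present; otherwise fall back to the legacy
    exec-shield-randomize value; with neither readable we cannot tell.
    """
    modern = values.get("randomize_va_space")
    if modern is not None:
        return "enabled" if modern > 0 else "disabled"
    legacy = values.get("exec-shield-randomize")
    if legacy is not None:
        return "enabled" if legacy > 0 else "disabled"
    return "unknown"


# A /proc/<pid>/maps line for the stack looks like:
# 7ffd1c2e0000-7ffd1c301000 rw-p 00000000 00:00 0    [stack]
STACK_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s.*\[stack\]$", re.MULTILINE)


def stack_base_from_maps(maps_text):
    """Extract the start address of the [stack] mapping, or None if absent."""
    match = STACK_LINE.search(maps_text)
    return int(match.group(1), 16) if match else None


def observe_stack_bases(runs=3):
    """Start a fresh interpreter `runs` times and collect each one's stack base.

    Every child is a new process, so with randomisation on the bases differ;
    with it off they repeat, matching what the poster saw in gdb.
    """
    snippet = "import sys; sys.stdout.write(open('/proc/self/maps').read())"
    bases = []
    for _ in range(runs):
        proc = subprocess.run([sys.executable, "-c", snippet],
                              capture_output=True, text=True, check=True)
        bases.append(stack_base_from_maps(proc.stdout))
    return bases


def summarize(values, bases):
    """Human-readable verdict combining the sysctl state and the observation."""
    status = randomization_status(values)
    distinct = len(set(b for b in bases if b is not None))
    observed = "varies" if distinct > 1 else "constant"
    return f"randomization {status}; stack base {observed} across {len(bases)} runs"


if __name__ == "__main__":
    readings = read_sysctls()
    for name, value in readings.items():
        print(f"{name:24s} {'absent' if value is None else value}")
    observed = observe_stack_bases()
    for base in observed:
        print(f"stack base: {base:#x}" if base is not None else "stack base: n/a")
    print(summarize(readings, observed))
```

Run it as a script on a Linux box: with randomize_va_space at 1 or 2 the three stack bases print as different values and the verdict reads "varies", which is the behaviour the poster described; a host where an administrator has zeroed the knob shows identical bases, and that is the finding a hardening review should flag rather than reproduce.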