[framework] Problem in writing exploits

Simple Nomad thegnome at nmrc.org
Tue Oct 10 11:31:55 CDT 2006


On Tuesday 10 October 2006 10:44, Cristiano de Nunno wrote:
> Hello to everybody.
>
> I followed the tutorial on writing exploits shown in this page:
>
> http://metasploit.com/projects/Framework/documentation.html
>
> (Exploit Module Tutorial (English))
>
> But I actually couldn't exploit the server.
> I admit I'm a total noob and that's why I'm looking for help here.
> I'll explain in few words the problem I have.
>
> I used the vuln1_*.pm included in the framework documentation, and I
> calculated the offset with the patternOffset application included, and that is
> ok. The problem is the ESP reg value. The tutorial tells me to pull out this
> value with gdb, writing it in the exploit pm file and increasing it a bit;
> the problem is that each time I run the exploitable server the esp reg
> value changes, and in such a way the exploit doesn't work. My server
> crashes with segmentation fault, but no payload is executed.
> I set up the msfconsole in the right way, with right addresses and port, I
> think the problem is in that esp reg value.
>
> I saw a lot of exploits use 1 hex value which works on all the machines,
> how is this possible if it changes each time the vulnerable program runs? I
> read about windows programs and their fixed call value to overwrite the eip
> reg, and I understand that, but under unix how can I do something similar?
>
> Tnx to everyone :)

Sounds like you are running into one of the security features in the Linux
kernel (I am assuming Linux). Google for exec-shield for an idea. Usually
these features are fairly easy to turn off. For example exec-shield is:

	echo "0" > /proc/sys/kernel/exec-shield
	echo "0" > /proc/sys/kernel/exec-shield-randomize

However, all of this is way beyond the list charter. I'd recommend a couple of
books, such as "Gray Hat Hacking", "Hacking: The Art of Exploitation", and
"The Shellcoder's Handbook".

-SN
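As an added example, not part of the list exchange above nor of the framework documentation: a small Python script that makes the "ESP changes every run" symptom visible and checks whether the kernel's randomization switch is on. It reads the exec-shield knob named in the reply and the mainline randomize_va_space knob (the latter, and the constructed maps sample, are my assumptions), then samples the stack base of several freshly spawned processes, which is what a restarted server is.

```python
import re
import subprocess
from pathlib import Path

# Constructed sample of a /proc/<pid>/maps file (not from a real host).
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 1234 /bin/cat
7ffff7dd3000-7ffff7dfc000 r-xp 00000000 08:01 5678 /lib/ld-linux.so.2
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""
# maps line layout: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")

def stack_range(maps_text):
    """Return (start, end) of the [stack] mapping in maps text, or None."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(3) == "[stack]":
            return int(m.group(1), 16), int(m.group(2), 16)
    return None

def randomization_setting():
    """(knob, value) of the kernel randomization switch, or None if neither exists:
    mainline randomize_va_space (0 off, 1 stack/mmap, 2 also brk), else exec-shield-randomize."""
    for knob in ("/proc/sys/kernel/randomize_va_space",
                 "/proc/sys/kernel/exec-shield-randomize"):
        if Path(knob).exists():
            return knob, int(Path(knob).read_text().strip())
    return None

def observe_stack_bases(runs=5):
    """Exec `cat /proc/self/maps` runs times; each run is a fresh process
    image, like a restarted server. Returns the stack base of each."""
    bases = []
    try:
        for _ in range(runs):
            out = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                                 text=True, check=True).stdout
            rng = stack_range(out)
            if rng is not None:
                bases.append(rng[0])
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []  # no cat or procfs here (not Linux): nothing observed
    return bases

def stack_is_randomized(runs=5):
    """True when the stack base moved between runs: a hard-coded ESP value
    cannot be expected to survive a restart of the target."""
    bases = observe_stack_bases(runs)
    return len(bases) == runs and len(set(bases)) > 1
```

Run `stack_is_randomized()` on the box in question: True means the addresses you copied out of gdb are already stale by the next run, which is the behaviour the reply attributes to exec-shield.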