Sometimes you may find a system running a service that has a known vulnerability and a publicly available exploit. If the exploit author overwrote the stack pointer to reach a JMP instruction inside a file that is specific to one OS or service pack, the exploit will sometimes fail against other OS versions or service packs. When this happens you must modify parts of the exploit to make it work again. In the following video I demonstrate how to use Immunity Debugger to find a JMP EDX instruction that lets the exploit work against a different service pack.

The target software I will be trying to exploit is Bison FTP Server running on Windows XP SP2. There is an exploit available for Bison, so let's try it out. I found the exploit on www.exploit-db.com. It is written for the XP SP3 Spanish version and doesn't work against the SP2 English version. Using Immunity Debugger I find the location of a JMP EDX instruction in Shell32.dll and modify the exploit accordingly. After changing the JMP address and running the exploit again, it still fails. Looking at the exploit a second time, with Immunity Debugger paused at the crash, shows that we also need to modify the NOPs before the shellcode so that the JMP lands correctly.

Steps:

1. Nmap the target
2. Find the exploit on exploit-db: http://www.exploit-db.com/exploits/17649/
3. Try running the exploit... Bison crashes but no shell
4. Modify the original exploit to work with Win XP SP2 EN: change the JMP EDX address to one in Shell32.dll
5. Try running the exploit again... Still crashes and no shell
6. Modify the NOPs so the JMP lands correctly
7. Run the exploit and gain a remote shell
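From the defender's side, the two things this walkthrough relies on, an oversized FTP command argument and a run of NOPs in front of the shellcode, are also what makes this class of attack easy to spot on the wire or in a server-side capture. The following Python is an added example written for this post, not code from the original author or from exploit-db; the FTP session lines are constructed for illustration, and the length and NOP-run thresholds are assumptions chosen for the example rather than values taken from the post.

```python
import re
from typing import Dict, List

# Thresholds are assumptions for this example; tune them to the traffic you actually see.
MAX_ARG_LEN = 255   # RFC 959 sets no hard limit, but real clients almost never send longer arguments
MIN_NOP_RUN = 16    # a run of this many 0x90 bytes inside an FTP argument is not normal traffic
NOP_RUN = re.compile(rb"\x90{%d,}" % MIN_NOP_RUN)


def inspect_ftp_command(line: bytes) -> Dict[str, object]:
    """Return simple indicators for one raw FTP command line (CRLF-terminated or not)."""
    stripped = line.rstrip(b"\r\n")
    verb, _, arg = stripped.partition(b" ")
    longest_nop = max((len(m.group(0)) for m in NOP_RUN.finditer(arg)), default=0)
    non_printable = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    return {
        "verb": verb.upper().decode("ascii", "replace"),
        "arg_len": len(arg),
        "oversized": len(arg) > MAX_ARG_LEN,
        "longest_nop_run": longest_nop,
        "non_printable": non_printable,
        "suspicious": len(arg) > MAX_ARG_LEN or longest_nop >= MIN_NOP_RUN,
    }


def flag_suspicious(lines: List[bytes]) -> List[Dict[str, object]]:
    """Run the check over a whole session and keep only the lines worth alerting on."""
    return [r for r in (inspect_ftp_command(l) for l in lines) if r["suspicious"]]


# Constructed sample session: two normal commands, then one argument padded far past
# any sane length with a NOP sled in the middle (the shape a stack-smash attempt takes).
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"CWD " + b"A" * 300 + b"\x90" * 64 + b"B" * 100 + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_SESSION):
        print(f"ALERT {hit['verb']}: arg_len={hit['arg_len']} "
              f"nop_run={hit['longest_nop_run']} non_printable={hit['non_printable']}")
```

The check is deliberately crude: it will not catch an encoded payload with no NOP sled, but an FTP argument of several hundred bytes is itself anomalous for almost any real client, so the length rule alone gives a useful first alert even when the sled is absent.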