-1

My teacher gave me some exercises about B.O. to understand how buffer overflow works, and "how" to write some exploit to prove it! He gave me some programs in C; I can't solve the last one. For the last one, the goal is to exploit the buffer overflow, enable RDP and add an administrator account to the victim machine.

Configuration:

Victim machine: Windows XP SP3, running the vulnerable server-side program.

Attacker machine: my Kali Linux box.

Here is the code: I compiled it and launched it on the XP SP3 box. Back on Kali I also wrote a script in Python to search for the buffer overflow with the help of Immunity Debugger:

Here's the code:

Thanks to pattern_create.rb and pattern_offset.rb I saw that I need 185 characters before overwriting EIP. I also saw that the string generated by pattern_create matches the ESP register. So I opened kernel32.dll for the address of CALL ESP and put it in my exploit; here's the code with the changes:

buff = "\x41"*185 #junk characters
buff += "\x67\x86\x86\x7c" #the address of CALL ESP
buff += needshellcodeHERE!

Now I need the shellcode, but unfortunately I don't understand how I can create a shellcode that enables RDP and adds a user account with max privileges.

Can anyone help me?

1
  • 1
    We aren't really a homework help centre here, I'm afraid. Really, what you need is a shell command to do the above - that's more of a system admin question than a security one.
    – crovers
    Commented Oct 28, 2016 at 18:17

2 Answers

0

Now i need the shellcode, but unfortunately, i don't understand how i can create a shellcode that enable RDP and add user account with max privileges.

I don't understand why you need a shellcode which enables Remote Desktop. If you are able to get a remote shell on the machine as an admin, you can enable Remote Desktop by changing the registry values and starting the service.

This article gives more details on how to enable MS Remote Desktop.

2
  • Yeah, you're right, your solution is best. But... I don't know how to get a system shell on the victim box because I don't know how to create a proper shellcode. I Googled for 5-6 hours but nothing.
    – Murdoc
    Commented Oct 28, 2016 at 18:30
  • @Murdoc This would help you with that. corelan.be/index.php/2009/07/19/…
    – hax
    Commented Oct 28, 2016 at 18:32
0

Just use an ordinary shellcode generated with msfvenom. Once you get a connection to the popped shell, enable RDP, add administrator accounts or whatever you want, really, in the usual way. Creating shellcode that only enables RDP or does just one specific task is not very useful or efficient (except for special cases). Keep in mind that the word shellcode is derived from the fact that this code is used to launch a shell. Although shellcode has since been used to do a whole lot of other stuff, the usage of the word has stuck. Unless you are under serious constraints, use a generic shellcode to just pop a shell.
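The post-exploitation steps both answers describe (a new local account, membership in Administrators, Terminal Services started) leave a trail in the Windows event log. As an added example, not code from the question or either answer, here is a small Python correlation check over constructed sample events using the XP/2003-era event ids 624, 636 and 7036; the record layout is a simplified assumption, not a real log export format.

```python
# Added example: correlate XP/2003-era event ids for the "add admin, start RDP"
# sequence. 624 = user account created, 636 = member added to a security-enabled
# local group, 7036 = a service entered a new state (Service Control Manager).
# SAMPLE_EVENTS is constructed sample data in a simplified dict layout, not a
# real log export; field names follow the XP event description text.
SAMPLE_EVENTS = [
    {"id": 528, "source": "Security",
     "fields": {"User Name": "alice", "Logon Type": "2"}},
    {"id": 624, "source": "Security",
     "fields": {"New Account Name": "svc_rdp", "Caller User Name": "SYSTEM"}},
    {"id": 636, "source": "Security",
     "fields": {"Target Account Name": "Administrators",
                "Member Name": "WINXP\\svc_rdp", "Caller User Name": "SYSTEM"}},
    {"id": 7036, "source": "Service Control Manager",
     "fields": {"Message": "The Terminal Services service entered the running state."}},
]


def find_suspicious_activity(events):
    """Return alert strings for account creation, additions to the local
    Administrators group and Terminal Services start-ups, in log order.
    An account created and then added to Administrators in the same log
    is tagged, since that pairing matches the exploit goal above."""
    alerts = []
    created = set()
    for ev in events:
        f = ev["fields"]
        if ev["id"] == 624 and ev["source"] == "Security":
            name = f["New Account Name"]
            created.add(name.lower())
            # A SYSTEM caller means a service, not an interactive admin, made the account.
            alerts.append(f"account created: {name} by {f['Caller User Name']}")
        elif ev["id"] == 636 and f.get("Target Account Name") == "Administrators":
            # Member Name is DOMAIN\user on XP; compare the bare user name.
            member = f["Member Name"].split("\\")[-1].lower()
            tag = " (account created in same log)" if member in created else ""
            alerts.append(f"added to Administrators: {member}{tag}")
        elif ev["id"] == 7036:
            msg = f.get("Message", "")
            if "Terminal Services" in msg and "running" in msg:
                alerts.append("Terminal Services started")
    return alerts


if __name__ == "__main__":
    for line in find_suspicious_activity(SAMPLE_EVENTS):
        print(line)
```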
