=======================================================

Friday, September 28, 2012

Buffer Overflow ( SEH ): Bigant Server ( 2.52 )

Back to exploitation, this time to learn about a buffer overflow with SEH overwrite in the Bigant application. Let's hunt:

1. Create a fuzzer with Python.

2. Run Bigant on Windows XP.

3. Run the fuzzer ==> # python fuzzer.py

4. To see the effect of the fuzzer, open OllyDbg.

5. View ==> SEH chain, then Shift+F9.

6. Search the libraries (.dll) loaded by the running service for a POP POP RETN to jump to.
    ==> In this case use vbajet32.dll

7. Copy vbajet32.dll to BackTrack and check its DllCharacteristics with msfpescan.

8. Open the module vbajet32.dll ==> Executable Modules ==> Search for
     ==> Sequence of commands

9. Search for POP POP RETN to see the address.

10. Now look for the address that is used to control the CPU.

11. Look for the offset ==> create a pattern with Msf ==> put it in the fuzzer.

12. Run the fuzzer and see the result.

13. View ==> SEH chain to see the SEH result.

14. Shift+F9 ==> to see the value in EIP ==> check the offset value with pattern offset.

15. Check bad characters ==> if the SEH chain points into vbajet32.dll, that sounds good.

==> I will explain how to observe bad chars in the next section.

        Assume we know the bad chars are 0x00 0x0a 0x0d 0x20 0x25

16. Generate the payload with msfweb.

17. Modify the fuzzer with the payload content.

18. Execute the fuzzer & telnet.

==> DONE <==
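Step 7 checks the module's DllCharacteristics with msfpescan. The following is an added example, not code from the original post, that does the same check from the defender's side: a small Python parser that reads a PE image's DllCharacteristics flags (DYNAMIC_BASE, NX_COMPAT, NO_SEH) and whether a load-config directory is present, so you can audit your own modules for the mitigations an SEH overwrite relies on being absent. The PE headers it runs on are constructed inline; `pe_mitigations` and `build_sample_pe` are hypothetical names.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE optional header
DYNAMIC_BASE = 0x0040   # image can be relocated (ASLR)
NX_COMPAT = 0x0100      # image is DEP/NX compatible
NO_SEH = 0x0400         # image registers no SEH handlers at all
LOAD_CONFIG_INDEX = 10  # data directory slot of IMAGE_LOAD_CONFIG (SafeSEH table lives there)

def pe_mitigations(data: bytes) -> dict:
    """Parse DllCharacteristics and the load-config directory of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        fmt, dirs = "PE32", 96
    elif magic == 0x20B:
        fmt, dirs = "PE32+", 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    lc_size = struct.unpack_from("<I", data, opt + dirs + LOAD_CONFIG_INDEX * 8 + 4)[0]
    return {
        "format": fmt,
        "dynamic_base": bool(dllchar & DYNAMIC_BASE),
        "nx_compat": bool(dllchar & NX_COMPAT),
        "no_seh": bool(dllchar & NO_SEH),
        # A load-config directory is required for SafeSEH; full confirmation also needs
        # a non-zero SEHandlerTable inside that structure, which is not parsed here.
        "load_config_present": lc_size != 0,
    }

def build_sample_pe(dllchar: int, load_config_size: int = 0) -> bytes:
    """Constructed minimal PE32 header (no sections) for offline testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dllchar)
    rva = 0x3000 if load_config_size else 0  # constructed RVA for the load-config entry
    struct.pack_into("<II", opt, 96 + LOAD_CONFIG_INDEX * 8, rva, load_config_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    legacy = build_sample_pe(0)                             # an old module: no mitigations
    modern = build_sample_pe(DYNAMIC_BASE | NX_COMPAT, 64)  # rebuilt with /DYNAMICBASE /NXCOMPAT /SAFESEH
    print("legacy:", pe_mitigations(legacy))
    print("modern:", pe_mitigations(modern))
```

A module that reports all four values as False is the kind of unprotected library an SEH overwrite is looking for; rebuilding it with the linker mitigations above is the fix.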

===================================================================================
===================================================================================



