REMOTE THE WINDOWS USING AN EXPLOIT AND BUFFER OVERFLOW
This time the fuzzing target is an MP3 converter (RM-MP3 Converter) running on Microsoft Windows XP (the victim). The war-ftp application was discussed and tested previously. The buffer overflow technique used here is equivalent to the direct-return technique from the previous exploitation; the difference is that this time we try to write the fuzzer ourselves instead of using a fuzzer that already exists on exploit-db.
[Image: mp3 converter]
[Image: RM-MP3 Converter on Windows]
Tools:
Victim: Microsoft Windows XP, RM-MP3 Converter, OllyDbg.
Attacker: BackTrack
OK, we try to make a simple fuzzer. The purpose of writing a simple fuzzer without using exploit-db is to understand fuzzing techniques in a buffer overflow for yourself. The following is the result of a simple fuzzer that was not yet able to overflow into ESP.
[Image: Fuzzer1]
[Image: Crash]
We can see that the fuzzer cannot overwrite ESP, so we try to increase the fuzzer size. In this session I used a size of 19000. Run the fuzzer like this: python (fuzzername).py ...... Let's see my fuzzer and the result after running it.
[Image: ESP overflow]
Then look at which bytes overflow the register by using pattern_create. pattern_create produces a unique string, so we can find the location of any part of it in the data packets sent by the fuzzer.
[Image: pattern_create]
[Image: pattern_create output]
Look at the pattern_create output in the picture above; next we take it and put it into the fuzzer. Let's edit the fuzzer like this.
[Image: Fuzzer2]
So we run the fuzzer again and look at the RM-MP3 converter on the victim. The ESP register is overwritten with the pattern and we can read the value of EIP. If ESP is overwritten and the EIP value is shown, we can find the exact bytes.
[Image: EIP number]
Use pattern_offset to calculate the byte offset of that value within the pattern produced by pattern_create.
[Image: pattern_offset output]
Let's look at the picture above: now we know where the bytes are (17417-17425). After this we edit the fuzzer again, like this, to try writing DEADBEEF into EIP. If it works, it means EIP is under our control.
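The pattern_create / pattern_offset step above, as an added example that is not part of the original post: a Python reimplementation of the Metasploit-style cyclic pattern and the offset lookup, written for crash triage (it needs only the register value the debugger shows). The 19000-byte length and the 17417 offset come from the post; the function names are my own.

```python
import string
from typing import Optional

# Added example (not from the original post): Metasploit-style cyclic
# pattern and offset lookup, i.e. what pattern_create/pattern_offset do
# when triaging which input bytes landed in an overwritten register.


def msf_pattern(length: int) -> bytes:
    """Build the 'Aa0Aa1Aa2...' pattern that pattern_create emits.

    Every 4-byte window is unique for the first 20280 bytes (26*26*10*3),
    which is more than the 19000 bytes used in the post.
    """
    if length > 20280:
        raise ValueError("pattern repeats after 20280 bytes; offsets would be ambiguous")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern: bytes, register_hex: str) -> Optional[int]:
    """Return the offset of the 4 pattern bytes a crashed register holds, or None.

    register_hex is the value as OllyDbg shows it (e.g. "41306141"). x86 is
    little-endian, so the register holds the pattern bytes reversed; a
    big-endian match is also tried in case the value was copied from a dump.
    """
    value = int(register_hex, 16)
    for order in ("little", "big"):
        idx = pattern.find(value.to_bytes(4, order))
        if idx != -1:
            return idx
    return None


def triage_crash(register_hex: str, sent_length: int) -> dict:
    """Summarise what an overwritten register tells us about the sent input."""
    offset = pattern_offset(msf_pattern(sent_length), register_hex)
    return {
        "offset": offset,
        "overwritten": offset is not None,
        # how many sent bytes sit after the 4 that landed in the register
        "bytes_after": None if offset is None else sent_length - (offset + 4),
    }


if __name__ == "__main__":
    # Constructed input: EIP taken from the pattern bytes at offset 17417
    pat = msf_pattern(19000)
    eip = int.from_bytes(pat[17417:17421], "little")
    print(triage_crash(f"{eip:08X}", 19000))
```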
[Image: Fuzzer3]
After running the fuzzer:
[Image: EIP under control]
Next, edit the fuzzer again, filling in the offset value and NOPs (no operation). NOPs are padding bytes written onto the stack; they are executed but do not affect the execution.
[Image: Fuzzer final]
Run the fuzzer again and let's look at the stack.
[Image: Stack with NOPs]
Next, look at the executable modules. People usually choose SHELL32.dll or USER32.dll, and I chose SHELL32.dll to exploit. Open the executable modules via View -> Executable modules, double-click the module and search for JMP ESP.
[Image: Executable modules]
Search JMP ESP....
[Image: JMP ESP]
[Image: JMP ESP]
Let's change the DEADBEEF in the fuzzer to the address of the JMP ESP (7C9D30D7) and run the fuzzer.
[Image: Fuzzer with JMP ESP]
The stack and the instruction memory are now full of the ASCII CCCCC bytes (CC).
[Image: Stack and memory instructions]
After this, set a breakpoint in the instruction memory with F2, or right-click and choose Breakpoint -> Memory, on access, like this.
[Image: Memory breakpoint]
Open Metasploit to get the payload. Start the msf web service:
[Image: msfweb service running]
Let's open the browser (127.0.0.1:55555), filter the modules and choose the payload. Because I want to remote into the victim, I chose the Bind Shell.
[Image: Find payload]
[Image: Fill in the payload]
[Image: The payload]
OK, we have the payload, so we put the payload into the fuzzer, edit the fuzzer again :) and run it. Let's check the result by running telnet in the konsole (attacker: BackTrack 5 R1). We have successfully remoted into the victim.
[Image: Fuzzer with payload]
[Image: Telnet]
Let's make a directory on the victim's drive.
[Image: Make a directory]
[Image: The directory on the victim]
So HOT .... :)