2. Open EzServer, attach the ezserver process to OllyDbg, then run.
Run your fuzzer and look at the registers.
The registers are overwritten with the buffer (AAAAAAA).
To see EIP overwritten by the buffer,
select View -> SEH chain, then press Shift+F9 to pass the exception on and reach EIP.
3. Now we search for a module that is not protected by SafeSEH.
Select View -> Executable modules.
Here I select MSVCRTD.
Next copy MSVCRTD to BackTrack using the shared-folder feature of VirtualBox.
Here I save MSVCRTD to my directory /Worked.
Next step, we want to find out whether this module is protected by SafeSEH or not.
Open a console and type:
#cd /opt/metasploit/msf3
#./msfpescan -i /media/Worked/MSVCRTD.DLL | grep SEHandler
#./msfpescan -i /media/Worked/MSVCRTD.DLL | grep DllCharacteristics
OK, here this module is not protected by SafeSEH.
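The two msfpescan commands above answer one question: does the module carry a SafeSEH handler table, and which hardening flags are set in its optional header? The same check can be done without Metasploit by parsing the PE headers directly, which is also how a developer audits their own shipped DLLs. The following script is an added example, not part of the original post or of Metasploit: it reads DllCharacteristics (NX_COMPAT, DYNAMIC_BASE, NO_SEH) and the SEHandlerTable/SEHandlerCount fields of the Load Config directory, and reports a module as SafeSEH-protected only when the NO_SEH flag is set or a non-empty handler table is present. The `build_sample_dll` helper constructs a minimal in-memory PE32 image so the check can be exercised offline; the section layout and values in it are constructed for the example. Only PE32 is handled, since SafeSEH is a 32-bit mechanism.

```python
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags from the PE specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # image registers no SEH handlers at all
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10          # index of the Load Config data directory


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def audit_pe32(data):
    """Return the SafeSEH / DEP / ASLR status of a 32-bit PE image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled; SafeSEH is a 32-bit mechanism")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]      # NumberOfRvaAndSizes

    # Section table follows the optional header; 40 bytes per entry.
    sections = []
    sec = opt + opt_size
    for _ in range(nsections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
        sec += 40

    # IMAGE_LOAD_CONFIG_DIRECTORY32: SEHandlerTable at +64, SEHandlerCount at +68.
    seh_table, seh_count = 0, 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        lc_rva, _ = struct.unpack_from(
            "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
        if lc_rva:
            lc = _rva_to_offset(lc_rva, sections)
            if struct.unpack_from("<I", data, lc)[0] >= 72:   # struct's own Size field
                seh_table, seh_count = struct.unpack_from("<II", data, lc + 64)

    no_seh = bool(dllchars & IMAGE_DLLCHARACTERISTICS_NO_SEH)
    return {
        "safeseh": no_seh or (seh_table != 0 and seh_count != 0),
        "no_seh": no_seh,
        "seh_handler_count": seh_count,
        "nx_compat": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def build_sample_dll(dllchars, seh_table_rva, seh_count):
    """Construct a minimal PE32 DLL image in memory (test fixture, not a real module)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)                        # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, 0x1000, 72)
    # One section: .rdata at RVA 0x1000, raw data at file offset 0x200.
    section = b".rdata\0\0" + struct.pack("<IIII", 0x100, 0x1000, 0x100, 0x200) + b"\0" * 16
    headers = dos + coff + bytes(opt) + section
    headers += b"\0" * (0x200 - len(headers))
    load_config = bytearray(0x100)
    struct.pack_into("<I", load_config, 0, 72)                       # Size
    struct.pack_into("<II", load_config, 64, seh_table_rva, seh_count)
    return headers + bytes(load_config)


def report(path):
    """Audit a PE32 file on disk and return a one-line summary."""
    with open(path, "rb") as f:
        r = audit_pe32(f.read())
    return "%s: SafeSEH=%s (handlers=%d, NO_SEH=%s) NX=%s ASLR=%s" % (
        path, r["safeseh"], r["seh_handler_count"], r["no_seh"],
        r["nx_compat"], r["dynamic_base"])


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(report(p))
```

Run it as `python audit.py /media/Worked/MSVCRTD.DLL`; a module that prints `SafeSEH=False` with zero handlers and no NX or ASLR flag is exactly the kind the post goes looking for, and the same output is what a build engineer should treat as a finding before shipping a DLL.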
4. Now search for a POP, POP, RETN sequence in the module MSVCRTD.
As usual, choose MSVCRTD, right-click and choose Search for -> Sequence of commands,
then input:
POP r32
POP r32
RETN
and click Find.
Now we have the memory address of POP, POP, RETN in MSVCRTD.DLL.
5. Next step, we create a pattern:
#cd /opt/metasploit/msf3/tools
#./pattern_create.rb 7000
Copy the output into the fuzzer.
6. Open EzServer and attach it to OllyDbg, then run.
Next run the fuzzer.
Select View -> SEH chain,
then press Shift+F9 to pass the exception on.
7. Find the pattern offset:
#cd /opt/metasploit/msf3/tools
#./pattern_offset.rb 48316F48 7000
5883
Edit the fuzzer.
Now restart OllyDbg, then run the fuzzer.
Register EIP is overwritten with AAAAAA.
8. Next step, we try to control the CPU.
Edit the fuzzer.
Set a breakpoint at the address of POP, POP, RETN in MSVCRTD.
Restart OllyDbg and run the fuzzer, then look at the SEH chain.
Now press Shift+F9 to step into the memory of MSVCRTD.DLL.
Press Shift+F9 again to step forward to POP, POP, RETN.
To look for empty space, right-click on the first memory address and choose Follow in Dump -> Selection.
Look at the bottom left.
9. Make the payload:
#cd /pentest/exploit/framwork2
#./msfweb
Open a browser and go to 127.0.0.1:55555.
Next click Payloads -> choose os::win32 and filter module -> windows bind shell.
Click Generate Payload.
Copy the payload into the fuzzer.
10. Restart OllyDbg and run the fuzzer.
OK, here we can see there is no space for landing the payload,
so we try to execute calc.exe instead.
Go to msfweb.
Click Payloads -> choose os::win32 -> filter module -> windows execute command.
Click Generate Payload, then copy the shellcode into the fuzzer.
Restart OllyDbg and run the fuzzer.
Then the calculator app shows up.
If calc shows, that means the space can accommodate calc, but not the payload, because here there are just 252 bytes while the payload needs 344 bytes.
So we must use an egghunter.
11. Make the payload executable.
Here we use an egghunter.
This is the scenario:
junk
w00tw00t
payload
padding
JMP short
address of MSVCRTD
padding
egghunter
Take the egghunter script from here.
Now edit the fuzzer.
Run EzServer, then run the fuzzer.
telnet 192.168.56.101 4444
Wait a minute.
Finish!