The first step we have to do is copy the nc.exe file to the Windows VirtualBox machine.
Sunday, 28 October 2012
Thursday, 25 October 2012
Exploiting the Crossfire Software on Linux
The first step in exploiting the Crossfire game is to prepare the fuzzer.
run the crossfire software in the console:
root@bt:~/crossfire/bin# ./crossfire
and run the fuzzer in the console: root@bt:~# python xxx.py
then observe what happens to the software running in the console.
The Crossfire software that we attacked with the fuzzer apparently crashes; what we do next is change the fuzzer again to look at the Crossfire program's EIP.
after the fuzzer is changed to use 4379 bytes as its data, run the crossfire software again from the console and observe what happens,
and change the contents of the fuzzer so that it sends 4379 bytes of characters, with the commands:
crash = "\x41" * 4379 -- 4 becomes [4395]
crash += "\xEF\xBE\xAD\xDE"
run the command again as the first time to find out what the earlier fuzzer did: root@bt:~/crossfire/bin# gdb crossfire
run the fuzzer and then click run on the application that was running earlier.
add crash += "\x41" * 3 to the fuzzer and do it again, running the program until its EIP changes.
what is done is to overwrite the program by having the fuzzer send 4397 bytes to the application.
checking the amount of data in the console:
root@bt:/opt/framework/msf3/tools# ./pattern_offset.rb 46367046
it turns out that pattern_offset reports 4368 bytes, which means the 4379 bytes of data we created in the first fuzzer was too much. It should be reduced first and then checked again using the console.
to make sure, test it using the command: crash += "\x90\x90\x90\x90"
then we can be certain that the EIP we found will change and be overwritten.
do a test by typing the command in the console
root@bt:~/crossfire/bin# gdb crossfire
in that process, type run and then info registers
as seen in the image above, EIP was changed to 0x90909090
then the EAX value (EAX 0xb7da3a0e) is entered into the fuzzer again by filling it in reversed, something like the following.
crash += "\x0E\x3A\xDA\xB7"
and insert EIP (eip 0xb7da3a1f 0xb7da3a1f)
and insert the EIP it has changed to: crash += "\x1E\x3A\xda\xB7"
"Payload"
next, run ./msfweb in the console.
when that is done we find and set up a new payload to pair with the fuzzer later. First look in our console and type the command: root@bt:/pentest/exploits/framework2# ./msfweb
from there the URL address that will bring up the payload will appear.
copy the whole payload obtained in the browser into the fuzzer, and once the payload has been put in, test the fuzzer using telnet 127.0.0.1 4444.
....Finish...
Praise be to God, Lord of the worlds.
Saturday, 13 October 2012
Buffer Overflow Exploit: Easy RM To MP3 Converter
Now we are going to exploit the Easy RM To MP3 Converter application. Because this exploit is done manually, we first have to collect information about the Easy RM To MP3 application.
The Easy RM to MP3 Converter application can open/load real-media file formats (*.ra, *.ram, *.rmj, *.rmvb, *.smi) and playlist files (*.m3u, *.pls, *.wpl, *.smi, *.wvx, etc.)
now we take only the information we need from the variety of information available.
we take m3u as the example.
Here we have to make a manual fuzzer that uses the m3u extension,
and then call the fuzzer that was made earlier:
root@bt:~# python rmp3.py
then we attack Easy RM To MP3 Converter using a file called music. First run the Easy RM To MP3 Converter application, then click Load in the application and select the music file, after first changing Files Of Type to the second option.
watch and observe what happens to the application. The application crash is visible; what we do now is open the Easy RM To MP3 Converter app using OllyDbg to find out the application's EIP.
"Open the Easy RM To MP3 Converter application using OllyDbg, and observe what is there"
run the Easy RM To MP3 Converter application first, and at the same time also run the OllyDbg application.
In the OllyDbg application select:
File >> Attach >>
run the Easy RM To MP3 Converter application, enter the fuzzer file called "music" into the application, and observe OllyDbg.
go to the console window and create 26500 bytes of data with the
command: root@bt:/opt/framework/msf3/tools# ./pattern_create.rb 26500
enter the 26500 bytes of data into the fuzzer
run the Easy RM To MP3 Converter application again, enter the fuzzer file called "music" into the application, and observe OllyDbg.
EIP: has changed to 48336D48
Wednesday, 10 October 2012
Buffer Overflow in the War-FTPD Application with OllyDbg, Using a Fuzzer and the Fuzzing Process
"The Basic Theory"
Buffer Overflow
A buffer overflow is something that happens inside a computer's memory system: during the normal process of temporarily storing data in memory, the data to be stored exceeds the capacity of the buffer (the temporary storage) in memory.
FUZZER
Fuzzer is a word widely used in science and technology, one instance being fuzzy logic, but the fuzzer discussed here has no relationship with fuzzy logic: a fuzzer is the name for the application used in the fuzzing process.
FUZZING
Fuzzing is an early stage that a security researcher is sure to perform: the application is made to handle data that is not normal, so that it can be seen how the application handles that data and how it performs error handling. From this process a researcher can see whether there is a security gap in the application that can be exploited.
The tools that will be used are as follows:
* OllyDbg as a debugger
* A fuzzer to perform the fuzzing process
* Python, used to create the fuzzer and exploit
1. War-FTP exploits using fuzzing
Since the application to be exploited is an FTP server, we try to make a simple fuzzer that can send data over the FTP protocol. The fuzzer is created using Python.
command: root@bt:~# kwrite xfuzz.py
run the War-FTP application first (online) by pressing the lightning icon.
The next step is to run the fuzzer application that we created earlier.
command: root@bt:~# python xfuzz.py
beforehand, make sure the Windows VirtualBox machine is clearly visible, so you can see what happens in the War-FTP server application.
observe what happened to the War-FTP application: if it disappears from the screen, it means the application crashed.
2. War-FTP exploits using OllyDbg.
in order to see what happens when the application crashes, run the War-FTP server application through OllyDbg.
so that OllyDbg can see what happens when the application crashes, run the WarFTP server through OllyDbg; when the WarFTP server application is then run again, an error message will appear.
to prevent that error from appearing again during the process, follow these steps:
* delete the FtpDaemon file.
* run the WarFTP server application again.
* create a dummy user through User Security.
rerun the War-FTP application using OllyDbg
then go to the BackTrack console and into the folder
# cd /opt/metasploit/msf3/tools/
If pattern_create.rb is visible in the folder, now create 1000 bytes of data with pattern_create.rb and save it to the file string_pattern.txt
to generate the 1000 bytes of data, run:
#./pattern_create.rb 1000 > string_pattern.txt
then copy-paste those 1000 bytes of data into the fuzzer we made previously.
run the WarFTP server application through OllyDbg.
the next step is to go to the console window and attack War-FTP again with the command python xfuzz.py. Then observe carefully in OllyDbg that the data our fuzzer sent has entered the War-FTP application.
Unlike before, the register values in the WarFTP server application's memory are now fully filled with the string.
The ESP register is vital because, when an attacker knows the location of the stack address, it allows them to store payload code (trojan, virus, etc.) on the stack, which is then executed by the system through the address stored in EIP. Since the space on the stack is large enough, it is even possible to store application code the size of a VNC client!
"Pattern offset"
The function of this application is to calculate the number of bytes of the pattern generated by pattern_create.rb that precede a given value.
To run this application, simply enter the ESP and EIP values.
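The calculation that pattern_create.rb and pattern_offset.rb perform in the three posts above, as an added Python example (not the page's or Metasploit's own code): it regenerates the cyclic pattern, converts a register value back to the byte order it had in memory, and returns every matching offset, which exposes the ambiguity that arises with a buffer longer than 20280 bytes such as the 26500-byte one used against Easy RM to MP3. The offsets it computes for War-FTP (485, i.e. bytes 486 to 489) and Crossfire (4368) are the ones this page reports.

```python
# Added example, not the page's or Metasploit's own code: a re-implementation
# of what pattern_create.rb / pattern_offset.rb do, mapping a register value
# seen in the debugger back to an offset inside the fuzzer's buffer.
import itertools
import string
import struct

# Metasploit's default charsets: every 3-byte chunk is <Upper><lower><digit>.
CHARSETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
UNIQUE_SPAN = 26 * 26 * 10 * 3  # 20280 bytes, after which the pattern repeats


def pattern_create(length):
    """Return `length` bytes of the cyclic pattern Aa0Aa1Aa2...Aa9Ab0...
    Chunks advance like an odometer over CHARSETS; past UNIQUE_SPAN bytes the
    sequence wraps and starts again from 'Aa0'."""
    chunks = itertools.cycle("".join(t) for t in itertools.product(*CHARSETS))
    out = []
    while len(out) * 3 < length:
        out.append(next(chunks))
    return "".join(out)[:length]


def pattern_offset(pattern, value):
    """Return every offset at which `value` occurs in `pattern`.
    `value` is the 4-char string seen in a memory dump or the 32-bit integer
    shown in a register (e.g. EIP 0x48336D48); an integer is converted back to
    the byte order it had in memory (little-endian). More than one hit means
    the buffer exceeded UNIQUE_SPAN and the offset is ambiguous."""
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    else:
        needle = value
    hits = []
    pos = pattern.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = pattern.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    # The three register values this page quotes (constructed checks):
    # War-FTP, 1000-byte buffer, EIP 32714131 -> bytes 486..489, i.e. offset 485
    print(pattern_offset(pattern_create(1000), 0x32714131))   # [485]
    # Crossfire, 4379-byte buffer, EIP 46367046 -> offset 4368
    print(pattern_offset(pattern_create(4379), 0x46367046))   # [4368]
    # Easy RM to MP3, 26500-byte buffer, EIP 48336D48: beyond UNIQUE_SPAN, two hits
    print(pattern_offset(pattern_create(26500), 0x48336D48))  # [5829, 26109]
```

When two offsets come back, shorten the buffer below 20280 bytes (or use different charsets) before trusting the result.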
To prove that EIP can be overwritten with bytes 486, 487, 488 and 489 of the data buffer sent through the fuzzer, the next step is to customize the fuzzer again, changing the existing buffer variable and adding a nilaiEIP variable to it. The value in the nilaiEIP variable will be stored in the EIP register in the WarFTP server's memory. Consider the following fuzzer script.
then try running War-FTP in OllyDbg and see the results. With the value our modified fuzzer inserts, the original EIP 32714131 turns into DEADBEEF.
run the application using OllyDbg; in the Executable Modules view,
it will appear like the following.
If it looks like the above, proceed to determine which library you want to use: double-click on the file name, and it will appear as follows.
It appears as below; now right-click in the main window: Search for -> Command.
In the Find Command dialog box that appears, enter the keyword JMP ESP and press Find.
OllyDbg has managed to find an address in memory, in the file shell32.dll, that holds a JMP ESP instruction.
The next thing to do is change the offset address into little-endian format, from 773F36F8 to "\xF8\x36\x3F\x77"; note the following script:
Now, run the WarFTP server application again using OllyDbg, and once again run the fuzzer that has been customized with the JMP ESP address.
It appears that the WarFTP server directs the system to read into the buffer (stack). The stack is filled with the hex characters \xCC, which in assembly is the interrupt instruction (stop the process). This means the concept is going according to plan. However, why does the value of the EIP register become 00AFFD59 instead of 773F36F8?
The EIP register value has been changed to the address that will be executed next. To see whether the address 7CA58265 is actually read into the EIP register, do a debugging pass using breakpoints, as in the malware analysis process. A breakpoint will be set at memory address 7CA58265; the goal is to determine whether that address is accessed through the EIP register.
Figure 4.23 Setting a breakpoint at address 773F36F8
Run the WarFTP server again using OllyDbg and run the fuzzer. Watch what happens! OllyDbg stops the WarFTP process.
"Payload"
now run WarFTP in OllyDbg again as before; right-click the selected line: Breakpoint -> Memory, on access.
next, run ./msfweb in the console.
Now we move on to the payload. For the payload to be chosen in the next build, Metasploit will display the configuration menu for the shell payload type as shown in the following figure; don't forget, after you finish, to press Generate to generate the selected payload.
Now we call the Metasploit address from the msf3 console, running a web browser and calling the URL address that appeared in Metasploit earlier.
call/bring up the payload in the browser, and later that payload will be put into the fuzzer that we make.
now it has been entered into the Windows system32.