Sunday, 12 February 2012

Mini-Stream RM-MP3 Converter 3.1.2.1 "Buffer Overflow"


Here we will try to crash the application Mini-Stream RM-MP3 Converter.

  • The first thing to know: this application can only read certain file types. See the picture below:
  • Then we write a simple fuzzer.
  • After we have written the fuzzer, we execute it so that the generated file can be read by the application.

The resulting file is the one we send to RM-MP3.

We deliver it using a web server; before that, you have to start Apache.

Save the file:

  • Next, open the Mini-Stream RM-MP3 application in OllyDbg -> click Load,
    and see what happens:
    the ESP, EBP and EIP registers are affected by the data we send.
    The application crashes because the EIP register is overwritten (it is loaded with the value 0x41414141).

  • Next we use pattern_create.
    Its purpose is to find the exact location of a given string within the data the fuzzer sends to the application.

  • After generating a string pattern of 56 969 bytes,
    put that data into the fuzzer,
like this:


  • Repeat the earlier step
    and watch what happens to the application in OllyDbg.

Look at the values in the ESP and EIP registers. These two registers are vital to how the application runs.


  • After we have the EIP and ESP values, we calculate how many bytes separate the start of the pattern from the string found in those registers.


  • Feed the value from our fuzzing into pattern_offset.rb

and run it.
See what happens:
the EIP address now lands on
DEADBEEF.
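To make the pattern_create / pattern_offset step concrete, here is an added Python re-implementation of the cyclic pattern those Metasploit scripts produce and of the offset lookup; it is not code from the original post, and the function names are my own. pattern_offset accepts either a 4-character fragment or the register value as OllyDbg displays it.

```python
# Added example (not the post's own code): re-implementation of the cyclic
# pattern from Metasploit's pattern_create.rb and the lookup done by
# pattern_offset.rb, showing why the overwritten EIP value pins down the offset.
import string
from itertools import cycle, product

# Each 3-byte chunk is Upper+lower+digit; 26*26*10 = 6760 chunks (20280 bytes)
# before the sequence repeats, which is why very long patterns can yield
# more than one candidate offset.
PERIOD = 26 * 26 * 10 * 3


def pattern_create(length: int) -> str:
    """Return the first `length` bytes of the cyclic pattern Aa0Aa1Aa2..."""
    chunks = cycle("".join(t) for t in product(string.ascii_uppercase,
                                                 string.ascii_lowercase,
                                                 string.digits))
    out = []
    total = 0
    while total < length:
        chunk = next(chunks)
        out.append(chunk)
        total += len(chunk)
    return "".join(out)[:length]


def pattern_offset(pattern: str, value: str) -> list:
    """Return every offset in `pattern` where a 4-byte fragment occurs.

    `value` is either the fragment itself ("Aa5A") or the register value as
    OllyDbg shows it ("0x41356141"); the latter is decoded little-endian,
    which is how four consecutive buffer bytes end up in EIP on x86.
    """
    if value.lower().startswith("0x"):
        needle = int(value, 16).to_bytes(4, "little").decode("ascii", "replace")
    else:
        needle = value
    offsets = []
    pos = pattern.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = pattern.find(needle, pos + 1)
    return offsets


if __name__ == "__main__":
    pat = pattern_create(100)
    print(pattern_offset(pat, "0x41414141"))  # [] : plain 'A's cannot be located
    print(pattern_offset(pat, "0x41356141"))  # [15]
```

With a pattern longer than PERIOD the same fragment is reported at more than one offset, so the shortest pattern that still reaches the crash is the safest choice.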

  • Next we use JMP ESP,
    because the EIP register cannot address memory directly;
    the only register that points directly into the buffer (stack) is ESP.
Click View -> Executable modules -> SHELL32 -> right-click -> Search for -> Command

Type JMP ESP.
Once you have the JMP ESP address,
switch back to the fuzzer.

Repeat again in OllyDbg.
You can see that execution now reads into the buffer (stack);
the stack contains the \xCC characters.


To make sure the address "7C9D30D7" has really been loaded into the EIP register,
we set a breakpoint on memory access.

  • Next, open a console and type ./msfweb

  • Select the payload -> then select Windows 32 -> I use a bind shell.
Enter the data as shown in the picture above.


After obtaining the payload, insert it into the fuzzer.


Then run the fuzzer and connect with telnet.
The result:
